From alex.wilkinson at dsto.defence.gov.au Tue Jul 1 00:41:58 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Tue, 1 Jul 2008 12:41:58 +0800
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701035035.GF12357@ref.nmedia.net>
References: <20080701035035.GF12357@ref.nmedia.net>
Message-ID: <20080701044157.GV3898@stlux503.dsto.defence.gov.au>

On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:

>Did Cisco ever use both cores of the G1?

G1 is multicore ?

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.

From christian at broknrobot.com Tue Jul 1 01:25:57 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 1 Jul 2008 01:25:57 -0400
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701044157.GV3898@stlux503.dsto.defence.gov.au>
References: <20080701035035.GF12357@ref.nmedia.net> <20080701044157.GV3898@stlux503.dsto.defence.gov.au>
Message-ID:

MPF (multi-processor-forwarding)

http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_end-of-life_notice0900aecd8067dd9f_ps352_Products_End-of-Life_Notice.html
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/MPF123T7.html

On Tue, Jul 1, 2008 at 12:41 AM, Wilkinson, Alex <alex.wilkinson at dsto.defence.gov.au> wrote:

> On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:
>
> >Did Cisco ever use both cores of the G1?
>
> G1 is multicore ?
>
> -aW
>
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mrz at velvet.org Tue Jul 1 01:29:00 2008
From: mrz at velvet.org (matthew zeier)
Date: Mon, 30 Jun 2008 22:29:00 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <48695414.6050001@gmail.com>
References: <486942C6.8030900@velvet.org> <48695414.6050001@gmail.com>
Message-ID: <4869C09C.8060609@velvet.org>

haven't made up my mind on that - either the routers directly connecting to the Internet or closer into my "core".

Rogelio wrote:
> matthew zeier wrote:
>> Trying to find a pre-build set of ACLs for filtering bogus inbound
>> udp, if one already exists, otherwise I'll have to build my own :)
>
> Where are you trying to filter this? At your CPE router?

From mksmith at adhost.com Tue Jul 1 01:34:43 2008
From: mksmith at adhost.com (Michael Smith)
Date: Mon, 30 Jun 2008 22:34:43 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <486942C6.8030900@velvet.org>
Message-ID:

Hey Matt:

> From: matthew zeier
> Date: Mon, 30 Jun 2008 13:32:06 -0700
> To: "cisco-nsp at puck.nether.net"
> Subject: [c-nsp] bcp on edge filtering & udp
>
> Trying to find a pre-build set of ACLs for filtering bogus inbound udp,
> if one already exists, otherwise I'll have to build my own :)

Here's a good start.
access-list 199 deny udp any any eq 135
access-list 199 deny udp any any eq 137
access-list 199 deny udp any any eq 138
access-list 199 deny udp any any eq 139
access-list 199 deny udp any any eq 445
access-list 199 deny udp any any eq 4899
access-list 199 deny udp any any eq 1434
access-list 199 deny udp any any eq 194
access-list 199 deny udp any any eq 529
access-list 199 deny udp any any eq 994
access-list 199 deny udp any any eq 69
access-list 199 deny udp any any range 6666 6669

Regards,

Mike

From zivl at gilat.net Tue Jul 1 01:54:48 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 1 Jul 2008 08:54:48 +0300
Subject: [c-nsp] Error
In-Reply-To: <20080630163859.GM4633@greenie.muc.de>
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de>
Message-ID:

I have the same fixed IP address at home for 3 years now and I also get mailer error messages lately claiming that MY message didn't reach the recipient, and the reasons are many, such as unknown user, mailbox over quota, out of office auto reply; some are from anti-spam systems, but all of them are sent back to me because the sender address is my e-mail address, and the mail was sent from a lot of IP addresses, none of them even close to mine.
So I guess someone is using my e-mail address for sending spam, and I guess I'm not the only one. The reason for spammers to use a valid e-mail address is quite clear: a lot of anti-spam systems perform this kind of check, to see if the sender's address is real and has good "reputation".

Damn them!
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, June 30, 2008 7:39 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Error

Hi,

On Mon, Jun 30, 2008 at 06:09:20PM +0200, gert at greenie.muc.de wrote:
> The original message was received at Mon, 30 Jun 2008 18:09:20 +0200
> from greenie.muc.de [168.218.142.88]
>
> ----- The following addresses had permanent fatal errors -----
>

I'm not *exactly* sure what happened here (need to look more closely at my mail headers), but I can assure you that "168.218.142.88" is *not* one of my IP addresses (and has never been).

So I think this was a fake, and never came near one of my machines :-/

Most likely a virus spam, or so. I've seen a few of those recently, claiming to be mailer errors and having a malware attachment.

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Tue Jul 1 05:24:36 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 01 Jul 2008 10:24:36 +0100
Subject: [c-nsp] Layer 2 multicast issues
In-Reply-To: <87e0d3ae0806280248jf71e065o63a1c5190881aef1@mail.gmail.com>
References: <87e0d3ae0806280248jf71e065o63a1c5190881aef1@mail.gmail.com>
Message-ID: <4869F7D4.3040203@imperial.ac.uk>

vince anton wrote:
> Hi list
>
> Im looking for some advice in troubleshooting a flat layer 2 network, made
> up of a number of L2 interconnected/cascaded switches running ip multicast.
>
> currently, such network has about 50 video streams (or multicast groups)
> from a single source at around 3-4Mbps each, and there are some issues with
> video quality on some receivers, although this is random and i cant seem to
> find a pattern yet.
>
> im trying to understand what issues with IP multicast traffic may be, and
> what the root cause is, given that all of the switches support IGMP snooping
> in hardware, and dont have a maxed-out CPU

Do you have an IGMP querier on the network? IGMP snooping works a lot better if you do.

From anthony.gueneau at gmail.com Tue Jul 1 06:35:11 2008
From: anthony.gueneau at gmail.com (Anthony Guéneau)
Date: Tue, 1 Jul 2008 12:35:11 +0200
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
Message-ID:

Hi,

Does anybody know what syslog messages are supposed to be sent when a VSS failover occurs?
Would it be easier to monitor it through SNMP traps? In that case what kind of traps should I enable and what are the corresponding OIDs to handle from the server?
The main idea is to detect any failures within the VSS domain. I identified 3 types of failures I would need to detect thanks to the syslog messages or SNMP traps. Then, corresponding alarms will be generated. Here they are:
-> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
-> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
-> Complete VSL Failure (Dual Active)

If someone knows or identified syslog messages and/or SNMP traps corresponding to each of these three failures, could you please get back to me with this information?
Many thanks.

Anthony

From aaronis at people.net.au Tue Jul 1 07:19:44 2008
From: aaronis at people.net.au (Aaron R)
Date: Tue, 1 Jul 2008 19:19:44 +0800
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <20080630112104.GG4112@thot.informatik.uni-kl.de>
Message-ID: <200807011121.m61BL2Ax084691@puck.nether.net>

Hi,

As we all know Telnet is plaintext and insecure. I assume they have disabled telnet from the firewall to encourage secure communication?

I don't see why else they would have disabled it. Having said this, they still enable telnet to the device, which is a complete contradiction :P

Cisco?

Cheers,

Aaron.

-----Original Message-----
From: Joerg Mayer [mailto:jmayer at loplof.de]
Sent: Monday, June 30, 2008 7:21 PM
To: Aaron R
Cc: 'Felix Nkansah'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> It is disabled as a security feature. I have also wanted to do the same for
> troubleshooting purposes.

And why exactly is this a security feature? What is the *gain* in security?

Ciao
Joerg
--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From sukumars at cisco.com Tue Jul 1 07:40:35 2008
From: sukumars at cisco.com (Sukumar Subburayan (sukumars))
Date: Tue, 1 Jul 2008 04:40:35 -0700
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To:
References:
Message-ID:

For Complete VSL failure, we have an SNMP trap, which can be configured using:

vss(config)#snmp-server enable traps vswitch ?
  vsl  Enable SNMP Virtual Switch Link (VSL) notification

For Active supervisor failure, you can monitor the following syslog message:

PFREDUN-SW2_SPSTBY-6-ACTIVE: Initializing as Virtual Switch ACTIVE processor

If the message comes from 'SW2' it means that the previous active (SW1) went down.

For standby supervisor failure, the VSL link will go down, as the entire standby is down. So, you could use the VSL link trap.
Additionally, the following syslogs are printed on the active when the standby goes down:

%VSLP-SW2_SP-2-VSL_DOWN: All VSL links went down while switch is in ACTIVE role

or this:

%PFREDUN-SW2_SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode

sukumar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony Guéneau
Sent: Tuesday, July 01, 2008 4:05 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps

Hi,

Does anybody know what syslog messages are supposed to be sent when a VSS failover occurs?
Would it be easier to monitor it through SNMP traps? In that case what kind of traps should I enable and what are the corresponding OIDs to handle from the server?
The main idea is to detect any failures within the VSS domain. I identified 3 types of failures I would need to detect thanks to the syslog messages or SNMP traps. Then, corresponding alarms will be generated. Here they are:
-> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
-> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
-> Complete VSL Failure (Dual Active)

If someone knows or identified syslog messages and/or SNMP traps corresponding to each of these three failures, could you please get back to me with this information?
Many thanks.
Anthony

From k.vdh at solcon.nl Tue Jul 1 07:09:49 2008
From: k.vdh at solcon.nl (Koen)
Date: Tue, 01 Jul 2008 13:09:49 +0200
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To:
References:
Message-ID: <486A107D.5020006@solcon.nl>

Hi Anthony,

I was just looking for this too and found out the following you can use to make a check:

MIB          CISCO-VIRTUAL-SWITCH-MIB
Object       cvsChassisEntry
OID          1.3.6.1.4.1.9.9.388.1.2.2.1
Type         CvsChassisEntry
Description  "An entry describes the present chassis information in the virtual switch architecture."

Object       cvsChassisRole
OID          1.3.6.1.4.1.9.9.388.1.2.2.1.2
Type         VSSwitchRole
             1: standalone
             2: active
             3: standby

Greetz,
Koen

Anthony Guéneau wrote:
> Hi,
>
> Does anybody know what syslog messages are supposed to be sent when a VSS
> failover occurs?
> Would it be easier to monitor it through SNMP traps? In that case what kind
> of traps should I enable and what are the corresponding OIDs to handle from
> the server?
> The main idea is to detect any failures within the VSS domain. I identified
> 3 types of failures I would need to detect thanks to the syslog messages or
> SNMP traps. Then, corresponding alarms will be generated. Here they are:
> -> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
> -> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis
> Failure)
> -> Complete VSL Failure (Dual Active)
>
> If someone knows or identified syslog messages and/or SNMP traps
> corresponding to each of these three failures, could you please get back to
> me with this information?
> Many thanks.
>
> Anthony
>

From sukumars at cisco.com Tue Jul 1 08:00:40 2008
From: sukumars at cisco.com (Sukumar Subburayan (sukumars))
Date: Tue, 1 Jul 2008 05:00:40 -0700
Subject: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps
In-Reply-To: <486A107D.5020006@solcon.nl>
References: <486A107D.5020006@solcon.nl>
Message-ID:

Dual-active cases (VSL down) cannot be detected by the below. We need to use the 'vswitch vsl' trap for that.

sukumar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen
Sent: Tuesday, July 01, 2008 4:40 PM
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco VSS monitoring through Syslog/SNMP-traps

Hi Anthony,

I was just looking for this too and found out the following you can use to make a check:

MIB          CISCO-VIRTUAL-SWITCH-MIB
Object       cvsChassisEntry
OID          1.3.6.1.4.1.9.9.388.1.2.2.1
Type         CvsChassisEntry
Description  "An entry describes the present chassis information in the virtual switch architecture."

Object       cvsChassisRole
OID          1.3.6.1.4.1.9.9.388.1.2.2.1.2
Type         VSSwitchRole
             1: standalone
             2: active
             3: standby

Greetz,
Koen

Anthony Guéneau wrote:
> Hi,
>
> Does anybody know what syslog messages are supposed to be sent when a
> VSS failover occurs?
> Would it be easier to monitor it through SNMP traps? In that case what
> kind of traps should I enable and what are the corresponding OIDs to
> handle from the server?
> The main idea is to detect any failures within the VSS domain. I
> identified 3 types of failures I would need to detect thanks to the syslog
> messages or SNMP traps. Then, corresponding alarms will be generated.
> Here they are:
> -> Active Supervisor Engine Failure (=Active Virtual Switch Chassis Failure)
> -> Hot-standby Supervisor Engine Failure (=Standby Virtual Switch Chassis Failure)
> -> Complete VSL Failure (Dual Active)
>
> If someone knows or identified syslog messages and/or SNMP traps
> corresponding to each of these three failures, could you please get
> back to me with this information?
> Many thanks.
>
> Anthony
>

From reuben-cisco-nsp at reub.net Tue Jul 1 07:29:11 2008
From: reuben-cisco-nsp at reub.net (Reuben Farrelly)
Date: Tue, 01 Jul 2008 21:29:11 +1000
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <200807011121.m61BL2Ax084691@puck.nether.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net>
Message-ID: <486A1507.6040107@reub.net>

You also can't ssh from a PIX, but you can of course ssh to it. So it's not IMHO likely to be a case of "telnet being insecure", but avoiding -all- client sourced access from a PIX out to anything else which the PIX could potentially connect to.

I suspect the thinking is that the PIX itself, if compromised, can't be used as a platform to launch into other devices in the network. Especially given it is probably one device which would normally have direct and unrestricted access to the private and DMZ networks in most topologies...

Reuben

On 1/07/2008 9:19 PM, Aaron R wrote:
> Hi,
>
> As we all know Telnet is plaintext and insecure. I assume they have disabled
> telnet from the firewall to encourage secure communication?
>
> I don't see why else they would have disabled it.
> Having said this they
> still enable telnet to the device which is a complete contradiction :P
>
> Cisco?
>
> Cheers,
>
> Aaron.

From rodunn at cisco.com Tue Jul 1 10:16:23 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 1 Jul 2008 10:16:23 -0400
Subject: [c-nsp] 7200 upgrade from 12.2(25)S8
In-Reply-To: <20080701035035.GF12357@ref.nmedia.net>
References: <20080701035035.GF12357@ref.nmedia.net>
Message-ID: <20080701141623.GE13269@rtp-cse-489.cisco.com>

On Mon, Jun 30, 2008 at 08:50:35PM -0700, Chris Cappuccio wrote:
> I've got 12.2(25)S8 on various 7200 NPE-G1 and NPE-400 boxes in core and edge NSP roles. The last NPE-400 is about to get upgraded to a G1 or G2.
>

As a migration path, 12.2(33)SRC1 towards IOS-XE on ASR is a good looking path.

> This OS has been rock-solid for years. I'm using the routers for various combinations of mpls ldp/bgp vpn, ip4, ip6, bgp, ospf, multilink, ethernet, POS, mac-accounting, netflow, and that's really about it. Nothing new or overly complicated.
>
> I was hoping to get some use of the second G1 CPU core, some of the boxes could use more power, mostly for BGP rescans in the face of increasing traffic loads. And possibly newer ip6 code (i barely use it now, but things are heading in that direction.)
>
> Any recommendations for a newer version? Or, if it aint broke, don't fuck with it? Did Cisco ever use both cores of the G1?
>

We did for some PPPoX type offloading functionality, but it turned out to be more complex than it was worth given the faster CPUs and HW forwarding rates desired. Hence the ASR1000 line was developed.
Rodney

> Chris
>

From christian at broknrobot.com Tue Jul 1 10:25:04 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 1 Jul 2008 07:25:04 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A1507.6040107@reub.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net>
Message-ID:

there is no need to have a firewall be an ssh/telnet client, that is not a firewall's purpose... if you want to source ssh/telnet from the same subnet your firewall is on, build a jump box/bastion host.. IMO no network device is a place to be using a remote access protocol (telnet, ssh, rsh), no matter a firewall, router, load balancer, whatever... there is just no reason for it, it just leaves another method of access to your infrastructure in the case your device gets compromised

-christian

From vikassharmas at gmail.com Tue Jul 1 11:27:09 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Tue, 1 Jul 2008 20:57:09 +0530
Subject: [c-nsp] CoPP on PE router for access network
Message-ID:

Hi,

I want to understand the impact of mpls vpn (vrf) control traffic on CoPP. Can I block vrf control plane packets (PE-CE) using CoPP? If yes, what is the impact? Another idea is to use an infrastructure acl, but I am more interested in whether I can block PE-CE control traffic using CoPP.

Regards,
Vikas Sharma

From rodunn at cisco.com Tue Jul 1 11:41:18 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 1 Jul 2008 11:41:18 -0400
Subject: [c-nsp] CoPP on PE router for access network
In-Reply-To:
References:
Message-ID: <20080701154118.GI13269@rtp-cse-489.cisco.com>

Last I checked CoPP was not VRF aware and it applied to any traffic punted to the RP that we could match on, so it would apply to PE-CE links.
Rodney

On Tue, Jul 01, 2008 at 08:57:09PM +0530, Vikas Sharma wrote:
> Hi,
>
> I want to understand the impact of mpls vpn (vrf) control traffic on CoPP.
> Can I block vrf control plane packets (PE-CE) using CoPP? If yes, what is the
> impact? Another idea is to use an infrastructure acl, but I am more interested
> in whether I can block PE-CE control traffic using CoPP.
>
> Regards,
> Vikas Sharma
>

From jhigham at epri.com Tue Jul 1 12:06:29 2008
From: jhigham at epri.com (Higham, Josh)
Date: Tue, 1 Jul 2008 09:06:29 -0700
Subject: [c-nsp] Capture expressions on an FWSM (was Re: Telnet FROM a PIX Appliance?)
In-Reply-To: <48690FB4.6040902@spacething.org>
References: <18dba4e50806300311n5d696788x541c687d7e315e14@mail.gmail.com> <200806301032.m5UAWDRw056902@puck.nether.net> <20080630112104.GG4112@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD462730103B755@uspalex02.epri.com> <002101c8dacb$11339ab0$f211a8c0@flamwsugsmul5v> <48690FB4.6040902@spacething.org>
Message-ID: <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>

> Tony Varriale wrote:
> > Any chance you could give the group more details before saying it
> > can't be trusted?
> >
> I'm afraid I don't have any concrete details to add, but I've found
> capture expressions on Firewall Service Modules to be quite
> inconsistent. Presumably this is something to do with the module's
> interaction with the chassis? I haven't had the time to lab this, and I
> haven't always had problems, but I now generally work to the mantra that
> "the absence of a packet in an FWSM capture is not proof that the packet
> does not exist, but the presence of a packet in a capture does prove
> its existence".
>
> Perhaps there is cisco documentation on this, listing known caveats
> and limitations?
I found the same situation with the ASA (version 8.0 code). Normally you would expect the packet capture to be the very first code path, but this is demonstrably not true. In my case I had a span port on a switch and would get the packet, but a capture on the firewall did not show it.

"The absence of a packet is not proof that the packet doesn't exist"

Thanks,
Josh

> > ----- Original Message -----
> > From: "Higham, Josh"
> > To:
> > Sent: Monday, June 30, 2008 10:41 AM
> > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >
> >
> >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes
> >>>
> >>> I guess it's more as a "working right" educational purpose,
> >>> so you won't use your firewall as a debugging client.
> >>> In newer versions there's the packet tracker that can help
> >>> you debug connectivity problems.
> >>> Ziv
> >>
> >> As an FYI, the ASA/Pix packet capture cannot currently be completely
> >> trusted (version 8.0). I found an annoying bug where I would capture
> >> the frame on a span session monitoring the port connected to the
> >> firewall, but it wouldn't show up on the firewall capture.
> >>
> >> The packet in question was also being dropped by the firewall, but with
> >> no logging (and with a permit ip any any rule in place). The 'fix' was
> >> to apply a nat translation and then remove it. TAC was completely
> >> unhelpful (worst ever TAC experience).
> >>
> >> Blocking outbound sessions on the firewall also means that it can't be
> >> used to bounce an attack, if compromised.
> >>
> >> Thanks,
> >> Josh
> >
> >

From mrz at velvet.org Tue Jul 1 12:40:40 2008
From: mrz at velvet.org (matthew zeier)
Date: Tue, 01 Jul 2008 09:40:40 -0700
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To:
References:
Message-ID: <486A5E08.6000001@velvet.org>

I keep seeing stuff with a udp src or dst port of 0. Anyone else see that in the wild?
Michael Smith wrote:
> Hey Matt:
>
>
>> From: matthew zeier
>> Date: Mon, 30 Jun 2008 13:32:06 -0700
>> To: "cisco-nsp at puck.nether.net"
>> Subject: [c-nsp] bcp on edge filtering & udp
>>
>> Trying to find a pre-build set of ACLs for filtering bogus inbound udp,
>> if one already exists, otherwise I'll have to build my own :)
>
> Here's a good start.
>
> access-list 199 deny udp any any eq 135
> access-list 199 deny udp any any eq 137
> access-list 199 deny udp any any eq 138
> access-list 199 deny udp any any eq 139
> access-list 199 deny udp any any eq 445
> access-list 199 deny udp any any eq 4899
> access-list 199 deny udp any any eq 1434
> access-list 199 deny udp any any eq 194
> access-list 199 deny udp any any eq 529
> access-list 199 deny udp any any eq 994
> access-list 199 deny udp any any eq 69
> access-list 199 deny udp any any range 6666 6669
>
> Regards,
>
> Mike
>

From p.mayers at imperial.ac.uk Tue Jul 1 12:42:43 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 01 Jul 2008 17:42:43 +0100
Subject: [c-nsp] bcp on edge filtering & udp
In-Reply-To: <486A5E08.6000001@velvet.org>
References: <486A5E08.6000001@velvet.org>
Message-ID: <486A5E83.8080706@imperial.ac.uk>

matthew zeier wrote:
> I keep seeing stuff with a udp src or dst port of 0. Anyone else see
> that in the wild?

If you're getting that from netflow, it's probably IP fragments.
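Why NetFlow shows port 0 for fragments, and how that interacts with a port-based deny list like Mike's access-list 199 above, as an added example (not code from anyone in the thread). It builds a UDP datagram, fragments it as a router with a 576-byte MTU would, and extracts the 5-tuple the way a flow exporter or ACL evaluator sees it: only the first fragment carries the UDP header, so every later fragment reports src/dst port 0. The addresses, ports and payload are constructed; the deny-port set is copied from Mike's ACL.

```python
import socket
import struct

IPPROTO_UDP = 17
IP_MF = 0x2000          # "more fragments" bit in the IPv4 flags/offset field
UDP_HDR_LEN = 8

# UDP destination ports denied by Mike's access-list 199 (from the thread).
ACL199_DENY_UDP_DPORTS = ({135, 137, 138, 139, 445, 4899, 1434, 194, 529, 994, 69}
                          | set(range(6666, 6670)))


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ident: int = 0x1234,
               frag_offset: int = 0, more_fragments: bool = False) -> bytes:
    """Minimal IPv4 packet without options; frag_offset is in bytes (multiple of 8)."""
    flags_frag = (IP_MF if more_fragments else 0) | (frag_offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header; checksum 0 means 'not computed', which IPv4 permits."""
    return struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(data), 0) + data


def fragment(packet: bytes, mtu: int) -> list:
    """Split an unfragmented IPv4 packet into fragments that fit the MTU."""
    _, _, _, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    src, dst = socket.inet_ntoa(src), socket.inet_ntoa(dst)
    chunk = (mtu - 20) // 8 * 8             # non-final fragment payloads are 8-byte multiples
    payload = packet[20:]
    frags = []
    for off in range(0, len(payload), chunk):
        last = off + chunk >= len(payload)
        frags.append(build_ipv4(src, dst, proto, payload[off:off + chunk], ident, off, not last))
    return frags


def flow_key(packet: bytes) -> dict:
    """The tuple a flow exporter records; ports stay 0 when no L4 header is present."""
    ver_ihl, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8
    key = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
           "sport": 0, "dport": 0, "non_initial_fragment": offset != 0}
    l4 = packet[ihl:]
    if offset == 0 and proto in (6, 17) and len(l4) >= 4:   # TCP or UDP ports sit in the first 4 bytes
        key["sport"], key["dport"] = struct.unpack("!HH", l4[:4])
    return key


def acl199_action(key: dict) -> str:
    """Evaluate the deny list from the thread against a flow key; anything else is permitted."""
    if key["proto"] == IPPROTO_UDP and key["dport"] in ACL199_DENY_UDP_DPORTS:
        return "deny"
    return "permit"


def demo() -> list:
    """Constructed: a 1400-byte UDP datagram to port 1434, fragmented for a 576-byte MTU."""
    pkt = build_ipv4("10.0.0.1", "192.0.2.10", IPPROTO_UDP, build_udp(40000, 1434, b"A" * 1400))
    return [(flow_key(f), acl199_action(flow_key(f))) for f in fragment(pkt, 576)]


if __name__ == "__main__":
    for key, action in demo():
        print(action, key)
```

The first fragment is denied on port 1434; the two trailing fragments show up as port 0/0 and are permitted, which is also what IOS does for non-initial fragments against an ACE that carries Layer 4 ports (see Cisco's "Access Control Lists and IP Fragments" note: such an ACE permits them but never denies them unless the `fragments` keyword is used). The DLSw case mentioned later in the thread is different: there the UDP header really does carry port 0, and `flow_key` reports it as such.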
From jay at west.net Tue Jul 1 13:17:25 2008
From: jay at west.net (Jay Hennigan)
Date: Tue, 01 Jul 2008 10:17:25 -0700
Subject: [c-nsp] Error
In-Reply-To:
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de>
Message-ID: <486A66A5.4070401@west.net>

Ziv Leyes wrote:
> I have the same fixed IP address at home for 3 years now and I also get mailer error messages lately claiming that MY message didn't reach the recipient, and the reasons are many, such as unknown user, mailbox over quota, out of office auto reply; some are from anti-spam systems, but all of them are sent back to me because the sender address is my e-mail address, and the mail was sent from a lot of IP addresses, none of them even close to mine. So I guess someone is using my e-mail address for sending spam, and I guess I'm not the only one. The reason for spammers to use a valid e-mail address is quite clear: a lot of anti-spam systems perform this kind of check, to see if the sender's address is real and has good "reputation".
>
> Damn them!

Damn both the spammers and the broken mail servers that accept the mail first and then bounce it back to the forged "sender", thus being a secondary source of spam.

The receiving mail system, upon getting mail for an unknown user, mailbox full, or anti-spam detection, should reject the mail immediately, not accept it and then later attempt to bounce it back to the purported sender.

Don't even get me started on "out of office" autoresponders.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From scubacuda at gmail.com Tue Jul 1 13:37:37 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 01 Jul 2008 10:37:37 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
Message-ID: <486A6B61.8090409@gmail.com>

I've got an interesting problem.
I've got some non-Cisco wireless units that are VLAN tagged, and for whatever reason, they're not working, and I'm going to need to pull them down from a roof and troubleshoot them.

Any ideas on what I might do to see them if I were to use a layer 2 non-VLAN-friendly switch? That's all I have immediately available.

Or is doing a hard reset on them my only option?

From jay at west.net Tue Jul 1 13:47:23 2008
From: jay at west.net (Jay Hennigan)
Date: Tue, 01 Jul 2008 10:47:23 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6B61.8090409@gmail.com>
References: <486A6B61.8090409@gmail.com>
Message-ID: <486A6DAB.80504@west.net>

Rogelio wrote:
> I've got an interesting problem. I've got some non-Cisco wireless units
> that are VLAN tagged, and for whatever reason, they're not working, and
> I'm going to need to pull them down from a roof and troubleshoot them.
>
> Any ideas on what I might do to see them if I were to use a layer 2
> non-VLAN-friendly switch? That's all I have immediately available.

Crossover cable and ifconfig on any *nix box or Macintosh to set up the appropriate VLAN.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From scubacuda at gmail.com Tue Jul 1 13:59:01 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 1 Jul 2008 10:59:01 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6DAB.80504@west.net>
References: <486A6B61.8090409@gmail.com> <486A6DAB.80504@west.net>
Message-ID: <2b7af7c40807011059s25c4501bjd3c2343a0cff58b0@mail.gmail.com>

On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan wrote:
>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.

Wow, this is perfect. Thanks!
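Jay's crossover-cable approach needs one fact first: which VLAN ID the unit is actually tagging its frames with. As an added example (not from anyone in the thread), the parser below decodes 802.1Q and 802.1ad (QinQ) tag stacks on raw Ethernet frames and inventories source MACs per outermost VLAN, which is what you would run over a capture taken on the directly connected laptop port before creating the VLAN sub-interface. The frames, MAC addresses and VLAN numbers are constructed; the builder exists only so the example runs offline.

```python
import struct

TPID_8021Q = 0x8100          # customer tag
TPID_8021AD = 0x88A8         # service tag used by QinQ
TPID_LEGACY_QINQ = 0x9100    # pre-standard outer tag still seen on some gear
ETH_ARP = 0x0806
ETH_IPV4 = 0x0800
TPIDS = (TPID_8021Q, TPID_8021AD, TPID_LEGACY_QINQ)


def mac_str(raw: bytes) -> str:
    return ":".join("%02x" % b for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def build_frame(dst: str, src: str, vids, ethertype: int, payload: bytes) -> bytes:
    """Ethernet frame with zero or more VLAN tags (outer first); a two-tag stack gets an 802.1ad outer tag."""
    vids = list(vids)
    tags = b""
    for i, vid in enumerate(vids):
        tpid = TPID_8021AD if (len(vids) > 1 and i == 0) else TPID_8021Q
        tags += struct.pack("!HH", tpid, vid & 0x0FFF)      # PCP=0, DEI=0
    return mac_bytes(dst) + mac_bytes(src) + tags + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack after the MAC addresses and return MACs, tags (outer to inner) and the final EtherType."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = mac_str(frame[:6]), mac_str(frame[6:12])
    pos, tags = 12, []
    while True:
        if pos + 2 > len(frame):
            raise ValueError("frame ends inside the tag stack")
        ethertype = struct.unpack("!H", frame[pos:pos + 2])[0]
        if ethertype not in TPIDS:
            break
        if pos + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        tci = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
        tags.append({"tpid": ethertype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        pos += 4
    return {"dst": dst, "src": src, "tags": tags, "ethertype": ethertype, "payload": frame[pos + 2:]}


def vlan_inventory(frames) -> dict:
    """Map outermost VLAN ID (None for untagged) to the set of source MACs seen on it."""
    seen = {}
    for frame in frames:
        info = parse_frame(frame)
        vid = info["tags"][0]["vid"] if info["tags"] else None
        seen.setdefault(vid, set()).add(info["src"])
    return seen


# Constructed sample capture: the roof unit ARPs on VLAN 5, a laptop sends untagged,
# and one QinQ frame (S-tag 100 over C-tag 5) exercises the nested-tag path.
SAMPLE_FRAMES = [
    build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", [5], ETH_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24),
    build_frame("ff:ff:ff:ff:ff:ff", "00:aa:bb:cc:dd:ee", [], ETH_ARP, b"\x00\x01\x08\x00" + b"\x00" * 24),
    build_frame("00:11:22:33:44:55", "00:de:ad:be:ef:01", [100, 5], ETH_IPV4, b"\x45" + b"\x00" * 19),
]

if __name__ == "__main__":
    for vid, macs in sorted(vlan_inventory(SAMPLE_FRAMES).items(), key=lambda kv: (kv[0] is None, kv[0])):
        print("VLAN", vid, "->", ", ".join(sorted(macs)))
```

Once the inventory shows which VID the unit uses, that is the number to give ifconfig/vconfig on the laptop; a frame whose outer TPID is 0x88A8 or 0x9100 means the device is double-tagging and a plain 802.1Q sub-interface will not see it.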
From scubacuda at gmail.com Tue Jul 1 14:10:38 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 1 Jul 2008 11:10:38 -0700
Subject: [c-nsp] seeing VLAN-tagged device with layer 2 switch
In-Reply-To: <486A6DAB.80504@west.net>
References: <486A6B61.8090409@gmail.com> <486A6DAB.80504@west.net>
Message-ID: <2b7af7c40807011110y97ad036udcc32933df09744c@mail.gmail.com>

On Tue, Jul 1, 2008 at 10:47 AM, Jay Hennigan wrote:
> Rogelio wrote:
>
>> I've got an interesting problem. I've got some non-Cisco wireless units
>> that are VLAN tagged, and for whatever reason, they're not working, and I'm
>> going to need to pull them down from a roof and troubleshoot them.
>>
>> Any ideas on what I might do to see them if I were to use a layer 2
>> non-VLAN-friendly switch? That's all I have immediately available.
>>
>
> Crossover cable and ifconfig on any *nix box or Macintosh to set up the
> appropriate VLAN.

For what it's worth, here's a HOWTO on doing this

http://www.cyberciti.biz/tips/howto-configure-linux-virtual-local-area-network-vlan.html

As you can see, different flavors of Linux do things quite differently... But here is one method of doing it (according to the above URL)

Create the interface

# vconfig add eth0 5
# ifconfig eth0.5
# ifconfig eth0.5 192.168.1.100 netmask 255.255.255.0 broadcast 192.168.1.255 up

Check the interface

# cat /proc/net/vlan/eth0.5

Kill the interface when you're done

# ifconfig eth0.5 down
# vconfig rem eth0.5

From dwinkworth at wi.rr.com Tue Jul 1 14:26:15 2008
From: dwinkworth at wi.rr.com (dwinkworth at wi.rr.com)
Date: Tue, 1 Jul 2008 13:26:15 -0500
Subject: [c-nsp] bcp on edge filtering & udp
Message-ID: <25281100.57441214936775672.JavaMail.root@hrndva-web15-z02>

DLSw uses UDP port 0 by default. There is a feature that allows you to disable this.

http://www.cisco.com/en/US/tech/tk331/tk336/technologies_tech_note09186a0080093eca.shtml

---- matthew zeier wrote:
> I keep seeing stuff with a udp src or dst port of 0.
Anyone else see > that in the wild? > > Michael Smith wrote: > > Hey Matt: > > > > > >> From: matthew zeier > >> Date: Mon, 30 Jun 2008 13:32:06 -0700 > >> To: "cisco-nsp at puck.nether.net" > >> Subject: [c-nsp] bcp on edge filtering & udp > >> > >> Trying to find a pre-build set of ACLs for filtering bogus inbound udp, > >> if one already exists, otherwise I'll have to build my own :) > > > > Here's a good start. > > > > access-list 199 deny udp any any eq 135 > > access-list 199 deny udp any any eq 137 > > access-list 199 deny udp any any eq 138 > > access-list 199 deny udp any any eq 139 > > access-list 199 deny udp any any eq 445 > > access-list 199 deny udp any any eq 4899 > > access-list 199 deny udp any any eq 1434 > > access-list 199 deny udp any any eq 194 > > access-list 199 deny udp any any eq 529 > > access-list 199 deny udp any any eq 994 > > access-list 199 deny udp any any eq 69 > > access-list 199 deny udp any any range 6666 6669 > > > > Regards, > > > > Mike > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From petelists at templin.org Tue Jul 1 14:34:31 2008 From: petelists at templin.org (Pete Templin) Date: Tue, 01 Jul 2008 13:34:31 -0500 Subject: [c-nsp] Error In-Reply-To: <486A66A5.4070401@west.net> References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net> Message-ID: <486A78B7.1070506@templin.org> Jay Hennigan wrote: > Damn both the spammers and the broken mail servers that accept the mail > first and then bounce it back to the forged "sender", thus being a > secondary source of spam. > > The receiving mail system upon getting mail for an unknown user, mailbox > full, or anti-spam detection should reject the mail immediately, not > accept it and then later attempt to bounce it back to the purported sender. 
Then write an updated RFC that changes the standards to reflect this behavior, and get it published and accepted. pt From daniel_p_lacey at yahoo.com Tue Jul 1 15:16:43 2008 From: daniel_p_lacey at yahoo.com (Daniel Lacey) Date: Tue, 01 Jul 2008 12:16:43 -0700 Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface Message-ID: <486A829B.4090606@yahoo.com> Hi all, I am trying to monitor a Cisco router (7206) using OpenNMS and SNMP. It is running: 7200 Software (C7200-IS-M), Version 12.2(19b), RELEASE SOFTWARE (fc3) There is an ATM fiber interface on this router. The sub-interfaces report the correct speed via the SNMP agent. The following interfaces report ifSpeed as 0, even tho the admin has told me that the speed is set by command line for every interface. The interfaces are named: ATM3/0-atm layer ATM3/0-aal5 layer Can anybody shed a little light on what we may be doing wrong? Is this an IOS problem/constraint or user error? Thanks in advance! Dan From ddunkin at netos.net Tue Jul 1 15:49:32 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Tue, 1 Jul 2008 12:49:32 -0700 Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface References: <486A829B.4090606@yahoo.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF206FB84E@MAIL.nosi.netos.com> This is normal behavior from what I've seen, as you don't have a PVC configured for the main interface so it has no bandwidth on the ATM layer. This is the view from a 7500, but I see the same results. Look at the 0.0 interface instead. 
ifIndex  IfDescr                ifType  ifMtu  ifSpeed
5        ATM0/0/0-atm layer     37             0
6        ATM0/0/0.0-atm subif   134            149760000
7        ATM0/0/0-aal5 layer    49             0
8        ATM0/0/0.0-aal5 layer  49      4470   149760000

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Lacey
Sent: Tuesday, July 01, 2008 12:17
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206 misreporting ifSpeed via SNMP on ATM fiber interface

Hi all,

I am trying to monitor a Cisco router (7206) using OpenNMS and SNMP.

It is running:
7200 Software (C7200-IS-M), Version 12.2(19b), RELEASE SOFTWARE (fc3)

There is an ATM fiber interface on this router. The sub-interfaces report the correct speed via the SNMP agent.

The following interfaces report ifSpeed as 0, even tho the admin has told me that the speed is set by command line for every interface.

The interfaces are named:
ATM3/0-atm layer
ATM3/0-aal5 layer

Can anybody shed a little light on what we may be doing wrong? Is this an IOS problem/constraint or user error?

Thanks in advance!

Dan
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sam_mailinglists at spacething.org Tue Jul 1 15:55:56 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Tue, 01 Jul 2008 20:55:56 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486A1507.6040107@reub.net>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net>
Message-ID: <486A8BCC.7070606@spacething.org>

I can buy the compromising argument for a reason not to do this.

I think the reason most people here want to be able to do outbound telnet is for troubleshooting - checking port connectivity and protocol banners. Many times administrators are insistent that a server is listening on such and such a port, and it's not.
It's nice to be able to troubleshoot problems in chunks. Sam Reuben Farrelly wrote: > You also can't ssh from a PIX, but you can of course ssh to it. > > So it's not IMHO likely to be a case of "telnet being insecure", but > avoiding -all- client sourced access from a PIX out to anything else > which the PIX could potentially connect to. > > I suspect the thinking is that the PIX itself, if compromised, can't > be used as a platform to launch into other devices in the network. > Especially given it is probably one device which would normally have > direct and unrestricted access to the private and DMZ networks in most > topologies... > > Reuben > > > > On 1/07/2008 9:19 PM, Aaron R wrote: >> Hi, >> >> As we all know Telnet is plaintext and insecure. I assume they have >> disabled >> telnet from the firewall to encourage secure communication? >> I don't see why else they would have disabled it. Having said this they >> still enable telnet to the device which is a complete contradiction :P >> >> Cisco? >> >> Cheers, >> >> Aaron. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tdurack at gmail.com Tue Jul 1 16:18:27 2008 From: tdurack at gmail.com (Tim Durack) Date: Tue, 1 Jul 2008 16:18:27 -0400 Subject: [c-nsp] iSCSI SAN, Ethernet flow-control and redundant network topology Message-ID: <9e246b4d0807011318h4ff23a5en675b9bd2383ae93@mail.gmail.com> I'm coming under some pressure to enable ethernet flow-control and modify our network topology to keep a Dell iSCSI SAN engineer happy. (We already have several years successful experience with another iSCSI SAN, so this isn't new to us.) >From what I can tell ethernet flow-control probably doesn't work too well in the age of wire-speed switches. 
It could be deployed switch->server if really desired, but even then it might simply interfere with the higher-layer iSCSI/TCP congestion control mechanism. Our DC network topology is straight out of Cisco's DC design guide - every access switch is redundantly connected to two 6509s, 6509s 2x10G trunked, 6509s are the STP root. (I'd probably run VSS if it was baked a little more.) I've already got some good docs for reference, but any comments from the field? Tim:> From peder at networkoblivion.com Tue Jul 1 16:37:27 2008 From: peder at networkoblivion.com (Peder @ NetworkOblivion) Date: Tue, 01 Jul 2008 15:37:27 -0500 Subject: [c-nsp] PA-MC-T3 Error Message-ID: <486A9587.4060300@networkoblivion.com> I am getting the following on a new cT3 from a provider into a PA-MC-T3. I think it indicates that there is an issue on their end, but they say I have a config issue. Can anybody confirm or deny if this points to an issue on my end, or if it is their end? I have other DS3's into other equipment and there really isn't much to set, so I think it is their issue. When they do a loopback to me, I see it come up. 7204VXR#sh contr t3 3/0 T3 3/0 is down. Hardware is CT3 single wide port adapter CT3 H/W Version : 1.0.1, CT3 ROM Version : 1.1, CT3 F/W Version : 2.4.3 FREEDM version: 1, reset 0 resurrect 0 Applique type is Channelized T3 Description: Time Warner Transmitter is sending remote alarm. Receiver is getting AIS. 
  Framing is M23, Line Code is B3ZS, Clock Source is Line
  Rx-error throttling on T1's ENABLED
  Rx throttle total 0, equipment customer loopback
  Data in current interval (205 seconds elapsed):
     0 Line Code Violations, 0 P-bit Coding Violation
     0 C-bit Coding Violation, 0 P-bit Err Secs
     0 P-bit Severely Err Secs, 0 Severely Err Framing Secs
     205 Unavailable Secs, 0 Line Errored Secs
     0 C-bit Errored Secs, 0 C-bit Severely Errored Secs

SHOW RUN:

controller T3 3/0
 framing m23
 clock source line
 t1 1 channel-group 0 timeslots 1-24
 t1 2 channel-group 0 timeslots 1-24
 t1 3 channel-group 0 timeslots 1-24
 t1 4 channel-group 0 timeslots 1-24
 t1 5 channel-group 0 timeslots 1-24
 t1 6 channel-group 0 timeslots 1-24
 t1 7 channel-group 0 timeslots 1-24
 t1 8 channel-group 0 timeslots 1-24
 t1 9 channel-group 0 timeslots 1-24

From SPfister at dps.k12.oh.us Tue Jul 1 16:39:44 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 01 Jul 2008 16:39:44 -0400
Subject: [c-nsp] L2TPv3 tunnel - one-way only
Message-ID: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us>

I've got an L2TPv3 tunnel set up between our central location and one of our remote sites. Everything looks OK, but data is only flowing one way (from the central side to the remote side, it looks like). Has anyone seen anything like this?

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From jasongurtz at npumail.com Tue Jul 1 16:39:30 2008 From: jasongurtz at npumail.com (Jason Gurtz) Date: Tue, 1 Jul 2008 16:39:30 -0400 Subject: [c-nsp] Error In-Reply-To: <486A78B7.1070506@templin.org> References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net> <486A78B7.1070506@templin.org> Message-ID: > Then write an updated RFC that changes the standards to reflect this > behavior, and get it published and accepted. Looks like 5821 will have to do (3821/4821 already taken) and be great when everyone's compliant by the year 2030. In the meantime, BATV (draft is: draft-levine-smtp-batv-01) can be of help. Helpfully, it even breaks most C/R systems as well :) ~JasonG -- From rodunn at cisco.com Tue Jul 1 16:54:03 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 1 Jul 2008 16:54:03 -0400 Subject: [c-nsp] L2TPv3 tunnel - one-way only In-Reply-To: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us> References: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us> Message-ID: <20080701205403.GO14994@rtp-cse-489.cisco.com> What boxes? I saw this once with the 3845 (I think it was) where the LAN interface was not going in to promiscuous mode to rx all mac frames. Check the VC and see if you only see tx or rx counters and on which box. Also check 'sh controller' to see if there is a promiscuous mode in it. Rodney On Tue, Jul 01, 2008 at 04:39:44PM -0400, Steven Pfister wrote: > I've got an L2TPv3 tunnel set up between our central location and one of our remote sites. Everything looks OK, but data is only flowing one way (from the central side to the remote side, it looks like). Has anyone seen anything like this? > > Thanks! > > Steve Pfister > Technical Coordinator, > The Office of Information Technology > Dayton Public Schools > 115 S. Ludlow St. 
> Dayton, OH 45402 > > Office (937) 542-3149 > Cell (937) 673-6779 > Direct Connect: 137*131747*8 > Email spfister at dps.k12.oh.us > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From almog.purepeak at gmail.com Tue Jul 1 17:19:27 2008 From: almog.purepeak at gmail.com (almog ohayon) Date: Wed, 2 Jul 2008 00:19:27 +0300 Subject: [c-nsp] Real life - traffic limit .. Message-ID: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com> Hi, I have the following scenario : 1 specific source to 1 specific destination that needs to be limit to certain amount of bandwidth but still have minimum BW guarantee and minimum packet drops . which method to use : police ? shape average/peak ? priority ? etc... if you can give me a real life example it would be excellent . From christian at broknrobot.com Tue Jul 1 19:47:38 2008 From: christian at broknrobot.com (Christian Koch) Date: Tue, 1 Jul 2008 19:47:38 -0400 Subject: [c-nsp] Real life - traffic limit .. In-Reply-To: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com> References: <3b53747c0807011419w38c621e0w3851977875f16bbe@mail.gmail.com> Message-ID: what is your hardware/software ver platform? On Tue, Jul 1, 2008 at 5:19 PM, almog ohayon wrote: > Hi, > I have the following scenario : > 1 specific source to 1 specific destination that needs to be limit to > certain amount of bandwidth but > still have minimum BW guarantee and minimum packet drops . > > which method to use : > police ? > shape average/peak ? > priority ? > etc... > > if you can give me a real life example it would be excellent . 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- ^christian$ From mtinka at globaltransit.net Tue Jul 1 21:32:35 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 2 Jul 2008 09:32:35 +0800 Subject: [c-nsp] 7200 upgrade from 12.2(25)S8 In-Reply-To: <20080701141623.GE13269@rtp-cse-489.cisco.com> References: <20080701035035.GF12357@ref.nmedia.net> <20080701141623.GE13269@rtp-cse-489.cisco.com> Message-ID: <200807020932.35530.mtinka@globaltransit.net> On Tuesday 01 July 2008 22:16:23 Rodney Dunn wrote: > As a migration path 12.2(33)SRC1... We've had some success with SRC in testing and partial deployment - as well as some interesting experiences. We like it because it's quite comprehensive, and runs across all our NPE-G1/G2 and 7201 deployments. Having a single OS on all routers of the same family is a plus. Watch out for bugs, especially if your configuration gets a little complex. Otherwise, SRC2 should be out later this month. Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
URL: From whisper555 at gmail.com Tue Jul 1 23:59:46 2008 From: whisper555 at gmail.com (Whisper) Date: Wed, 2 Jul 2008 13:59:46 +1000 Subject: [c-nsp] bcp on edge filtering & udp In-Reply-To: References: <486942C6.8030900@velvet.org> Message-ID: <5333e1040807012059q46dc9d0ct9998c81fa3d42a28@mail.gmail.com> access-list 199 permit tcp any any access-list 199 permit icmp any any :) On Tue, Jul 1, 2008 at 3:34 PM, Michael Smith wrote: > Hey Matt: > > > > From: matthew zeier > > Date: Mon, 30 Jun 2008 13:32:06 -0700 > > To: "cisco-nsp at puck.nether.net" > > Subject: [c-nsp] bcp on edge filtering & udp > > > > Trying to find a pre-build set of ACLs for filtering bogus inbound udp, > > if one already exists, otherwise I'll have to build my own :) > > Here's a good start. > > access-list 199 deny udp any any eq 135 > access-list 199 deny udp any any eq 137 > access-list 199 deny udp any any eq 138 > access-list 199 deny udp any any eq 139 > access-list 199 deny udp any any eq 445 > access-list 199 deny udp any any eq 4899 > access-list 199 deny udp any any eq 1434 > access-list 199 deny udp any any eq 194 > access-list 199 deny udp any any eq 529 > access-list 199 deny udp any any eq 994 > access-list 199 deny udp any any eq 69 > access-list 199 deny udp any any range 6666 6669 > > Regards, > > Mike > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jay at west.net Wed Jul 2 00:19:07 2008 From: jay at west.net (Jay Hennigan) Date: Tue, 01 Jul 2008 21:19:07 -0700 Subject: [c-nsp] PA-MC-T3 Error In-Reply-To: <486A9587.4060300@networkoblivion.com> References: <486A9587.4060300@networkoblivion.com> Message-ID: <486B01BB.1060602@west.net> Peder @ NetworkOblivion wrote: > I am getting the following on a new cT3 from a provider into a PA-MC-T3. 
> I think it indicates that there is an issue on their end, but they say > I have a config issue. Can anybody confirm or deny if this points to an > issue on my end, or if it is their end? I have other DS3's into other > equipment and there really isn't much to set, so I think it is their > issue. When they do a loopback to me, I see it come up. Does the other side come up with a hard loop (co-ax jumper) from you? > 7204VXR#sh contr t3 3/0 > Transmitter is sending remote alarm. You are sending to the other end an indication that you are receiving an alarm from the other side. > Receiver is getting AIS. The other end is sending you a signal that it is seeing all 1 bits from you, unframed. > Framing is M23, Line Code is B3ZS, Clock Source is Line Make sure that the other side is set similarly, B3ZS and M23 (some equipment may have this as M13). Make sure that neither side has the TX and RX co-ax cables swapped. -- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From oboehmer at cisco.com Wed Jul 2 02:22:25 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 2 Jul 2008 08:22:25 +0200 Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under thesame physical interface In-Reply-To: <1214849728.8702.10.camel@dsba-ipso> References: <1214849728.8702.10.camel@dsba-ipso> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> luismi <> wrote on Monday, June 30, 2008 8:15 PM: > Hi there, > > I have a dude I could solve using a lab enviroment but for several > reasons I don't have enought time at this momment, neither I have the > correct equipment here. > > I am thinking on collapse several routers configurations in new > equipment, deploying subinterfaces with 802.1q and VRFs. 
> > The situation is that for the same physical interface I would have > several subinterfaces, working in the same vlan but diferent vrf, with > also diferent ip addresses but all of them are in the same subnet. > > The question is, is the router going to be enough clever to deliver > the packet in the correct interface? Take note that the IP address > use as destination in the incoming packet is not going to be ip > address of the interface since the router and its vrfs. This is not going to work. The router needs the vlan tag to associate the appropriate (sub)interface with the packet, so the vlan tag has to be unique on the interface (some platforms like the 6500 even ask for a unique tag per system). VRF association comes later and is based on the vrf configured on the (sub)interface. So if you want to consolidate multiple vlan/.1q connections, you will need to change vlan IDs in order to make them unique. oli From ayourtch at gmail.com Wed Jul 2 04:57:36 2008 From: ayourtch at gmail.com (Andrew Yourtchenko) Date: Wed, 2 Jul 2008 10:57:36 +0200 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: <486A8BCC.7070606@spacething.org> References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <486A8BCC.7070606@spacething.org> Message-ID: <530c5af60807020157k1083c5ffnf05d50304652828e@mail.gmail.com> On Tue, Jul 1, 2008 at 9:55 PM, Sam Stickland wrote: > I can buy the comprising argument for a reason not to do this. > > I think the reason most people here want to be able to do outbound telnet is > for troubleshooting - checking port connectivity and protocol banners. Many > times administrators are insistent that a server is listening on such and > such a port, and it's not. It's nice to be able to troubleshoot problems in > chunks. > if the matter is just testing whether the TCP server is listening on a given port or not, would the following work for this purpose ? 
-----
access-list foo permit tcp host x.x.x.x host y.y.y.y
access-list foo permit tcp host y.y.y.y host x.x.x.x
capture test interface bar access-list foo
copy http://x.x.x.x:NNNN/test flash:test
show capture test detail
-----

thanks,
andrew

From tom at snnap.net Wed Jul 2 05:09:53 2008
From: tom at snnap.net (Tom Storey)
Date: Wed, 2 Jul 2008 18:39:53 +0930
Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under the same physical interface
In-Reply-To: <1214849728.8702.10.camel@dsba-ipso>
References: <1214849728.8702.10.camel@dsba-ipso>
Message-ID:

On 01/07/2008, at 3:45 AM, luismi wrote:
> The question is, is the router going to be enough clever to deliver
> the
> packet in the correct interface?

Let's assume the router was clever enough to do this, the question would then be: are the switches clever enough to do it? The buck doesn't stop at the router. :-)

You've got 4094 VLAN IDs to choose from, go nuts.

Tom

From ayourtch at gmail.com Wed Jul 2 05:19:26 2008
From: ayourtch at gmail.com (Andrew Yourtchenko)
Date: Wed, 2 Jul 2008 11:19:26 +0200
Subject: [c-nsp] Capture expressions on an FWSM (was Re: Telnet FROM a PIX Appliance?)
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>
References: <18dba4e50806300311n5d696788x541c687d7e315e14@mail.gmail.com> <200806301032.m5UAWDRw056902@puck.nether.net> <20080630112104.GG4112@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD462730103B755@uspalex02.epri.com> <002101c8dacb$11339ab0$f211a8c0@flamwsugsmul5v> <48690FB4.6040902@spacething.org> <4C3B8C75B5899943AEC675BA6DD462730103B904@uspalex02.epri.com>
Message-ID: <530c5af60807020219y75c93c8are15479325d76ddfb@mail.gmail.com>

On Tue, Jul 1, 2008 at 6:06 PM, Higham, Josh wrote:
>> Tony Varriale wrote:
>> > Any chance you could give the group more details before saying it
>> > can't be trusted?
>> > >> I'm afraid I don't have any concrete details to add, but I've found >> capture expressions on Firewall Service Modules to be quite >> inconsistent. Presumably this is something to do with the modules >> interaction with the chassis? I haven't had the time to lab >> this, and I >> haven't always had problems, but I now generally work to the >> mantra that >> "the absence of a packet in an FWSM capture is not proof that >> the packet >> does not exist, but the presence of a packet in a capture does prove >> it's existence". >> >> Perhaps there is a cisco documentation on this, listing known caveats >> and limitations? it's useful to make a distinction between the FWSM and ASA. FWSM has a few distinct components - fast path, session path, and control plane. The bulk of the traffic goes over a fast path (separate chips), and the capture is accumulated on the control plane. While this sounds easy, in reality there are a lot of different scenarios to account for - and not all of them were caught the first time. Generally in 3.1.9 I have found it to be reasonably reliable - but I still tend to apply the same principle as you when it comes to "tricky" scenarios where the packets are absent - that I try to doublecheck to ensure there is no mistake made. The capture on the FWSM should work similar to ASA's - with the obvious caveat that since the packets are collected on the control plane, the timing might be a bit off - so for time-sensitive scenarios I'd still advise the span (by the way, the absence of the packets there is also not a proof that the packet did not exist :-) - keep in mind the DEC field notice. The descriptions for the fixes within the capture component should be coming up within the normal release notes - as for everything else. Now, the ASA is purely software, which makes things a lot easier. To me the only issue that readily comes to mind is CSCsh89784. 
The code is pretty early in the packet path, so the only reason I can see is that there was some issue at a lower level - the NIC driver. But then the tweaks with the xlate on the other hand should not have changed anything... If you're able to make this behaviour happen at will, please drop me an email. thanks, andrew > > I found the same situation with the ASA (version 8.0 code). Normally > you would expect the packet capture to be the very first code path, but > this is demonstrably not true. In my case I had a span port on a switch > and would get the packet, but a capture on the firewall did not show it. > > "The absence of a packet is not proof that the packet doesn't exist" > > Thanks, > Josh > >> > ----- Original Message ----- From: "Higham, Josh" >> > To: >> > Sent: Monday, June 30, 2008 10:41 AM >> > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> > >> > >> >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Leyes >> >>> >> >>> I guess it's more as a "working right" educational purpose, >> >>> so you won't use your firewall as a debugging client. >> >>> In newer versions there's the packet tracker that can help >> >>> you debug connectivity problems. >> >>> Ziv >> >> >> >> As an FYI, the ASA/Pix packet capture cannot currently be >> completely >> >> trusted (version 8.0). I found an annoying bug where I >> would capture >> >> the frame on a span session monitoring the port connected to the >> >> firewall, but it wouldn't show up on the firewall capture. >> >> >> >> The packet in question was also being dropped by the >> firewall, but with >> >> no logging (and with a permit ip any any rule in place). >> The 'fix' was >> >> to apply a nat translation and then remove it. TAC was completely >> >> unhelpful (worst ever TAC experience). >> >> >> >> Blocking outbound sessions on the firewall also means that >> it can't be >> >> used to bounce an attack, if compromised. 
>> >> >> >> Thanks, >> >> Josh >> > >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From asturluismi at gmail.com Wed Jul 2 05:23:25 2008 From: asturluismi at gmail.com (luismi) Date: Wed, 02 Jul 2008 11:23:25 +0200 Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan under thesame physical interface In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> Message-ID: <1214990605.6603.4.camel@dsba-ipso> What I was thinking in assign different subinterfaces (from different physical interfaces) to the same vlan in the same chassis. I think that the router will be able to manage that configuration, for example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same vlan, with different IP address from the same subnet. Is that correct? El mi?, 02-07-2008 a las 08:22 +0200, Oliver Boehmer (oboehmer) escribi?: > luismi <> wrote on Monday, June 30, 2008 8:15 PM: > > > Hi there, > > > > I have a dude I could solve using a lab enviroment but for several > > reasons I don't have enought time at this momment, neither I have the > > correct equipment here. > > > > I am thinking on collapse several routers configurations in new > > equipment, deploying subinterfaces with 802.1q and VRFs. > > > > The situation is that for the same physical interface I would have > > several subinterfaces, working in the same vlan but diferent vrf, with > > also diferent ip addresses but all of them are in the same subnet. > > > > The question is, is the router going to be enough clever to deliver > > the packet in the correct interface? 
Take note that the IP address > > use as destination in the incoming packet is not going to be ip > > address of the interface since the router and its vrfs. > > This is not going to work. The router needs the vlan tag to associate > the appropriate (sub)interface with the packet, so the vlan tag has to > be unique on the interface (some platforms like the 6500 even ask for a > unique tag per system). VRF association comes later and is based on the > vrf configured on the (sub)interface. > So if you want to consolidate multiple vlan/.1q connections, you will > need to change vlan IDs in order to make them unique. > > oli From oboehmer at cisco.com Wed Jul 2 05:38:31 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 2 Jul 2008 11:38:31 +0200 Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan underthesame physical interface In-Reply-To: <1214990605.6603.4.camel@dsba-ipso> References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> <1214990605.6603.4.camel@dsba-ipso> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com> luismi wrote on Wednesday, July 02, 2008 11:23 AM: > What I was thinking in assign different subinterfaces (from different > physical interfaces) to the same vlan in the same chassis. > > I think that the router will be able to manage that configuration, for > example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same > vlan, with different IP address from the same subnet. > > Is that correct? yes, this will work on most platforms. The 6500/7600 uses system-wide vlans (with a few exceptions), so this won't work there.. Tom's comment on the (possibly connected) switched infrastructure still applies, but if you are "only" consolidating the router part, it should work. 
oli > > El mi?, 02-07-2008 a las 08:22 +0200, Oliver Boehmer (oboehmer) > escribi?: >> luismi <> wrote on Monday, June 30, 2008 8:15 PM: >> >>> Hi there, >>> >>> I have a dude I could solve using a lab enviroment but for several >>> reasons I don't have enought time at this momment, neither I have >>> the correct equipment here. >>> >>> I am thinking on collapse several routers configurations in new >>> equipment, deploying subinterfaces with 802.1q and VRFs. >>> >>> The situation is that for the same physical interface I would have >>> several subinterfaces, working in the same vlan but diferent vrf, >>> with also diferent ip addresses but all of them are in the same >>> subnet. >>> >>> The question is, is the router going to be enough clever to deliver >>> the packet in the correct interface? Take note that the IP address >>> use as destination in the incoming packet is not going to be ip >>> address of the interface since the router and its vrfs. >> >> This is not going to work. The router needs the vlan tag to associate >> the appropriate (sub)interface with the packet, so the vlan tag has >> to be unique on the interface (some platforms like the 6500 even ask >> for a unique tag per system). VRF association comes later and is >> based on the vrf configured on the (sub)interface. >> So if you want to consolidate multiple vlan/.1q connections, you will >> need to change vlan IDs in order to make them unique. 
>> >> oli From asturluismi at gmail.com Wed Jul 2 07:12:03 2008 From: asturluismi at gmail.com (luismi) Date: Wed, 02 Jul 2008 13:12:03 +0200 Subject: [c-nsp] Multiple 802.1q subinterfaces with the same vlan underthesame physical interface In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com> References: <1214849728.8702.10.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88C78@xmb-ams-333.emea.cisco.com> <1214990605.6603.4.camel@dsba-ipso> <70B7A1CCBFA5C649BD562B6D9F7ED78405A88DF4@xmb-ams-333.emea.cisco.com> Message-ID: <1214997123.6603.9.camel@dsba-ipso> My conclusion is that in the scenario I am using the problem is that it won't be possible to configure a router with several subinterfaces in the same vlan under the same physical interface due an issue with the MAC address and the switches side. And yes, At the moment I am just trying to consolidate the router side, reduce the management efforts, point of failures... since we go for just 2 routers in HSRP with vlans and VRF instead of a 4 routers (2 x HSRP). Thanks for all the comments. El mi?, 02-07-2008 a las 11:38 +0200, Oliver Boehmer (oboehmer) escribi?: > luismi wrote on Wednesday, July 02, 2008 11:23 AM: > > > What I was thinking in assign different subinterfaces (from different > > physical interfaces) to the same vlan in the same chassis. > > > > I think that the router will be able to manage that configuration, for > > example: fa0/0.1 and fa1/0.1 working in different vrfs but in the same > > vlan, with different IP address from the same subnet. > > > > Is that correct? > > yes, this will work on most platforms. The 6500/7600 uses system-wide vlans (with a few exceptions), so this won't work there.. > Tom's comment on the (possibly connected) switched infrastructure still applies, but if you are "only" consolidating the router part, it should work. 
>
> oli
>
>
>
> > On Wed, 02-07-2008 at 08:22 +0200, Oliver Boehmer (oboehmer) wrote:
> >> luismi <> wrote on Monday, June 30, 2008 8:15 PM:
> >>
> >>> Hi there,
> >>>
> >>> I have a doubt I could resolve using a lab environment, but for several
> >>> reasons I don't have enough time at this moment, nor do I have
> >>> the correct equipment here.
> >>>
> >>> I am thinking of collapsing several routers' configurations into new
> >>> equipment, deploying subinterfaces with 802.1q and VRFs.
> >>>
> >>> The situation is that on the same physical interface I would have
> >>> several subinterfaces, working in the same vlan but in different VRFs,
> >>> with different IP addresses as well, but all of them in the same
> >>> subnet.
> >>>
> >>> The question is, is the router going to be clever enough to deliver
> >>> the packet to the correct interface? Take note that the IP address
> >>> used as destination in the incoming packet is not going to be the IP
> >>> address of the interface, since the router and its VRFs.
> >>
> >> This is not going to work. The router needs the vlan tag to associate
> >> the appropriate (sub)interface with the packet, so the vlan tag has
> >> to be unique on the interface (some platforms like the 6500 even ask
> >> for a unique tag per system). VRF association comes later and is
> >> based on the vrf configured on the (sub)interface.
> >> So if you want to consolidate multiple vlan/.1q connections, you will
> >> need to change vlan IDs in order to make them unique.
> >>
> >> oli

From zivl at gilat.net Wed Jul 2 07:26:27 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Wed, 2 Jul 2008 14:26:27 +0300
Subject: [c-nsp] Error
In-Reply-To:
References: <200806301619.m5UGJs6f073793@puck.nether.net> <20080630163859.GM4633@greenie.muc.de> <486A66A5.4070401@west.net> <486A78B7.1070506@templin.org>
Message-ID:

I'm not the one who is capable of doing it, and I don't wanna sound demagogic, but I think the whole SMTP protocol should be re-written from scratch.
We're talking about a protocol that is over 40 years old! And nowadays we need much more than a "simple mail transfer protocol".
Well, this goes also for TCP...

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Gurtz
Sent: Tuesday, July 01, 2008 11:40 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Error

> Then write an updated RFC that changes the standards to reflect this
> behavior, and get it published and accepted.

Looks like 5821 will have to do (3821/4821 already taken) and be great when everyone's compliant by the year 2030.

In the meantime, BATV (draft is: draft-levine-smtp-batv-01) can be of help. Helpfully, it even breaks most C/R systems as well :)

~JasonG

--
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From vikassharmas at gmail.com Wed Jul 2 07:49:02 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Wed, 2 Jul 2008 17:19:02 +0530
Subject: [c-nsp] /31 network
Message-ID:

Hi,

Has anyone used /31 networks instead of /30? I believe it is recommended to use /31 networks? Need expert comments.
Regards,
Vikas Sharma

From risnaini at indo.net.id Wed Jul 2 07:56:06 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 02 Jul 2008 18:56:06 +0700
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <486B6CD6.5010107@indo.net.id>

Yep, it works.

a. rahman isnaini r.sutan

Vikas Sharma wrote:
> Hi,
>
> Has anyone used /31 networks instead of /30? I believe it is recommended to
> use /31 networks? Need expert comments.
>
> Regards,
> Vikas Sharma
>
>
>

From stig.johansen at ementor.no Wed Jul 2 08:15:56 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Wed, 2 Jul 2008 14:15:56 +0200
Subject: [c-nsp] /31 network
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B11@100NOOSLMSG004.common.alpharoot.net>

Hi there,

It works just fine on "newer" Cisco IOS for point-to-point links. (It came in 12.2(2)T and 12.2(28)SB). The RFC is 3021 (Using 31-Bit Prefixes on IPv4 Point-to-Point Links).

/Stig

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: 2 July 2008 13:49
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] /31 network

Hi,

Has anyone used /31 networks instead of /30? I believe it is recommended to use /31 networks? Need expert comments.
Regards,
Vikas Sharma

From harbor235 at gmail.com Wed Jul 2 08:57:14 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 08:57:14 -0400
Subject: [c-nsp] Route Reflector Design
Message-ID: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.

thanx in advance

Mike j

From ianh at chime.net.au Wed Jul 2 08:00:10 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Wed, 2 Jul 2008 20:00:10 +0800
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <100362309621454DAA534950B17E55DB9E02CAA8F3@isp-per-exc01.win2k.iinet.net.au>

Vikas Sharma wrote on 2008-07-02:
> Has anyone used /31 networks instead of /30? I believe it is
> recommended to use /31 networks? Need expert comments.

Works fine. Just don't use x.x.x.0/31 or x.x.x.254/31, otherwise you'll get complaints from Windows users that traceroute no longer works.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From charles at thewybles.com Wed Jul 2 09:24:15 2008
From: charles at thewybles.com (charles at thewybles.com)
Date: Wed, 2 Jul 2008 13:24:15 +0000
Subject: [c-nsp] Route Reflector Design
Message-ID: <343740191-1215005099-cardhu_decombobulator_blackberry.rim.net-2140976254-@bxe135.bisx.prod.on.blackberry>

Can you provide a link to the documentation you have reviewed already? Saves the google.
:)

I'm in the process of building out a service provider network, and route reflector/noc info etc. is a big part of that process.

Thanks!

Charles Wyble

------Original Message------
From: Mike Johnson
Sender:
To: cisco-nsp at puck.nether.net
Sent: Jul 2, 2008 5:57 AM
Subject: [c-nsp] Route Reflector Design

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.

thanx in advance

Mike j

Sent via BlackBerry from T-Mobile

From justin at justinshore.com Wed Jul 2 09:27:06 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 02 Jul 2008 08:27:06 -0500
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <486B822A.6040206@justinshore.com>

It works fine here. I use it for all my infrastructure links between Cisco gear (and only Cisco gear). More specifically, IOS devices. I don't believe FWSMs, IDSMs, ASAs, etc. have support for it. I never tried, but I'd seriously doubt it.

Justin

Vikas Sharma wrote:
> Hi,
>
> Has anyone used /31 networks instead of /30? I believe it is recommended to
> use /31 networks? Need expert comments.
>
> Regards,
> Vikas Sharma

From ccie15385 at gmail.com Wed Jul 2 09:34:57 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Wed, 2 Jul 2008 15:34:57 +0200
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <001201c8dc48$6d726a30$8604030a@africa.enterprise.root>

Hi Mike,

Regarding the next-hop stuff, taken from the RFC (2796):

In addition, when a RR reflects a route, it should not modify the following path attributes: NEXT_HOP, AS_PATH, LOCAL_PREF, and MED. Their modification could potentially result in routing loops.

Also on page 6 of this RFC the deployment of RRs is discussed under the heading "9. Configuration and Deployment Considerations".

Hope this helps...

Cheers
JC

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
Sent: Wednesday, July 02, 2008 2:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Route Reflector Design

To all,

Does anyone have any good docs on RR design in service provider networks?

I have read docs detailing a central route reflector and a RR for each POP. The piece I am missing is how the next-hop attribute reflected for each POP prefix (say POP1) into the AS is routed to by other POPs or other routers not peering with POP1 (say POP10)?

I assume an IGP is used somehow; however, it's the internal IGP design I am not grasping.
thanx in advance

Mike j

From tim at pelican.org Wed Jul 2 09:34:19 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 2 Jul 2008 14:34:19 +0100 (BST)
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID:

On Wed, July 2, 2008 1:57 pm, Mike Johnson wrote:
> Does anyone have any good docs on RR design in service provider networks?
>
>
> I have read docs detailing a central route reflector and a RR for each
> POP. The piece I am missing is how the next-hop attribute reflected for
> each POP prefix (say POP1) into the AS is routed to by other POPs or
> other routers not peering with POP1 (say POP10)?
>
> I assume an IGP is used somehow; however, it's the internal IGP design I
> am not grasping.

Have all the edge boxes - RR clients in PoPs - set update-source to a loopback, and set next-hop self.

Peer between loopbacks everywhere.

Put all the loopbacks in your IGP.

Job done :)

Regards,
Tim.

From jaitken at aitken.com Wed Jul 2 09:35:23 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Wed, 2 Jul 2008 13:35:23 +0000
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <20080702133523.GA68759@eagle.aitken.com>

On Wed, Jul 02, 2008 at 08:57:14AM -0400, Mike Johnson wrote:
> I have read docs detailing a central route reflector and a RR for each POP.
> [...]
> I assume an IGP is used somehow; however, it's the internal IGP design I am
> not grasping.

Mike,

A common, but by no means the only, strategy is as follows:

1. All routers participate in a single, flat IGP.
   The only routes carried in the IGP are loopbacks and links between routers. All other routes are carried in BGP. This keeps things simple and promotes fast convergence.

2. All core routers participate in a full IBGP mesh.

3. All lower-level routers in a "region" are client peers of the cores that serve that region (where 'region' could mean POP, city, country, etc., depending on your network).

4. All routes advertised via BGP have their next-hop reset where they enter the network. Typically this is on the edge routers, which are client peers of the local core routers, but can be done anywhere. The end result is that no matter where on the network you stand, every BGP route has a next-hop address that corresponds to a router loopback that you know how to reach via your IGP.

Variations on this model might include:

a. Multi-{level,area} IGP, if your network is big enough to warrant it.

b. Fewer reflectors, from "regional" all the way to "central".

c. In very large or complex networks, you might see tiered reflection or confederations, but those should be fairly rare.

--Jeff

From harbor235 at gmail.com Wed Jul 2 09:48:23 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 09:48:23 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To:
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com>
Message-ID: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>

Tim,

Got that; now, for a large network, would you create a backbone area (OSPF) for regionalization of routes and make routers within the region into other areas? It's the underlying IGP design that makes all the connector nets to POPs available that is my main concern.

thanx for your help,

-Mike j

On 7/2/08, Tim Franklin wrote:
>
> On Wed, July 2, 2008 1:57 pm, Mike Johnson wrote:
>
> > Does anyone have any good docs on RR design in service provider networks?
> >
> >
> > I have read docs detailing a central route reflector and a RR for each
> > POP.
> > The piece I am missing is how the next-hop attribute reflected for
> > each POP prefix (say POP1) into the AS is routed to by other POPs or
> > other routers not peering with POP1 (say POP10)?
> >
> > I assume an IGP is used somehow; however, it's the internal IGP design I
> > am not grasping.
>
> Have all the edge boxes - RR clients in PoPs - set update-source to a
> loopback, and set next-hop self.
>
> Peer between loopbacks everywhere.
>
> Put all the loopbacks in your IGP.
>
> Job done :)
>
> Regards,
> Tim.
>
>

From petelists at templin.org Wed Jul 2 09:50:47 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 08:50:47 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <20080702133523.GA68759@eagle.aitken.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <20080702133523.GA68759@eagle.aitken.com>
Message-ID: <486B87B7.7010707@templin.org>

I'm going to add some elaborations and alternatives in between your excellent comments, if you don't mind...

Jeff Aitken wrote:
> A common, but by no means the only, strategy is as follows:
>
> 1. All routers participate in a single, flat IGP. The only routes carried
> in the IGP are loopbacks and links between routers. All other routes are
> carried in BGP. This keeps things simple and promotes fast convergence.

Lesson learned: if you can, put all of the loopbacks into an aggregateable range, and all of the inter-router links in an aggregateable range. Makes rACLs much easier when you deploy them (tomorrow).

IGP metric design can take many shapes. Planning your metrics early can make for excellent stability in the face of issues and outages, and can keep leased line costs low.

> 3. All lower-level routers in a "region" are client peers of the cores
> that serve that region (where 'region' could mean POP, city, country,
> etc., depending on your network).
We took this a step further, for future-proofing, courtesy of guidance from AOL/ATDN and their excellent NANOG presentation on migrating from OSPF to ISIS. All of the lower-level routers are client peers of the cores, and are fully meshed within the region; the cores do NOT reflect routes from client to client. This helps quench MED oscillation issues.

> 4. All routes advertised via BGP have their next-hop reset where they
> enter the network. Typically this is on the edge routers, which are
> client peers of the local core routers, but can be done anywhere. The
> end result is that no matter where on the network you stand, every BGP
> route has a next-hop address that corresponds to a router loopback that
> you know how to reach via your IGP.

It's simplest to reset ALL routes, but you might want to look at doing it on MOST, leaving a hook to exclude some special-case routes such as blackhole routes.

You can also avoid the next-hop rewrite as long as the link containing the next hop is in BGP (or your IGP, but not recommended). I haven't proven my theory, but my theory says that NOT rewriting the next-hop allows MPLS (if you're running it) to label-switch packets all the way to the egress interface. A rewritten next-hop would invoke PHP at the next-to-edge router, and the edge router would have to do a FIB lookup. Am I wrong? Possibly. Would there be a benefit? I think so.
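The loopback / next-hop-self / route-reflector design that Tim, Jeff and Pete describe above, as an added Python model that is not code from any list post. It shows the three pieces working together: a flat IGP carrying only loopbacks and router-to-router links, the edge rewriting NEXT_HOP to its own loopback before advertising into iBGP, and the reflector copying routes without touching NEXT_HOP, AS_PATH, LOCAL_PREF or MED (the RFC 2796 rule JC quoted). The resolvability check at the end answers Mike's original question: a router in POP10 can only use the reflected POP1 route when the next-hop falls inside a prefix it knows from the IGP. Router names, addresses, link prefixes and the AS number are all constructed for the example.

```python
"""Model of the loopback / next-hop-self / route-reflector design from this thread.

Added illustration, not code from any poster. Names, addresses and links are
constructed. Only the BGP attributes the thread talks about (NEXT_HOP, AS_PATH,
LOCAL_PREF, MED) are modelled, plus a set of IGP-carried prefixes per router.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Route:
    prefix: str
    next_hop: str
    as_path: tuple
    local_pref: int = 100
    med: int = 0


@dataclass
class Router:
    name: str
    loopback: str
    igp_rib: set = field(default_factory=set)    # prefixes learned via the IGP
    bgp_rib: dict = field(default_factory=dict)  # prefix -> Route


def flat_igp(routers, link_prefixes):
    """Flat single-area IGP: every router learns every loopback and every
    inter-router link, and nothing else (Jeff's point 1)."""
    lsdb = {r.loopback + "/32" for r in routers} | set(link_prefixes)
    for r in routers:
        r.igp_rib = set(lsdb)


def edge_learns_ebgp(edge, prefix, ebgp_peer_ip, peer_as, next_hop_self=True):
    """An eBGP route arrives with the external peer's address as NEXT_HOP.
    With next-hop-self (Tim's advice) the edge rewrites it to its own loopback
    before advertising into iBGP; without it the external address leaks inward."""
    nh = edge.loopback if next_hop_self else ebgp_peer_ip
    edge.bgp_rib[prefix] = Route(prefix, nh, (peer_as,))


def reflect(rr, source_client, clients):
    """Route reflector: copy the client's routes to the other clients, leaving
    NEXT_HOP, AS_PATH, LOCAL_PREF and MED exactly as received (RFC 2796)."""
    for prefix, rt in source_client.bgp_rib.items():
        copy = Route(rt.prefix, rt.next_hop, rt.as_path, rt.local_pref, rt.med)
        rr.bgp_rib[prefix] = copy
        for c in clients:
            if c is not source_client:
                c.bgp_rib[prefix] = copy


def resolves(router, route):
    """A BGP route is usable only if its NEXT_HOP lies inside some IGP-carried prefix."""
    nh = ipaddress.ip_address(route.next_hop)
    return any(nh in ipaddress.ip_network(p) for p in router.igp_rib)


def unresolved_routes(router):
    """Prefixes this router holds in BGP but cannot use (next-hop inaccessible)."""
    return sorted(p for p, rt in router.bgp_rib.items() if not resolves(router, rt))


def build_scenario(next_hop_self):
    """POP1's edge learns a customer prefix over eBGP; the core RR reflects it to
    POP10's edge. Returns the POP10 edge router so its view can be inspected."""
    pop1 = Router("pop1-edge", "10.0.0.1")
    pop10 = Router("pop10-edge", "10.0.0.10")
    rr = Router("core-rr", "10.0.0.100")
    # Constructed inter-router links. The eBGP link (203.0.113.0/30) is deliberately
    # NOT in the IGP, matching the "only loopbacks and router-to-router links" rule.
    flat_igp([pop1, pop10, rr], ["10.1.0.0/30", "10.1.0.4/30"])
    edge_learns_ebgp(pop1, "198.51.100.0/24", "203.0.113.2", 64500, next_hop_self)
    reflect(rr, pop1, [pop1, pop10])
    return pop10


if __name__ == "__main__":
    print("next-hop-self on,  unresolved at POP10:", unresolved_routes(build_scenario(True)))
    print("next-hop-self off, unresolved at POP10:", unresolved_routes(build_scenario(False)))
```

With next-hop-self on, POP10 sees the customer prefix with NEXT_HOP 10.0.0.1, which is in its IGP table, so the route is usable; with it off, the route arrives unchanged from the reflector but its next-hop 203.0.113.2 matches nothing in the IGP and the route is dead at POP10, which is exactly the gap Mike was asking about.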
pt

From petelists at templin.org Wed Jul 2 09:58:02 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 08:58:02 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
Message-ID: <486B896A.1020305@templin.org>

Mike Johnson wrote:
> Got that; now, for a large network, would you create a backbone area (OSPF)
> for regionalization of routes
> and make routers within the region into other areas? It's the underlying IGP
> design that makes all the connector nets to POPs available that is my main concern.

Would you be hitting anywhere close to 5,000 (nodes plus links plus loopbacks)? If not, single area seems to be the better bet.

Multi-area becomes almost distance-vector: there's a vector to the backbone area, a vector across the backbone area, and a vector to the exit point. Ick.

pt

From bryan.phillips at cybera.net Wed Jul 2 10:01:10 2008
From: bryan.phillips at cybera.net (Bryan Phillips)
Date: Wed, 2 Jul 2008 09:01:10 -0500
Subject: [c-nsp] /31 network
In-Reply-To:
References:
Message-ID: <48FAC036AD7B7642BB2944FB9AE674A302F01281@EXCHANGE.nashville.cybera.net>

Been using /31's for a while now. Cuts down the IP space.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: Wednesday, July 02, 2008 6:49 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] /31 network

Hi,

Has anyone used /31 networks instead of /30? I believe it is recommended to use /31 networks? Need expert comments.
Regards,
Vikas Sharma

From dudepron at gmail.com Wed Jul 2 10:03:04 2008
From: dudepron at gmail.com (Aaron)
Date: Wed, 2 Jul 2008 10:03:04 -0400
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com>
References: <486B822A.6040206@justinshore.com>
Message-ID: <480dad640807020703k544c2e84obeb55bb22a7b33b5@mail.gmail.com>

It also works in 12.0S too. 12.0(21)+

Aaron

On Wed, Jul 2, 2008 at 9:27 AM, Justin Shore wrote:
> It works fine here. I use it for all my infrastructure links between Cisco
> gear (and only Cisco gear). More specifically, IOS devices. I don't believe
> FWSMs, IDSMs, ASAs, etc. have support for it. I never tried, but I'd
> seriously doubt it.
>
> Justin
>
>
> Vikas Sharma wrote:
>
>> Hi,
>>
>> Has anyone used /31 networks instead of /30? I believe it is recommended
>> to
>> use /31 networks? Need expert comments.
>>
>> Regards,
>> Vikas Sharma
>>
>

From cisco-nsp at slepicka.net Wed Jul 2 10:07:36 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 02 Jul 2008 09:07:36 -0500
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com>
References: <486B822A.6040206@justinshore.com>
Message-ID: <486B8BA8.9070400@slepicka.net>

/31s work fine here for IOS gear. I can confirm that the ASA does not support them.
It's been a while since I last tried, but if I remember correctly, you can configure an interface with a /31, but it won't pass traffic, nor will it be obvious what the problem is.

Justin Shore wrote:
> It works fine here. I use it for all my infrastructure links between
> Cisco gear (and only Cisco gear). More specifically, IOS devices. I
> don't believe FWSMs, IDSMs, ASAs, etc. have support for it. I never
> tried, but I'd seriously doubt it.
>
> Justin
>
> Vikas Sharma wrote:
>> Hi,
>>
>> Has anyone used /31 networks instead of /30? I believe it is
>> recommended to
>> use /31 networks? Need expert comments.
>>
>> Regards,
>> Vikas Sharma

From harbor235 at gmail.com Wed Jul 2 10:13:58 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 10:13:58 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <486B896A.1020305@templin.org>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <486B896A.1020305@templin.org>
Message-ID: <836bf1f90807020713t72be891fp36493dccb735b39e@mail.gmail.com>

Guys, this is great stuff; I may have some additional questions after I digest all the info.

thanx again

Mike j

On 7/2/08, Pete Templin wrote:
>
> Mike Johnson wrote:
>
> Got that; now, for a large network, would you create a backbone area (OSPF)
>> for regionalization of routes
>> and make routers within the region into other areas? It's the underlying
>> IGP
>> design that makes all the connector nets to POPs available that is my main
>> concern.
>>
>
> Would you be hitting anywhere close to 5,000 (nodes plus links plus
> loopbacks)? If not, single area seems to be the better bet.
>
> Multi-area becomes almost distance-vector: there's a vector to the backbone
> area, a vector across the backbone area, and a vector to the exit point.
> Ick.
>
> pt
>
>

From p.caci at seabone.net Wed Jul 2 10:16:43 2008
From: p.caci at seabone.net (Pierfrancesco Caci)
Date: Wed, 02 Jul 2008 16:16:43 +0200
Subject: [c-nsp] /31 network
In-Reply-To: <486B822A.6040206@justinshore.com> (Justin Shore's message of "Wed, 02 Jul 2008 08:27:06 -0500")
References: <486B822A.6040206@justinshore.com>
Message-ID: <87skus74ms.fsf@clarabella.noc.seabone.net>

:-> "Justin" == Justin Shore writes:

> It works fine here. I use it for all my infrastructure links between
> Cisco gear (and only Cisco gear). More specifically IOS
> devices.

works also between IOS and IOS-XR, XR to XR, and IOS to JUNOS, here.

--
-------------------------------------------------------------------------------
Pierfrancesco Caci | Network & System Administrator - INOC-DBA: 6762*PFC
p.caci at seabone.net | Telecom Italia Sparkle - http://etabeta.noc.seabone.net/
Linux clarabella 2.6.15-29-server #1 SMP Mon Sep 24 17:37:57 UTC 2007 i686 GNU/Linux

From tim at pelican.org Wed Jul 2 10:23:05 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 2 Jul 2008 15:23:05 +0100 (BST)
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com>
Message-ID: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>

On Wed, July 2, 2008 2:48 pm, Mike Johnson wrote:
> Got that; now, for a large network, would you create a backbone area (OSPF)
> for regionalization of routes
> and make routers within the region into other areas?
> It's the underlying
> IGP
> design that makes all the connector nets to POPs available that is my main
> concern.

I wouldn't bother unless you have many thousands of devices - but I must admit I haven't crunched the numbers hard or built anything large enough to see where the necessary pain happens.

Remember, at this point you've only got a fairly small number of routes in your IGP, and they ought to be the most stable routes in your network, so you're going to be running SPF both quickly and infrequently.

Regards,
Tim.

From SPfister at dps.k12.oh.us Wed Jul 2 11:20:02 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 02 Jul 2008 11:20:02 -0400
Subject: [c-nsp] L2TPv3 tunnel - one-way only
In-Reply-To: <20080701205403.GO14994@rtp-cse-489.cisco.com>
References: <486A5DCE.9E6F.00B8.0@dps.k12.oh.us> <20080701205403.GO14994@rtp-cse-489.cisco.com>
Message-ID: <486B6462.9E6F.00B8.0@dps.k12.oh.us>

Here is the current config. I'm trying to gain access to vlan 77 on the remote side (10.77.0.0/16). Thanks!

--Steve

central side:

l2tp-class l2-dyn
 authentication
 hostname ADM
 password somepassword
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.7.1 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.9.1 255.255.255.0
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 192.168.7.77 77 pw-class pw-dynamic

-------------

remote side:

l2tp-class l2-dyn
 authentication
 hostname XYZ
 password somepassword
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
interface Loopback0
 ip address 192.168.7.77 255.255.255.255
!
interface FastEthernet0/0
 no ip address
 no ip redirects
 no ip proxy-arp
 ip pim sparse-mode
 ip route-cache flow
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.77.0.1 255.255.0.0
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.77
 encapsulation dot1Q 77
 no snmp trap link-status
 no cdp enable
 xconnect 192.168.7.1 77 pw-class pw-dynamic

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From harbor235 at gmail.com Wed Jul 2 11:34:42 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 2 Jul 2008 11:34:42 -0400
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org>
Message-ID: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>

How am I able to utilize thousands of devices in a flat IGP domain? I thought only a couple hundred was recommended before deploying multiple areas.

Are you guys recommending OSPF or ISIS?

-mike j

On 7/2/08, Tim Franklin wrote:
>
> On Wed, July 2, 2008 2:48 pm, Mike Johnson wrote:
>
> > Got that; now, for a large network, would you create a backbone area (OSPF)
> > for regionalization of routes
> > and make routers within the region into other areas? It's the underlying
> > IGP
> > design that makes all the connector nets to POPs available that is my main
> > concern.
>
> I wouldn't bother unless you have many thousands of devices - but I must
> admit I haven't crunched the numbers hard or built anything large enough
> to see where the necessary pain happens.
>
> Remember, at this point you've only got a fairly small number of routes in
> your IGP, and they ought to be the most stable routes in your network, so
> you're going to be running SPF both quickly and infrequently.
>
> Regards,
> Tim.
>
>

From petelists at templin.org Wed Jul 2 11:47:34 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 02 Jul 2008 10:47:34 -0500
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
Message-ID: <486BA316.1060907@templin.org>

Mike Johnson wrote:
> How am I able to utilize thousands of devices in a flat IGP domain? I
> thought only a couple hundred was recommended before deploying
> multiple areas.

Do you really have thousands of routers within your network "core"? I have twelve distribution/edge routers and two core routers, maximum, per POP. With five POPs, 40-60 routers, ~140 links, etc., I'm nowhere near the 5,000 target ceiling.

> Are you guys recommending OSPF or ISIS?

I went from OSPF to ISIS a few years ago for several reasons. The relevant reasons are:

1) Perceived network security: since we don't accept CLNS packets from customers or providers, it's much tougher to packet-bomb our IGP.

2) Perceived operational security: since we do MPLS VPNs and anticipate savvy customers wanting to use OSPF over those, having our technicians "separated" from our production IGP as soon as they get to 'router o' was a good thing.

I'm now contemplating going back to OSPF. The relevant reasons are:

1) We have some use for Catalyst 3550s in our network, and AFAIK they don't speak ISIS.

2) We're having extreme pain trying to bring up ISIS for IPv6.
pt

From karim.adel at gmail.com Wed Jul 2 12:05:05 2008
From: karim.adel at gmail.com (Kim Onnel)
Date: Wed, 2 Jul 2008 19:05:05 +0300
Subject: [c-nsp] OT: Cisco ITP consultant needed
In-Reply-To:
References:
Message-ID:

Hello,

Sorry if this is off topic; we are looking for someone who has Cisco ITP experience (SS7oIP) to do a 6 months job with very, very, very, and I do mean "very", attractive money.

Please forward this to anyone you might know willing, and send me your resume if interested.

Thanks,
Kim

From jaitken at aitken.com Wed Jul 2 12:12:23 2008
From: jaitken at aitken.com (Jeff Aitken)
Date: Wed, 2 Jul 2008 16:12:23 +0000
Subject: [c-nsp] Route Reflector Design
In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020648s63f40852wa3019cf58b856466@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com>
Message-ID: <20080702161223.GA71249@eagle.aitken.com>

On Wed, Jul 02, 2008 at 11:34:42AM -0400, Mike Johnson wrote:
> How am I able to utilize thousands of devices in a flat IGP domain? I
> thought only a couple hundred was recommended before deploying multiple
> areas.

There is no one right answer. It depends on your network: what is the topology, how much aggregation are you doing, how stable are the devices and links, etc. As usual, apply the KISS principle. If you don't NEED multiple areas, don't use them. That said, *thousands* of devices likely means multiple areas.

> Are you guys recommending OSPF or ISIS?
Quoting from Dave Katz' excellent presentation from NANOG19 [1]: "For all but extreme cases (large full-mesh networks), protocols are pretty much equivalent in scalability and functionality. Stability and scalability are largely artifacts of implementation, not protocol design. Familiarity and comfort in both engineering and operations is probably the biggest factor in choosing."

I've worked for at least two providers that switched from OSPF to ISIS, and my current employer uses both in various places. I'd recommend using what your ops folks are familiar with; the cost of learning something new will likely outweigh any (largely theoretical) gain. One final consideration is that OSPF support is pretty ubiquitous across a wide variety of devices (routers, switches, firewalls, load balancers, etc) while ISIS support tends to exist only in routers (and to a lesser degree, switches) used by service providers. Whether this matters to you depends on your current & expected vendor/platform set. --Jeff

[1] http://www.nanog.org/mtg-0006/katz.html

From jared at corp.sonic.net Wed Jul 2 13:36:59 2008 From: jared at corp.sonic.net (Jared Gillis) Date: Wed, 02 Jul 2008 10:36:59 -0700 Subject: [c-nsp] 3640 not sending OSPF state traps Message-ID: <486BBCBB.8060306@corp.sonic.net>

Hi all, I recently turned up a 3640 running 12.3 latest Enterprise code and OSPF. Everything works as expected, except that the device will not send an OSPF trap on OSPF state changes on any of its interfaces. I do receive syslog messages for the OSPF state changes. log-adjacency-changes is on in my OSPF config, and all the trap types under "snmp-server enable traps" are active. There is no "snmp-server enable traps ospf" command available. I tried changing to 12.3 latest IP Plus code, with no change. I'm about to try other code versions, possibly even some 12.2 code, but I figure that there's got to be something new to 12.3 or the 3640 that I'm missing.
Thanks in advance, -- Jared Gillis - jared at corp.sonic.net Sonic.net, Inc. Network Operations 2260 Apollo Way 707.522.1000 (Voice) Santa Rosa, CA 95407 707.547.3400 (Support) http://www.sonic.net/ From rsnyder at toontown.erial.nj.us Wed Jul 2 13:48:40 2008 From: rsnyder at toontown.erial.nj.us (Bob Snyder) Date: Wed, 2 Jul 2008 13:48:40 -0400 Subject: [c-nsp] /31 network In-Reply-To: References: Message-ID: <20080702174840.GA690@toontown.erial.nj.us> On Wed, Jul 02, 2008 at 05:19:02PM +0530, Vikas Sharma wrote: > has anyone used /31 network instead of /30? I believe this is recommended to > use /31 network? Need expert comments. Make sure your monitoring tools handle it ok. When I looked into it a number of years ago, Openview was not at all happy dealing with /31's. I'd hope that tools have updated since the release of the RFC a while ago, but..... At my current job, we continue to use /30's. Bob From tvarriale at comcast.net Wed Jul 2 13:52:06 2008 From: tvarriale at comcast.net (Tony Varriale) Date: Wed, 2 Jul 2008 12:52:06 -0500 Subject: [c-nsp] /31 network References: Message-ID: <003001c8dc6c$58bf9b70$f211a8c0@flamwsugsmul5v> Yup. Works great on IOS on versions mentioned in other messages. tv ----- Original Message ----- From: "Vikas Sharma" To: Sent: Wednesday, July 02, 2008 6:49 AM Subject: [c-nsp] /31 network > Hi, > > has anyone used /31 network instead of /30? I believe this is recommended > to > use /31 network? Need expert comments. 
> > Regards, > Vikas Sharma > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/

From saku+cisco-nsp at ytti.fi Wed Jul 2 15:11:53 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Wed, 2 Jul 2008 22:11:53 +0300 Subject: [c-nsp] CoPP on PE router for access network In-Reply-To: <20080701154118.GI13269@rtp-cse-489.cisco.com> References: <20080701154118.GI13269@rtp-cse-489.cisco.com> Message-ID: <20080702191152.GA32429@mx.ytti.net>

On (2008-07-01 11:41 -0400), Rodney Dunn wrote: > Last I checked CoPP was not VRF aware and it applied to any traffic > punted to the RP that we could match on so it would apply to PE-CE > links.

Big annoyance is that in most platforms CoPP is evaluated before labels are popped, so you will blindly accept packets coming from P side to the PE, assuming it's a VRF packet (or you're running explicit null, in which case also an INET packet will be blindly accepted in most platforms). -- ++ytti

From saku+cisco-nsp at ytti.fi Wed Jul 2 15:15:12 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Wed, 2 Jul 2008 22:15:12 +0300 Subject: [c-nsp] /31 network In-Reply-To: References: Message-ID: <20080702191512.GB32429@mx.ytti.net>

On (2008-07-02 17:19 +0530), Vikas Sharma wrote: > has anyone used /31 network instead of /30? I believe this is recommended to > use /31 network? Need expert comments.

We've been running it for years; some CPE-grade boxes have had software bugs where, while they should support /31, weird things start to happen, like they start to ARP for the whole Internet (0.0.0.0/0 towards PE), in which case our fix is to enable proxy-arp in the PE (to get the customer connection running) and upgrade software in the next possible maintenance. I think we've seen another different issue too, but I didn't handle it.
-- ++ytti

From daniel.dib at reaper.nu Wed Jul 2 15:45:13 2008 From: daniel.dib at reaper.nu (Daniel Dib) Date: Wed, 2 Jul 2008 21:45:13 +0200 Subject: [c-nsp] /31 network In-Reply-To: <20080702191512.GB32429@mx.ytti.net> Message-ID: <000001c8dc7c$257ddc80$8119fea9@reap>

On (2008-07-02 17:19 +0530), Vikas Sharma wrote: > has anyone used /31 network instead of /30? I believe this is recommended to > use /31 network? Need expert comments.

We've been running it for a long time. We use it for PE-CPE links where the CPE is c877/1800/3750/7300 etc. Haven't seen any issues with it. We used /30 before; also, if we are upgrading a circuit and the customer gets a new router we often take the /30 back and replace it with a /31, which saves some addresses. /Daniel

From kgraham at industrial-marshmallow.com Wed Jul 2 16:08:52 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Wed, 2 Jul 2008 13:08:52 -0700 (PDT) Subject: [c-nsp] /31 network Message-ID: <599421.84529.qm@web906.biz.mail.mud.yahoo.com>

> has anyone used /31 network instead of /30? I believe this is recommended to > use /31 network? Need expert comments.

Support still seems very limited, but on a similar thread, has anyone toyed with the 'ip unnumbered for Ethernet' feature? Initially it was just option-82 magic, but I noticed there's now also a "poll" option to support non-DHCP hosts: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/unnumber.html There's the single message from a CLI example: "Warning: dynamic routing protocols will not work on non-point-to-point interfaces with IP unnumbered configured." ...though without more discussion on the underlying functionality, that's terribly vague (i.e. would explicit neighbor configurations remedy the limitation?).
From rodunn at cisco.com Wed Jul 2 16:16:22 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 2 Jul 2008 16:16:22 -0400 Subject: [c-nsp] /31 network In-Reply-To: <599421.84529.qm@web906.biz.mail.mud.yahoo.com> References: <599421.84529.qm@web906.biz.mail.mud.yahoo.com> Message-ID: <20080702201622.GD27911@rtp-cse-489.cisco.com>

There were some bad problems with that. I wouldn't use it. It was originally for the PPPoE type setups IIRC to preserve address space. For routed P2P use /31's.

On Wed, Jul 02, 2008 at 01:08:52PM -0700, Kevin Graham wrote: > > > has anyone used /31 network instead of /30? I believe this is recommended to > > use /31 network? Need expert comments. > > Support still seems very limited, but on a similar thread, has anyone toyed > with the 'ip unnumbered for Ethernet' feature? Initially it was just option-82 > magic, but I noticed there's now also a "poll" option to support non-DHCP > hosts: > > http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/unnumber.html > > There's the single message from a CLI example: > > "Warning: dynamic routing protocols will not work on non-point-to-point > interfaces with IP unnumbered configured." > > ...though without more discussion on the underlying functionality, that's > terribly vague (i.e. would explicit neighbor configurations remedy the > limitation?).

From almog.purepeak at gmail.com Wed Jul 2 16:23:33 2008 From: almog.purepeak at gmail.com (almog ohayon) Date: Wed, 2 Jul 2008 23:23:33 +0300 Subject: [c-nsp] Routing loop.. Message-ID: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com>

Hi, How can I notice that there is a routing loop?? This question is regarding CCIE R&S of course ...
From juniper84 at live.com Wed Jul 2 16:38:45 2008 From: juniper84 at live.com (J C) Date: Wed, 2 Jul 2008 17:38:45 -0300 Subject: [c-nsp] Vlan Issue - 7304 & 4507 Message-ID:

I'm experiencing a weird issue between a Cisco 7304 and a 4507R switch... Basically it looks like this: Customer -> Trunk (vlan 1709 native) -> 4507R -> Trunk -> Sub-interface 7304 (customer vrf) We can see the mac-address from the customer equipment but are unable to ping it from the 7304. We then moved the ip-address from the 7304 vlan sub-interface to an SVI on the 4507R and now we're able to successfully ping the device. Changing the vlan from 1709 to 2000+ seemed to have fixed the issue in one previous incident. Everything appears fine when we look at the mac-address table and the ARP tables within the vrf. Anyone run into anything similar? I'm assuming code level, but I'd love to find a Cisco BugID before I speak out.

From adrian.minta at gmail.com Wed Jul 2 16:48:51 2008 From: adrian.minta at gmail.com (Adrian Minta) Date: Wed, 02 Jul 2008 23:48:51 +0300 Subject: [c-nsp] Routing loop.. In-Reply-To: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com> References: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com> Message-ID: <486BE9B3.4000503@gmail.com>

almog ohayon wrote: > Hi, > How can I notice that there is a routing loop?? > This question is regarding CCIE R&S of course ... > >

traceroute ?

-- Best regards, Adrian Minta

From ATolstykh at integrysgroup.com Wed Jul 2 17:41:51 2008 From: ATolstykh at integrysgroup.com (Tolstykh, Andrew) Date: Wed, 2 Jul 2008 16:41:51 -0500 Subject: [c-nsp] Routing loop..
In-Reply-To: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com> References: <3b53747c0807021323v10d72f83y13d44e2cd9cd77ae@mail.gmail.com> Message-ID: <6E31172B4025564D861CD73627500BAC02E2F824@pru-mail02.pe.net>

Debug ip routing

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of almog ohayon Sent: Wednesday, July 02, 2008 3:24 PM To: cisco-nsp at puck.nether.net; Cisco certification Subject: [c-nsp] Routing loop.. Hi, How can I notice that there is a routing loop?? This question is regarding CCIE R&S of course ...

From justin at justinshore.com Wed Jul 2 18:56:53 2008 From: justin at justinshore.com (Justin Shore) Date: Wed, 02 Jul 2008 17:56:53 -0500 Subject: [c-nsp] IS-IS default route quandary Message-ID: <486C07B5.2090705@justinshore.com>

I'm trying to figure out a default route issue that stems from our original IS-IS deployment. The entire IS-IS deployment is a flat L2 design.

A    B
|\  /|
| \/ |
| /\ |
|/  \|
C    D

A & B are border routers and C & D are our 7600 core. Each border is dual-homed to each core router. The access edge routers (DSL, cable, metroE, dialup, etc) are dual-homed to the core routers as well. Full BGP tables are extended to core (A-D are in an iBGP mesh). The access edge can't handle full routes.
Customer routes are still in IS-IS but I'm slowly moving them to iBGP. To dynamically learn a default route on the access edge via IS-IS I have to originate it somewhere upstream. The borders currently originate the default route in IS-IS and advertise it to the core which propagates that on to the access edge. On each border router we also have a static default route pointed to the physical interface of the upstream peers (which if memory serves me correctly that's a bad idea because it causes an ARP to be sent for every flow that requires that specific route). This is a hold-over from my predecessor and hasn't been scrutinized until now. When I pull the static default from either A or B it relearns the default from the core routers, C & D. Now when I do this it still has routes pointing to all the advertised prefixes on the Internet thanks to the full tables so I don't think I'll have any reachability issues. Or will I? My main concerns are that this will cause a routing loop between the borders and core for any routes that aren't in the borders' RIB. This would mainly be BOGONs and other non-routable space that we use internally (so it may not be a real problem). In theory I shouldn't ever have to rely on a default route to my upstreams thanks to my full tables. I'm also concerned with how this may affect my uRPF and RTBH setup. Would this catchall route nullify the effect of a iBGP-learned null-route from my RTBH setup? I would prefer my borders to not have a default route vs a default pointing back to my core. Is there a way to not accept the default via IS-IS? L2 IS-IS speakers will propagate all L2 routes to all L2 neighbors. We could not get a L1 and L1/2 design to work early on in our testing so we chose the flat L2 approach instead. Is there something else that I'm missing here? Down the road I'll have to directly connect the borders together due to our upcoming SCE deployment (longer story). 
Thanks Justin From Kris.Amy at eip.net.au Wed Jul 2 21:07:11 2008 From: Kris.Amy at eip.net.au (Kris Amy) Date: Thu, 3 Jul 2008 11:07:11 +1000 Subject: [c-nsp] Ideal LNS/LAC Router Message-ID: Hi, Currently we are using 7301's for LAC/LNS purposes and was wondering what is the next platform that we should be looking to move towards. -- Kind Regards, Kris Amy From markom at markom.info Wed Jul 2 21:38:46 2008 From: markom at markom.info (Marko Milivojevic) Date: Thu, 3 Jul 2008 01:38:46 +0000 Subject: [c-nsp] Ideal LNS/LAC Router In-Reply-To: References: Message-ID: <1fb747910807021838nf6b425fmd07783ad14c35314@mail.gmail.com> Apparently, the new ASR 1000 series promises to be the future platform from Cisco for that purpose... On Thu, Jul 3, 2008 at 01:07, Kris Amy wrote: > Hi, > > Currently we are using 7301's for LAC/LNS purposes and was wondering what is > the next platform that we should be looking to move towards. From mtinka at globaltransit.net Wed Jul 2 22:14:36 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 3 Jul 2008 10:14:36 +0800 Subject: [c-nsp] Route Reflector Design In-Reply-To: <486BA316.1060907@templin.org> References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <486BA316.1060907@templin.org> Message-ID: <200807031014.43273.mtinka@globaltransit.net> On Wednesday 02 July 2008 23:47:34 Pete Templin wrote: > I went from OSPF to ISIS a few years ago for several > reasons. The relevant reasons are: One of the biggest reasons we made the switch is that IS-IS allows us to "string" our network across the globe easier than OSPF, because OSPF has the "all areas must connect to the backbone area" rule - and we don't like virtual links. All other reasons were gravy; although we do like the fact that v6 is implemented in the same IS-IS protocol as v4. > 1) We have some use for Catalyst 3550s in our network, > and AFAIK they don't speak ISIS. This is very annoying. 
We had a chat with our SE, and the DSBU are considering supporting IS-IS (initially for v4) on the 3560G (which we have a lot of) some time next year.

> 2) We're having extreme pain trying to bring up ISIS for > IPv6.

What kinds of issues? Mark.

From mtinka at globaltransit.net Wed Jul 2 22:17:36 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 3 Jul 2008 10:17:36 +0800 Subject: [c-nsp] Route Reflector Design In-Reply-To: <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> Message-ID: <200807031017.37543.mtinka@globaltransit.net>

On Wednesday 02 July 2008 23:34:42 Mike Johnson wrote: > How am I able to utilize thousands of devices in a flat > IGP domain? I thought > only a couple hundred is recommended before deploying > multiple areas.

Our school of thought has always been, build scalability from the beginning even though you only have 2 routers in the network, i.e.:

* support BGP peer groups or peer session templates from day one.
* support route reflectors from day one.
* support multi-area/multi-level IGP designs from day one.
* support Loopbacks in the IGP and prefixes in iBGP from day one.

One never knows when the network is going to explode - it saves you a lot of hassle and potential re-design, down the line. Probably the same reason most folk will buy a router/switch with full flash/memory from day one, even when it probably won't have BGP from the onset. Cheers, Mark.
From oboehmer at cisco.com Thu Jul 3 01:14:36 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 3 Jul 2008 07:14:36 +0200 Subject: [c-nsp] IS-IS default route quandary In-Reply-To: <486C07B5.2090705@justinshore.com> References: <486C07B5.2090705@justinshore.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>

Justin Shore <> wrote on Thursday, July 03, 2008 12:57 AM: > I'm trying to figure out a default route issue that stems from our > original IS-IS deployment. The entire IS-IS deployment is a flat L2 > design. > > A B > |\ /| > | \/ | > | /\ | > |/ \| > C D > > A & B are border routers and C & D are our 7600 core. Each border is > dual-homed to each core router. The access edge routers (DSL, cable, > metroE, dialup, etc) are dual-homed to the core routers as well. Full > BGP tables are extended to core (A-D are in an iBGP mesh). The access > edge can't handle full routes. Customer routes are still in IS-IS but > I'm slowly moving them to iBGP. To dynamically learn a default route > on the access edge via IS-IS I have to originate it somewhere > upstream. > The borders currently originate the default route in IS-IS and > advertise it to the core which propagates that on to the access edge. > > On each border router we also have a static default route pointed to > the physical interface of the upstream peers (which if memory serves > me correctly that's a bad idea because it causes an ARP to be sent for > every flow that requires that specific route).

right, if this is not a p2p interface. So a very bad idea..

> This is a hold-over from > my predecessor and hasn't been scrutinized until now. When I pull the > static default from either A or B it relearns the default from the > core routers, C & D.
Now when I do this it still has routes pointing to all > the advertised prefixes on the Internet thanks to the full tables so I > don't think I'll have any reachability issues. Or will I? My main > concerns are that this will cause a routing loop between the borders > and core for any routes that aren't in the borders' RIB. This would > mainly be BOGONs and other non-routable space that we use internally (so it > may not be a real problem). and, in addition, such packets should not show up on your borders unless you have downstream peers/customers on the borders as well and they point a default towards you. > In theory I shouldn't ever have to rely > on a default route to my upstreams thanks to my full tables. I'm also > concerned with how this may affect my uRPF and RTBH setup. Would this > catchall route nullify the effect of a iBGP-learned null-route from my > RTBH setup? Well, if your current static default doesn't affect your uRPF and RTBH setup, why would a dynamic default do? > I would prefer my borders to not have a default route vs a default > pointing back to my core. Is there a way to not accept the default > via IS-IS? IS-IS doesn't have something like OSPF's "distribute-list in" to filter routes from being entered into the RIB, but you can use the "distance" command to achieve something similar: access-list 10 permit 0.0.0.0 router isis distance 255 0.0.0.0 255.255.255.255 10 this will assign distance 255 to the default-route (originated by whatever neighbor), and 255 will suppress installation into the RIB. Or you originate a default in iBGP and run your access nodes with a limited BGP table only. oli From risnaini at indo.net.id Thu Jul 3 02:20:44 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Thu, 03 Jul 2008 13:20:44 +0700 Subject: [c-nsp] Ideal LNS/LAC Router In-Reply-To: References: Message-ID: <486C6FBC.6030402@indo.net.id> Hallo, I'm using 2600, 7200 depends on how many vpdns will be established... rgs a. 
rahman isnaini r.sutan Kris Amy wrote: > Hi, > > Currently we are using 7301's for LAC/LNS purposes and was wondering what is > the next platform that we should be looking to move towards. > From gkg at gmx.de Thu Jul 3 03:28:49 2008 From: gkg at gmx.de (Garry) Date: Thu, 03 Jul 2008 09:28:49 +0200 Subject: [c-nsp] Ideal LNS/LAC Router In-Reply-To: References: Message-ID: <486C7FB1.3070708@gmx.de> Kris Amy wrote: > Hi, > > Currently we are using 7301's for LAC/LNS purposes and was wondering what is > the next platform that we should be looking to move towards. > We've replaced some ancient 7200 (non-VXR) with 3825, nice platform with the dual GigE on-board, and enough power to handle something like 2000-3000 L2TP tunnels (guestimate - currently doing something like 200-300 tunnels per router, with peak CPU around 10%) ... having multiple does for nice redundancy and easy extendability ... at a decent price ... guess after all it depends on how many sessions you need to handle though ... -gg From rupert.finnigan at googlemail.com Thu Jul 3 04:32:23 2008 From: rupert.finnigan at googlemail.com (Rupert Finnigan) Date: Thu, 3 Jul 2008 09:32:23 +0100 Subject: [c-nsp] 1800 Series QOS Problems Message-ID: <518564410807030132y34488b90r84847ce81ca86494@mail.gmail.com> Hi All, I'm having a bit of a hard time getting the QOS result I want on a 1800 router. I'm running VoIP trunks between digital PBX systems, but can't get the priority treatment that I want. The setup involves a 1801 router at one end on a ADSL connection, and a 2821 router at the other on a SDSL connection. I'm only really worried about the 1801 at the moment. This is what I've done so far: Applied a policy map to the inbound VLAN interface, to mark the RTP packets as EF and the rest as AF43. This works fine. Apply "qos pre-classify" on the mGRE Tun Interface to carry the markings over to the encrypted packets. 
Applied a policy map to the outbound ATM interface to priority queue the EF packets, with a max of 25% bandwidth, and fair-queue the rest. I'm not seeing the packet count increasing on "show policy-map interface atm 0" as I would expect, which suggests it's not working as it should be. However, if I apply the last policy-map to the dialer interface, it does increase as expected - but I'm not seeing any evidence that it's actually prioritising the VoIP packets. I'm a bit stumped now, and so any help would be greatly received! Thanks, Rupert

From Michael.Robson at manchester.ac.uk Thu Jul 3 04:34:19 2008 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Thu, 3 Jul 2008 09:34:19 +0100 Subject: [c-nsp] Default-Information Originate In-Reply-To: References: Message-ID:

I used to think that I had a handle on when the default-information originate command was needed, but I have recently seen working config. that pokes a finger in my eye of understanding, where some bad Cisco document caused further blurring; and so some questions:

- Should the default-information originate command be needed within the BGP configuration of a router to cause a default route that has been learnt from an eBGP peer to be advertised by this router to its iBGP peers?

- Similarly, should this command be needed to cause a default route that has been learnt from an iBGP peer to be advertised by the router to an eBGP peer?

Ta. Michael.

From p.mayers at imperial.ac.uk Thu Jul 3 05:22:51 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Thu, 03 Jul 2008 10:22:51 +0100 Subject: [c-nsp] Default-Information Originate In-Reply-To: References: Message-ID: <486C9A6B.502@imperial.ac.uk>

Michael Robson wrote: > I used to think that I had a handle on when the default information > originate command was needed, but I have recently seen working config.
> that pokes a finger in my eye of understanding, where some bad Cisco > document caused further blurring; and so some questions > > - Should the default-information originate command be needed within BGP > configuration of a router to cause a default route that has been learnt > from an eBGP peer to be advertised by this router to its iBGP peers?

No

> > - Similarly, should this command be needed to cause a default route that > has been learnt from an iBGP peer to be advertised by the router to an > eBGP peer?

No

We have both configs in place.

From markom at markom.info Thu Jul 3 05:28:07 2008 From: markom at markom.info (Marko Milivojevic) Date: Thu, 3 Jul 2008 09:28:07 +0000 Subject: [c-nsp] Default-Information Originate In-Reply-To: References: Message-ID: <1fb747910807030228q38cda954u68109d6c7328715f@mail.gmail.com>

If the route is in BGP already, then the answer to both of your questions is no. You will need it only on a router that is "injecting" it into BGP from some other protocol. You will also need it on a router that has a full routing table, but for some reason you wish it to advertise subset+default to neighbors.

On Thu, Jul 3, 2008 at 08:34, Michael Robson wrote: > I used to think that I had a handle on when the default information > originate command was needed, but I have recently seen working config. that > pokes a finger in my eye of understanding, where some bad Cisco document > caused further blurring; and so some questions > > - Should the default-information originate command be needed within BGP > configuration of a router to cause a default route that has been learnt from > an eBGP peer to be advertised by this router to its iBGP peers? > > - Similarly, should this command be needed to cause a default route that has > been learnt from an iBGP peer to be advertised by the router to an eBGP > peer? > > Ta. > > Michael.
From skeeve at skeeve.org Thu Jul 3 06:38:20 2008 From: skeeve at skeeve.org (Skeeve Stevens) Date: Thu, 3 Jul 2008 20:38:20 +1000 Subject: [c-nsp] ASA questions Message-ID: <0ff801c8dcf8$e9650110$bc2f0330$@org> I am looking for an ASA with the primary use being to stop DDoS attacks which one of my customers is getting slammed with. Need at least a couple of hundred meg throughput.. Preferably in transparent mode. Couple of questions: - Is an SSM needed to do DoS protection? - The 5550 can't take an SSM? - Is the transparent protection functional in dot1q VLAN's? (If I want to run multiple carriers into a switch then into the ASA and back out) I am not so familiar with the protection or smarts offered by the ASA in regards to DoS protection. .Skeeve -- Skeeve Stevens, RHCE skeeve at skeeve.org / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - skeeve at eintellego.net - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum From peter at rathlev.dk Thu Jul 3 06:54:46 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 03 Jul 2008 12:54:46 +0200 Subject: [c-nsp] ASA questions In-Reply-To: <0ff801c8dcf8$e9650110$bc2f0330$@org> References: <0ff801c8dcf8$e9650110$bc2f0330$@org> Message-ID: <1215082486.20536.5.camel@svesken.sys.mjna.net> Hi Skeeve, On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote: > I am looking for an ASA with the primary use being to stop DDoS attacks > which one of my customers is getting slammed with. > > Need at least a couple of hundred meg throughput.. Preferably in transparent > mode. > > Couple of questions: > - Is an SSM needed to do DoS protection? The ASA code can protect against things like SYN flood (embryonic and half-open connection limits) and you can do rate limiting. If you need more advanced (e.g. signature based) protection, you'd need something like the AIP-SSM. But the ASA does a good job on it's own. > - The 5550 can't take an SSM? 
No, the 5550 can't take an SSM, since the slot is already taken by a 4-port GigabitEthernet module, which cannot be removed.

> - Is the transparent protection functional in dot1q VLAN's? (If I want > to run multiple carriers into a switch then into the ASA and back out)

Yes, you can run multiple transparent firewall interface pairs, filtering each pair separately, if that is what you mean. Regards, Peter

From drew.weaver at thenap.com Thu Jul 3 07:18:46 2008 From: drew.weaver at thenap.com (Drew Weaver) Date: Thu, 3 Jul 2008 07:18:46 -0400 Subject: [c-nsp] 'multiplexing" netflow? Message-ID:

Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function, but we would also like our NetFlow stats to be exported somewhere else for analysis. Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)? -Drew

From achatz at forthnet.gr Thu Jul 3 07:18:52 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 03 Jul 2008 14:18:52 +0300 Subject: [c-nsp] 3640 not sending OSPF state traps In-Reply-To: <486BBCBB.8060306@corp.sonic.net> References: <486BBCBB.8060306@corp.sonic.net> Message-ID: <486CB59C.7040203@forthnet.gr>

You need 12.3(14)T or later on 3640. -- Tassos

Jared Gillis wrote on 2/7/2008 8:36: > Hi all, > > I recently turned up a 3640 running 12.3 latest Enterprise code and > OSPF. Everything works as expected, except that the device will not send > an OSPF trap on OSPF state changes on any of its interfaces. I do receive > syslog messages for the OSPF state changes. > log-adjacency-changes is on in my OSPF config, and all the trap types > under "snmp-server enable traps" are active. > There is no "snmp-server enable traps ospf" command available. > I tried changing to 12.3 latest IP Plus code, with no change.
> I'm about to try other code versions, possibly even some 12.2 code, but > I figure that there's got to be something new to 12.3 or the 3640 that > I'm missing. > Thanks in advance, From markom at markom.info Thu Jul 3 07:41:15 2008 From: markom at markom.info (Marko Milivojevic) Date: Thu, 3 Jul 2008 11:41:15 +0000 Subject: [c-nsp] 'multiplexing" netflow? In-Reply-To: References: Message-ID: <1fb747910807030441r7332657ka08fecfd9a6fa98f@mail.gmail.com> You should be able to configure two export destinations on a router. If you need more than that, you indeed need a netflow proxy of sorts. Have you checked if the flow-tools package has something that you could use for this purpose? On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote: > Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis. > > Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)? From eric at atlantech.net Thu Jul 3 07:45:10 2008 From: eric at atlantech.net (Eric Van Tol) Date: Thu, 3 Jul 2008 07:45:10 -0400 Subject: [c-nsp] OSPF4-BAD-LENGTH Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> Hi all, This isn't a question of what, but how :-) We received this log on one of our 6509s last night: Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5 This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols? 
-evt From drew.weaver at thenap.com Thu Jul 3 07:46:09 2008 From: drew.weaver at thenap.com (Drew Weaver) Date: Thu, 3 Jul 2008 07:46:09 -0400 Subject: [c-nsp] 'multiplexing" netflow? In-Reply-To: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local> References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local> Message-ID: Now I remember why I can't use this (sorry it's been a while since I've examined this) The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces) I would like to send all of the flow data to another system for analysis. So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where. -Drew From: Ben Hicks [mailto:ben.hicks at centius.co.uk] Sent: Thursday, July 03, 2008 7:22 AM To: Drew Weaver; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 'multiplexing" netflow? Why not just have multiple export statements. Taken from - http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_mdnf.html#wp1021114 export destination 10.0.101.254 9991 export destination 10.0.101.254 1999 Many thanks, Ben -----Original Message----- From: cisco-nsp-bounces at puck.nether.net on behalf of Drew Weaver Sent: Thu 03/07/2008 12:18 To: cisco-nsp at puck.nether.net Subject: [c-nsp] 'multiplexing" netflow? Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis. Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable) ? 
-Drew _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From luan at t3technology.com Thu Jul 3 07:52:18 2008 From: luan at t3technology.com (Luan M Nguyen) Date: Thu, 3 Jul 2008 07:52:18 -0400 Subject: [c-nsp] OSPF4-BAD-LENGTH In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> References: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> Message-ID: <002d01c8dd03$3edb29d0$bc917d70$@com> They are trying this maybe? http://www.cisco.com/en/US/partner/products/products_security_advisory09186a 008029e189.shtml -Luan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol Sent: Thursday, July 03, 2008 7:45 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] OSPF4-BAD-LENGTH Hi all, This isn't a question of what, but how :-) We received this log on one of our 6509s last night: Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5 This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols? 
-evt _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From eric at atlantech.net Thu Jul 3 08:17:31 2008 From: eric at atlantech.net (Eric Van Tol) Date: Thu, 3 Jul 2008 08:17:31 -0400 Subject: [c-nsp] OSPF4-BAD-LENGTH In-Reply-To: <002d01c8dd03$3edb29d0$bc917d70$@com> References: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> <002d01c8dd03$3edb29d0$bc917d70$@com> Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED5A3@exchange.aoihq.local> > -----Original Message----- > From: Luan M Nguyen [mailto:luan at t3technology.com] > Sent: Thursday, July 03, 2008 7:52 AM > To: Eric Van Tol; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] OSPF4-BAD-LENGTH > > They are trying this maybe? > http://www.cisco.com/en/US/partner/products/products_security_advisor > y09186a > 008029e189.shtml > > -Luan > Hmm...quite possibly. Luckily, we're not running any affected version and we use authentication. Thanks for the info. -evt From MLouis at nwnit.com Thu Jul 3 08:21:31 2008 From: MLouis at nwnit.com (Mike Louis) Date: Thu, 3 Jul 2008 08:21:31 -0400 Subject: [c-nsp] 'multiplexing" netflow? In-Reply-To: References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local> Message-ID: Have you tried this tool? Flow Fan-out - It will replicate a single netflow source and send it out to multiple destinations. http://www.splintered.net/sw/flow-tools/docs/flow-fanout.html -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver Sent: Thursday, July 03, 2008 7:46 AM To: 'Ben Hicks'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 'multiplexing" netflow? 
Now I remember why I can't use this (sorry it's been a while since I've examined this) The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces) I would like to send all of the flow data to another system for analysis. So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where. -Drew From: Ben Hicks [mailto:ben.hicks at centius.co.uk] Sent: Thursday, July 03, 2008 7:22 AM To: Drew Weaver; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 'multiplexing" netflow? Why not just have multiple export statements. Taken from - http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_mdnf.html#wp1021114 export destination 10.0.101.254 9991 export destination 10.0.101.254 1999 Many thanks, Ben -----Original Message----- From: cisco-nsp-bounces at puck.nether.net on behalf of Drew Weaver Sent: Thu 03/07/2008 12:18 To: cisco-nsp at puck.nether.net Subject: [c-nsp] 'multiplexing" netflow? Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis. Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable) ? 
-Drew From gordon.bezzina at bell.net.mt Thu Jul 3 09:25:43 2008 From: gordon.bezzina at bell.net.mt (Gordon Bezzina) Date: Thu, 3 Jul 2008 15:25:43 +0200 Subject: [c-nsp] 'multiplexing" netflow? In-Reply-To: References: Message-ID: <005c01c8dd10$4b79fc40$e26df4c0$@bezzina@bell.net.mt> Hi, Get a plain linux box, install flow-tools and use flow-fanout. Example: /usr/bin/flow-fanout -s 0/192.168.3.5/2000 0/192.168.3.10/9996 0/192.168.3.22/2055 Accept netflow from 192.168.3.5 on port 2000 and re-export them to: 1. 192.168.3.10 port 9996; and 2. 192.168.3.22 port 2055. My linux box has been up for 157 days already and flow-fanout never crashed :-) Hope it helps Brgds Gordon On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote: > Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis. 
> > Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)? From emre.turkmenler at doruk.net.tr Thu Jul 3 06:15:56 2008 From: emre.turkmenler at doruk.net.tr (Emre Türkmenler) Date: Thu, 3 Jul 2008 13:15:56 +0300 Subject: [c-nsp] Cisco 878 SDM connection problem Message-ID: <022c01c8dcf5$c85fa9f0$170d3ad4@emre> Hi, I want to connect to a Cisco 878 with SDM but I have problems; it may be a Java problem. I have the latest version installed at the moment. Can someone explain how I can use SDM? Thanks From chris.garzon at gmail.com Thu Jul 3 12:48:59 2008 From: chris.garzon at gmail.com (Dracul) Date: Fri, 4 Jul 2008 00:48:59 +0800 Subject: [c-nsp] WLC and LWAPP Aps Message-ID: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> Hi All, Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131? I cannot seem to make the lightweight AP get an IP address from the internal DHCP server of the WLC, let alone have the LW AP be discovered by the 4404. Used Layer 2 and Layer 3 mode already. From der.mikus at gmail.com Thu Jul 3 13:03:20 2008 From: der.mikus at gmail.com (Mike Butash) Date: Thu, 03 Jul 2008 10:03:20 -0700 Subject: [c-nsp] ASA questions In-Reply-To: <1215082486.20536.5.camel@svesken.sys.mjna.net> References: <0ff801c8dcf8$e9650110$bc2f0330$@org> <1215082486.20536.5.camel@svesken.sys.mjna.net> Message-ID: <486D0658.4040904@gmail.com> If it's a major DoS or DDoS, look at the Cisco Anomaly Detection/Mitigation appliances they borg'd from Riverhead a few years ago. When we began undergoing nightly DDoS's from millions of sources of several hundred meg and up to several gigs, they were a godsend to actually allow us to combat attacks effectively. They have their quirks, but they also work wonders for removing illegitimate traffic off the network. Maybe also recommend Prolexic.com services... 
Might be cheaper in the long run, and they are quite effective in doing about the same service the anomaly mitigation appliances provide. ASA's will allow for some basic protection as Peter stated, but they won't do much for intelligent attacks, which most botnets allow for push-button nuking of any network with somewhat decently emulated floods of traffic. Once you can dump out the flood of crap thrown at you, an average 5520 or whatever your "normal" traffic requires will suffice. -mb Peter Rathlev wrote: > Hi Skeeve, > > On Thu, 2008-07-03 at 20:38 +1000, Skeeve Stevens wrote: >> I am looking for an ASA with the primary use being to stop DDoS attacks >> which one of my customers is getting slammed with. >> >> Need at least a couple of hundred meg throughput.. Preferably in transparent >> mode. >> >> Couple of questions: >> - Is an SSM needed to do DoS protection? > > The ASA code can protect against things like SYN flood (embryonic and > half-open connection limits) and you can do rate limiting. If you need > more advanced (e.g. signature based) protection, you'd need something > like the AIP-SSM. But the ASA does a good job on it's own. > >> - The 5550 can't take an SSM? > > No, the 5550 can't take an SSM, since the slot is already taken by a 4 > port GigabitEthernet module, which cannot be removed. > >> - Is the transparent protection functional in dot1q VLAN's? (If I want >> to run multiple carriers into a switch then into the ASA and back out) > > Yes, you can run multiple transparent firewall interface pairs, > filtering each pair seperately, if that is what you mean. 
> > Regards, > Peter > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From harbor235 at gmail.com Thu Jul 3 13:05:09 2008 From: harbor235 at gmail.com (Mike Johnson) Date: Thu, 3 Jul 2008 13:05:09 -0400 Subject: [c-nsp] Route Reflector Design In-Reply-To: <200807031017.37543.mtinka@globaltransit.net> References: <836bf1f90807020557s78131112ma1b84850709bd1fb@mail.gmail.com> <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <200807031017.37543.mtinka@globaltransit.net> Message-ID: <836bf1f90807031005rd123c4brcbf3fff192497c75@mail.gmail.com> Guys, thanx for the all the recommendations, I find them all insightful and will consider them all. thanx again -Mike j On 7/2/08, Mark Tinka wrote: > > On Wednesday 02 July 2008 23:34:42 Mike Johnson wrote: > > > How am I able to utilize thousands of devices in a flat > > IGP domain? I thought > > only a couple hundred is recommended before deploying > > multiple areas. > > Our school of thought has always been, build scalability > from the beginning even though you only have 2 routers in > the network, i.e.: > > * support BGP peer groups or peer session templates from > day one. > > * support route reflectors from day one. > > * support multi-area/multi-level IGP designs from day one. > > * support Loopbacks in the IGP and prefixes in iBGP from > day one. > > One never knows when the network is going to explode - it > saves you a lot of hassle and potential re-design, down the > line. > > Probably the same reason most folk will buy a router/switch > with full flash/memory from day one, even when it probably > won't have BGP from the onset. > > Cheers, > > Mark. 
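The %OSPF-4-BADLENGTH question in the thread above (type 39, length 34778 from 218.106.119.133) comes down to what a router checks before it trusts an OSPF packet. OSPF is plain IP protocol 89, so a unicast packet addressed to an interface is routed across the Internet like any other datagram and is only rejected once the OSPF header is inspected. The following Python is an added example, not code from the list or from Cisco, that reproduces those sanity checks (version, type, length, source on an OSPF-enabled subnet, expected authentication type, header checksum) over constructed packets, including one forged to match the logged line. The neighbour subnet, router IDs and verdict names are assumptions made for the illustration.

```python
"""OSPFv2 header sanity checks (added example, not from the list thread).

Header per RFC 2328 A.3.1: version, type, length, router ID, area ID,
checksum, authentication type, 64-bit authentication field.
Assumed for the illustration: NEIGHBOR_NETS, the router IDs and verdict names.
"""
import ipaddress
import struct
from typing import Optional, Tuple

OSPF_HDR = struct.Struct("!BBHIIHH8s")   # 24-byte OSPFv2 header
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}
NEIGHBOR_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed OSPF-enabled subnet


def ospf_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; returns 0 when `data` already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_ospf(payload: bytes, src_ip: str, neighbor_nets, require_autype: int = 2) -> Tuple[str, str]:
    """Classify one OSPF payload the way a router does before the OSPF process parses it.

    Returns (verdict, detail); the BADLENGTH detail mirrors the IOS log line format.
    """
    if len(payload) < OSPF_HDR.size:
        return "BADLENGTH", f"short packet ({len(payload)} bytes) from {src_ip}"
    version, ptype, length, rid, area, _csum, autype, _auth = OSPF_HDR.unpack_from(payload)
    rid_s = str(ipaddress.IPv4Address(rid))
    if version != 2:
        return "BADVERSION", f"OSPF version {version} from {src_ip} (ID {rid_s})"
    # Unknown type, or a length field outside [header size, IP payload size]
    if ptype not in OSPF_TYPES or not OSPF_HDR.size <= length <= len(payload):
        return "BADLENGTH", (f"Invalid length {length} in OSPF packet type {ptype} "
                             f"from {src_ip} (ID {rid_s})")
    # A neighbour must sit on a directly attached OSPF-enabled subnet; an Internet
    # source that was merely unicast-routed to the interface fails here.
    if not any(ipaddress.IPv4Address(src_ip) in net for net in neighbor_nets):
        return "NOTNEIGHBOR", f"{src_ip} is not on any OSPF-enabled subnet"
    if autype != require_autype:
        return "NOAUTH", f"auth type {autype} from {src_ip}, interface expects {require_autype}"
    # Checksum covers the packet minus the 64-bit auth field (autype 0/1 only; with MD5
    # the checksum field is zero and the digest appended to the packet is verified instead).
    if autype in (0, 1) and ospf_checksum(payload[:16] + payload[24:length]) != 0:
        return "BADCHECKSUM", f"checksum mismatch from {src_ip} (ID {rid_s})"
    return "OK", f"{OSPF_TYPES[ptype]} from {src_ip} (ID {rid_s}), area {area}"


def build_ospf(ptype: int, body: bytes = b"", rid: str = "192.0.2.1", area: int = 0,
               autype: int = 0, length: Optional[int] = None) -> bytes:
    """Constructed-packet builder; `length` lets a caller forge a bogus length field."""
    real_len = OSPF_HDR.size + len(body)
    hdr = OSPF_HDR.pack(2, ptype, real_len if length is None else length,
                        int(ipaddress.IPv4Address(rid)), area, 0, autype, b"\x00" * 8)
    pkt = hdr + body
    if autype in (0, 1):
        csum = ospf_checksum(pkt[:16] + pkt[24:])
        pkt = pkt[:12] + struct.pack("!H", csum) + pkt[14:]
    return pkt


def hello_body() -> bytes:
    """Minimal Hello body: netmask, hello interval, options, priority, dead interval, DR, BDR."""
    return struct.pack("!IHBBIII", 0xFFFFFF00, 10, 0x02, 1, 40, 0, 0)


if __name__ == "__main__":
    samples = [
        ("192.0.2.2", build_ospf(1, hello_body())),                                          # good
        ("218.106.119.133", build_ospf(39, b"\x00" * 8, rid="244.193.1.14", length=34778)),  # as logged
        ("218.106.119.133", build_ospf(1, hello_body())),                                    # routed in
    ]
    for src, pkt in samples:
        print("%-12s %s" % check_ospf(pkt, src, NEIGHBOR_NETS, require_autype=0))
```

The neighbour-subnet test stands in for what an infrastructure ACL does at the edge: deny IP protocol 89 from anything that is not a known adjacency, so such packets are dropped before the OSPF process ever sees or logs them. With MD5 authentication the cryptographic digest, not the header checksum, is what protects the packet; this example stops at recognising the authentication type and does not verify the digest.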
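For the 'multiplexing" netflow? thread above, flow-fanout replicates whole datagrams; Drew's case (an appliance that can only take sampled flows from 2 of 10 interfaces, plus a full feed for analysis) needs a middle-man that understands the records. The Python below is an added example, not part of the thread, flow-tools or pmacct: it parses NetFlow v5 datagrams, forwards the complete datagram to the analysis collector, and rebuilds a reduced datagram (chosen ifIndex values, 1-in-N sampled) for the edge appliance. The collector addresses, ifIndex values and sampling rate are constructed for the illustration. The validation before forwarding matters because NetFlow is unauthenticated UDP: anything that can reach the listener can inject records, so the exporter source is pinned and malformed datagrams are dropped rather than replayed.

```python
"""NetFlow v5 fan-out with per-destination interface filtering and sampling.

Added example, not from the list thread, flow-tools or pmacct.  Assumed for
the illustration: the collector addresses, ifIndex values and sampling rate.
"""
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24-byte NetFlow v5 export header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
MAX_RECORDS = 30                                     # v5 exporters never pack more than 30
IN_IF, OUT_IF = 3, 4                                 # record field indexes: input/output ifIndex


def parse_v5(datagram: bytes):
    """Validate a NetFlow v5 datagram and return (header_fields, [record_fields])."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("short datagram")
    hdr = V5_HEADER.unpack_from(datagram, 0)
    version, count = hdr[0], hdr[1]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = [V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
               for i in range(count)]
    return hdr, records


def build_v5(hdr, records) -> bytes:
    """Re-pack a header with a (possibly reduced) record list, fixing the count field."""
    hdr = (hdr[0], len(records)) + tuple(hdr[2:])
    return V5_HEADER.pack(*hdr) + b"".join(V5_RECORD.pack(*r) for r in records)


@dataclass
class Destination:
    addr: Tuple[str, int]                       # (host, port) to forward to
    ifindexes: Optional[frozenset] = None       # None = records from every interface
    rate: int = 1                               # keep 1 in `rate` matching records
    seen: int = 0                               # running sampling counter

    def wants(self, rec) -> bool:
        if self.ifindexes is not None and not ({rec[IN_IF], rec[OUT_IF]} & self.ifindexes):
            return False
        self.seen += 1
        return self.seen % self.rate == 0


def fanout(datagram: bytes, dests) -> Dict[Tuple[str, int], bytes]:
    """Map each destination address to the datagram it should get (omitted when empty)."""
    hdr, records = parse_v5(datagram)
    plan = {}
    for d in dests:
        keep = [r for r in records if d.wants(r)]
        if keep:
            plan[d.addr] = datagram if len(keep) == len(records) else build_v5(hdr, keep)
    return plan


def serve(listen: Tuple[str, int], exporter_ip: str, dests) -> None:
    """Receive exports from one router and replay them according to `dests`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        if src_ip != exporter_ip:          # NetFlow is unauthenticated UDP: pin the exporter
            continue
        try:
            plan = fanout(data, dests)
        except ValueError:                 # malformed export: do not replay it
            continue
        for addr, payload in plan.items():
            sock.sendto(payload, addr)


def sample_datagram() -> bytes:
    """Constructed export: four TCP flows with (input, output) ifIndex (1,5) (2,5) (3,5) (1,5)."""
    hdr = (5, 4, 1000, 1215000000, 0, 42, 0, 0, 0)
    recs = []
    for n, (in_if, out_if) in enumerate([(1, 5), (2, 5), (3, 5), (1, 5)]):
        recs.append((0x0A000001 + n, 0xC0A80001, 0, in_if, out_if, 10, 1500, 100, 200,
                     40000 + n, 80, 0, 0x18, 6, 0, 64500, 64501, 24, 24, 0))
    return build_v5(hdr, recs)


if __name__ == "__main__":
    dests = [Destination(("192.0.2.10", 9996)),                              # full copy: analysis
             Destination(("192.0.2.22", 2055), frozenset({1, 2}), rate=2)]  # edge box: 2 ifs, 1:2
    for addr, payload in fanout(sample_datagram(), dests).items():
        print(addr, parse_v5(payload)[0][1], "records")
    # serve(("0.0.0.0", 2000), "192.0.2.1", dests)   # run for real against a router export
```

The reduced datagram is rebuilt with a corrected count field, so the appliance sees a well-formed v5 export rather than a copy with dangling records; the flow_sequence number in the header is left as the router set it, which per-destination collectors that track sequence gaps will notice, so reset it per destination if that matters.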
From jmayer at loplof.de Thu Jul 3 14:15:17 2008 From: jmayer at loplof.de (Joerg Mayer) Date: Thu, 3 Jul 2008 20:15:17 +0200 Subject: [c-nsp] WLC and LWAPP Aps In-Reply-To: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> Message-ID: <20080703181517.GJ4112@thot.informatik.uni-kl.de> On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote: > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. I > cannot seem to make the lightweight AP to get IP address from > the internal DHCP server of the WLC let alone the LW AP be discovered by the > 4404. used Layer2 and Layer 3 mode already How about some more details? Are AP and management-if in the same network? If not, what have you done to make sure that the AP knows where to find it? If all fails: You can configure the management-if address directly on the lw-ap command line. Ciao Joerg -- Joerg Mayer We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology. From sthaug at nethelp.no Thu Jul 3 14:23:01 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Thu, 03 Jul 2008 20:23:01 +0200 (CEST) Subject: [c-nsp] Route Reflector Design In-Reply-To: <486BA316.1060907@templin.org> References: <1fd5261d454c5fbe4169e949a9267329.squirrel@webmail.pelican.org> <836bf1f90807020834p5d36574cu373cdc2ae6ffe49f@mail.gmail.com> <486BA316.1060907@templin.org> Message-ID: <20080703.202301.74732300.sthaug@nethelp.no> > I'm now contemplating going back to OSPF. The relevant reasons are: > > 1) We have some use for Catalyst 3550s in our network, and AFAIK they > don't speak ISIS. > 2) We're having extreme pain trying to bring up ISIS for IPv6. I was wondering whether you could elaborate a bit more on the second point? (Background: We have a Juniper based backbone, with IS-IS and IPv6, and it "just works". 
Due to an upcoming merger we are likely to have a mixed Juniper/Cisco backbone in the not too distant future, and any info on problems with IS-IS for IPv6 would be interesting.) Steinar Haug, Nethelp consulting, sthaug at nethelp.no From lsawyer at gci.com Thu Jul 3 14:29:26 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 3 Jul 2008 10:29:26 -0800 Subject: [c-nsp] Route Reflector Design In-Reply-To: <20080703.202301.74732300.sthaug@nethelp.no> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> Steinar Haug [sthaug at nethelp.no] writes in response to > Pete Templin [petelists at templin.org], whom wrote: >> I'm now contemplating going back to OSPF. The relevant reasons are: >> >> 1) We have some use for Catalyst 3550s in our network, and >> AFAIK they don't speak ISIS. >> 2) We're having extreme pain trying to bring up ISIS for IPv6. > > I was wondering whether you could elaborate a bit more on the > second point? (Background: We have a Juniper based backbone, > with IS-IS and IPv6, and it "just works". Due to an upcoming > merger we are likely to have a mixed Juniper/Cisco backbone > in the not too distant future, and any info on problems with > IS-IS for IPv6 would be interesting.) Really? This is the basic configlet I applied to our routers -n- switches, ignoring any issues with the cef commands, of course. I haven't seen any issues at all with our roll-out. ! ipv6 unicast-routing ipv6 cef ipv6 cef distributed ! router isis is-type level-2-only metric-style wide no adjacency-check ! address-family ipv6 multi-topology no adjacency-check ! From robbie.jacka at regions.com Thu Jul 3 14:33:55 2008 From: robbie.jacka at regions.com (robbie.jacka at regions.com) Date: Thu, 3 Jul 2008 13:33:55 -0500 Subject: [c-nsp] OSPF4-BAD-LENGTH In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED59F@exchange.aoihq.local> Message-ID: Sounds possibly like an attack versus CSCsf12082. 
CVE is CVE-2008-0537 http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml -- robbie Eric Van Tol (sent by cisco-nsp-bounces at puck.nether.net), 07/03/2008 06:45 AM, To: "cisco-nsp at puck.nether.net", Subject: [c-nsp] OSPF4-BAD-LENGTH Hi all, This isn't a question of what, but how :-) We received this log on one of our 6509s last night: Jul 3 06:04:40 EDT: %OSPF-4-BADLENGTH: Invalid length 34778 in OSPF packet type 39 from 218.106.119.133 (ID 244.193.1.14), GigabitEthernet1/5 This address has no direct connectivity with our network, as it appears to be from a Chinese network. My question is how does an OSPF packet get through the general internet? Or could this be more than likely just some sort of vulnerability scanner that is spoofing various protocols? -evt From aaron.glenn at gmail.com Thu Jul 3 14:49:33 2008 From: aaron.glenn at gmail.com (Aaron Glenn) Date: Thu, 3 Jul 2008 11:49:33 -0700 Subject: [c-nsp] 'multiplexing" netflow? In-Reply-To: References: <7891A597D920D242A3C9CA4C24BF88049B1E49@exch-be12.exchange.local> Message-ID: <18f601940807031149k7863c1b7g3da0edb0268db004@mail.gmail.com> On Thu, Jul 3, 2008 at 4:46 AM, Drew Weaver wrote: > Now I remember why I can't use this (sorry it's been a while since I've examined this) > > The appliance we are sending our flows to can only handle maybe 1% of our actual flows (sampled) (and only from 2 out of 10 of our interfaces) I would like to send all of the flow data to another system for analysis. > > So basically I would need to send all of the flow data to a middle-man, and then have it configured to somehow know what to send where. 
flow-fanout or, my recommendation, pmacct From troy at i2bnetworks.com Thu Jul 3 16:04:34 2008 From: troy at i2bnetworks.com (Troy Beisigl) Date: Thu, 3 Jul 2008 13:04:34 -0700 Subject: [c-nsp] Strange behavior in a Cisco CPE Message-ID: <4FA21019-9272-43C4-A000-7B7C6A9CFD9F@i2bnetworks.com> Hi All, We are seeing some really strange behavior on a Cisco 1721 CPE. It acts like we are having a connectivity problem with packet loss or very high latency. There is about 86Kbps to 350Kbps of traffic on it. It has WIC-1DSU-T1 card and is doing just basic static routes with a Full T1. There are no errors on the T1. If I log into the router and try to send say 1000 icmp packets to something on the other end of the T1, it will go for few packets and then pause for about 15 to 20 seconds before continuing right where it stopped. It never drops any packets, just freezes and then continues. It does this about every minute or 2. Has anyone seen this before? Nothing shows up in the logs and we have rebooted it with no resolution to the problem. Pings to and through the router from outside never stop or drop when this happens either, but it is causing problems with QoS for VoIP. CPU load is nothing and RAM is fine. #sh proc cpu CPU utilization for five seconds: 0%/0%; one minute: 1%; five minutes: 2% #sh mem Head Total(b) Used(b) Free(b) Lowest(b) Largest(b) Processor 80A9C858 3134376 1932072 1202304 1024128 1089528 I/O D99C00 2515976 1661620 854356 854356 854300 Anyone have any ideas? Thanks. 
-Troy From vinny at tellurian.com Thu Jul 3 17:19:05 2008 From: vinny at tellurian.com (Vinny Abello) Date: Thu, 3 Jul 2008 17:19:05 -0400 Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Leif Sawyer > Sent: Thursday, July 03, 2008 2:29 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Route Reflector Design > > Steinar Haug [sthaug at nethelp.no] writes in response to > > Pete Templin [petelists at templin.org], who wrote: > >> I'm now contemplating going back to OSPF. The relevant reasons are: > >> > >> 1) We have some use for Catalyst 3550s in our network, and > >> AFAIK they don't speak ISIS. > >> 2) We're having extreme pain trying to bring up ISIS for IPv6. > > > > I was wondering whether you could elaborate a bit more on the > > second point? (Background: We have a Juniper based backbone, > > with IS-IS and IPv6, and it "just works". Due to an upcoming > > merger we are likely to have a mixed Juniper/Cisco backbone > > in the not too distant future, and any info on problems with > > IS-IS for IPv6 would be interesting.) > > Really? > > This is the basic configlet I applied to our routers -n- > switches, ignoring any issues with the cef commands, of course. > I haven't seen any issues at all with our roll-out. While on this topic, if anyone has figured out a non-disruptive strategy to deploying IPv6 in a core with a mix of Cisco and Foundry routers running ISIS, any pointers would be appreciated. Foundry currently doesn't support multi-topology with ISIS which is the major stumbling block I've run into. 
Not using multi-topology support and ignoring the v6 TLVs with "no adjacency-check" still seems to cause problems and drop adjacencies. I've additionally looked into the "multi-topology transition" command but it hasn't provided a clear answer to me. If we were all Cisco it looks like it's a piece of cake. I just can't find the magic combination with Cisco and Foundry... unless I disrupt my whole network to convert it to have both v4 and v6 TLVs in the single ISIS topology. Any pointers from anyone who has been down this path with these two vendors? It would be much appreciated. :) -Vinny From tedm at toybox.placo.com Thu Jul 3 23:21:32 2008 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Thu, 3 Jul 2008 20:21:32 -0700 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: Message-ID: Rubbish. The reason the PIX doesn't allow Telnet is that the original PIX devices were built on a Windows core, Windows 3.1 as I believe, with the GUI and most of the command line utilities stripped away. Because the PIX was an early out-of-the-hole firewall, it captured a customer base of customers who needed a firewall but frankly didn't understand much about what they needed. i.e.: dumb bunnies in cash-rich organizations willing to buy sub-par technology that was hyped up to ridiculous amounts. It's an old story in technology. This was a very valuable customer base which is why Cisco purchased the PIX product line. Cisco had little interest in the lame firewalling technology of the PIX and has spent at least a decade of careful work grooming the PIX customers off PIXes and on to Cisco router platforms. To accomplish this they were -extraordinarily- careful to preserve the PIX interface and limitations over the years. But as anyone who works with PIXes knows, Cisco has really not improved the basic technology of the PIX over the years. That is why the current Cisco IOS-based firewalls have a firewalling feature set that knocks a PIX into a cocked hat. 
It is also why Cisco has finally felt comfortable enough that they have migrated the PIX customers worth keeping over to their own product line, to announce that they were discontinuing the PIX product line. As they did recently. Ted > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes > Sent: Monday, June 30, 2008 5:31 AM > To: Joerg Mayer; Aaron R > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? > > > I guess it's more as a "working right" educational purpose, so > you won't use your firewall as a debugging client. > In newer versions there's the packet tracker that can help you > debug connectivity problems. > Ziv > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer > Sent: Monday, June 30, 2008 2:21 PM > To: Aaron R > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? > > On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: > > It is disabled as a security feature. I have also wanted to do > the same for > > troubleshooting purposes. > > And why exactly is this a security feature? What is the *gain* in > security? > > Ciao > Joerg > -- > Joerg Mayer > We are stuck with technology when what we really want is just stuff that > works. Some say that should read Microsoft instead of technology. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > ****************************************************************** > ****************** > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & > computer viruses. 
> ****************************************************************** > ****************** > > > > > > > > > ****************************************************************** > ****************** > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & > computer viruses. > ****************************************************************** > ****************** > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From tvarriale at comcast.net Fri Jul 4 00:50:13 2008 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 3 Jul 2008 23:50:13 -0500 Subject: [c-nsp] Telnet FROM a PIX Appliance? References: Message-ID: <004401c8dd91$72d8daf0$f211a8c0@flamwsugsmul5v> Holy crap. Did you say Windows? tv ----- Original Message ----- From: "Ted Mittelstaedt" To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R" Cc: Sent: Thursday, July 03, 2008 10:21 PM Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? > > Rubbish. > > The reason the PIX doesen't allow Telnet is that the original > PIX devices were built on a Windows core, Windows 3.1 as I > believe, with the GUI and most of the command line utilities > stripped away. Because the PIX was an early out-of-the-hole > firewall, it captured a customer base of customers who needed > a firewall but frankly didn't understand much about what they > needed. ie: dumb bunnies in cash-rich organizations willing > to buy sub-par technology that was hyped up to rediculous > amounts. It's an old story in technology. > > This was a very valuable customer base which is why Cisco > purchased the PIX product line. Cisco had little interest > in the lame firewalling technology of the PIX and has > spent at least a decade of careful work grooming the PIX > customers off PIXes and on to Cisco router platforms. 
To > accomplish this they were -extraordinairly- careful to > preserve the PIX interface and limitations over the years. > But as anyone who works with PIXes knows, Cisco has really > not improved the basic technology of the PIX over the years. > > That is why the current Cisco IOS-based firewalls have > a firewalling feature set that knocks a PIX into a cocked > hat. > > It is also why Cisco has finally felt comfortable enough > that they have migrated the PIX customers worth keeping > over to their own product line, to announce that they were > discontinuing the PIX product line. As they did recently. > > Ted > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes >> Sent: Monday, June 30, 2008 5:31 AM >> To: Joerg Mayer; Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> >> I guess it's more as a "working right" educational purpose, so >> you won't use your firewall as a debugging client. >> In newer versions there's the packet tracker that can help you >> debug connectivity problems. >> Ziv >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer >> Sent: Monday, June 30, 2008 2:21 PM >> To: Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: >> > It is disabled as a security feature. I have also wanted to do >> the same for >> > troubleshooting purposes. >> >> And why exactly is this a security feature? What is the *gain* in >> security? >> >> Ciao >> Joerg >> -- >> Joerg Mayer >> We are stuck with technology when what we really want is just stuff that >> works. Some say that should read Microsoft instead of technology. 
From swmike at swm.pp.se Fri Jul 4 01:41:59 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Fri, 4 Jul 2008 07:41:59 +0200 (CEST) Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> Message-ID: On Thu, 3 Jul 2008, Vinny Abello wrote: > While on this topic, if anyone has figured out a non-disruptive strategy > to deploying IPv6 in a core
with a mix of Cisco and Foundry routers > running ISIS, any pointers would be appreciated. Foundry currently We had multitopology problems between platforms/vendors as well, we ended up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for IPv4/VPNv4), this gave us a completely different control plane for IPv6 and pretty much guaranteed to be non-intrusive to devices not running IPv6 or needing the information. Multitopology ISIS is a great idea and I would really like to run it, but it just didn't work with our mix of platforms and vendors. -- Mikael Abrahamsson email: swmike at swm.pp.se From tseveendorj at gmail.com Fri Jul 4 02:15:42 2008 From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu) Date: Fri, 4 Jul 2008 15:15:42 +0900 Subject: [c-nsp] ISDN related errors Message-ID: <62c908120807032315m41f54695k43d543062f8e5be5@mail.gmail.com> Hi Guys, My gateway is 5350XM connected to ISDN by PRI. That gateway used for call terminating. I have found following errors when I'm debugging ISDN Q.931. What is the reason and how to solve this? 1. Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned 2. Cause i = 0x80BF - Service/option not available, unspecified Cause i = 0x80BF - Service/option not available, unspecified 3. Cause i = 0x82AF - Resource unavailable, unspecified Cause i = 0x82AF - Resource unavailable, unspecified 4. Cause i = 0x82FF - Interworking error; unspecified Cause i = 0x82FF - Interworking error; unspecified 5. 
Cause i = 0x8AAA - Switching equipment congestion Cause i = 0x8AAA - Switching equipment congestion Thank you Best regards, Tseveendorj From dr at cluenet.de Fri Jul 4 07:03:31 2008 From: dr at cluenet.de (Daniel Roesen) Date: Fri, 4 Jul 2008 13:03:31 +0200 Subject: [c-nsp] Restricting HWIC-3G-GSM to GPRS-only operation Message-ID: <20080704110331.GA23174@srv01.cluenet.de> Hi, is there any way to restrict an HWIC-3G-GSM UMTS/GPRS interface to GPRS-only operation? We want to avoid using flaky UMTS in a certain spot. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From juniper84 at live.com Fri Jul 4 08:10:48 2008 From: juniper84 at live.com (J C) Date: Fri, 4 Jul 2008 09:10:48 -0300 Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP Message-ID: I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification. Does anyone have any experience with this type of QoS configuration on this product? From peder at networkoblivion.com Fri Jul 4 08:28:17 2008 From: peder at networkoblivion.com (Peder @ NetworkOblivion) Date: Fri, 04 Jul 2008 07:28:17 -0500 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: References: Message-ID: <486E1761.5010805@networkoblivion.com> What!? The original PIX code was < 500k as the first versions from Network Translations only had 512k flash modules in them.
There is no way that it was based on Windows, not even 3.1. I think you are thinking of the Centri (or whatever it was called) that was Windows based that they bought many years ago. I actually worked at Cisco when they bought the PIX and the Centri and then they killed the Centri shortly thereafter. I think the Centri ran on Windows 95, but I am not 100% sure as that was 10+ years ago. IMO, the reason that so many people use(d) the PIX is that they just work. You set it up and forget it for two years. You rarely even need to update the software on it as there are so few bugs that are show stoppers. Now, the ASA is a different story. There is a lot more stuff in it and hence a lot more bugs. Ted Mittelstaedt wrote: > Rubbish. > > The reason the PIX doesn't allow Telnet is that the original > PIX devices were built on a Windows core, Windows 3.1 as I > believe, with the GUI and most of the command line utilities > stripped away. Because the PIX was an early out-of-the-hole > firewall, it captured a customer base of customers who needed > a firewall but frankly didn't understand much about what they > needed. i.e.: dumb bunnies in cash-rich organizations willing > to buy sub-par technology that was hyped up to ridiculous > amounts. It's an old story in technology. > > This was a very valuable customer base which is why Cisco > purchased the PIX product line. Cisco had little interest > in the lame firewalling technology of the PIX and has > spent at least a decade of careful work grooming the PIX > customers off PIXes and on to Cisco router platforms. To > accomplish this they were -extraordinarily- careful to > preserve the PIX interface and limitations over the years. > But as anyone who works with PIXes knows, Cisco has really > not improved the basic technology of the PIX over the years. > > That is why the current Cisco IOS-based firewalls have > a firewalling feature set that knocks a PIX into a cocked > hat.
> > It is also why Cisco has finally felt comfortable enough > that they have migrated the PIX customers worth keeping > over to their own product line, to announce that they were > discontinuing the PIX product line. As they did recently. > > Ted > >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes >> Sent: Monday, June 30, 2008 5:31 AM >> To: Joerg Mayer; Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> >> I guess it's more as a "working right" educational purpose, so >> you won't use your firewall as a debugging client. >> In newer versions there's the packet tracker that can help you >> debug connectivity problems. >> Ziv >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer >> Sent: Monday, June 30, 2008 2:21 PM >> To: Aaron R >> Cc: cisco-nsp at puck.nether.net >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: >>> It is disabled as a security feature. I have also wanted to do >> the same for >>> troubleshooting purposes. >> And why exactly is this a security feature? What is the *gain* in >> security? >> >> Ciao >> Joerg >> -- >> Joerg Mayer >> We are stuck with technology when what we really want is just stuff that >> works. Some say that should read Microsoft instead of technology. 
From felixnkansah at gmail.com Fri Jul 4 08:29:57 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 4 Jul 2008 12:29:57 +0000 Subject: [c-nsp] Shutting Down Catalyst 6509? Message-ID: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Hi Team, I am in a lab trying my hands for the first time on a new Catalyst 6509 to be deployed for a client. It has some gigabitethernet and FWSM modules installed, along with one supervisor engine. It's started and loaded beautifully, all modules having passed the diagnostics, etc. My concern is 'how do I shut the switch down'?
I don't want to believe I can just power it off from the power source as I do with the lower end versions. Or is it? Please help answer this question along with any other caveats, links, etc. that you would like to share with me based on your experiences. Regards, Felix From A.L.M.Buxey at lboro.ac.uk Fri Jul 4 08:42:37 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Fri, 4 Jul 2008 13:42:37 +0100 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID: <20080704124237.GA31219@lboro.ac.uk> Hi, > My concern is 'how do I shut the switch down'? real power down? turn one PSU off, then the other. just ensure you've saved the config if you've made changes beforehand! alan From streiner at cluebyfour.org Fri Jul 4 08:46:51 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Fri, 4 Jul 2008 08:46:51 -0400 (EDT) Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID: On Fri, 4 Jul 2008, Felix Nkansah wrote: > My concern is 'how do I shut the switch down'? > > I don't want to believe I can just power it off from the power source as I do > with the lower end versions. Or is it? There are on/off switches on each of the power supplies. Just twist the switch from the on to the off position. jms From felixnkansah at gmail.com Fri Jul 4 08:54:48 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 4 Jul 2008 12:54:48 +0000 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> Message-ID: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> Thanks guys. I thought it had some special shutdown procedures or commands. Thanks.
From chris.garzon at gmail.com Fri Jul 4 09:42:22 2008 From: chris.garzon at gmail.com (Dracul) Date: Fri, 4 Jul 2008 21:42:22 +0800 Subject: [c-nsp] WLC and LWAPP Aps In-Reply-To: <6bc4a240807030959x3558a3c1u11af69e69569f78@mail.gmail.com> References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <6bc4a240807030959x3558a3c1u11af69e69569f78@mail.gmail.com> Message-ID: <876789290807040642y1171ed37n5a9ef1df6349998b@mail.gmail.com> Hi Håvard, Thanks! I have an additional question, how many APs can the internal DHCP of a WLAN controller support? Thanks, chris On Fri, Jul 4, 2008 at 12:59 AM, Håvard Nyhus wrote: > On Thu, Jul 3, 2008 at 6:48 PM, Dracul wrote: > > Hi All, > > > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. > I > > cannot seem to make the lightweight AP get an IP address from > > the internal DHCP server of the WLC, let alone have the LW AP be discovered by > the > > 4404. Used Layer 2 and Layer 3 mode already. > > Hi! > > You need to use DHCP option 43 for the access points to realize where > the WLC is. This is described in detail here: > > http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00808714fe.shtml > > -- > Håvard Staub Nyhus > +47 41 88 00 99 > -- === Support www.gawadkalinga.org From chris.garzon at gmail.com Fri Jul 4 09:42:31 2008 From: chris.garzon at gmail.com (Dracul) Date: Fri, 4 Jul 2008 21:42:31 +0800 Subject: [c-nsp] WLC and LWAPP Aps In-Reply-To: <20080703181517.GJ4112@thot.informatik.uni-kl.de> References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> Message-ID: <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com> Additional query. On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer wrote: > On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote: > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131.
> I > > cannot seem to make the lightweight AP get an IP address from > > the internal DHCP server of the WLC, let alone have the LW AP be discovered by > the > > 4404. Used Layer 2 and Layer 3 mode already. > > How about some more details? Are AP and management-if in the same network? > If not, what have you done to make sure that the AP knows where to find it? > If all fails: You can configure the management-if address directly on the > lw-ap command line. > > Ciao > Joerg > -- > Joerg Mayer > We are stuck with technology when what we really want is just stuff that > works. Some say that should read Microsoft instead of technology. > -- === Support www.gawadkalinga.org From pavel.skovajsa at gmail.com Fri Jul 4 09:48:03 2008 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Fri, 4 Jul 2008 15:48:03 +0200 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> Message-ID: <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> There is a secret shutdown procedure but you will have to plug a mouse into the supervisor, and move into the left bottom corner, click Start, then Shutdown :) Just joking, sorry. Pavel On Fri, Jul 4, 2008 at 2:54 PM, Felix Nkansah wrote: > Thanks guys. > > I thought it had some special shutdown procedures or commands. > > Thanks. From mcrocker at crocker.com Fri Jul 4 10:06:05 2008 From: mcrocker at crocker.com (Matthew Crocker) Date: Fri, 4 Jul 2008 10:06:05 -0400 Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> Message-ID: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com> > There is a secret shutdown procedure but you will have to plug a mouse > into the supervisor, and move into left bottom corner, click start, > then shutdown :) > > Just joking, sorry. Of course you are joking, everyone knows it is the UPPER left corner, apple menu -> Shutdown... Start button to shutdown, geeez! From juniper84 at live.com Fri Jul 4 10:25:24 2008 From: juniper84 at live.com (J C) Date: Fri, 4 Jul 2008 11:25:24 -0300 Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP In-Reply-To: References: Message-ID: Anyone?... =) > From: juniper84 at live.com > To: cisco-nsp at puck.nether.net > Date: Fri, 4 Jul 2008 09:10:48 -0300 > Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP > > > I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. > > According to some of the restrictions I've read...the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification. > > Does anyone have any experience with this type of QoS configuration on this product?
From vinny at tellurian.com Fri Jul 4 10:25:56 2008 From: vinny at tellurian.com (Vinny Abello) Date: Fri, 4 Jul 2008 10:25:56 -0400 Subject: [c-nsp] IPv6 Migration with ISIS (was Route Reflector Design) In-Reply-To: References: <20080703.202301.74732300.sthaug@nethelp.no> <38D04BF3A4B7B2499D19EB1DB54285EA07DC1C71@FNB1EX01.gci.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4DF8@exchangenj1> Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E13@exchangenj1> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson > Sent: Friday, July 04, 2008 1:42 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] IPv6 Migration with ISIS (was Route Reflector > Design) > > On Thu, 3 Jul 2008, Vinny Abello wrote: > > > While on this topic, if anyone has figured out a non-disruptive > strategy > > to deploying IPv6 in a core with a mix of Cisco and Foundry routers > > running ISIS, any pointers would be appreciated. Foundry currently > > We had multitopology problems between platforms/vendors as well, we > ended > up "solving" the issue by using OSPFv3 as IPv6 IGP (and ISIS for > IPv4/VPNv4), this gave us a completely different control plane for IPv6 > and pretty much guaranteed to be non-intrusive to devices not running > IPv6 > or needing the information. > > Multitopology ISIS is a great idea and I would really like to run it, > but > it just didn't work with our mix of platforms and vendors. Thanks Mikael. I hadn't considered running OSPFv3 for IPv6. I'll have to see if that is a viable possibility in our network.
Did you run into any challenges in doing this such as administrative distances of the routing protocols and things defaulting to using IPv6 instead of IPv4 or other unexpected results? In theory if you're only doing the IPv6 address family, I wouldn't expect any problems, but firsthand experience is always better than theory. :) By the way, what other vendor's or vendors' equipment were you working with besides Cisco where you had the same ISIS multi-topology challenges? -Vinny From jlarsen at richweb.com Fri Jul 4 10:29:47 2008 From: jlarsen at richweb.com (C. Jon Larsen) Date: Fri, 4 Jul 2008 10:29:47 -0400 (EDT) Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: <486E1761.5010805@networkoblivion.com> References: <486E1761.5010805@networkoblivion.com> Message-ID: Ted, Peder is correct. Cisco bought the company that made the pix (NTI) because NTI was one of the first companies to have a decent working NAT overload implementation. NAT was a big deal back then - around 1995/1996 and Cisco routers did not have NAT in the IOS until 11.2 I think. At that time UUnet and many other SPs were tossing out a full /24 for every t1, but the smaller ISDN and frac t1 based connections started coming with much smaller allocations, and PAT was something everyone (small customers) started wanting badly. There was a smattering of non cisco boxes that could do a little nat, but customers wanted solid state hardware that was easy to configure or at least flexible enough to be able to configure for a variety of wan service offerings - smds, atm, frame, isdn, x.25 was still here and there, and on the lan side decnet, ipx/spx, netbeui etc were still in play. Cisco, Proteon and Wellfleet and 3com to a lesser extent were the big router players but none of them were addressing the emerging NAT market very well. NTI was a small company with good engineers that wrote a custom kernel that did what few others were doing. 
I saw a few customers that actually bought the NTI box or were going to buy the box BEFORE cisco bought NTI. When Cisco bought NTI and threw their marketing behind the PIX, and started pushing it to resellers, it took off because it was a good box that fit a niche market very well. In fact the original NTI boxes were again more of a nat box than a firewall. When you installed a pix you set the screening router (a cisco of course) up as the dmz firewall with its acl capability to protect the dmz hosts and the pix had the outbound nat config and the conduits for the inbound flow to the inside network. The original pixes were pretty limited as a firewall and of course had no capability for a 3rd or 4th interface. They were strictly used for the corporate/inside network interface/connect point. Customers bought PIXes at that time because they were easier than having to figure out how to set up a linux or Sun bastion host / proxy toolkit or fiddle with ipmasq for most companies that did not have in house un*x talent. Customers were running out of IPs to number their PCs (and MACs - remember the need to browse the internet killed appletalk and localtalk) that and the ISPs were not handing them out (/24s) like candy anymore. As far as firewall feature set on a router goes ... I had to laugh. I have always considered that somewhat fiddly / buggy. Good way to make a solid product (a cisco router) into something that needs more attention and is slightly less reliable - especially when implemented on low end hardware like 800s, or 16xx, or 17xx, 2610s, etc. I have seen at least 3 or 4 fw feature set implementations on routers that were backwards - i.e. inspecting traffic in the wrong direction. There is also at least one config for the fwfs on cisco.com's website that has it backwards too that I ran across. As far as cisco discontinuing the pix ?? That's plain wrong.
The PIX lives on, it just has a new name (ASA) so cisco can move upmarket and charge more for the same code base :) Of course the cpus are much faster in the ASA boxes, and it has a more extensible/modular hardware architecture than the pix and you can plug in the IDS/IPS modules, etc. The ASA boxes usually have a celeron cpu in the 2 GHz range whereas the pixes started off as 486 dx2 66MHz chips (yes really, with like 4MB or maybe 8MB of main DRAM) and worked their way up to 300 or 400 MHz PII chips in the beefier models. Cisco has no interest in migrating any customers from PIX/ASA to routers. They want to sell you BOTH and a few Cat switches while they are at it :) And finally, Peder is correct again about the Centri. Centri was a flaming pile of junk. It ran on windows nt server (workstation was also supported I'm pretty sure). Of course it was terrible (the centri) - windows nt was a terrible product that never really did get stable enough for use as a reliable pc server much less as a critical piece of network gear. Centri did have some really "impressive" GUI tools for managing firewall configs. At that time the pix was popular but hard to configure for end customers who typically have net admins on staff and not network engrs (times really have not changed have they :). Customers wanted to manage their own boxes and not have to call an integrator every time an acl needed a tweak. Thus the pretty gui of the Centri appealed (in theory). I never saw one get sold and work though. Couple of demo/evals, and it usually died there in the sales process :) It would have been near impossible for anyone to build a firewall based on windows 3.1 technology. Windows 3.1 did not have a true kernel or built in (native) tcp stack. Remember Chameleon anyone ? trumpet winsock ? Those DOS TSR-based "tcp mini kernels" as they were called were so unstable that a windows 3.1 or 3.11 based firewall would have keeled over the minute it saw real use.
Those stacks were barely functional as a client, much less a server or firewall. I don't remember any vendors coming out with windows based "firewalls" until win nt 4.0. Windows in all its versions just was not stable enough until then and recall that Windows 3.5 and up are not the same product at all as win 3.1. Win 3.1 was 16bit dos with a gui command shell and a gui api. Win 3.5.x and up was Cutler's 32bit rewrite of VAX and Microsoft's first true operating system :) No way would cisco have purchased or built or sold or recommended to clients anything based on win3.1 other than maybe a terminal emulator to attach to a cisco serial console :) I remember a customer that badly wanted to migrate off of netware to "save" licensing $$. Remember this was before CALs and such and windows 3.5.1 was almost free as a network server. They had to boot the 3.5.1 server every night so it would not crash the next day. The netware 3.12 server had been up for like 3-4 years at a time :) On Fri, 4 Jul 2008, Peder @ NetworkOblivion wrote: > What!? The original PIX code was < 500k as the first versions from Network > Translations only had 512k flash modules in them. There is no way that it > was based on Windows, not even 3.1. I think you are thinking of the Centri > (or whatever it was called) that was windows based that they bought many > years ago. I actually worked at Cisco when they bought the PIX and the > Centri and then they killed the Centri shortly thereafter. I think the > Centri ran on Windows 95, but I am not 100% sure as that was 10+ years ago. > > IMO, the reason that so many people use(d) the PIX is that they just work. > You set it up and forget it for two years. You rarely even need to update > the software on it as there are so few bugs that are show stoppers. Now, the > ASA is a different story. There is a lot more stuff in it and hence a lot > more bugs. > > Ted Mittelstaedt wrote: >> Rubbish.
>> >> The reason the PIX doesn't allow Telnet is that the original >> PIX devices were built on a Windows core, Windows 3.1 as I >> believe, with the GUI and most of the command line utilities >> stripped away. Because the PIX was an early out-of-the-hole >> firewall, it captured a customer base of customers who needed >> a firewall but frankly didn't understand much about what they >> needed. i.e.: dumb bunnies in cash-rich organizations willing >> to buy sub-par technology that was hyped up to ridiculous >> amounts. It's an old story in technology. >> >> This was a very valuable customer base which is why Cisco >> purchased the PIX product line. Cisco had little interest >> in the lame firewalling technology of the PIX and has >> spent at least a decade of careful work grooming the PIX >> customers off PIXes and on to Cisco router platforms. To >> accomplish this they were -extraordinarily- careful to >> preserve the PIX interface and limitations over the years. >> But as anyone who works with PIXes knows, Cisco has really >> not improved the basic technology of the PIX over the years. >> >> That is why the current Cisco IOS-based firewalls have >> a firewalling feature set that knocks a PIX into a cocked >> hat. >> >> It is also why Cisco has finally felt comfortable enough >> that they have migrated the PIX customers worth keeping >> over to their own product line, to announce that they were >> discontinuing the PIX product line. As they did recently. >> >> Ted >> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes >>> Sent: Monday, June 30, 2008 5:31 AM >>> To: Joerg Mayer; Aaron R >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >>> >>> >>> I guess it's more as a "working right" educational purpose, so you won't >>> use your firewall as a debugging client.
>>> In newer versions there's the packet tracker that can help you debug >>> connectivity problems. >>> Ziv >>> >>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer >>> Sent: Monday, June 30, 2008 2:21 PM >>> To: Aaron R >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance? >>> >>> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote: >>>> It is disabled as a security feature. I have also wanted to do >>> the same for >>>> troubleshooting purposes. >>> And why exactly is this a security feature? What is the *gain* in >>> security? >>> >>> Ciao >>> Joerg >>> -- >>> Joerg Mayer >>> We are stuck with technology when what we really want is just stuff that >>> works. Some say that should read Microsoft instead of technology. From Michael.Robson at manchester.ac.uk Fri Jul 4 10:39:04 2008 From: Michael.Robson at manchester.ac.uk (Michael Robson) Date: Fri, 4 Jul 2008 15:39:04 +0100 Subject: [c-nsp] Default-Information Originate supplemental question References: Message-ID: Guys, thanks for the clarification; but now further questions leading on from this. My understanding is that by default (without overriding) if you are redistributing routes from BGP into OSPF on the router and some routes have been learned via iBGP, then these iBGP-learned routes will not be advertised since it is an IGP->IGP exchange (which might cause loops). Following from this, since as I understand it, "the default-information originate" command is a special case variant of the redistribute command, then the default route, by default, will not be injected into OSPF if it had been learned via iBGP - correct? If this is the case, then if you have the situation on a router where there are 2 default routes being learned, one via iBGP and one via eBGP and the _iBGP_ route is preferred over the eBGP (e.g.
it has a lower MED value), then would the lesser preferred route be injected since the other cannot be by default, or would neither be injected because the preferred default route has been learned via iBGP?

Finally (phew), can anyone give a possible explanation as to why none of our eBGP-learned routes have an origin type of e (i.e. they are all of type i)?

Thanks,
Michael
--

From vinny at tellurian.com Fri Jul 4 10:47:03 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 10:47:03 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E1761.5010805@networkoblivion.com>
References: <486E1761.5010805@networkoblivion.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peder @ NetworkOblivion
> Sent: Friday, July 04, 2008 8:28 AM
> To: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> What!? The original PIX code was < 500k as the first versions from
> Network Translations only had 512k flash modules in them. There is no
> way that it was based on Windows, not even 3.1. I think you are
> thinking of the Centri (or whatever it was called) that was windows
> based that they bought many years ago. I actually worked at Cisco when
> they bought the PIX and the Centri and then they killed the Centri
> shortly thereafter. I think the Centri ran on Windows 95, but I am not
> 100% sure as that was 10+ years ago.
>
> IMO, the reason that so many people use(d) the PIX is that they just
> work. You set it up and forget it for two years. You rarely even need
> to update the software on it as there are so few bugs that are show
> stoppers. Now, the ASA is a different story. There is a lot more stuff
> in it and hence a lot more bugs.
I definitely agree with the "just work" statement, but there are some issues we've run into with the PIX that don't exist on the ASA. We use hundreds of Cisco PIX and ASA devices for our customers. In our experience, the ASA is far superior in features, in the verbosity of information it presents to you, and in flexibility. I think we had one customer hit by a show stopper bug that was a memory leak in the ASA which was triggered by a lot of web traffic. I think that was fixed in 7.2.3. We actually experienced quite a large show stopper bug on the PIX 6.3.5 code which still exists, causing the PIX to crash. It was related to a large number of VPN connections changing state, if I recall. We had to get an interim build from Cisco of 6.3.5.xxx to fix this.

We mainly run 7.2.4 and 8.0.3 on the ASA (8.0.3 if we want AnyConnect). They work pretty well, although I'm leery of 8.x code still and noticed the ASA 5505 on 8.0.3 has an unusually high CPU load when doing nothing.

Whenever I assist someone with troubleshooting a VPN issue or something else on a Cisco security device, my first question is if we're working with a PIX or ASA... If it's a PIX my usual response is ugh... If it's ASA I cheer in my head. :) The ASA is much easier to troubleshoot and is more predictable and IOS like.

PIX 6.3.5 also has an issue sometimes with creating new VPN tunnels and the access-list you create not being recognized, resulting in ACL deny messages in debug. Workarounds include reapplying the crypto map (not recommended as it's disruptive), rebooting, or a trick we found by adding an additional line to the access list then removing it. Odd, I know, but it works every time. I think it actually is a result of the order all the commands are entered, but I never tracked it down specifically. The ASA doesn't appear to have this glitch.
Also, minus the added hardware in the ASA which handles things like SSL VPNs and the other optional hardware options, you can run the same code (not image, but code) on the PIX 515 and higher models that the ASA devices run (7.x and 8.x), providing you have enough memory. So when saying ASA above I'm also referring to the PIX on 7.x or 8.x code. When it comes down to it, they're all just little PCs with flash for the OS, Intel NICs and Intel processors. The modern ones are anyway... I know the older PIX models really resembled a PC, having a floppy drive for recovery purposes and everything. I never worked much with those, however.

-Vinny

From justin at justinshore.com Fri Jul 4 10:53:19 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 04 Jul 2008 09:53:19 -0500
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>
References: <486C07B5.2090705@justinshore.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405ACE7D4@xmb-ams-333.emea.cisco.com>
Message-ID: <486E395F.8040009@justinshore.com>

Oliver Boehmer (oboehmer) wrote:
>> On each border router we also have a static default route pointed to
>> the physical interface of the upstream peers (which if memory serves
>> me correctly that's a bad idea because it causes an ARP to be sent for
>> every flow that requires that specific route).
>
> right, if this is not a p2p interface. So a very bad idea..

So if I have a static default I should aim it at the other side's interface IP, correct? I don't believe I need the static overall but it would be good to know anyway.

>> and core for any routes that aren't in the borders' RIB. This would
>> mainly be BOGONs and other non-routable space that we use internally
>> (so it may not be a real problem).
>
> and, in addition, such packets should not show up on your borders unless
> you have downstream peers/customers on the borders as well and they
> point a default towards you.
Right, so I'm not sure if I really need it at all. I've begun distributing BOGONs around the network with my RTBH, at least but the martians that the IOS freaks out over. I would hope that I can block most of it on the edges but of course I can't guarantee that at this time. So this may not be a big issue anyway.

>> In theory I shouldn't ever have to rely
>> on a default route to my upstreams thanks to my full tables. I'm also
>> concerned with how this may affect my uRPF and RTBH setup. Would this
>> catchall route nullify the effect of an iBGP-learned null-route from my
>> RTBH setup?
>
> Well, if your current static default doesn't affect your uRPF and RTBH
> setup, why would a dynamic default do?

Um, good point. That one escaped me. So if I'm thinking about this correctly, uRPF won't be harmed by the existence of a static default or a dynamic default.

> IS-IS doesn't have something like OSPF's "distribute-list in" to filter
> routes from being entered into the RIB, but you can use the "distance"
> command to achieve something similar:

A distribute-list would be a handy solution.

> access-list 10 permit 0.0.0.0
> router isis
>  distance 255 0.0.0.0 255.255.255.255 10
>
> this will assign distance 255 to the default-route (originated by
> whatever neighbor), and 255 will suppress installation into the RIB.

I never thought of using distance in that manner. That just might work!

> Or you originate a default in iBGP and run your access nodes with a
> limited BGP table only.

I had been thinking about this, trying to decide pros and cons. My access edges are each in their own route-reflector cluster with the 2 cores and the RTBH trigger server. Convergence and recovery speed might be an issue I suppose. I'll have to kick that around some more.

Thanks for the info.
Have a great holiday
Justin

From sam_mailinglists at spacething.org Fri Jul 4 10:58:16 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 15:58:16 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1>
Message-ID: <486E3A88.1070704@spacething.org>

Vinny Abello wrote:
> Also, minus the added hardware in the ASA which handles things like SSL VPN's and the other optional hardware options, you can run the same code (not image, but code) on the PIX 515 and higher models that the ASA devices run (7.x and 8.x), providing you have enough memory. So when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
>

My understanding is that the 7.x code is the same on the PIXes and the ASA; but version 8.x on the ASA is a rewrite built on top of a Linux kernel, whereas 8.x is still based on the old code.

Sam

From vinny at tellurian.com Fri Jul 4 11:08:44 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 11:08:44 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E3A88.1070704@spacething.org>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1> <486E3A88.1070704@spacething.org>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E16@exchangenj1>

> -----Original Message-----
> From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
> Sent: Friday, July 04, 2008 10:58 AM
> To: Vinny Abello
> Cc: Peder @ NetworkOblivion; cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> Vinny Abello wrote:
> > Also, minus the added hardware in the ASA which handles things like
> > SSL VPN's and the other optional hardware options, you can run the same
> > code (not image, but code) on the PIX 515 and higher models that the
> > ASA devices run (7.x and 8.x), providing you have enough memory. So
> > when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
> >
>
> My understanding is that the 7.x code is the same on the PIXes and the
> ASA; but version 8.x on the ASA is a rewrite built on top of a Linux
> kernel, whereas 8.x is still based on the old code.

You're saying 8.x on the ASA runs atop a Linux kernel whereas 8.x on the PIX is still based on the same 7.x kernel that both the ASA and PIX use in that version? I hadn't heard nor have I seen anything to indicate that, but it's definitely possible... and interesting. Does anyone have any references that confirm this? Maybe that's why my CPU looks so different on the 5505 on 8.x.

-Vinny

From Robert.Smales at cw.com Fri Jul 4 11:12:11 2008
From: Robert.Smales at cw.com (Smales, Robert)
Date: Fri, 4 Jul 2008 16:12:11 +0100
Subject: [c-nsp] Strange behavior in a Cisco CPE
In-Reply-To: <4FA21019-9272-43C4-A000-7B7C6A9CFD9F@i2bnetworks.com>
Message-ID: <602ACF092EFFB044931BD8746C19AD2F081AEB@gbcwswiem006.ad.plc.cwintra.com>

Troy Beisigl wrote:
> We are seeing some really strange behavior on a Cisco 1721 CPE. It
> acts like we are having a connectivity problem with packet loss or
> very high latency. There is about 86Kbps to 350Kbps of traffic on it.
> It has a WIC-1DSU-T1 card and is doing just basic static routes with a
> Full T1. There are no errors on the T1. If I log into the router and
> try to send say 1000 icmp packets to something on the other end of the
> T1, it will go for a few packets and then pause for about 15 to 20
> seconds before continuing right where it stopped. It never drops any
> packets, just freezes and then continues. It does this about every
> minute or 2.
> Has anyone seen this before?

How are you accessing the router? If you are telnetting in remotely, it could be that what you are seeing are delays in the information being transmitted from the router to your terminal, rather than delay in the router transmitting the icmp packets to the destination. Just a thought.

Robert

Robert Smales
IP Provide Engineer
Cable&Wireless Europe, Asia & US
www.cw.com

This e-mail has been scanned for viruses by the Cable & Wireless e-mail security system - powered by MessageLabs. For more information on a proactive managed e-mail security service, visit http://www.cw.com/uk/emailprotection/

The information contained in this e-mail is confidential and may also be subject to legal privilege. It is intended only for the recipient(s) named above. If you are not named above as a recipient, you must not read, copy, disclose, forward or otherwise use the information contained in this email. If you have received this e-mail in error, please notify the sender (whose contact details are above) immediately by reply e-mail and delete the message and any attachments without retaining any copies.

Cable and Wireless plc Registered in England and Wales. Company Number 238525 Registered office: 3rd Floor, 26 Red Lion Square, London WC1R 4HQ

From vinny at tellurian.com Fri Jul 4 11:12:18 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Fri, 4 Jul 2008 11:12:18 -0400
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E3A88.1070704@spacething.org>
References: <486E1761.5010805@networkoblivion.com> <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E14@exchangenj1> <486E3A88.1070704@spacething.org>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF056461D8F4E17@exchangenj1>

> -----Original Message-----
> From: Sam Stickland [mailto:sam_mailinglists at spacething.org]
> Sent: Friday, July 04, 2008 10:58 AM
> To: Vinny Abello
> Cc: Peder @ NetworkOblivion; cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
> Vinny Abello wrote:
> > Also, minus the added hardware in the ASA which handles things like
> > SSL VPN's and the other optional hardware options, you can run the same
> > code (not image, but code) on the PIX 515 and higher models that the
> > ASA devices run (7.x and 8.x), providing you have enough memory. So
> > when saying ASA above I'm also referring to the PIX on 7.x or 8.x code.
> >
>
> My understanding is that the 7.x code is the same on the PIXes and the
> ASA; but version 8.x on the ASA is a rewrite built on top of a Linux
> kernel, whereas 8.x is still based on the old code.

Ahh, I just found that this is indeed true.

"Beginning with version PIX OS version 8.x, the codes diverge, with the ASA using a Linux kernel and PIX continuing to use the traditional Finesse/PIX OS combination."

This is taken from Wikipedia:
http://en.wikipedia.org/wiki/Cisco_ASA_5500_Series_Adaptive_Security_Appliances

With references to Cisco's open source licensing in 8.x on the ASA.

-Vinny

From gulerozgur at yahoo.co.uk Fri Jul 4 11:14:08 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Fri, 4 Jul 2008 15:14:08 +0000 (GMT)
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
Message-ID: <342155.63869.qm@web25507.mail.ukl.yahoo.com>

Can't you simply match the exp bit with explicit-null on egress PE? Why do you need the qos-group?

Cheers
Ozgur

--- On Fri, 4/7/08, J C wrote:

From: J C
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
To: cisco-nsp at puck.nether.net
Date: Friday, 4 July, 2008, 1:10 PM

I'm in the midst of configuring a number of 7600 switches and I'm running into an issue where I'm unable to successfully have Pipe Mode with an Explicit NULL working correctly. According to some of the restrictions I've read... the 'set qos-group' and 'set discard-class' commands are not supported in the 12.2SR IOS. In previous configurations with Pipe Mode with Explicit Null I've used these two commands to preserve the classification.
Does anyone have any experience with this type of QoS configuration on this product?

From mark at noc.mainstreet.net Fri Jul 4 10:47:12 2008
From: mark at noc.mainstreet.net (Mark Kent)
Date: Fri, 4 Jul 2008 07:47:12 -0700 (PDT)
Subject: [c-nsp] Shutting Down Catalyst 6509
In-Reply-To: (cisco-nsp-request@puck.nether.net)
Message-ID: <200807041447.m64ElC2B025946@mainstreet.net>

>> My concern is 'how do I shut the switch down'?

In addition to the "turn it off" replies, if you wanted to be super-careful you could:

a) wr in the msfc
b) from the fwsm system context, "wr mem all", then force a fail-over to the other 6509/fwsm you have (you do have another, right?).
c) Do "no power enable module 1" (replace 1 with the actual slot number).
d) Repeat b+c for any other FWSM/ACE modules.
e) remove power

-mark

From peter at rathlev.dk Fri Jul 4 11:37:15 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 17:37:15 +0200
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
Message-ID: <1215185835.32230.4.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 10:06 -0400, Matthew Crocker wrote:
> > There is a secret shutdown procedure but you will have to plug a mouse
> > into the supervisor, and move into left bottom corner, click start,
> > then shutdown :)
> >
> > Just joking, sorry.
>
> Of course you are joking, everyone knows it is the UPPER left corner,
> apple menu -> Shutdown... Start button to shutdown, geeez!

No no no, it's the upper RIGHT corner, where everybody sane places the XFCE system menu. The Ca6500 runs Linux/XFCE, only the 7600s run OS X. :-)

Anyway, it would be nice with a "graceful shutdown" for the whole box. Things like letting the routing protocols converge before the router shuts interfaces and such things. Are there any other ways than some TCL for this?

Regards,
Peter

From juniper84 at live.com Fri Jul 4 11:52:55 2008
From: juniper84 at live.com (J C)
Date: Fri, 4 Jul 2008 12:52:55 -0300
Subject: [c-nsp] Pipe Mode with an Explicit NULL LSP
In-Reply-To: <342155.63869.qm@web25507.mail.ukl.yahoo.com>
References: <342155.63869.qm@web25507.mail.ukl.yahoo.com>

Those two commands that I listed were required (as far as I know) in configuring an end-to-end solution for Pipe Mode w/ Explicit Null. The 'set qos-group' and/or 'set discard-class' command(s) were used on the Egress PE link to capture the QoS settings from the MPLS EXP value that would have been lost on the final pop.
The issue I'm having right now is that I'm not seeing any matches on my 'match mpls experimental topmost' policy-maps.

CPE
------------
class-map match-any TEST
 match access-group 1

access-list 1 permit 192.168.1.0 0.0.0.255

policy-map TEST
 class TEST
  set mpls experimental imposition 5

interface Fa0/0
 ip address 192.168.1.1 255.255.255.0
 service-policy TEST input

interface Fa0/1
 ip address 172.31.1.1 255.255.255.0
 mpls ip encapsulate explicit-null

*A 'show policy-map interface Fa0/0' verifies that traffic is being 'marked' with MPLS EXP 5.

7600-PE
-----------
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 500
 switchport trunk allowed vlan 500
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 no snmp trap link-status
 mls qos trust dscp

interface Vlan500
 description Test-Site#1
 ip vrf forwarding TEST
 ip address 172.31.1.2 255.255.255.0
 load-interval 30
 mpls ip

I've tried placing a variety of policy-maps on both interface Gi1/1 and Vlan 500 to determine if the MPLS bits are carrying through to the PE. So far nothing. The backbone egress policy map on the TenGigabitEthernet interface shows that my test traffic is flowing through matching class-default; so I know that traffic isn't getting matched.

Is it possible that the 7600-PFC3C doesn't support Pipe Mode with Explicit Null LSP... and that it just supports Short Pipe, Pipe Mode and Uniform mode? After reading the documentation on the PFC I don't see any mention of Pipe mode with Explicit Null.

Date: Fri, 4 Jul 2008 15:14:08 +0000
From: gulerozgur at yahoo.co.uk
Subject: Re: [c-nsp] Pipe Mode with an Explicit NULL LSP
To: cisco-nsp at puck.nether.net; juniper84 at live.com

Can't you simply match the exp bit with explicit-null on egress PE? Why do you need the qos-group?
Cheers
Ozgur

From peter at rathlev.dk Fri Jul 4 12:08:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 18:08:31 +0200
Subject: [c-nsp] Default-Information Originate supplemental question
Message-ID: <1215187711.32230.22.camel@svesken.sys.mjna.net>

Hi Michael,

I'm not too strong on redistributing, but have some general comments regarding the BGP part. I hope someone else will correct me if I'm wrong here.
On Fri, 2008-07-04 at 15:39 +0100, Michael Robson wrote:
> Guys, thanks for the clarification; but now further questions leading
> on from this. My understanding is that by default (without overriding)
> if you are redistributing routes from BGP into OSPF on the router and
> some routes have been learned via iBGP, then these iBGP-learned
> routes will not be advertised since it is an IGP->IGP exchange (which
> might cause loops). Following from this, since as I understand it,
> "the default-information originate" command is a special case variant
> of the redistribute command,

The "default-information originate" does not redistribute anything in itself. Focus on the "originate" part -- if this BGP speaker knows a "default" (not from BGP) and the default is lifted into BGP (via "network 0.0.0.0" or some kind of redistribution) the BGP speaker will only actually tell its neighbors about it if it can "originate" the default.

> then the default route, by default, will
> not be injected into OSPF if it had been learned via iBGP - correct?

Your redistribution is not related to whether or not the box originates a default. In order for BGP to originate a default, it has to have the default from somewhere else, like an IGP or a static route. The "default-information originate" just allows a 0/0 route to be announced via BGP, which by default will not happen.

If a box learns the default via BGP (e.g. from a BGP neighbor with "default-information originate") and you unconditionally redistribute everything to some OSPF process, I think this process will get the default, "originate" or not. And a BGP speaker will relay a default also without the "originate" command, since it doesn't _originate_ the route.

> If this is the case, then if you have the situation on a router where
> there are 2 default routes being learned, one via iBGP and one via
> eBGP and the _iBGP_ route is preferred over the eBGP (e.g.
> it has a
> lower MED value), then would the lesser preferred route be injected
> since the other cannot be by default, or would neither be injected
> because the preferred default route has been learned via iBGP?

That may be a good question, but it sounds like a dangerous thing to try. :-) Do you need this redistribution from BGP to your IGP? Are you using synchronization?

> Finally (phew), can anyone give a possible explanation as to why none
> of our eBGP-learned routes have an origin type of e (i.e. they are all
> of type i)?

Origin "e" is "EGP", a legacy protocol (probably) not used anymore. So either you have "?" (incomplete, e.g. redistributed routes) or "i" (IGP, e.g. "network" statements).

Regards,
Peter

From sam_mailinglists at spacething.org Fri Jul 4 12:52:08 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 17:52:08 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
Message-ID: <486E5538.9030005@spacething.org>

Guys,

Maybe I'm going a little code-blind here.

Ports Fa0/1.161, Fa0/1.162 and Se0/0/0.10 are all members of the same IEEE bridge-group.

The port path cost on all three interfaces is the same, but I've set the priority of the Serial interface port to be 144.

How come the Se0/0/0.10 is still forwarding? What am I missing?
R1#sh spanning-tree

 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0013.8050.b191
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 10, address 0019.aa7f.3480
  Root port is 28 (Serial0/0/0.10), cost of root path is 685
  Topology change flag not set, detected flag not set
  Number of topology changes 21 last change occurred 00:22:10 ago
          from FastEthernet0/1.161
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.26.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32929, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 5, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 4700

 Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.27.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32930, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 6, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 4690

 Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
   Port path cost 647, Port priority 144, Port Identifier 144.28.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32768, address 0016.4699.0509
   Designated port id is 128.21, designated path cost 38
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 470, received 9930

Sam

From sam_mailinglists at spacething.org Fri Jul 4 13:17:19 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 18:17:19 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <486E5B1F.9030903@spacething.org>

Apologies, I pasted some info where the path costs didn't total up to be the same. Here's the correct one.

The total path cost is 723 on every interface, the port priority on the Serial interface is higher.

The only logical conclusion appears to be that it's comparing the bridge IDs before the port priority? Isn't this supposed to be the other way around?

Sam

R1#sh spanning-tree

 Bridge group 10 is executing the ieee compatible Spanning Tree protocol
  Bridge Identifier has priority 32768, address 0013.8050.b191
  Configured hello time 2, max age 20, forward delay 15
  Current root has priority 10, address 0019.aa7f.3480
  Root port is 28 (Serial0/0/0.10), cost of root path is 723
  Topology change flag not set, detected flag not set
  Number of topology changes 23 last change occurred 00:05:20 ago
          from FastEthernet0/1.161
  Times:  hold 1, topology change 35, notification 2
          hello 2, max age 20, forward delay 15
  Timers: hello 0, topology change 0, notification 0, aging 300

 Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.26.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32929, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 5, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 863, received 5326

 Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
   Port path cost 647, Port priority 128, Port Identifier 128.27.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32930, address 0019.aab4.f700
   Designated port id is 112.3, designated path cost 76
   Timers: message age 6, forward delay 0, hold 0
   Number of transitions to forwarding state: 2
   BPDU: sent 862, received 5314

 Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
   Port path cost 685, Port priority 144, Port Identifier 144.28.
   Designated root has priority 10, address 0019.aa7f.3480
   Designated bridge has priority 32768, address 0016.4699.0509
   Designated port id is 128.21, designated path cost 38
   Timers: message age 3, forward delay 0, hold 0
   Number of transitions to forwarding state: 3
   BPDU: sent 471, received 11176

From david.freedman at uk.clara.net Fri Jul 4 13:37:58 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 04 Jul 2008 18:37:58 +0100
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To: <486C07B5.2090705@justinshore.com>
References: <486C07B5.2090705@justinshore.com>

> On each border router we also have a static default route pointed to the
> physical interface of the upstream peers

Can't you get them to originate you a default via BGP?
From peter at rathlev.dk Fri Jul 4 13:23:39 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 19:23:39 +0200
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <1215192219.1142.5.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 17:52 +0100, Sam Stickland wrote:
> Guys,
>
> Maybe I'm going a little code-blind here.
>
> Ports Fa0/1.161, Fa0/1.162 and Se0/0/0.10 are all members of same IEEE
> bridge-group.
>
> The port path cost on all three interfaces is the same, but I've set the
> priority of the Serial interface port to be 144.
>
> How come the Se0/0/0.10 is still forwarding? What am I missing?
>
> R1#sh spanning-tree
>
> Bridge group 10 is executing the ieee compatible Spanning Tree protocol
>  Bridge Identifier has priority 32768, address 0013.8050.b191
>  Configured hello time 2, max age 20, forward delay 15
>  Current root has priority 10, address 0019.aa7f.3480
>  Root port is 28 (Serial0/0/0.10), cost of root path is 685
>  Topology change flag not set, detected flag not set
>  Number of topology changes 21 last change occurred 00:22:10 ago
>          from FastEthernet0/1.161
>  Times:  hold 1, topology change 35, notification 2
>          hello 2, max age 20, forward delay 15
>  Timers: hello 0, topology change 0, notification 0, aging 300
>

According to the output above Se0/0/0.10 is the root port, which will never be blocking. You don't state what's beyond these three ports, but if Se0/0/0.10 is the only path towards the root, it will never block, no matter how you set cost or priority.

Since the other ports are blocking, they are probably all paths towards the root. The port cost is 38 for Se0/0/0.10 and 76 for Fa0/1.161 and Fa0/1.162, so even if all ports went to the same device, Se0/0/0.10 would be preferred because of a lower cost.
Regards,
Peter

From peter at rathlev.dk Fri Jul 4 13:30:28 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 04 Jul 2008 19:30:28 +0200
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5B1F.9030903@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org>
Message-ID: <1215192628.1142.9.camel@svesken.sys.mjna.net>

On Fri, 2008-07-04 at 18:17 +0100, Sam Stickland wrote:
> Apologies I pasted some info where the path costs didn't total up to be
> the same. Here's the correct one.

Well, I jumped up and answered wrongly then. ;-)

> The total path cost is 723 on every interface, the port priority on the
> Serial interface is higher.
>
> The only logical conclusion appears to be that it's comparing the bridge
> IDs before the port priority? Isn't this supposed to be the other way
> around?

Isn't port priority the last thing the Spanning Tree Algorithm looks at? AFAIK the selection of root port should be, in order: Root Bridge ID, Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is Port Priority and Port Index.

Are the three ports all pointing towards the root bridge?

Regards,
Peter

From david.freedman at uk.clara.net Fri Jul 4 13:46:24 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 04 Jul 2008 18:46:24 +0100
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To:
References: <486C07B5.2090705@justinshore.com>
Message-ID:

And of course *carefully* redistribute this into IS-IS until you've migrated away from customer routes in the IS-IS.

David Freedman wrote:
>> On each border router we also have a static default route pointed to the
>> physical interface of the upstream peers
>
> Can't you get them to originate you a default via BGP?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From sam_mailinglists at spacething.org Fri Jul 4 14:06:23 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 19:06:23 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <1215192628.1142.9.camel@svesken.sys.mjna.net>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net>
Message-ID: <486E669F.6000006@spacething.org>

Peter Rathlev wrote:
>
> Isn't port priority the last thing the Spanning Tree Algorithm looks at?
> AFAIK the selection of root port should be, in order: Root Bridge ID,
> Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
> Port Priority and Port Index.
>
> Are the three ports all pointing towards the root bridge?
>

Yes, all three ports are pointing towards the root. You are right, I had remembered the order wrong. At least something like this causes it to sink in. (I would test it but I'm having trouble convincing one of the other routers to change its bridge identifier on the BVI :| )

Sam

From sam_mailinglists at spacething.org Fri Jul 4 14:18:05 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Fri, 04 Jul 2008 19:18:05 +0100
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E669F.6000006@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net> <486E669F.6000006@spacething.org>
Message-ID: <486E695D.3010401@spacething.org>

Sam Stickland wrote:
> Peter Rathlev wrote:
>>
>> Isn't port priority the last thing the Spanning Tree Algorithm looks at?
>> AFAIK the selection of root port should be, in order: Root Bridge ID,
>> Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
>> Port Priority and Port Index.
>>
>> Are the three ports all pointing towards the root bridge?
>>
> Yes, all three ports are pointing towards the root. You are right, I
> had remembered the order wrong. At least something like this causes it
> to sink in. (I would test it but I'm having trouble convincing one of
> the other routers to change its bridge identifier on the BVI :| )
>

Well I finally convinced the router to change its bridge id (had to change the mac-address on all physical interfaces - even those not in the bridge group!), but I still don't see the result I'd expect:

R1#sh spanning-tree

Bridge group 10 is executing the ieee compatible Spanning Tree protocol
Bridge Identifier has priority 32768, address 0013.8050.b191
Configured hello time 2, max age 20, forward delay 15
Current root has priority 10, address 0019.aa7f.3480
Root port is 28 (Serial0/0/0.10), cost of root path is 723
Topology change flag not set, detected flag not set
Number of topology changes 34 last change occurred 00:02:09 ago
from FastEthernet0/1.161
Times: hold 1, topology change 35, notification 2
hello 2, max age 20, forward delay 15
Timers: hello 0, topology change 0, notification 0, aging 300

Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
Port path cost 647, Port priority 128, Port Identifier 128.26.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32929, address 0019.aab4.f700
Designated port id is 112.3, designated path cost 76
Timers: message age 6, forward delay 0, hold 0
Number of transitions to forwarding state: 6
BPDU: sent 870, received 7351

Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
Port path cost 647, Port priority 128, Port Identifier 128.27.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32930, address 0019.aab4.f700
Designated port id is 112.3, designated path cost 76
Timers: message age 5, forward delay 0, hold 0
Number of transitions to forwarding state: 2
BPDU: sent 862, received 7330

Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
Port path cost 685, Port priority 144, Port Identifier 144.28.
Designated root has priority 10, address 0019.aa7f.3480
Designated bridge has priority 32768, address 0055.aa7f.3480
Designated port id is 128.20, designated path cost 38
Timers: message age 4, forward delay 0, hold 0
Number of transitions to forwarding state: 6
BPDU: sent 552, received 14515

From r.engehausen at gmail.com Fri Jul 4 14:24:56 2008
From: r.engehausen at gmail.com (Roy)
Date: Fri, 04 Jul 2008 11:24:56 -0700
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E5538.9030005@spacething.org>
References: <486E5538.9030005@spacething.org>
Message-ID: <486E6AF8.6090502@gmail.com>

I think the "designated path cost" of the serial link is the lowest. The path cost is the sum of the costs of the complete path to the root bridge. Does the serial port have the shortest path?
You need to increase the cost of the serial line until its total path cost is greater than the ethernet ports'.

Roy

From rbf+cisco-nsp at panix.com Fri Jul 4 14:38:58 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Fri, 4 Jul 2008 13:38:58 -0500
Subject: [c-nsp] Quick spanning-tree and bridge-group question
In-Reply-To: <486E695D.3010401@spacething.org>
References: <486E5538.9030005@spacething.org> <486E5B1F.9030903@spacething.org> <1215192628.1142.9.camel@svesken.sys.mjna.net> <486E669F.6000006@spacething.org> <486E695D.3010401@spacething.org>
Message-ID: <20080704183858.GA13685@panix.com>

On Fri, Jul 04, 2008 at 07:18:05PM +0100, Sam Stickland wrote:
> Sam Stickland wrote:
> >Peter Rathlev wrote:
> >>
> >>Isn't port priority the last thing the Spanning Tree Algorithm looks at?
> >>AFAIK the selection of root port should be, in order: Root Bridge ID,
> >>Port Path Cost, Sending Bridge ID and at last Sending Port ID, which is
> >>Port Priority and Port Index.
> >>
> >>Are the three ports all pointing towards the root bridge?
> >>
> >Yes, all three ports are pointing towards the root. You are right, I
> >had remembered the order wrong. At least something like this causes it
> >to sink in. (I would test it but I'm having trouble convincing one of
> >the other routers to change its bridge identifier on the BVI :| )
> >
> Well I finally convinced the router to change its bridge id (had to
> change the mac-address on all physical interfaces - even those not in
> the bridge group!), but I still don't see the result I'd expect:

Bridge Priority is part of the Bridge ID comparison. Your path costs are equal, so bridge priority gets compared next. 32768 is the smallest of the three, so that path wins.

You didn't need to convince the router to change the MAC address it used for the Bridge ID -- just increasing its priority setting would have made it less preferred.
(If you make it higher than 32929, then FA0/1.161 will become the root port and transition to forwarding.)

Assuming an IOS router and a bridge group:
bridge X priority 32391

> R1#sh spanning-tree
>
> Bridge group 10 is executing the ieee compatible Spanning Tree protocol
> Bridge Identifier has priority 32768, address 0013.8050.b191
> Configured hello time 2, max age 20, forward delay 15
> Current root has priority 10, address 0019.aa7f.3480
> Root port is 28 (Serial0/0/0.10), cost of root path is 723
> Topology change flag not set, detected flag not set
> Number of topology changes 34 last change occurred 00:02:09 ago
> from FastEthernet0/1.161
> Times: hold 1, topology change 35, notification 2
> hello 2, max age 20, forward delay 15
> Timers: hello 0, topology change 0, notification 0, aging 300
>
> Port 26 (FastEthernet0/1.161) of Bridge group 10 is blocking
> Port path cost 647, Port priority 128, Port Identifier 128.26.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32929, address 0019.aab4.f700
> Designated port id is 112.3, designated path cost 76
> Timers: message age 6, forward delay 0, hold 0
> Number of transitions to forwarding state: 6
> BPDU: sent 870, received 7351
>
> Port 27 (FastEthernet0/1.162) of Bridge group 10 is blocking
> Port path cost 647, Port priority 128, Port Identifier 128.27.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32930, address 0019.aab4.f700
> Designated port id is 112.3, designated path cost 76
> Timers: message age 5, forward delay 0, hold 0
> Number of transitions to forwarding state: 2
> BPDU: sent 862, received 7330
>
> Port 28 (Serial0/0/0.10) of Bridge group 10 is forwarding
> Port path cost 685, Port priority 144, Port Identifier 144.28.
> Designated root has priority 10, address 0019.aa7f.3480
> Designated bridge has priority 32768, address 0055.aa7f.3480
> Designated port id is 128.20, designated path cost 38
> Timers: message age 4, forward delay 0, hold 0
> Number of transitions to forwarding state: 6
> BPDU: sent 552, received 14515

-- Brett

From justin at justinshore.com Sat Jul 5 02:25:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 05 Jul 2008 01:25:31 -0500
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
Message-ID: <486F13DB.80708@justinshore.com>

Felix Nkansah wrote:
> Thanks guys.
>
> I thought it has some special shutdown procedures or commands.

Some of the linecards should be commanded to shutdown prior to cutting power to the chassis. Interface linecards aren't a concern but those that have special functions are essentially servers on linecards. IDSM2, FWSMs, ACEs, SLBs, and the WebVPN module I believe are examples of linecards that should be told to shutdown gracefully before cutting off power to the chassis. Figure out which modules are in what slot with 'show module' and then use 'hw-module module X shutdown' to shutdown the appropriate modules. 'show module' will tell you when the linecard is offline.

Justin

From avayner at cisco.com Sat Jul 5 04:21:01 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 5 Jul 2008 10:21:01 +0200
Subject: [c-nsp] Ideal LNS/LAC Router
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501910BF9@xmb-ams-331.emea.cisco.com>

Kris,

For short term (or lower scale) solutions, you should be looking at 7201. The 7201 is a NPE-G2 in 1RU format, like the 7301 is a 1RU format of the NPE-G1. The extra bonus on 7201 (except more CPU power) is a 4th GigE port allowing easier redundant topologies...
For longer term (or large scale) solutions, I would suggest you take a look at ASR1000.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy
Sent: Thursday, July 03, 2008 04:07 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Ideal LNS/LAC Router

Hi,

Currently we are using 7301's for LAC/LNS purposes and was wondering what is the next platform that we should be looking to move towards.

--
Kind Regards,
Kris Amy

From risnaini at indo.net.id Sat Jul 5 04:09:03 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Sat, 05 Jul 2008 15:09:03 +0700
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <323aca890807040648i3ec8e427u86e01ef476aa798d@mail.gmail.com> <762A2E44-473A-417F-86D7-145C1857ED58@crocker.com>
Message-ID: <486F2C1F.2080100@indo.net.id>

Mine is at the upper right corner, I just moved my Bar :)

a. r.i. rangkayo sutan

Matthew Crocker wrote:
>> There is a secret shutdown procedure but you will have to plug a mouse
>> into the supervisor, and move into left bottom corner, click start,
>> then shutdown :)
>>
>> Just joking, sorry.
>
> Of course you are joking, everyone knows it is the UPPER left corner,
> apple menu -> Shutdown... Start button to shutdown, geeez!
From sam_mailinglists at spacething.org Sat Jul 5 05:39:04 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Sat, 05 Jul 2008 10:39:04 +0100
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <486F13DB.80708@justinshore.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <486F13DB.80708@justinshore.com>
Message-ID: <486F4138.50808@spacething.org>

Justin Shore wrote:
> Felix Nkansah wrote:
>> Thanks guys.
>>
>> I thought it has some special shutdown procedures or commands.
>
> Some of the linecards should be commanded to shutdown prior to cutting
> power to the chassis. Interface linecards aren't a concern but those
> that have special functions are essentially servers on linecards.
> IDSM2, FWSMs, ACEs, SLBs, and the WebVPN module I believe are examples
> of linecards that should be told to shutdown gracefully before cutting
> off power to the chassis. Figure out which modules are in what slot
> with 'show module' and then use 'hw-module module X shutdown' to
> shutdown the appropriate modules. 'show module' will tell you when
> the linecard is offline.

I nearly replied to this thread sooner, because I'd always been told to shut down the FWSMs gracefully before pulling the power. But when I googled it I couldn't actually find anything to support this. The closest I could find was from the FWSM FAQ at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item09186a00801e9e26.shtml which states:

Q. The FWSM has a label that states, "Do not remove card while status light is green or disk corruption may occur." What does this mean?

A.
The firewall module should be removed only after you disable power using one of these methods. (There is no preference for a particular method.)

* Use the command-line interface (CLI) of the switch and issue one of these commands.
  o CatOS - set module power down mod
  o Cisco IOS Software - no power enable module slot
* Press the shutdown button on the blade.
* Physically power down the chassis.

You can remove the module safely when the status light is no longer green.

So "no preference for a particular method" certainly seems to be saying that it's OK to just pull the plug on FWSMs.

On the other hand the documentation is very clear about the ACE module:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/installation/note/aceinote.html#wp42206

* Step 1 Before you remove the module from the chassis, enter the no power enable module command in configure mode at the switch or router CLI to properly shut down the module to prevent data loss.

Sam

From justin at justinshore.com Sat Jul 5 11:43:51 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 05 Jul 2008 10:43:51 -0500
Subject: [c-nsp] IS-IS default route quandary
In-Reply-To:
References: <486C07B5.2090705@justinshore.com>
Message-ID: <486F96B7.20703@justinshore.com>

It's a possibility. I'll have to hit up my upstreams to see. I've got a couple options to try next week.

Thanks
Justin

David Freedman wrote:
> And of course *carefully* redistribute this into IS-IS until you've
> migrated away from customer routes in the IS-IS.
>
> David Freedman wrote:
>>> On each border router we also have a static default route pointed to the
>>> physical interface of the upstream peers
>> Can't you get them to originate you a default via BGP?

From cisco-nsp at punk.co.nz Sun Jul 6 00:00:04 2008
From: cisco-nsp at punk.co.nz (Kris Price)
Date: Sun, 06 Jul 2008 12:00:04 +0800
Subject: [c-nsp] 7600 vs MX experience?
Message-ID: <48704344.1030808@punk.co.nz>

Hi,

We're looking at 7600 + RSP720 platform and the MX from Juniper for our MPLS needs and I was interested in hearing feedback from people about their experiences - both positive and negative - with either platform. Whatever is selected will be used both as Ps and PEs w/ all 10GE on the core side. This is a fairly large (continental) deployment, and it will set the standard internationally for this customer. Main use will be for IP VPN and EoMPLS, but VPLS may show up in the future too.

Looks like they both will work for our needs. So what it really comes down to is important things like *stability*, support experience, etc. Please contact me off list if you'd rather not express something in public.

Feedback is very much appreciated. :)

Cheers
Kris

From tedm at toybox.placo.com Sun Jul 6 02:06:45 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sat, 5 Jul 2008 23:06:45 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <004401c8dd91$72d8daf0$f211a8c0@flamwsugsmul5v>
Message-ID:

Yes. I heard this from the president/owner of Imagestream. Considering what that company makes there's no question in my mind that they reverse-engineered one of the very early version PIXes. There are vestiges of this even in current code - notice for example that access-list subnet masks are not IOS-style, they are DOS/Windows style - although I'm sure with the number of PIXes that Cisco sold once they bought the product, any licensable Windows code was long since removed.

Ted

> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Thursday, July 03, 2008 9:50 PM
> To: Ted Mittelstaedt
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> Holy crap. Did you say Windows?
>
> tv
> ----- Original Message -----
> From: "Ted Mittelstaedt"
> To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R"
> Cc:
> Sent: Thursday, July 03, 2008 10:21 PM
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> >
> > Rubbish.
> >
> > The reason the PIX doesn't allow Telnet is that the original
> > PIX devices were built on a Windows core, Windows 3.1 as I
> > believe, with the GUI and most of the command line utilities
> > stripped away. Because the PIX was an early out-of-the-hole
> > firewall, it captured a customer base of customers who needed
> > a firewall but frankly didn't understand much about what they
> > needed. ie: dumb bunnies in cash-rich organizations willing
> > to buy sub-par technology that was hyped up to ridiculous
> > amounts. It's an old story in technology.
> >
> > This was a very valuable customer base which is why Cisco
> > purchased the PIX product line. Cisco had little interest
> > in the lame firewalling technology of the PIX and has
> > spent at least a decade of careful work grooming the PIX
> > customers off PIXes and on to Cisco router platforms. To
> > accomplish this they were -extraordinarily- careful to
> > preserve the PIX interface and limitations over the years.
> > But as anyone who works with PIXes knows, Cisco has really
> > not improved the basic technology of the PIX over the years.
> >
> > That is why the current Cisco IOS-based firewalls have
> > a firewalling feature set that knocks a PIX into a cocked
> > hat.
> >
> > It is also why Cisco has finally felt comfortable enough
> > that they have migrated the PIX customers worth keeping
> > over to their own product line, to announce that they were
> > discontinuing the PIX product line. As they did recently.
> >
> > Ted
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
> >> Sent: Monday, June 30, 2008 5:31 AM
> >> To: Joerg Mayer; Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >>
> >> I guess it's more as a "working right" educational purpose, so
> >> you won't use your firewall as a debugging client.
> >> In newer versions there's the packet tracker that can help you
> >> debug connectivity problems.
> >> Ziv
> >>
> >>
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> >> Sent: Monday, June 30, 2008 2:21 PM
> >> To: Aaron R
> >> Cc: cisco-nsp at puck.nether.net
> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
> >>
> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
> >> > It is disabled as a security feature. I have also wanted to do
> >> > the same for troubleshooting purposes.
> >>
> >> And why exactly is this a security feature? What is the *gain* in
> >> security?
> >>
> >> Ciao
> >> Joerg
> >> --
> >> Joerg Mayer
> >> We are stuck with technology when what we really want is just
> >> stuff that works. Some say that should read Microsoft instead of technology.
> >>
> >> ******************************************************************
> >> ******************
> >> This footnote confirms that this email message has been scanned by
> >> PineApp Mail-SeCure for the presence of malicious code, vandals &
> >> computer viruses.
> >> ******************************************************************
> >> ******************

From tedm at toybox.placo.com Sun Jul 6 02:26:49 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sat, 5 Jul 2008 23:26:49 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <486E1761.5010805@networkoblivion.com>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Peder @
> NetworkOblivion
> Sent: Friday, July 04, 2008 5:28 AM
> To: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> What!? The original PIX code was < 500k as the first versions from
> Network Translations only had 512k flash modules in them. There is no
> way that it was based on Windows, not even 3.1. I think you are
> thinking of the Centri (or whatever it was called) that was windows
> based that they bought many years ago. I actually worked at Cisco when
> they bought the PIX and the Centri and then they killed the Centri
> shortly thereafter.
> I think the Centri ran on Windows 95, but I am not
> 100% sure as that was 10+ years ago.
>

Interesting, I'm sure you're correct.

> IMO, the reason that so many people use(d) the PIX is that they just
> work.

I disagree. The reason they use them is they are cheap. Cisco did not require a separate IOS license the way that they do with a router running IOS-Firewall Feature set.

Ted

From tedm at toybox.placo.com Sun Jul 6 04:27:00 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sun, 6 Jul 2008 01:27:00 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of C. Jon Larsen
> Sent: Friday, July 04, 2008 7:30 AM
> To: Peder @ NetworkOblivion
> Cc: cisco-nsp at puck.nether.net >> Cisco-NSP Mailing List
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
>
> Ted,
>
> Peder is correct. Cisco bought the company that made the pix (NTI) because
> NTI was one of the first companies to have a decent working NAT overload
> implementation.

There was a set of patches to FreeBSD version 2.1 that added in translation, that came out around 1995. I had a running translator years before IOS 11.2 came out with it and had a 60 person company behind it.

> NAT was a big deal back then - around 1995/1996 and Cisco
> routers did not have NAT in the IOS until 11.2 I think.

Yes, and Cisco could have used the freely available NAT code that was BSD-licensed (ie: free, NOT GPL, really free). They did not have to pay off the NTI guys for something already available for free. And they didn't. They wanted the NTI customer brainshare, and likely, to put a potential competitor out of business.
> At that
> time UUnet and many other SPs were tossing out a full /24 for every t1,
> but the smaller ISDN and frac t1 based connections started coming with much
> smaller allocations, and PAT was something everyone (small customers)
> started wanting badly. There was a smattering of non cisco boxes that
> could do a little nat, but customers wanted solid state hardware that was
> easy to configure or at least flexible enough to be able to configure for a
> variety of wan service offerings - smds, atm, frame, isdn, x.25 was still
> here and there, and on the lan side decnet, ipx/spx, netbeui etc were
> still in play.
>
> Cisco, Proteon and Wellfleet and 3com to a lesser extent
> were the big router players but none of them were addressing the
> emerging NAT market very well.
>
> NTI was a small company with good engineers that wrote a
> custom kernel that did what few others were doing. I saw a few customers
> that actually bought the NTI box or were going to buy the box BEFORE cisco
> bought NTI. When Cisco bought NTI and threw their marketing behind the
> PIX, and started pushing it to resellers, it took off because it was a
> good box that fit a niche market very well. In fact the original NTI boxes
> were again more of a nat box than a firewall. When you installed a pix you set
> the screening router (a cisco of course) up as the dmz firewall with its
> acl capability to protect the dmz hosts and the pix had the outbound nat
> config and the conduits for the inbound flow to the inside network. The
> original pixes were pretty limited as a firewall and of course had no
> capability for a 3rd or 4th interface. They were strictly used for the
> corporate/inside network interface/connect point.
>
> Customers bought PIXes at that time because they were easier than having
> to figure out how to setup a linux

Linux was a toy in 1995, nobody was using it for production anything.
> or Sun bastion host / proxy toolkit or
> fiddle with ipmasq for most companies that did not have in house un*x
> talent. Customers were running out of IPs to number their PCs (and MACs
> - remember the need to browse the internet killed appletalk and localtalk)
> that and the ISPs were not handing them out (/24s) like candy anymore.
>
> As far as firewall feature set on a router goes ... I had to laugh. I have
> always considered that somewhat fiddly / buggy. Good way to make a solid
> product (a cisco router) into something that needs more attention and is
> slightly less reliable - especially when implemented on low end hardware
> like 800s, or 16xx, or 17xx, 2610s, etc.

IOS 11.2 for the 2500 was the first that did NAT.

> I have seen at least 3 or 4 fw
> feature set implementations on routers that were backwards - i.e.
> inspecting traffic in the wrong direction. There is also at least one
> config for the fwfs on cisco.com's website that has it backwards too that
> I ran across.
>

Yeah, I've seen that config too. But, every IOS rev Cisco has ever come out with has been full of bugs for at least the first 10 revisions.

In any case, putting them head-to-head today is a very different fish-kettle than in the beginning. I'll take a 2800 or 3800 series router with firewall on it over an ASA any day.

> As far as cisco discontinuing the pix ?? Thats plain wrong. The PIX
> lives on, it just has a new name (ASA) so cisco can move upmarket
> and charge more for the same code base :)
>

Let's just say Cisco's not discontinuing a PIX-like firewall. But calling the ASA a PIX? No, not at all. The ASA is even worse to deal with than the PIX. Fortunately, I don't have to deal with either on new installs, at any rate. Our customers who used to demand PIXes and routinely override my recommendations to buy a router aren't doing that with the ASA due to the price hike.
> Of course the cpus are much faster in the ASA boxes, and it has a more
> extensible/modular hardware architecture than the pix and you can plug in
> the IDS/IPS modules, etc. The ASA boxes usually have a celeron cpu in the
> 2Ghz range whereas the pixes started off as 486 dx2 66MHz chips (yes
> really, with like 4MB or maybe 8MB of main DRAM) and worked their way up
> to 300 or 400Mhz PII chips in the beefier models.
>
> Cisco has no interest in migrating any customers from PIX/ASA to routers.
> They want to sell you BOTH

Heh. Yep, and unnecessary.

> and a few Cat switches while they are at it :)
>

Cisco is a smart enough company to sell to people's preconceptions. Such as, for example, the silliness that having a firewall that allows outbound telnet is safer than allowing incoming telnet to a bastion host (either inside or outside) and then having people jump off from that to the inside. Once you open a vector from the outside to the inside, the firewall is compromised, no matter how convoluted you make that vector. Not to mention that the vast majority of trouble comes in via e-mail anyhow.

But, you don't see Cisco trying to educate people. They simply make products in every way, shape or form that do whatever people want, no matter how stupid, and sit back and let people waste money if they want.

> And finally, Peder is correct again about the Centri. Centri was a flaming
> pile of junk. It ran on windows nt server (workstation was also
> supported I'm pretty sure).
>
> Of course it was terrible (the centri) - windows nt was a terrible product
> that never really did get stable enough for use as a reliable pc server
> much less as a critical piece of network gear.

Vista today and MS Server are any different?

> Centri did have some
> really "impressive" guis tools for managing firewall configs.
> At that time the pix was popular but hard to configure for end customers who typically have net admins on staff and not network engrs (times really have not changed have they :). Customers wanted to manage their own boxes and not have to call an integrator every time an acl needed a tweak. Thus the pretty gui of the centri appealed (in theory). I never saw one get sold and work though. Couple of demo/evals, and it usually died there in the sales process :)
>
> It would have been near impossible for anyone to build a firewall based on windows 3.1 technology. Windows 3.1 did not have a true kernel or built in (native) tcp stack.

It most certainly did - it was the MS Networking Client for DOS that had the TCP/IP protocol. It only worked with LAN cards, though. MS even released a winsock that talked to that stack. Yes it was real-mode, and technically it wasn't "windows" code, but really most Windows 3.1 apps took over the system anyway to do their own thing; it's mainly a semantic argument.

> Remember Chameleon anyone ? trumpet winsock ?

Those got a boost because they would speak PPP/SLIP out the serial port. The MS Networking stuff wouldn't until Windows 95.

> Those DOS TSR-based "tcp mini kernels" as they were called were so unstable that a windows 3.1 or 3.11 based firewall would have keeled over the minute it saw real use. Those stacks were barely functional as a client, much less a server or firewall.

Once more, not true. See: http://www.ka9q.net/code/ka9qnos/ Many people ran this stuff for years; very stable it was.

> I don't remember any vendors coming out with windows based "firewalls" until win nt 4.0. Windows in all its versions just was not stable enough until then and recall that Windows 3.5 and up are not the same product at all as win 3.1. Win 3.1 was 16bit dos with a gui command shell and a gui api.
> Win 3.5.x and up was Cutler's 32bit rewrite of VAX and Microsoft's first true operating system :)

Xenix was Microsoft's first true operating system in 1980, followed by OS/2 in 1987 (joint with IBM). Cutler and his Vomit Making System rewrite didn't come along until '88.

> No way would cisco have purchased or built or sold or recommended to clients anything based on win3.1 other than maybe a terminal emulator to attach to a cisco serial console :)
>
> I remember a customer that badly wanted to migrate off of netware to "save" licensing $$. Remember this was before CALs and such and windows 3.5.1 was almost free as a network server. They had to boot the 3.5.1 server every nite so it would not crash the next day. The netware 3.12 server had been up for like 3-4 years at a time :)

I remember similar nonsense from customers during that time period as well.

Ted

From zivl at gilat.net Sun Jul 6 05:18:47 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 6 Jul 2008 12:18:47 +0300
Subject: [c-nsp] Cisco 878 SDM connection problem
In-Reply-To: <022c01c8dcf5$c85fa9f0$170d3ad4@emre>
References: <022c01c8dcf5$c85fa9f0$170d3ad4@emre>
Message-ID:

I think this will get you started:
http://www.cisco.com/univercd/cc/td/doc/product/software/sdm/sdmi21.htm

There are also links to download the SDM software and install it on your PC instead of using the Java from within the device. You need to have a registered user in Cisco in order to be able to download this kind of software.

Regards,
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Emre Türkmenler
Sent: Thursday, July 03, 2008 1:16 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 878 SDM connection problem

Hi,

I want to connect to a Cisco 878 with SDM but I have problems; it may be a Java problem. I have the latest version installed at the moment. Can someone explain how I can use SDM?
Thanks

From nick.jon.griffin at gmail.com Sun Jul 6 11:57:31 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Sun, 6 Jul 2008 10:57:31 -0500
Subject: [c-nsp] WLC and LWAPP Aps
In-Reply-To: <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
Message-ID:

You should be asking yourself how many access points the controller itself can accommodate. I imagine that the DHCP server will let you dole out DHCP scopes all day long, but at the end of the day the controllers are bound to a maximum number of access points. If your AP manager and your management interface are on the same subnet, it's a great idea to place the access points you're talking about on the same VLAN/subnet so that they may discover the controller via L2 broadcast frames; otherwise you get to do some TLV conversions to configure DHCP option 43. In your situation, since this is your first deployment, I would recommend priming the access points as I mentioned above.
You will also need to configure the IP address of the controller under the management, and probably the AP manager, interface.

HTH,

Nick Griffin

On Fri, Jul 4, 2008 at 8:42 AM, Dracul wrote:
> Additional query.
>
> On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer wrote:
>
> > On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote:
> > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. I cannot seem to make the lightweight AP get an IP address from the internal DHCP server of the WLC, let alone the LW AP be discovered by the 4404. Used Layer 2 and Layer 3 mode already.
> >
> > How about some more details? Are AP and management-if in the same network? If not, what have you done to make sure that the AP knows where to find it? If all fails: You can configure the management-if address directly on the lw-ap command line.
> >
> > Ciao
> > Joerg
> > --
> > Joerg Mayer
> > We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
>
> --
> ===
> Support www.gawadkalinga.org

From anthony.gueneau at gmail.com Sun Jul 6 12:11:12 2008
From: anthony.gueneau at gmail.com (Anthony GUENEAU)
Date: Sun, 6 Jul 2008 18:11:12 +0200
Subject: [c-nsp] 3750 stack member failure detection
Message-ID: <4870eea3.0c07560a.1598.155e@mx.google.com>

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP? What OID from what Cisco MIB (ENTITY-MIB??) should I poll to manage it?

Thanks.

Anthony

From bennetb at gmail.com Sun Jul 6 13:49:25 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Sun, 6 Jul 2008 11:49:25 -0600
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
References: <486E1761.5010805@networkoblivion.com>
Message-ID:

On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt wrote:
> > What!? The original PIX code was < 500k as the first versions from Network Translations only had 512k flash modules in them. There is no way that it was based on Windows, not even 3.1.

Straight from the horse's mouth. It was written from the ground up.
http://www.control.auc.dk/~magnus/Mailboxe/firewall-archive/0000.html

Also another good read:
http://home.cfl.rr.com/dealgroup/pix/pix_page_history.htm

Apparently they used a Plan9 computer to develop it as well, with the rumor that PIX is a dedication to Plan9, IX being the Roman numerals for 9.

> > I disagree. The reason they use them is they are cheap. Cisco did not require a separate IOS license the way that they do with a router running IOS-Firewall Feature set.

I have found that PIX/ASA does a much better job at stateful firewalling than CBAC can, even though they share 95% of the same inspect engines. I have never had an issue with scaling the CPU/memory on a PIX or resource limitations. I have had this on IOS from time to time.

> Yes, and Cisco could have used the freely available NAT code that was BSD-licensed (ie: free, NOT GPL, really free). They did not have to pay off the NTI guys for something already available for free. And they didn't. They wanted the NTI customer brainshare, and likely, to put a potential competitor out of business.

The fact of the matter is that NTI was doing it better and faster than the Sun and BSD implementations out there at the time. Combine this with the fact that it was easy to set up, maintain, and monitor, similar to the rest of the network gear, and it just makes sense. I don't think this is an example of Cisco trying to dominate the market by "buying-out" competitors. If that was the case Cisco would not have continued the product line for 13 years (and running).
> Let's just say Cisco's not discontinuing a PIX-like firewall. But calling the ASA a PIX? No, not at all. The ASA is even worse to deal with than the PIX

Dude, the ASA is a PIX with some slight modifications. The code was shared until 8.x (you could boot ASA code on a PIX and PIX code on an ASA). In 8.x the ASA now runs a Linux kernel, but most of the actual firewall code is the same. For all intents and purposes the ASA is the next-generation PIX.

Furthermore, the price difference between the PIX and the ASA is not much. There is still free 3DES/AES licensing, there is still free IPSec VPN termination. The only difference would be the additional licensing and modules that the ASA can do (SSLVPN, IPS, etc.)

Let's compare:

PIX 515E could handle 190 Mbit/s clear text.
The ASA 5510 can handle 300 Mbit/s clear text.

List price of a PIX-515E-UR-BUN, PIX 515E-UR Bundle (Chas, Unrestricted SW, 128MB, 2 FE, VAC+): USD 6,995.00
List price of an ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5FE, 3DES/AES: USD 3,495.00

So the ASA is actually FAR cheaper. Even the ASA 5520 (which may be a bit of a better comparison) is still cheaper than the PIX 515E.

The config is the same, the code is the same. I am not sure why you say they are far different. I've been using PIX for nearly 8 years now and the ASA is nothing different.

As far as the rest of your conversation, it's kinda getting far off topic. :) Although I am not sure how much information I can take from a guy who thought PIX code was Windows 3.1 based. (Not to mention Windows 3.1 didn't even include a kernel!)

The wrap up: The PIX/ASA is a very capable firewall; you quickly learn ways around not being able to telnet from the box itself. IOS as well shares a lot from the PIX/ASA (and vice versa) and also can make a good firewall. With the ASR1000 it can make a very very quick firewall :) Also there are other options from other vendors (blasphemy...
I know) like a NetScreen (which ironically ALSO doesn't allow you to telnet from the box :) )

-Brandon Bennett
CCIE No 19406.

From rubensk at gmail.com Sun Jul 6 15:04:42 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sun, 6 Jul 2008 16:04:42 -0300
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <48704344.1030808@punk.co.nz>
References: <48704344.1030808@punk.co.nz>
Message-ID: <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>

At a recent event I could meet with lots of people from carriers of all sizes in the LAC region, so I will summarize based on the overall experience:

- There were far more stories of instability on the 7600 than on Juniper, even from those that use both as Ps and PEs. I can't say precisely whether the Juniper gear was M-, MX- or T-series. IOS versions that solved that bug that was annoying but introduced some different bugs of their own were also a popular quote.

- On the other hand, people with simpler 7600 configurations had fewer problems and could use more IOS versions than the others. That's my direct experience: with no FlexWAN, OSMs or ES-20 service cards, you have much more flexibility in adopting newer software and have fewer bugs to deal with.

- Support experience with Cisco from carriers that had either Cisco SmartNET contracts or Cisco Shared Support from one Cisco Partner (let's name them and reward their good service: NEC) was rather good, but other Cisco Shared Support partners were awful at supporting carrier needs. Support experience with Juniper was good whether they called a partner (the same partner serves most or all of Juniper carrier customers in the region) or Juniper directly.

Based on that experience, may I suggest some ideas?

1) If you are going to avoid using 7600 with service cards, then don't get a 7600. Get a ME6500 or some other Catalyst with the port density you need.
No VPLS, some restrictions on EoMPLS (port or subinterface but no VLAN-based EoMPLS), but they cost much less, are stable and made by a friendly BU. ME6500 has H-VPLS, so you can provide VPLS services if you have a VPLS concentrator somewhere, which then would be a pricier 7600, or a Juniper with low port density (M7i-2GE for instance).

2) If you buy Cisco gear and don't know whether your Shared Support partner will do a good job, buy some boxes with SmartNET and some boxes with Shared Support for the 2nd year. In the 1st year you will probably get SmartNET because of Cisco sales policies, so you will already have a quality to compare to. From the 2nd year on, Shared Support will be much cheaper and you will be tempted to buy all support in this flavor, but beware of the provider you don't know yet.

3) Think a lot before doing VPLS services, as the customer may think it's good due to no subnetting or renumbering, but point-to-multipoint is something that I really prefer to see routed. IP VPN with Multicast can probably fit most customer needs instead of VPLS.

Rubens

On Sun, Jul 6, 2008 at 1:00 AM, Kris Price wrote:
> Hi,
>
> We're looking at 7600 + RSP720 platform and the MX from Juniper for our MPLS needs and I was interested in hearing feedback from people about their experiences - both positive and negative - with either platform.
>
> Whatever is selected will be used both as Ps and PEs w/ all 10GE on the core side. This is a fairly large (continental) deployment, and it will set the standard internationally for this customer. Main use will be for IP VPN and EoMPLS, but VPLS may show up in the future too.
>
> Looks like they both will work for our needs. So what it really comes down to is important things like *stability*, support experience, etc.
>
> Please contact me off list if you'd rather not express something in public.
>
> Feedback is very much appreciated.
:)
>
> Cheers
> Kris

From paul at paulstewart.org Sun Jul 6 15:18:19 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 6 Jul 2008 15:18:19 -0400
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>
References: <48704344.1030808@punk.co.nz> <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com>
Message-ID: <001001c8df9d$0f60f0d0$2e22d270$@org>

Hi Rubens...

Sorry if this is sidetracking the conversation a bit - apologies. But, what can folks tell me about shared support in general? I always thought it was Smartnet or nothing, hence why I'm asking... is this "3rd party Cisco support" that I've seen advertised a few times? With "shared smartnet", do you lose the ability to contact TAC directly? What about software updates - from Cisco or from the partner??

Thanks very much,

Paul Stewart

From apowers at lancope.com Sun Jul 6 14:44:49 2008
From: apowers at lancope.com (Adam Powers)
Date: Sun, 06 Jul 2008 14:44:49 -0400
Subject: [c-nsp] 'multiplexing" netflow?
In-Reply-To: <005c01c8dd10$4b79fc40$e26df4c0$@bezzina@bell.net.mt>
Message-ID:

Lancope sells a commercial Flow Replicator that's designed for replication and redistribution of any unidirectional UDP app including NetFlow. It operates in both unicast and promiscuous modes. More info here...
http://www.lancope.com/products/replicator.aspx

An open source alternative that I know many have used to much success is the UDP Samplicator project found here:
http://freshmeat.net/projects/samplicator/

On 7/3/08 9:25 AM, "Gordon Bezzina" wrote:
> Hi,
>
> Get a plain linux box, install flow-tools and use flow-fanout.
>
> Example:
>
> /usr/bin/flow-fanout -s 0/192.168.3.5/2000 0/192.168.3.10/9996 0/192.168.3.22/2055
>
> Accept netflow from 192.168.3.5 on port 2000 and re-export them to:
> 1. 192.168.3.10 port 9996; and
> 2. 192.168.3.22 port 2055.
>
> My linux box has been up for 157 days already and flow-fanout never crashed :-)
>
> Hope it helps
>
> Brgds
> Gordon
>
> On Thu, Jul 3, 2008 at 11:18, Drew Weaver wrote:
> > Hi there, we have equipment at our edge that requires us to export our netflow to it in order for it to function but we would also like our NetFlow stats to be exported somewhere else for analysis.
> >
> > Does anyone know of a product that you can export your netflow to that will then in turn export it to multiple destinations (that works well and is easy to use/reliable)?

--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam at lancope.com

From mtinka at globaltransit.net Sun Jul 6 21:18:28 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 7 Jul 2008 09:18:28 +0800
Subject: [c-nsp] Shutting Down Catalyst 6509?
In-Reply-To: <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com>
Message-ID: <200807070918.32290.mtinka@globaltransit.net>

On Friday 04 July 2008 20:54:48 Felix Nkansah wrote:
> Thanks guys.
>
> I thought it has some special shutdown procedures or commands.

Which is something we wish for on Cisco's new ASR line, seeing as it has a hard drive and all.

Current documented procedure to shut down the ASR is to reload as normal, then power off the PSUs when you see the Bootloader - not very elegant.

Mark.

From chris.garzon at gmail.com Sun Jul 6 22:36:23 2008
From: chris.garzon at gmail.com (Dracul)
Date: Mon, 7 Jul 2008 10:36:23 +0800
Subject: [c-nsp] WLC and LWAPP Aps
In-Reply-To:
References: <876789290807030948r78e196c5g72b0b814e5ee1eee@mail.gmail.com> <20080703181517.GJ4112@thot.informatik.uni-kl.de> <876789290807040642k322820e8wd8b4d10dea0e4f15@mail.gmail.com>
Message-ID: <876789290807061936r326a245aue7b1e388d4283413@mail.gmail.com>

Thanks Nick,

I'm planning to maximize my 4404's capability, which is 100. What I'm afraid of is whether the internal DHCP of the 4404 will be OK to serve the 100 LWAPs. Then my clients would use another DHCP server to connect.

Best regards,
Chris

On Sun, Jul 6, 2008 at 11:57 PM, Nick Griffin wrote:
> You should be asking yourself how many access points the controller itself can accommodate. I imagine that the DHCP server will let you dole out DHCP scopes all day long, but at the end of the day the controllers are bound to a maximum number of access points. If your AP manager and your management interface are on the same subnet, it's a great idea to place the access points you're talking about on the same VLAN/subnet so that they may discover the controller via L2 broadcast frames; otherwise you get to do some TLV conversions to configure DHCP option 43. In your situation, since this is your first deployment, I would recommend priming the access points as I mentioned above.
> You will also need to configure the IP address of the controller under the management, and probably the AP manager, interface.
>
> HTH,
>
> Nick Griffin
>
> On Fri, Jul 4, 2008 at 8:42 AM, Dracul wrote:
>
>> Additional query.
>>
>> On Fri, Jul 4, 2008 at 2:15 AM, Joerg Mayer wrote:
>>
>> > On Fri, Jul 04, 2008 at 12:48:59AM +0800, Dracul wrote:
>> > > Has anyone done smooth installs with Cisco WLC 4404 series with AIR 1131. I cannot seem to make the lightweight AP get an IP address from the internal DHCP server of the WLC, let alone the LW AP be discovered by the 4404. Used Layer 2 and Layer 3 mode already.
>> >
>> > How about some more details? Are AP and management-if in the same network? If not, what have you done to make sure that the AP knows where to find it? If all fails: You can configure the management-if address directly on the lw-ap command line.
>> >
>> > Ciao
>> > Joerg
>> > --
>> > Joerg Mayer
>> > We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From tvarriale at comcast.net Sun Jul 6 22:50:16 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Sun, 6 Jul 2008 21:50:16 -0500
Subject: [c-nsp] Telnet FROM a PIX Appliance?
References:
Message-ID: <006101c8dfdc$30146020$f211a8c0@flamwsugsmul5v>

It's fairly well known by people that have been fortunate to have been around Cisco that long and/or that know a little PIXen history that the OS was called Finesse. It was a custom built OS and AFAIK has had no stage performances in any other devices. But, don't take my word for it. I'm sure the NTI guys are still around out west somewhere.

I think your Windows similarity stretch is incredibly creepy. I feel like I'm getting hoaxed into a pyramid scheme for some reason.
tv

----- Original Message -----
From: "Ted Mittelstaedt"
To: "Tony Varriale"
Cc:
Sent: Sunday, July 06, 2008 1:06 AM
Subject: RE: [c-nsp] Telnet FROM a PIX Appliance?

>
> Yes. I heard this from the president/owner of Imagestream. Considering what that company makes there's no question in my mind that they reverse-engineered one of the very early version PIXes. There are vestiges of this even in current code - notice for example that access-list subnet masks are not IOS-style, they are DOS/Windows style - although I'm sure with the number of PIXes that Cisco sold once they bought the product, any licensable Windows code was long since removed.
>
> Ted
>
>> -----Original Message-----
>> From: Tony Varriale [mailto:tvarriale at comcast.net]
>> Sent: Thursday, July 03, 2008 9:50 PM
>> To: Ted Mittelstaedt
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>>
>> Holy crap. Did you say Windows?
>>
>> tv
>> ----- Original Message -----
>> From: "Ted Mittelstaedt"
>> To: "Ziv Leyes" ; "Joerg Mayer" ; "Aaron R"
>> Cc:
>> Sent: Thursday, July 03, 2008 10:21 PM
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>>
>> >
>> > Rubbish.
>> >
>> > The reason the PIX doesn't allow Telnet is that the original PIX devices were built on a Windows core, Windows 3.1 as I believe, with the GUI and most of the command line utilities stripped away. Because the PIX was an early out-of-the-hole firewall, it captured a customer base of customers who needed a firewall but frankly didn't understand much about what they needed. ie: dumb bunnies in cash-rich organizations willing to buy sub-par technology that was hyped up to ridiculous amounts. It's an old story in technology.
>> >
>> > This was a very valuable customer base which is why Cisco purchased the PIX product line.
>> > Cisco had little interest in the lame firewalling technology of the PIX and has spent at least a decade of careful work grooming the PIX customers off PIXes and on to Cisco router platforms. To accomplish this they were -extraordinarily- careful to preserve the PIX interface and limitations over the years. But as anyone who works with PIXes knows, Cisco has really not improved the basic technology of the PIX over the years.
>> >
>> > That is why the current Cisco IOS-based firewalls have a firewalling feature set that knocks a PIX into a cocked hat.
>> >
>> > It is also why Cisco has finally felt comfortable enough that they have migrated the PIX customers worth keeping over to their own product line, to announce that they were discontinuing the PIX product line. As they did recently.
>> >
>> > Ted
>> >
>> >> -----Original Message-----
>> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Ziv Leyes
>> >> Sent: Monday, June 30, 2008 5:31 AM
>> >> To: Joerg Mayer; Aaron R
>> >> Cc: cisco-nsp at puck.nether.net
>> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>> >>
>> >>
>> >> I guess it's more as a "working right" educational purpose, so you won't use your firewall as a debugging client.
>> >> In newer versions there's the packet tracker that can help you debug connectivity problems.
>> >> Ziv
>> >>
>> >>
>> >> -----Original Message-----
>> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
>> >> Sent: Monday, June 30, 2008 2:21 PM
>> >> To: Aaron R
>> >> Cc: cisco-nsp at puck.nether.net
>> >> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>> >>
>> >> On Mon, Jun 30, 2008 at 06:30:59PM +0800, Aaron R wrote:
>> >> > It is disabled as a security feature. I have also wanted to do the same for troubleshooting purposes.
>> >>
>> >> And why exactly is this a security feature? What is the *gain* in security?
>> >>
>> >> Ciao
>> >> Joerg
>> >> --
>> >> Joerg Mayer
>> >> We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
>> >> ****************************************************************** >> >> ****************** >> >> >> >> >> >> >> >> _______________________________________________ >> >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> From sethm at rollernet.us Mon Jul 7 00:40:08 2008 From: sethm at rollernet.us (Seth Mattinen) Date: Sun, 06 Jul 2008 21:40:08 -0700 Subject: [c-nsp] Shutting Down Catalyst 6509? In-Reply-To: <200807070918.32290.mtinka@globaltransit.net> References: <18dba4e50807040529y1eab40aq1b6c263fbb76da6b@mail.gmail.com> <18dba4e50807040554v37f02f22u76d61ddec74d7faf@mail.gmail.com> <200807070918.32290.mtinka@globaltransit.net> Message-ID: <48719E28.1080409@rollernet.us> Mark Tinka wrote: > On Friday 04 July 2008 20:54:48 Felix Nkansah wrote: > >> Thanks guys. >> >> I thought it has some special shutdown procedures or >> commands. > > Which is something we wish for on Cisco's new ASR line, > seeing as it has a hard drive and all. > > Current documented procedure to shutdown the ASR is to > reload as normal, then power-off the PSU's when you see the > Bootloader - not very elegant. > How the heck would something like that make it past QA? I've never in my life worried about corrupting a router, switch, or any associated modules. One would think that some kind of battery-backed write cache similar to how RAID controllers deal with unexpected power loss could be used. I've never priced an ASR but they certainly don't look cheap. 
~Seth

From juniper84 at live.com Mon Jul 7 00:51:30 2008
From: juniper84 at live.com (J C)
Date: Mon, 7 Jul 2008 01:51:30 -0300
Subject: [c-nsp] 7600 MPLS QoS
Message-ID:

I've been going through all the documentation regarding MPLS and configuring MPLS QoS on PFCs and I'm stumped on this question.

In the past MPLS networks I've used Pipe Mode with Explicit Null LSP to configure QoS within the MPLS network. The benefit of this for a carrier network was that it preserved the customer markings and allowed us to control the treatment of the traffic right up to (and including) the egress of the PE to the carrier-owned CPE.

From reading the documentation on the 7600 I don't see anywhere the ability to use Pipe Mode with Explicit-Null LSP... I only see Uniform Mode and Short Pipe Mode. Right away Uniform Mode is out of the question, and Short Pipe Mode is the best alternative, but it only allows you to control the treatment of the traffic until it reaches the final PE, at which point the traffic has no MPLS EXP bits left on it and only the original customer markings are left.

So my question is... am I just missing something regarding the 7600 and its ability to support Pipe mode with Explicit-Null? I'm asking this because I also noticed that 'set qos-groups' is not available to do on ingress MPLS-MPLS interfaces...

And if this method of MPLS QoS is not supported on the 7600, what's the next best thing? Lastly, if Short Pipe Mode is the only alternative, then how can the SP still control treatment on the egress of the final PE... as all MPLS EXP bits will be stripped during the final 'pop'.

Thanks in advance MPLS gurus!!!!
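The three tunnelling modes the post above contrasts, as an added Python model (not code from this thread, from Cisco, or from the 7600 documentation): it walks a packet carrying a customer DSCP through the ingress PE, an optional EXP remark in the core, the penultimate hop and the egress PE, and reports which DSCP survives and which field the egress PE can base its outbound queuing on. The packet class, the label value 100, the hop functions and the simplification that uniform mode rewrites only the precedence bits are assumptions of this example; the mode behaviours follow the RFC 3270 definitions of uniform, pipe and short-pipe.

```python
"""Toy model of MPLS Diff-Serv tunnelling modes (RFC 3270) across one LSP.

Constructed illustration: the packet, the label value 100 and the per-hop
functions are assumptions, not Cisco code; uniform mode here rewrites only
the IP precedence bits (top 3 bits of the DSCP), a simplification.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

UNIFORM, PIPE, SHORT_PIPE = "uniform", "pipe", "short-pipe"
IPV4_EXPLICIT_NULL = 0          # reserved label value from RFC 3032
EF = 46                         # DSCP the customer marked their voice with


@dataclass
class Packet:
    dscp: int                                   # customer marking in the IP header
    labels: List[Tuple[int, int]] = field(default_factory=list)  # (label, exp); top last


def _exp_to_precedence(dscp: int, exp: int) -> int:
    """Copy a 3-bit EXP value into the precedence bits, keeping the low DSCP bits."""
    return (exp << 3) | (dscp & 0x7)


def ingress_pe(pkt: Packet, mode: str, label: int, carrier_exp: int) -> Packet:
    """Ingress PE pushes the tunnel label.  Uniform derives EXP from the
    customer's precedence; pipe and short-pipe use the carrier's own EXP
    and never touch the customer DSCP."""
    exp = (pkt.dscp >> 3) if mode == UNIFORM else carrier_exp
    pkt.labels.append((label, exp))
    return pkt


def core_remark(pkt: Packet, new_exp: int) -> Packet:
    """A P router (e.g. a policer) rewrites the EXP of the top label."""
    label, _ = pkt.labels[-1]
    pkt.labels[-1] = (label, new_exp)
    return pkt


def penultimate_hop(pkt: Packet, mode: str, explicit_null: bool) -> Packet:
    """Penultimate LSR: with explicit null the label is swapped for label 0 so
    the EXP bits reach the egress PE; otherwise PHP pops it here, and in
    uniform mode the EXP is propagated down into the IP header on the pop."""
    _, exp = pkt.labels.pop()
    if explicit_null:
        pkt.labels.append((IPV4_EXPLICIT_NULL, exp))
    elif mode == UNIFORM:
        pkt.dscp = _exp_to_precedence(pkt.dscp, exp)
    return pkt


def egress_pe(pkt: Packet, mode: str) -> Tuple[int, Tuple[str, int]]:
    """Egress PE pops whatever label is left and returns (DSCP now in the IP
    header, (field the outbound queuing decision is based on, its value))."""
    top: Optional[Tuple[int, int]] = pkt.labels.pop() if pkt.labels else None
    if mode == UNIFORM:
        if top is not None:
            pkt.dscp = _exp_to_precedence(pkt.dscp, top[1])
        return pkt.dscp, ("dscp", pkt.dscp)
    if mode == PIPE:
        if top is None:
            # No label at egress means no EXP left to queue on, which is
            # exactly why pipe mode needs explicit null or PHP disabled.
            raise ValueError("pipe mode needs the label present at the egress PE")
        return pkt.dscp, ("exp", top[1])
    return pkt.dscp, ("dscp", pkt.dscp)   # short-pipe: queue on the customer's mark


def run(mode: str, dscp: int, carrier_exp: int = 3,
        core_exp: Optional[int] = None, explicit_null: bool = False):
    """Push a packet through ingress PE -> (optional P remark) -> penultimate -> egress PE."""
    pkt = ingress_pe(Packet(dscp), mode, label=100, carrier_exp=carrier_exp)
    if core_exp is not None:
        core_remark(pkt, core_exp)
    penultimate_hop(pkt, mode, explicit_null)
    return egress_pe(pkt, mode)


if __name__ == "__main__":
    # Uniform: a remark in the core leaks into the customer's DSCP (46 -> 14).
    print("uniform, remarked in core:", run(UNIFORM, EF, core_exp=1))
    # Pipe + explicit null: DSCP untouched, egress queues on the carrier EXP.
    print("pipe, explicit null:     ", run(PIPE, EF, carrier_exp=3, explicit_null=True))
    # Short pipe: DSCP untouched, but egress can only queue on the customer's mark.
    print("short-pipe:              ", run(SHORT_PIPE, EF, carrier_exp=3))
```

Read the customer DSCP as an untrusted input: uniform mode lets a remark inside the carrier core overwrite it, short-pipe preserves it but hands the egress queuing decision back to that customer value, and only pipe mode preserves it while keeping the egress decision on the carrier's own EXP, which is why that mode needs the label to still be present at the egress PE (explicit null, or PHP disabled).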
From justin at justinshore.com Mon Jul 7 01:50:52 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 07 Jul 2008 00:50:52 -0500
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <001001c8df9d$0f60f0d0$2e22d270$@org>
References: <48704344.1030808@punk.co.nz> <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com> <001001c8df9d$0f60f0d0$2e22d270$@org>
Message-ID: <4871AEBC.5020304@justinshore.com>

Paul Stewart wrote:
> Hi Rubens...
>
> Sorry if this is sidetracking the conversation a bit - apologies. But, what
> can folks tell me about shared support in general? I always thought it was
> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
> support" that I've seen advertised a few times?
>
> With "shared smartnet", do you lose the ability to contact TAC directly?
> What about software updates - from Cisco or from the partner??

To go along with Paul's question, what about hardware warranty & RMA?

Justin

From john.douglas at gmail.com Mon Jul 7 02:33:35 2008
From: john.douglas at gmail.com (john douglas)
Date: Mon, 7 Jul 2008 16:33:35 +1000
Subject: [c-nsp] What is spanning tree interface "St1"
Message-ID: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>

Hi All,

I am investigating some ongoing spanning tree root changes and I am seeing this interface "St1" appearing in the STP root debug:

016536: Jul 7 16:10:01.680 AEST: STP: VLAN0148 heard root 32916-0013.60a9.0f00 on St1
016537: Jul 7 16:10:01.680 AEST: STP: VLAN0149 Topology Change rcvd on St1
016538: Jul 7 16:10:01.680 AEST: STP: VLAN0148 heard root 32916-0013.60a9.0f00 on St1
016544: Jul 7 16:10:01.722 AEST: STP: VLAN0148 we are the spanning tree root
016545: Jul 7 16:10:01.722 AEST: STP: VLAN0148 heard root 8340-0008.e379.d980 on Gi1/0/28
016546: Jul 7 16:10:01.722 AEST: supersedes 32916-0013.60a9.0f00
016547: Jul 7 16:10:01.722 AEST: STP: VLAN0148 new root is 8340, 0008.e379.d980 on port Gi1/0/28, cost 39
016548: Jul 7 16:10:01.722 AEST: STP: VLAN0148 sent Topology Change Notice on Gi1/0/28
016549: Jul 7 16:10:02.678 AEST: STP: VLAN0148 Topology Change rcvd on St1

My google fu must be bad today because I cannot seem to find any reference to spanning tree and "St1" at all.. I see similar output in the sh spanning tree details for this vlan. I only have 2 interfaces on the switch that live in Vlan 148, however I now have this magical interface "St1" which has appeared with cost 100?

#sh vlan id 148

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
148  foofoofoobar1                    active    Gi1/0/28, Gi2/0/23

#sh spanning-tree vlan 148

VLAN0148
  Spanning tree enabled protocol ieee
  Root ID    Priority    8340
             Address     0008.e379.d980
             Cost        38
             Port        28 (GigabitEthernet1/0/28)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32916  (priority 32768 sys-id-ext 148)
             Address     0013.60a9.0f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi1/0/28         Root FWD 29        128.28   P2p
St1              Desg FWD 100       128.1000 P2p
Gi2/0/23         Desg FWD 9         128.75   P2p

Ideas anyone?

From avayner at cisco.com Mon Jul 7 03:46:00 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Mon, 7 Jul 2008 09:46:00 +0200
Subject: [c-nsp] What is spanning tree interface "St1"
In-Reply-To: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>
References: <5c846eaf0807062333h807ea4di467853c3c4bbc560@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501910D64@xmb-ams-331.emea.cisco.com>

John,

St1 is a logical interface associated with the internal stack.
Arie

From tedm at toybox.placo.com Mon Jul 7 03:49:12 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 7 Jul 2008 00:49:12 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
Message-ID:

-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Sunday, July 06, 2008 10:49 AM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

On Sun, Jul 6, 2008 at 12:26 AM, Ted Mittelstaedt wrote:

>>I disagree. The reason they use them is they are cheap. Cisco
>>did not require a separate IOS license the way that they do with
>>a router running IOS-Firewall Feature set.

>I have found that PIX/ASA does a much better job at stateful firewalling
>than CBAC can even though they share 95% of the same inspect engines. I
>have never had an issue with scaling the CPU/memory on a PIX or resource
>limitations. I have had this on IOS from time to time.

I have, actually. With a lot of VPN tunnels terminated on a PIX 506.
Not that I blame the PIX though, as I had been telling the customer almost a year earlier that they would need a 515. I've also had trouble with stateful inspection on IOS on a router with insufficient RAM in it. Once again, I predicted to the customer in advance it would happen, the customer didn't want to spend money in advance on RAM, and sure enough it did happen at an inconvenient time for them. Both times I savored saying "I told you so", believe me.

>> Yes, and Cisco could have used the freely available NAT code
>>that was BSD-licensed (ie: free, NOT GPL, really free). They
>>did not have to pay off the NTI guys for something already
>>available for free. And they didn't. They wanted the NTI
>>customer brainshare, and likely, to put a potential competitor out
>>of business.

>The fact of the matter is that NTI was doing it better and faster than
>the Sun and BSD implementations out there at the time.

I was not aware of any Sun NAT implementation at that time period. If there was, what was it? Checkpoint did run on Solaris, I admined one of those as a matter of fact, but it was not NAT. And it was annoying.

As for the NTI being better than BSD, that's just your opinion. First of all the NAT stuff was only on FreeBSD, NOT on any of the other BSDs, and it definitely wasn't on Solaris. When it was released it was a set of kernel patches and an application, and it wasn't applicable to any other UNIX. Please point out any "bake-off" comparisons that were done at that time. Most people didn't know what NAT was.

I never had problems with the FreeBSD implementation of NAT and in fact, doing it this way supported some applications that the Cisco IOS NAT didn't (at the beginning), like PPTP client VPNs initiated from behind. And Netmeeting H.323 since you could also run a NM proxy on the system; if you recall that was pretty common in the NT days for remote control since it was free.
I never used the NTI stuff at that time so I don't have an opinion on which was better, but I'll bet money you never used the FreeBSD NAT patches either, so I'll put your "fact of the matter is" statement down to youthful eagerness and leave it at that. ;-)

>Combine this with
>the fact that it was easy to setup, maintain, and monitor similar to the
>rest of the network gear

If a PIX is so easy to set up and maintain then I would have not had quite a lot of work over the years in administering them for people. I will say that the PIX command line is no worse to set up and admin than IOS - once you know all of the idiosyncrasies of the PIXos - but that's no different than the idiosyncrasies of IOS. I do find the PIX GUI to be a big piece of crap, though.

But, the assertion that it's easy to set up is only the case when you're talking about real network admins. For the general public, that is frankly absurd. What is easy to set up is a Linksys RV042 (which will VPN into a PIX quite nicely, although you have to turn off stateful packet inspection on it if you're running Vista, per http://support.microsoft.com/kb/934430/en-us).

>and it just makes sense. I don't think this
>is an example of Cisco trying to dominate the market by "buying-out"
>competitors. If that was the case Cisco would not have continued the
>product line for 13 years (and running).

Continuing the product line for 13 years is definitely not a symptom of a company trying to buy out a competitor, you're right there. What it IS a symptom of, is a company trying to keep a captured customer base from bolting. If there had been no brainshare and no customer base for the NTI stuff then Cisco would have done the same thing they did when they picked up the ISDN technology they wanted from Combinet: they would have almost immediately renamed the product line and moved all the decent technology into IOS as quick as they could.
I'm sure you have been in the business long enough to understand that companies only buy other companies to make money. That money comes from - drumroll - customers, does it not? Thus to put it simply, companies only buy other companies so they can get more money out of customers. They don't do it to make prices cheaper for you, they do it so they can lock you into them further, or because they pitched their products to you and you didn't like them and so went with someone else; now they bought that someone else, so they own you even though you never liked them.

The stated reasons of "helping customers" are almost always utter hogwash. For the most part acquisitions essentially reduce competition and thus allow the acquiring company to maintain high prices or jack up their prices. This doesn't help customers. The very FEW times that an acquisition helps is when the acquired company was going bankrupt - and you're a customer who bought in to the failing company's product line. But boy, you're gonna pay through the nose to the acquiring company to maintain your service agreements, and the fact of the matter is you made a decision to buy into a loser's products - it's a regrettable decision no matter how you slice it, and the acquiring company is merely less unpleasant than scrapping and replacing the product.

If Cisco hadn't maintained the PIX product line for as long as they did, I would agree that Cisco just bought NTI because they wanted its technology. But you are missing the obvious here. You're saying the ASA is a PIX, meaning Cisco isn't killing the PIX after all. If so, why? I'll tell you, it's because there's a customer base out there that is large! It is NOT because it's better or worse to do the same thing that the PIX does on an IOS router, it's because this large customer base THINKS it's better to do the stuff the PIX does on a standalone box that isn't a router. The baby wants his bottle and Cisco isn't going to take it away. Simple as that.
>>Let's just say Cisco's not discontinuing a PIX-like firewall. But
>>calling the ASA a PIX? No, not at all. The ASA is ever worse
>>to deal with than the PIX

>Dude, the ASA is a pix with some slight modifications. The code was shared
>until 8.x (you could boot asa code on a pix and pix code on an asa). 8.x
>the ASA now runs a linux kernel, but most of the actual firewall code is
>the same. For all intents and purposes the ASA is the next-generation PIX.

If it only has slight modifications then it's definitely not next-generation. Make up your mind, please! :-)

The reason -I- think the ASA is worse is because the ASA just perpetuates the nonsense that a router can't be a firewall. Sure it can, it just depends on what firmware is running on it. Cisco missed the boat here to educate the customer base. I am just thankful Cisco jacked up the price so I can educate my customers without them just hearing "mo money mo money mo money mo money".

>Furthermore the price difference between the PIX and the ASA is not much.
>There is still free 3DES/AES licensing, there is still free IPSec VPN
>termination. The only difference would be the additional licensing and
>modules that the ASA can do (SSLVPN, IPS, etc)

>Let's compare: PIX 515e could handle 190mbits clear text. The ASA5510 can
>handle 300mbit clear text.

>List price of a PIX-515E-UR-BUN. PIX 515E-UR Bundle (Chas, Unrestricted SW,
> 128MB, 2 FE,VAC+), USD 6,995.00

>List price of a ASA5510-BUN-K9, ASA 5510 Appliance with SW, 5FE,3DES/AES,
> USD 3,495.00

>So the ASA is actually FAR cheaper.

Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports? How you going to get 300mbt through 2 FE ports? Let's tack on an extra $1K, shall we?

And where does Cisco get off charging an extra $3K for 50 miserable SSL VPN licenses? The SSL protocol is OPEN for God's sake. Oh I get it, REMOVE support for PPTP VPNs (ie: out of the box Microsoft VPN client that's FREE) and replace it with SSL VPN client that -costs money- Yeah, give me more, baby.
Harder, Harder!

And, I forgot about AIP, what is that, $7K a year for a subscription? So if you don't pay the $7K a year, then when the latest AIM comes out that is written to get around the current inspection and is wasting your employees' productivity in spades, you have to buy a new ASA. Great one, that!!

> Even the ASA5520 (which may be bit more
> of a better comparison) is still cheaper than the PIX515e.

The point was rather a comparison between IOS-based router and PIX or ASA, not between PIX and ASA.

In any case, how many companies have 300Mbit Internet connections? How many companies have 190Mbit Internet connections? And how exactly do you get 190Mbts through a 515 which only had 2 10/100Mbt interfaces on it? ;-)

These are BigCo comparisons you're talking, and frankly, BigCos buy what they do because of their previously established vendor relationships; they are not switching to ASAs because they care about the price. And most BigCos buy direct from Cisco anyhow, so the list prices are pure fiction.

A much more realistic comparison with product that's sold to people who actually do care about the price is:

PIX-506E-BUN-K9 @ $1,395 vs ASA5505-UL-BUN-K9 @ $995.

So yes, on the surface it LOOKS like a better deal - until you have to bend over and take it in the shorts for that insane SSL VPN license. Oh, and of course, with the 5505, you're screwed there since 50 SSL users is the licensed limit, you have to go to the 5510 for more. The old 506E had no restriction on number of VPN clients.

In a router vs ASA comparison:

CISCO1841-SEC/K9 1841 Security Bundle, Advanced Security, 64FL/256DR $2495
ASA5505-SSL-10-K9 ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users, 3DES/AES $2095

Let's see, with the former I can use all of my free Microsoft VPN clients, PPTP, L2TP, whatever I want, as many as I want. I can put in as many server to server VPNs as I want. I can drop in a T1 card if needed. I can have as much stuff as I want behind it.
With the ASA I can have a max 10 SSL users, or I have to switch all my Microsoft VPN clients over to L2TP. I'm limited to 50 users. For the extra $400 it's not worth dealing with the ASA when you can have a real router. And 5 years from now when some competitor has come out with an ethernet-to-ethernet firewall that is better than the ASA, well I can still use the router to feed the T1. And on top of that IOS has had IPv6 for years; the ASA just finally got a working implementation with version 8.0.3 or so I read. (I don't really know, maybe it still doesn't work right)

>>As far as the rest of your conversation, it's kinda getting far off topic. :)

>Although I am not sure how much information I can take from a guy who
>thought PIX code was Windows 3.1 based. (Not to mention Windows 3.1 didn't
>even include a kernel!).

I never said CURRENT code was Win 3.1 based, I said I had heard that the original PIX code from pre-Cisco days was Win 3.1 based. Surely you remember that Win 3.1 will run in real mode, without the GUI, by just putting command.com as the last statement in the winstart.bat file. Win 3.0, don't forget, would run on an XT, in real mode, with a GUI. Back in those days a lot of people who wrote embedded stuff would use DOS or a stripped Windows merely as a program loader, so it didn't seem that farfetched to me when I heard it.

>The wrap up: The PIX/ASA is very capable firewall, you quickly learn
>ways around not being able to telnet from the box itself. IOS as well
>shares a lot from the PIX/ASA (and vice versa) and also can make a good
>firewall. With the ASR1000 it can make a very very quick firewall :)

>Also there are other options from other vendors (blasphemy... I know)
>like a netscreen (which ironically ALSO doesn't allow you to telnet
>from the box :) )

Or, a Linux box with squid as a transparent proxy, etc.
Ted

From tedm at toybox.placo.com Mon Jul 7 04:09:19 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 7 Jul 2008 01:09:19 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <006101c8dfdc$30146020$f211a8c0@flamwsugsmul5v>
Message-ID:

> -----Original Message-----
> From: Tony Varriale [mailto:tvarriale at comcast.net]
> Sent: Sunday, July 06, 2008 7:50 PM
> To: Ted Mittelstaedt
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>
>
> It's fairly well known by people that have been fortunate to have been around
> Cisco that long and/or that know a little PIXen history that the OS was
> called Finesse.
>
> It was a custom built OS and AFAIK has had no stage performances in any
> other devices.
>

Well, actually Cisco's LocalDirector, the "industry's first load balancer"

> But, don't take my word for it. I'm sure the NTI guys are still
> around out
> west somewhere.
>

Once the actual OS name was supplied, digging up information about it proved simple:

http://www.linkedin.com/in/brantleycoile

> I think your Windows similarity stretch is incredibly creepy. I
> feel like
> I'm getting hoaxed into a pyramid scheme for some reason.
>

:-) Cisco Corp. is a pyramid scheme. ;-)

Ted

From techconfig at yahoo.com Mon Jul 7 04:23:23 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 01:23:23 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
Message-ID: <706576.69100.qm@web44807.mail.sp1.yahoo.com>

Hi

Can the WS-X6748-SFP support MPLS on a 7600 chassis?

Regards
Marl

From rubensk at gmail.com Mon Jul 7 04:47:45 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:47:45 -0300
Subject: [c-nsp] Shared Support versus Smartnet
Message-ID: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>

On Sun, Jul 6, 2008 at 4:18 PM, Paul Stewart wrote:
> Hi Rubens...
>
> Sorry if this is sidetracking the conversation a bit - apologies.
> But, what
> can folks tell me about shared support in general? I always thought it was
> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
> support" that I've seen advertised a few times?

Don't know for sure, but probably yes.

> With "shared smartnet", do you lose the ability to contact TAC directly?

Yes, according to CCO docs. L1 and L2 are done by partner, TAC gets involved from L3 and above.

> What about software updates - from Cisco or from the partner??

Partner, according to CCO docs. I'll only know for sure in a few weeks when we renew our contracts.

Cisco Shared Support looks very similar to the old PICA contracts; Cisco and partners insist they are different, but the more I look, the more I feel they are the same.

Rubens

From rubensk at gmail.com Mon Jul 7 04:53:32 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:53:32 -0300
Subject: [c-nsp] Support versus warranty/RMA
Message-ID: <6bb5f5b10807070153s6f470adagf9edc61adf3902d4@mail.gmail.com>

>> Smartnet or nothing hence why I'm asking... is this "3rd party Cisco
>> support" that I've seen advertised a few times?
>>
>> With "shared smartnet", do you lose the ability to contact TAC directly?
>> What about software updates - from Cisco or from the partner??
>
> To go along with Paul's question, what about hardware warranty & RMA?

Shared Support gives you support-level hardware maintenance, not warranty level. Shared Support is usually "same day ship"/"next business day", but could give a faster replacement policy if the partner can afford the logistics to do it and you can afford to buy the service. Usually they cannot, so if you want 4h or 12h you probably need to stick with Smartnet, but that is up to the partner so they might do it.

Rubens

From rubensk at gmail.com Mon Jul 7 04:57:29 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 7 Jul 2008 05:57:29 -0300
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <706576.69100.qm@web44807.mail.sp1.yahoo.com>
References: <706576.69100.qm@web44807.mail.sp1.yahoo.com>
Message-ID: <6bb5f5b10807070157i72df6c12o473e63e87a58b801@mail.gmail.com>

You didn't mention if it is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS.

Rubens

From techconfig at yahoo.com Mon Jul 7 05:14:45 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Mon, 7 Jul 2008 02:14:45 -0700 (PDT)
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
Message-ID: <953271.75056.qm@web44802.mail.sp1.yahoo.com>

Hi Rubens, thanks for the response.

Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DFC cards, which is the cause of my concerns. I will be using RSP 720-3C which has integrated PFCs so I assume that will take care of MPLS?

Mark

From asturluismi at gmail.com Mon Jul 7 05:16:10 2008
From: asturluismi at gmail.com (luismi)
Date: Mon, 07 Jul 2008 11:16:10 +0200
Subject: [c-nsp] Switch cluster with 2950 and 3750 stack
Message-ID: <1215422170.10856.8.camel@dsba-ipso>

Hi all,

I need to redesign a small network here. It is working now with just a 2950 but I would like to improve the availability.

I have some doubts that will probably be answered somewhere on the Internet, but I haven't found that place yet.

The actual scenario is:
1 x 2950 connected to a 3750 stack

The future scenario I would like to have is:
2 x 2950 connected to a 3750 stack

Well, the reason to use 2950 is that we have several 2950 switches here and there is no reason to make a new investment since they are enough for our requirements; their load is also quite small.

I would like to do a cluster with the 2950 switches, probably using some GigaStack GBICs.

The question is... As soon as I create the cluster in the 2950 switches, is it possible to create a port-channel (one port from one 2950 and one port from the other 2950) against a port-channel at the 3750 stack side?

I hope someone in this list can answer that.

Thanks in advance.
From ccie15385 at gmail.com Mon Jul 7 05:25:01 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Mon, 7 Jul 2008 11:25:01 +0200
Subject: [c-nsp] WS-X6748-SFP 7600 MPLS
In-Reply-To: <953271.75056.qm@web44802.mail.sp1.yahoo.com>
References: <953271.75056.qm@web44802.mail.sp1.yahoo.com>
Message-ID: <000f01c8e013$57cb97a0$8604030a@africa.enterprise.root>

Hi Mark,

We have those (DFC-equipped) in our 7600s acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise?

Cheers
JC

From pavel.skovajsa at gmail.com Mon Jul 7 05:35:34 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Mon, 7 Jul 2008 11:35:34 +0200
Subject: [c-nsp] Switch cluster with 2950 and 3750 stack
In-Reply-To: <1215422170.10856.8.camel@dsba-ipso>
References: <1215422170.10856.8.camel@dsba-ipso>
Message-ID: <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com>

Hi,

no this is not possible. Etherchannel is always one logical device to another logical device. For example two 2950 to each other. Or stack of 3750 to one 2950, or stack of 3750 to stack of 3750, or the newest bleeding edge etherchannel setup (google up MEC) is: VSS 1440 (2x650x) to 2950.

pavel

From saku+cisco-nsp at ytti.fi Mon Jul 7 05:37:51 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Mon, 7 Jul 2008 12:37:51 +0300
Subject: [c-nsp] Shared Support versus Smartnet
In-Reply-To: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>
References: <6bb5f5b10807070147j3f101c67i9b9af6995dface0d@mail.gmail.com>
Message-ID: <20080707093750.GA30789@mx.ytti.net>

On (2008-07-07 05:47 -0300), Rubens Kuhl Jr. wrote:

> Yes, according to CCO docs. L1 and L2 are done by partner, TAC gets
> involved from L3 and above.

It's all what you agree in the contract. In my case with HP, we agreed that P1 and P2 could be opened directly to TAC and P3, P4 via HP. I almost exclusively open cases as P3 so HP was mail bouncer for us; they could not offer us much of added value, because all the cases require internal cisco information, but as far as it went to tracking the cases and bouncing the emails I was satisfied. Had our cases been simpler ones, which would not require internal cisco knowledge, I have no doubt the HP CCIEs could have helped me.

> > What about software updates - from Cisco or from the partner??
>
> Partner, according to CCO docs. I'll only know for sure in a few weeks
> when we renew our contracts.
>
> Cisco Shared Support looks very similar to the old PICA contracts;
> Cisco and partners insist they are different, but the more I look,
> more I feel they are the same.
At least mine was PICA and all the agreed accesses to CCO were there, including rights to download software. So bottom line, TAC cases took slight delay because of the need for HP to bounce the email, but on the plus side, I could forget about the cases and HP did good track about polling for updates for cases not moving. CCO side was all that I needed, couldn't differentiate it for my needs from gold partner account. RMA stuff under HP was flawless (fast, easy). Of course this is just one example, I'm sure there are tons of bad places to buy cisco support from, tons of bad agreements signed etc. So all I can recommend is make sure agreement guarantees that you get the minimum service you require to run things smoothly and that there is financial penalty to provider in case you don't get it. -- ++ytti From techconfig at yahoo.com Mon Jul 7 05:58:33 2008 From: techconfig at yahoo.com (Mark Tech) Date: Mon, 7 Jul 2008 02:58:33 -0700 (PDT) Subject: [c-nsp] WS-X6748-SFP 7600 MPLS Message-ID: <449636.76373.qm@web44811.mail.sp1.yahoo.com> Hi, I don't need anything special, I'm just wanting to make sure that I can label switch on these plain cards using RSP720's on a 7600 chassis as its not clear in the Cisco docs that I've found. If not I'd like to know what extra cards would be required to accomplish this Cheers Mark ----- Original Message ---- From: JH Cockburn To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 10:25:01 AM Subject: RE: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Mark, We have those (DFC-equipped) in our 7600's acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise? Cheers JC -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech Sent: Monday, July 07, 2008 11:15 AM Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Rubens, thanks for the response. 
Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DPC cards, which is the cause of my concerns.?I will be using RSP 720-3C which has integrated PFC's so I assume that will take care of MPLS? Mark ----- Original Message ---- From: Rubens Kuhl Jr. To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 9:57:29 AM Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS You didn't mention if is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall-back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS. Rubens On Mon, Jul 7, 2008 at 5:23 AM, Mark Tech wrote: > Hi > Can the WS-X6748-SFP support MPLS on a 7600 chassis? > Regards > Marl > > > > _______________________________________________ > cisco-nsp mailing list? cisco-nsp at puck..nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ? ? ? _______________________________________________ cisco-nsp mailing list? cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ccie15385 at gmail.com Mon Jul 7 06:15:41 2008 From: ccie15385 at gmail.com (JH Cockburn) Date: Mon, 7 Jul 2008 12:15:41 +0200 Subject: [c-nsp] WS-X6748-SFP 7600 MPLS In-Reply-To: <449636.76373.qm@web44811.mail.sp1.yahoo.com> References: <449636.76373.qm@web44811.mail.sp1.yahoo.com> Message-ID: <000301c8e01a$6c11b350$8604030a@africa.enterprise.root> Hi M, Also make sure your IOS will support MPLS.ip-base image will not for instance. 
Cheers _____ From: Mark Tech [mailto:techconfig at yahoo.com] Sent: Monday, July 07, 2008 11:59 AM To: JH Cockburn Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi, I don't need anything special, I'm just wanting to make sure that I can label switch on these plain cards using RSP720's on a 7600 chassis as its not clear in the Cisco docs that I've found. If not I'd like to know what extra cards would be required to accomplish this Cheers Mark ----- Original Message ---- From: JH Cockburn To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 10:25:01 AM Subject: RE: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Mark, We have those (DFC-equipped) in our 7600's acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise? Cheers JC -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech Sent: Monday, July 07, 2008 11:15 AM Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Rubens, thanks for the response. Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DPC cards, which is the cause of my concerns. I will be using RSP 720-3C which has integrated PFC's so I assume that will take care of MPLS? Mark ----- Original Message ---- From: Rubens Kuhl Jr. To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 9:57:29 AM Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS You didn't mention if is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall-back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS. Rubens On Mon, Jul 7, 2008 at 5:23 AM, Mark Tech wrote: > Hi > Can the WS-X6748-SFP support MPLS on a 7600 chassis? 
> Regards > Marl > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck..nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Mon Jul 7 06:11:36 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 7 Jul 2008 18:11:36 +0800 Subject: [c-nsp] WS-X6748-SFP 7600 MPLS In-Reply-To: <449636.76373.qm@web44811.mail.sp1.yahoo.com> References: <449636.76373.qm@web44811.mail.sp1.yahoo.com> Message-ID: <200807071811.37318.mtinka@globaltransit.net> On Monday 07 July 2008 17:58:33 Mark Tech wrote: > Hi, I don't need anything special, I'm just wanting to > make sure that I can label switch on these plain cards > using RSP720's on a 7600 chassis as its not clear in the > Cisco docs that I've found. If not I'd like to know what > extra cards would be required to accomplish this Cheers As Rubens mentioned, MPLS on this platform is provided via the PFC. You should be fine with an RSP720. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From techconfig at yahoo.com Mon Jul 7 06:22:32 2008 From: techconfig at yahoo.com (Mark Tech) Date: Mon, 7 Jul 2008 03:22:32 -0700 (PDT) Subject: [c-nsp] WS-X6748-SFP 7600 MPLS In-Reply-To: <000301c8e01a$6c11b350$8604030a@africa.enterprise.root> Message-ID: <61156.67646.qm@web44804.mail.sp1.yahoo.com> Hi all, thanks for clearing that up for me. 
BTW we will be running S764AIK9-12233SRC Cheers Mark JH Cockburn wrote: v\:* {behavior:url(#default#VML);} o\:* {behavior:url(#default#VML);} w\:* {behavior:url(#default#VML);} .shape {behavior:url(#default#VML);} st1\:*{behavior:url(#default#ieooui) } Hi M, Also make sure your IOS will support MPLS ip-base image will not for instance Cheers --------------------------------- From: Mark Tech [mailto:techconfig at yahoo.com] Sent: Monday, July 07, 2008 11:59 AM To: JH Cockburn Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi, I don't need anything special, I'm just wanting to make sure that I can label switch on these plain cards using RSP720's on a 7600 chassis as its not clear in the Cisco docs that I've found. If not I'd like to know what extra cards would be required to accomplish this Cheers Mark ----- Original Message ---- From: JH Cockburn To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 10:25:01 AM Subject: RE: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Mark, We have those (DFC-equipped) in our 7600's acting as P devices in our Datacenter and they work 100%. Is there anything special you want to do MPLS-wise? Cheers JC -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech Sent: Monday, July 07, 2008 11:15 AM Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS Hi Rubens, thanks for the response. Currently I have not got the cards yet so I cannot test myself. At the moment they are just plain cards with no extra DPC cards, which is the cause of my concerns. I will be using RSP 720-3C which has integrated PFC's so I assume that will take care of MPLS? Mark ----- Original Message ---- From: Rubens Kuhl Jr. 
To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Monday, July 7, 2008 9:57:29 AM Subject: Re: [c-nsp] WS-X6748-SFP 7600 MPLS You didn't mention if is a DFC-equipped WS-X6748-SFP or not, but I don't think it matters: the card doesn't have "service capabilities" and will fall-back to PFC-based MPLS, which might satisfy your requirements or not. No FlexWAN/OSM/ES20 services, just plain vanilla MPLS. Rubens On Mon, Jul 7, 2008 at 5:23 AM, Mark Tech wrote: > Hi > Can the WS-X6748-SFP support MPLS on a 7600 chassis? > Regards > Marl > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck..nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Mon Jul 7 07:23:40 2008 From: asturluismi at gmail.com (luismi) Date: Mon, 07 Jul 2008 13:23:40 +0200 Subject: [c-nsp] Switch cluster with 2950 and 3750 stack In-Reply-To: <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com> References: <1215422170.10856.8.camel@dsba-ipso> <323aca890807070235kacf69d5l2f1e7d22673d840e@mail.gmail.com> Message-ID: <1215429820.7241.0.camel@dsba-ipso> Thanks for the fast answer!! :D El lun, 07-07-2008 a las 11:35 +0200, Pavel Skovajsa escribi?: > Hi, > no this is not possible. Etherchannel is always one logical device to > another logical device. > > For example two 2950 to each other. > Or stack of 3750 to one 2950 > or stack of 3750 to stack of 3750 > or the newest edge bleeding etherchannel setup (google up MEC) is: VSS > 1440 (2x650x) to 2950 > > pavel > > > > On Mon, Jul 7, 2008 at 11:16 AM, luismi wrote: > > Hi all, > > > > I need to redesign an smaill network here. 
> > It is working with now with just a 2950 but I would like to improve the > > availability. > > > > I have some dudes that they will be probably answered in some place in > > Internet but I didn't find that place yet. > > > > The actual scenario is: > > 1 x 2950 connected to a 3750 stack > > > > The future scensario I would like to have is: > > 2 x 2950 connected to a 3750 stack > > > > Well, the reason to use 2950 is that we have several 2950 switches here > > and there is no reason to make a new invesment since they are enough for > > our requirements, they load is also quite small. > > > > I would like to do a cluster with the 2950 switches probably using some > > GigaStack Gbics. > > > > The question is... > > As soon as I create the cluster in the 2950 switches, is it possible to > > create a port-channel (one port from one 2950 and one port from the > > other 2950) against a port-channel at the 3750 stack side? > > > > I hope someone in this list can answer that. > > > > Thanks in advance. > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From SPfister at dps.k12.oh.us Mon Jul 7 08:35:36 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Mon, 07 Jul 2008 08:35:36 -0400 Subject: [c-nsp] Question on 802.1q trunks and L2TPv3 Message-ID: <4871D558.9E6F.00B8.0@dps.k12.oh.us> I've got a 3640 router that's connected to a 3550 switch. The trunking is set up as dynamic desirable, and I need to change it to be a dot1q trunk. I'm having a little trouble getting that done. I tried doing a: switchport trunk encapsulation dot1q switchport mode trunk and the switch became unreachable. Do I need to add something like: switchport trunk native vlan 77 ? Parts of the config are included below... Thanks! 
router ------- interface FastEthernet0/0 no ip address no ip redirects no ip proxy-arp ip pim sparse-mode ip route-cache flow speed 100 full-duplex ! interface FastEthernet0/0.1 encapsulation dot1Q 1 native ip address 10.77.0.1 255.255.0.0 no snmp trap link-status no cdp enable ! interface FastEthernet0/0.77 encapsulation dot1Q 77 no snmp trap link-status no cdp enable xconnect 192.168.7.1 77 pw-class pw-dynamic Switch -------- interface FastEthernet0/48 switchport access vlan 77 switchport mode dynamic desirable speed 100 duplex full spanning-tree portfast ! interface Vlan77 ip address 10.77.0.10 255.255.0.0 ! ip default-gateway 10.77.0.1 Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From maillist at webjogger.net Mon Jul 7 09:24:37 2008 From: maillist at webjogger.net (Adam Greene) Date: Mon, 7 Jul 2008 09:24:37 -0400 Subject: [c-nsp] Question on 802.1q trunks and L2TPv3 References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> Message-ID: <010501c8e034$cdf5fa30$12140a0a@GINKGO> Steven, Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77. Thanks, Adam ----- Original Message ----- From: "Steven Pfister" To: Sent: Monday, July 07, 2008 8:35 AM Subject: [c-nsp] Question on 802.1q trunks and L2TPv3 > I've got a 3640 router that's connected to a 3550 switch. The trunking is > set up as dynamic desirable, and I need to change it to be a dot1q trunk. > I'm having a little trouble getting that done. I tried doing a: > > switchport trunk encapsulation dot1q > switchport mode trunk > > and the switch became unreachable. 
Do I need to add something like: > > switchport trunk native vlan 77 > > ? > > Parts of the config are included below... > > Thanks! > > > > router > ------- > interface FastEthernet0/0 > no ip address > no ip redirects > no ip proxy-arp > ip pim sparse-mode > ip route-cache flow > speed 100 > full-duplex > ! > interface FastEthernet0/0.1 > encapsulation dot1Q 1 native > ip address 10.77.0.1 255.255.0.0 > no snmp trap link-status > no cdp enable > ! > interface FastEthernet0/0.77 > encapsulation dot1Q 77 > no snmp trap link-status > no cdp enable > xconnect 192.168.7.1 77 pw-class pw-dynamic > > > Switch > -------- > interface FastEthernet0/48 > switchport access vlan 77 > switchport mode dynamic desirable > speed 100 > duplex full > spanning-tree portfast > ! > interface Vlan77 > ip address 10.77.0.10 255.255.0.0 > ! > ip default-gateway 10.77.0.1 > > > Steve Pfister > Technical Coordinator, > The Office of Information Technology > Dayton Public Schools > 115 S. Ludlow St. > Dayton, OH 45402 > > Office (937) 542-3149 > Cell (937) 673-6779 > Direct Connect: 137*131747*8 > Email spfister at dps.k12.oh.us > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From notrevebr at gmail.com Mon Jul 7 10:46:05 2008 From: notrevebr at gmail.com (Everton Diniz) Date: Mon, 7 Jul 2008 11:46:05 -0300 Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access Message-ID: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com> Hi all, Is it possible to use 2821 for vpn concentrator doing both site-to-site and remote access connections in only one interface? Hi have 2 crypto map?s, but the interface accept only one. 
crypto dynamic-map vpnmap 10 set transform-set transfervpn reverse-route crypto map L2L 11 ipsec-isakmp set peer 200.200.200.1 set peer 200.200.201.1 set transform-set L2L match address 120 interface GigabitEthernet0/0 ip address 200.100.100.1 255.255.254.0 duplex auto speed auto crypto map onsaescom end Anybody use the 2800 for this purpose? Tks all. From SPfister at dps.k12.oh.us Mon Jul 7 11:26:28 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Mon, 07 Jul 2008 11:26:28 -0400 Subject: [c-nsp] Question on 802.1q trunks and L2TPv3 In-Reply-To: <010501c8e034$cdf5fa30$12140a0a@GINKGO> References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO> Message-ID: <4871FD63.9E6F.00B8.0@dps.k12.oh.us> Yes, I knew that was a problem, but wasn't sure which way to go. Is there any way to do this by changing the router instead? The 10.77.0.0/16 is supposed to be part of the 77 vlan. I'm hoping to be able to do this remotely (the site has limited access hours). The router is the nearer device and the switch is behind it (from the central site's point of view). Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Adam Greene" 7/7/2008 9:24 AM >>> Steven, Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77. Thanks, Adam ----- Original Message ----- From: "Steven Pfister" To: Sent: Monday, July 07, 2008 8:35 AM Subject: [c-nsp] Question on 802.1q trunks and L2TPv3 > I've got a 3640 router that's connected to a 3550 switch. The trunking is > set up as dynamic desirable, and I need to change it to be a dot1q trunk. 
> I'm having a little trouble getting that done. I tried doing a: > > switchport trunk encapsulation dot1q > switchport mode trunk > > and the switch became unreachable. Do I need to add something like: > > switchport trunk native vlan 77 > > ? > > Parts of the config are included below... > > Thanks! > > > > router > ------- > interface FastEthernet0/0 > no ip address > no ip redirects > no ip proxy-arp > ip pim sparse-mode > ip route-cache flow > speed 100 > full-duplex > ! > interface FastEthernet0/0.1 > encapsulation dot1Q 1 native > ip address 10.77.0.1 255.255.0.0 > no snmp trap link-status > no cdp enable > ! > interface FastEthernet0/0.77 > encapsulation dot1Q 77 > no snmp trap link-status > no cdp enable > xconnect 192.168.7.1 77 pw-class pw-dynamic > > > Switch > -------- > interface FastEthernet0/48 > switchport access vlan 77 > switchport mode dynamic desirable > speed 100 > duplex full > spanning-tree portfast > ! > interface Vlan77 > ip address 10.77.0.10 255.255.0.0 > ! > ip default-gateway 10.77.0.1 > > > Steve Pfister > Technical Coordinator, > The Office of Information Technology > Dayton Public Schools > 115 S. Ludlow St. 
> Dayton, OH 45402 > > Office (937) 542-3149 > Cell (937) 673-6779 > Direct Connect: 137*131747*8 > Email spfister at dps.k12.oh.us > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From moua0100 at umn.edu Mon Jul 7 11:52:42 2008 From: moua0100 at umn.edu (Ge Moua) Date: Mon, 7 Jul 2008 10:52:42 -0500 Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access In-Reply-To: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com> References: <3cf174360807070746k54cf4e4ag7f4097b7a9d053c8@mail.gmail.com> Message-ID: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu> Yes, use subinterfaces: interface GigabitEthernet0/0.1 interface GigabitEthernet0/0.2 interface GigabitEthernet0/0.3 ++ Then attach different crypto-map per sub-interface. We are doing this. Regards, Ge Moua | Email: moua0100 at umn.edu Network Design Engineer University of Minnesota | Networking & Telecommunications Services -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz Sent: Monday, July 07, 2008 9:46 AM To: cisco-nsp Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access Hi all, Is it possible to use 2821 for vpn concentrator doing both site-to-site and remote access connections in only one interface? Hi have 2 crypto map?s, but the interface accept only one. crypto dynamic-map vpnmap 10 set transform-set transfervpn reverse-route crypto map L2L 11 ipsec-isakmp set peer 200.200.200.1 set peer 200.200.201.1 set transform-set L2L match address 120 interface GigabitEthernet0/0 ip address 200.100.100.1 255.255.254.0 duplex auto speed auto crypto map onsaescom end Anybody use the 2800 for this purpose? Tks all. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Mon Jul 7 11:59:45 2008 From: asturluismi at gmail.com (luismi) Date: Mon, 07 Jul 2008 17:59:45 +0200 Subject: [c-nsp] Off-Topic?: Powerswitches recommendation Message-ID: <1215446385.7241.4.camel@dsba-ipso> Hi all, First of all, sorry for this message but I need some recommendations about powerswitches manufacters. I need a powerswitch (maybe more than one) for at least 16 switches, routers, I saw that MGE and APC are now working together. I also know about http://www.epowerswitch.at I would like to hear about other manufacters. All comments are appreciated. Thanks. From kyled at noelcomm.com Mon Jul 7 12:42:48 2008 From: kyled at noelcomm.com (Kyle Duren) Date: Mon, 7 Jul 2008 09:42:48 -0700 Subject: [c-nsp] cisco-nsp Digest, Vol 68, Issue 27 In-Reply-To: Message-ID: <002c01c8e050$7dd7cf80$b71d0a0a@noelcomm.local> I had good luck with this unit, it's a smaller company that makes them, but when we had a unit fail, the company did a good job making sure we had a new one asap! We used them to restart various network servers and switches. http://www.digital-loggers.com/epcr2.html -Kyle Duren ---------------------------------------------------------------------- Message: 1 Date: Mon, 07 Jul 2008 17:59:45 +0200 From: luismi Subject: [c-nsp] Off-Topic?: Powerswitches recommendation To: cisco-nsp at puck.nether.net Message-ID: <1215446385.7241.4.camel at dsba-ipso> Content-Type: text/plain Hi all, First of all, sorry for this message but I need some recommendations about powerswitches manufacters. I need a powerswitch (maybe more than one) for at least 16 switches, routers, I saw that MGE and APC are now working together. I also know about http://www.epowerswitch.at I would like to hear about other manufacters. 
All comments are appreciated. Thanks. From ATolstykh at integrysgroup.com Mon Jul 7 13:55:45 2008 From: ATolstykh at integrysgroup.com (Tolstykh, Andrew) Date: Mon, 07 Jul 2008 12:55:45 -0500 Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access In-Reply-To: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu> Message-ID: Use multiple statements within a single crypto map configuration: crypto map iosvpn 5 ipsec-isakmp set peer X.X.X.X set security-association lifetime seconds 28800 set transform-set aes-sha match address vpn_XXXgard5 reverse-route crypto map iosvpn 15 ipsec-isakmp set peer X.X.X.X set security-association lifetime seconds 28800 set transform-set aes-sha match address vpn_XXXgard15 reverse-route crypto map iosvpn 25 ipsec-isakmp set peer X.X.X.X set security-association lifetime seconds 28800 set transform-set aes-sha match address vpn_XXXgard25 reverse-route crypto map iosvpn 35 ipsec-isakmp set peer X.X.X.X set security-association lifetime seconds 28800 set transform-set aes-sha match address vpn_XXXgard35 reverse-route crypto map iosvpn 100 ipsec-isakmp dynamic dyn On 7/7/08 10:52 AM, "Ge Moua" wrote: > Yes, use subinterfaces: > interface GigabitEthernet0/0.1 > interface GigabitEthernet0/0.2 > interface GigabitEthernet0/0.3 > ++ > > Then attach different crypto-map per sub-interface. We are doing this. > > Regards, > Ge Moua | Email: moua0100 at umn.edu > > Network Design Engineer > University of Minnesota | Networking & Telecommunications Services > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz > Sent: Monday, July 07, 2008 9:46 AM > To: cisco-nsp > Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access > > Hi all, > > Is it possible to use 2821 for vpn concentrator doing both site-to-site and > remote access connections in only one interface? > > Hi have 2 crypto map?s, but the interface accept only one. 
> > crypto dynamic-map vpnmap 10 > set transform-set transfervpn > reverse-route > > crypto map L2L 11 ipsec-isakmp > set peer 200.200.200.1 > set peer 200.200.201.1 > set transform-set L2L > match address 120 > > interface GigabitEthernet0/0 > ip address 200.100.100.1 255.255.254.0 > duplex auto > speed auto > crypto map onsaescom > end > > Anybody use the 2800 for this purpose? > > Tks all. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ ? The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.?Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited.??If you received this in error, please contact the sender and delete the material from any computer. From justin at justinshore.com Mon Jul 7 14:52:47 2008 From: justin at justinshore.com (Justin Shore) Date: Mon, 07 Jul 2008 13:52:47 -0500 Subject: [c-nsp] Off-Topic?: Powerswitches recommendation In-Reply-To: <1215446385.7241.4.camel@dsba-ipso> References: <1215446385.7241.4.camel@dsba-ipso> Message-ID: <487265FF.6060007@justinshore.com> luismi wrote: > Hi all, > > First of all, sorry for this message but I need some recommendations > about powerswitches manufacters. We have some Emerson in our data center but I've never actually got my hands on them. I believe they have a common management front-end that can manage all the strips at once. 
Justin From notrevebr at gmail.com Mon Jul 7 15:08:35 2008 From: notrevebr at gmail.com (Everton Diniz) Date: Mon, 7 Jul 2008 16:08:35 -0300 Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access In-Reply-To: References: <002301c8e049$7de5dd70$31dd5ea0@ad.umn.edu> Message-ID: <3cf174360807071208w20d8c627s98e0137f52146c8e@mail.gmail.com> Andrew, Great!!! Tks for good information. On 7/7/08, Tolstykh, Andrew wrote: > Use multiple statements within a single crypto map configuration: > > crypto map iosvpn 5 ipsec-isakmp > set peer X.X.X.X > set security-association lifetime seconds 28800 > set transform-set aes-sha > match address vpn_XXXgard5 > reverse-route > crypto map iosvpn 15 ipsec-isakmp > set peer X.X.X.X > set security-association lifetime seconds 28800 > set transform-set aes-sha > match address vpn_XXXgard15 > reverse-route > crypto map iosvpn 25 ipsec-isakmp > set peer X.X.X.X > set security-association lifetime seconds 28800 > set transform-set aes-sha > match address vpn_XXXgard25 > reverse-route > crypto map iosvpn 35 ipsec-isakmp > set peer X.X.X.X > set security-association lifetime seconds 28800 > set transform-set aes-sha > match address vpn_XXXgard35 > reverse-route > crypto map iosvpn 100 ipsec-isakmp dynamic dyn > > > On 7/7/08 10:52 AM, "Ge Moua" wrote: > > > Yes, use subinterfaces: > > interface GigabitEthernet0/0.1 > > interface GigabitEthernet0/0.2 > > interface GigabitEthernet0/0.3 > > ++ > > > > Then attach different crypto-map per sub-interface. We are doing this. 
> > > > Regards, > > Ge Moua | Email: moua0100 at umn.edu > > > > Network Design Engineer > > University of Minnesota | Networking & Telecommunications Services > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz > > Sent: Monday, July 07, 2008 9:46 AM > > To: cisco-nsp > > Subject: [c-nsp] 2800 for VPN Server site-to-site and remote access > > > > Hi all, > > > > Is it possible to use 2821 for vpn concentrator doing both site-to-site and > > remote access connections in only one interface? > > > > Hi have 2 crypto map?s, but the interface accept only one. > > > > crypto dynamic-map vpnmap 10 > > set transform-set transfervpn > > reverse-route > > > > crypto map L2L 11 ipsec-isakmp > > set peer 200.200.200.1 > > set peer 200.200.201.1 > > set transform-set L2L > > match address 120 > > > > interface GigabitEthernet0/0 > > ip address 200.100.100.1 255.255.254.0 > > duplex auto > > speed auto > > crypto map onsaescom > > end > > > > Anybody use the 2800 for this purpose? > > > > Tks all. > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. 
> > If you received this in error, please contact the sender and delete the
> > material from any computer.

From bennetb at gmail.com Mon Jul 7 16:17:55 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Mon, 7 Jul 2008 14:17:55 -0600
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To:
References:
Message-ID:

> >I have, actually. With a lot of VPN tunnels terminated on a PIX 506.
> >Not that I blame the PIX though, as I had been telling the customer
> >almost a year earlier that they would need a 515.

And running a production webserver on a 486-DX2 is also not a good idea. I
don't see your point here.

> >I was not aware of any Sun NAT implementation at that time period. If
> >there was, what was it? Checkpoint did run on Solaris, I admined one of
> >those as a matter of fact, but it was not NAT. And it was annoying.
> >
> >As for the NTI being better than BSD, that's just your opinion.

Well the point that Brantley Coile made is that he could not get the
performance he wanted using traditional IP stacks on those platforms. Not
so much my opinion, but his.

> >Please point out any "bake-off's" comparisons that were done at
> >that time.

Pointless and a waste of time. If you want to argue PIX popularity 13 years
ago, be my guest. I will not be subject to it however.

> >Most people didn't know what NAT was. I never had
> >problems with the FreeBSD implementation of NAT and in fact, doing
> >it this way supported some applications that the Cisco IOS NAT didn't
> >(at the beginning) like PPTP client VPNs initiated from behind. And
> >Netmeeting H.323 since you could also run a NM proxy on the system;
> >if you recall that was pretty common in the NT days for remote control
> >since it was free.

Again off-topic and pointless. NAT didn't just one day get deployed on
nearly every enterprise network overnight. It started somewhere; the
applications that ran over them don't matter.
> >I never used the NTI stuff at that time so I don't have an opinion
> >on which was better, but I'll bet money you never used the FreeBSD
> >NAT patches either, so I'll put your "fact of the matter is"
> >statement down to youthful eagerness and leave it at that. ;-)

I was arguing a technical point. My grammar and choice of words may have
been poor. I apologize.

> >If a PIX is so easy to set up and maintain then I would have not
> >had quite a lot of work over the years in administering them for
> >people.

It was a lot easier in 1995/1996 to unbox a PIX and enter in some commands
to set up NAT than it was to apply a patch and compile a new FreeBSD kernel
and userland utilities. Nowadays this just comes down to a matter of
preference.

> >I will say that the PIX command line is no worse to set up and
> >admin than IOS - once you know all of the idiosyncrasies of the
> >PIXos - but that's no different than the idiosyncrasies of IOS.
> >I do find the PIX GUI to be a big piece of crap, though.

There is at least something we agree on :)

> >But, the assertion that it's easy to set up is only the case when
> >you're talking about real network admins. For the general public,
> >that is frankly absurd. What is easy to set up is a Linksys RV042.
> >(which will VPN into a PIX quite nicely, although you have to turn
> >off stateful packet inspection on it if you're running Vista, per
> >http://support.microsoft.com/kb/934430/en-us )

Both of which are products of the 21st century. I think you either really
misinterpreted my point or you are just grasping for anything.

> ---- clip----------
> >a bunch of crap of acquisitions
> --- clip-----------

Who cares.

> >If Cisco hadn't maintained the PIX product line for as long
> >as they did, I would agree that Cisco just bought NTI because
> >they wanted its technology. But you are missing the obvious
> >here. You're saying the ASA is a PIX, meaning Cisco isn't killing
> >the PIX after all. If so, why?
> >I'll tell you, it's because
> >there's a customer base out there that is large! It is NOT
> >because it's better or worse to do the same thing that the
> >PIX does on an IOS router, it's because this large customer
> >base THINKS it's better to do the stuff the PIX does on a
> >standalone box that isn't a router. The baby wants his
> >bottle and Cisco isn't going to take it away. Simple as that.

Interesting standpoint. I view it more as a customer choice. There are
some things I find easier on a PIX (troubleshooting, captures, packet-tracer)
and there are some things I find much better on IOS (LAN to LAN IPsec) and
they are both very capable products. If you want to push your customers onto
IOS firewalls knock yourself out. I don't think anyone can argue that
point.

> >If it only has slight modifications then it's definitely not
> >next-generation. Make up your mind, please! :-)

Oh jesus christ. If your only argument on why you think the ASA is not a
PIX is some grammatical semantics on my part then you have bigger problems.

> > The reason -I- think the ASA is worse is because the ASA just
> > perpetuates the nonsense that a router can't be a firewall.
> > Sure it can, it just depends on what firmware is running on it.
> > Cisco missed the boat here to educate the customer base. I
> > am just thankful Cisco jacked up the price so I can educate
> > my customers without them just hearing "mo money mo money
> > mo money mo money".
> >
> >Don't you mean ASA5510-SEC-BUN-K9 with the 2GE ports?
> >How are you going to get 300mbit through 2 FE ports?

Gigabit interfaces are not available on the 515. Why is that a fair
comparison?

> >And where does Cisco get off charging an extra $3K for 50 miserable SSL
> >VPN licenses?

The same license is required on IOS to support the same functionality.

> >The SSL protocol is OPEN for God's sake.

They aren't charging for the SSL protocol, they are charging for all the
additional features that come with it. Do you even understand what the SSL
VPN product is?
It provides proxied connections for HTTP, Citrix, RDP, Exchange, in addition
to almost any application you throw at that. In addition it creates a full
tunnel through TLS and TLS over UDP. All of which are not defined in the SSL
standard!

> >Oh I get it, REMOVE support for PPTP VPNs (ie: out of the box Microsoft
> >VPN client that's FREE) and replace it with SSL VPN client that -costs
> >money- Yeah, give me more, baby. Harder, Harder!

IPsec license is still free. L2TP over IPsec is still free and works with
Microsoft out of the box (and is secure!). PPTP was removed because it is
not a secure protocol!

> >And, I forgot about AIP, what is that, $7K a year for a subscription?
> >So if you don't pay the $7K a year, then when the latest AIM comes out
> >that is written to get around the current inspection and is wasting your
> >employees' productivity in spades, you have to buy a new ASA. Great one,
> >that!!

Say what? There are cheaper Smartnet contracts out there. Do some
research.

> > The point was rather a comparison between IOS-based router and
> > PIX or ASA, not between PIX and ASA.
> >
> >In any case, how many companies have 300Mbit Internet connections?
> >How many companies have 190Mbit Internet connections? And how exactly
> >do you get 190Mbits through a 515 which only had 2 10/100Mbit interfaces
> >on it? ;-) These are BigCo comparisons you're talking, and frankly,
> >BigCos buy what they do because of their previously established
> >vendor relationships, they are not switching to ASAs because they
> >care about the price.

I said nothing about companies or the reason to buy ASA. It was merely
comparing the price of two similar firewalls. You fabricated the rest. Yes,
when buying a firewall, or any gear for that matter, you must take a lot
into consideration. No one is arguing that.

> >And most BigCos buy direct from Cisco anyhow, so the list prices are pure
> >fiction.

They still get a discount off of list on most gear.
So list prices are a
good comparison standpoint. Now I can't say take the list prices from
Juniper and compare them to Cisco as I get different discounts from each
company, but to compare Cisco to Cisco it is 100% valid.

> > A much more realistic comparison with product that's sold to
> > people who actually do care about the price is:
> >
> >PIX-506E-BUN-K9 @ $1,395 vs ASA5505-UL-BUN-K9 @ $995. So yes,
> >on the surface it LOOKS like a better deal - until you have to bend
> >over and take it in the shorts for that insane SSL VPN license. Oh,
> >and of course, with the 5505, you're screwed there since 50 SSL users
> >is the licensed limit, you have to go to the 5510 for more. The old 506E
> >had no restriction on number of VPN clients.

A PIX cannot support SSL VPN. SSL VPN is an additional feature available (via
a license) on the ASA platform. ASA still includes free IPsec VPN client
termination (and LAN to LAN). Yes there is a hard limit on the number of
_IPsec_ clients on the ASA platform which some have complained about, but you
shouldn't be terminating that many clients on a PIX 506 in the first place.
It has no hardware crypto!

> >CISCO1841-SEC/K9 1841 Security Bundle, Advanced Security, 64FL/256DR
> >$2495
> >
> >ASA5505-SSL-10-K9 ASA 5505 VPN Edition w/ 10 SSL Users, 50FW Users,
> >3DES/AES
> >$2095
> >
> >Let's see, with the former I can use all of my free Microsoft VPN clients,
> >PPTP, L2TP, whatever I want, as many as I want. I can put in as many
> >server to server VPNs as I want. I can drop in a T1 card if needed. I
> >can have as much stuff as I want behind it.
> >With the ASA I can have a max 10 SSL users, or I have to switch all my
> >Microsoft VPN clients over to L2TP. I'm limited to 50 users.

Yes and those are some valid points of why you should use an IOS based
router as a firewall. These reasons are definitely more apparent in SMB
situations. Where you have separate hardware in a corporate environment most
of this is moot.

As far as PPTP goes, Dude, it is 2008!
PPTP has not only proven to be insecure
but it also doesn't work through PAT as it requires a GRE tunnel (GRE
doesn't have port numbers). It's like saying I should run my network with
RIPv2 because my routers support it. Sure it's there, that doesn't mean you
should use it.

PIX forces a certain level of security onto the users. I cannot enable
telnet on the outside interface for example. Argue this point if you must,
but I don't see it as a bad thing. You can set up an IOS based PPTP server
for termination while you migrate your users to another platform.

As far as SSL VPN licenses go, Cisco is currently the cheapest per SSL VPN
user in the industry. Seems to me that's not bad. If that's still too
expensive for you, use IPsec, L2TP over IPsec, or an open source solution
like OpenVPN.

> >And on top of that IOS has had IPv6 for years, the ASA just finally
> >got a working implementation with version 8.0.3 or so I read. (I
> >don't really know, maybe it still doesn't work right)

According to Feature Navigator, IPv6 IOS Firewall was added in IOS 12.3T;
although ahead of the curve compared to the ASA, 12.3T is also ED code and
shouldn't be used.

> >I never said CURRENT code was Win 3.1 based, I said I had heard that the
> >original PIX code from pre-Cisco days was Win 3.1 based.
> >Surely you remember that Win 3.1 will run in real
> >mode, without the GUI, by just putting command.com as the last statement
> >in the winstart.bat file. Win 3.0, don't forget,
> >would run on an XT, in real mode, with a GUI. Back in
> >those days a lot of people who wrote embedded stuff would
> >use DOS or a stripped Windows merely as a program loader,
> >so it didn't seem that farfetched to me when I heard it.

Seriously?!? I don't even know what to say to that....

> > In the end it's your network. That was the point.
From jason.plank at comcast.net Mon Jul 7 16:29:14 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Mon, 07 Jul 2008 20:29:14 +0000
Subject: [c-nsp] Telnet FROM a PIX Appliance?
Message-ID: <070720082029.13813.48727C99000E949B000035F5220073483005020E049FD202019C0E06@comcast.net>

Brandon,

Much respect.

--
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: "Brandon Bennett"

From nic.passmore at gmail.com Mon Jul 7 20:14:13 2008
From: nic.passmore at gmail.com (Nic Passmore)
Date: Tue, 8 Jul 2008 10:14:13 +1000
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote
Message-ID: <3d794efd0807071714m78222c0di576fabda817f134e@mail.gmail.com>

Am having a similar problem here. I find when I apply the dynamic map at
the end of the crypto map that is applied to the interface, the existing
site to site tunnels do not come up.

Haven't had a chance to do any actual diagnostics yet this morning, but was
under the impression it might have something to do with the following
configuration line:

crypto map somemap client configuration address respond

Anyone have any tips?

Cheers,

Nic.
--------------------------------------------
Message: 2
Date: Mon, 07 Jul 2008 12:55:45 -0500
From: "Tolstykh, Andrew"
Subject: Re: [c-nsp] 2800 for VPN Server site-to-site and remote access
To: , "'Everton Diniz'" , "'cisco-nsp'"
Message-ID:
Content-Type: text/plain; charset="iso-8859-1"

Use multiple statements within a single crypto map configuration:

[...]

From tvarriale at comcast.net Mon Jul 7 20:53:02 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 7 Jul 2008 19:53:02 -0500
Subject: [c-nsp] Telnet FROM a PIX Appliance?
References:
Message-ID: <000a01c8e094$fa901f70$f211a8c0@flamwsugsmul5v>

----- Original Message -----
From: "Ted Mittelstaedt"
To: "Tony Varriale"
Cc:
Sent: Monday, July 07, 2008 3:09 AM
Subject: RE: [c-nsp] Telnet FROM a PIX Appliance?

>> -----Original Message-----
>> From: Tony Varriale [mailto:tvarriale at comcast.net]
>> Sent: Sunday, July 06, 2008 7:50 PM
>> To: Ted Mittelstaedt
>> Cc: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?
>>
>>
>> It's fairly well known by people that have been fortunate to have been
>> around Cisco that long and/or that know a little PIXen history that the
>> OS was called Finesse.
>>
>> It was a custom built OS and AFAIK has had no stage performances in any
>> other devices.
>>
>
> Well, actually
>
> Cisco's LocalDirector, the "industry's first load balancer"

In the context of our discussion, the stage perf was meant as outside of
NTI/Cisco. So, I should have clarified (since I've had the pleasure of
working on those devices).

>
>> But, don't take my word for it. I'm sure the NTI guys are still
>> around out west somewhere.
>>
>
> Once the actual OS name was supplied, digging up information
> about it proved simple:
>
> http://www.linkedin.com/in/brantleycoile

Well, the OS name wasn't Windows.

>
>> I think your Windows similarity stretch is incredibly creepy. I
>> feel like I'm getting hoaxed into a pyramid scheme for some reason.
>>
>
> :-) Cisco Corp. is a pyramid scheme. ;-)

I was suggesting that when I've been approached by people with schemes to
sell, your Windows pitch sounded very familiar. Just because the sun shines
in the USA and Antarctica, doesn't mean the continents are connected.

tv

From mustafa.golam at gmail.com Mon Jul 7 22:10:05 2008
From: mustafa.golam at gmail.com (Mustafa Golam -)
Date: Tue, 8 Jul 2008 08:10:05 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
Message-ID:

Hi group,

We are having an unusual problem with a 3560 G switch for SPAN.

Our scenario:

   |-------------------------------|
   |         Extreme Switch        |
   |-----||------------------------|
    3:39 ||
         ||
   |-----||------------------------|
   |  fa1/1 (monitored port)       |
   |         Cisco 3560 G          |
   |  fa1/2 (monitor port)         |
   |-----||------------------------|
         ||

We are trying to SPAN the Cisco 3560 switch with the Extreme switch. For the
above scenario, we want to monitor the traffic of port 3:39 of the Extreme
switch through the Cisco switch. The same configuration worked with Cisco
2950 and 4506 switches. Is there any caveat detail in the 3560 G that we are
missing?
We are using the advanced services IOS for the 3560G.

Relevant configuration at Cisco 3560:
=====================================
monitor session 1 source interface fastethernet1/1
monitor session 1 destination interface fastethernet1/2
system mtu 1998
system mtu jumbo 9000
system mtu routing 1998

Relevant configuration at Extreme end:
=====================================
enable mirroring to port 3:39
configure jumbo-frame-size size 1784
enable jumbo-frame ports all
configure mirroring add vlan VLAN_B

Relevant HW information of Extreme Switch:
==========================================
SWITCH_SS02.1 # sh version
Chassis   : 800128-00-03 07075-00248 Rev 3.0
Slot-1    : 800093-00-03 06415-01441 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-2    : 800093-00-04 06415-01418 Rev 4.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-3    : 800093-00-04 06415-01482 Rev 4.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-4    :
Slot-5    : 800181-00-03 06395-00381 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
Slot-6    :
Slot-7    :
Slot-8    :
Slot-9    :
Slot-10   : 800095-00-02 06345-02449 Rev 2.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
MSM-A     : 800181-00-03 06395-00381 Rev 3.0 BootROM: 1.0.1.11 IMG: 11.6.2.9
MSM-B     :
PSUCTRL-1 : 450105-00-01 06525-00883 Rev 1.0 BootROM: 2.13
PSUCTRL-2 : 450105-00-01 06525-00903 Rev 1.0 BootROM: 2.13
Image     : ExtremeXOS version 11.6.2.9 v1162b9 by release-manager
            on Tue Mar 6 13:23:03 PST 2007
BootROM   : 1.0.1.11

If you need any more information, please let me know!!

Thanks in advance!!

--
Mustafa Golam
Fedora Ambassador, Bangladesh
RHCE, CC{D,I,N,V..}P, CCIE(..)
http://fedoraproject.org/wiki/MustafaGolam
http://mustafa.golam.googlepages.com/home
"Winners never quit------Quitters never win"

From ltd at cisco.com Mon Jul 7 22:18:01 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 08 Jul 2008 12:18:01 +1000
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To:
References:
Message-ID: <4872CE59.4020505@cisco.com>

Mustafa Golam - wrote:
> We are having unusual problem with 3560 G switch for SPAN.
> Our scenario:
>
you didn't actually say what the problem is that you're having....

cheers,

lincoln.

From ATolstykh at integrysgroup.com Tue Jul 8 01:52:05 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Tue, 08 Jul 2008 00:52:05 -0500
Subject: [c-nsp] 2800 for VPN Server site-to-site and remote
In-Reply-To: <3d794efd0807071714m78222c0di576fabda817f134e@mail.gmail.com>
Message-ID:

Add no-xauth for all defined isakmp pre-shared keys.

On 7/7/08 7:14 PM, "Nic Passmore" wrote:

> Am having a similar problem here. I find when I apply the dynamic map at
> the end of the crypto map that is applied to the interface, the existing
> site to site tunnels do not come up.
>
> Haven't had a chance to do any actual diagnostics yet this morning, but was
> under the impression it might have something to do with the following
> configuration line:
>
> crypto map somemap client configuration address respond
>
> Anyone have any tips?
>
> Cheers,
>
> Nic.
>
> --------------------------------------------
> Message: 2
> Date: Mon, 07 Jul 2008 12:55:45 -0500
> From: "Tolstykh, Andrew"
> Subject: Re: [c-nsp] 2800 for VPN Server site-to-site and remote
> access
> To: , "'Everton Diniz'" ,
> "'cisco-nsp'"
> Message-ID:
> Content-Type: text/plain; charset="iso-8859-1"
>
> Use multiple statements within a single crypto map configuration:
>
> [...]

From golam.mustafa at grameenphone.com Tue Jul 8 02:59:02 2008
From: golam.mustafa at grameenphone.com (Golam Md. Mustafa Bhuyan CN Networks)
Date: Tue, 8 Jul 2008 12:59:02 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To: <4873068E.5070207@cisco.com>
Message-ID:

Hi Lincoln,

Sorry for my BAD _English_!!

Refer to my previous email: The problem is: we are not able to monitor the
Extreme switch's port traffic from the Cisco 3560 G, even though we can
monitor/analyze it from a 2950/4506 with the same configuration at the
Extreme switch and similar configuration at the Cisco end!!

My question is: is there any minor detail that we are missing in SPAN
[Switched Port Analyzer] for the 3560 G?

Does it make sense now?

N.B.:
1. We have opened a Level 3 severity TAC request, and are expecting a formal
   reply from Cisco.
2. We have read
   http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html
   and more!

Thanking You,

Mustafa Golam
System Engineer
CNPN, GrameenPhone Ltd.

> -----Original Message-----
> From: Lincoln Dale [mailto:ltd at cisco.com]
> Sent: Tuesday, July 08, 2008 12:18 PM
> To: Golam Md. Mustafa Bhuyan CN Networks
> Subject: Re: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
>
> you still haven't said what the _problem_ is.
>
>
> Golam Md. Mustafa Bhuyan CN Networks wrote:
> > Hi Lincoln,
> > Thanks for your reply.
> >
> > Our goal is to monitor network traffic of port 3:39 of the Extreme
> > switch from the CISCO 3560 G switch.
> >
> > The problem is: we can monitor traffic of the Extreme switch port
> > from a CISCO 4506/2950 switch with similar physical topology.
> >
> > Relevant URLs:
> >

From ltd at cisco.com Tue Jul 8 03:42:14 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Tue, 08 Jul 2008 17:42:14 +1000
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
In-Reply-To:
References:
Message-ID: <48731A56.1000602@cisco.com>

Hi,

> N.B.: 1.
We have opened a Level 3 severity TAC request, and expecting > formal reply from cisco. i'm not TAC & don't take what i say as a "formal" reply. TAC will presumably also be getting back to you. > The problem is: we are not able to monitor Extreme switches' > Port traffic from Cisco 3560 G; even though we can monitor/analyze > it from 2950/4506 with same configuration at Extreme switch and > similar configuration at Cisco End!! > > My asking is: is there any minor detail that we are missing, in SPAN > [Switched Port Analyzer] for 3560 G? > there are a few things that i can think might be a possible cause: 1. per http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html make sure the destination SPAN port doesn't belong tin a SPAN source VLAN. it isn't clear if you're running a .1q trunk between the switches or if the source is an 'access' port. 2. you've explicitly configured some jumbo frames on both switches. are you attempting to SPAN frames >1524 bytes on a 10/100 interface? cheers, lincoln. From golam.mustafa at grameenphone.com Tue Jul 8 04:14:59 2008 From: golam.mustafa at grameenphone.com (Golam Md. Mustafa Bhuyan CN Networks) Date: Tue, 8 Jul 2008 14:14:59 +0600 Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch In-Reply-To: <48731A56.1000602@cisco.com> Message-ID: > > i'm not TAC & don't take what i say as a "formal" reply. TAC will > presumably also be getting back to you. I understand and I appreciate your helping mind:) > > there are a few things that i can think might be a possible cause: > > 1. per > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/relea se > /12.1_19_ea1/configuration/guide/swspan.html > make sure the destination SPAN port doesn't belong tin a SPAN source VLAN. It might be what we were missing. We will share our feedback, as we did not put source and destination ports in different VLAN. 
> it isn't clear if you're running a .1q trunk between the switches or if
> the source is an 'access' port.

We have configured a dot1q trunk link.

> 2. you've explicitly configured some jumbo frames on both switches. are
> you attempting to SPAN frames >1524 bytes on a 10/100 interface?

Yes, but it's a Gigabit port.

> cheers,
>
> lincoln.

Cheers,
Mustafa

From ibrahim.abozaid at gmail.com Tue Jul 8 04:15:40 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 8 Jul 2008 11:15:40 +0300
Subject: [c-nsp] Frame-relay broadcast queue

Dear All,

I was reading about the Frame-relay broadcast queue, which reserves by default 25% of the PVC CIR and takes precedence over normal traffic, as it queues routing updates. By default, 25% of the interface bandwidth is reserved for control traffic; is this reserved bandwidth the broadcast queue?

Your comments are highly appreciated.

best regards
--Ibrahim

From golam.mustafa at grameenphone.com Tue Jul 8 04:30:38 2008
From: golam.mustafa at grameenphone.com (Golam Md. Mustafa Bhuyan CN Networks)
Date: Tue, 8 Jul 2008 14:30:38 +0600
Subject: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch

> -----Original Message-----
> From: Golam Md. Mustafa Bhuyan CN Networks
> Sent: Tuesday, July 08, 2008 2:15 PM
> To: 'Lincoln Dale'
> Cc: cisco-nsp at puck.nether.net; mustafa.golam at gmail.com
> Subject: RE: [c-nsp] SPAN issue Between Extreme and Cisco (3560 G) Switch
>
> > 1. per
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/configuration/guide/swspan.html
> > make sure the destination SPAN port doesn't belong in a SPAN source
> > VLAN.

Hi Lincoln,

We put source and destination in different VLANs and configured accordingly. But it did not work.

Thanks for your reply.
Mustafa

From pavel.skovajsa at gmail.com Tue Jul 8 05:15:58 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 8 Jul 2008 11:15:58 +0200
Subject: [c-nsp] C6509-E air flow
Message-ID: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>

Hello,

we have a C6509-E with an interesting temperature issue. The EARL chip on module 1 detects a temperature over 65C and the whole module shuts down. We have swapped the chassis, fan, module and sup and still have the same issue. The interesting part is when we moved the card in module 1 into module 2 - no temperature issue.

From this I deduce that we have some kind of air flow issue, as module 1 has worse air flow than module 2. Does somebody have some nice doc that describes the C6509-E air flow? Or maybe a recommendation about the room air conditioning, or air flow in the room.

Thanks,
Pavel

From zivl at gilat.net Tue Jul 8 09:02:11 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 8 Jul 2008 16:02:11 +0300
Subject: [c-nsp] Funny bug?

Hi,
I have a Catalyst 2950 where I've found what seems to be a typo bug, I guess...
The Switch is IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
Here's a banal output of the show interface command, now you try and find what I mean...
(I swear that's what I've got, didn't touch it!)
FastEthernet0/20 is up, line protocol is up (connected)
  Hardware is Fast Ethernet, address is 000c.ce6d.35d4 (bia 000c.ce6d.35d4)
  MTU 1500 bytes, BW 100000 Kbit, DLY 1000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is off
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  30 second input rate 0 bits/sec, 0 packets/sec
  30 second ouxtput rate 0 bits/sec, 0 packets/sec
     47049228 packets input, 390118490 bytes, 0 no buffer
     Received 20 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     224115988 packets output, 1355337530 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Ziv

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From pk at nodex.ru Tue Jul 8 09:27:26 2008
From: pk at nodex.ru (Pavel Kuzin)
Date: Tue, 8 Jul 2008 17:27:26 +0400
Subject: [c-nsp] Funny bug?
Message-ID: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

You mean

30 second ouxtput rate 0 bits/sec, 0 packets/sec
           ^^
?

--
Pavel D.Kuzin
Nodex LTD.

----- Original Message -----
From: "Ziv Leyes"
To:
Sent: Tuesday, July 08, 2008 5:02 PM
Subject: [c-nsp] Funny bug?
From zivl at gilat.net Tue Jul 8 09:30:41 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 8 Jul 2008 16:30:41 +0300
Subject: [c-nsp] Funny bug?
In-Reply-To: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>
References: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

Yep!

-----Original Message-----
From: Pavel Kuzin [mailto:pk at nodex.ru]
Sent: Tuesday, July 08, 2008 4:27 PM
To: Ziv Leyes; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Funny bug?

You mean

30 second ouxtput rate 0 bits/sec, 0 packets/sec
           ^^
?
From rbeckett at cisco.com Tue Jul 8 09:39:46 2008
From: rbeckett at cisco.com (Robert Beckett)
Date: Tue, 8 Jul 2008 06:39:46 -0700 (PDT)
Subject: [c-nsp] Funny bug?

You actually have two bugs here:

for the "Output queue :0/40"
CSCdx72484 show interface has an inconsistent format in Output queue display

for the "ouxtput"
CSCdz44280 5 minute output/input rate does not display correctly on port-channel

On Tue, 8 Jul 2008, Ziv Leyes wrote:

> Hi,
> I have a Catalyst 2950 where I've found what seems to be a typo bug, I guess...
> The Switch is IOS (tm) C2950 Software (C2950-I6Q4L2-M), Version 12.1(13)EA1, RELEASE SOFTWARE (fc1)
> Here's a banal output of the show interface command, now you try and find what I mean...
> (I swear that's what I've got, didn't touch it!)
rtb

/* e ni kaita mochi wa kuenu */

From streiner at cluebyfour.org Tue Jul 8 09:42:34 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 8 Jul 2008 09:42:34 -0400 (EDT)
Subject: [c-nsp] C6509-E air flow
In-Reply-To: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>
References: <323aca890807080215j76d9a30fpd2345f1e5ca271de@mail.gmail.com>

On Tue, 8 Jul 2008, Pavel Skovajsa wrote:

> we have a C6509-E with interesting temperature issue. The EARL chip on
> module 1 detects temperature over 65C and the whole module shuts down.
> We have swapped the chassis, fan, module and sup and still have the
> same issue. The interesting part is when we moved the card in module 1
> into module 2 - no temperature issue.
> From this I deduce that we have some kind of air flow issues, as
> module 1 has worse air flow than module 2. Does somebody have some
> nice doc that describes the C6509-E air flow? Or maybe a recommendation
> about the room air conditioning, or air flow in the room.

The 6509-E has right-to-left airflow like the non-E version. Make sure nothing is blocking the intake vents on the right side of the chassis and that nothing in the cabinet/rack to the right (if there is one) is exhausting hot air toward the 6509-E.

I have several 6509s (E and non-E) in production and have had no temperature issues with them, aside from one that was located in a dirty area and the intake vents got fouled. Once the obstruction was cleared, the temperature alarms went away.

jms

From djweis at internetsolver.com Tue Jul 8 09:33:18 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Tue, 8 Jul 2008 08:33:18 -0500 (CDT)
Subject: [c-nsp] Funny bug?
In-Reply-To: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>
References: <03ec01c8e0fe$5d55d3c0$a401a8c0@mainoffice.nodex.ru>

If we're being picky there's also a misplaced colon:

> Output queue :0/40 (size/max)

On Tue, 8 Jul 2008, Pavel Kuzin wrote:

> You mean 30 second ouxtput rate 0 bits/sec, 0 packets/sec
>                     ^^
> ?
> --
> Pavel D.Kuzin
> Nodex LTD.
--
Dave Weis
djweis at internetsolver.com
http://www.internetsolver.com/

From maillist at webjogger.net Tue Jul 8 10:41:34 2008
From: maillist at webjogger.net (Adam Greene)
Date: Tue, 8 Jul 2008 10:41:34 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO> <4871FD63.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <014601c8e108$b7fc4390$12140a0a@GINKGO>

Steve,

Just take 10.77.0.1 255.255.0.0 off FastEthernet0/0.1 and put it on FastEthernet0/0.77, and you should be good to go.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
To: ; "Adam Greene"
Sent: Monday, July 07, 2008 11:26 AM
Subject: Re: [c-nsp] Question on 802.1q trunks and L2TPv3

Yes, I knew that was a problem, but wasn't sure which way to go. Is there any way to do this by changing the router instead? The 10.77.0.0/16 is supposed to be part of the 77 vlan. I'm hoping to be able to do this remotely (the site has limited access hours). The router is the nearer device and the switch is behind it (from the central site's point of view).

Thanks!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Adam Greene" 7/7/2008 9:24 AM >>>
Steven,

Right now you have 10.77.0.0/16 on vlan 1 on the router but on vlan 77 on the switch. If you want the switch to use an IP address from the 10.77.0.0/16 block, you have to include vlan 1 as the native vlan on the 3550, and put the 10.77.0.10 address on vlan 1 rather than vlan 77.

Thanks,
Adam

----- Original Message -----
From: "Steven Pfister"
To:
Sent: Monday, July 07, 2008 8:35 AM
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3

> I've got a 3640 router that's connected to a 3550 switch. The trunking is
> set up as dynamic desirable, and I need to change it to be a dot1q trunk.
> I'm having a little trouble getting that done. I tried doing a:
>
> switchport trunk encapsulation dot1q
> switchport mode trunk
>
> and the switch became unreachable. Do I need to add something like:
>
> switchport trunk native vlan 77
>
> ?
>
> Parts of the config are included below...
>
> Thanks!
>
> router
> -------
> interface FastEthernet0/0
>  no ip address
>  no ip redirects
>  no ip proxy-arp
>  ip pim sparse-mode
>  ip route-cache flow
>  speed 100
>  full-duplex
> !
> interface FastEthernet0/0.1
>  encapsulation dot1Q 1 native
>  ip address 10.77.0.1 255.255.0.0
>  no snmp trap link-status
>  no cdp enable
> !
> interface FastEthernet0/0.77
>  encapsulation dot1Q 77
>  no snmp trap link-status
>  no cdp enable
>  xconnect 192.168.7.1 77 pw-class pw-dynamic
>
> Switch
> --------
> interface FastEthernet0/48
>  switchport access vlan 77
>  switchport mode dynamic desirable
>  speed 100
>  duplex full
>  spanning-tree portfast
> !
> interface Vlan77
>  ip address 10.77.0.10 255.255.0.0
> !
> ip default-gateway 10.77.0.1
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us

From SPfister at dps.k12.oh.us Tue Jul 8 10:53:04 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Tue, 08 Jul 2008 10:53:04 -0400
Subject: [c-nsp] Question on 802.1q trunks and L2TPv3
In-Reply-To: <014601c8e108$b7fc4390$12140a0a@GINKGO>
References: <4871D558.9E6F.00B8.0@dps.k12.oh.us> <010501c8e034$cdf5fa30$12140a0a@GINKGO> <4871FD63.9E6F.00B8.0@dps.k12.oh.us> <014601c8e108$b7fc4390$12140a0a@GINKGO>
Message-ID: <4873470D.9E6F.00B8.0@dps.k12.oh.us>

That's what I thought, but I can't do it with the xconnect statement on f0/0.77.

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Adam Greene" 7/8/2008 10:41 AM >>>
Steve,

Just take 10.77.0.1 255.255.0.0 off FastEthernet0/0.1 and put it on FastEthernet0/0.77, and you should be good to go.

Thanks,
Adam
From tedm at toybox.placo.com Tue Jul 8 11:17:14 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Tue, 8 Jul 2008 08:17:14 -0700
Subject: [c-nsp] Telnet FROM a PIX Appliance?

-----Original Message-----
From: Brandon Bennett [mailto:bennetb at gmail.com]
Sent: Monday, July 07, 2008 1:18 PM
To: Ted Mittelstaedt
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Telnet FROM a PIX Appliance?

> And running a production webserver on a 486-DX2 is also not a good
> idea.

I don't see your point here. I was under the impression you were attempting to argue that IOS-based firewalls were inherently not as good as a PIX. I guess your comment here is acknowledging that's not the case.

> Well the point that Brantley Coile made is that he could not get the
> performance he wanted using traditional IP stacks on those platforms.
> Not so much my opinion, but his.

But of course, I would not expect anyone making and selling something to diss their own product over something available for free.

>> Please point out any "bake-off's" comparisons that were done at
>> that time.

> Pointless and a waste of time. If you want to argue PIX popularity
> 13 years ago, be my guest. I will not be subject to it however.

I'll take that as a retraction of your statement that the NTI stuff was technically superior at that time, then. 'Nuff said.

>> If a PIX is so easy to setup and maintain then I would have not
>> had quite a lot of work over the years in administering them for
>> people.
> It was a lot easier in 1995/1996 to unbox a PIX and enter in some
> commands to setup NAT than it was to apply a patch and compile new
> FreeBSD kernel and userland utilities. Nowadays this just comes down
> to a matter of preference.

That is true. After all that is one thing you're paying for in most commercial products, isn't it? Not functionality, merely ease of use. Once you learn how to use either of them, there's no advantage to the commercial product in that respect. There's only a handful of commercial products out there where the commercial stuff is superior to what you could put together yourself - given enough time, of course.

>> I will say that the PIX command line is no worse to setup and
>> admin than IOS - once you know all of the idiosyncrasies of the
>> PIXos - but that's no different than the idiosyncrasies of IOS.
>> I do find the PIX GUI to be a big piece of crap, though.

> There is at least something we agree on :)

:-)

>> ---- clip----------
>> a bunch of crap of acquisitions
>> --- clip-----------

> Who cares.

Anyone who buys and uses products. Besides ease of use, support is one of the other big selling points of any product. If the company selling such product is poorly managed and acquired as a result, it very often affects support. Thus reducing the value of the product. Naturally anyone owning an orphaned product is very much interested in this. In the case of the PIX, Cisco took it and ran with it, thus NTI's customer base undoubtedly breathed a sigh of relief. That doesn't always happen with all of Cisco's acquisitions.

>> standalone box that isn't a router. The baby wants his
>> bottle and Cisco isn't going to take it away. Simple as that.

> Interesting standpoint. I view it more as a customer choice.

Customer choice only from what the vendor offers. Some vendors don't offer a lot.
>There are
>some things I find easier on a pix (troubleshooting, captures, packet-tracer)
>and there are some things I find much better on IOS (Lan to Lan IPSec) and they
>are both very capable products. If you want to push your customers onto IOS
>firewalls knock yourself out. I don't think anyone can argue that point.

You were before.

>They aren't charging for the SSL protocol, they are charging for all the
>additional features that come with it. Do you even understand what the SSL
>VPN product is? It provided proxied connections for http, citrix, rdp,
>exchange, in addition to almost any application you throw at that. In
>addition it creates a full tunnel through TLS and TLS over UDP.

Great, then unbundle the SSL VPN stuff and include it with the ASA and leave the proxy stuff in the $3K add-on. Most people don't need it. Old story of putting one feature a lot of people want into a separate bundle of a big pile of stuff and making you pay a lot for the big pile. Then you feel compelled to at least look at using some of the stuff in the big pile. Embrace and extend.

> In the end it's your network. That was the point.

No, in the end it's our customers' network, and what they want and what they have to pay, that's the point. The PIX was cheaper than the equivalent IOS-based solutions when it was sold, now the ASA is not. I will grant that yes, you can get a lot more features in the ASA than you used to in the PIX. But you pay more. You also get those features in IOS for the same price as what a hopped-up ASA costs.

As for PPTP being worse or better, that's not Cisco's call to make. As you said earlier, it's customer choice. I'll agree PPTP has more problems than a newer protocol. But a customer that has 200 remotes deployed with PPTP already isn't too interested in paying the labor to switch them all over just because they upgraded their firewall.
My main argument was that the IOS solution was better than the PIX, and I'm just glad that now the ASA (configured with adequate licensing) costs the same as the equivalent IOS based solution, because now my customers can't knee-jerk choose the ASA over the IOS based stuff just because it is significantly cheaper. Which some used to do with the PIX. I see nothing in your rebuttal that disproves that.

The comparisons between PIX and current product were just for fun, even from you, as that product isn't for sale any longer. No need to get so defensive over them. But the ASA vs IOS comparisons don't argue for the ASA being more inexpensive unless you accept a very stripped-down unit.

Ted

From pavel.skovajsa at gmail.com Tue Jul 8 13:28:57 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 8 Jul 2008 19:28:57 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
Message-ID: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com>

Hello,

does anybody know whether ASA or FWSW is able to firewall qinq packets in transparent mode? Does anybody have some configs of this? In short we are a service provider who wants to offer firewall protection to various customer qinq tunnels.

Pavel

From mihai at duras.ro Tue Jul 8 13:55:08 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Tue, 08 Jul 2008 20:55:08 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
Message-ID: <4873A9FC.2020109@duras.ro>

Hello all,

I have just started studying multicast for accomplishing a task that I've been given and don't know where / what I am doing wrong.

My setup is something like the following:

RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)

Between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the 5th is in the global table and used for MPLS LDP).

I have configured on each router: ip multicast-routing (in C for example for both global and VRF), ip pim sparse-dense-mode on interfaces and the RP.
If I connect with a cable in Router A I can view the multicast stream. Same if I connect in Router B. But in Router C it doesn't work (neither in the global table, nor in the VRFs from the vrf-lite implementation).

Can you help with an advice or what I could be doing wrong? (I'm just a beginner/newbie when it comes to mcast)

Thanks,
Mihai

From avayner at cisco.com Tue Jul 8 15:15:40 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 8 Jul 2008 21:15:40 +0200
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4873A9FC.2020109@duras.ro>
References: <4873A9FC.2020109@duras.ro>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>

Hmm...

Could you share some "show ip mroute" and "show ip mroute count" outputs both for global and vrf mode on router C?

First thing to check would be the RPF path for the source - do you have a route back to the source through all the interfaces on router C?

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
Sent: Tuesday, July 08, 2008 20:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VRF-Lite & Multicast question

Hello all,

I have just started studying multicast for accomplishing a task that I've been given and don't know where / what I am doing wrong.

My setup is something like the following:

RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)

Between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the 5th is in the global table and used for MPLS LDP).

I have configured on each router: ip multicast-routing (in C for example for both global and VRF), ip pim sparse-dense-mode on interfaces and the RP.

If I connect with a cable in Router A I can view the multicast stream. Same if I connect in Router B. But in Router C it doesn't work (neither in the global table, nor in the VRFs from the vrf-lite implementation).
Can you help with an advice or what I could be doing wrong? (I'm just a beginner/newbie when it comes to mcast)

Thanks,
Mihai

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From psirt at cisco.com Tue Jul 8 14:36:40 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Tue, 8 Jul 2008 14:36:40 -0400
Subject: [c-nsp] Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks
Message-ID: <200807081436.dns@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Multiple Cisco Products Vulnerable to DNS Cache Poisoning Attacks

Advisory ID: cisco-sa-20080708-dns

http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

Revision 1.0

For Public Release 2008 July 08 1800 UTC (GMT)

Summary
=======

Multiple Cisco products are vulnerable to DNS cache poisoning attacks due to their use of insufficiently randomized DNS transaction IDs and UDP source ports in the DNS queries that they produce, which may allow an attacker to more easily forge DNS answers that can poison DNS caches.

To exploit this vulnerability an attacker must be able to cause a vulnerable DNS server to perform recursive DNS queries. Therefore, DNS servers that are only authoritative, or servers where recursion is not allowed, are not affected.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml.

This security advisory is being published simultaneously with announcements from other affected organizations.

Affected Products
=================

Products that cache DNS responses and process DNS messages with the recursion desired (RD) flag set may be vulnerable to a DNS cache poisoning attack depending on implementation of the DNS protocol.
Products that process DNS messages with the RD flag set will attempt to answer the question asked on behalf of the client.

A product is only affected if using a vulnerable implementation of the DNS protocol, the DNS server functionality for the product is enabled, and the DNS feature for the product is configured to process recursive DNS query messages.

Vulnerable Products
+------------------

The following Cisco products are capable of acting as DNS servers and have been found to have the DNS implementation weakness that makes some types of DNS cache poisoning attacks more likely to succeed:

  * Cisco IOS Software

    A device that is running Cisco IOS Software will be affected if it is running a vulnerable version and if it is acting as a DNS server. All Cisco IOS Software releases that support the DNS server functionality and that have not had their DNS implementation improved are affected. For information about specific fixed versions, please refer to the Software Versions and Fixes section.

    A device that is running Cisco IOS Software is configured to act as a DNS server if the command "ip dns server" is present in the configuration. This command is not enabled by default.

  * Cisco Network Registrar

    All Cisco Network Registrar versions are affected, and DNS services are enabled by default. The DNS server on CNR is enabled via the command-line interface (CLI) commands "server dns enable start-on-reboot" or "dns enable start-on-reboot" or via the web management interface in the Servers page by selecting the appropriate "Start," "Stop," or "Reload" button.

  * Cisco Application and Content Networking System

    All Cisco Application and Content Networking System (ACNS) versions are affected; DNS services are disabled by default. ACNS is configured to act as a DNS server if the command "dns enable" is present in the configuration.
  * Cisco Global Site Selector Used in Combination with Cisco Network Registrar

    The Cisco Global Site Selector (GSS) is affected when it is used in combination with Cisco Network Registrar software to provide a more complete DNS solution. Fixed software would come in the form of an update of the Cisco Network Registrar software rather than an update of the GSS software.

Products Confirmed Not Vulnerable
+--------------------------------

Products that do not offer DNS server capabilities are not affected by this vulnerability.

The Cisco GSS by itself is not affected by this vulnerability. However, it is affected when it is used with Cisco Network Registrar software.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

The Domain Name System is an integral part of networks that are based on TCP/IP such as the Internet. Simply stated, the Domain Name System is a hierarchical database that contains mappings of hostnames and IP addresses. The DNS protocol is part of the TCP/IP protocol suite and allows DNS clients to query the DNS database to resolve hostnames to IP addresses.

A DNS server is an application that implements the DNS protocol and that has the ability to respond to queries made by DNS clients. When handling a query from a DNS client, a DNS server can look into its portion of the global DNS database (if the query is for a portion of the DNS database for which the DNS server is authoritative), or it can relay the query to other DNS servers (if it is configured to do so and if the query is for a portion of the DNS database for which the DNS server is not authoritative).

Because of the processing time and bandwidth that is associated with handling a DNS query, most DNS servers locally store responses that are received from other DNS servers. The area where these responses are stored locally is called a "cache."
Once a response is stored in a cache, the DNS server can use the locally stored response for a certain time (called the "time to live") before having to query DNS servers again to refresh the local (cached) copy of the response.

A DNS cache poisoning attack is an attack in which an entry in the DNS cache of a DNS server is changed so the IP address associated with a hostname in the cache does not point to the correct place. For example, if www.example.com is mapped to the IP address 192.168.0.1 and this mapping is present in the cache of a DNS server, an attacker who succeeds in poisoning the DNS cache of this server may be able to map www.example.com to 10.0.0.1 instead. If this happens, a user who is trying to visit www.example.com may end up contacting the wrong web server.

Although DNS cache poisoning attacks are not new, a security researcher recently presented a technique that allows an attacker to mount successful DNS cache poisoning attacks with low-complexity tools and low traffic requirements. This technique exploits a weakness in most implementations of the DNS protocol. The fundamental implementation weakness is that the DNS transaction ID and source port number used to validate DNS responses are not sufficiently randomized and can easily be predicted, which allows an attacker to create forged responses to DNS queries that will match the expected values. The DNS server will consider such responses to be valid. The transaction ID is only 16 bits wide, so a resolver that sends every query from one fixed source port leaves an attacker at most 65,536 values to guess; randomizing the source port as well multiplies that space by the number of ports the resolver can draw from.

The following Cisco products that offer DNS server functionality have been found to be susceptible to DNS cache poisoning attacks:

  * Cisco IOS Software: The vulnerability documented in Cisco bug ID CSCso81854.
  * Cisco Network Registrar: The vulnerability documented in Cisco bug ID CSCsq01298.
  * Cisco Application and Content Networking System (ACNS): The vulnerability documented in Cisco bug ID CSCsq21930.

This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1447.
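The following Python example is added here and is not part of Cisco's advisory or code. It makes the weakness concrete: it parses the fixed 12-byte DNS header to pull the transaction ID out of a resolver's outbound queries, flags a resolver that reuses one source port or hands out IDs in sequence, and computes the odds of a forged answer matching with and without source-port randomization. The two resolvers' query samples and their port numbers are constructed for the example, not captured from any device.

```python
"""Check whether a resolver's outbound DNS queries vary their transaction ID
and UDP source port.  Added example for this advisory; it is not Cisco code
and the sample queries below are constructed, not captured from a device."""
import struct

# Fixed 12-byte DNS header (RFC 1035 section 4.1.1):
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, all 16-bit big-endian.
DNS_HEADER = struct.Struct("!HHHHHH")


def parse_dns_header(payload):
    """Return the header fields of a DNS message as a dict."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,       # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,        # recursion desired
        "ra": (flags >> 7) & 1,        # recursion available
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def build_query(txid, rd=True):
    """Build a query header; the question section is irrelevant to this check."""
    return DNS_HEADER.pack(txid, 0x0100 if rd else 0, 1, 0, 0, 0)


def _sequential(values):
    """True when the distinct values form a run of consecutive integers."""
    s = sorted(set(values))
    return len(s) > 1 and all(b - a == 1 for a, b in zip(s, s[1:]))


def assess_randomization(samples):
    """samples: list of (udp_source_port, dns_payload) for outbound queries
    from the resolver under test.  Flags the two patterns the advisory
    describes: a fixed or predictable source port, and predictable IDs."""
    ports = [port for port, _ in samples]
    ids = [parse_dns_header(payload)["id"] for _, payload in samples]
    findings = []
    if len(set(ports)) == 1:
        findings.append("fixed source port %d" % ports[0])
    elif _sequential(ports):
        findings.append("sequential source ports")
    if len(set(ids)) == 1:
        findings.append("fixed transaction ID")
    elif _sequential(ids):
        findings.append("sequential transaction IDs")
    return {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "distinct_ids": len(set(ids)),
        "findings": findings,
        "verdict": "weak" if findings else "ok",
    }


def spoof_success_probability(forged_answers, id_bits=16, port_bits=0):
    """Chance that one race (a burst of distinct forged answers arriving before
    the real one) hits the (ID, port) pair the resolver is waiting on, when
    that pair is uniform over 2**(id_bits + port_bits) values."""
    space = 2 ** (id_bits + port_bits)
    return min(forged_answers, space) / space


# Constructed samples: a resolver that always sends from port 53 with IDs
# counting up, and one that varies both.
WEAK_RESOLVER = [(53, build_query(0x1000 + i)) for i in range(8)]
GOOD_RESOLVER = list(zip(
    [41212, 58877, 33091, 60001, 49822, 37110, 55555, 44410],
    [build_query(i) for i in (0x9C3E, 0x12AF, 0xF001, 0x4B77,
                               0x0A1D, 0xE8C2, 0x7731, 0x35D9)],
))

if __name__ == "__main__":
    for name, samples in (("weak", WEAK_RESOLVER), ("good", GOOD_RESOLVER)):
        print(name, assess_randomization(samples))
    # 16-bit ID alone versus ID plus ~15 bits of port entropy, 1000 forged answers per race
    print("ID only   :", spoof_success_probability(1000))
    print("ID + port :", spoof_success_probability(1000, port_bits=15))
```

In practice the samples come from a packet capture of the resolver's upstream interface (the UDP source port of each outbound query plus its DNS payload); the heuristic only needs a handful of queries to catch the fixed-port and counting-ID cases, which are exactly the ones that make the forgery race cheap.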
Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss

Cisco Bugs:

  * DNS cache prone to poisoning/forged answers attacks (CSCsq21930)
  * DNS susceptible to forged query response attacks (CSCsq01298)
  * Need to make DNS implementation more resilient against forged answers (CSCso81854)

CVSS Base Score - 6.4
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - Partial
  Availability Impact - Partial

CVSS Temporal Score - 5.3
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

(same score for the three Cisco bugs listed above.)

Impact
======

Successful exploitation of the vulnerability described in this document may result in invalid hostname-to-IP address mappings in the cache of an affected DNS server. This may lead users of this DNS server to contact the wrong provider of network services. The ultimate impact varies greatly, ranging from a simple denial of service (for example, making www.example.com resolve to 127.0.0.1) to phishing and financial fraud.
Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Cisco IOS Software
+-----------------

Each row of the Cisco IOS Software table (below) names a Cisco IOS Software release train. If a given release train is vulnerable, then the earliest possible releases that contain the fix (along with the anticipated date of availability for each, if applicable) are listed in the "First Fixed Release" column of the table. The "Recommended Release" column indicates the releases which have fixes for all the published vulnerabilities at the time of this Advisory. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. Cisco recommends upgrading to a release equal to or later than the release in the "Recommended Releases" column of the table.
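The IOS criteria in this advisory are two: the running release is older than its train's first fixed release, and "ip dns server" is in the configuration. The following Python example, added here and not Cisco tooling, applies both. Its FIRST_FIXED table is a hand-transcribed subset of the advisory's table (not the whole of it), its version-parsing rule is an assumption about the major.minor(maintenance)TRAIN[rebuild] naming scheme, and the running-config fragment is constructed.

```python
"""Triage an IOS device against this advisory: is the running release below
its train's first fixed release, and is the box acting as a DNS server?
Added example, not Cisco tooling.  FIRST_FIXED is a hand-transcribed subset
of the advisory's table (not the whole table), and the version-parsing rule
is an assumption about the major.minor(maintenance)TRAIN[rebuild] scheme."""
import re

# e.g. 12.2(8)TPC10d -> major 12, minor 2, maintenance 8, train TPC, rebuild 10d
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)([a-z]?)$")

NOT_VULNERABLE = "not vulnerable"
CONTACT_TAC = "contact TAC"
NO_FIX_IN_TRAIN = None   # advisory: vulnerable, first fixed in 12.4 instead

# Subset of the advisory's table, keyed by train ("12.0" is the mainline).
FIRST_FIXED = {
    "12.0": NOT_VULNERABLE,
    "12.0DB": "12.0(7)DB",
    "12.0T": NO_FIX_IN_TRAIN,
    "12.0WC": CONTACT_TAC,
    "12.0XE": "12.0(7)XE1",
    "12.1AY": "12.1(22)AY1",
    "12.1EA": "12.1(11)EA1",
    "12.2S": NOT_VULNERABLE,
    "12.2TPC": "12.2(8)TPC10d",
}
_MISSING = object()


def parse_ios_version(version):
    """Split a release string into its train and an orderable tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised IOS version: %r" % version)
    major, minor, maint, maint_letter, train, rebuild, rebuild_letter = m.groups()
    return {
        "train": "%s.%s%s" % (major, minor, train),
        # 12.4(19) < 12.4(19a); 12.2(8)TPC10c < 12.2(8)TPC10d < 12.2(8)TPC11
        "order": (int(maint), maint_letter, int(rebuild or 0), rebuild_letter),
    }


def exposure(version, table=FIRST_FIXED):
    """Classify a release against the first-fixed entry for its train."""
    v = parse_ios_version(version)
    entry = table.get(v["train"], _MISSING)
    if entry is _MISSING:
        return "unknown train"
    if entry == NOT_VULNERABLE:
        return NOT_VULNERABLE
    if entry == CONTACT_TAC:
        return "vulnerable (contact TAC)"
    if entry is NO_FIX_IN_TRAIN:
        return "vulnerable (no fix in this train; move to 12.4)"
    fixed = parse_ios_version(entry)
    return NOT_VULNERABLE if v["order"] >= fixed["order"] else "vulnerable"


def acts_as_dns_server(running_config):
    """The advisory's IOS criterion: 'ip dns server' present in the config."""
    return any(line.strip() == "ip dns server" for line in running_config.splitlines())


def affected(version, running_config, table=FIRST_FIXED):
    """Combine both criteria: vulnerable code AND DNS server enabled."""
    status = exposure(version, table)
    if not status.startswith("vulnerable"):
        return status
    if acts_as_dns_server(running_config):
        return status
    return "vulnerable code, but not acting as DNS server"


# Constructed running-config fragment, not taken from a real device.
SAMPLE_CONFIG = """\
!
hostname edge-rtr
ip dns server
ip name-server 192.0.2.53
!
"""

if __name__ == "__main__":
    for ver in ("12.0(5)DB", "12.0(7)DB", "12.1(22)AY",
                "12.2(8)TPC10c", "12.2(25)S8", "12.3(11)T"):
        print(ver, "->", affected(ver, SAMPLE_CONFIG))
```

Feed it the version string from "show version" and the text of "show running-config"; a train missing from the subset table comes back as "unknown train" rather than a guess, so extend FIRST_FIXED from the advisory's table for the trains you actually run.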
Major Release / Availability of Repaired Releases

Affected 12.0-Based Releases | First Fixed Release | Recommended Release
-----------------------------+---------------------+--------------------
| 12.0 | Not Vulnerable | |
| 12.0DA | Not Vulnerable | |
| 12.0DB | Releases prior to 12.0(7)DB are vulnerable, release 12.0(7)DB and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0DC | Releases prior to 12.0(7)DC are vulnerable, release 12.0(7)DC and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0S | Not Vulnerable | |
| 12.0SC | Not Vulnerable | |
| 12.0SL | Not Vulnerable | |
| 12.0SP | Not Vulnerable | |
| 12.0ST | Not Vulnerable | |
| 12.0SX | Not Vulnerable | |
| 12.0SY | Not Vulnerable | |
| 12.0SZ | Not Vulnerable | |
| 12.0T | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0W | Not Vulnerable | |
| 12.0WC | Vulnerable; contact TAC | |
| 12.0WT | Not Vulnerable | |
| 12.0XA | Not Vulnerable | |
| 12.0XB | Not Vulnerable | |
| 12.0XC | Not Vulnerable | |
| 12.0XD | Not Vulnerable | |
| 12.0XE | Note: Releases prior to 12.0(7)XE1 are vulnerable, release 12.0(7)XE1 and later are not vulnerable | |
| 12.0XF | Not Vulnerable | |
| 12.0XG | Not Vulnerable | |
| 12.0XH | Not Vulnerable | |
| 12.0XI | Not Vulnerable | |
| 12.0XJ | Not Vulnerable | |
| 12.0XK | Releases prior to 12.0(7)XK2 are vulnerable, release 12.0(7)XK2 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0XL | Not Vulnerable | |
| 12.0XM | Not Vulnerable | |
| 12.0XN | Not Vulnerable | |
| 12.0XQ | Not Vulnerable | |
| 12.0XR | Releases prior to 12.0(7)XR1 are vulnerable, release 12.0(7)XR1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.0XS | Not Vulnerable | |
| 12.0XV | Not Vulnerable | |
| 12.0XW | Not Vulnerable | |

Affected 12.1-Based Releases | First Fixed Release | Recommended Release
-----------------------------+---------------------+--------------------
| 12.1 | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1AA | Not Vulnerable | |
| 12.1AX | Not Vulnerable | |
| 12.1AY | Releases prior to 12.1(22)AY1 are vulnerable, release 12.1(22)AY1 and later are not vulnerable | 12.1(22)EA11 |
| 12.1AZ | Not Vulnerable | |
| 12.1CX | Not Vulnerable | |
| 12.1DA | Not Vulnerable | |
| 12.1DB | Releases prior to 12.1(4)DB1 are vulnerable, release 12.1(4)DB1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1DC | Releases prior to 12.1(4)DC2 are vulnerable, release 12.1(4)DC2 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1E | Not Vulnerable | |
| 12.1EA | Releases prior to 12.1(11)EA1 are vulnerable, release 12.1(11)EA1 and later are not vulnerable | 12.1(22)EA11 |
| 12.1EB | Not Vulnerable | |
| 12.1EC | Not Vulnerable | |
| 12.1EO | Not Vulnerable | |
| 12.1EU | Not Vulnerable | |
| 12.1EV | Not Vulnerable | |
| 12.1EW | Not Vulnerable | |
| 12.1EX | Note: Releases prior to 12.1(8a)EX are vulnerable, release 12.1(8a)EX and later are not vulnerable | |
| 12.1EY | Not Vulnerable | |
| 12.1EZ | Not Vulnerable | |
| 12.1GA | Not Vulnerable | |
| 12.1GB | Not Vulnerable | |
| 12.1T | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1XA | Not Vulnerable | |
| 12.1XB | Not Vulnerable | |
| 12.1XC | Releases prior to 12.1(1)XC1 are vulnerable, release 12.1(1)XC1 and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.1XD | Not Vulnerable | |
| 12.1XE | Not Vulnerable | |
| 12.1XF | Not Vulnerable | |
| 12.1XG | Not Vulnerable | |
| 12.1XH | Not Vulnerable | |
| 12.1XI | Not Vulnerable | |
| 12.1XJ | Not Vulnerable | |
| 12.1XK | Not Vulnerable | |
| 12.1XL | Not Vulnerable | |
| 12.1XM | Not Vulnerable | |
| 12.1XN | Not Vulnerable | |
| 12.1XO | Not Vulnerable | |
| 12.1XP | Not Vulnerable | |
| 12.1XQ | Not Vulnerable | |
| 12.1XR | Not Vulnerable | |
| 12.1XS | Not Vulnerable | |
| 12.1XT | Not Vulnerable | |
| 12.1XU | Not Vulnerable | |
| 12.1XV | Not Vulnerable | |
| 12.1XW | Not Vulnerable | |
| 12.1XX | Not Vulnerable | |
| 12.1XY | Not Vulnerable | |
| 12.1XZ | Not Vulnerable | |
| 12.1YA | Not Vulnerable | |
| 12.1YB | Not Vulnerable | |
| 12.1YC | Not Vulnerable | |
| 12.1YD | Not Vulnerable | |
| 12.1YE | Note: Releases prior to 12.1(5)YE1 are vulnerable, release 12.1(5)YE1 and later are not vulnerable | 12.4(19a), 12.4(19b) |
| 12.1YF | Not Vulnerable | |
| 12.1YG | Not Vulnerable | |
| 12.1YH | Not Vulnerable | |
| 12.1YI | Not Vulnerable | |
| 12.1YJ | Not Vulnerable | |

Affected 12.2-Based Releases | First Fixed Release | Recommended Release
-----------------------------+---------------------+--------------------
| 12.2 | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2B | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BC | Not Vulnerable | |
| 12.2BW | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BY | Releases prior to 12.2(8)BY are vulnerable, release 12.2(8)BY and later are not vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2BZ | Not Vulnerable | |
| 12.2CX | Not Vulnerable | |
| 12.2CY | Not Vulnerable | |
| 12.2CZ | Vulnerable; contact TAC | |
| 12.2DA | Not Vulnerable | |
| 12.2DD | Not Vulnerable | |
| 12.2DX | Not Vulnerable | |
| 12.2EU | Not Vulnerable | |
| 12.2EW | Not Vulnerable | |
| 12.2EWA | Not Vulnerable | |
| 12.2EX | Not Vulnerable | |
| 12.2EY | Not Vulnerable | |
| 12.2EZ | Not Vulnerable | |
| 12.2FX | Not Vulnerable | |
| 12.2FY | Not Vulnerable | |
| 12.2FZ | Not Vulnerable | |
| 12.2IXA | Not Vulnerable | |
| 12.2IXB | Not Vulnerable | |
| 12.2IXC | Not Vulnerable | |
| 12.2IXD | Not Vulnerable | |
| 12.2IXE | Not Vulnerable | |
| 12.2IXF | Not Vulnerable | |
| 12.2JA | Not Vulnerable | |
| 12.2JK | Not Vulnerable | |
| 12.2MB | Not Vulnerable | |
| 12.2MC | Not Vulnerable | |
| 12.2S | Not Vulnerable | |
| 12.2SB | Not Vulnerable | |
| 12.2SBC | Not Vulnerable | |
| 12.2SCA | Not Vulnerable | |
| 12.2SE | Not Vulnerable | |
| 12.2SEA | Not Vulnerable | |
| 12.2SEB | Not Vulnerable | |
| 12.2SEC | Not Vulnerable | |
| 12.2SED | Not Vulnerable | |
| 12.2SEE | Not Vulnerable | |
| 12.2SEF | Not Vulnerable | |
| 12.2SEG | Not Vulnerable | |
| 12.2SG | Not Vulnerable | |
| 12.2SGA | Not Vulnerable | |
| 12.2SL | Not Vulnerable | |
| 12.2SM | Not Vulnerable | |
| 12.2SO | Not Vulnerable | |
| 12.2SRA | Not Vulnerable | |
| 12.2SRB | Not Vulnerable | |
| 12.2SRC | Not Vulnerable | |
| 12.2SU | Not Vulnerable | |
| 12.2SV | Not Vulnerable | |
| 12.2SVA | Not Vulnerable | |
| 12.2SVC | Not Vulnerable | |
| 12.2SVD | Not Vulnerable | |
| 12.2SW | Not Vulnerable | |
| 12.2SX | Not Vulnerable | |
| 12.2SXA | Not Vulnerable | |
| 12.2SXB | Not Vulnerable | |
| 12.2SXD | Not Vulnerable | |
| 12.2SXE | Not Vulnerable | |
| 12.2SXF | Not Vulnerable | |
| 12.2SXH | Not Vulnerable | |
| 12.2SXI | Not Vulnerable | |
| 12.2SY | Not Vulnerable | |
| 12.2SZ | Not Vulnerable | |
| 12.2T | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2TPC | Releases prior to 12.2(8)TPC10d are vulnerable, release 12.2(8)TPC10d and later are not vulnerable | |
| 12.2UZ | Not Vulnerable | |
| 12.2XA | Not Vulnerable | |
| 12.2XB | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XC | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XD | Not Vulnerable | |
| 12.2XE | Not Vulnerable | |
| 12.2XF | Not Vulnerable | |
| 12.2XG | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
| 12.2XH | Not Vulnerable | |
| 12.2XI | Not Vulnerable | |
| 12.2XJ | Not Vulnerable | |
| 12.2XK | Vulnerable; first fixed in 12.4 | 12.4(19a), 12.4(19b) |
|------------+-------------+-------------| | | Vulnerable; | 12.4(19a) |
| 12.2XL | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2XM | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XN | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XNA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XO | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XR | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XS | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2XT | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2XU | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2XV | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2XW | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YD | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YE | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YF | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YG | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YH | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YJ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2YK | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YL | first fixed | | | | in 
12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YM | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YN | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.2(18) | | | migrate to | SXF15; | | 12.2YO | any release | Available | | | in 12.2SY | on | | | | 08-AUG-08 | |------------+-------------+-------------| | 12.2YP | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YR | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YS | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YT | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YU | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2YV | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2YW | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2YZ | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZA | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZB | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.2ZC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZD | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZE | first fixed | | | | in 12.4 | 12.4(19b) | 
|------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZF | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZG | first fixed | | | | in 12.4T | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZH | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.2ZJ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.2ZL | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.2ZP | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZU | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZY | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.2ZYA | Not | | | | Vulnerable | | |------------+-------------+-------------| | Affected | First Fixed | Recommended | | 12.3-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3 | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3B | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3BC | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3BW | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3EU | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JEA | Not | | | | 
Vulnerable | | |------------+-------------+-------------| | 12.3JEB | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JEC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JL | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.3JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3T | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3TPC | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.3VA | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XA | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XB | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XC | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XD | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XE | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XF | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XG | first fixed | | | | in 12.4T | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XH | first 
fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3XI | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3XJ | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XK | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XQ | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3XR | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(19a) | | 12.3XS | first fixed | | | | in 12.4 | 12.4(19b) | |------------+-------------+-------------| | 12.3XU | Not | | | | Vulnerable | | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3XW | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.3XY | Not | | | | Vulnerable | | |------------+-------------+-------------| | | | 12.4(19a) | | | | | | | Vulnerable; | 12.4(19b) | | 12.3YA | first fixed | | | | in 12.4 | 12.4(20)T; | | | | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YD | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | | 12.3(14) | | | | YX12 | | | Vulnerable; | | | 12.3YF | first fixed | 12.4(20)T; | | | in 12.3YX | Available | | | | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YG | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; 
| | 12.3YH | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YI | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.3YJ | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YK | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Releases | | | | prior to | | | | 12.3(14) | | | | YM12 are | | | | vulnerable, | 12.3(14) | | 12.3YM | release | YM12 | | | 12.3(14) | | | | YM12 and | | | | later are | | | | not | | | | vulnerable; | | |------------+-------------+-------------| | 12.3YQ | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YS | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.3YT | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | | Vulnerable; | | | 12.3YU | first fixed | | | | in 12.4XB | | |------------+-------------+-------------| | 12.3YX | 12.3(14) | 12.3(14) | | | YX12 | YX12 | |------------+-------------+-------------| | 12.3YZ | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | Affected | First Fixed | Recommended | | 12.4-Based | Release | Release | | Releases | | | |------------+-------------+-------------| | | 12.4(18b) | | | | | | | | 12.4(19a) | 12.4(19a) | | 12.4 | | | | | 12.4(19b) | 12.4(19b) | | | | | | | 12.4(21) | | |------------+-------------+-------------| | 12.4JA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMA | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JMB | Not | | | | Vulnerable 
| | |------------+-------------+-------------| | 12.4JMC | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4JX | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4MD | 12.4(15)MD | 12.4(15)MD | |------------+-------------+-------------| | 12.4MR | 12.4(19)MR | 12.4(19)MR | |------------+-------------+-------------| | 12.4SW | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | 12.4(15)T6 | | | | | 12.4(20)T; | | 12.4T | 12.4(20)T; | Available | | | Available | on | | | on | 11-JUL-08 | | | 11-JUL-08 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XA | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XB | 12.4(2)XB10 | | |------------+-------------+-------------| | 12.4XC | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | | 12.4(4) | 12.4(20)T; | | | XD11; | Available | | 12.4XD | Available | on | | | on | 11-JUL-08 | | | 31-JUL-08 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XE | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XF | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XG | Not | | | | Vulnerable | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XJ | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | |------------+-------------+-------------| | 12.4XK | Not | | | | Vulnerable | | |------------+-------------+-------------| | 12.4XL | 12.4(15)XL2 | 12.4(15)XL2 | |------------+-------------+-------------| | 12.4XM | 12.4(15)XM1 | 12.4(15)XM1 | |------------+-------------+-------------| | 12.4XN | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XQ | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XT 
| Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XV | Vulnerable; | | | | contact TAC | | |------------+-------------+-------------| | 12.4XW | 12.4(11)XW8 | 12.4(11)XW6 | |------------+-------------+-------------| | 12.4XY | 12.4(15)XY3 | | |------------+-------------+-------------| | | Vulnerable; | 12.4(20)T; | | 12.4XZ | first fixed | Available | | | in 12.4T | on | | | | 11-JUL-08 | +----------------------------------------+ Cisco Network Registrar +---------------------- +---------------------------------------+ | Affected | | | Release | First Fixed Release | | Train | | |--------------+------------------------| | 6.1.x | Contact TAC | |--------------+------------------------| | | 6.3.1.1 patch; | | 6.3.x | available mid-July | | | 2008 | |--------------+------------------------| | 7.0.x | 7.0.1; available in | | | mid-July 2008 | +---------------------------------------+ Cisco Network Registrar software is available for download at: http://www.cisco.com/pcgi-bin/Software/Tablebuild/tablebuild.pl/nr-eval Cisco Application and Content Networking System +---------------------------------------------- This issue is fixed in version 5.5.11 of Cisco ACNS software. This release will be available for download from www.cisco.com in late July 2008. Cisco ACNS 5.5 software is available for download at: http://www.cisco.com/pcgi-bin/tablebuild.pl/acns55 Workarounds =========== There are no workarounds. Additional information about identification and mitigation of attacks against DNS is in the Cisco Applied Intelligence white paper "DNS Best Practices, Network Protections, and Attack Identification," available at http://www.cisco.com/web/about/security/intelligence/dns-bcp.html. Obtaining Fixed Software ======================== Cisco has released free software updates that address these vulnerabilities. 
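The table above is read in one way by a defender: take the running release off each device, find its train, and check whether it sits at or above the first fixed release the table lists for that train. The Python below is an added worked example, not part of Cisco's advisory, that parses release strings in the table's own syntax (12.4(19a), 12.4(15)T6, 12.2(8)TPC10d) and applies that comparison to a subset of rows transcribed from the table. The FIRST_FIXED and NOT_VULNERABLE tables are a partial transcription, the sample inventory strings are constructed, and the rule for a maintenance number the row does not list (at or above a listed entry with the same maintenance number is fixed, above the highest listed maintenance number is fixed, anything else is reported vulnerable) is the example's own conservative reading, not something the advisory states.

```python
import re
from dataclasses import dataclass

# Release strings as printed in the advisory table, e.g. 12.4(19a), 12.4(15)T6,
# 12.2(18)SXF15, 12.3(14)YX12, 12.4(2)XB10, 12.2(8)TPC10d.
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)([a-z]?)\)([A-Z]+)?(\d+)?([a-z]?)$")


@dataclass(frozen=True)
class IosRelease:
    major: int
    minor: int
    maint: int            # maintenance number inside the parentheses
    maint_letter: str     # rebuild letter of the maintenance number ("a" in 12.4(19a))
    train: str            # train suffix ("T", "SXF", "YX"); "" for the mainline
    rebuild: int          # trailing rebuild number (6 in 12.4(15)T6); 0 if absent
    rebuild_letter: str   # trailing rebuild letter ("d" in 12.2(8)TPC10d)

    @property
    def train_name(self) -> str:
        """Train label as used in the advisory's first column, e.g. '12.4T' or '12.4'."""
        return f"{self.major}.{self.minor}{self.train}"

    def order_key(self):
        """Ordering within one train: 12.4(19) < 12.4(19a) < 12.4(19b); 12.4(15)T < 12.4(15)T6."""
        return (self.maint, self.maint_letter, self.rebuild, self.rebuild_letter)


def parse_release(text: str) -> IosRelease:
    """Parse one release string; whitespace introduced by table wrapping is ignored."""
    m = _RELEASE_RE.match("".join(text.split()))
    if not m:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, letter, train, rebuild, rebuild_letter = m.groups()
    return IosRelease(int(major), int(minor), int(maint), letter,
                      train or "", int(rebuild or 0), rebuild_letter)


# Subset of the advisory table, transcribed as printed: train -> first fixed releases.
# An empty list means the row names no fixed release inside that train (it says
# "contact TAC" or "first fixed in <another train>").
FIRST_FIXED = {
    "12.4":    ["12.4(18b)", "12.4(19a)", "12.4(19b)", "12.4(21)"],
    "12.4T":   ["12.4(15)T6", "12.4(20)T"],
    "12.4MD":  ["12.4(15)MD"],
    "12.4MR":  ["12.4(19)MR"],
    "12.4XB":  ["12.4(2)XB10"],
    "12.4XW":  ["12.4(11)XW8"],
    "12.4XY":  ["12.4(15)XY3"],
    "12.3YX":  ["12.3(14)YX12"],
    "12.3YM":  ["12.3(14)YM12"],
    "12.2TPC": ["12.2(8)TPC10d"],
    "12.4SW":  [],   # Vulnerable; contact TAC
    "12.2T":   [],   # Vulnerable; first fixed in 12.4 (a migration, not an in-train fix)
}
NOT_VULNERABLE = {"12.2SE", "12.2SXF", "12.2SRC", "12.3BC", "12.4JA"}


def assess(running: str) -> str:
    """Classify a running release against the transcribed table rows."""
    rel = parse_release(running)
    train = rel.train_name
    if train in NOT_VULNERABLE:
        return "not vulnerable"
    if train not in FIRST_FIXED:
        return "train not in this subset; consult the full table"
    fixes = [parse_release(f) for f in FIRST_FIXED[train]]
    if not fixes:
        return "vulnerable; no fixed release in this train, migrate or contact TAC"
    # Assumption (not stated by the advisory): the listed entry sharing the running
    # release's maintenance number governs it; anything above the highest listed
    # maintenance number is fixed; anything else in between is treated as vulnerable.
    same_maint = [f for f in fixes if f.maint == rel.maint]
    if same_maint:
        first = min(f.order_key() for f in same_maint)
        return "fixed" if rel.order_key() >= first else "vulnerable"
    if rel.maint > max(f.maint for f in fixes):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample of "show version" results from an inventory, not taken from the advisory.
    for ver in ["12.4(19)", "12.4(19a)", "12.4(15)T5", "12.4(15)T6", "12.4(22)T",
                "12.2(8)TPC10c", "12.2(8)TPC10d", "12.2(44)SE", "12.4(15)SW"]:
        print(f"{ver:<14} {assess(ver)}")
```

Running the file prints one verdict per sample string; in practice `assess` would be fed the release field parsed out of each device's "show version" output, and any "train not in this subset" result sends the operator back to the full table rather than being treated as safe.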
Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.
Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

Although DNS cache poisoning attacks are not new, security researcher Dan Kaminsky of IOActive recently presented a technique that makes DNS cache poisoning attacks more likely to succeed. Cisco would like to thank Dan Kaminsky for notifying vendors about his findings.

Note that vulnerability information for Cisco IOS Software is being provided in this advisory outside of the announced publication schedule for Cisco IOS Software described at http://www.cisco.com/go/psirt due to industry-wide disclosure of the vulnerability.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE.
YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20080708-dns.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-teams at first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+--------------+-------------------------+
| Revision 1.0 | 2008-July-08 | Initial public release  |
+--------------+--------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: Jul 08, 2008                                Document ID: 107064

+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkhztUIACgkQ86n/Gc8U/uCAgACfVRRoJO4w4defnpwbNlfgBm4t
2SMAnjKCKECHtsjN9umqqPrPd2DW4IcC
=XGZw
-----END PGP SIGNATURE-----

From tony at lava.net Tue Jul 8 17:12:03 2008
From: tony at lava.net (Antonio Querubin)
Date: Tue, 8 Jul 2008 11:12:03 -1000 (HST)
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4873A9FC.2020109@duras.ro>
References: <4873A9FC.2020109@duras.ro>
Message-ID:

On Tue, 8 Jul 2008, Mihai Tanasescu wrote:

> I have just started studying multicast for accomplishing a task that I've
> been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> Between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the
> 5th is in the global table and used for MPLS LDP).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in the
> VRFs from the vrf-lite implementation).
>
> Can you help with advice on what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

Do you have an RP on the right-hand side of your diagram, and do you have MSDP peering running between the left and right to distribute source info?
Antonio Querubin
whois:  AQ7-ARIN

From markom at markom.info Tue Jul 8 17:27:44 2008
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 8 Jul 2008 21:27:44 +0000
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
Message-ID: <1fb747910807081427y162c1040x25e5213e6e0730f0@mail.gmail.com>

I think this could be a slightly more complicated case than just that, since this is essentially "interprovider multicast" :-).

What is configured as RP on C? If it's not the same as in A-B, you need to configure MSDP between C and whatever is RP in A-B. Even if it is the same, you may need a static mroute or multicast AF BGP between B and C to make it work.

Not the simplest scenario to start with :-)

Kind regards,
Marko.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
> Sent: Tuesday, July 08, 2008 20:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRF-Lite & Multicast question
>
> Hello all,
>
> I have just started studying multicast for accomplishing a task that
> I've been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> Between Router B and Router C I have 5 links (4 are vrf-lite in Router
> C, the 5th is in the global table and used for MPLS LDP).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in
> the VRFs from the vrf-lite implementation).
>
> Can you help with advice on what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

From Alley.Hasan at megapath.com Tue Jul 8 17:30:48 2008
From: Alley.Hasan at megapath.com (Alley Hasan)
Date: Tue, 8 Jul 2008 14:30:48 -0700
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To:
References: <4873A9FC.2020109@duras.ro>
Message-ID:

Some of the basic things to check:

- Everything should be pingable from everywhere, including the sender and receiver. Layer 3 connectivity should be complete before anything can happen.
- Make sure that the RP is pingable by the sender and the receiver.
- Make sure that the RP address is not mis-typed (it's amazing how many times that ends up being the culprit).
- Throw ip pim sparse on the loopbacks as well.

Hope this helps.

Sr. Network Engineer
Megapath Inc.
CCIE 9651

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Antonio Querubin
Sent: Tuesday, July 08, 2008 2:12 PM
To: Mihai Tanasescu
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRF-Lite & Multicast question

On Tue, 8 Jul 2008, Mihai Tanasescu wrote:

> I have just started studying multicast for accomplishing a task that I've
> been given and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> Between Router B and Router C I have 5 links (4 are vrf-lite in Router C, the
> 5th is in the global table and used for MPLS LDP).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF), ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, nor in the
> VRFs from the vrf-lite implementation).
>
> Can you help with advice on what I could be doing wrong? (I'm just a
> beginner/newbie when it comes to mcast)

Do you have an RP on the right-hand side of your diagram, and do you have MSDP peering running between the left and right to distribute source info?

Antonio Querubin
whois:  AQ7-ARIN
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ibrahim.abozaid at gmail.com Tue Jul 8 19:52:25 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 9 Jul 2008 02:52:25 +0300
Subject: [c-nsp] Frame-relay broadcast queue
Message-ID:

Dear All,

I was reading about the Frame Relay broadcast queue, which by default reserves 25% of the PVC CIR and takes precedence over normal traffic, as it queues routing updates. By default, 25% of interface bandwidth is reserved for control traffic; is this reserved bandwidth the broadcast queue?

Your comments are highly appreciated.

Best regards,
--Ibrahim

From madunix at gmail.com Wed Jul 9 02:26:39 2008
From: madunix at gmail.com (Mad Unix)
Date: Wed, 9 Jul 2008 08:26:39 +0200
Subject: [c-nsp] Analog Dialer
Message-ID: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>

I have a PRI connecting 60 people using BRI and analog calls. The Router 3800 PRI interface has a digital modem to accept analog phone calls. The analog callers can't connect! What could be wrong?
interface Group-Async1
 description connected tp Dial-in pcs (Analog)
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 async mode interactive
 peer default ip address pool cisco3662-group-2
 no fair-queue
 ppp authentication chap pap ms-chap callin
 group-range 0/450 0/473

--
madunix

From oboehmer at cisco.com Wed Jul 9 02:39:14 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 9 Jul 2008 08:39:14 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com>

Can't tell based on this config alone. Can you please show the full config? (At least the one of the Serialx/y:z (the D-channel), any dialer interfaces and the "line" config at the end.)

http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml shows a sample AS5xxx config, which can easily be adapted to your environment.

	oli

Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:

> have a PRI connecting 60 ppl using BRI and Analog calls
> the Router 3800 PRI interface is having Digital modem to accept
> analog phone calls
> the analog callers can't connect!
> What could be wrong?
>
> interface Group-Async1
> description connected tp Dial-in pcs (Analog)
> ip unnumbered GigabitEthernet0/0
> encapsulation ppp
> no ip split-horizon
> dialer in-band
> dialer idle-timeout 3600
> dialer-group 1
> async mode interactive
> peer default ip address pool cisco3662-group-2
> no fair-queue
> ppp authentication chap pap ms-chap callin
> group-range 0/450 0/473
> --
> madunix

From madunix at gmail.com Wed Jul 9 03:05:36 2008
From: madunix at gmail.com (Mad Unix)
Date: Wed, 9 Jul 2008 09:05:36 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com>
Message-ID: <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com>

I am using interface Group-Async1 to accept analog calls for data transfer.

interface GigabitEthernet0/0
 description $ES_LAN$
 ip address 10.16.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.16.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface Serial0/0/0
 description ---- Elect ----
 ip address 10.14.11.5 255.255.255.252
!
interface Serial0/0/1
 description --- Bank ---
 ip address 10.14.11.1 255.255.255.252
 encapsulation ppp

interface Serial4/0:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Serial4/1:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Dialer1
 description connected to Dial-inPCs(ISDN)
 ip address 10.13.1.1 255.255.255.0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 peer default ip address pool Cisco3662-Group-1
 ppp authentication chap pap ms-chap callin
!
interface Group-Async1
 description connected tp Dial-in pcs (Analog)
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 async mode interactive
 peer default ip address pool cisco3662-group-2
 no fair-queue
 ppp authentication chap pap ms-chap callin
 group-range 0/450 0/473
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip radius source-interface GigabitEthernet0/0
access-list 2 permit 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp host 10.5.3.10 any eq telnet
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit

On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> Can't tell based on this config alone. can you please show the full
> config? (at least the one of the Serialx/y:z (the D-channel), any dialer
> interfaces and the "line" config at the end)?
> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml shows a sample AS5xxx config, which
> can easily be adapted to your environment..
>
> oli
>
>
> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:
>
> > have a PRI connecting 60 ppl using BRI and Analog calls
> > the Router 3800 PRI interface is having Digital modem to accept
> > analog phone calls
> > the analog callers cant connect!
> > What could be wrong?
> > > > interface Group-Async1 > > description connected tp Dial-in pcs (Analog) > > ip unnumbered GigabitEthernet0/0 > > encapsulation ppp > > no ip split-horizon > > dialer in-band > > dialer idle-timeout 3600 > > dialer-group 1 > > async mode interactive > > peer default ip address pool cisco3662-group-2 > > no fair-queue > > ppp authentication chap pap ms-chap callin > > group-range 0/450 0/473 > > -- > > madunix > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- madunix From madunix at gmail.com Wed Jul 9 04:30:45 2008 From: madunix at gmail.com (Mad Unix) Date: Wed, 9 Jul 2008 10:30:45 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> Message-ID: <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> Any updates On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote: > Am using interface Group-Async1 to accept analog calls for data transfer > > > interface GigabitEthernet0/0 > description $ES_LAN$ > ip address 10.16.0.2 255.255.255.0 > duplex auto > speed auto > media-type rj45 > ! > interface GigabitEthernet0/1 > ip address 10.16.1.2 255.255.255.0 > duplex auto > speed auto > media-type rj45 > ! > interface Serial0/0/0 > description ---- Elect ---- > ip address 10.14.11.5 255.255.255.252 > ! > interface Serial0/0/1 > description --- Bank --- > ip address 10.14.11.1 255.255.255.252 > encapsulation ppp > > interface Serial4/0:15 > no ip address > encapsulation ppp > no ip route-cache cef > dialer rotary-group 1 > dialer-group 2 > isdn switch-type primary-net5 > isdn incoming-voice modem > isdn guard-timer 3000 > ! 
> interface Serial4/1:15 > no ip address > encapsulation ppp > no ip route-cache cef > dialer rotary-group 1 > dialer-group 1 > isdn switch-type primary-net5 > isdn incoming-voice modem > isdn guard-timer 3000 > ! > interface Dialer1 > description connected to Dial-inPCs(ISDN) > ip address 10.13.1.1 255.255.255.0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > peer default ip address pool Cisco3662-Group-1 > ppp authentication chap pap ms-chap callin > ! > interface Group-Async1 > description connected tp Dial-in pcs (Analog) > ip unnumbered GigabitEthernet0/0 > encapsulation ppp > no ip split-horizon > dialer in-band > dialer idle-timeout 3600 > dialer-group 1 > async mode interactive > peer default ip address pool cisco3662-group-2 > no fair-queue > ppp authentication chap pap ms-chap callin > group-range 0/450 0/473 > ip http server > ip http authentication local > ip http timeout-policy idle 60 life 86400 requests 10000 > ! > ip radius source-interface GigabitEthernet0/0 > access-list 2 permit 10.5.0.0 0.0.255.255 > access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 > access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 > access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 > access-list 101 permit tcp host 10.5.3.10 any eq telnet > dialer-list 1 protocol ip permit > dialer-list 2 protocol ip permit > > > On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < > oboehmer at cisco.com> wrote: > >> Can't tell based on this config alone. can you please show the full >> config? (at least the one of the Serialx/y:z (the D-channel), any dialer >> interfaces and the "line" config at the end)? >> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura >> tion_example09186a0080094a49.shtmlshows a sample AS5xxx config, which >> can easily be adapted to your environment.. 
>>
>> oli
>>
>>
>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:
>>
>> > have a PRI connecting 60 ppl using BRI and Analog calls
>> > the Router 3800 PRI interface is having Digital modem to accept
>> > analog phone calls
>> > the analog callers cant connect!
>> > What could be wrong?
>> >
>> > interface Group-Async1
>> > description connected tp Dial-in pcs (Analog)
>> > ip unnumbered GigabitEthernet0/0
>> > encapsulation ppp
>> > no ip split-horizon
>> > dialer in-band
>> > dialer idle-timeout 3600
>> > dialer-group 1
>> > async mode interactive
>> > peer default ip address pool cisco3662-group-2
>> > no fair-queue
>> > ppp authentication chap pap ms-chap callin
>> > group-range 0/450 0/473
>> > --
>> > madunix
>
> --
> madunix

--
madunix

From benny+usenet at amorsen.dk Wed Jul 9 04:31:18 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 09 Jul 2008 10:31:18 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> (Pavel Skovajsa's message of "Tue, 8 Jul 2008 19:28:57 +0200")
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com>
Message-ID: <1215592278.6067.107.camel@ursa.amorsen.dk>

"Pavel Skovajsa" writes:

> does anybody know whether ASA or FWSW is able to firewall qinq packets
> in transparent mode? Does anybody have some configs of this?
> In short we are a service provider who wants to offer firewall
> protection to various customer qinq tunnels.

I don't know the answer to your question, but I do have another one... Which firewall do MPLS providers use to connect customer VRFs to the Internet? 6500s with FWSMs? What if they have thousands of VRFs?

All of the usual enterprise firewalls like ASA, Netscreen and Checkpoint VSX top out at a few hundred virtual firewalls per box.

/Benny

From oboehmer at cisco.com Wed Jul 9 05:05:41 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 9 Jul 2008 11:05:41 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com>

Some patience, please :-) .. we all do this in our spare time..

The "line" config is missing (i.e. the lower part of the config). Can you send this as well?

Please re-enable CEF on the serial interface ("ip route-cache cef").

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Wednesday, July 09, 2008 10:31 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

Any updates

On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:

Am using interface Group-Async1 to accept analog calls for data transfer

interface GigabitEthernet0/0
 description $ES_LAN$
 ip address 10.16.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.16.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface Serial0/0/0
 description ---- Elect ----
 ip address 10.14.11.5 255.255.255.252
!
interface Serial0/0/1
 description --- Bank ---
 ip address 10.14.11.1 255.255.255.252
 encapsulation ppp

interface Serial4/0:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Serial4/1:15 no ip address encapsulation ppp no ip route-cache cef dialer rotary-group 1 dialer-group 1 isdn switch-type primary-net5 isdn incoming-voice modem isdn guard-timer 3000 ! interface Dialer1 description connected to Dial-inPCs(ISDN) ip address 10.13.1.1 255.255.255.0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 peer default ip address pool Cisco3662-Group-1 ppp authentication chap pap ms-chap callin ! interface Group-Async1 description connected tp Dial-in pcs (Analog) ip unnumbered GigabitEthernet0/0 encapsulation ppp no ip split-horizon dialer in-band dialer idle-timeout 3600 dialer-group 1 async mode interactive peer default ip address pool cisco3662-group-2 no fair-queue ppp authentication chap pap ms-chap callin group-range 0/450 0/473 ip http server ip http authentication local ip http timeout-policy idle 60 life 86400 requests 10000 ! ip radius source-interface GigabitEthernet0/0 access-list 2 permit 10.5.0.0 0.0.255.255 access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 access-list 101 permit tcp host 10.5.3.10 any eq telnet dialer-list 1 protocol ip permit dialer-list 2 protocol ip permit On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) wrote: Can't tell based on this config alone. can you please show the full config? (at least the one of the Serialx/y:z (the D-channel), any dialer interfaces and the "line" config at the end)? http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura tion_example09186a0080094a49.shtml shows a sample AS5xxx config, which can easily be adapted to your environment.. 
oli

Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:

> have a PRI connecting 60 ppl using BRI and Analog calls
> the Router 3800 PRI interface is having Digital modem to accept
> analog phone calls
> the analog callers cant connect!
> What could be wrong?
>
> interface Group-Async1
> description connected tp Dial-in pcs (Analog)
> ip unnumbered GigabitEthernet0/0
> encapsulation ppp
> no ip split-horizon
> dialer in-band
> dialer idle-timeout 3600
> dialer-group 1
> async mode interactive
> peer default ip address pool cisco3662-group-2
> no fair-queue
> ppp authentication chap pap ms-chap callin
> group-range 0/450 0/473
> --
> madunix

--
madunix

--
madunix

From madunix at gmail.com Wed Jul 9 05:25:25 2008
From: madunix at gmail.com (Mad Unix)
Date: Wed, 9 Jul 2008 11:25:25 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com>
Message-ID: <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com>

I have added this, but it didn't help; it keeps trying to connect, then authenticates, then fails.

SDC_R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SDC_R2(config)#line 450 473
SDC_R2(config-line)#exec-timeout 0 0
SDC_R2(config-line)#modem Dialin
SDC_R2(config-line)#transport input all
SDC_R2(config-line)#autoselect during-login
SDC_R2(config-line)#autoselect ppp
SDC_R2(config-line)#
SDC_R2(config-line)#exit
SDC_R2(config)#exit
SDC_R2#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
     0    0 CTY              -   -      -    -    -     1      0     0/0      -   Ready
     1    1 AUX   9600/9600  -   -      -    -    -     0      0     0/0      -   Ready
 I 0/450  450 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/451  451 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/452  452 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/453  453 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/454  454 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/455  455 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/456  456 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/457  457 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/458  458 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/459  459 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/460  460 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/461  461 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/462  462 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/463  463 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/464  464 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/465  465 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/466  466 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/467  467 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/468  468 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/469  469 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/470  470 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/471  471 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/472  472 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/473  473 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 *   706  706 VTY            -   -      -    -    -    50      0     0/0      -   Ready
 *   707  707 VTY            -   -      -    -    -     9      0     0/0      -   Ready
     708  708 VTY            -   -      -    -    -     1      0     0/0      -   Ready
     709  709 VTY            -   -      -    -    -     0      0     0/0      -   Idle
     710  710 VTY            -   -      -    -    -     0      0     0/0      -   Idle
Line(s) not in async mode -or- with no hardware support:
2-449, 474-705

Regarding CEF: we disabled it because it was disconnecting the dialer after a time, so we added "no ip route-cache cef":

interface Serial4/0:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Serial4/1:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!

On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> some patience, please :-) .. we all do this in our spare time..
>
> The "line" config is missing (i.e. the lower part of the config). can you
> send this as well?
> Please re-enable CEF on the serial interface ("ip route-cache cef")
>
> oli
>
> ------------------------------
> *From:* Mad Unix [mailto:madunix at gmail.com]
> *Sent:* Wednesday, July 09, 2008 10:31 AM
> *To:* Oliver Boehmer (oboehmer)
> *Cc:* cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] Analog Dialer
>
> Any updates
>
> On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:
>
>> Am using interface Group-Async1 to accept analog calls for data transfer
>>
>>
>> interface GigabitEthernet0/0
>> description $ES_LAN$
>> ip address 10.16.0.2 255.255.255.0
>> duplex auto
>> speed auto
>> media-type rj45
>> !
>> interface GigabitEthernet0/1
>> ip address 10.16.1.2 255.255.255.0
>> duplex auto
>> speed auto
>> media-type rj45
>> !
>> interface Serial0/0/0
>> description ---- Elect ----
>> ip address 10.14.11.5 255.255.255.252
>> !
>> interface Serial0/0/1
>> description --- Bank ---
>> ip address 10.14.11.1 255.255.255.252
>> encapsulation ppp
>>
>> interface Serial4/0:15
>> no ip address
>> encapsulation ppp
>> no ip route-cache cef
>> dialer rotary-group 1
>> dialer-group 2
>> isdn switch-type primary-net5
>> isdn incoming-voice modem
>> isdn guard-timer 3000
>> !
>> interface Serial4/1:15 >> no ip address >> encapsulation ppp >> no ip route-cache cef >> dialer rotary-group 1 >> dialer-group 1 >> isdn switch-type primary-net5 >> isdn incoming-voice modem >> isdn guard-timer 3000 >> ! >> interface Dialer1 >> description connected to Dial-inPCs(ISDN) >> ip address 10.13.1.1 255.255.255.0 >> encapsulation ppp >> no ip split-horizon >> dialer in-band >> dialer idle-timeout 3600 >> dialer-group 1 >> peer default ip address pool Cisco3662-Group-1 >> ppp authentication chap pap ms-chap callin >> ! >> interface Group-Async1 >> description connected tp Dial-in pcs (Analog) >> ip unnumbered GigabitEthernet0/0 >> encapsulation ppp >> no ip split-horizon >> dialer in-band >> dialer idle-timeout 3600 >> dialer-group 1 >> async mode interactive >> peer default ip address pool cisco3662-group-2 >> no fair-queue >> ppp authentication chap pap ms-chap callin >> group-range 0/450 0/473 >> ip http server >> ip http authentication local >> ip http timeout-policy idle 60 life 86400 requests 10000 >> ! >> ip radius source-interface GigabitEthernet0/0 >> access-list 2 permit 10.5.0.0 0.0.255.255 >> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255 >> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255 >> access-list 101 permit tcp host 10.5.3.10 any eq telnet >> dialer-list 1 protocol ip permit >> dialer-list 2 protocol ip permit >> >> >> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) < >> oboehmer at cisco.com> wrote: >> >>> Can't tell based on this config alone. can you please show the full >>> config? (at least the one of the Serialx/y:z (the D-channel), any dialer >>> interfaces and the "line" config at the end)? >>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configura >>> tion_example09186a0080094a49.shtml shows a sample AS5xxx config, which >>> can easily be adapted to your environment.. 
>>> >>> oli >>> >>> >>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM: >>> >>> > have a PRI connecting 60 ppl using BRI and Analog calls >>> > the Router 3800 PRI interface is having Digital modem to accept >>> > analog phone calls >>> > the analog callers cant connect! >>> > What could be wrong? >>> > >>> > interface Group-Async1 >>> > description connected tp Dial-in pcs (Analog) >>> > ip unnumbered GigabitEthernet0/0 >>> > encapsulation ppp >>> > no ip split-horizon >>> > dialer in-band >>> > dialer idle-timeout 3600 >>> > dialer-group 1 >>> > async mode interactive >>> > peer default ip address pool cisco3662-group-2 >>> > no fair-queue >>> > ppp authentication chap pap ms-chap callin >>> > group-range 0/450 0/473 >>> > -- >>> > madunix >>> > _______________________________________________ >>> > cisco-nsp mailing list cisco-nsp at puck.nether.net >>> > https://puck.nether.net/mailman/listinfo/cisco-nsp >>> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> >> >> -- >> madunix > > > > > -- > madunix > -- madunix From oboehmer at cisco.com Wed Jul 9 07:09:58 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Wed, 9 Jul 2008 13:09:58 +0200 Subject: [c-nsp] Analog Dialer In-Reply-To: <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> Hmm, so how far does the connection go? Do the modems train up? 
You might want to go through http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Wednesday, July 09, 2008 11:25 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

I have added this but it didnt help it keeps trying to connect to authenticate then failed

SDC_R2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
SDC_R2(config)#line 450 473
SDC_R2(config-line)#exec-timeout 0 0
SDC_R2(config-line)#modem Dialin
SDC_R2(config-line)#transport input all
SDC_R2(config-line)#autoselect during-login
SDC_R2(config-line)#autoselect ppp
SDC_R2(config-line)#
SDC_R2(config-line)#exit
SDC_R2(config)#exit
SDC_R2#sh line
   Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise  Overruns  Int
     0    0 CTY              -   -      -    -    -     1      0     0/0      -   Ready
     1    1 AUX   9600/9600  -   -      -    -    -     0      0     0/0      -   Ready
 I 0/450  450 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/451  451 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/452  452 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/453  453 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/454  454 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/455  455 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/456  456 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/457  457 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/458  458 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/459  459 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/460  460 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/461  461 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/462  462 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/463  463 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/464  464 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/465  465 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/466  466 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/467  467 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/468  468 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/469  469 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/470  470 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/471  471 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/472  472 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 I 0/473  473 TTY            - DialIn   -    -    -     0      0     0/0      -   Idle
 *   706  706 VTY            -   -      -    -    -    50      0     0/0      -   Ready
 *   707  707 VTY            -   -      -    -    -     9      0     0/0      -   Ready
     708  708 VTY            -   -      -    -    -     1      0     0/0      -   Ready
     709  709 VTY            -   -      -    -    -     0      0     0/0      -   Idle
     710  710 VTY            -   -      -    -    -     0      0     0/0      -   Idle
Line(s) not in async mode -or- with no hardware support:
2-449, 474-705

regarding the CEF we have disabled becuase it was disconnecting the Dialer after atime... so we added this no ip route-cache cef

interface Serial4/0:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Serial4/1:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!

On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) wrote:

some patience, please :-) .. we all do this in our spare time..

The "line" config is missing (i.e. the lower part of the config). can you send this as well?
Please re-enable CEF on the serial interface ("ip route-cache cef")

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Wednesday, July 09, 2008 10:31 AM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

Any updates

On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:

Am using interface Group-Async1 to accept analog calls for data transfer

interface GigabitEthernet0/0
 description $ES_LAN$
 ip address 10.16.0.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 ip address 10.16.1.2 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
!
interface Serial0/0/0
 description ---- Elect ----
 ip address 10.14.11.5 255.255.255.252
!
interface Serial0/0/1
 description --- Bank ---
 ip address 10.14.11.1 255.255.255.252
 encapsulation ppp

interface Serial4/0:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 2
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Serial4/1:15
 no ip address
 encapsulation ppp
 no ip route-cache cef
 dialer rotary-group 1
 dialer-group 1
 isdn switch-type primary-net5
 isdn incoming-voice modem
 isdn guard-timer 3000
!
interface Dialer1
 description connected to Dial-inPCs(ISDN)
 ip address 10.13.1.1 255.255.255.0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 peer default ip address pool Cisco3662-Group-1
 ppp authentication chap pap ms-chap callin
!
interface Group-Async1
 description connected tp Dial-in pcs (Analog)
 ip unnumbered GigabitEthernet0/0
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer idle-timeout 3600
 dialer-group 1
 async mode interactive
 peer default ip address pool cisco3662-group-2
 no fair-queue
 ppp authentication chap pap ms-chap callin
 group-range 0/450 0/473
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip radius source-interface GigabitEthernet0/0
access-list 2 permit 10.5.0.0 0.0.255.255
access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255
access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 permit tcp host 10.5.3.10 any eq telnet
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit

On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) wrote:

Can't tell based on this config alone. can you please show the full config? (at least the one of the Serialx/y:z (the D-channel), any dialer interfaces and the "line" config at the end)?
http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml shows a sample AS5xxx config, which can easily be adapted to your environment..

oli

Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:

> have a PRI connecting 60 ppl using BRI and Analog calls
> the Router 3800 PRI interface is having Digital modem to accept
> analog phone calls
> the analog callers cant connect!
> What could be wrong?
>
> interface Group-Async1
> description connected tp Dial-in pcs (Analog)
> ip unnumbered GigabitEthernet0/0
> encapsulation ppp
> no ip split-horizon
> dialer in-band
> dialer idle-timeout 3600
> dialer-group 1
> async mode interactive
> peer default ip address pool cisco3662-group-2
> no fair-queue
> ppp authentication chap pap ms-chap callin
> group-range 0/450 0/473
> --
> madunix

--
madunix

--
madunix

--
madunix

From david.freedman at uk.clara.net Wed Jul 9 08:29:54 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 9 Jul 2008 13:29:54 +0100
Subject: [c-nsp] CSCek62099
Message-ID:

I have been hitting what I think is this bug on a number of CPE. Applying the workaround "ppp multilink fragment delay" fixes the problem, but applying supposedly fixed IOS releases (tried 12.3-22M and 12.4-19M) does not make the problem go away (i.e. the workaround still has to be applied). Since I'm sure these releases were tested properly, has anybody else seen this behaviour (no PPPoE headers on CEF MLPPP with a single link), and perhaps it is not CSCek62099?

Am about to open a TAC case, but thought I would ask..

Dave.
------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From eng_mssk at hotmail.com Wed Jul 9 09:32:44 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Wed, 9 Jul 2008 16:32:44 +0300
Subject: [c-nsp] MPLS L2 VPN any to any
Message-ID:

Hey all,

I have a problem in a setup. We have 2 Cisco routers acting as MPLS PE routers; one is a 7609 and the other is a 7206. We are trying to implement an MPLS L2 VPN between an ATM sub-interface on one router and a Gigabit Ethernet (also sub-interface) on the other router, but the xconnect never came up. Can anyone help in this regard??

Thanks in advance

BR,
Mohammad Khalil

From markom at markom.info Wed Jul 9 09:50:54 2008
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 9 Jul 2008 13:50:54 +0000
Subject: [c-nsp] MPLS L2 VPN any to any
In-Reply-To:
References:
Message-ID: <1fb747910807090650w57fc4bf7mab77da455f90c612@mail.gmail.com>

This is a little bit software-dependent - not all IOSes will support the configuration. Did you configure interworking in the pseudowire configuration?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fsinterw.html#wp1055162

On Wed, Jul 9, 2008 at 13:32, Mohammad Khalil wrote:
>
> Hey all
> i have a problem in a setup
> we have 2 Cisco routers acting as MPLS PE routers , one is 7609 and the other is 7206
> we are trying to implement MPLS L2 VPN between ATM sub interface on one router and Giga ethernet (also sub interface) on the other router
> but the xconnect never came up
> can anyone help in regard??
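As an added worked example for the ATM-to-Ethernet case above (this is not configuration from the thread or from any of the posters), here is the shape of an IP-interworking pseudowire between two IOS PEs. The loopback addresses 10.255.0.1 and 10.255.0.2, VC ID 100, PVC 0/100, VLAN 100 and the interface numbers are assumptions; which line cards and IOS trains accept xconnect on an ATM PVC and on an Ethernet subinterface varies by platform, as Marko notes, so treat it as the structure to check against rather than a drop-in config.

```cisco
! Added example, not from the thread. Names, addresses and interface numbers are assumed.
! Both PEs must use the same interworking type on the same VC ID, otherwise LDP will
! not bring the pseudowire up.
!
! ---- PE-A (7206, ATM attachment circuit) ----
pseudowire-class ATM-TO-ETH
 encapsulation mpls
 interworking ip
!
interface ATM1/0.100 point-to-point
 pvc 0/100 l2transport
  encapsulation aal5snap
  xconnect 10.255.0.2 100 pw-class ATM-TO-ETH
!
! ---- PE-B (7609, Ethernet attachment circuit) ----
pseudowire-class ATM-TO-ETH
 encapsulation mpls
 interworking ip
!
interface GigabitEthernet1/1.100
 encapsulation dot1Q 100
 xconnect 10.255.0.1 100 pw-class ATM-TO-ETH
!
! ---- Checks to run on either PE ----
! show mpls l2transport vc 100 detail   -> VC status, local/remote MTU, interworking type
! show mpls l2transport binding 100     -> labels and the peer that signalled them
```

With interworking ip only IP packets cross the pseudowire; anything else the attachment circuit hands the PE is dropped, and Ethernet-side ARP is answered locally by the PE rather than forwarded. In "show mpls l2transport vc detail" the VC stays DOWN until the interworking type and the MTU of the two attachment circuits agree, so an ATM side left at its default MTU against a 1500-byte Ethernet subinterface is the first thing to look at when the xconnect never comes up.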
From ccie15385 at gmail.com Wed Jul 9 10:01:44 2008
From: ccie15385 at gmail.com (JH Cockburn)
Date: Wed, 9 Jul 2008 16:01:44 +0200
Subject: [c-nsp] MPLS L2 VPN any to any
In-Reply-To:
References:
Message-ID: <000301c8e1cc$54ea0520$8604030a@africa.enterprise.root>

Hi,

Make sure about the MTU sizes on the interfaces...must be the same I think....

Let me know

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Wednesday, July 09, 2008 3:33 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] MPLS L2 VPN any to any

Hey all
i have a problem in a setup
we have 2 Cisco routers acting as MPLS PE routers, one is 7609 and the other is 7206
we are trying to implement MPLS L2 VPN between ATM sub interface on one router and Giga ethernet (also sub interface) on the other router
but the xconnect never came up
can anyone help in regard??

Thanks in advance

BR,
Mohammad Khalil

From James.Munroe at gnb.ca Wed Jul 9 09:35:40 2008
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Wed, 9 Jul 2008 10:35:40 -0300
Subject: [c-nsp] Looking for other's experiences with 12.2.31-SBxx or 12.2.33-SRC1 on 7204VXRs w/ NPE-2G
Message-ID: <458B3EC21E4A3044998E917199AACB2F5C4B05@GNBEX02.gnb.ca>

Hello,

Looking on upgrading our MBGP Route Reflectors to support the new MDT SAFI address family. Just curious if anyone has run into trouble with either 12.2.31-SBxx or 12.2.33-SRC1 code trains for a Cisco 7204VXR (NPE-2G)? These 7200's are dedicated RR's serving no other functions other than our MPLS vpnv4 addressing.
Any thoughts or experiences would be appreciated.

Thanks,
Jim Munroe

From mcrocker at crocker.com Wed Jul 9 10:33:58 2008
From: mcrocker at crocker.com (Matthew Crocker)
Date: Wed, 9 Jul 2008 10:33:58 -0400
Subject: [c-nsp] MPLS capabilities of SUP2
Message-ID: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>

I'm working with a customer on a network redesign. The plan is to use 7206/NPE-G1s as PE routers and 6509/SUP2 as P routers. The SUP2s would only need to switch the MPLS tags, they won't need to do anything special. The 7206s will handle the grunt work of maintaining per VRF routing tables and adding/removing MPLS tags.

Can the SUP2 handle this or will I need to go to SUP720/3BXL? I could just dumb the 6509s down and run everything L2 with dot1q VLANs but looking to the future MPLS would be nice.

The layout would be

CUST <--T1/IP--> [7206] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [7206] <--T1/IP--> CUST

From kelvin_team at yahoo.com Wed Jul 9 10:49:42 2008
From: kelvin_team at yahoo.com (Kelvin Goei)
Date: Wed, 9 Jul 2008 07:49:42 -0700 (PDT)
Subject: [c-nsp] Intermittent management vlan connectivity
Message-ID: <373570.9745.qm@web56715.mail.re3.yahoo.com>

Hi

I have one 6513 edge switch with SUP32, it's connected to 2 upstream Distribution Switches using portchannel. There is another 3550 edge switch connected to the 6513 edge switch with a single uplink. All have management Vlan on Vlan2. The problem now is the ping to interface Vlan2 for the edge switch 6513 and the other 3550 switch connected to it is intermittent. I checked on the interface Vlan2 for both the 6513 and 3550, both have proxy-arp enabled, but not on the Distribution Switch. What could be the reason for this? The switch is up all the time, and user traffic on other vlans is ok, just traffic from Vlan2 is intermittent.

Any help really appreciated. Thanks.

Regards,
Kelvin.
From oboehmer at cisco.com Wed Jul 9 10:56:09 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 9 Jul 2008 16:56:09 +0200
Subject: [c-nsp] MPLS capabilities of SUP2
In-Reply-To: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>
References: <17D99581-751E-41ED-A9BD-CA2E1D5C5543@crocker.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B1D135@xmb-ams-333.emea.cisco.com>

As many others will suggest: The PFC2 on the Sup2 has *no* MPLS capability, it can't switch MPLS-tagged packets. Period :-|

So unless you're using your Sup2 as pure Layer 2 (then it doesn't care), you need to buy OSMs or Flexwans to do the tagging, so you want to go with Sup720 or Sup32..

oli

Matthew Crocker <> wrote on Wednesday, July 09, 2008 4:34 PM:

> I'm working with a customer on a network redesign. The plan is to use
> 7206/NPE-G1s as PE routers and 6509/SUP2 as P routers. The SUP2s
> would only need to switch the MPLS tags they won't need to do anything
> special. The 7206s will handle the grunt work of maintaining per VRF
> routing tables and adding/removing MPLS tags.
>
> Can the SUP2 handle this or will I need to go to SUP720/3BXL? I could
> just dumb the 6509s down and run everything L2 with dot1q VLANs but
> looking to the future MPLS would be nice.
>
> The layout would be
>
> CUST <--T1/IP--> [7206] <--GigE/MPLS--> [6509] <--GigE/MPLS--> [6509]
> <--GigE/MPLS--> [7206] <--T1/IP-> CUST

From squid at oranged.to Wed Jul 9 11:06:12 2008
From: squid at oranged.to (Jimmy Stewpot)
Date: Wed, 09 Jul 2008 16:06:12 +0100
Subject: [c-nsp] 6500 port capabilities and port mappings
Message-ID: <4874D3E4.50206@oranged.to>

Hello,

I have been working on diagnosing an issue where certain servers have been experiencing poor network performance over a pvlan network.
Through diagnostics I have found a few points which I would like to try and understand a little better. The switch is a 6500 running in hybrid ios/catos. The blade in question is a WS-X6516A-GBIC. When I run the following command I get the "Maximum Allowed Mappings:" variable of 32.

show port capabilities 3/14
Model                     WS-X6516A-GBIC
Port                      3/14
Type                      1000BaseT
Auto MDIX                 no
AuxiliaryVlan             no
Broadcast suppression     percentage(0-100)
Channel                   yes
COPS port group           3/13-16
CoS rewrite               yes
Dot1q-all-tagged          yes
Dot1x                     yes
Duplex                    full
Fast start                yes
Flow control              receive-(off,on,desired),send-(off,on,desired)
Inline power              no
Jumbo frames              yes
Link debounce timer       yes
Link debounce timer delay yes
Membership                static,dynamic
Port ASIC group           3/10,3/12,3/14,3/16
Port VLAN Mapping Group:  3/9-16
Maximum Allowed Mappings: 32
QOS scheduling            rx-(1p1q4t),tx-(1p2q2t)
Security                  yes
SPAN                      source,destination
Speed                     1000
Sync restart delay        yes
ToS rewrite               DSCP
Trunk encap type          802.1Q,ISL
Trunk mode                on,off,desirable,auto,nonegotiate
UDLD                      yes

From reading through the Cisco documentation I have been able to find very little which actually tells me what that means. We currently have well over 126 mappings on the port in question and have been having no other issues. Can someone tell me what that really means?

Regards,
Jimmy.

From nick.jon.griffin at gmail.com Wed Jul 9 11:35:17 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 10:35:17 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
Message-ID:

I am thinking that I should be able to create sub-interfaces on these devices to be used for multiple vrf's, but maybe I'm confused. I have some routed core/dist links I need to maintain as well as extend some services via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable to configure a subinterface. Am I missing something, does this require a 3750E?
interface fas 1/0/1
 no switch
 ip address 1.1.1.1 255.255.255.0

int fas 1/0/1.100, etc
 ip vrf forwarding VRF1
 ip address 2.2.2.2 255.255.255.0

Hope this makes sense, thanks in advance,
Nick Griffin

From markom at markom.info Wed Jul 9 11:44:10 2008
From: markom at markom.info (Marko Milivojevic)
Date: Wed, 9 Jul 2008 15:44:10 +0000
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To:
References:
Message-ID: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>

I think that you need to use SVI's (interface vlan xxx) combined with trunks on these boxes. They don't support subinterfaces, as far as I recall.

On Wed, Jul 9, 2008 at 15:35, Nick Griffin wrote:
> I am thinking that I should be able to create sub-interfaces on these
> devices to be used for multiple vrf's, but maybe I'm confused. I have some
> routed core/dist links I need to maintain as well as extended some services
> via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
> to configure a subinterface. Am I missing something, does this require a
> 3750E?
>
> interface fas 1/0/1
> no switch
> ip address 1.1.1.1 255.255.255.0
>
> int fas 1/0/1.100, etc
> ip vrf forwarding VRF1
> ip address 2.2.2.2 255.255.255.0
>
> Hope this makes sense, thanks in advance,

From harbor235 at gmail.com Wed Jul 9 12:10:14 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 9 Jul 2008 12:10:14 -0400
Subject: [c-nsp] GPON
Message-ID: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>

Does anybody have any GPON experience on the list?

If so I am looking for Pros and Cons for implementing this for the CAN.

Is there a power savings or is the power requirement just pushed out to the desktop?
hardware required to build a PON? OLTs, ONT/ONUs, splitters?
How is GPON managed?
Price comparisons?
Basically whatever info you have outside the classic definition,

harbor235 ;}

From charles at thewybles.com Wed Jul 9 12:26:48 2008
From: charles at thewybles.com (Charles N Wyble)
Date: Wed, 09 Jul 2008 09:26:48 -0700
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <4874E6C8.7050504@thewybles.com>

Hope the resource recommendation helps. :)

Charles Wyble

Mike Johnson wrote:
> Does anybody have any GPON experience on the list?
>
I don't have any hands on experience with GPON or any PON as of yet unfortunately. APON is sweeping the United States. Wish they had gone with E/G PON. Ah well.

> If so I am looking for Pros and Cons for implementing this for the CAN.
>
Pros and Cons of PON vs what? You looking to provide broadband to end users? What type of area (rural/suburban/cbd)? Etc.

> Is there a power savings or the power requirement just pushed out to the
> desktop?
>
Well there are certainly power savings as the equipment is passive. Are you looking to deploy this in a service provider environment (I presume you are based on the nature of this list), or in an internal enterprise network (you mention pushing power out to the desktop).

> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
>
I just read a fantastic book on EPON and highly recommend it. It covers various other standards etc (including GPON).
Amazon link: http://tinyurl.com/5okll7
I checked it out from the Los Angeles Public Library. So your local library may have it as well. Or I suppose your company could purchase it. Might be available on Safari.

> How is GPON managed?
> Price comparisons?
>
> Basically whatever info you have outside the classic definition,
>
> harbor235 ;}
>

--
Charles N Wyble (818) 280-7059
http://charlesnw.blogspot.com

From harbor235 at gmail.com Wed Jul 9 12:44:21 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 9 Jul 2008 12:44:21 -0400
Subject: [c-nsp] GPON
In-Reply-To: <4874E6C8.7050504@thewybles.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com>
Message-ID: <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>

Charles,

APON vs GPON
Verizon is installing GPON via their FIOS product in the east as of 2008, previously they were installing BPON. I cannot speak of the other providers

PROs and CONs for deploying GPON to the desktop for a large CAN

Power savings yes for the passive equipment but the OLTs and ONT/ONUs do require power as well as the management systems required to provision/monitor etc ..

Would it save power if there were no access switches in the mix? Instead of aggregating users to access switches build a PON, power requirements are then pushed to the desktop. Is this a better solution? does it really save power? increase/decrease cost per port?

thanx for the input

harbor235 ;}

On 7/9/08, Charles N Wyble wrote:
>
> Hope the resource recommendation helps. :)
>
> Charles Wyble
>
> Mike Johnson wrote:
> > Does anybody have any GPON experience on the list?
> >
> I don't have any hands on experience with GPON or any PON as of yet
> unfortunately. APON is sweeping the United States. Wish they had gone
> with E/G PON. Ah well.
>
> > If so I am looking for Pros and Cons for implementing this for the CAN.
> >
> Pros and Cons of PON vs what? You looking to provide broadband to end
> users? What type of area (rural/suburban/cbd)? Etc.
>
> > Is there a power savings or the power requirement just pushed out to the
> > desktop?
> >
> Well there are certainly power savings as the equipment is passive.
> Are you looking to deploy this in a service provider environment (I presume
> you are based on the nature of this list), or in an internal enterprise
> network (you mention pushing power out to the desktop).
>
> > hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> >
> I just read a fantastic book on EPON and highly recommend it. It covers
> various other standards etc (including GPON).
> Amazon link: http://tinyurl.com/5okll7
> I checked it out from the Los Angeles Public Library. So your local
> library may have it as well. Or I suppose your company could purchase
> it. Might be available on Safari.
>
> > How is GPON managed?
> > Price comparisons?
> >
> > Basically whatever info you have outside the classic definition,
> >
> > harbor235 ;}
> >
>
> --
> Charles N Wyble (818) 280-7059
> http://charlesnw.blogspot.com
>

From RTeller at deltadentalwa.com Wed Jul 9 13:16:01 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 9 Jul 2008 10:16:01 -0700
Subject: [c-nsp] 3750 stack member failure detection
In-Reply-To: <4870eea3.0c07560a.1598.155e@mx.google.com>
References: <4870eea3.0c07560a.1598.155e@mx.google.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00C84@tiger.deltadentalwa.com>

You could count how many interfaces are available.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony GUENEAU
Sent: Sunday, July 06, 2008 9:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750 stack member failure detection

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP ?
What OID from what Cisco MIB (ENTITY-MIB ??) should I poll to manage it ?

Thanks.
Anthony

From kapsi1911 at hotmail.com Wed Jul 9 13:59:02 2008
From: kapsi1911 at hotmail.com (D W)
Date: Wed, 9 Jul 2008 13:59:02 -0400
Subject: [c-nsp] Flat MPLS service from provider
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID:

Hello,

Does anyone on this list manage a network or have customers that run a large (500+ sites, scaling up to 1000) flat (single vrf) enterprise network? If so, can you share any lessons learned from this service as opposed to building a hierarchical design (ordering multiple VRF clouds from a provider - core cloud, regional cloud, etc..).

I'm in the process of identifying potential issues for a customer considering a flat network design model. Their network is currently regionalized with point-to-point circuits. Two of the first that came to mind were:

- Summarization (could only do per site, no large regional summarization blocks). Unless defaults are used.
- Difficult to deploy distributed services with no aggregation sites.

Thanks,
Dave
From nick.jon.griffin at gmail.com Wed Jul 9 14:23:40 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 13:23:40 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
Message-ID:

I think I must need the metro switch for this:

Take a look at "Configuring the PE Switch B" at this url:
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.1_14_ax/configuration/guide/swiprout.html#wp1258623

On Wed, Jul 9, 2008 at 10:44 AM, Marko Milivojevic wrote:
> I think that you need to use SVI's (interface vlan xxx) combined with
> trunks on these boxes. They don't support subinterfaces, as far as I
> recall.
>
> On Wed, Jul 9, 2008 at 15:35, Nick Griffin wrote:
> > I am thinking that I should be able to create sub-interfaces on these
> > devices to be used for multiple vrf's, but maybe I'm confused. I have some
> > routed core/dist links I need to maintain as well as extended some services
> > via VRF Lite. I have tried ip serv, adv ip serv, etc and I am still unable
> > to configure a subinterface. Am I missing something, does this require a
> > 3750E?
> >
> > interface fas 1/0/1
> > no switch
> > ip address 1.1.1.1 255.255.255.0
> >
> > int fas 1/0/1.100, etc
> > ip vrf forwarding VRF1
> > ip address 2.2.2.2 255.255.255.0
> >
> > Hope this makes sense, thanks in advance,

From jeff-kell at utc.edu Wed Jul 9 14:29:30 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 09 Jul 2008 14:29:30 -0400
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com>
Message-ID: <4875038A.7040203@utc.edu>

Marko Milivojevic wrote:
> I think that you need to use SVI's (interface vlan xxx) combined with
> trunks on these boxes. They don't support subinterfaces, as far as I
> recall.

Yes, you need trunks for the CE/PE links and SVIs/VLANs for each VRF you want to transport across almost all of the Catalysts below 6500.

Some you can GRE-tunnel across a P2P L3 link, but that isn't officially supported on some, and is process switched on all.

Dotted interfaces are primarily a true router-ism (WAN).

Jeff

From mail.ag at foghorn.nit.gwu.edu Wed Jul 9 13:37:51 2008
From: mail.ag at foghorn.nit.gwu.edu (mail.ag)
Date: Wed, 09 Jul 2008 13:37:51 -0400
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <4874F76F.2090706@foghorn.nit.gwu.edu>

Mike Johnson wrote:
> Does anybody have any GPON experience on the list?
>
> If so I am looking for Pros and Cons for implementing this for the CAN.
>
> Is there a power savings or the power requirement just pushed out to the
> desktop?
> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> How is GPON managed?
> Price comparisons?
>
> Basically whatever info you have outside the classic definition,
>
> harbor235 ;}
>

We're in the middle of our first deployment of EPON for a dorm near our campus. I'm not sure I can address your questions on power requirements, as our current network topology is fiber to the desk which has very different power requirements than a standard copper network.

My initial choice would have been to go with GPON because of its additional downstream bandwidth and potential for more ONT vendors (assuming a good interop picture). However, because of lead times and deadlines, we went with EPON for this site. We selected Wave7 Optics as our vendor. Two things that drove this decision: an 8 port ONT (8 each of voice/video/data) and GPON/EPON support in the same chassis. We're supposed to go live August 1. I'll have more details then :)

Good luck.

From nick.jon.griffin at gmail.com Wed Jul 9 16:13:17 2008
From: nick.jon.griffin at gmail.com (Nick Griffin)
Date: Wed, 9 Jul 2008 15:13:17 -0500
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To: <4875038A.7040203@utc.edu>
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com> <4875038A.7040203@utc.edu>
Message-ID:

If anyone can confirm that the dotted subinterface configurations can be configured on the 3750ME's, that would be excellent.

Nick Griffin

On Wed, Jul 9, 2008 at 1:29 PM, Jeff Kell wrote:
> Marko Milivojevic wrote:
>
>> I think that you need to use SVI's (interface vlan xxx) combined with
>> trunks on these boxes. They don't support subinterfaces, as far as I
>> recall.
>>
>
> Yes, you need trunks for the CE/PE links and SVIs/VLANs for each VRF you
> want to transport across almost all of the Catalysts below 6500.
>
> Some you can GRE-tunnel across a P2P L3 link, but that isn't officially
> supported on some, and is process switched on all.
>
> Dotted interfaces are primarily a true router-ism (WAN).
>
> Jeff
>

From christian at broknrobot.com Wed Jul 9 17:39:35 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 9 Jul 2008 17:39:35 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To: <1215592278.6067.107.camel@ursa.amorsen.dk>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID:

im a bit confused by your use of terms in the question...

are you asking about vrf-aware firewalls? or are you just unsure of the method a SP delivers layer 3 vpns?

On Wed, Jul 9, 2008 at 4:31 AM, Benny Amorsen wrote:
> "Pavel Skovajsa" writes:
>
> > does anybody know whether ASA or FWSW is able to firewall qinq packets
> > in transparent mode? Does anybody have some configs of this?
> > In short we are a service provider who wants to offer firewall
> > protection to various customer qinq tunnels.
>
> I don't know the answer to your question, but I do have another one...
>
> Which firewall does MPLS providers use to connect customer VRF's to
> the Internet? 6500's with FWSM's? What if they have thousands of
> VRF's?
>
> All of the usual enterprise firewalls like ASA, Netscreen, Checkpoint
> VSX top out at a few hundred virtual firewalls per box.
>
> /Benny
>

--
^christian$

From jleitao.l at gmail.com Wed Jul 9 18:03:31 2008
From: jleitao.l at gmail.com (Jose Leitao)
Date: Thu, 10 Jul 2008 00:03:31 +0200
Subject: [c-nsp] C3560 show version memory values
Message-ID: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>

Hi everyone,

Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and looking at the output of show version, I noticed something rather peculiar:

"cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with 0K/8184K bytes of memory"

Should this be a concern? I couldn't find anything related to this, is this a bug?

Thanks,

JL

From peter at rathlev.dk Wed Jul 9 18:59:52 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 10 Jul 2008 00:59:52 +0200
Subject: [c-nsp] C3750-24PS and VRF-Lite/Multi VRF
In-Reply-To:
References: <1fb747910807090844k275952fdwd4d75679a7f5e0d7@mail.gmail.com> <4875038A.7040203@utc.edu>
Message-ID: <1215644392.8915.2.camel@svesken.sys.mjna.net>

On Wed, 2008-07-09 at 15:13 -0500, Nick Griffin wrote:
> If anyone can confirm that the dotted subinterface configurations can be
> configured on the 3750ME's, that would be excellent.

I'm not sure, but I think it's only the ES ports (uplinks) on the 3750ME that can be configured "router wise".

Is there any reason why you wouldn't just use SVIs instead? You can't use the same VLAN on different physical ports, but even the 6500/7600 can't do that with subinterfaces either.
Regards,
Peter

From kgraham at industrial-marshmallow.com Wed Jul 9 21:04:57 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 9 Jul 2008 18:04:57 -0700 (PDT)
Subject: [c-nsp] 3750 stack member failure detection
Message-ID: <976875.20274.qm@web907.biz.mail.mud.yahoo.com>

>> Does anybody know how to detect a stack member down within a 3750 stack
>> through SNMP ?
>
> You could count how many interfaces are available.

It'd be a lot more effective to just watch the IF-MIB::ifOperStatus of the stack ports. I haven't checked, but I would think that counting interfaces wouldn't work, as they'd show up in IF-MIB::ifTable as soon as the stack member was provisioned.

From James.Baker at chelmer.co.nz Wed Jul 9 21:31:57 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Thu, 10 Jul 2008 13:31:57 +1200
Subject: [c-nsp] 3750 stack member failure detection
In-Reply-To: <4870eea3.0c07560a.1598.155e@mx.google.com>
References: <4870eea3.0c07560a.1598.155e@mx.google.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD59985E@chmaexch.chelmer.co.nz>

check out either
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.500
or
http://www.oidview.com/mibs/9/CISCO-STACKWISE-MIB.html
or if you use nagios
http://www.nagiosexchange.org/cgi-bin/page.cgi?g=Detailed%2F2430.html;d=1

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anthony GUENEAU
Sent: Monday, 7 July 2008 4:11 a.m.
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3750 stack member failure detection

Hi,

Does anybody know how to detect a stack member down within a 3750 stack through SNMP ?
What OID from what Cisco MIB (ENTITY-MIB ??) should I poll to manage it ?

Thanks.
Anthony

From chris.garzon at gmail.com Wed Jul 9 22:34:47 2008
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 10 Jul 2008 10:34:47 +0800
Subject: [c-nsp] WLAN setup Using separate DHCP server for wireless clients
Message-ID: <876789290807091934g1f28cef6vc44078d28337002b@mail.gmail.com>

Hi

Got my LW APs to be recognized, now I'm trying to setup my WLC 4404 with 1131 Lightweight APs. I used the internal DHCP of the controller for the APs and put it on, let's say, VLAN3. Then I have a DHCP server on the native VLAN. Now I want my wireless clients to get DHCP from my external DHCP. So far when I tested the wireless connections I can only get DHCP from the internal DHCP of the 4404, not my external DHCP server. Any recommendations on how I can do this?
thanks
chris

From achatz at forthnet.gr Wed Jul 9 23:28:10 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 10 Jul 2008 06:28:10 +0300
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
Message-ID: <487581CA.1050404@forthnet.gr>

I've got the same on a 3750:

12.2(25)SEE2
cisco WS-C3750G-48TS (PowerPC405) processor (revision C0) with 118784K/12280K bytes of memory.

12.2(44)SE2
cisco WS-C3750G-48TS (PowerPC405) processor (revision C0) with 0K/12280K bytes of memory.

Probably a bug...since memory is still there:

3750>sh mem
                Head    Total(b)     Used(b)     Free(b)   Lowest(b)  Largest(b)
Processor    28EC57C    78826116    34405100    44421016    43390576    43310028
      I/O    7400000    12574720     8795768     3778952     3775780     3765032

--
Tassos

Jose Leitao wrote on 10/7/2008 1:03:
> Hi everyone,
>
> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and
> looking at the output of show version, I noticed something rather
> peculiar:
>
> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with
> 0K/8184K bytes of memory"
>
> Should this be a concern?, I couldn't find anything related to this,
> is this a bug?
>
> Thanks,
>
> JL
>

From ganbold at micom.mng.net Thu Jul 10 00:13:28 2008
From: ganbold at micom.mng.net (Ganbold)
Date: Thu, 10 Jul 2008 12:13:28 +0800
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <4859D623.6060302@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net>
Message-ID: <48758C68.1040602@micom.mng.net>

Ganbold wrote:
> David Coulson wrote:
>> The whole router reloads, or just one of the RSPs? Have you tried it
>> with just a single RSP? Maybe one is dying?
>
> Router reloads :(
>
>>
>> FYI, I have experienced great stability with
>> rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
>> almost 18 months. I'm not saying it's perfect, but I would suspect if
>> you have so many stability issues that it is maybe a hardware problem.
>
> I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.

Actually it was 12.4(19a), and it works more stable, no more router reloads.

Ganbold

>
> Ganbold
>
>>
>> Ganbold wrote:
>>>
>>> I tried 12.0(32).S10, however router restarts sometimes without any
>>> suspicious log :(
>>> I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
>>>
>>> Ganbold
>>
>

--
Antonym, n.: The opposite of the word you're trying to think of.
From benny+usenet at amorsen.dk Thu Jul 10 04:37:58 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 10 Jul 2008 10:37:58 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID:

"Christian Koch" writes:

> im a bit confused by your use of terms in the question...
>
> are you asking about vrf-aware firewalls?

Probably. Most of them seem to only do 250 firewalls per box, or in
the case of the FWSM, per module. What about the service providers
with thousands of VRFs?

/Benny

From christian at broknrobot.com Thu Jul 10 04:49:52 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 10 Jul 2008 04:49:52 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID:

i dont understand your correlation..

layer 3 vpns and vrf's are not dependant on firewalls

On Thu, Jul 10, 2008 at 4:37 AM, Benny Amorsen wrote:

> "Christian Koch" writes:
>
> > im a bit confused by your use of terms in the question...
> >
> > are you asking about vrf-aware firewalls?
>
> Probably. Most of them seem to only do 250 firewalls per box, or in
> the case of the FWSM, per module. What about the service providers
> with thousands of VRFs?
>
> /Benny

--
^christian$

From pavel.skovajsa at gmail.com Thu Jul 10 05:16:27 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 10 Jul 2008 11:16:27 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk>
Message-ID: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>

What if the service provider wants to provide centralized firewalled
internet connection to those customers?

pavel

On Thu, Jul 10, 2008 at 10:49 AM, Christian Koch wrote:

> i dont understand your correlation..
>
> layer 3 vpns and vrf's are not dependant on firewalls
>
> On Thu, Jul 10, 2008 at 4:37 AM, Benny Amorsen wrote:
>
>> "Christian Koch" writes:
>>
>> > im a bit confused by your use of terms in the question...
>> >
>> > are you asking about vrf-aware firewalls?
>>
>> Probably. Most of them seem to only do 250 firewalls per box, or in
>> the case of the FWSM, per module. What about the service providers
>> with thousands of VRFs?
>>
>> /Benny
>
> --
> ^christian$

From zivl at gilat.net Thu Jul 10 05:27:30 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 10 Jul 2008 12:27:30 +0300
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com> <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com>
Message-ID:

What the f.... are you all talking about??? Can you explain?
PON, GPON, BPON, APON.... (?!?!?!?!?)
My friend knows something about Judo and he says IPPON always win... :-)
I guess I'll have to google it a bit...

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
Sent: Wednesday, July 09, 2008 7:44 PM
To: Charles N Wyble
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GPON

Charles,

APON vs GPON

Verizon is installing GPON via there FIOS product in the east as of 2008,
previously they were installing BPON. I cannot speak of the other providers

PROs and CONs for deploying GPON to the desktop for a large CAN

Power savings yes for the passive equipment but the OLTs and ONT/ONUs do
require power as well as the managemnet systems required to provision.monitor etc ..

Would it save power if there were no access switches in the mix? Instead of
aggregating users to access switches build a PON, power requirements are then
pushed to the desktop. Is this a better solution? does it really save power?
increase/decrease cost per port?

thanx for the input

harbor235 ;}

On 7/9/08, Charles N Wyble wrote:
>
> Hope the resource recommendation helps. :)
>
> Charles Wyble
>
> Mike Johnson wrote:
> > Does anybody have any GPON experience on the list?
>
> I don't have any hands on experience with GPON or any PON as of yet
> unfortunately. APON is sweeping the United States. Wish they had gone
> with E/G PON. Ah well.
>
> > If so I am looking for Pros and Cons for implementing this for the CAN.
>
> Pros and Cons of PON vs what? You looking to provide broadband to end
> users? What type of area (rural/suburban/cbd)? Etc.
>
> > Is there a power savings or the power requirement just pushed out to the
> > desktop?
>
> Well there are certainly power savings as the equipment is passive. Are
> you looking to deploy this in a service provider environment (I presume
> you are based on the nature of this list), or in an internal enterprise
> network (you mention pushing power out to the desktop).
>
> > hardware required to build a PON? OLTs, ONT/ONUs, splitters?
>
> I just read a fantastic book on EPON and highly recommend it. It covers
> various other standards etc (including GPON).
> Amazon link: http://tinyurl.com/5okll7
> I checked it out from the Los Angeles Public Library. So your local
> library may have it as well. Or I suppose your company could purchase
> it. Might be available on Safari.
>
> > How is GPON managed?
> > Pice comparisons?
> > Basically whatever info you have outside the classic definition,
> >
> > harbor235 ;}
>
> --
> Charles N Wyble (818) 280-7059
> http://charlesnw.blogspot.com

From rodunn at cisco.com Thu Jul 10 05:30:20 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 10 Jul 2008 05:30:20 -0400
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <48758C68.1040602@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net>
Message-ID: <20080710093020.GJ16325@rtp-cse-489.cisco.com>

It's more stable now on what code?

On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
> Ganbold wrote:
> >David Coulson wrote:
> >>The whole router reloads, or just one of the RSPs? Have you tried it
> >>with just a single RSP? Maybe one is dying?
> >
> >Router reloads :(
> >
> >>FYI, I have experienced great stability with
> >>rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
> >>almost 18 months.
> >>I'm not saying it's perfect, but I would suspect if
> >>you have so many stability issues that it is maybe a hardware problem.
> >
> >I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
>
> Actually it was 12.4(19a), and it works more stable, no more router reloads.
>
> Ganbold
>
> >Ganbold
> >
> >>Ganbold wrote:
> >>>I tried 12.0(32).S10, however router restarts sometimes without any
> >>>suspicious log :(
> >>>I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
> >>>
> >>>Ganbold
>
> --
> Antonym, n.: The opposite of the word you're trying to think of.

From asturluismi at gmail.com Thu Jul 10 05:38:42 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 10 Jul 2008 11:38:42 +0200
Subject: [c-nsp] Script to backup a pix 6.3
Message-ID: <1215682722.10129.2.camel@dsba-ipso>

Hi all,

Is there anyone there who can send me a script (linux shell script,
perl, python, expect...) to do a cisco pix 6.3 backup?

If not I will create a new one, but I would be much better if I don't
need to re-create the wheel again if someone can share a script.

Regards.

From benny+usenet at amorsen.dk Thu Jul 10 05:40:50 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 10 Jul 2008 11:40:50 +0200
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>
Message-ID:

"Pavel Skovajsa" writes:

> What if the service provider wants to provide centralized firewalled
> internet connection to those customers?

Exactly. There must be many ISP's which offer hosted firewalls and
Internet access for their MPLS customers. But how? None of the
solutions seem to scale.
/Benny

From ganbold at micom.mng.net Thu Jul 10 05:42:44 2008
From: ganbold at micom.mng.net (Ganbold)
Date: Thu, 10 Jul 2008 17:42:44 +0800
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <20080710093020.GJ16325@rtp-cse-489.cisco.com>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net> <20080710093020.GJ16325@rtp-cse-489.cisco.com>
Message-ID: <4875D994.60400@micom.mng.net>

Rodney Dunn wrote:
> It's more stable now on what code?
>
On 12.4(19a).

Ganbold

> On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
>
>> Ganbold wrote:
>>
>>> David Coulson wrote:
>>>
>>>> The whole router reloads, or just one of the RSPs? Have you tried it
>>>> with just a single RSP? Maybe one is dying?
>>>>
>>> Router reloads :(
>>>
>>>> FYI, I have experienced great stability with
>>>> rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
>>>> almost 18 months. I'm not saying it's perfect, but I would suspect if
>>>> you have so many stability issues that it is maybe a hardware problem.
>>>>
>>> I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
>>>
>> Actually it was 12.4(19a), and it works more stable, no more router reloads.
>>
>> Ganbold
>>
>>> Ganbold
>>>
>>>> Ganbold wrote:
>>>>
>>>>> I tried 12.0(32).S10, however router restarts sometimes without any
>>>>> suspicious log :(
>>>>> I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
>>>>>
>>>>> Ganbold
>>>>>
>> --
>> Antonym, n.: The opposite of the word you're trying to think of.
>>

--
If a nation values anything more than freedom, it will lose its freedom;
and the irony of it is that if it is comfort or money it values more, it
will lose that, too. -- W. Somerset Maugham

From rodunn at cisco.com Thu Jul 10 05:46:34 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 10 Jul 2008 05:46:34 -0400
Subject: [c-nsp] Cisco 7513 problem
In-Reply-To: <4875D994.60400@micom.mng.net>
References: <4851EA54.4000908@micom.mng.net> <20080613115225.GF15312@rtp-cse-489.cisco.com> <4858B03D.1000901@micom.mng.net> <4859048D.2040100@davidcoulson.net> <4859D623.6060302@micom.mng.net> <48758C68.1040602@micom.mng.net> <20080710093020.GJ16325@rtp-cse-489.cisco.com> <4875D994.60400@micom.mng.net>
Message-ID: <20080710094634.GN16325@rtp-cse-489.cisco.com>

That's good news as 12.4 is the sunset code for that platform along with 12.0S.

sunset meaning until it goes full end of support.

Rodney

On Thu, Jul 10, 2008 at 05:42:44PM +0800, Ganbold wrote:
> Rodney Dunn wrote:
> >It's more stable now on what code?
> >
> On 12.4(19a).
>
> Ganbold
>
> >On Thu, Jul 10, 2008 at 12:13:28PM +0800, Ganbold wrote:
> >
> >>Ganbold wrote:
> >>
> >>>David Coulson wrote:
> >>>
> >>>>The whole router reloads, or just one of the RSPs? Have you tried it
> >>>>with just a single RSP? Maybe one is dying?
> >>>>
> >>>Router reloads :(
> >>>
> >>>>FYI, I have experienced great stability with
> >>>>rsp-ik91sv-mz.122-25.S12.bin - Some routers have been running it for
> >>>>almost 18 months. I'm not saying it's perfect, but I would suspect if
> >>>>you have so many stability issues that it is maybe a hardware problem.
> >>>>
> >>>I see, yesterday we updated IOS to 12.4(19b). Let us see how it works.
> >>>
> >>Actually it was 12.4(19a), and it works more stable, no more router
> >>reloads.
> >>
> >>Ganbold
> >>
> >>>Ganbold
> >>>
> >>>>Ganbold wrote:
> >>>>
> >>>>>I tried 12.0(32).S10, however router restarts sometimes without any
> >>>>>suspicious log :(
> >>>>>I have rsp-pv-mz.120-33.S.bin image, maybe I will try that.
> >>>>>
> >>>>>Ganbold
> >>>>>
> >>--
> >>Antonym, n.: The opposite of the word you're trying to think of.
> >>
>
> --
> If a nation values anything more than freedom, it will lose its freedom;
> and the irony of it is that if it is comfort or money it values more, it
> will lose that, too. -- W. Somerset Maugham

From mihai at duras.ro Thu Jul 10 06:16:55 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 13:16:55 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com>
Message-ID: <4875E197.8050607@duras.ro>

Hi Arie,

Sorry for top posting but I guess this time it will be easier as your
answer was also above mine:)

This is my network topology and schematic:
http://www.screenshots.cc/show.php/15014_draft.jpeg.html

Router C (in my schema RD-1):

RO-BUC-RD1#sh ip mroute count
IP Multicast Statistics
1 routes using 544 bytes of memory
1 groups, 0.00 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets received: 0

RO-BUC-RD1#sh ip mroute
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL
  Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157
  Outgoing interface list: Null

On one of the VRFs:

http://www.pastebin.org/50188
http://www.pastebin.org/50190

On all interfaces interconnecting RC1 and RD1 I have:

ip pim sparse-dense mode

on RC1 I have ip multicast-routing and ip pim rp-address 172.16.103.237.

If I connect with a laptop in a port in RC1 multicast works.
in RD1 I have:

ip pim rp-address 172.16.103.237
ip pim vrf vrf_business rp-address 172.16.103.237
ip pim vrf vrf_default_1 rp-address 172.16.103.237
ip pim vrf vrf_default_2 rp-address 172.16.103.237
ip pim vrf vrf_default_3 rp-address 172.16.103.237
ip pim vrf vrf_default_4 rp-address 172.16.103.237

(VRF business takes default route from vrf_default_3)

What am I missing or what would be the workaround in my case of setup ?

Thanks and sorry for the long post,
Mihai

Arie Vayner (avayner) wrote:
> Hmm...
>
> Could you share some "show ip mroute" and "show ip mroute count" outputs
> both for global and vrf mode on router C?
>
> First thing to check would be the RPF path for the source - do you have
> a route back to the source through all the interfaces on router C?
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
> Sent: Tuesday, July 08, 2008 20:55 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VRF-Lite & Multicast question
>
> Hello all,
>
> I have just started studying multicast for accomplishing a task that
> I've been giving and don't know where / what I am doing wrong.
>
> My setup is something like the following:
>
> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>
> between Router B and Router C I have 5 links (4 are vrf-lite in Router
> C, the 5th is in the global table and use for MPLS ldp).
>
> I have configured on each router:
> ip multicast-routing (in C for example for both global and VRF) , ip pim
> sparse-dense-mode on interfaces and the RP.
>
> If I connect with a cable in Router A I can view the multicast stream.
> Same if I connect in Router B.
>
> But in Router C it doesn't work (neither in the global table, neither in
> the VRFs from vrf-lite implementation).
>
> Can you help with an advice or what I could be doing wrong ?
> (I'm just a beginner/newbie when it comes to mcast)
>
> Thanks,
> Mihai

From mihai at duras.ro Thu Jul 10 06:35:53 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 13:35:53 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4875E197.8050607@duras.ro>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro>
Message-ID: <4875E609.2070404@duras.ro>

Hello again,

On a closer look I see for example:

on RC1:
RO-BUC-RC1#sh ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode
195.170.181.18    POS2/0/0                 3d00h/00:01:31    v2    1 / S P
195.170.181.158   GigabitEthernet7/6       2d22h/00:01:33    v2    1 / DR S P
195.170.181.54    GigabitEthernet7/3       2d22h/00:01:44    v2    1 / DR S P
195.170.181.58    GigabitEthernet7/4       2d22h/00:01:28    v2    1 / DR S P
195.170.181.170   GigabitEthernet7/2       00:02:53/00:01:18 v2    1 / DR S P
195.170.181.146   GigabitEthernet7/5       00:02:59/00:01:43 v2    1 / DR S P

on the RD1 (vrf-lite directly connected to this)..choosing one VRF for
which I see an entry above on RC1 for neighbor:

RO-BUC-RD1#sh ip pim vrf vrf_business neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
      P - Proxy Capable, S - State Refresh Capable
Neighbor          Interface                Uptime/Expires    Ver   DR
Address                                                            Prio/Mode

I think the problem might be from here but don't know how to fix it :(

-
Mihai

Mihai Tanasescu wrote:
> Hi Arie,
>
> Sorry for top posting but I guess this time it will be easier as your
> answer was also above mine:)
>
> This is my network topology and schematic:
> http://www.screenshots.cc/show.php/15014_draft.jpeg.html
>
> Router C (in my schema RD-1):
>
> RO-BUC-RD1#sh ip mroute count
> IP Multicast Statistics
> 1 routes using 544 bytes of memory
> 1 groups, 0.00 average sources per group
> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per
> second
> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)
>
> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets
> received: 0
>
> RO-BUC-RD1#sh ip mroute
>
> Outgoing interface flags: H - Hardware switched, A - Assert winner
>  Timers: Uptime/Expires
>  Interface state: Interface, Next-Hop or VCD, State/Mode
>
> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL
>   Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157
>   Outgoing interface list: Null
>
> On one of the VRFs:
>
> http://www.pastebin.org/50188
> http://www.pastebin.org/50190
>
> On all interfaces interconnecting RC1 and RD1 I have:
>
> ip pim sparse-dense mode
>
> on RC1 I have ip multicast-routing and ip pim rp-address 172.16.103.237.
>
> If I connect with a laptop in a port in RC1 multicast works.
>
> in RD1 I have:
>
> ip pim rp-address 172.16.103.237
> ip pim vrf vrf_business rp-address 172.16.103.237
> ip pim vrf vrf_default_1 rp-address 172.16.103.237
> ip pim vrf vrf_default_2 rp-address 172.16.103.237
> ip pim vrf vrf_default_3 rp-address 172.16.103.237
> ip pim vrf vrf_default_4 rp-address 172.16.103.237
>
> (VRF business takes default route from vrf_default_3)
>
> What am I missing or what would be the workaround in my case of setup ?
>
> Thanks and sorry for the long post,
> Mihai
> Arie Vayner (avayner) wrote:
>> Hmm...
>>
>> Could you share some "show ip mroute" and "show ip mroute count" outputs
>> both for global and vrf mode on router C?
>>
>> First thing to check would be the RPF path for the source - do you have
>> a route back to the source through all the interfaces on router C?
>>
>> Arie
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu
>> Sent: Tuesday, July 08, 2008 20:55 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] VRF-Lite & Multicast question
>>
>> Hello all,
>>
>> I have just started studying multicast for accomplishing a task that
>> I've been giving and don't know where / what I am doing wrong.
>>
>> My setup is something like the following:
>>
>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C (vrf-lite)
>>
>> between Router B and Router C I have 5 links (4 are vrf-lite in
>> Router C, the 5th is in the global table and use for MPLS ldp).
>>
>> I have configured on each router:
>> ip multicast-routing (in C for example for both global and VRF) , ip pim
>> sparse-dense-mode on interfaces and the RP.
>>
>> If I connect with a cable in Router A I can view the multicast stream.
>> Same if I connect in Router B.
>>
>> But in Router C it doesn't work (neither in the global table, neither in
>> the VRFs from vrf-lite implementation).
>>
>> Can you help with an advice or what I could be doing wrong ?
>> (I'm just a beginner/newbie when it comes to mcast)
>>
>> Thanks,
>> Mihai

From mtinka at globaltransit.net Thu Jul 10 07:23:13 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 10 Jul 2008 19:23:13 +0800
Subject: [c-nsp] C3560 show version memory values
In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com>
Message-ID: <200807101923.16998.mtinka@globaltransit.net>

On Thursday 10 July 2008 06:03:31 Jose Leitao wrote:

> Today I upgraded a 3560 to
> c3560-advipservicesk9-mz.122-44.SE2, and looking at the
> output of show version, I noticed something rather
> peculiar:
>
> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0)
> with 0K/8184K bytes of memory"
>
> Should this be a concern?, I couldn't find anything
> related to this, is this a bug?

We are seeing the same issue on our 3560G's running the same code.

Mark.

From zivl at gilat.net Thu Jul 10 07:26:59 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 10 Jul 2008 14:26:59 +0300
Subject: [c-nsp] Script to backup a pix 6.3
In-Reply-To: <1215682722.10129.2.camel@dsba-ipso>
References: <1215682722.10129.2.camel@dsba-ipso>
Message-ID:

Hi Luismi, (stands for Luis Miguel?)
There are a few useful links I've found for you:
http://www.mangeek.com/portfolio/pixbackup.html
http://3d2f.com/programs/1-918-kiwi-cattools-download.shtml
http://www.networksecurityarchive.org/html/Firewalls/2004-09/msg00227.html

Once I wrote a .vbs script for SecureCRT that takes care of it, but it needs manual running from within the session, let me know if you are interested.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
Sent: Thursday, July 10, 2008 12:39 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Script to backup a pix 6.3

Hi all,

Is there anyone there who can send me a script (linux shell script,
perl, python, expect...) to do a cisco pix 6.3 backup?

If not I will create a new one, but I would be much better if I don't
need to re-create the wheel again if someone can share a script.

Regards.
From k.vdh at solcon.nl Thu Jul 10 05:46:03 2008
From: k.vdh at solcon.nl (Koen)
Date: Thu, 10 Jul 2008 11:46:03 +0200
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
In-Reply-To:
References:
Message-ID: <4875DA5B.5060001@solcon.nl>

Hi all,

We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 WS-X6748-GE-TX and we see that the asic temperature is always higher then 40C which is the max operational temperature according to the docs.

vss>show environment switch 1 temperature
chassis id 1 switch_id 1
switch 1 module 1 outlet temperature: 40C
switch 1 module 1 inlet temperature: 30C
switch 1 module 1 device-1 temperature: 31C
switch 1 module 1 device-2 temperature: 38C
switch 1 module 1 asic-1 temperature: 59C
switch 1 module 1 asic-3 temperature: 42C
switch 1 module 1 asic-4 temperature: 59C
switch 1 module 1 RP outlet temperature: 34C
switch 1 module 1 RP inlet temperature: 32C
switch 1 module 1 EARL outlet temperature: 31C
switch 1 module 1 EARL inlet temperature: 28C
switch 1 module 2 outlet temperature: 41C
switch 1 module 2 inlet temperature: 29C
switch 1 module 3 outlet temperature: 39C
switch 1 module 3 inlet temperature: 28C

vss>show environment switch 2 temperature
chassis id 2 switch_id 2
switch 2 module 1 outlet temperature: 42C
switch 2 module 1 inlet temperature: 32C
switch 2 module 1 device-1 temperature: 36C
switch 2 module 1 device-2 temperature: 41C
switch 2 module 1 asic-1 temperature: 61C
switch 2 module 1 asic-3 temperature: 45C
switch 2 module 1 asic-4 temperature: 58C
switch 2 module 1 RP outlet temperature: 39C
switch 2 module 1 RP inlet temperature: 38C
switch 2 module 1 EARL outlet temperature: 38C
switch 2 module 1 EARL inlet temperature: 33C
switch 2 module 2 outlet temperature: 45C
switch 2 module 2 inlet temperature: 30C
switch 2 module 3 outlet temperature: 44C
switch 2 module 3 inlet temperature: 24C

The fan-trays being used:

switch 1 fan-tray 1:
switch 1 fan-tray 1 type: FAN-MOD-4HS
switch 1 fan-tray 1 mode: High-power
switch 1 fan-tray 1 fan-fail: OK

switch 2 fan-tray 1:
switch 2 fan-tray 1 type: FAN-MOD-4HS
switch 2 fan-tray 1 mode: High-power
switch 2 fan-tray 1 fan-fail: OK

We tried almost everything like opening the server closets (we even got ride of the side panels), adding more cooling with apc fan units, etc, but we don't seem to get it lower then above temperatures. We think it is a internal air flow problem in the chassis...

Do you guys also see these high temperatures?

Thanks,

Koen

From nickslager at gmail.com Thu Jul 10 07:42:23 2008
From: nickslager at gmail.com (Nick Slager)
Date: Thu, 10 Jul 2008 21:42:23 +1000
Subject: [c-nsp] Script to backup a pix 6.3
In-Reply-To: <1215682722.10129.2.camel@dsba-ipso>
References: <1215682722.10129.2.camel@dsba-ipso>
Message-ID: <6CCF1D60-759E-4373-BFB5-0FCF1BDC77EF@gmail.com>

On 10/07/2008, at 7:38 PM, luismi wrote:

> Is there anyone there who can send me a script (linux shell script,
> perl, python, expect...) to do a cisco pix 6.3 backup?

RANCID supports the PIX. See http://shrubbery.net/rancid/

Nick

From asturluismi at gmail.com Thu Jul 10 08:00:05 2008
From: asturluismi at gmail.com (luismi)
Date: Thu, 10 Jul 2008 14:00:05 +0200
Subject: [c-nsp] Script to backup a pix 6.3
In-Reply-To:
References: <1215682722.10129.2.camel@dsba-ipso>
Message-ID: <1215691205.10129.4.camel@dsba-ipso>

Thanks Ziv!

On Thu, 10-07-2008 at 14:26 +0300, Ziv Leyes wrote:
> Hi Luismi, (stands for Luis Miguel?)
>
> There are a few useful links I've found for you:
> http://www.mangeek.com/portfolio/pixbackup.html
> http://3d2f.com/programs/1-918-kiwi-cattools-download.shtml
> http://www.networksecurityarchive.org/html/Firewalls/2004-09/msg00227.html
>
> Once I wrote a .vbs script for SecureCRT that takes care of it, but it needs manual running from within the session, let me know if you are interested.
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Thursday, July 10, 2008 12:39 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Script to backup a pix 6.3
>
> Hi all,
>
> Is there anyone there who can send me a script (linux shell script,
> perl, python, expect...) to do a cisco pix 6.3 backup?
>
> If not I will create a new one, but I would be much better if I don't
> need to re-create the wheel again if someone can share a script.
>
> Regards.

From rs at seastrom.com Thu Jul 10 08:14:58 2008
From: rs at seastrom.com (Robert E. Seastrom)
Date: Thu, 10 Jul 2008 08:14:58 -0400
Subject: [c-nsp] High temperatures on cisco 6504-E chassis
In-Reply-To: <4875DA5B.5060001@solcon.nl> (Koen's message of "Thu, 10 Jul 2008 11:46:03 +0200")
References: <4875DA5B.5060001@solcon.nl>
Message-ID: <86ej62szp9.fsf@seastrom.com>

Koen writes:

> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2
> WS-X6748-GE-TX and we see that the asic temperature is always higher
> then 40C which is the max operational temperature according to the
> docs.

The max operational temperature quoted in documentation is almost
always ambient (or inlet) temperature, not the temperature of any
particular hot spot on the board. At 30c inlet, you're well within
spec.

Is there something you have read that leads you to believe things are
different in this case? Can you point me there if so?

-r

From mihai at duras.ro Thu Jul 10 08:44:23 2008
From: mihai at duras.ro (Mihai Tanasescu)
Date: Thu, 10 Jul 2008 15:44:23 +0300
Subject: [c-nsp] VRF-Lite & Multicast question
In-Reply-To: <4875E609.2070404@duras.ro>
References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro> <4875E609.2070404@duras.ro>
Message-ID: <48760427.6050107@duras.ro>

Mihai Tanasescu wrote:
> Hello again,
>
> On a closer look I see for example:
>
> on RC1:
> RO-BUC-RC1#sh ip pim neighbor
> PIM Neighbor Table
> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
>       P - Proxy Capable, S - State Refresh Capable
> Neighbor          Interface                Uptime/Expires    Ver   DR
> Address                                                            Prio/Mode
> 195.170.181.18    POS2/0/0                 3d00h/00:01:31    v2    1 / S P
> 195.170.181.158   GigabitEthernet7/6       2d22h/00:01:33    v2    1 / DR S P
> 195.170.181.54    GigabitEthernet7/3       2d22h/00:01:44    v2    1 / DR S P
> 195.170.181.58    GigabitEthernet7/4       2d22h/00:01:28    v2    1 / DR S P
> 195.170.181.170   GigabitEthernet7/2       00:02:53/00:01:18 v2    1 / DR S P
> 195.170.181.146   GigabitEthernet7/5       00:02:59/00:01:43 v2    1 / DR S P
>
on the RD1 (vrf-lite directly connected to this)..choosing one VRF for > which I see an entry above on RC1 for neighbor: > > RO-BUC-RD1#sh ip pim vrf vrf_business neighbor > PIM Neighbor Table > Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority, > P - Proxy Capable, S - State Refresh Capable > Neighbor Interface Uptime/Expires Ver DR > Address > Prio/Mode > > > I think the problem might be from here but don't know how to fix it :( I was wrong. If I try the same on the vrf_default_3 (the gateway obtained by route leaking for vrf_business), then I can see the pim neighborship relation. With a tcpdump on my linux machine with VLC I can see the IGMP v2 report messages but no reply whatsoever. Any help ? > > > - > Mihai > > Mihai Tanasescu wrote: >> Hi Arie, >> >> >> >> Sorry for top posting but I guess this time it will be easier as your >> answer was also above mine:) >> >> This is my network topology and schematic: >> http://www.screenshots.cc/show.php/15014_draft.jpeg.html >> >> Router C (in my schema RD-1): >> >> RO-BUC-RD1#sh ip mroute count >> IP Multicast Statistics >> 1 routes using 544 bytes of memory >> 1 groups, 0.00 average sources per group >> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits >> per second >> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc) >> >> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets >> received: 0 >> >> >> RO-BUC-RD1#sh ip mroute >> >> Outgoing interface flags: H - Hardware switched, A - Assert winner >> Timers: Uptime/Expires >> Interface state: Interface, Next-Hop or VCD, State/Mode >> >> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL >> Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157 >> Outgoing interface list: Null >> >> On one of the VRFs: >> >> http://www.pastebin.org/50188 >> http://www.pastebin.org/50190 >> >> On all interfaces interconnecting RC1 and RD1 I have: >> >> ip pim sparse-dense mode >> >> on RC1 I 
have ip multicast-routing and ip pim rp-address 172.16.103.237. >> >> If I connect with a laptop in a port in RC1 multicast works. >> >> in RD1 I have: >> >> ip pim rp-address 172.16.103.237 >> ip pim vrf vrf_business rp-address 172.16.103.237 >> ip pim vrf vrf_default_1 rp-address 172.16.103.237 >> ip pim vrf vrf_default_2 rp-address 172.16.103.237 >> ip pim vrf vrf_default_3 rp-address 172.16.103.237 >> ip pim vrf vrf_default_4 rp-address 172.16.103.237 >> >> (VRF business takes default route from vrf_default_3) >> >> >> What am I missing or what would be the workaround in my case of setup ? >> >> >> >> Thanks and sorry for the long post, >> Mihai >> Arie Vayner (avayner) wrote: >>> Hmm... >>> >>> Could you share some "show ip mroute" and "show ip mroute count" >>> outputs >>> both for global and vrf mode on router C? >>> >>> First thing to check would be the RPF path for the source - do you have >>> a route back to the source through all the interfaces on router C? >>> >>> Arie >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai Tanasescu >>> Sent: Tuesday, July 08, 2008 20:55 PM >>> To: cisco-nsp at puck.nether.net >>> Subject: [c-nsp] VRF-Lite & Multicast question >>> >>> Hello all, >>> >>> >>> >>> I have just started studying multicast for accomplishing a task that >>> I've been giving and don't know where / what I am doing wrong. >>> >>> >>> My setup is something like the following: >>> >>> >>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C >>> (vrf-lite) >>> >>> >>> between Router B and Router C I have 5 links (4 are vrf-lite in >>> Router C, the 5th is in the global table and use for MPLS ldp). >>> >>> >>> I have configured on each router: >>> ip multicast-routing (in C for example for both global and VRF) , ip >>> pim >>> >>> sparse-dense-mode on interfaces and the RP. 
>>> >>> >>> If I connect with a cable in Router A I can view the multicast stream. >>> Same if I connect in Router B. >>> >>> >>> But in Router C it doesn't work (neither in the global table, >>> neither in >>> >>> the VRFs from vrf-lite implementation). >>> >>> >>> Can you help with an advice or what I could be doing wrong ? (I'm >>> just a >>> >>> beginner/newbie when it comes to mcast) >>> >>> >>> >>> Thanks, >>> Mihai >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> >> > > From k.vdh at solcon.nl Thu Jul 10 08:41:36 2008 From: k.vdh at solcon.nl (Koen) Date: Thu, 10 Jul 2008 14:41:36 +0200 Subject: [c-nsp] High temperatures on cisco 6504-E chassis In-Reply-To: <86ej62szp9.fsf@seastrom.com> References: <4875DA5B.5060001@solcon.nl> <86ej62szp9.fsf@seastrom.com> Message-ID: <48760380.2090703@solcon.nl> Hi Robert, I didn't read anything about this but if i look at some others chassis like a 6509 the in- and outlet temps are higher but the asic temps are 31C. Could it be the fan-tray of a 6504-e isn't powerfull enough to cool the chassis? Thanks, Koen Robert E. Seastrom wrote: > Koen writes: > >> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 >> WS-X6748-GE-TX and we see that the asic temperature is always higher >> then 40C which is the max operational temperature according to the >> docs. > > The max operational temperature quoted in documentation is almost > always ambient (or inlet) temperature, not the temperature of any > particular hot spot on the board. At 30c inlet, you're well within > spec. Is there something you have read that leads you to believe > things are different in this case? Can you point me there if so? 
> > -r > > From SPfister at dps.k12.oh.us Thu Jul 10 08:58:26 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Thu, 10 Jul 2008 08:58:26 -0400 Subject: [c-nsp] Question on 7204vxr modules Message-ID: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> We have a 7204vxr currently in use as our border router. As part of a transition of our upstream bandwidth from an ATM connection to gigabit Ethernet, we need to replace some of the modules. The router currently has a PA-A6-OC3MM module connecting to our service provider (in the lower right slot). The IO controller has 2 FE/E ports (don't have the part number). We want to replace the IO controller with a c7200-I/O-GE+E and the other module with a PA-GE. Our questions are: - As a first step, we're going to replace the I/O controller with the new one using a FE GBIC, and put the PA-GE in along with the PA-A6-OC3MM until its time to cut over to gigabit Ethernet. Is there any restrictions on where we can put the PA-GE during this time? Can it be any slot? - Where is the configuration stored? Is it on the flash card? When we put the new IO controller in, can we just move the flash card over? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From cchurc05 at harris.com Thu Jul 10 09:18:22 2008 From: cchurc05 at harris.com (Church, Charles) Date: Thu, 10 Jul 2008 08:18:22 -0500 Subject: [c-nsp] C3560 show version memory values In-Reply-To: <200807101923.16998.mtinka@globaltransit.net> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <200807101923.16998.mtinka@globaltransit.net> Message-ID: I just checked a couple 3550s with that version, they look fine. Guess it's a 3560/3750 thing only. 
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka Sent: Thursday, July 10, 2008 7:23 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] C3560 show version memory values On Thursday 10 July 2008 06:03:31 Jose Leitao wrote: > Today I upgraded a 3560 to > c3560-advipservicesk9-mz.122-44.SE2, and looking at the > output of show version, I noticed something rather > peculiar: > > "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) > with 0K/8184K bytes of memory" > > Should this be a concern?, I couldn't find anything > related to this, is this a bug? We are seeing the same issue on our 3560G's running the same code. Mark. From SPfister at dps.k12.oh.us Thu Jul 10 09:21:01 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Thu, 10 Jul 2008 09:21:01 -0400 Subject: [c-nsp] Question on mystery VOIP traffic Message-ID: <4875D485.9E6F.00B8.0@dps.k12.oh.us> I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it. In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. The head of telecom here isn't aware of anything that might cause that. Is this normal for VOIP? Thanks! 
Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us From cchurc05 at harris.com Thu Jul 10 09:26:25 2008 From: cchurc05 at harris.com (Church, Charles) Date: Thu, 10 Jul 2008 08:26:25 -0500 Subject: [c-nsp] High temperatures on cisco 6504-E chassis In-Reply-To: <48760380.2090703@solcon.nl> References: <4875DA5B.5060001@solcon.nl><86ej62szp9.fsf@seastrom.com> <48760380.2090703@solcon.nl> Message-ID: How long ago were the switches installed? Is it possible there is an accumulation of dust on the module/ASICs? Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen Sent: Thursday, July 10, 2008 8:42 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] High temperatures on cisco 6504-E chassis Hi Robert, I didn't read anything about this but if i look at some others chassis like a 6509 the in- and outlet temps are higher but the asic temps are 31C. Could it be the fan-tray of a 6504-e isn't powerfull enough to cool the chassis? Thanks, Koen Robert E. Seastrom wrote: > Koen writes: > >> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 >> WS-X6748-GE-TX and we see that the asic temperature is always higher >> then 40C which is the max operational temperature according to the >> docs. > > The max operational temperature quoted in documentation is almost > always ambient (or inlet) temperature, not the temperature of any > particular hot spot on the board. At 30c inlet, you're well within > spec. Is there something you have read that leads you to believe > things are different in this case? Can you point me there if so? 
> > -r > > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mmoerman at ebay.com Thu Jul 10 09:29:58 2008 From: mmoerman at ebay.com (Maarten Moerman) Date: Thu, 10 Jul 2008 15:29:58 +0200 Subject: [c-nsp] High temperatures on cisco 6504-E chassis In-Reply-To: Message-ID: Hi Charles, (i'm a colleague) , we've just installed them, fresh new suite, fresh new cisco's. There's also no production traffic on it yet, just testing at this moment. I think they've been up for little over a month. There's no blocking in airflow, also seems that inlet temps that the cisco is reporting, is not the temp we see when using a temp reader in front of the chassis (10C difference) Maybe it's the fact that these are sup720-3cxl-10ge , with X2 modules installed (which also seem to get hot, 41C), and this packed in a small chassis.... Just looking for answers from somebody who has similar experience with the 6504 chassis. Maarten On 7/10/08 3:26 PM, "Church, Charles" wrote: > How long ago were the switches installed? Is it possible there is an > accumulation of dust on the module/ASICs? > > Chuck > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Koen > Sent: Thursday, July 10, 2008 8:42 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] High temperatures on cisco 6504-E chassis > > > Hi Robert, > > I didn't read anything about this but if i look at some others chassis > like a 6509 the in- and outlet temps are higher but the asic temps are > 31C. Could it be the fan-tray of a 6504-e isn't powerfull enough to cool > > the chassis? > Thanks, > > Koen > > > Robert E. 
Seastrom wrote: >> Koen writes: >> >>> We got 2 WS-C6504-E chassis both with 1 sup 7203CXL and 2 >>> WS-X6748-GE-TX and we see that the asic temperature is always higher >>> then 40C which is the max operational temperature according to the >>> docs. >> >> The max operational temperature quoted in documentation is almost >> always ambient (or inlet) temperature, not the temperature of any >> particular hot spot on the board. At 30c inlet, you're well within >> spec. Is there something you have read that leads you to believe >> things are different in this case? Can you point me there if so? >> >> -r >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mihai at duras.ro Thu Jul 10 09:57:58 2008 From: mihai at duras.ro (Mihai Tanasescu) Date: Thu, 10 Jul 2008 16:57:58 +0300 Subject: [c-nsp] VRF-Lite & Multicast question In-Reply-To: <48760427.6050107@duras.ro> References: <4873A9FC.2020109@duras.ro> <67F7C1FAF83A074AA3520D8F155782A501911616@xmb-ams-331.emea.cisco.com> <4875E197.8050607@duras.ro> <4875E609.2070404@duras.ro> <48760427.6050107@duras.ro> Message-ID: <48761566.8080506@duras.ro> Hello again, I fixed it like this: ip mroute vrf vrf_business 172.16.103.237 255.255.255.255 fallback-lookup global ip mroute vrf vrf_default_3 172.16.103.237 255.255.255.255 fallback-lookup global (global table is the one with MPLS also activated) But why doesn't it work via the VRF ? 
(from the VRFs business and default_3 I can ping 172.16.103.237...via the default gateway; I don't have a specific route) Cheers, Mihai Mihai Tanasescu wrote: > Mihai Tanasescu wrote: >> Hello again, >> >> >> >> On a closer look I see for example: >> >> >> on RC1: >> RO-BUC-RC1#sh ip pim neighbor >> PIM Neighbor Table >> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR >> Priority, >> P - Proxy Capable, S - State Refresh Capable >> Neighbor Interface Uptime/Expires Ver DR >> Address >> Prio/Mode >> 195.170.181.18 POS2/0/0 3d00h/00:01:31 v2 1 >> / S P >> 195.170.181.158 GigabitEthernet7/6 2d22h/00:01:33 v2 1 >> / DR S P >> 195.170.181.54 GigabitEthernet7/3 2d22h/00:01:44 v2 1 >> / DR S P >> 195.170.181.58 GigabitEthernet7/4 2d22h/00:01:28 v2 1 >> / DR S P >> 195.170.181.170 GigabitEthernet7/2 00:02:53/00:01:18 v2 1 >> / DR S P >> 195.170.181.146 GigabitEthernet7/5 00:02:59/00:01:43 v2 1 >> / DR S P >> >> on the RD1 (vrf-lite directly connected to this)..choosing one VRF >> for which I see an entry above on RC1 for neighbor: >> >> RO-BUC-RD1#sh ip pim vrf vrf_business neighbor >> PIM Neighbor Table >> Mode: B - Bidir Capable, DR - Designated Router, N - Default DR >> Priority, >> P - Proxy Capable, S - State Refresh Capable >> Neighbor Interface Uptime/Expires Ver DR >> Address >> Prio/Mode >> >> >> I think the problem might be from here but don't know how to fix it :( > > I was wrong. > > If I try the same on the vrf_default_3 (the gateway obtained by route > leaking for vrf_business), then I can see the pim neighborship relation. > > With a tcpdump on my linux machine with VLC I can see the IGMP v2 > report messages but no reply whatsoever. > > > Any help ? 
> > > >> >> >> - >> Mihai >> >> Mihai Tanasescu wrote: >>> Hi Arie, >>> >>> >>> >>> Sorry for top posting but I guess this time it will be easier as >>> your answer was also above mine:) >>> >>> This is my network topology and schematic: >>> http://www.screenshots.cc/show.php/15014_draft.jpeg.html >>> >>> Router C (in my schema RD-1): >>> >>> RO-BUC-RD1#sh ip mroute count >>> IP Multicast Statistics >>> 1 routes using 544 bytes of memory >>> 1 groups, 0.00 average sources per group >>> Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits >>> per second >>> Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc) >>> >>> Group: 224.0.1.40, Source count: 0, Packets forwarded: 0, Packets >>> received: 0 >>> >>> >>> RO-BUC-RD1#sh ip mroute >>> >>> Outgoing interface flags: H - Hardware switched, A - Assert winner >>> Timers: Uptime/Expires >>> Interface state: Interface, Next-Hop or VCD, State/Mode >>> >>> (*, 224.0.1.40), 2d22h/00:02:15, RP 172.16.103.237, flags: SJPCL >>> Incoming interface: GigabitEthernet1/24, RPF nbr 195.170.181.157 >>> Outgoing interface list: Null >>> >>> On one of the VRFs: >>> >>> http://www.pastebin.org/50188 >>> http://www.pastebin.org/50190 >>> >>> On all interfaces interconnecting RC1 and RD1 I have: >>> >>> ip pim sparse-dense mode >>> >>> on RC1 I have ip multicast-routing and ip pim rp-address >>> 172.16.103.237. >>> >>> If I connect with a laptop in a port in RC1 multicast works. >>> >>> in RD1 I have: >>> >>> ip pim rp-address 172.16.103.237 >>> ip pim vrf vrf_business rp-address 172.16.103.237 >>> ip pim vrf vrf_default_1 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_2 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_3 rp-address 172.16.103.237 >>> ip pim vrf vrf_default_4 rp-address 172.16.103.237 >>> >>> (VRF business takes default route from vrf_default_3) >>> >>> >>> What am I missing or what would be the workaround in my case of setup ? 
>>> >>> >>> >>> Thanks and sorry for the long post, >>> Mihai >>> Arie Vayner (avayner) wrote: >>>> Hmm... >>>> >>>> Could you share some "show ip mroute" and "show ip mroute count" >>>> outputs >>>> both for global and vrf mode on router C? >>>> >>>> First thing to check would be the RPF path for the source - do you >>>> have >>>> a route back to the source through all the interfaces on router C? >>>> >>>> Arie >>>> -----Original Message----- >>>> From: cisco-nsp-bounces at puck.nether.net >>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mihai >>>> Tanasescu >>>> Sent: Tuesday, July 08, 2008 20:55 PM >>>> To: cisco-nsp at puck.nether.net >>>> Subject: [c-nsp] VRF-Lite & Multicast question >>>> >>>> Hello all, >>>> >>>> >>>> >>>> I have just started studying multicast for accomplishing a task that >>>> I've been giving and don't know where / what I am doing wrong. >>>> >>>> >>>> My setup is something like the following: >>>> >>>> >>>> RP ---> Router A --- iBGP ---> Router B --- eBGP --> Router C >>>> (vrf-lite) >>>> >>>> >>>> between Router B and Router C I have 5 links (4 are vrf-lite in >>>> Router C, the 5th is in the global table and use for MPLS ldp). >>>> >>>> >>>> I have configured on each router: >>>> ip multicast-routing (in C for example for both global and VRF) , >>>> ip pim >>>> >>>> sparse-dense-mode on interfaces and the RP. >>>> >>>> >>>> If I connect with a cable in Router A I can view the multicast stream. >>>> Same if I connect in Router B. >>>> >>>> >>>> But in Router C it doesn't work (neither in the global table, >>>> neither in >>>> >>>> the VRFs from vrf-lite implementation). >>>> >>>> >>>> Can you help with an advice or what I could be doing wrong ? 
(I'm >>>> just a >>>> >>>> beginner/newbie when it comes to mcast) >>>> >>>> >>>> >>>> Thanks, >>>> Mihai >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> >>> >> >> > > From drew.weaver at thenap.com Thu Jul 10 10:13:01 2008 From: drew.weaver at thenap.com (Drew Weaver) Date: Thu, 10 Jul 2008 10:13:01 -0400 Subject: [c-nsp] Earl NDE Task (sup 720) Message-ID: Was there some point in the software versions for the Cat6500 where the Earl NDE Task process suddenly began using hardly any CPU utilization? We have 6 catalyst 6500s, 2 of them are farly new, and 4 of them are fairly old, all of them have almost equal load and netflow is configured exactly the same. The only difference being the version of IOS. There is about a 15% CPU utilization difference in that task. On a one with older code it hangs at around 15-17%, on a one with newer code it is 0-1%. Does anyone have any insight on this? -Drew From mtinka at globaltransit.net Thu Jul 10 10:18:37 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 10 Jul 2008 22:18:37 +0800 Subject: [c-nsp] Question on 7204vxr modules In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> Message-ID: <200807102218.41850.mtinka@globaltransit.net> On Thursday 10 July 2008 20:58:26 Steven Pfister wrote: > - As a first step, we're going to replace the I/O > controller with the new one using a FE GBIC, and put the > PA-GE in along with the PA-A6-OC3MM until its time to cut > over to gigabit Ethernet. Is there any restrictions on > where we can put the PA-GE during this time? Can it be > any slot? - In a non-NPE-G1/G2 deployment, I/O controllers consume bandwidth points, and form part of the "left side" of the router. If I understand you correctly, you currently have a C7200-I/O-2FE/E installed. 
This consumes 400 bandwidth points on the left side of the router. When you upgrade to the C7200-I/O-GE+E as planned, you will also consume 400 bandwidth points on the left side of the router. From your explanation, your PA-A6-OC3MM is installed in slot 2 of the router. This consumes 300 bandwidth points on the right side of the router. A PA-GE consumes 400 bandwidth points. With 400 bandwidth points on your left handside, and 300 bandwidth points on your right handside, you're left with 200 bandwidth points and 300 bandwidth points to play with, respectively (i.e., a Cisco-supported configuration). Installing the PA-GE would overflow the supported configuration by 200 points on the left side, and 100 points on the right side. My recommendation (if it is at all feasible in your network, of course) would be to keep the C7200-I/O-2FE/E and only enable one Ethernet port. This counts as half and the router would only use 200 points on the left handside, rather than 400 - this is a Cisco supported configuration as long as this condition is maintained, i.e., one of the Ethernet interfaces is administratively shutdown. This way, you can install the PA-GE on the left handside of the router and be within the supported values for that side, i.e., 600 bandwidth points. If you really do need the Gig-E-based I/O controller, then you may consider oversubscribing the bus accordingly. We have previously been in situations where we had no choice but to do this, but only because it was a temporary hack. > Where is the configuration stored? The configuration is typically stored in NVRAM on the I/O controller. > Is it on > the flash card? No (although it can be). The PCMCIA flash card will typically hold the IOS image. > When we put the new IO controller in, can > we just move the flash card over? It would be best if you pre-configured the new I/O controller and told it where to find the new IOS, as you plan to re-use the existing PCMCIA flash card. 
Here, you're basically setting the Boot environment: conf t boot system flash ... You would also need to pre-load the 'startup-configuration' file onto the new I/O controller, and adjust it accordingly, e.g., FastEthernet to GigabitEthernet configurations, etc. Hope this helps. Cheers, Mark. From cchurc05 at harris.com Thu Jul 10 10:22:26 2008 From: cchurc05 at harris.com (Church, Charles) Date: Thu, 10 Jul 2008 09:22:26 -0500 Subject: [c-nsp] Question on mystery VOIP traffic In-Reply-To: <4875D485.9E6F.00B8.0@dps.k12.oh.us> References: <4875D485.9E6F.00B8.0@dps.k12.oh.us> Message-ID: Not really sure what you mean by 'once per day', might make more sense if you had a graph of it, NetFlow would be real useful. That said, if you think the traffic is all VoIP, it could be something as simple as a scheduled conference call that occurs at the same time creating so much traffic. If you've got access to the call detail reports from the PBX, you could probably find that there. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Thursday, July 10, 2008 9:21 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Question on mystery VOIP traffic I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it. In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice.
The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that that I've seen, is at the beginning of last month, the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week. The head of telecom here isn't aware of anything that might cause that. Is this normal for VOIP? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jlewis at lewis.org Thu Jul 10 10:23:23 2008 From: jlewis at lewis.org (Jon Lewis) Date: Thu, 10 Jul 2008 10:23:23 -0400 (EDT) Subject: [c-nsp] C3560 show version memory values In-Reply-To: <200807101923.16998.mtinka@globaltransit.net> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <200807101923.16998.mtinka@globaltransit.net> Message-ID: On Thu, 10 Jul 2008, Mark Tinka wrote: > On Thursday 10 July 2008 06:03:31 Jose Leitao wrote: > >> Today I upgraded a 3560 to >> c3560-advipservicesk9-mz.122-44.SE2, and looking at the >> output of show version, I noticed something rather >> peculiar: >> >> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) >> with 0K/8184K bytes of memory" > > We are seeing the same issue on our 3560G's running the same > code. The good news is, it's obviously a "display" bug, since if there was 0 processor memory, you wouldn't be able to do a show ver. I noticed this one yesterday, and didn't post about it because I saw others had also recently noticed it and posted about it elsewhere. 
On 3550's: 30 second input rate 0 bits/sec, 0 packets/sec 30 second ouxtput rate 0 bits/sec, 0 packets/sec It seems to only contain the typo when the rate is 0. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From harbor235 at gmail.com Thu Jul 10 10:24:54 2008 From: harbor235 at gmail.com (Mike Johnson) Date: Thu, 10 Jul 2008 10:24:54 -0400 Subject: [c-nsp] GPON In-Reply-To: References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <4874E6C8.7050504@thewybles.com> <836bf1f90807090944m1549014fx882c56fa8962b4f3@mail.gmail.com> Message-ID: <836bf1f90807100724y18502fe1r4f8321a7138adf41@mail.gmail.com> This is what I am talking about. http://www.networkworld.com/news/2008/053008-verizon-fios.html mike j On 7/10/08, Ziv Leyes wrote: > > What the f.... are you all talking about??? Can you explain? > PON, GPON, BPON, APON.... (?!?!?!?!?) > > My friend knows something about Judo and he says IPPON always win... :-) > > I guess I'll have to google it a bit... > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson > Sent: Wednesday, July 09, 2008 7:44 PM > To: Charles N Wyble > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] GPON > > Charles, > > APON vs GPON > > Verizon is installing GPON via there FIOS product in the east as of 2008, > previously they were installing > BPON. I cannot speak of the other providers > > PROs and CONs for deploying GPON to the desktop for a large CAN > > Power savings yes for the passive equipment but the OLTs and ONT/ONUs do > require power as well > as the managemnet systems required to provision.monitor etc .. > > Would it save power if there were no access switches in the mix? 
Instead of > aggregating > users to access switches build a PON, power requirements are then pushed to > the desktop. > Is this a better solution? does it really save power? increase/decrease > cost per port? > > thanx for the input > > harbor235 ;} > > > On 7/9/08, Charles N Wyble wrote: > > > > > > > > Hope the resource recommendation helps. :) > > > > Charles Wyble > > > > Mike Johnson wrote: > > > Does anybody have any GPON experience on the list? > > > > > I don't have any hands on experience with GPON or any PON as of yet > > unfortunately. APON is sweeping the United States. Wish they had gone > > with E/G PON. Ah well. > > > If so I am looking for Pros and Cons for implementing this for the CAN. > > > > > > > Pros and Cons of PON vs what? You looking to provide broadband to end > > users? What type of area (rural/suburban/cbd)? Etc. > > > > > Is there a power savings or the power requirement just pushed out to > the > > > desktop? > > > > > Well there are certainly power savings as the equipment is passive. Are > > you looking to deploy this in a service provider environment (I presume > > you are based on the nature of this list), or in an internal enterprise > > network (you mention pushing power out to the desktop). > > > > > hardware required to build a PON? OLTs, ONT/ONUs, splitters? > > > > > > > I just read a fantastic book on EPON and highly recommend it. It covers > > various other standards etc (including GPON). > > Amazon link: *http://tinyurl.com/5okll7 > > *I checked it out from the Los Angeles Public Library. So your local > > library may have it as well. Or I suppose your company could purchase > > it. Might be available on Safari. > > > > > > > How is GPON managed? > > > Pice comparisons? 
> > > > > > Basically whatever info you have outside the classic definition, > > > harbor235 ;} > > > > -- > > Charles N Wyble (818) 280-7059 > > http://charlesnw.blogspot.com > >
> > ************************************************************************************ > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From kyork at cisco.com Thu Jul 10 10:31:48 2008 From: kyork at cisco.com (Kyle York) Date: Thu, 10 Jul 2008 07:31:48 -0700 Subject: [c-nsp] C3560 show version memory values In-Reply-To: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> Message-ID: <48761D54.4080003@cisco.com> Greetings, Jose Leitao wrote: > Hi everyone, > > Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and > looking at the output of show version, I noticed something rather > peculiar: > > "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with > 0K/8184K bytes of memory" > > Should this be a concern?, I couldn't find anything related to this, > is this a bug? It's solely a display issue affecting the 3560/3750 and a few others -- nothing to worry about. I believe the fix will be in 12.2(46)SE. -- Kyle A. York Sr. Subordinate Grunt From jay at west.net Thu Jul 10 09:58:08 2008 From: jay at west.net (Jay Hennigan) Date: Thu, 10 Jul 2008 06:58:08 -0700 Subject: [c-nsp] Question on mystery VOIP traffic In-Reply-To: <4875D485.9E6F.00B8.0@dps.k12.oh.us> References: <4875D485.9E6F.00B8.0@dps.k12.oh.us> Message-ID: <48761570.4060005@west.net> Steven Pfister wrote: > I'm trying to track down the source of some strange traffic patterns in our network. All of our remote sites have VOIP from a remote PBX to a central PBX at our main facility. All of this was set up before I got here, and I have very little contact with it. 
> In checking out the strange traffic, I notice that several of these sites show a rather large amount of outgoing (from the site) UDP traffic to the central site with port numbers usually in the 15k to 20k range, all involving addresses and interfaces associated with voice. The amount of data transferred seems to be fairly large (one of the larger sites is sending 5.5 to 6gb per day), and is usually fairly steady throughout the day, 24x7. One exception to that I've seen is at the beginning of last month, when the 5.5gb seemed to be once a day rather than spread out, but that was only for the first week.

A single RTP stream (one phone call) using a G.711 codec is roughly 80 kbits per second, which if left off-hook all day would wind up at about 7 gigabits per day of RTP traffic. SIP, SCCP, MGCP or other signaling would add a small amount for call setup/teardown, message lights, and overhead.

A site with several users making and receiving phone calls during business hours, adding up to about 20 to 24 call-hours a day, would generate the same traffic. If the PBX is streaming music-on-hold or other constant RTP of some sort 24/7 this would do it as well, as would rogue RTP streams from a call that didn't tear down correctly.

The curious thing in your case is that the traffic is unidirectional from the site. RTP is generally symmetrical.

Ethereal/Wireshark has the ability to capture and decode RTP and play it back as audio (in stereo) if you need to dig into it.
-- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From jleitao.l at gmail.com Thu Jul 10 11:10:09 2008 From: jleitao.l at gmail.com (Jose Leitao) Date: Thu, 10 Jul 2008 17:10:09 +0200 Subject: [c-nsp] C3560 show version memory values In-Reply-To: <48761D54.4080003@cisco.com> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <48761D54.4080003@cisco.com> Message-ID: <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com> Hi, Thanks everyone for the replies, does anyone have the Cisco Bug ID? Thanks, JL On Thu, Jul 10, 2008 at 4:31 PM, Kyle York wrote: > Greetings, > > Jose Leitao wrote: >> >> Hi everyone, >> >> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and >> looking at the output of show version, I noticed something rather >> peculiar: >> >> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with >> 0K/8184K bytes of memory" >> >> Should this be a concern?, I couldn't find anything related to this, >> is this a bug? > > It's solely a display issue affecting the 3560/3750 and a few others -- > nothing to worry about. I believe the fix will be in 12.2(46)SE. > > -- > Kyle A. York > Sr. Subordinate Grunt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rblayzor.bulk at inoc.net Thu Jul 10 10:39:29 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Thu, 10 Jul 2008 10:39:29 -0400 Subject: [c-nsp] Question on 7204vxr modules In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> Message-ID: On Jul 10, 2008, at 8:58 AM, Steven Pfister wrote: > The router currently has a PA-A6-OC3MM module connecting to our > service provider (in the lower right slot). 
> The IO controller has 2 FE/E ports (don't have the part number). We want to replace the IO controller with a c7200-I/O-GE+E and the other module with a PA-GE. Our questions are:

If you're looking at a GE IO controller and a Gig-E PA, you're best suited to just upgrade the NPE to a G1 or G2 and skip the IO controller and PA installation. What you're currently planning to do is not a supported configuration no matter what slots you choose.

-- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/

From howard at leadmon.net Thu Jul 10 11:23:59 2008 From: howard at leadmon.net (Howard Leadmon) Date: Thu, 10 Jul 2008 11:23:59 -0400 Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play? Message-ID: <00f701c8e2a0$fcefae30$f6cf0a90$@net>

I just happened to end up with a CE-590 falling into my hands, so figured I'd try and learn a little about it. In my network here I have a PIX-515 firewall running the 8.x code base. On the Content Engine I loaded up the latest ACNS 5.5.x code for it.

Looking at the various docs, it seems like almost a no-brainer to set this thing up to use WCCP, so off I went. I put in the configs on both the CE and PIX and it showed the GRE tunnel was up and happy. Still it doesn't seem to be caching pages from what I can see on the CE. I went to a webserver I control at a remote location, as according to the docs it will actually show the requesting IP as coming from the cache-engine, plus I would assume on successive page reloads it would get it from the CE, not keep asking the remote web-server. Which is not the case; funny though, as if I told the CE I wanted HTTP auth to access things, it sure enforced that.

On the CE I have the following in the config:

  !
  http proxy incoming 80
  !
  wccp router-list 1 xx.xx.xx.xx   (xx is the IP address of the PIX)
  wccp web-cache router-list-num 1
  wccp version 2
  !

On the PIX I have the following:

  !
  wccp web-cache
  wccp interface LAN web-cache redirect in
  !

Where of course LAN is my inside interface on my network.

Maybe I am missing something, but from all I can find, making the two talk WCCP to each other to cache web requests looks like it should be that simple. As I am not having much luck, I figured I'd see if anyone here has worked with this combination before, and what you did to get it all going.

--- Howard Leadmon

From Loc.Pham at ucsfmedctr.org Thu Jul 10 11:54:36 2008 From: Loc.Pham at ucsfmedctr.org (Pham, Loc) Date: Thu, 10 Jul 2008 08:54:36 -0700 Subject: [c-nsp] Link flap on 3550-12G Message-ID: <81EB7EB41E41834BA4C9EDE1F56980A303192E7F@exmcb03.ucsfmedicalcenter.org>

Greetings, Time for RMA? The uplink is basic P2P L3 routing....

  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
  1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
  1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

  350par1-DIST2-R2# sh ver | i IOS
  IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
  350par1-DIST2-R2#

Regards, Loc Pham, CCIE # 17030 - Sr.
Network Staff, IT Network Architecture & Security, UCSF Medical Center Office 415-353-4492 From kyork at cisco.com Thu Jul 10 12:13:50 2008 From: kyork at cisco.com (Kyle York) Date: Thu, 10 Jul 2008 09:13:50 -0700 Subject: [c-nsp] C3560 show version memory values In-Reply-To: <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com> References: <10d3a0eb0807091503m72c48c3akd7e21dfa57052a0b@mail.gmail.com> <48761D54.4080003@cisco.com> <10d3a0eb0807100810m7cf1e536y4cf1389c4e0c3b8a@mail.gmail.com> Message-ID: <4876353E.2090404@cisco.com> Greetings, Jose Leitao wrote: > Hi, > > Thanks everyone for the replies, does anyone have the Cisco Bug ID? CSCsq70343. I don't think it's viewable outside yet, but am looking for the process to make it so. With any luck it will be viewable in the next day or so. > > Thanks, > JL > > On Thu, Jul 10, 2008 at 4:31 PM, Kyle York wrote: >> Greetings, >> >> Jose Leitao wrote: >>> Hi everyone, >>> >>> Today I upgraded a 3560 to c3560-advipservicesk9-mz.122-44.SE2, and >>> looking at the output of show version, I noticed something rather >>> peculiar: >>> >>> "cisco WS-C3560-24PS (PowerPC405) processor (revision N0) with >>> 0K/8184K bytes of memory" >>> >>> Should this be a concern?, I couldn't find anything related to this, >>> is this a bug? >> It's solely a display issue affecting the 3560/3750 and a few others -- >> nothing to worry about. I believe the fix will be in 12.2(46)SE. >> >> -- >> Kyle A. York >> Sr. Subordinate Grunt >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Kyle A. York Sr. 
Subordinate Grunt BU formerly known as DS

From christian at broknrobot.com Thu Jul 10 12:18:12 2008 From: christian at broknrobot.com (Christian Koch) Date: Thu, 10 Jul 2008 12:18:12 -0400 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> Message-ID:

That I can't answer... it just sounded like you were implying a VRF needed firewall service, which is what was confusing me. But FWSM scales to 4 per chassis, which is 2000 contexts, 20 Gbps throughput... 'on paper'. IOS FW is VRF-aware as well, and 7200 makes for a great CE device.

On Thu, Jul 10, 2008 at 5:40 AM, Benny Amorsen wrote:
> "Pavel Skovajsa" writes:
> > What if the service provider wants to provide centralized firewalled
> > internet connection to those customers?
>
> Exactly. There must be many ISPs which offer hosted firewalls and Internet access for their MPLS customers. But how? None of the solutions seem to scale.
>
> /Benny
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-- ^christian$

From icox at cisco.com Thu Jul 10 12:22:15 2008 From: icox at cisco.com (Ian Cox) Date: Thu, 10 Jul 2008 09:22:15 -0700 Subject: [c-nsp] Earl NDE Task (sup 720) In-Reply-To: References: Message-ID: <200807101623.m6AGNCDa021664@sj-core-5.cisco.com>

In 12.2(18)SXE code, for PFC-switched packets the SP sends the packets out via inband rather than sending them to the RP. So changing to 12.2(18)SXE or a higher release reduces the RP CPU for PFC-switched traffic, but increases the SP CPU load slightly. So the fairly old ones I guess are running 12.2(18)SXD or earlier code.
Ian At 10:13 AM 7/10/2008 -0400, Drew Weaver wrote: >Was there some point in the software versions for the Cat6500 where >the Earl NDE Task process suddenly began using hardly any CPU utilization? > >We have 6 catalyst 6500s, 2 of them are farly new, and 4 of them are >fairly old, all of them have almost equal load and netflow is >configured exactly the same. The only difference being the version >of IOS. There is about a 15% CPU utilization difference in that task. > >On a one with older code it hangs at around 15-17%, on a one with >newer code it is 0-1%. > >Does anyone have any insight on this? > >-Drew > >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From streiner at cluebyfour.org Thu Jul 10 12:31:47 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 10 Jul 2008 12:31:47 -0400 (EDT) Subject: [c-nsp] Question on 7204vxr modules In-Reply-To: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> References: <4875CF37.9E6F.00B8.0@dps.k12.oh.us> Message-ID: On Thu, 10 Jul 2008, Steven Pfister wrote: > We have a 7204vxr currently in use as our border router. As part of a > transition of our upstream bandwidth from an ATM connection to gigabit > Ethernet, we need to replace some of the modules. > > The router currently has a PA-A6-OC3MM module connecting to our service > provider (in the lower right slot). The IO controller has 2 FE/E ports > (don't have the part number). We want to replace the IO controller with > a c7200-I/O-GE+E and the other module with a PA-GE. Our questions are: > > - As a first step, we're going to replace the I/O controller with the > new one using a FE GBIC, and put the PA-GE in along with the PA-A6-OC3MM > until its time to cut over to gigabit Ethernet. Is there any > restrictions on where we can put the PA-GE during this time? Can it be > any slot? 
> - Where is the configuration stored? Is it on the flash card? When we put the new IO controller in, can we just move the flash card over?

You don't mention what type of processor engine you're using, so there are a number of caveats to consider.

You will not get anywhere close to line-rate out of a PA-GE, regardless of what processor you're using. It's a limitation of the PCI buses on that platform. If you need closer to gig-e line-rate on a VXR, you really want to replace the processor blade with an NPE-G1 or NPE-G2; plus those processors have compact flash slots for storing images and so forth.

Also note that many processors for the 7200/VXR are at or near the end of their life cycle, so getting support may be an issue, should you need it. In fact, everything except the NPE-G1 and G2 is at least end-of-sale now - the NPE-400 went end-of-sale earlier this year and most of the rest are already end-of-life/support.

The config is stored in NVRAM, which I think is on the NPE, but you still need a flash/CF slot available to hold IOS images, crash dumps, etc. If you're running an older NPE, like a 225, 300, 400 or NSE-1, I don't think those have built-in flash/CF slots, so you'd still need an I/O controller for its flash slot.

The VXRs have two PCI busses: one covers slots 0/1/3/5 and the other covers slots 2/4/6. Each bus is limited to 600 'bandwidth points', so any configuration of port adapters is valid as long as each bus stays under 600 points. That can be tricky. A PA-GE is 400 points by itself. That's another reason to look at an NPE-G1 or G2: it has built-in GE ports, so they don't touch the PCI busses and are not subject to the bandwidth point limitations like the PA slots.
jms

From david.freedman at uk.clara.net Thu Jul 10 13:07:32 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 10 Jul 2008 18:07:32 +0100 Subject: [c-nsp] 12.0(33)S - bug in "show ip bgp" Message-ID:

Not having much luck finding this in bugtool/release notes (although I'm aware of what is fixed in 33S1, until I find this one I have no idea if an upgrade will help):

  router#sh ip bgp vpnv4 all | in :
  Route Distinguisher: 1234:9989
  Route Distinguisher: 1234:9990
  Route Distinguisher: 1234:9991
  Route Distinguisher: 1234:9992
  Route Distinguisher: 1234:9993
  Route Distinguisher: 1234:9995
  router#show ip bgp vpnv4 rd 1234:9998
  %Unknown RD
  router#show ip bgp vpnv4 rd 1234:9990
  %Unknown RD
  router#show ip bgp vpnv4 rd 1234:9991
  %Unknown RD
  router#show ip bgp vpnv4 rd 1234:9992
  %Unknown RD

Anybody from cisco on here know the bugID for this?

From darius4cisco at gmail.com Thu Jul 10 15:25:11 2008 From: darius4cisco at gmail.com (Darius L) Date: Thu, 10 Jul 2008 20:25:11 +0100 Subject: [c-nsp] PBR on 6500 Message-ID: <828277080807101225x7f654c0axb0bdfb62a1e6f4e2@mail.gmail.com>

Hello All,

I have a question about policy based routing on Cat6500. I want to split HTTP traffic and route it through a proxy and route the rest of the traffic straight to the internet. The only thing that worries me is whether a 6500 with sup720 will be powerful enough to route 1-10Gbps of traffic with PBR. I know that sup720 does PBR in hardware (PFC), but I want to match with an ACL on destination port, so it will be an L4 decision, and I'm not sure whether it will forward in hardware or fall back to process switching.

My configuration would look like this:

  access-list 123 permit tcp any any eq 80
  access-list 123 permit tcp any any eq 443
  access-list 123 permit tcp any any eq ftp
  !
  route-map WEB permit 10
   match ip address 123
   set ip next-hop 1.2.3.4
  !
  interface Vlan123
   ! the interface-level VRF command is "ip vrf forwarding"; it must precede
   ! the ip address line, which is removed when the VRF binding is applied
   ip vrf forwarding TESTS1
   ip address 2.3.4.5 255.255.255.0
   ip policy route-map WEB
   ip route-cache policy
  !

I thought I would add another VRF in front of the FWSM in the 6500 and put PBR on it. My physical design looks like this:

  IP Cloud) <=> (Cisco SCE2020) <=> (Cat6513Sup720 <-> FWSM <-> VRF <-> ACE <-> (OUT VRF) [rt import/export] (VRF Internet)) <=> ASA55xx

Maybe it's worth marking "interesting" traffic on the SCE with DSCP or something, but I checked that on Cat6500 I can only match in a route-map on an access-list? All suggestions appreciated.

Regards, Darius

From kgraham at industrial-marshmallow.com Thu Jul 10 18:02:54 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 10 Jul 2008 15:02:54 -0700 (PDT) Subject: [c-nsp] High temperatures on cisco 6504-E chassis Message-ID: <764448.49361.qm@web907.biz.mail.mud.yahoo.com>

> Maybe it's the fact that these are sup720-3cxl-10ge, with X2 modules installed (which also seem to get hot, 41C), and this packed in a small chassis....

Check CISCO-ENTITY-SENSOR-MIB::entSensorThresholdTable. Looking at some 720C-10GE's, the minor threshold for the 'asic-#' sensors is 90-95C with criticals at 105-110C. Your inlet seems to be high, but no need to be concerned about those ASIC temps. Just checked a lightly-populated 9-slot 720C-10GE, with inlet at 23C, and the sensors in question are at 34C, 49C, and 51C. Comparing similarly configured (and situated) 4 and 9 slots, all of them seem consistent, so no need to be suspicious of the smaller chassis.

From jmayer at loplof.de Thu Jul 10 18:28:27 2008 From: jmayer at loplof.de (Joerg Mayer) Date: Fri, 11 Jul 2008 00:28:27 +0200 Subject: [c-nsp] IPV6 relay functionality on cat 3750 Message-ID: <20080710222827.GV4112@thot.informatik.uni-kl.de>

I've just found out that dhcpv6 relay functionality is currently not supported on the cat 3750 series (http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html). Can someone shed some light on when to expect this feature?

Thanks Joerg

-- Joerg Mayer We are stuck with technology when what we really want is just stuff that works.
Some say that should read Microsoft instead of technology.

From Andrey_Oleinik at bms-consulting.com Fri Jul 11 07:42:46 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Fri, 11 Jul 2008 14:42:46 +0300 Subject: [c-nsp] GPON In-Reply-To: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>

Can you rephrase your question about power? Anyway, try to dig here: www.flexlight-networks.com. IMHO these guys are leaders in GPON. If you're interested I'll give you a personal contact at FLN.

-- Respect, Andy Oleynik Telecom Dpt Chief BMS Consulting Ltd 10, Stritenska Str., of. 520 Kyiv, 01025, UA tel +380(44)4619961 tel +380(44)4619963 extn 162 fax +380(44)4619962 www.bms-consulting.com

andyo> -----Original Message-----
andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
andyo> Sent: Wednesday, July 09, 2008 7:10 PM
andyo> To: cisco-nsp at puck.nether.net
andyo> Subject: [c-nsp] GPON
andyo>
andyo> Does anybody have any GPON experience on the list?
andyo>
andyo> If so I am looking for Pros and Cons for implementing this for the CAN.
andyo>
andyo> Is there a power savings or the power requirement just pushed out to the desktop?
andyo> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
andyo> How is GPON managed?
andyo> andyo> Basically whatever info you have outside the classic definition, andyo> andyo> harbor235 ;} andyo> _______________________________________________ andyo> cisco-nsp mailing list cisco-nsp at puck.nether.net andyo> https://puck.nether.net/mailman/listinfo/cisco-nsp andyo> archive at http://puck.nether.net/pipermail/cisco-nsp/ From ghostonthewire at gmail.com Fri Jul 11 09:20:51 2008 From: ghostonthewire at gmail.com (ghostonthewire) Date: Fri, 11 Jul 2008 17:20:51 +0400 Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play? In-Reply-To: <00f701c8e2a0$fcefae30$f6cf0a90$@net> References: <00f701c8e2a0$fcefae30$f6cf0a90$@net> Message-ID: <48775E33.2020002@gmail.com> hi, Howard. Howard Leadmon wrote: > On the CE I have the following in the config: > ! > http proxy incoming 80 > ! > wccp router-list 1 xx.xx.xx.xx (xx is the IP address of the PIX) > wccp web-cache router-list-num 1 > wccp version 2 > ! > > > On the PIX I have the following. > > ! > wccp web-cache > wccp interface LAN web-cache redirect in > ! > > > Where of course LAN is my inside interface on my network. > > Maybe I am missing something, but from all I can find, making the two talk > WCCP to each other to cache web requests looks like it should be that > simple. As I am not having much luck, I figured I'd see if anyone here has > worked with this combination before, and what you did to get it all going.. I do not have hands on expirience on proprietary caching engines. I'm happy with Squid + PIX 8.x. But, definitialy you miss wccp web-cache redirect-list webcache_redirect group-list webcache_group statement, where webcache_redirect -- source addresses you wanna perform caching for, and webcache_group lists your cache engines. 
From r.nevot at gmail.com Fri Jul 11 09:32:21 2008 From: r.nevot at gmail.com (Raul Lopez Nevot) Date: Fri, 11 Jul 2008 15:32:21 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> Message-ID:

On Thu, Jul 10, 2008 at 6:18 PM, Christian Koch wrote:
> but FWSM scales to 4 per chassis, which is 2000 contexts, 20gbps throughput
> ..'on paper'...

As far as I heard, now a single FWSM can scale to 50Gbps if you have a Supervisor 720-10G-3C and don't want stateful inspection...

From robbie.jacka at regions.com Fri Jul 11 10:03:37 2008 From: robbie.jacka at regions.com (robbie.jacka at regions.com) Date: Fri, 11 Jul 2008 09:03:37 -0500 Subject: [c-nsp] Link flap on 3550-12G In-Reply-To: <81EB7EB41E41834BA4C9EDE1F56980A303192E7F@exmcb03.ucsfmedicalcenter.org> Message-ID:

What's the other end look like? Link-flap errors like that are generated when a link goes up/down more than 10 times in 60 seconds. Entirely possible that you have an issue with the remote end, or physical plant.

-- robbie

"Pham, Loc" (sent by cisco-nsp-bounces at puck.nether.net) wrote to "Cisco NSPs" on 07/10/2008 10:54 AM, Subject: [c-nsp] Link flap on 3550-12G:

Greetings, Time for RMA? The uplink is basic P2P L3 routing....
  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
  1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
  1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
  1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

  350par1-DIST2-R2# sh ver | i IOS
  IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
  350par1-DIST2-R2#

Regards, Loc Pham, CCIE # 17030 - Sr. Network Staff, IT Network Architecture & Security, UCSF Medical Center Office 415-353-4492

_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From ibrahim.abozaid at gmail.com Fri Jul 11 13:26:48 2008 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Fri, 11 Jul 2008 20:26:48 +0300 Subject: [c-nsp] BGP route-orgination Message-ID:

Dear All,

I just want to share a point with you. If we use the network command to originate a BGP route, the route's NH will be automatically set to the local BGP router-id, while if we use redistribution the route preserves its NH independent of the local router-id, so next-hop-self should be used. Is that completely right, or does it depend on the IOS version?
best regards --Ibrahim From peter at rathlev.dk Fri Jul 11 13:55:20 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 11 Jul 2008 19:55:20 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> Message-ID: <1215798920.28688.4.camel@svesken.sys.mjna.net> On Fri, 2008-07-11 at 15:32 +0200, Raul Lopez Nevot wrote: > On Thu, Jul 10, 2008 at 6:18 PM, Christian Koch > wrote: > > > but FWSM scales to 4 per chassis, which is 2000 contexts, 20gbps throughput > > ..'on paper'... > > > > As far as I heard, now a single FWSM can scale to 50Gbps if you have a > Supervisor 720-10G-3C and don't want stateful inspection... The FWSM has a 6x1GB Etherchannel connection to the switch, so 50 Gbps seems a little much. Even then, a FWSM without stateful inspection would be a little pointless. The Sup720 can use L4 access-lists in hardware, so no reason to throw money away on the extra hardware. Regarding the scaling: A single FWSM can handle multi gigabit traffic in hundreds of contexts. Ten of these can do ten times that amount. :-) Just like having more than one router in a POP, there's nothing keeping you from having multiple FWSM installations, spreading the customers among them. Regards, Peter From eugen at imacandi.net Fri Jul 11 13:12:44 2008 From: eugen at imacandi.net (Eugeniu Patrascu) Date: Fri, 11 Jul 2008 20:12:44 +0300 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: <486A1507.6040107@reub.net> References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> Message-ID: <4877948C.8020100@imacandi.net> Reuben Farrelly wrote: > You also can't ssh from a PIX, but you can of course ssh to it. 
> So it's not IMHO likely to be a case of "telnet being insecure", but
> avoiding -all- client sourced access from a PIX out to anything else
> which the PIX could potentially connect to.
>
> I suspect the thinking is that the PIX itself, if compromised, can't
> be used as a platform to launch into other devices in the network.
> Especially given it is probably one device which would normally have
> direct and unrestricted access to the private and DMZ networks in most
> topologies...

If the PIX were compromised, the attacker could also set up ACLs/NATs so that he has access to the network. So either way you don't get better security by not having telnet on the device itself.

From gert at greenie.muc.de Fri Jul 11 14:24:45 2008 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 11 Jul 2008 20:24:45 +0200 Subject: [c-nsp] Telnet FROM a PIX Appliance? In-Reply-To: <4877948C.8020100@imacandi.net> References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <4877948C.8020100@imacandi.net> Message-ID: <20080711182445.GF1231@greenie.muc.de>

Hi,

On Fri, Jul 11, 2008 at 08:12:44PM +0300, Eugeniu Patrascu wrote:
> If the PIX would be compromised, the attacker could also setup ACLs/NATs
> so that he has access to the network.

Only if he gets "enable" access.

gert

-- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From r.nevot at gmail.com Fri Jul 11 14:27:51 2008 From: r.nevot at gmail.com (Raul Lopez Nevot) Date: Fri, 11 Jul 2008 20:27:51 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: <1215798920.28688.4.camel@svesken.sys.mjna.net> References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> Message-ID:

> > As far as I heard, now a single FWSM can scale to 50Gbps if you have a
> > Supervisor 720-10G-3C and don't want stateful inspection...
>
> The FWSM has a 6x1GB Etherchannel connection to the switch, so 50 Gbps
> seems a little much. Even then, a FWSM without stateful inspection would
> be a little pointless. The Sup720 can use L4 access-lists in hardware,
> so no reason to throw money away on the extra hardware.
>
> Regarding the scaling: A single FWSM can handle multi gigabit traffic in
> hundreds of contexts. Ten of these can do ten times that amount. :-)
> Just like having more than one router in a POP, there's nothing keeping
> you from having multiple FWSM installations, spreading the customers
> among them.

Some people told me about cisco's expectation for the future release... these speeds are achieved by authorizing only the connection on the FWSM and, once authorized, passing connections to the supervisor and not over the etherchannel (to the supervisor forwarding engine). That's how they will multiply speeds: not passing all the packets through the FWSM (and that's why it's incompatible with deep protocol inspection).

Yeah, I know it's only a rumor some people near cisco told me. I don't know if anybody at cisco reading this list can confirm it.
Regards From r.nevot at gmail.com Fri Jul 11 14:41:34 2008 From: r.nevot at gmail.com (Raul Lopez Nevot) Date: Fri, 11 Jul 2008 20:41:34 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq In-Reply-To: References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> Message-ID: > > Some people told me about cisco expectation for the future release... this > speeds are achieved by authorizing only the connection on FWSM, and once > authorized, passing connections to the supervisor and not on the > etherchannel (to the supervisor forwarding engine). That's how they will > multiply speeds, not passing all the packets through FWSM (and that's why > it's incompatible with deep protocol inspection. > > Yeah, I know it's only a rumor some people near cisco told me. I don't know > if anybody at cisco reading this list can confirm it. > In fact, it's not a rumor. They call it Trusted Flow Acceleration, and it comes on version 4.0: http://www.cisco.com/en/US/docs/security/fwsm/fwsm40/configuration/guide/protct_f.html#wpxref95739 From benny+usenet at amorsen.dk Fri Jul 11 15:25:25 2008 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Fri, 11 Jul 2008 21:25:25 +0200 Subject: [c-nsp] ASA or FRSW in transparent mode over qinq References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> Message-ID: "Raul Lopez Nevot" writes: > As far as I heard, now a single FWSM can scale to 50Gbps if you have a > Supervisor 720-10G-3C and don't want stateful inspection... Performance is fun and all, but more customers (vrfs) per box would be more useful I'd think. 
/Benny

From RTeller at deltadentalwa.com Fri Jul 11 16:47:34 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Fri, 11 Jul 2008 13:47:34 -0700
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>

Is anyone aware of a bug or configuration that could cause a sudden spike in IP Input?

uptime is 26 weeks, 3 days, 10 hours, 54 minutes
System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
System restarted at 01:41:34 PST Tue Jan 8 2008
System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin"

Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.

 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input

Seattle-WAN   01:00:26 PM Friday Jul 11 2008 DST

[show processes cpu history output: "CPU% per second (last 60 seconds)", "CPU% per minute (last 60 minutes)" and "CPU% per hour (last 72 hours)" graphs, * = maximum CPU%, # = average CPU%; the column layout of the three graphs did not survive extraction]

The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.

From paul at gtcomm.net Fri Jul 11 20:22:36 2008
From: paul at gtcomm.net (Paul)
Date: Fri, 11 Jul 2008 20:22:36 -0400
Subject: [c-nsp] BGP route-orgination
In-Reply-To:
References:
Message-ID: <4877F94C.2060302@gtcomm.net>

Correct me if I'm wrong, but IOS usually does the following:

If a network statement is present, next-hop-self is set.

If a network is redistributed from another protocol, the EBGP export is rewritten to the peer address, but IBGP carries over the next-hop from the injection point.

From christian at broknrobot.com Fri Jul 11 21:15:02 2008
From: christian at broknrobot.com (Christian Koch)
Date: Fri, 11 Jul 2008 21:15:02 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>
Message-ID:

What is the constant VRF reference?
Just because someone is an MPLS VPN customer does not mean they are going to be a managed firewall customer. I don't know why you keep referencing VRF? And 2000 customers on a 65/7600 is a lot, you don't think so?

On Fri, Jul 11, 2008 at 3:25 PM, Benny Amorsen wrote:

> "Raul Lopez Nevot" writes:
>
> > As far as I heard, now a single FWSM can scale to 50Gbps if you have a
> > Supervisor 720-10G-3C and don't want stateful inspection...
>
> Performance is fun and all, but more customers (vrfs) per box would be
> more useful I'd think.
>
>
> /Benny
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
^christian$

From Loc.Pham at ucsfmedctr.org Fri Jul 11 22:30:07 2008
From: Loc.Pham at ucsfmedctr.org (Pham, Loc)
Date: Fri, 11 Jul 2008 19:30:07 -0700
Subject: [c-nsp] Link flap on 3550-12G
References:
Message-ID: <81EB7EB41E41834BA4C9EDE1F56980A3031930F4@exmcb03.ucsfmedicalcenter.org>

Not much to offer once they're down. I did move the link to another free port on the box and things seem to stay. Heck, maybe it's time for an RMA and a due IOS upgrade ;-)

Regards,
Loc Pham, # 17030 R/S
"We switch our network dedicately: One packet at a time..."

-----Original Message-----
From: robbie.jacka at regions.com [mailto:robbie.jacka at regions.com]
Sent: Friday, July 11, 2008 7:04 AM
To: Pham, Loc
Cc: Cisco NSPs; cisco-nsp-bounces at puck.nether.net
Subject: Re: [c-nsp] Link flap on 3550-12G

What's the other end look like? Link-flap errors like that are generated when a link goes up/down more than 10 times in 60 seconds. Entirely possible that you have an issue with the remote end, or physical plant.

--
robbie

"Pham, Loc"
Sent by: cisco-nsp-bounces at puck.nether.net
07/10/2008 10:54 AM

To: "Cisco NSPs"
cc:
Subject: [c-nsp] Link flap on 3550-12G

Greetings,

Time for RMA? The uplink is basic P2P L3 routing....

1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
1y40w: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
1y40w: %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
1y40w: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to down

350par1-DIST2-R2# sh ver | i IOS
IOS (tm) C3550 Software (C3550-I5Q3L2-M), Version 12.1(13)EA1a, RELEASE SOFTWARE (fc1)
350par1-DIST2-R2#

Regards,
Loc Pham, CCIE # 17030 - Sr. Network Staff, IT Network Architecture & Security, UCSF Medical Center
Office 415-353-4492

From adrian at creative.net.au Sat Jul 12 02:12:54 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Sat, 12 Jul 2008 14:12:54 +0800
Subject: [c-nsp] WCCP with a PIX-515 and CE-590, any config suggestions to make this play?
In-Reply-To: <48775E33.2020002@gmail.com>
References: <00f701c8e2a0$fcefae30$f6cf0a90$@net> <48775E33.2020002@gmail.com>
Message-ID: <20080712061254.GJ2904@skywalker.creative.net.au>

.. I just saw this post.

*puts on WCCP hat, wishes he had a PIX hat to put on*

On Fri, Jul 11, 2008, ghostonthewire wrote:
> hi, Howard.
>
> Howard Leadmon wrote:
> >On the CE I have the following in the config:
> >!
> >http proxy incoming 80
> >!
> >wccp router-list 1 xx.xx.xx.xx (xx is the IP address of the PIX)

^-- right, so is the cache registering?

> >wccp web-cache router-list-num 1
> >wccp version 2

Ok.

> >On the PIX I have the following.
> >
> >!
> >wccp web-cache
> >wccp interface LAN web-cache redirect in

.. which should redirect traffic from all LAN ports to the WCCP cache, and hopefully not redirect traffic from the cache itself.
> >Where of course LAN is my inside interface on my network.
> >
> >Maybe I am missing something, but from all I can find, making the two talk
> >WCCP to each other to cache web requests looks like it should be that
> >simple. As I am not having much luck, I figured I'd see if anyone here
> >has
> >worked with this combination before, and what you did to get it all going..

If this were a router, I'd do "show ip wccp web-cache detail" to see if the router is seeing the cache, see what redirection/assignment method it's chosen, and make sure that it's actively redirecting traffic -to- the thing.

> wccp web-cache redirect-list webcache_redirect group-list webcache_group
>
> statement, where webcache_redirect -- source addresses you wanna perform
> caching for, and webcache_group lists your cache engines.

I know the -routers- don't require a web cache group to be defined (but it's a good thing to do, much like enabling MD5 auth :) but I haven't got a PIX yet to test it out on.

Adrian

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From sam_mailinglists at spacething.org Sat Jul 12 04:55:25 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Sat, 12 Jul 2008 09:55:25 +0100
Subject: [c-nsp] Telnet FROM a PIX Appliance?
In-Reply-To: <20080711182445.GF1231@greenie.muc.de>
References: <200807011121.m61BL2Ax084691@puck.nether.net> <486A1507.6040107@reub.net> <4877948C.8020100@imacandi.net> <20080711182445.GF1231@greenie.muc.de>
Message-ID: <4878717D.5010709@spacething.org>

Gert Doering wrote:
> Hi,
>
> On Fri, Jul 11, 2008 at 08:12:44PM +0300, Eugeniu Patrascu wrote:
>
>> If the PIX would be compromised, the attacker could also setup ACLs/NATs
>> so that he has access to the network.
>>
>
> Only if he gets "enable" access.
>

Still, it's not really a reason - on the old CatOS switches you had to be in enable mode before you could outbound telnet; there's no reason that couldn't be repeated. And if you really didn't want telnet on the PIX, ban it on the AAA server. :)

I imagine, as with all these features, the reason it doesn't exist is that not enough people want/ask for it.

Sam

From madunix at gmail.com Sat Jul 12 07:30:41 2008
From: madunix at gmail.com (Mad Unix)
Date: Sat, 12 Jul 2008 13:30:41 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com>
Message-ID: <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>

Till now I am not able to accept analog calls through my PRI! Any help?

> On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) <
> oboehmer at cisco.com> wrote:
>
>> Hmm, so how far does the connection go? Do the modems train up?
>> You might want to go through
>> http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or
>> http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml
>>
>> oli
>>
>> ------------------------------
>> *From:* Mad Unix [mailto:madunix at gmail.com]
>> *Sent:* Wednesday, July 09, 2008 11:25 AM
>> *To:* Oliver Boehmer (oboehmer)
>> *Cc:* cisco-nsp at puck.nether.net
>> *Subject:* Re: [c-nsp] Analog Dialer
>>
>> I have added this but it didn't help; it keeps trying to connect to
>> authenticate, then fails.
>>
>> SDC_R2#conf t
>> Enter configuration commands, one per line.  End with CNTL/Z.
>> SDC_R2(config)#line 450 473
>> SDC_R2(config-line)#exec-timeout 0 0
>> SDC_R2(config-line)#modem Dialin
>> SDC_R2(config-line)#transport input all
>> SDC_R2(config-line)#autoselect during-login
>> SDC_R2(config-line)#autoselect ppp
>> SDC_R2(config-line)#
>> SDC_R2(config-line)#exit
>> SDC_R2(config)#exit
>>
>>
>> SDC_R2#sh line
>>    Tty Line Typ     Tx/Rx    A Modem  Roty AccO AccI  Uses  Noise Overruns  Int
>>      0    0 CTY              -    -      -    -    -     1      0    0/0      -  Ready
>>      1    1 AUX   9600/9600  -    -      -    -    -     0      0    0/0      -  Ready
>> I 0/450  450 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/451  451 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/452  452 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/453  453 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/454  454 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/455  455 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/456  456 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/457  457 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/458  458 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/459  459 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/460  460 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/461  461 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/462  462 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/463  463 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/464  464 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/465  465 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/466  466 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/467  467 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/468  468 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/469  469 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/470  470 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/471  471 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/472  472 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> I 0/473  473 TTY              - DialIn   -    -    -     0      0    0/0      -  Idle
>> *  706  706 VTY              -    -      -    -    -    50      0    0/0      -  Ready
>> *  707  707 VTY              -    -      -    -    -     9      0    0/0      -  Ready
>>    708  708 VTY              -    -      -    -    -     1      0    0/0      -  Ready
>>    709  709 VTY              -    -      -    -    -     0      0    0/0      -  Idle
>>    710  710 VTY              -    -      -    -    -     0      0    0/0      -  Idle
>>
>> Line(s) not in async mode -or- with no hardware support:
>> 2-449, 474-705
>>
>>
>> Regarding the CEF: we have disabled it because it was disconnecting the Dialer
>> after a time... so we added this: no ip route-cache cef
>>
>> interface Serial4/0:15
>>  no ip address
>>  encapsulation ppp
>>  no ip route-cache cef
>>  dialer rotary-group 1
>>  dialer-group 2
>>  isdn switch-type primary-net5
>>  isdn incoming-voice modem
>>  isdn guard-timer 3000
>> !
>> interface Serial4/1:15
>>  no ip address
>>  encapsulation ppp
>>  no ip route-cache cef
>>  dialer rotary-group 1
>>  dialer-group 1
>>  isdn switch-type primary-net5
>>  isdn incoming-voice modem
>>  isdn guard-timer 3000
>> !
>>
>>
>> On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) <
>> oboehmer at cisco.com> wrote:
>>
>>> some patience, please :-) .. we all do this in our spare time..
>>>
>>> The "line" config is missing (i.e. the lower part of the config). can you
>>> send this as well?
>>> Please re-enable CEF on the serial interface ("ip route-cache cef")
>>>
>>> oli
>>>
>>> ------------------------------
>>> *From:* Mad Unix [mailto:madunix at gmail.com]
>>> *Sent:* Wednesday, July 09, 2008 10:31 AM
>>> *To:* Oliver Boehmer (oboehmer)
>>> *Cc:* cisco-nsp at puck.nether.net
>>> *Subject:* Re: [c-nsp] Analog Dialer
>>>
>>> Any updates
>>>
>>> On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:
>>>
>>>> Am using interface Group-Async1 to accept analog calls for data transfer
>>>>
>>>>
>>>> interface GigabitEthernet0/0
>>>>  description $ES_LAN$
>>>>  ip address 10.16.0.2 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  media-type rj45
>>>> !
>>>> interface GigabitEthernet0/1
>>>>  ip address 10.16.1.2 255.255.255.0
>>>>  duplex auto
>>>>  speed auto
>>>>  media-type rj45
>>>> !
>>>> interface Serial0/0/0
>>>>  description ---- Elect ----
>>>>  ip address 10.14.11.5 255.255.255.252
>>>> !
>>>> interface Serial0/0/1
>>>>  description --- Bank ---
>>>>  ip address 10.14.11.1 255.255.255.252
>>>>  encapsulation ppp
>>>>
>>>> interface Serial4/0:15
>>>>  no ip address
>>>>  encapsulation ppp
>>>>  no ip route-cache cef
>>>>  dialer rotary-group 1
>>>>  dialer-group 2
>>>>  isdn switch-type primary-net5
>>>>  isdn incoming-voice modem
>>>>  isdn guard-timer 3000
>>>> !
>>>> interface Serial4/1:15
>>>>  no ip address
>>>>  encapsulation ppp
>>>>  no ip route-cache cef
>>>>  dialer rotary-group 1
>>>>  dialer-group 1
>>>>  isdn switch-type primary-net5
>>>>  isdn incoming-voice modem
>>>>  isdn guard-timer 3000
>>>> !
>>>> interface Dialer1
>>>>  description connected to Dial-inPCs(ISDN)
>>>>  ip address 10.13.1.1 255.255.255.0
>>>>  encapsulation ppp
>>>>  no ip split-horizon
>>>>  dialer in-band
>>>>  dialer idle-timeout 3600
>>>>  dialer-group 1
>>>>  peer default ip address pool Cisco3662-Group-1
>>>>  ppp authentication chap pap ms-chap callin
>>>> !
>>>> interface Group-Async1
>>>>  description connected tp Dial-in pcs (Analog)
>>>>  ip unnumbered GigabitEthernet0/0
>>>>  encapsulation ppp
>>>>  no ip split-horizon
>>>>  dialer in-band
>>>>  dialer idle-timeout 3600
>>>>  dialer-group 1
>>>>  async mode interactive
>>>>  peer default ip address pool cisco3662-group-2
>>>>  no fair-queue
>>>>  ppp authentication chap pap ms-chap callin
>>>>  group-range 0/450 0/473
>>>> ip http server
>>>> ip http authentication local
>>>> ip http timeout-policy idle 60 life 86400 requests 10000
>>>> !
>>>> ip radius source-interface GigabitEthernet0/0
>>>> access-list 2 permit 10.5.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
>>>> access-list 101 permit tcp host 10.5.3.10 any eq telnet
>>>> dialer-list 1 protocol ip permit
>>>> dialer-list 2 protocol ip permit
>>>>
>>>>
>>>> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) <
>>>> oboehmer at cisco.com> wrote:
>>>>
>>>>> Can't tell based on this config alone. can you please show the full
>>>>> config? (at least the one of the Serialx/y:z (the D-channel), any
>>>>> dialer
>>>>> interfaces and the "line" config at the end)?
>>>>>
>>>>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml
>>>>> shows a sample AS5xxx config, which
>>>>> can easily be adapted to your environment..
>>>>>
>>>>> oli
>>>>>
>>>>>
>>>>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:
>>>>>
>>>>> > have a PRI connecting 60 ppl using BRI and Analog calls
>>>>> > the Router 3800 PRI interface is having Digital modem to accept
>>>>> > analog phone calls
>>>>> > the analog callers cant connect!
>>>>> > What could be wrong?
>>>>> >
>>>>> > interface Group-Async1
>>>>> >  description connected tp Dial-in pcs (Analog)
>>>>> >  ip unnumbered GigabitEthernet0/0
>>>>> >  encapsulation ppp
>>>>> >  no ip split-horizon
>>>>> >  dialer in-band
>>>>> >  dialer idle-timeout 3600
>>>>> >  dialer-group 1
>>>>> >  async mode interactive
>>>>> >  peer default ip address pool cisco3662-group-2
>>>>> >  no fair-queue
>>>>> >  ppp authentication chap pap ms-chap callin
>>>>> >  group-range 0/450 0/473
>>>>> > --
>>>>> > madunix

--
madunix

From oboehmer at cisco.com Sat Jul 12 07:59:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 12 Jul 2008 13:59:24 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com> <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>

Hi,

I am sorry, but I do not know how to help you if you don't provide more details about the problem. Do the modems train up, i.e. do you get a connect?
If not, please check the modem troubleshooting link below. If you have problems during PPP or authentication, please check the other link I've provided to guide you through the process.

oli

________________________________
From: Mad Unix [mailto:madunix at gmail.com]
Sent: Saturday, July 12, 2008 1:31 PM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Analog Dialer

Till now I am not able to accept analog calls through my PRI! Any help?

On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) wrote:

Hmm, so how far does the connection go? Do the modems train up? You might want to go through
http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or
http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml

oli

[...]

--
madunix

From stig.johansen at ementor.no Sat Jul 12 08:32:20 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Sat, 12 Jul 2008 14:32:20 +0200
Subject: [c-nsp] 7600 MPLS QoS
In-Reply-To:
References:
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B3B@100NOOSLMSG004.common.alpharoot.net>

Hi there,

Short answer: you aren't missing anything. :)

Traditionally the 6500/7600 platform has been rather poor in the QoS department, presumably because of the extended use of hardware switching. I would think this is just one more of the "wouldn't it be great if.." features we want to see, but may or may not see supported in the future..

The 6500/7600 platform does support explicit null LSPs, but the problem is using this information at the egress PE, as you yourself noted. The "set qos-group" is regretfully not supported at ingress MPLS interfaces as far as I can see as well.

I really don't have any viable alternatives for you at this point, as I haven't implemented any of this myself outside a small lab test I did just now.

Can't you let the customer-set DSCP manage the QoS on the egress to the CE? I understand you see this as a benefit to be able to control as the SP, but shouldn't the customer ideally have a say in this?
:)

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of J C
Sent: 7. juli 2008 06:52
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7600 MPLS QoS

I've been going through all the documentation regarding MPLS and configuring MPLS QoS on PFCs, and I'm stumped on this question. In past MPLS networks I've used Pipe Mode with Explicit Null LSP to configure QoS within the MPLS network. The benefit of this for a carrier network was that it preserved the customer markings and allowed us to control the treatment of the traffic right up to (and including) the egress of the PE to the carrier-owned CPE.

From reading the documentation on the 7600 I don't see anywhere the ability to use Pipe Mode with Explicit-Null LSP... I only see Uniform Mode and Short Pipe Mode. Right away Uniform Mode is out of the question, and Short Pipe Mode is the best alternative, but it only allows you to control the treatment of the traffic until it reaches the final PE, at which point the traffic has no MPLS EXP bits left on it and only the original customer markings are left.

So my question is... am I just missing something regarding the 7600 and its ability to support Pipe Mode with Explicit-Null? I'm asking this because I also noticed that 'set qos-group' is not available on ingress MPLS-MPLS interfaces... And if this method of MPLS QoS is not supported on the 7600, what's the next best thing?... Lastly, if Short Pipe Mode is the only alternative, then how can the SP still control treatment on the egress of the final PE... as all MPLS EXP bits will be stripped during the final 'pop'.

Thanks in advance MPLS gurus!!!!

From stig.johansen at ementor.no Sat Jul 12 08:50:46 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Sat, 12 Jul 2008 14:50:46 +0200
Subject: [c-nsp] Flat MPLS service from provider
In-Reply-To:
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B3C@100NOOSLMSG004.common.alpharoot.net>

Hi.

I can't see any big problems with a flat VPN cloud, considering the following:

- The sites should ideally use a default route into the cloud.
- The sites should have no requirement for segregation inside the cloud.
- The sites should have absolutely common policies regarding all routing decisions and gateways in/out of the cloud.

Exactly what kind of distributed services are you thinking about?

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of D W
Sent: 9. juli 2008 19:59
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Flat MPLS service from provider

Hello,

Does anyone on this list manage a network or have customers that run a large (500+ sites, scaling up to 1000) flat (single VRF) enterprise network? If so, can you share any lessons learned from this service as opposed to building a hierarchical design (ordering multiple VRF clouds from a provider - core cloud, regional cloud, etc.)?

I'm in the process of identifying potential issues for a customer considering a flat network design model. Their network is currently regionalized with point-to-point circuits. Two of the first that came to mind were:

- Summarization (could only do per site, no large regional summarization blocks), unless defaults are used.
- Difficult to deploy distributed services with no aggregation sites.

Thanks,
Dave

From harbor235 at gmail.com Sat Jul 12 14:34:38 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Sat, 12 Jul 2008 14:34:38 -0400
Subject: [c-nsp] GPON
In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM>
Message-ID: <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>

What I meant about power is: is the advantage of using GPON to the desktop a reduction in power because there are no access switches? The only problem is that now you need all of these cable-modem-type devices at the desktop. All this does is push the power requirement to the desktop and introduce a ton of new devices to manage.

thanx for the link

harbor235 ;}

On Fri, Jul 11, 2008 at 7:42 AM, Andrey Oleinik <Andrey_Oleinik at bms-consulting.com> wrote:
> Can U rephrase ur Q about power?
> Anyway try to dig here www.flexlight-networks.com
> IMHO these guys are leaders in GPON. If U're interested I'll give U
> personal contact of FLN's human.
>
> --
> Respect, Andy Oleynik
> Telecom Dpt Chief
> BMS Consulting Ltd
> 10, Stritenska Str., of.
> 520
> Kyiv, 01025, UA
> tel +380(44)4619961
> tel +380(44)4619963 extn 162
> fax +380(44)4619962
> www.bms-consulting.com
>
>
> andyo> -----Original Message-----
> andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
> andyo> Sent: Wednesday, July 09, 2008 7:10 PM
> andyo> To: cisco-nsp at puck.nether.net
> andyo> Subject: [c-nsp] GPON
> andyo>
> andyo> Does anybody have any GPON experience on the list?
> andyo>
> andyo> If so I am looking for Pros and Cons for implementing this for the CAN.
> andyo>
> andyo> Is there a power savings or the power requirement just pushed out to the desktop?
> andyo> hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> andyo> How is GPON managed?
> andyo> Price comparisons?
> andyo>
> andyo> Basically whatever info you have outside the classic definition,
> andyo>
> andyo> harbor235 ;}

From junaid.x86 at gmail.com Sat Jul 12 16:23:03 2008
From: junaid.x86 at gmail.com (Junaid)
Date: Sun, 13 Jul 2008 02:23:03 +0600
Subject: [c-nsp] Restrictions on topology when running OSPF with the customer inside VRF
Message-ID:

Hi,

I need some clarification as to what topology we can run OSPF in with our customer inside a VRF. I ran OSPF on one PE-CE link in area 6. I could only see in my VRF/OSPF table the intra-area routes and external routes that were injected by the CE router via redistribution. The CE router was also connected to other customer routers via area 0 and other areas.
In the PE's VRF/OSPF routing table, I could not see any inter-area route nor other external routes that other customer routers were injecting via redistribution, although I could see them in my (PE router's) OSPF database. Funny thing is, when I removed the VRF configuration and configured OSPF with the customer in the global routing table, I was able to see all routes getting installed in the routing table.

Consulting a book, I hit across the following:

"When backbone areas are used within a VPN customer topology, the only caveat to be aware of is that any site configured to run an OSPF backbone area must be attached directly with the MPLS VPN Superbackbone, either through a direct link or a virtual link. This is mandatory because the PE routers always act as Area Border Routers (ABRs) and need to be able to exchange intra-area information with other ABR or backbone area routers."

Does this mean that the PE always needs connectivity to Area 0? Is there any way around? What am I missing?

Regards,
Junaid

From oboehmer at cisco.com Sun Jul 13 04:25:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 13 Jul 2008 10:25:25 +0200
Subject: [c-nsp] Restrictions on topology when running OSPF with the customer inside VRF
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65ED3@xmb-ams-333.emea.cisco.com>

Junaid <> wrote on Saturday, July 12, 2008 10:23 PM:

> Hi,
>
> I need some clarification as to what topology in which we can run OSPF
> with our customer inside VRF. I ran OSPF on one PE-CE link in area 6.
> I could only see in my VRF/OSPF table the intra-area routes and
> external routes that were injected by the CE router via
> redistribution. The CE router was also connected to other customer
> routers via area 0 and other areas.
> In PE's VRF/OSPF routing table, I
> could not see any inter-area route nor other external routes that
> other customer routers were injecting via redistribution although I
> could see them in my (PE router's) OSPF database. Funny thing is, when
> I removed VRF configuration and configured OSPF with the customer in
> the global routing table, I was able to see all routes getting
> installed in the routing table. Consulting a book, I hit across the
> following:
>
> "When backbone areas are used within a VPN customer topology, the only
> caveat to be aware of is that any site configured to run an OSPF
> backbone area must be attached directly with the MPLS VPN
> Superbackbone, either through a direct link or a virtual link. This is
> mandatory because the PE routers always act as Area Border Routers
> (ABRs) and need to be able to exchange intra-area information with
> other ABR or backbone area routers."
>
> Does this mean that the PE always need connectivity to Area 0? Is
> there any way around? What am I missing?

Well, you don't miss anything. As mentioned in the quoted text, any MPLS-VPN PE will always consider itself an ABR and, as such, will ignore any summary LSAs arriving from a non-backbone area (the PE-CE link in area 6, in your case). Rather than working with virtual links, I would just put the PE-CE link into area 0, or use a different PE-CE routing protocol. Difficult to recommend something without knowing the VPN customer's topology..

oli

From asturluismi at gmail.com Sat Jul 12 15:47:45 2008
From: asturluismi at gmail.com (luismi)
Date: Sat, 12 Jul 2008 21:47:45 +0200
Subject: [c-nsp] Multi-VRF using PBR not working, vrf+vlan configuration.
Message-ID: <1215892065.17360.16.camel@dsba-ipso>

Hi there,

I have this schema in a lab:

R6(1.1.1.1)(1.1.1.254)R0(10.10.10.1)(10.10.10.2)R1

The idea is to receive the traffic from R6 in plain mode, that is, without MPLS tag or VLAN tag, just IP.
As soon as the traffic reaches 1.1.1.254 (R6) it would be inserted in a VRF associated to a VLAN for the rest of the network.

But, for some reason I am not able to ping from R6 to any other IP than 10.10.10.254, nor can I ping from any VRF address to 1.1.1.1; it is not working. I don't know why it is not working at all. I reviewed it several times, I read a lot of papers, but I still don't have any clue yet why it is not working.

So here I am, I hope someone here can give me a hand with this.

I am not planning to use OSPF or BGP, since I don't consider I need it at all for the final deployment, at least not in the nearest future. Any other way to do this scenario will be appreciated too.

R6 is a 1700
R0 is a 7600 (so "MPLS VPN - VRF Selection based on Source IP Address" is not going to work since as far as I know it is not supported yet)
R1 is a 7600

My configs are ...

!R6
interface FastEthernet1/0
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
 no clns route-cache

!R0
ip vrf R6
 description R6
 rd 1:6
!
interface FastEthernet0/0
 ip vrf receive R6
 ip address 1.1.1.254 255.255.255.0
 no ip proxy-arp
 ip policy route-map VRF
 duplex auto
 speed auto
 no cdp enable
 no clns route-cache
!
interface FastEthernet1/0.1
 encapsulation dot1Q 10
 ip vrf forwarding R6
 ip address 10.10.10.1 255.255.255.252
!
interface Loopback6
 description Just for tests
 ip vrf forwarding R6
 ip address 2.2.2.2 255.255.255.255
 no clns route-cache
!
access-list 10 permit 1.1.1.1
!
route-map VRF permit 10
 match ip address 10
 set vrf R6

!R1
ip vrf R6
 description R6
 rd 1:6
!
interface FastEthernet0/0.1
 encapsulation dot1Q 10
 ip vrf forwarding R6
 ip address 10.10.10.2 255.255.255.252

From madunix at gmail.com Sun Jul 13 11:27:39 2008
From: madunix at gmail.com (Mad Unix)
Date: Sun, 13 Jul 2008 17:27:39 +0200
Subject: [c-nsp] Analog Dialer
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>
References: <4d3f56c90807082326v532ee3b8sa5b8f91525c081e7@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CDA7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090005o44bd8d6ck319b3e2556497c01@mail.gmail.com> <4d3f56c90807090130u3bb11da9wcd423f4512756068@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CEC7@xmb-ams-333.emea.cisco.com> <4d3f56c90807090225x35c782c4lfd64df4a4a1db3c4@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B1CF9A@xmb-ams-333.emea.cisco.com> <4d3f56c90807091400h5e43ad05s86697f07f8ea7b6@mail.gmail.com> <4d3f56c90807120430j22e11ef4x6814176d00450b18@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65E99@xmb-ams-333.emea.cisco.com>
Message-ID: <4d3f56c90807130827u43965fd5ve7a6f4275ce0a3fc@mail.gmail.com>

it works now
added the following:

aaa session-id common
no network-clock-participate slot 3
network-clock-participate slot 4
network-clock-select 1 E1 4/0
network-clock-select 2 E1 4/1

Thanks

On Sat, Jul 12, 2008 at 1:59 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> Hi,
>
> I am sorry, but I do not know how to help you if you don't provide more
> details about the problem. Do the modems train up, i.e. do you get a connect?
> If not, please check the modem troubleshooting link below. If you have
> problems during PPP or authentication, please check the other link I've
> provided to guide you through the process.
>
> oli
>
> ------------------------------
> *From:* Mad Unix [mailto:madunix at gmail.com]
> *Sent:* Saturday, July 12, 2008 1:31 PM
> *To:* Oliver Boehmer (oboehmer)
> *Cc:* cisco-nsp at puck.nether.net
> *Subject:* Re: [c-nsp] Analog Dialer
>
> till now am not able to accept analog calls through my PRI!
>
> any help
>
>> On Wed, Jul 9, 2008 at 1:09 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>>
>>> Hmm, so how far does the connection go? Do the modems train up? You
>>> might want to go through
>>> http://www.cisco.com/en/US/tech/tk801/tk36/technologies_tech_note09186a0080094eb9.shtml or
>>> http://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a008019cfa7.shtml
>>>
>>> oli
>>>
>>> ------------------------------
>>> *From:* Mad Unix [mailto:madunix at gmail.com]
>>> *Sent:* Wednesday, July 09, 2008 11:25 AM
>>> *To:* Oliver Boehmer (oboehmer)
>>> *Cc:* cisco-nsp at puck.nether.net
>>> *Subject:* Re: [c-nsp] Analog Dialer
>>>
>>> I have added this but it didn't help; it keeps trying to connect to
>>> authenticate then failed
>>>
>>> SDC_R2#conf t
>>> Enter configuration commands, one per line. End with CNTL/Z.
>>> SDC_R2(config)#line 450 473
>>> SDC_R2(config-line)#exec-timeout 0 0
>>> SDC_R2(config-line)#modem Dialin
>>> SDC_R2(config-line)#transport input all
>>> SDC_R2(config-line)#autoselect during-login
>>> SDC_R2(config-line)#autoselect ppp
>>> SDC_R2(config-line)#
>>> SDC_R2(config-line)#exit
>>> SDC_R2(config)#exit
>>>
>>>
>>> SDC_R2#sh line
>>>      Tty Line Typ     Tx/Rx     A Modem  Roty AccO AccI Uses Noise Overruns Int
>>>        0    0 CTY               -   -       -    -    -    1     0     0/0   -   Ready
>>>        1    1 AUX  9600/9600    -   -       -    -    -    0     0     0/0   -   Ready
>>> I  0/450  450 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/451  451 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/452  452 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/453  453 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/454  454 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/455  455 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/456  456 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/457  457 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/458  458 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/459  459 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/460  460 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/461  461 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/462  462 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/463  463 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/464  464 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/465  465 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/466  466 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/467  467 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/468  468 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/469  469 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/470  470 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/471  471 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/472  472 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> I  0/473  473 TTY               - DialIn    -    -    -    0     0     0/0   -   Idle
>>> *    706  706 VTY               -   -       -    -    -   50     0     0/0   -   Ready
>>> *    707  707 VTY               -   -       -    -    -    9     0
>>>                                                                  0/0   -   Ready
>>>      708  708 VTY               -   -       -    -    -    1     0     0/0   -   Ready
>>>      709  709 VTY               -   -       -    -    -    0     0     0/0   -   Idle
>>>      710  710 VTY               -   -       -    -    -    0     0     0/0   -   Idle
>>>
>>> Line(s) not in async mode -or- with no hardware support:
>>> 2-449, 474-705
>>>
>>>
>>>
>>> regarding the CEF we have disabled because it was disconnecting the
>>> Dialer after a time...
>>> so we added this no ip route-cache cef
>>>
>>> interface Serial4/0:15
>>>  no ip address
>>>  encapsulation ppp
>>>  no ip route-cache cef
>>>  dialer rotary-group 1
>>>  dialer-group 2
>>>  isdn switch-type primary-net5
>>>  isdn incoming-voice modem
>>>  isdn guard-timer 3000
>>> !
>>> interface Serial4/1:15
>>>  no ip address
>>>  encapsulation ppp
>>>  no ip route-cache cef
>>>  dialer rotary-group 1
>>>  dialer-group 1
>>>  isdn switch-type primary-net5
>>>  isdn incoming-voice modem
>>>  isdn guard-timer 3000
>>> !
>>>
>>>
>>> On Wed, Jul 9, 2008 at 11:05 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>>>
>>>> some patience, please :-) .. we all do this in our spare time..
>>>>
>>>> The "line" config is missing (i.e. the lower part of the config). can
>>>> you send this as well?
>>>> Please re-enable CEF on the serial interface ("ip route-cache cef")
>>>>
>>>> oli
>>>>
>>>> ------------------------------
>>>> *From:* Mad Unix [mailto:madunix at gmail.com]
>>>> *Sent:* Wednesday, July 09, 2008 10:31 AM
>>>> *To:* Oliver Boehmer (oboehmer)
>>>> *Cc:* cisco-nsp at puck.nether.net
>>>> *Subject:* Re: [c-nsp] Analog Dialer
>>>>
>>>> Any updates
>>>>
>>>> On Wed, Jul 9, 2008 at 9:05 AM, Mad Unix wrote:
>>>>
>>>>> Am using interface Group-Async1 to accept analog calls for data
>>>>> transfer
>>>>>
>>>>>
>>>>> interface GigabitEthernet0/0
>>>>>  description $ES_LAN$
>>>>>  ip address 10.16.0.2 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>>  media-type rj45
>>>>> !
>>>>> interface GigabitEthernet0/1
>>>>>  ip address 10.16.1.2 255.255.255.0
>>>>>  duplex auto
>>>>>  speed auto
>>>>>  media-type rj45
>>>>> !
>>>>> interface Serial0/0/0
>>>>>  description ---- Elect ----
>>>>>  ip address 10.14.11.5 255.255.255.252
>>>>> !
>>>>> interface Serial0/0/1
>>>>>  description --- Bank ---
>>>>>  ip address 10.14.11.1 255.255.255.252
>>>>>  encapsulation ppp
>>>>>
>>>>> interface Serial4/0:15
>>>>>  no ip address
>>>>>  encapsulation ppp
>>>>>  no ip route-cache cef
>>>>>  dialer rotary-group 1
>>>>>  dialer-group 2
>>>>>  isdn switch-type primary-net5
>>>>>  isdn incoming-voice modem
>>>>>  isdn guard-timer 3000
>>>>> !
>>>>> interface Serial4/1:15
>>>>>  no ip address
>>>>>  encapsulation ppp
>>>>>  no ip route-cache cef
>>>>>  dialer rotary-group 1
>>>>>  dialer-group 1
>>>>>  isdn switch-type primary-net5
>>>>>  isdn incoming-voice modem
>>>>>  isdn guard-timer 3000
>>>>> !
>>>>> interface Dialer1
>>>>>  description connected to Dial-inPCs(ISDN)
>>>>>  ip address 10.13.1.1 255.255.255.0
>>>>>  encapsulation ppp
>>>>>  no ip split-horizon
>>>>>  dialer in-band
>>>>>  dialer idle-timeout 3600
>>>>>  dialer-group 1
>>>>>  peer default ip address pool Cisco3662-Group-1
>>>>>  ppp authentication chap pap ms-chap callin
>>>>> !
>>>>> interface Group-Async1
>>>>>  description connected tp Dial-in pcs (Analog)
>>>>>  ip unnumbered GigabitEthernet0/0
>>>>>  encapsulation ppp
>>>>>  no ip split-horizon
>>>>>  dialer in-band
>>>>>  dialer idle-timeout 3600
>>>>>  dialer-group 1
>>>>>  async mode interactive
>>>>>  peer default ip address pool cisco3662-group-2
>>>>>  no fair-queue
>>>>>  ppp authentication chap pap ms-chap callin
>>>>>  group-range 0/450 0/473
>>>>> ip http server
>>>>> ip http authentication local
>>>>> ip http timeout-policy idle 60 life 86400 requests 10000
>>>>> !
>>>>> ip radius source-interface GigabitEthernet0/0
>>>>> access-list 2 permit 10.5.0.0 0.0.255.255
>>>>> access-list 100 permit ip 10.4.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.13.0.0 0.0.255.255
>>>>> access-list 100 permit ip 10.5.0.0 0.0.255.255 10.0.0.0 0.255.255.255
>>>>> access-list 101 permit tcp host 10.5.3.10 any eq telnet
>>>>> dialer-list 1 protocol ip permit
>>>>> dialer-list 2 protocol ip permit
>>>>>
>>>>>
>>>>> On Wed, Jul 9, 2008 at 8:39 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>>>>>
>>>>>> Can't tell based on this config alone. can you please show the full
>>>>>> config? (at least the one of the Serialx/y:z (the D-channel), any dialer
>>>>>> interfaces and the "line" config at the end)?
>>>>>>
>>>>>> http://www.cisco.com/en/US/products/hw/univgate/ps505/products_configuration_example09186a0080094a49.shtml
>>>>>> shows a sample AS5xxx config, which can easily be adapted to your environment..
>>>>>>
>>>>>> oli
>>>>>>
>>>>>>
>>>>>> Mad Unix <> wrote on Wednesday, July 09, 2008 8:27 AM:
>>>>>>
>>>>>> > have a PRI connecting 60 ppl using BRI and Analog calls
>>>>>> > the Router 3800 PRI interface is having Digital modem to accept
>>>>>> > analog phone calls
>>>>>> > the analog callers can't connect!
>>>>>> > What could be wrong?
>>>>>> >
>>>>>> > interface Group-Async1
>>>>>> >  description connected tp Dial-in pcs (Analog)
>>>>>> >  ip unnumbered GigabitEthernet0/0
>>>>>> >  encapsulation ppp
>>>>>> >  no ip split-horizon
>>>>>> >  dialer in-band
>>>>>> >  dialer idle-timeout 3600
>>>>>> >  dialer-group 1
>>>>>> >  async mode interactive
>>>>>> >  peer default ip address pool cisco3662-group-2
>>>>>> >  no fair-queue
>>>>>> >  ppp authentication chap pap ms-chap callin
>>>>>> >  group-range 0/450 0/473
>>>>>> > --
>>>>>> > madunix
>
> --
> madunix

--
madunix

From matt at iseek.com.au Sun Jul 13 21:03:58 2008
From: matt at iseek.com.au (Matt Carter)
Date: Mon, 14 Jul 2008 11:03:58 +1000
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To:
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <1215592278.6067.107.camel@ursa.amorsen.dk> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com>
Message-ID: <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au>

>
> what is the constant vrf reference?
> just because someone is an mpls vpn customer does not mean they are
> going to be a managed firewall customer..i don't know why you keep
> referencing vrf?

"Which firewall does MPLS providers use to connect customer VRF's to the Internet? 6500's with FWSM's? What if they have thousands of VRF's?"

pretty hard not to enter that discussion without talking about VRF. :)

>
> and 2000 customers on a 65/7600 is alot, you dont think so?
fraid i'm with raul on this one, i too would like to see platforms supporting much larger numbers of contexts instead of focusing on high forwarding rates per context, which simply blows out per-context cost in environments where that is not required. i'd much rather see myself hitting the forwarding limits of the box before i exhaust my contexts, rather than exhausting contexts and having gigabits of bandwidth left over.

is 2000 customers a lot when each customer is doing < 1mbps of traffic? wouldn't one think the aggregate forwarding rate of all the customers is more relevant than the actual number of customers?

the sad situation is i've seen environments where for example 200+ individual firewalls have been deployed as, although centralising and virtualising may technically be the best solution, because of the low forwarding rate of a corporate wan internet firewall an aggregation model using ASA or FWSM ends up being more costly than simply deploying and managing hundreds of individual, say, PIX501-sized firewalls. it is quite a sad situation when an aggregation model ends up being more costly than deploying X hundred individual units; isn't it supposed to work the other way?

> > > As far as I heard, now a single FWSM can scale to 50Gbps if you have a
> > > Supervisor 720-10G-3C and don't want stateful inspection...
> >
> > Performance is fun and all, but more customers (vrfs) per box would be
> > more useful I'd think.

agreed.
From christian at broknrobot.com Sun Jul 13 22:56:09 2008
From: christian at broknrobot.com (Christian Koch)
Date: Sun, 13 Jul 2008 22:56:09 -0400
Subject: [c-nsp] ASA or FRSW in transparent mode over qinq
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <7FEDD455961B164D8C4EEA60E22914205B59A6C9EA@EXCHANGE1.intranet.iseek.com.au>
Message-ID:

my point is not every mpls vpn customer is going to be a firewall customer, so why does it matter if there are say 500 mpls vpn customers on 1 box but maybe only 30 managed fw's?

On Sun, Jul 13, 2008 at 9:03 PM, Matt Carter wrote:
>
> >
> > what is the constant vrf reference?
> > just because someone is an mpls vpn customer does not mean they are
> > going to be a managed firewall customer..i dont know why you keep
> > referencing vrf?
>
> "Which firewall does MPLS providers use to connect customer VRF's to the
> Internet? 6500's with FWSM's? What if they have thousands of VRF's?"
>
> pretty hard not to enter that discussion without talking about VRF. :)
>

--
^christian$

From vikassharmas at gmail.com Mon Jul 14 00:07:50 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 14 Jul 2008 09:37:50 +0530
Subject: [c-nsp] BGP - unsupported parameter - peer reset
Message-ID:

Hi,

I have an MPLS network where I am connecting ERX (Juniper box) as PE to Cisco 12k (vpnv4 route reflector). At all locations it's working fine except one, which is showing me unsupported capabilities on the ERX.

from ERX -

We received an unsupported-capability notification from this peer. This indicates that the peer does not ignore unrecognized capabilities. We received the notification before we received an open from this peer. As a result we cannot guess which capabilities are supported by the peer. We won't advertise capabilities with known interoperability problems.
Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
The last time that the session was in state established:
  We did not send the graceful-restart capability
  We did not receive the graceful-restart capability
Total of 20782 messages sent, 20639 messages received
0 update messages sent, 0 update messages received

As per RFC 3392, if a BGP-speaking router does not understand an optional community, it should ignore it and should not try to re-establish the session.

I am attaching the status of sh ip bgp vpnv4 a s for the ref.

on ERX - sh ip bgp vpnv4 all s

Local router ID 212.74.69.117, local AS 8220
Administrative state is Start
BGP Operational state is Up
Shutdown in overload state is disabled
Default local preference is 100
IGP synchronization is disabled
Default originate is disabled
Auto summary is disabled
Always compare MED is disabled
Compare MED within confederation is disabled
Advertise inactive routes is disabled
Advertise best external route to internal peers is disabled
Enforce first AS is enabled
Missing MED as worst is disabled
Route flap dampening is disabled
Log neighbor changes is enabled
Fast External Fallover is disabled
No maximum received AS-path length
BGP administrative distances are 20 (ext), 200 (int), and 200 (local)
Client-to-client reflection is enabled
Cluster ID is not configured (local router ID used)
Route-target filter is enabled
Default IPv4-unicast is enabled
Check next-hops of vpn routes is disabled
Redistribution of iBGP routes is disabled
Graceful restart is globally disabled
Global graceful-restart restart time is 120 seconds
Global graceful-restart stale paths time is 360 seconds
Graceful-restart path selection defer time is
360 seconds
Graceful-restart is not ready to switch to the standby SRP
The last restart was not graceful
Address family ipv4:vpn-unicast in core VRF operationally down due to IPv6 not present
Local-RIB version 2. FIB version 2.

                                           Messages  Messages  Prefixes
Neighbor       AS    State  Up/down time   Sent      Received  Received
212.74.69.112  8220  Idle   2d 06:25:40    18301     18166     0
212.74.69.113  8220  Idle   4d 11:06:33    20934     20788     0

these are two route reflectors connected to this PE. We have one more PE (again an ERX box), which does not have any issue. For your ref. I am also attaching the working and non-working ERX sh ip bgp v a nei "" output

working ERX -

Capability advertisements:
  Capabilities option: sent, received
  Dynamic capability negotiation: sent
  Deprecated dynamic capability negotiation: sent
  Multi-protocol extensions: sent, received
  Route refresh: sent, received
  Route refresh (Cisco proprietary): sent, received
  Four octet AS numbers: sent
  Graceful restart:
*Multi-protocol extensions negotiation:
  ip-v4 vpn-unicast: sent, received, used*
Dynamic capability negotiation:
  Multi-protocol extensions: sent
  Route refresh: sent
  Graceful restart: sent
  Route refresh (Cisco proprietary): sent
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds
  We did not send the graceful-restart capability

Non-working ERX -

Capability advertisements:
  Capabilities option: send
  Dynamic capability negotiation: send
  Deprecated dynamic capability negotiation: send
  Multi-protocol extensions: send
  Route refresh: send
  Route refresh (Cisco proprietary): send
  Four octet AS numbers: send
  Graceful restart:
Graceful restart negotiation:
  Restart time is 120 seconds
  Stale paths time is 360 seconds

Note - I can see the difference: in the working one I can see multiprotocol extension negotiations, while I cannot see the same in the non-working one.
Since the message states an issue with the 12k!!!, which I am not sure about, I am sending this to the cisco mail ;)

Regards,
Vikas Sharma

From jason at pins.net Mon Jul 14 01:36:51 2008
From: jason at pins.net (Jason Berenson)
Date: Mon, 14 Jul 2008 01:36:51 -0400
Subject: [c-nsp] VRFs
Message-ID: <487AE5F3.1070301@pins.net>

Greetings,

I know how to route leak between VRFs with BGP but is it possible to set a default route within a VRF pointing to an IP in the global routing table? If so can anyone point me to some good documentation or perhaps a sample snippet?

Thanks,
Jason

From vikassharmas at gmail.com Mon Jul 14 01:44:02 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 14 Jul 2008 11:14:02 +0530
Subject: [c-nsp] Cisco BFD support for Juniper / Huawei
Message-ID:

Hi All,

My question is - does the BFD implementation in Cisco support Juniper / Huawei CPE? Is Cisco's implementation as per standard? Has anyone tested it?

Regards,
Vikas Sharma

From oboehmer at cisco.com Mon Jul 14 01:53:19 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 14 Jul 2008 07:53:19 +0200
Subject: [c-nsp] VRFs
In-Reply-To: <487AE5F3.1070301@pins.net>
References: <487AE5F3.1070301@pins.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>

Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:

> Greetings,
>
> I know how to route leak between VRFs with BGP but is it possible to
> set a default route within a VRF pointing to an IP in the global
> routing table? If so can anyone point me to some good documentation
> or perhaps a sample snippet?

ip route vrf FOO 0.0.0.0 0.0.0.0 global

the next-hop must not be a local address of the PE..
oli

From mtinka at globaltransit.net Mon Jul 14 01:12:01 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 14 Jul 2008 13:12:01 +0800
Subject: [c-nsp] Cisco BFD support for Juniper / Huawei
In-Reply-To:
References:
Message-ID: <200807141312.01907.mtinka@globaltransit.net>

On Monday 14 July 2008 13:44:02 Vikas Sharma wrote:

> My question is - does the BFD implementation in Cisco support
> Juniper / Huawei CPE? Is Cisco's implementation as per
> standard? Has anyone tested it?

We run BFD between our Cisco and Juniper kit - works fine, nothing fancy in the configuration.

I'm guessing you have the configuration for the Cisco side, so below is our JunOS deployment of BFD for IS-IS:

user at lab# show protocols isis
lsp-lifetime 65535;
level 1 {
    authentication-key "xxx"; ## SECRET-DATA
    authentication-type md5;
    wide-metrics-only;
}
interface ge-0/0/0.0 {
    bfd-liveness-detection {
        version automatic;
        minimum-interval 250;
        minimum-receive-interval 250;
        multiplier 3;
    }
    level 2 disable;
    level 1 metric 400;
}
interface ge-0/1/0.0 {
    bfd-liveness-detection {
        version automatic;
        minimum-interval 250;
        minimum-receive-interval 250;
        multiplier 3;
    }
    level 2 disable;
    level 1 metric 400;
}
interface lo0.0 {
    passive;
}

[edit]
user at lab#

Uncertain about inter-op with Huawei.

Hope this helps.

Cheers,

Mark.
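Mark's JunOS timers interoperate with a Cisco peer because BFD negotiates the intervals on the wire (RFC 5880) rather than requiring both ends to be configured identically. The Python below is an added example, not code from the post or from Cisco or Juniper: it decodes the 24-byte BFD control packet, applies the RFC's receive-side discard rules (the checks a robust implementation runs before it trusts a packet from the network), and derives what each side ends up transmitting and how long it waits before declaring the peer down. The 250 ms / multiplier 3 values are Mark's; the 50 ms local side and the discriminators are assumed values.

```python
"""BFD control packet decode + timer negotiation (RFC 5880 sections 4.1, 6.8).
Added example for this thread; not code from the post, Cisco or Juniper."""
import struct

# Mandatory section: four single bytes followed by five 32-bit network-order fields.
_HDR = struct.Struct("!BBBBIIIII")
STATE = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
# Flag bits in byte 1 (after the 2-bit state): P F C A D M
FLAG_P, FLAG_F, FLAG_C, FLAG_A, FLAG_D, FLAG_M = 0x20, 0x10, 0x08, 0x04, 0x02, 0x01


def build_bfd(my_disc, your_disc, min_tx, min_rx, mult, state=3, flags=0, diag=0):
    """Return a 24-byte mandatory section (no authentication section). Intervals in us."""
    return _HDR.pack((1 << 5) | (diag & 0x1F), (state << 6) | (flags & 0x3F),
                     mult, _HDR.size, my_disc, your_disc, min_tx, min_rx, 0)


def parse_bfd(pkt):
    """Decode one packet and apply the RFC 5880 section 6.8.6 reception checks.
    Anything the RFC says to discard raises ValueError."""
    if len(pkt) < _HDR.size:
        raise ValueError("shorter than the mandatory section")
    b0, b1, mult, length, my_d, your_d, dmtx, rmrx, rmerx = _HDR.unpack_from(pkt)
    ctl = {
        "version": b0 >> 5, "diag": b0 & 0x1F,
        "state": STATE.get(b1 >> 6), "flags": b1 & 0x3F,
        "detect_mult": mult, "length": length,
        "my_disc": my_d, "your_disc": your_d,
        "desired_min_tx": dmtx, "required_min_rx": rmrx,
        "required_min_echo_rx": rmerx,
    }
    if ctl["version"] != 1:
        raise ValueError("version is not 1")
    min_len = 26 if ctl["flags"] & FLAG_A else 24      # auth section needs 2 more bytes
    if length < min_len or length > len(pkt):
        raise ValueError("length field inconsistent with packet")
    if mult == 0:
        raise ValueError("detect mult is zero")
    if ctl["flags"] & FLAG_M:
        raise ValueError("multipoint bit set")
    if my_d == 0:
        raise ValueError("my discriminator is zero")
    if your_d == 0 and ctl["state"] not in ("Down", "AdminDown"):
        raise ValueError("your discriminator zero outside Down/AdminDown")
    return ctl


def is_discarded(pkt):
    """True when the receive checks would drop the packet."""
    try:
        parse_bfd(pkt)
    except ValueError:
        return True
    return False


def negotiate(local_min_tx, local_min_rx, remote):
    """RFC 5880 sections 6.8.2 and 6.8.4: each direction runs at the slower side's
    rate, and the detection time is the peer's multiplier times the interval the
    peer ends up transmitting at. All values in microseconds."""
    our_tx = max(local_min_tx, remote["required_min_rx"])
    their_tx = max(local_min_rx, remote["desired_min_tx"])
    detection_time = remote["detect_mult"] * their_tx
    return our_tx, their_tx, detection_time


def negotiate_example():
    # Constructed packet mimicking the Juniper side above: minimum-interval 250,
    # minimum-receive-interval 250 (ms), multiplier 3. Discriminators are made up.
    junos_pkt = build_bfd(my_disc=0x2A, your_disc=0x11,
                          min_tx=250_000, min_rx=250_000, mult=3)
    remote = parse_bfd(junos_pkt)
    # Assumed Cisco side: 50 ms in both directions (not taken from the thread).
    return negotiate(local_min_tx=50_000, local_min_rx=50_000, remote=remote)


if __name__ == "__main__":
    our_tx, their_tx, det = negotiate_example()
    print(f"we send every {our_tx} us, peer sends every {their_tx} us, "
          f"peer declared down after {det} us of silence")
```

The slower side wins in both directions, so the Cisco end at 50 ms still sends and expects packets every 250 ms, and the failure detection time is 3 x 250 ms = 750 ms.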
From Andrey_Oleinik at bms-consulting.com Mon Jul 14 02:20:20 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Mon, 14 Jul 2008 09:20:20 +0300
Subject: [c-nsp] GPON
In-Reply-To: <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>
References: <836bf1f90807090910h57378c24s7007cb0820ca25b2@mail.gmail.com> <68D5E673B49F1D45A5BE41058C8AFDBCBFBEF69A40@BMSEXCH.BMS-CONSULTING.COM> <836bf1f90807121134pe00a251qdc860fec13a90b11@mail.gmail.com>
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992BC6D@BMSEXCH.BMS-CONSULTING.COM>

Aha. GPON requires an ONT installed at the downside of the PON ray. The ONT itself can host different interfaces (and provide corresponding services). NOTE: with GPON being able to transport 802.1q and sometimes even Q-in-Q, someone could select to end the ONT's Ethernet interface with a switch instead of a single PC (or SOHO LAN facility). That's why GPON is a very flexible technology in access areas. I personally faced this Q when my company was deciding how to use GPON for providing services in MDUs (multi-dwelling units); here U have an option to start from a single PC and grow to a multi access-switch environment.

--
Respect, Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

From: Mike Johnson [mailto:harbor235 at gmail.com]
Sent: Saturday, July 12, 2008 9:35 PM
To: Andrey Oleinik
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GPON

What I meant about power is: is the advantage of using GPON to the desktop a reduction in power because there are no access switches? The only problem is that now you need all of these cable-modem-type devices at the desktop. All this does is push the power requirement to the desktop and introduce a ton of new devices to manage.

thanx for the link

harbor235 ;}

On Fri, Jul 11, 2008 at 7:42 AM, Andrey Oleinik wrote:

Can U rephrase ur Q about power?
> Anyway, try to dig here: www.flexlight-networks.com. IMHO these guys are leaders in GPON. If you're interested I'll give you a personal contact at FLN.
>
> --
> Respect, Andy Oleynik
> Telecom Dpt Chief, BMS Consulting Ltd
> 10, Stritenska Str., of. 520, Kyiv, 01025, UA
> tel +380(44)4619961
> tel +380(44)4619963 extn 162
> fax +380(44)4619962
> www.bms-consulting.com
>
> andyo> -----Original Message-----
> andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Johnson
> andyo> Sent: Wednesday, July 09, 2008 7:10 PM
> andyo> To: cisco-nsp at puck.nether.net
> andyo> Subject: [c-nsp] GPON
> andyo>
> andyo> Does anybody have any GPON experience on the list?
> andyo>
> andyo> If so I am looking for Pros and Cons for implementing this for the CAN.
> andyo>
> andyo> Is there a power savings, or is the power requirement just pushed out to the desktop?
> andyo> Hardware required to build a PON? OLTs, ONT/ONUs, splitters?
> andyo> How is GPON managed?
> andyo> Price comparisons?
> andyo>
> andyo> Basically whatever info you have outside the classic definition,
> andyo>
> andyo> harbor235 ;}

From luan at t3technology.com Mon Jul 14 06:10:27 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Mon, 14 Jul 2008 06:10:27 -0400
Subject: [c-nsp] VRFs
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
References: <487AE5F3.1070301@pins.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
Message-ID: <016301c8e599$d6d9bcd0$848d3670$@com>

Hi Oli,

Does this mean that if, for example, you have 2 LANs, one in a VRF and one in the global table, then they can't communicate? I have a situation where the WAN is in a VRF and the LAN in the global table. For Internet access, I use NAT.
I saw the packet come back to the router, but it doesn't know how to get out of the VRF and back into the LAN. I put a route to a switch address connected to that LAN, and then things are okay... but what if you don't have a switch and just a layer 2 device? A while back, a gentleman suggested that he had to create 2 loopbacks, one in the VRF, and build a tunnel between the VRF and global... but that is just too much work. Is there a better way of doing that? To do: ip route vrf FOO x.x.x.0/24 global, where the next-hop is just an interface on the router?

Thanks.

-luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oliver Boehmer (oboehmer)
Sent: Monday, July 14, 2008 1:53 AM
To: Jason Berenson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VRFs

Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:

> Greetings,
>
> I know how to route leak between VRFs with BGP but is it possible to
> set a default route within a VRF pointing to an IP in the global
> routing table? If so can anyone point me to some good documentation
> or perhaps a sample snippet?

ip route vrf FOO 0.0.0.0 0.0.0.0 global

the next-hop must not be a local address of the PE..

oli

From CB at nianet.dk Mon Jul 14 08:57:17 2008
From: CB at nianet.dk (Christian Bering)
Date: Mon, 14 Jul 2008 14:57:17 +0200
Subject: [c-nsp] SUP720, %BGP_MPLS-3-VPN_REWRITE and %FIB-SP-4-FIBCBLK

Hi,

We're provisioning a new customer location in a VRF on two PEs working together using HSRP.
The one PE reports:

Jul 14 13:37:19: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_238_vlan0, changed state to down
Jul 14 13:37:21: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_239_vlan0, changed state to down
Jul 14 13:37:19: %FIB-SP-4-FIBCBLK: Missing cef table for tableid 238 during route update XDR event
Jul 14 13:37:22: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_238_vlan1591, changed state to up
Jul 14 13:37:24: %LINEPROTO-5-UPDOWN: Line protocol on Interface VRF_239_vlan1592, changed state to up

And later, after the above repeated some times:

Jul 14 13:58:50: %BGP_MPLS-3-VPN_REWRITE: prefix 31027:2510:192.168.31.0/24 path nexthop 0.0.0.0 - invalid outlabel 1048577, path ignored
Jul 14 13:58:50: %LSD_CLIENT-3-PCHUNK2: malloc - illegal index: LSD rewrite pchunks 49FDB864 0
Jul 14 13:58:50: %BGP_MPLS-3-VPN_REWRITE: installing rewrite for 31027:2510:192.168.31.0/24 failed: Resource

The other PE reports:

Jul 14 13:38:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_236_vlan0, changed state to down
Jul 14 13:38:13: %LINEPROTO-5-UPDOWN: Line protocol on Interface vrf_237_vlan0, changed state to down
Jul 14 13:38:13: %FIB-SP-4-FIBCBLK: Missing cef table for tableid 236 during route update XDR event
Jul 14 13:38:15: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan2004, changed state to down
Jul 14 13:38:15: %LINK-3-UPDOWN: Interface Vlan2004, changed state to down

Bug CSCsg03483, "FIB-4-FIBCBLK: Missing cef table for tableid 1 during route update XDR", seems like a match, but these boxes run SRA7, which shouldn't be affected.

I have never seen internal VLANs switch LINEPROTO status like above. What to look for?
--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730

From jason at pins.net Mon Jul 14 10:21:56 2008
From: jason at pins.net (Jason Berenson)
Date: Mon, 14 Jul 2008 10:21:56 -0400
Subject: [c-nsp] VRFs
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
References: <487AE5F3.1070301@pins.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405B65F55@xmb-ams-333.emea.cisco.com>
Message-ID: <487B6104.9070709@pins.net>

Oliver,

I tried that but it doesn't seem to work. The IP that exists in the global routing table (just an interface on the router) is not pingable from within the VRF. It also does not work as a next hop.

-Jason

Oliver Boehmer (oboehmer) wrote:
> Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:
>
>> Greetings,
>>
>> I know how to route leak between VRFs with BGP but is it possible to
>> set a default route within a VRF pointing to an IP in the global
>> routing table? If so can anyone point me to some good documentation
>> or perhaps a sample snippet?
>
> ip route vrf FOO 0.0.0.0 0.0.0.0 global
>
> the next-hop must not be a local address of the PE..
>
> oli

From zhanghuanjie at gmail.com Mon Jul 14 10:35:10 2008
From: zhanghuanjie at gmail.com (Zhang Huanjie)
Date: Mon, 14 Jul 2008 22:35:10 +0800
Subject: [c-nsp] IOS XR 3.6.0 BGP next-hop to null 0 bug?

I am writing a simple BGP client and want to use this client to send blacklist prefixes to a router. My goal is to add and remove blackhole routes automatically.

First, I add a static route for 192.0.2.1/32 to Null0 in the router. Then I start my simple program, which opens a BGP session and sends updates to this router. The next hop of the updates is set to 192.0.2.1.
My program works very well with a Cisco 6509 running IOS 12.2(18)SXD, and the blacklist prefixes are added to the FIB. Here are the show results on the 6509:

#show bgp
BGP table version is 31, local router ID is x.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network            Next Hop       Metric LocPrf Weight Path
*> 192.168.100.1/32   192.0.2.1                         0 i
*> 192.168.100.2/32   192.0.2.1                         0 i

#show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Redistributing via ospf xxxx
  Advertised by ospf xxxx subnets
  Routing Descriptor Blocks:
  * directly connected, via Null0
      Route metric is 0, traffic share count is 1

While sending updates to a GSR 12404 running IOS XR 3.6.0, it seems the router always treats 192.0.2.1 as inaccessible. None of the prefixes are added to the FIB. Here is the show output:

#show bgp 192.168.100.1
BGP routing table entry for 192.168.100.1/32
Versions:
  Process           bRIB/RIB  SendTblVer
  Speaker                  0           0
Paths: (1 available, no best path)
  Not advertised to any peer
  Path #1: Received by speaker 0
  Local
    192.0.2.1 (inaccessible) from x.x.x.x (x.x.x.x)
      Origin IGP, metric 20, localpref 100, valid, internal

#show ip route 192.0.2.1
Routing entry for 192.0.2.1/32
  Known via "static", distance 1, metric 0 (connected)
  Installed Jul 14 22:07:37.893 for 00:19:32
  Routing Descriptor Blocks
    directly connected, via Null0
      Route metric is 0
  No advertising protos.

#show bgp nexthops
Gateway Address Family: IPv4 Unicast
Table ID: 0xe0000000
Nexthop Count: 4
Critical Trigger Delay: 3000msec
Non-critical Trigger Delay: 10000msec
Nexthop Version: 1, RIB version: 1

Status codes: R/UR Reachable/Unreachable
              C/NC Connected/Not-connected
              L/NL Local/Non-local
              I    Invalid (Policy Match Failed)

Next Hop    Status  Metric      Notf  LastRIBEvent     RefCount
192.0.2.1   [UR]    4294967295  1/0   00:19:58 (Cri)   10/19

Is this a bug of IOS XR?
Thanks

--
Zhang Huanjie
james at ustc.edu.cn
+86-551-3601897
13505693311
Network Information Center
University of Science and Technology of China

From jeff-kell at utc.edu Mon Jul 14 11:40:29 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Mon, 14 Jul 2008 11:40:29 -0400
Subject: [c-nsp] FWSM with multiple vlans, NAT quandary...
Message-ID: <487B736D.2060208@utc.edu>

I seem to have backed myself into a corner and am looking for suggestions...

Our campus is largely RFC1918 internally. The original hub-and-spoke design was along the lines of assigning a 10.x.x.x/16 or larger block to significant buildings, so each building was its own routed domain address block, e.g., 10.building.subnet.host.

This allows some "interesting" access control lists by using non-contiguous wildcard masks for certain things. If routers/switches are all on subnet zero, for example, you can permit access to them by using something like 'permit ip 10.0.0.0 0.255.0.255' and it covers all the buildings in one statement.

Life was good until we started down a VRF-lite path to isolate the infrastructure, common areas, and "isolated" functional areas into their own VRFs. So now we have things like:

  10.building.0.x    infrastructure (global VRF)
  10.building.16.x   general campus
  10.building.32.x   business users
  10.building.48.x   guest access
  10.building.64.x   private areas (e.g., security video)

For the most part, each VRF is its own domain, but there are necessary "leaks" we need to manage between VRFs, and we're trying to do it with a FWSM.

Each VRF feeds a vlan into the FWSM, and I'm trying to define the "allowed" leakage. For example, network administrators need access to several VRFs, system administrators need access to several VRFs, and most all of the VRFs need access to the "outside".

There's no need for "real" NAT since the IP address space does not overlap, but I'm trying to use NAT control to define which VRFs can communicate with other VRFs.
I'd like to use identity NAT, but "only" between the allowed VRFs. But identity NAT defaults to ALL interfaces.

You can use a static identity NAT, but since NAT doesn't allow discontiguous network masks, there's a LOT of configuration to be done to cover the addresses in use (must duplicate for each building).

Is there a better way to accomplish this? (other than going back and renumbering IPs into a 10.VRF.building-subnet scheme that lends itself better to the problem at hand?)

Jeff

From kilobit at gmail.com Mon Jul 14 12:07:10 2008
From: kilobit at gmail.com (Iddo)
Date: Mon, 14 Jul 2008 18:07:10 +0200
Subject: [c-nsp] high interrupt CPU due to traffic for IP not in arp-cache

Hello All,

We are running a 6500/sup720-3BXL with 12.2.18SXF13.

A DoS attack of 300,000 pps was sent to an IP address which is directly connected, but not in use by any machine. The ARP entry for the target IP address is "incomplete".

This caused interrupt-based CPU to go to 90+%, which in turn caused OSPF/BGP etc. to time out.

I can reproduce the results with a packet generator.

Can anyone recommend a solution for this?

Thanks in advance,
Iddo

From sam_mailinglists at spacething.org Mon Jul 14 12:11:34 2008
From: sam_mailinglists at spacething.org (Sam Stickland)
Date: Mon, 14 Jul 2008 17:11:34 +0100
Subject: [c-nsp] FWSM with multiple vlans, NAT quandary...
In-Reply-To: <487B736D.2060208@utc.edu>
References: <487B736D.2060208@utc.edu>
Message-ID: <487B7AB6.1090003@spacething.org>

Hi Jeff,

I'm not sure I understand the problem with identity NAT (no nat-control). It does default to all interfaces, but the ACL checks will happen before the NAT translation is built, so you can control your access there?

Sam

Jeff Kell wrote:
> I seem to have backed myself into a corner and am looking for
> suggestions...
>
> Our campus is largely RFC1918 internally.
> The original hub-and-spoke
> design was along the lines of assigning a 10.x.x.x/16 or larger block
> to significant buildings, so each building was its own routed domain
> address block, e.g., 10.building.subnet.host.
>
> This allows some "interesting" access control lists by using
> non-contiguous wildcard masks for certain things. If routers/switches
> are all on subnet zero, for example, you can permit access to them by
> using something like 'permit ip 10.0.0.0 0.255.0.255' and it covers
> all the buildings in one statement.
>
> Life was good until we started down a VRF-lite path to isolate the
> infrastructure, common areas, and "isolated" functional areas into
> their own VRFs. So now we have things like:
>
>   10.building.0.x    infrastructure (global VRF)
>   10.building.16.x   general campus
>   10.building.32.x   business users
>   10.building.48.x   guest access
>   10.building.64.x   private areas (e.g., security video)
>
> For the most part, each VRF is its own domain, but there are
> necessary "leaks" we need to manage between VRFs, and we're trying to
> do it with a FWSM.
>
> Each VRF feeds a vlan into the FWSM, and I'm trying to define the
> "allowed" leakage. For example, network administrators need access to
> several VRFs, system administrators need access to several VRFs, and
> most all of the VRFs need access to the "outside".
>
> There's no need for "real" NAT since the IP address space does not
> overlap, but I'm trying to use NAT control to define which VRFs can
> communicate with other VRFs.
>
> I'd like to use identity NAT, but "only" between the allowed VRFs.
> But identity NAT defaults to ALL interfaces.
>
> You can use a static identity NAT, but since NAT doesn't allow
> discontiguous network masks, there's a LOT of configuration to be done
> to cover the addresses in use (must duplicate for each building).
>
> Is there a better way to accomplish this?
> (other than going back and
> renumbering IPs into a 10.VRF.building-subnet scheme that lends itself
> better to the problem at hand?)
>
> Jeff

From oboehmer at cisco.com Mon Jul 14 12:29:15 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 14 Jul 2008 18:29:15 +0200
Subject: [c-nsp] IOS XR 3.6.0 BGP next-hop to null 0 bug?
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405B6647F@xmb-ams-333.emea.cisco.com>

Zhang Huanjie <> wrote on Monday, July 14, 2008 4:35 PM:

> I am writing a simple BGP client and want to use this client to send
> blacklist prefixes to a router. My goal is to add and remove blackhole
> routes automatically.
> [...]
>
> While sending updates to a GSR 12404 running IOS XR 3.6.0, it seems
> the router always treats 192.0.2.1 as inaccessible. None of the
> prefixes are added to the FIB. Here is the show output:
>
> #show bgp 192.168.100.1
> BGP routing table entry for 192.168.100.1/32
> Versions:
>   Process           bRIB/RIB  SendTblVer
>   Speaker                  0           0
> Paths: (1 available, no best path)
>   Not advertised to any peer
>   Path #1: Received by speaker 0
>   Local
>     192.0.2.1 (inaccessible) from x.x.x.x (x.x.x.x)
>       Origin IGP, metric 20, localpref 100, valid, internal
> [..]
> Is this a bug of IOS XR?

yes, this is a bug in XR3.5/3.6.0, documented in CSCsm76283 (Umbrella fix for Remote Trigger Blackhole and a BGP CLI output issue). SMUs should be available..
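Added example, not from Zhang Huanjie's client or any other message in this thread: the BGP UPDATE messages a remote-triggered blackhole (RTBH) trigger such as the one Zhang describes has to emit, built and parsed by hand so the bytes the router receives are visible. The same mechanism is what you would use to blackhole the unused directly-connected address in Iddo's ARP-glean flood above without touching each 6500 by hand. The blackhole next-hop 192.0.2.1 and the /32 victims come from Zhang's message; the BLACKHOLE community (65535:666), the NO_EXPORT marking, and the "host routes from our own space only" guard are assumptions for the example. Whether a given platform then resolves 192.0.2.1 over its static Null0 route is a router-side matter (the XR behaviour Oli attributes to CSCsm76283), not something the trigger can influence.

```python
"""Encode and decode the BGP UPDATEs an RTBH trigger sends (RFC 4271 / RFC 1997)."""
import ipaddress
import struct

BLACKHOLE_NEXT_HOP = "192.0.2.1"          # every router has: ip route 192.0.2.1/32 Null0
NO_EXPORT = 0xFFFFFF01                    # well-known community, RFC 1997
BLACKHOLE = (65535 << 16) | 666           # 65535:666, RFC 7999
# Assumed for the example: only these blocks may be blackholed, and only as host routes.
TRIGGER_SCOPE = [ipaddress.ip_network("192.168.100.0/24")]


def _nlri(prefix):
    """RFC 4271 4.3 NLRI encoding: length in bits, then only the significant octets."""
    net = ipaddress.ip_network(prefix)
    octets = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:octets]


def _parse_nlri(buf):
    prefixes, i = [], 0
    while i < len(buf):
        plen = buf[i]
        octets = (plen + 7) // 8
        raw = buf[i + 1:i + 1 + octets].ljust(4, b"\x00")
        prefixes.append(f"{ipaddress.IPv4Address(raw)}/{plen}")
        i += 1 + octets
    return prefixes


def _attr(flags, code, value):
    return bytes([flags, code, len(value)]) + value


def check_trigger(prefix):
    """Guard: a mistyped /8 from the trigger would blackhole far more than the victim."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 32:
        raise ValueError(f"{prefix}: RTBH trigger only accepts host routes")
    if not any(net.subnet_of(scope) for scope in TRIGGER_SCOPE):
        raise ValueError(f"{prefix}: outside the blackhole scope")
    return net


def build_update(announce=(), withdraw=(), local_pref=100):
    """One iBGP UPDATE: withdrawn victims and/or new victims pointed at the blackhole."""
    withdrawn = b"".join(_nlri(str(check_trigger(p))) for p in withdraw)
    attrs, nlri = b"", b""
    if announce:
        nlri = b"".join(_nlri(str(check_trigger(p))) for p in announce)
        attrs = (_attr(0x40, 1, b"\x00")                                     # ORIGIN = IGP
                 + _attr(0x40, 2, b"")                                       # empty AS_PATH (iBGP)
                 + _attr(0x40, 3, ipaddress.IPv4Address(BLACKHOLE_NEXT_HOP).packed)
                 + _attr(0x40, 5, struct.pack("!I", local_pref))             # LOCAL_PREF
                 + _attr(0xC0, 8, struct.pack("!II", NO_EXPORT, BLACKHOLE)))  # COMMUNITIES
    body = (struct.pack("!H", len(withdrawn)) + withdrawn
            + struct.pack("!H", len(attrs)) + attrs + nlri)
    return b"\xff" * 16 + struct.pack("!HB", 19 + len(body), 2) + body


def parse_update(msg):
    """Decode an UPDATE into what the receiving router sees."""
    if msg[:16] != b"\xff" * 16 or msg[18] != 2:
        raise ValueError("not a BGP UPDATE")
    length = struct.unpack("!H", msg[16:18])[0]
    body = msg[19:length]
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = _parse_nlri(body[2:2 + wlen])
    alen = struct.unpack("!H", body[2 + wlen:4 + wlen])[0]
    attrs, nlri = body[4 + wlen:4 + wlen + alen], body[4 + wlen + alen:]
    out = {"withdrawn": withdrawn, "nlri": _parse_nlri(nlri),
           "next_hop": None, "communities": []}
    i = 0
    while i < len(attrs):
        flags, code = attrs[i], attrs[i + 1]
        if flags & 0x10:                       # extended-length attribute
            vlen, i = struct.unpack("!H", attrs[i + 2:i + 4])[0], i + 4
        else:
            vlen, i = attrs[i + 2], i + 3
        value = attrs[i:i + vlen]
        i += vlen
        if code == 3:
            out["next_hop"] = str(ipaddress.IPv4Address(value))
        elif code == 8:
            out["communities"] = [f"{c >> 16}:{c & 0xFFFF}"
                                  for c in struct.unpack(f"!{len(value) // 4}I", value)]
    return out


if __name__ == "__main__":
    start = build_update(announce=["192.168.100.1/32", "192.168.100.2/32"])
    print(parse_update(start))                       # next_hop 192.0.2.1, two /32s
    print(parse_update(build_update(withdraw=["192.168.100.1/32"])))
```

NO_EXPORT keeps the victim /32s inside your own AS; the BLACKHOLE community lets an upstream that honours it drop the traffic closer to the source, which is the "blocking this closer to the source" point the thread raises for the ARP-glean case.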
oli

From peter at rathlev.dk Mon Jul 14 12:32:43 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 14 Jul 2008 18:32:43 +0200
Subject: [c-nsp] high interrupt CPU due to traffic for IP not in arp-cache
Message-ID: <1216053163.13942.9.camel@svesken.sys.mjna.net>

On Mon, 2008-07-14 at 18:07 +0200, Iddo wrote:
> We are running a 6500/sup720-3BXL with 12.2.18SXF13
> A DoS attack of 300,000 pps was sent to an IP address which is directly
> connected, but not in use by any machine.
> The ARP entry for the target IP address is "incomplete".
>
> This caused interrupt-based CPU to go to 90+%, which in turn caused
> OSPF/BGP etc. to time out.
>
> I can reproduce the results with a packet generator.
>
> Can anyone recommend a solution for this?

The problem would be because the 6500 tries to determine the L2 address of the destination host via ARP. There are a couple of solutions.

As a simple solution, you can rate limit packets punted to the RP for ARP resolution. This will generally rate limit ARP, and should be used carefully since you could be DoS'ed in another way: starving your ability to ARP. The command is "mls rate-limit unicast cef glean".

Since the host doesn't exist, you could also blackhole just this host, e.g. "ip route 10.1.2.3 255.255.255.255 Null0" for the host 10.1.2.3. For the 6500 this would just throw traffic to that host away, and not disturb your RP.

Of course there could be a point in blocking this closer to the source, but that might not be easy.

Regards,
Peter

From lists at visp.me.uk Mon Jul 14 11:30:01 2008
From: lists at visp.me.uk (Steve Wright)
Date: Mon, 14 Jul 2008 16:30:01 +0100
Subject: [c-nsp] SA-VAM2+ Getting the best performance
Message-ID: 200807141604051216047845000267@webmail.stevewrightonline.co.uk
From dwinkworth at wi.rr.com Mon Jul 14 13:24:42 2008
From: dwinkworth at wi.rr.com (dwinkworth at wi.rr.com)
Date: Mon, 14 Jul 2008 12:24:42 -0500
Subject: [c-nsp] VRFs
Message-ID: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02>

What about the return path? What did you do to get traffic back into the VRF?

Also, what do you mean it does not work as the next hop? Did the static route not appear in the routing table after you added it? Can you give us some config output/"show ip route vrf" output?

---- Jason Berenson wrote:
> Oliver,
>
> I tried that but it doesn't seem to work. The IP that exists in the
> global routing table (just an interface on the router) is not pingable
> from within the VRF. It also does not work as a next hop.
>
> -Jason
>
> Oliver Boehmer (oboehmer) wrote:
> > Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:
> >
> >> Greetings,
> >>
> >> I know how to route leak between VRFs with BGP but is it possible to
> >> set a default route within a VRF pointing to an IP in the global
> >> routing table? If so can anyone point me to some good documentation
> >> or perhaps a sample snippet?
> >
> > ip route vrf FOO 0.0.0.0 0.0.0.0 global
> >
> > the next-hop must not be a local address of the PE..
> >
> > oli

From jason at pins.net Mon Jul 14 13:38:47 2008
From: jason at pins.net (Jason Berenson)
Date: Mon, 14 Jul 2008 13:38:47 -0400
Subject: [c-nsp] VRFs
In-Reply-To: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02>
Message-ID: <487B8F27.5010802@pins.net>

R1#show ip route vrf priv

Routing Table: priv
Gateway of last resort is 209.212.66.1 to network 0.0.0.0

     209.212.64.0/29 is subnetted, 1 subnets
C       209.212.64.176 is directly connected, GigabitEthernet0/1.1000
S*   0.0.0.0/0 [1/0] via 209.212.66.1, GigabitEthernet0/1.1000

ip route 209.212.64.177 255.255.255.255 GigabitEthernet0/1.1000 209.212.64.177
ip route vrf priv 0.0.0.0 0.0.0.0 GigabitEthernet0/1.1000 209.212.66.1 global

interface GigabitEthernet0/1.1000
 description << Priv VRF for MON T1/DSL >>
 encapsulation dot1Q 1000
 ip vrf forwarding priv
 ip address 209.212.64.177 255.255.255.248
 no ip redirects
 no cdp enable

So for now I just want the vrf priv to route to the Internet via another router. There are two routers in 209.212.64.176/29. The other one has a similar config except it's 209.212.64.178. Right now a ping drops exactly half the packets:

R1#ping vrf priv 209.212.66.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.212.66.1, timeout is 2 seconds:
!.!.!
Success rate is 60 percent (3/5), round-trip min/avg/max = 1/2/4 ms

I will eventually add certain T1/DSL interfaces to the VRF priv in order to "move" them behind a traffic shaping device so diagnostics can be performed.

-Jason

dwinkworth at wi.rr.com wrote:
> What about the return path? What did you do to get traffic back into the VRF?
>
> Also, what do you mean it does not work as the next hop?
> Did the static route not appear in the routing table after you added it? Can you give us some config output/"show ip route vrf" output?
>
> ---- Jason Berenson wrote:
>
>> Oliver,
>>
>> I tried that but it doesn't seem to work. The IP that exists in the
>> global routing table (just an interface on the router) is not pingable
>> from within the VRF. It also does not work as a next hop.
>>
>> -Jason
>>
>> Oliver Boehmer (oboehmer) wrote:
>>
>>> Jason Berenson <> wrote on Monday, July 14, 2008 7:37 AM:
>>>
>>>> Greetings,
>>>>
>>>> I know how to route leak between VRFs with BGP but is it possible to
>>>> set a default route within a VRF pointing to an IP in the global
>>>> routing table? If so can anyone point me to some good documentation
>>>> or perhaps a sample snippet?
>>>>
>>> ip route vrf FOO 0.0.0.0 0.0.0.0 global
>>>
>>> the next-hop must not be a local address of the PE..
>>>
>>> oli

From luan at t3technology.com Mon Jul 14 13:45:56 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Mon, 14 Jul 2008 13:45:56 -0400
Subject: [c-nsp] SA-VAM2+ Getting the best performance
In-Reply-To: 200807141604051216047845000267@webmail.stevewrightonline.co.uk
References: 200807141604051216047845000267@webmail.stevewrightonline.co.uk
Message-ID: <017501c8e5d9$78434e80$68c9eb80$@com>

For 512 packet size, we also see ~60M.
If you could force the packet to be ~1200-1300 in size, then performance will be better... not that much though.
You should give the VSA a try, throughput could be up to ~160M :)

-luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright
Sent: Monday, July 14, 2008 11:30 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SA-VAM2+ Getting the best performance

Hi everyone,

I'm currently working on some testing for a potential project that would involve a number of remote sites that require encrypted traffic to flow between them, as well as them performing BGP with a number of upstreams and IXs.

The current router of choice (before the IPSec VPNs were thrown in) was the 7[23]00 with the NPE-G2.

The current design encompasses running GRE tunnels (for the IGP to work as we wish). With no hardware acceleration, the routers' processors max out at about 25Mbps. With the SA-VAM2+ this increases to about 60Mbps, which however is nowhere near the level I would have expected, unfortunately.

Can anyone with experience of using the SA-VAM2+, or anyone who has any extra thoughts on how to improve the throughput, advise?

These routers aren't running any ACLs at present, have a couple of OSPF processes, and a couple of BGP sessions with only a few routes.
Any thoughts much appreciated,

Thanks,

From ibrahim.abozaid at gmail.com Mon Jul 14 18:50:29 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Tue, 15 Jul 2008 01:50:29 +0300
Subject: [c-nsp] BGP auto-summary [7:131926]
In-Reply-To: <200807141739.m6EHdKHx003666@groupstudy.com>
References: <200807141739.m6EHdKHx003666@groupstudy.com>

Hi Ajay

If auto-summary is enabled with a classful network command, all specific routes will be summarized to the class boundary, so for the example below only 10.0.0.0/8 will be advertised.

best regards
--Ibrahim

On Mon, Jul 14, 2008 at 8:39 PM, Ajay Chenampara wrote:

> Hi,
> I was reading the Wendell Odom exam guide and have the following doubt:
>
> When auto-summary is enabled in bgp and the network command has only a
> classful network, what happens if the router has more specific routes?
>
> eg:
>
> ip routing table has routes to
> 10.10.10.0/24, 10.20.0.0/16
>
> router bgp 1
>  network 10.0.0.0
>  auto-summary
>
> what will the bgp table contain?
>
> will it just be the summary route ?
>
> Message Posted at:
> http://www.groupstudy.com/form/read.php?f=7&i=131926&t=131926
> --------------------------------------------------
> FAQ, list archives, and subscription info:
> http://www.groupstudy.com/list/cisco.html

From dwinkworth at wi.rr.com Mon Jul 14 20:19:12 2008
From: dwinkworth at wi.rr.com (Wink)
Date: Mon, 14 Jul 2008 19:19:12 -0500
Subject: [c-nsp] SA-VAM2+ Getting the best performance
In-Reply-To: <017501c8e5d9$78434e80$68c9eb80$@com>
References: 200807141604051216047845000267@webmail.stevewrightonline.co.uk <017501c8e5d9$78434e80$68c9eb80$@com>
Message-ID: <487BED00.5000106@wi.rr.com>

deny tcp any eq 443 any
deny tcp any any eq 443

Luan M Nguyen wrote:
> For 512 packet size, we also see ~60M.
> If you could force the packet to be
> ~1200-1300 in size, then performance will be better... not that much though.
> You should give the VSA a try, throughput could be up to ~160M :)
>
> -luan
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Wright
> Sent: Monday, July 14, 2008 11:30 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SA-VAM2+ Getting the best performance
>
> Hi everyone,
>
> I'm currently working on some testing for a potential project that would
> involve a number of remote sites that require encrypted traffic to flow
> between them, as well as them performing BGP with a number of upstreams, and
> IXs.
>
> The current router of choice (before the IPSec VPNs were thrown in) was the
> 7[23]00 with the NPE-G2.
>
> The current design encompasses running GRE tunnels (for the IGP to work as we
> wish). With no hardware acceleration, the routers' processors max out at about
> 25Mbps. With the SA-VAM2+ this increases to about 60Mbps, which however is
> nowhere near the level I would have expected, unfortunately.
>
> Can anyone with experience of using the SA-VAM2+, or anyone who has any
> extra thoughts on how to improve the throughput, advise?
>
> These routers aren't running any ACLs at present, have a couple of OSPF
> processes, and a couple of BGP sessions with only a few routes.
>
> Any thoughts much appreciated,
>
> Thanks,
From peter at rathlev.dk Mon Jul 14 20:46:29 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 02:46:29 +0200
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
Message-ID: <1216082789.18849.26.camel@svesken.sys.mjna.net>

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite subinterface on the "back" of the 7200. This VRF has a static 0/0 route with a global next hop, and the global table has a static route pointing the other way.

Traffic can go from behind the ASA to behind the 7200 with no problems. Traffic from behind the 7200 doesn't get encrypted for some reason, including replies to ICMP echos that came in encrypted. And the 7200 doesn't initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route vrf ... global" traffic? The configuration works fine when the host behind the 7200 isn't in a VRF, but the 7200 being software based I thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y behind the ASA. Host X is not directly connected to the 7200, but behind another router. Traffic is routed with no problems, so it's only the encryption that's missing. (The ASA complains about it in logs and I can see it with tcpdump.)
The 7200 creates the IPSec SA, but only the "decaps" counter goes up:

vamtest#sh cry ips sa

interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr [7200-outside]

   protected vrf: (none)
   local  ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0)
   current_peer [ASA-outside] port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside]
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xA9F53FD7(2851422167)

     inbound esp sas:
      spi: 0x4FC8A681(1338549889)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3002, flow_id: VAM2:2, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511451/1957)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xA9F53FD7(2851422167)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 3001, flow_id: VAM2:1, crypto map: vamtest
        sa timing: remaining key lifetime (k/sec): (4511454/1955)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
vamtest#

Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says nothing at all for traffic coming from inside. It's just routed, as if the crypto map didn't exist.

And now the configuration:

! *** 7200 ***
ip vrf A
 rd 64512:1
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp key address [ASA-outside]
!
crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp description SAVAM2test -> ASA Horsens set peer [ASA-outside] set transform-set sha-3des match address SAVAM2test ! interface GigabitEthernet0/1 description Outside ip address [7200-outside] crypto map vamtest ! interface GigabitEthernet0/2.2081 description Inside, VRF encapsulation dot1Q 2081 ip vrf forwarding A ip address [inside net] ip tcp adjust-mss 1355 ! ip route 0.0.0.0 0.0.0.0 [Outside next hop] ip route [Host X] Gi0/2.2081 [Inside VRF next hop] ip route vrf A [Host Y] [Outside next hop] global ! ip access-list extended SAVAM2test permit ip host [Host X] host [Host Y] ! ! *** ASA *** access-list SAVAM2test permit ip host [Host Y] host [Host X] ! crypto map asaoutside_map 60 match address SAVAM2test crypto map asaoutside_map 60 set peer [7200-outside] crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA ! tunnel-group [7200-outside] type ipsec-l2l tunnel-group [7200-outside] ipsec-attributes pre-shared-key ! static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255 ! Thank you, Peter From jmaimon at ttec.com Mon Jul 14 21:32:30 2008 From: jmaimon at ttec.com (Joe Maimon) Date: Mon, 14 Jul 2008 21:32:30 -0400 Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global" In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net> References: <1216082789.18849.26.camel@svesken.sys.mjna.net> Message-ID: <487BFE2E.8040906@ttec.com> Peter Rathlev wrote: > Hi, > > The traffic that doesn't get encrypted comes from a VRF Lite > subinterface on the "back" of the 7200. This VRF has a static 0/0 route > with a global next hop, and the global table has a static route pointing > the other way. Sure would make things simpler if inter-vrf traffic could be configured to appear as if it went through a logically defined interface. On the other hand, you can actually do that manually, at the cost of handling the packets twice, either with physical interfaces or with tunnels. 
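A check for the symptom in Peter's post, as an added Python example that is not code from the thread or from Cisco: it parses the per-SA blocks of "show crypto ipsec sa" and flags entries that only ever decrypt. That asymmetry is worth alerting on in general, because the failure is silent from the router's side: traffic the policy says to protect is forwarded in cleartext, and only the peer complains. The sample output is constructed from the format quoted above, with RFC 5737 documentation addresses in place of the redacted ones; the "protected vrf: (none)" hint in the report encodes the root cause found later in the thread (VRF-sourced traffic needs the vrf keyword in an ISAKMP profile), which is an interpretation of that thread, not something the counters prove by themselves.

```python
"""Flag one-way IPsec SAs in IOS "show crypto ipsec sa" output.

Added example for the cisco-nsp thread; not code from the list or from Cisco.
The symptom: the peer's traffic is decrypted fine, but replies are routed past
the crypto map and leave in cleartext, so only the decaps counters move.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the output quoted in the thread. Addresses
# are from the RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE = """\
interface: GigabitEthernet0/1
    Crypto map tag: vamtest, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.10.10.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.20.20.5/255.255.255.255/0/0)
   current_peer 192.0.2.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
    #send errors 0, #recv errors 0

   protected vrf: B
   local  ident (addr/mask/prot/port): (10.30.30.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.40.40.0/255.255.255.0/0/0)
   current_peer 192.0.2.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
    #send errors 0, #recv errors 0
"""


@dataclass
class SaEntry:
    vrf: str          # "(none)" when the SA is not bound to a VRF
    local: str        # local ident, e.g. "10.10.10.5/255.255.255.255/0/0"
    remote: str
    peer: str
    encaps: int
    decaps: int
    send_errors: int


# One block per "protected vrf:" line, running up to the next one (or EOF).
_BLOCK = re.compile(r"protected vrf: (?P<vrf>\S+)(?P<body>.*?)(?=protected vrf:|\Z)", re.S)
_FIELDS = {
    "local": re.compile(r"local\s+ident \(addr/mask/prot/port\): \((?P<v>[^)]*)\)"),
    "remote": re.compile(r"remote ident \(addr/mask/prot/port\): \((?P<v>[^)]*)\)"),
    "peer": re.compile(r"current_peer (?P<v>\S+)"),
    "encaps": re.compile(r"#pkts encaps: (?P<v>\d+)"),
    "decaps": re.compile(r"#pkts decaps: (?P<v>\d+)"),
    "send_errors": re.compile(r"#send errors (?P<v>\d+)"),
}


def parse_ipsec_sa(text: str) -> list[SaEntry]:
    """Parse every SA block; blocks missing a field (truncated paste) are skipped."""
    entries = []
    for m in _BLOCK.finditer(text):
        found = {k: rx.search(m.group("body")) for k, rx in _FIELDS.items()}
        if not all(found.values()):
            continue
        entries.append(SaEntry(
            vrf=m.group("vrf"),
            local=found["local"].group("v"),
            remote=found["remote"].group("v"),
            peer=found["peer"].group("v"),
            encaps=int(found["encaps"].group("v")),
            decaps=int(found["decaps"].group("v")),
            send_errors=int(found["send_errors"].group("v")),
        ))
    return entries


def one_way_sas(entries: list[SaEntry]) -> list[tuple[SaEntry, str]]:
    """Return (entry, reason) for SAs that decrypt inbound but never encrypt outbound."""
    findings = []
    for e in entries:
        if e.decaps > 0 and e.encaps == 0:
            reason = (f"decaps={e.decaps} but encaps=0: outbound {e.local} -> {e.remote} "
                      "is being forwarded past the crypto map, i.e. in cleartext")
            if e.send_errors:
                reason += f" ({e.send_errors} send errors reported as well)"
            if e.vrf == "(none)":
                # Root cause in the thread: source sits in a VRF, SA is not VRF-bound.
                reason += ("; SA is not VRF-bound, so if the source sits in a VRF the "
                           "ISAKMP profile needs a 'vrf' statement")
            findings.append((e, reason))
    return findings


if __name__ == "__main__":
    for entry, why in one_way_sas(parse_ipsec_sa(SAMPLE)):
        print(f"peer {entry.peer} (vrf {entry.vrf}): {why}")
```

Run it against a saved "show crypto ipsec sa" instead of SAMPLE to get a list of SAs that never encrypt; a fresh SA with encaps=0 and decaps=0 is not reported, since nothing has flowed yet.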
From christian at broknrobot.com Mon Jul 14 21:59:11 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 14 Jul 2008 21:59:11 -0400
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net>
References: <1216082789.18849.26.camel@svesken.sys.mjna.net>
Message-ID:

on the 7200, map ipsec tunnel to the vrf instance? - ISAKMP profile?

On Mon, Jul 14, 2008 at 8:46 PM, Peter Rathlev wrote:
> Hi,
>
> I have a strange-ish problem. I've configured an IPSec tunnel between a
> 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some
> reason traffic only gets encrypted ASA->7200, not the other way.
>
> The traffic that doesn't get encrypted comes from a VRF Lite
> subinterface on the "back" of the 7200. This VRF has a static 0/0 route
> with a global next hop, and the global table has a static route pointing
> the other way.
>
> Traffic can go from behind ASA to behind 7200 with no problems. Traffic
> from behind the 7200 doesn't get encrypted for some reason, including
> replies from ICMP echos that came encrypted. And the 7200 doesn't
> initiate a tunnel either.
>
> Could it be because I can't make the crypto map work for the "ip route
> vrf ... global" traffic? The configuration works fine when the host
> behind the 7200 isn't in a VRF, but the 7200 being software based I
> thought this wouldn't be a problem.
>
> Configuration at the bottom, with Host X behind the 7200 and Host Y
> behind the ASA. Host X is not directly connected to the 7200, but behind
> another router. Traffic is routed with no problems, so it's only the
> encryption that's missing. (The ASA complains about it in logs and I can
> see it with tcpdump.)
> > The 7200 creates the IPSec SA, but only the "decaps" counter goes up: > > vamtest#sh cry ips sa > > interface: GigabitEthernet0/1 > Crypto map tag: vamtest, local addr [7200-outside] > > protected vrf: (none) > local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0) > remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0) > current_peer [ASA-outside] port 500 > PERMIT, flags={origin_is_acl,} > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 > #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16 > #pkts compressed: 0, #pkts decompressed: 0 > #pkts not compressed: 0, #pkts compr. failed: 0 > #pkts not decompressed: 0, #pkts decompress failed: 0 > #send errors 0, #recv errors 0 > > local crypto endpt.: [7200-outside], remote crypto endpt.: > [ASA-outside] > path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 > current outbound spi: 0xA9F53FD7(2851422167) > > inbound esp sas: > spi: 0x4FC8A681(1338549889) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3002, flow_id: VAM2:2, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511451/1957) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > inbound ah sas: > > inbound pcp sas: > > outbound esp sas: > spi: 0xA9F53FD7(2851422167) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3001, flow_id: VAM2:1, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511454/1955) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > outbound ah sas: > > outbound pcp sas: > > vamtest# > > Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says > nothing at all for traffic coming from inside. It's just routed, as if > the crypto map didn't exist. > > And now the configuration: > > ! *** 7200 *** > ip vrf A > rd 64512:1 > ! > crypto isakmp policy 25 > encr 3des > hash sha > authentication pre-share > ! > crypto isakmp key address [ASA-outside] > ! 
> crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac
> !
> crypto map vamtest 25 ipsec-isakmp
>  description SAVAM2test -> ASA Horsens
>  set peer [ASA-outside]
>  set transform-set sha-3des
>  match address SAVAM2test
> !
> interface GigabitEthernet0/1
>  description Outside
>  ip address [7200-outside]
>  crypto map vamtest
> !
> interface GigabitEthernet0/2.2081
>  description Inside, VRF
>  encapsulation dot1Q 2081
>  ip vrf forwarding A
>  ip address [inside net]
>  ip tcp adjust-mss 1355
> !
> ip route 0.0.0.0 0.0.0.0 [Outside next hop]
> ip route [Host X] Gi0/2.2081 [Inside VRF next hop]
> ip route vrf A [Host Y] [Outside next hop] global
> !
> ip access-list extended SAVAM2test
>  permit ip host [Host X] host [Host Y]
> !
>
> ! *** ASA ***
> access-list SAVAM2test permit ip host [Host Y] host [Host X]
> !
> crypto map asaoutside_map 60 match address SAVAM2test
> crypto map asaoutside_map 60 set peer [7200-outside]
> crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA
> !
> tunnel-group [7200-outside] type ipsec-l2l
> tunnel-group [7200-outside] ipsec-attributes
>  pre-shared-key
> !
> static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255
> !
>
>
> Thank you,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-- ^christian$

From luan at t3technology.com Mon Jul 14 23:13:14 2008
From: luan at t3technology.com (Luan M Nguyen)
Date: Mon, 14 Jul 2008 23:13:14 -0400
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To:
References: <1216082789.18849.26.camel@svesken.sys.mjna.net>
Message-ID: <01b101c8e628$b89df8a0$29d9e9e0$@com>

Only works if it's a front VRF, right? Might have to move the VRF to the WAN to be able to utilize VRF-aware IPsec.
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Monday, July 14, 2008 9:59 PM To: Peter Rathlev Cc: cisco-nsp Subject: Re: [c-nsp] Crypto map + traffic via "ip route vrf ... global" on the 7200, map ipsec tunnel to the vrf instance? - iskamp profile? On Mon, Jul 14, 2008 at 8:46 PM, Peter Rathlev wrote: > Hi, > > I have a strange-ish problem. I've configured an IPSec tunnel between a > 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some > reason traffic only gets encrypted ASA->7200, not the other way. > > The traffic that doesn't get encrypted comes from a VRF Lite > subinterface on the "back" of the 7200. This VRF has a static 0/0 route > with a global next hop, and the global table has a static route pointing > the other way. > > Traffic can go from behind ASA to behind 7200 with no problems. Traffic > from behind the 7200 doesn't get encrypted for some reason, including > replies from ICMP echos that came encrypted. And the 7200 doesn't > initiate a tunnel either. > > Could it be because I can't make the crypto map work for the "ip route > vrf ... global" traffic? The configuration works fine when the host > behind the 7200 isn't in a VRF, but the 7200 being software based I > thought this wouldn't be a problem. > > Configuration at the bottom, with Host X behind the 7200 and Host Y > behind the ASA. Host X is not directly connected to the 7200, but behind > another router. Traffic is routed with not problems, so it's only the > encryption that's missing. (The ASA complains about it in logs and I can > see it with tcpdump.) 
> > The 7200 creates the IPSec SA, but only the "decaps" counter goes up: > > vamtest#sh cry ips sa > > interface: GigabitEthernet0/1 > Crypto map tag: vamtest, local addr [7200-outside] > > protected vrf: (none) > local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0) > remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0) > current_peer [ASA-outside] port 500 > PERMIT, flags={origin_is_acl,} > #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 > #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16 > #pkts compressed: 0, #pkts decompressed: 0 > #pkts not compressed: 0, #pkts compr. failed: 0 > #pkts not decompressed: 0, #pkts decompress failed: 0 > #send errors 0, #recv errors 0 > > local crypto endpt.: [7200-outside], remote crypto endpt.: > [ASA-outside] > path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 > current outbound spi: 0xA9F53FD7(2851422167) > > inbound esp sas: > spi: 0x4FC8A681(1338549889) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3002, flow_id: VAM2:2, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511451/1957) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > inbound ah sas: > > inbound pcp sas: > > outbound esp sas: > spi: 0xA9F53FD7(2851422167) > transform: esp-3des esp-sha-hmac , > in use settings ={Tunnel, } > conn id: 3001, flow_id: VAM2:1, crypto map: vamtest > sa timing: remaining key lifetime (k/sec): (4511454/1955) > IV size: 8 bytes > replay detection support: Y > Status: ACTIVE > > outbound ah sas: > > outbound pcp sas: > > vamtest# > > Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says > nothing at all for traffic coming from inside. It's just routed, as if > the crypto map didn't exist. > > And now the configuration: > > ! *** 7200 *** > ip vrf A > rd 64512:1 > ! > crypto isakmp policy 25 > encr 3des > hash sha > authentication pre-share > ! > crypto isakmp key address [ASA-outside] > ! 
> crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac > ! > crypto map vamtest 25 ipsec-isakmp > description SAVAM2test -> ASA Horsens > set peer [ASA-outside] > set transform-set sha-3des > match address SAVAM2test > ! > interface GigabitEthernet0/1 > description Outside > ip address [7200-outside] > crypto map vamtest > ! > interface GigabitEthernet0/2.2081 > description Inside, VRF > encapsulation dot1Q 2081 > ip vrf forwarding A > ip address [inside net] > ip tcp adjust-mss 1355 > ! > ip route 0.0.0.0 0.0.0.0 [Outside next hop] > ip route [Host X] Gi0/2.2081 [Inside VRF next hop] > ip route vrf A [Host Y] [Outside next hop] global > ! > ip access-list extended SAVAM2test > permit ip host [Host X] host [Host Y] > ! > > ! *** ASA *** > access-list SAVAM2test permit ip host [Host Y] host [Host X] > ! > crypto map asaoutside_map 60 match address SAVAM2test > crypto map asaoutside_map 60 set peer [7200-outside] > crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA > ! > tunnel-group [7200-outside] type ipsec-l2l > tunnel-group [7200-outside] ipsec-attributes > pre-shared-key > ! > static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255 > ! 
> > > Thank you,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
-- ^christian$
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From security at cytanet.com.cy Tue Jul 15 01:56:11 2008
From: security at cytanet.com.cy (Michalis Palis)
Date: Tue, 15 Jul 2008 08:56:11 +0300
Subject: [c-nsp] giant packets troubleshooting
Message-ID: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>

Hello all

I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?

All responses will be appreciated.

From pavel.skovajsa at gmail.com Tue Jul 15 02:06:26 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Jul 2008 08:06:26 +0200
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>
References: <323aca890807081028m614fc1fayb0691c1bbff27a0a@mail.gmail.com> <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com>
Message-ID: <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>

Hi,

IP Input spike is usually caused by abnormal 'IP input' traffic that gets punted into the RP from CEF for whatever reason. A very common cause is a broadcast storm. You can see what packet is holding the CPU with 'show buffers input interface fa0/1'. However you need to do this command during a real spike...
Pavel On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert wrote: > Is anyone aware of a bug or configuration that could cause a sudden > spike in IP input? > > uptime is 26 weeks, 3 days, 10 hours, 54 minutes > System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008 > System restarted at 01:41:34 PST Tue Jan 8 2008 > System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin" > Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory. > > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 66 125056 2917547 42 0.00% 0.00% 0.00% 0 CDP > Protocol > 67 28872876 373263867 77 0.08% 51.78% 47.36% 0 IP Input > > Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST > > > 555558888899999888888888899999999 > 555555544444444446666655555999998888844444333332222233333333 > 100 > 90 ********** ******** > 80 **************************** > 70 **************************** > 60 ********************************* > 50 ********************************* > 40 ********************************* > 30 ********************************* > 20 ********************************* > 10 ******* ******************************************* > 0....5....1....1....2....2....3....3....4....4....5....5....6 > 0 5 0 5 0 5 0 5 0 5 0 > CPU% per second (last 60 seconds) > > > 9999999 1 > 588886633444434434453334333334346534453335336645645556354344 > 100 ******* > 90 #####** * > 80 ######* * > 70 ######* * > 60 ######* * > 50 ######* * > 40 ######* * > 30 ######* * > 20 ####### * # > 10 ####### * ** * * ** ** **** * # > 0....5....1....1....2....2....3....3....4....4....5....5....6 > 0 5 0 5 0 5 0 5 0 5 0 > CPU% per minute (last 60 minutes) > * = maximum CPU% # = average CPU% > > > 1 1 11 1 1111 111 1111111111 11 1 7121111 1112 1111 111 > 1121111111111 > > 691760977743309128787415602150180091972430809462896712922076244160072513 > 100 > 90 > 80 * > 70 * > 60 * > 50 * > 40 * > 30 * * > 20 * * * * ** * * * * * * ** * * * * > * > 10 > 
************************************************************************
>
> 0....5....1....1....2....2....3....3....4....4....5....5....6....6....7.
> .
> 0 5 0 5 0 5 0 5 0 5 0 5
> 0
> CPU% per hour (last 72 hours)
> * = maximum CPU% # = average CPU%
>
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be privileged,
> confidential and protected from disclosure. This transmission is intended for the sole
> use of the individual and entity to whom it is addressed. If you are not the intended
> recipient, any dissemination, distribution or copying is strictly prohibited. If you
> think that you have received this message in error, please e-mail the sender at the above
> e-mail address.
> #########################################################
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From pavel.skovajsa at gmail.com Tue Jul 15 02:09:23 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Tue, 15 Jul 2008 08:09:23 +0200
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID: <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com>

Just to be aware, there was a cosmetic bug on many Cisco platforms two years ago that classified all dot1q trunked frames as giants. The way to verify this is by checking whether you see giants on all trunk ports.

Pavel

On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?
> > All responses will be appreciated. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Andrey_Oleinik at bms-consulting.com Tue Jul 15 02:21:20 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Tue, 15 Jul 2008 09:21:20 +0300 Subject: [c-nsp] VRFs In-Reply-To: <487B8F27.5010802@pins.net> References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> sh ip route 209.212.66.1 ? -- Respect, Andy Oleynik andyo> -----Original Message----- andyo> R1#show ip route vrf priv andyo> andyo> Routing Table: priv andyo> andyo> Gateway of last resort is 209.212.66.1 to network 0.0.0.0 andyo> andyo> 209.212.64.0/29 is subnetted, 1 subnets andyo> C 209.212.64.176 is directly connected, andyo> GigabitEthernet0/1.1000 andyo> S* 0.0.0.0/0 [1/0] via 209.212.66.1, GigabitEthernet0/1.1000 andyo> andyo> ip route 209.212.64.177 255.255.255.255 GigabitEthernet0/1.1000 andyo> 209.212.64.177 andyo> ip route vrf priv 0.0.0.0 0.0.0.0 GigabitEthernet0/1.1000 andyo> 209.212.66.1 andyo> global andyo> andyo> interface GigabitEthernet0/1.1000 andyo> description << Priv VRF for MON T1/DSL >> andyo> encapsulation dot1Q 1000 andyo> ip vrf forwarding priv andyo> ip address 209.212.64.177 255.255.255.248 andyo> no ip redirects andyo> no cdp enable andyo> From security at cytanet.com.cy Tue Jul 15 02:22:14 2008 From: security at cytanet.com.cy (Michalis Palis) Date: Tue, 15 Jul 2008 09:22:14 +0300 Subject: [c-nsp] giant packets troubleshooting References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP> <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com> Message-ID: <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> On one link for example where we have an etherchannel between a GSR and a 4510 
switch, we see a lot of giant packets on the router side and no giant packets on the switch side

----- Original Message -----
From: "Pavel Skovajsa"
To: "Michalis Palis"
Cc:
Sent: Tuesday, July 15, 2008 9:09 AM
Subject: Re: [c-nsp] giant packets troubleshooting

> Just to be aware, there was a cosmetic bug on many Cisco
> platforms two years ago that classified all dot1q trunked frames as
> giants. The way to verify this is by checking whether you see
> giants on all trunk ports.
>
> Pavel
>
> On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis
> wrote:
>> Hello all
>>
>> I have some interfaces on my networks (gigabit / ethernet) which report a
>> huge amount of giant packets. What is the cause of giant packets? Is
>> there any methodology or any good document which details the way to
>> troubleshoot giant packets?
>>
>> All responses will be appreciated.
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From david.freedman at uk.clara.net Tue Jul 15 04:30:37 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 15 Jul 2008 09:30:37 +0100
Subject: [c-nsp] Per session QoS - Train recommendations
Message-ID:

With regards to per-session QoS, I came across a number of bugs in 12.2SB which forced me to move to 12.4M to continue using this; of course, in 12.4M "sub-qos-policy" isn't recognised and I reverted to the more familiar "lcp:interface-config=service-policy" directive.

Everything is happily using 12.4M now, but I have a desire to move back to 12.2 (possibly SRC now). Is anybody doing this in later SB or SRC and truly happy with the way it works?
------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From ibrahim.abozaid at gmail.com Tue Jul 15 04:47:55 2008 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 15 Jul 2008 11:47:55 +0300 Subject: [c-nsp] giant packets troubleshooting In-Reply-To: <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP> <323aca890807142309o5c281e83jdccb5bcc9965d6f@mail.gmail.com> <02ef01c8e643$1f666260$0c01a8c0@PCArr2007MP> Message-ID: Dear Palis check interface MTU configuration and its default state from both sides best regards --Ibrahim On Tue, Jul 15, 2008 at 9:22 AM, Michalis Palis wrote: > On one link for example where we have an etherchannel between a GSR and a > 4510 switch, we see a lot of giant packets on the router side and no giant > packets on the switch side > > > ----- Original Message ----- From: "Pavel Skovajsa" < > pavel.skovajsa at gmail.com> > To: "Michalis Palis" > Cc: > Sent: Tuesday, July 15, 2008 9:09 AM > Subject: Re: [c-nsp] giant packets troubleshooting > > > > Just to be aware, there has been a cosmetic bug on many cisco >> platforms two years ago that clasified all dot1q trunked frame as >> giants. The way to see verify this is by looking whether you don't see >> giants on all trunk ports. >> >> Pavel >> >> On Tue, Jul 15, 2008 at 7:56 AM, Michalis Palis >> wrote: >> >>> Hello all >>> >>> I have some interfaces on my networks (gigabit / ethernet) which report a >>> huge amount of giant packets. What is the cause of giant packets? Is their >>> any methodology or any good document which details the way to troubleshoot >>> giant packets? >>> >>> All responses will be appreciated. 
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From stig.johansen at ementor.no Tue Jul 15 06:38:23 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Tue, 15 Jul 2008 12:38:23 +0200
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"
In-Reply-To: <1216082789.18849.26.camel@svesken.sys.mjna.net>
References: <1216082789.18849.26.camel@svesken.sys.mjna.net>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net>

Make sure the traffic enters the VRF correctly via an ISAKMP profile. Check the following quickly hacked example:

Given that the peers are directly connected at outside interfaces with a 192.0.2.0/24 network. If not, adjust peer IPs and add a default route in the global routing table. No routing *into* VRFs is needed, just outgoing for the network destination to be routed out into the global table, encrypted or not.

Given that 10.10.10.0/24 is behind the 7200 and 10.20.20.0/24 is behind the ASA/other peer.

!
ip vrf A-vrf
 rd 1:1
!
crypto keyring A-keyring
 pre-shared-key address 192.0.2.2 key very-private-key
!
crypto isakmp policy 25
 encr 3des
 hash sha
 authentication pre-share
!
crypto isakmp profile A-profile
 vrf A-vrf
 keyring A-keyring
 match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set 3dessha esp-3des esp-sha-hmac
!
crypto map vamtest 25 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set 3dessha
 set isakmp-profile A-profile
 match address A-acl
!
interface GigabitEthernet0/1
 description OUTSIDE interface
 ip address 192.0.2.1 255.255.255.0
 crypto map vamtest
!
interface GigabitEthernet0/2.2081
 description INSIDE VRF interface
 encapsulation dot1Q 2081
 ip vrf forwarding A-vrf
 ip address 172.16.10.1 255.255.255.0
!
ip route vrf A-vrf 10.10.10.0 255.255.255.0 172.16.10.2
ip route vrf A-vrf 10.20.20.0 255.255.255.0 GigabitEthernet0/1 192.0.2.2 global
!
ip access-list extended A-acl
 permit ip 10.10.10.0 0.0.0.255 10.20.20.0 0.0.0.255

Regards,
Stig Meireles Johansen
Senior consultant
______________________________
Ementor Norge AS, Brynsalleen 2, BOX 6472 Etterstad, N-0605 Oslo
Tel +47 22 09 50 00, Direct +47 24 09 96 94
stig.johansen at ementor.no
www.ementor.no

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: 15 July 2008 02:46
To: cisco-nsp
Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global"

Hi,

I have a strange-ish problem. I've configured an IPSec tunnel between a 7206 NPE-G1 12.4(12) with SA-VAM2+ and an ASA 5550 7.2(4). For some reason traffic only gets encrypted ASA->7200, not the other way.

The traffic that doesn't get encrypted comes from a VRF Lite subinterface on the "back" of the 7200. This VRF has a static 0/0 route with a global next hop, and the global table has a static route pointing the other way.

Traffic can go from behind ASA to behind 7200 with no problems. Traffic from behind the 7200 doesn't get encrypted for some reason, including replies from ICMP echos that came encrypted. And the 7200 doesn't initiate a tunnel either.

Could it be because I can't make the crypto map work for the "ip route vrf ... global" traffic? The configuration works fine when the host behind the 7200 isn't in a VRF, but the 7200 being software based I thought this wouldn't be a problem.

Configuration at the bottom, with Host X behind the 7200 and Host Y behind the ASA. Host X is not directly connected to the 7200, but behind another router. Traffic is routed with no problems, so it's only the encryption that's missing.
(The ASA complains about it in logs and I can see it with tcpdump.) The 7200 creates the IPSec SA, but only the "decaps" counter goes up: vamtest#sh cry ips sa interface: GigabitEthernet0/1 Crypto map tag: vamtest, local addr [7200-outside] protected vrf: (none) local ident (addr/mask/prot/port): ([Host X]/255.255.255.255/0/0) remote ident (addr/mask/prot/port): ([Host Y]/255.255.255.255/0/0) current_peer [ASA-outside] port 500 PERMIT, flags={origin_is_acl,} #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0 #pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16 #pkts compressed: 0, #pkts decompressed: 0 #pkts not compressed: 0, #pkts compr. failed: 0 #pkts not decompressed: 0, #pkts decompress failed: 0 #send errors 0, #recv errors 0 local crypto endpt.: [7200-outside], remote crypto endpt.: [ASA-outside] path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1 current outbound spi: 0xA9F53FD7(2851422167) inbound esp sas: spi: 0x4FC8A681(1338549889) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 3002, flow_id: VAM2:2, crypto map: vamtest sa timing: remaining key lifetime (k/sec): (4511451/1957) IV size: 8 bytes replay detection support: Y Status: ACTIVE inbound ah sas: inbound pcp sas: outbound esp sas: spi: 0xA9F53FD7(2851422167) transform: esp-3des esp-sha-hmac , in use settings ={Tunnel, } conn id: 3001, flow_id: VAM2:1, crypto map: vamtest sa timing: remaining key lifetime (k/sec): (4511454/1955) IV size: 8 bytes replay detection support: Y Status: ACTIVE outbound ah sas: outbound pcp sas: vamtest# Debug ("crypto ipsec" + "crypto isakmp" + "errors" for both) says nothing at all for traffic coming from inside. It's just routed, as if the crypto map didn't exist. And now the configuration: ! *** 7200 *** ip vrf A rd 64512:1 ! crypto isakmp policy 25 encr 3des hash sha authentication pre-share ! crypto isakmp key address [ASA-outside] ! crypto ipsec transform-set sha-3des esp-3des esp-sha-hmac ! 
crypto map vamtest 25 ipsec-isakmp description SAVAM2test -> ASA Horsens set peer [ASA-outside] set transform-set sha-3des match address SAVAM2test ! interface GigabitEthernet0/1 description Outside ip address [7200-outside] crypto map vamtest ! interface GigabitEthernet0/2.2081 description Inside, VRF encapsulation dot1Q 2081 ip vrf forwarding A ip address [inside net] ip tcp adjust-mss 1355 ! ip route 0.0.0.0 0.0.0.0 [Outside next hop] ip route [Host X] Gi0/2.2081 [Inside VRF next hop] ip route vrf A [Host Y] [Outside next hop] global ! ip access-list extended SAVAM2test permit ip host [Host X] host [Host Y] ! ! *** ASA *** access-list SAVAM2test permit ip host [Host Y] host [Host X] ! crypto map asaoutside_map 60 match address SAVAM2test crypto map asaoutside_map 60 set peer [7200-outside] crypto map asaoutside_map 60 set transform-set ESP-3DES-SHA ! tunnel-group [7200-outside] type ipsec-l2l tunnel-group [7200-outside] ipsec-attributes pre-shared-key ! static (asainside,asaoutside) [Host Y] [Y int.] netmask 255.255.255.255 ! Thank you, Peter _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Tue Jul 15 07:12:22 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 15 Jul 2008 13:12:22 +0200 Subject: [c-nsp] Crypto map + traffic via "ip route vrf ... global" In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net> References: <1216082789.18849.26.camel@svesken.sys.mjna.net> <13A13E9CF0F76342A79031B9E558C0C5187B49@100NOOSLMSG004.common.alpharoot.net> Message-ID: <1216120342.21870.11.camel@svesken.sys.mjna.net> Hi Stig, On Tue, 2008-07-15 at 12:38 +0200, Stig Johansen wrote: > Make sure the traffic enters the VRF correctly via a ISAKMP-profile. > Check the following quickly hacked example: Thank you (and others) very much. 
It was exactly the VRF part of the ISAKMP profile that was missing. It seems a little unintuitive to me; I thought that the traffic on the outside interface was "non VRF" when going towards the global next hop, and that I could thus use a regular ISAKMP setup for the IPSec tunnel. BTW: Is this "crypto isakmp profile" the new "best practice" way of doing things? It seems to be the only way to make the example work, but sometimes I feel it's a little overkill to have to define key-ring + profile instead of just using "crypto key ...". Are there other benefits of the profile way of doing things? > Given that the peers are directly connected at outside interfaces with a > 192.0.2.0/24-network. If not, adjust peer-ip's and add default route in > global routingtable. No routing *into* VRF's are needed, just outgoing > for the network-destination to be routed out into global-table, > encrypted or not. Ok. I presume the routing back into the VRF is needed if the traffic is not encrypted. Otherwise the router wouldn't know how to process incoming traffic. I guess with the ISAKMP/IPSec setup the router can infer where to route traffic, but without it would have no clue. Regards, Peter From kwbales at kwbales.net Tue Jul 15 07:57:21 2008 From: kwbales at kwbales.net (Kurt Bales) Date: Tue, 15 Jul 2008 21:57:21 +1000 Subject: [c-nsp] Shape an L3 interface to 100mbit Message-ID: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> Hey Guys, I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing. What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? 
The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.

From risnaini at indo.net.id Tue Jul 15 07:08:03 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 15 Jul 2008 18:08:03 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM>
Message-ID: <487C8513.9040402@indo.net.id>

Hi,

Maybe some of you have noted once the maximum value (number) that a Cisco ACL can match, let's say for flooding packets.
Here: deny tcp any any eq 1434 (5732 matches), for example.
Since I have a problem with a 7200 NPE G1, the huge traffic cannot be detected & matched by the ACL.

Thanks for sharing, if you will.

a. rahman isnaini r.sutan

From peter at rathlev.dk Tue Jul 15 08:25:33 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 14:25:33 +0200
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
Message-ID: <1216124733.23559.7.camel@svesken.sys.mjna.net>

On Tue, 2008-07-15 at 21:57 +1000, Kurt Bales wrote:
> I have a situation where my upstream is policing my connection to 100mb. I
> have a GigE interconnect to them, and we are currently connected at 1gb/full
> duplex. I have been requested to shape the traffic leaving our interconnect
> to 100mb so as to reduce the performance issues caused by packet loss etc
> caused by policing.
>
> What is the easiest way to apply 100mb shaping to an L3 (no switchport)
> interface on a 3560G?

You could use shaped SRR:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_35_se/configuration/guide/swqos.html
http://tinyurl.com/6y8qer

Since the buffers on the 3560G probably aren't that big, you could run into trouble, but it's the simplest way to do it.

If the policing is giving you trouble, you could ask them to adjust burst sizes and things like that until you were satisfied.

Regards,
Peter

From david.freedman at uk.clara.net Tue Jul 15 09:08:17 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 15 Jul 2008 14:08:17 +0100
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID:

IOS has longstanding cosmetic issues with regards to MPLS / dot1q; as long as you don't have any incrementing drops/discards you are fine.

Dave.

Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a huge amount of giant packets. What is the cause of giant packets? Is there any methodology or any good document which details the way to troubleshoot giant packets?
>
> All responses will be appreciated.
From christian at broknrobot.com Tue Jul 15 09:02:29 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 15 Jul 2008 09:02:29 -0400
Subject: [c-nsp] giant packets troubleshooting
In-Reply-To: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
References: <000e01c8e63f$7c1afa10$0c01a8c0@PCArr2007MP>
Message-ID:

If you have a high MTU such as 9180 on that interface, and packets exceed 1500, the counters will increment.

On Tue, Jul 15, 2008 at 1:56 AM, Michalis Palis wrote:
> Hello all
>
> I have some interfaces on my networks (gigabit / ethernet) which report a
> huge amount of giant packets. What is the cause of giant packets? Is there
> any methodology or any good document which details the way to troubleshoot
> giant packets?
>
> All responses will be appreciated.

--
^christian$

From notrevebr at gmail.com Tue Jul 15 09:19:02 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Tue, 15 Jul 2008 10:19:02 -0300
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
Message-ID: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>

Hi all,

I configured a tunnel between a PIX and a router. The traffic goes to the PIX but does not return. I see only encaps on the router and decaps on the PIX.
Is anything missing?
Tks

Router Output and Config

TEHTCVPNRT01#sh cry ip sa

interface: GigabitEthernet0/1
    Crypto map tag: ra-L2L-vpn, local addr 180.200.200.141

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   current_peer 200.150.180.62 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 81, #pkts encrypt: 81, #pkts digest: 81
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 4, #recv errors 0

     local crypto endpt.: 180.200.200.141, remote crypto endpt.: 200.150.180.62
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
     current outbound spi: 0xEA23924(245512484)

     inbound esp sas:
      spi: 0x2E3660C5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3004, flow_id: NETGX:4, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429641/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xEA23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3003, flow_id: NETGX:3, crypto map: ra-L2L-vpn
        sa timing: remaining key lifetime (k/sec): (4429640/3573)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

crypto isakmp policy 11
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 6 L2L address 200.150.180.62 no-xauth
crypto isakmp aggressive-mode disable
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto map ra-L2L-vpn 2 ipsec-isakmp
 set peer 200.150.180.62
 set transform-set aessha-pixrtr
 match address 120
 reverse-route
interface GigabitEthernet0/1
 ip address 180.200.200.141 255.255.255.192
 crypto map ra-L2L-vpn
access-list 120 permit ip 10.180.0.0 0.0.255.255 10.139.1.0 0.0.0.255
++++++++++++++++++++++++++++++++++

PIX output and Config:

   local  ident (addr/mask/prot/port): (10.139.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.180.0.0/255.255.0.0/0/0)
   current_peer: 180.200.200.141:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 81, #pkts decrypt: 81, #pkts verify 81
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 200.150.180.62 , remote crypto endpt.: 180.200.200.141
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 2e3660c5

     inbound esp sas:
      spi: 0xea23924(245512484)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4607999/3478)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x2e3660c5(775315653)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: L2L-ons
        sa timing: remaining key lifetime (k/sec): (4608000/3478)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

ip address outside 200.150.180.62 255.255.255.224
ip address inside 10.139.1.111 255.255.255.0
access-list L2L permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
access-list L2Lnonat permit ip 10.139.1.0 255.255.255.0 10.180.0.0 255.255.0.0
nat (inside) 0 access-list L2Lnonat
route outside 10.180.0.0 255.255.0.0 180.200.200.141 1
sysopt connection permit-ipsec
crypto ipsec transform-set aessha-pixrtr esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto map L2L 1 ipsec-isakmp
crypto map L2L 1 match address L2L
crypto map L2L 1 set peer 180.200.200.141
crypto map L2L 1 set transform-set aessha-pixrtr
crypto map L2L interface outside
isakmp enable outside
isakmp key L2L address 180.200.200.141 netmask 255.255.255.255
no-xauth
isakmp identity address
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 3600

From dirkjan at os3.nl Tue Jul 15 08:40:34 2008
From: dirkjan at os3.nl (Dirk-Jan van Helmond)
Date: Tue, 15 Jul 2008 14:40:34 +0200 (CEST)
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <1216124733.23559.7.camel@svesken.sys.mjna.net>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> <1216124733.23559.7.camel@svesken.sys.mjna.net>
Message-ID: <74e78f82c8b16d632d04f2deba047f82.squirrel@a61.nl>

> If the policing is giving you trouble, you could ask them to adjust
> burst sizes and things like that until you were satisfied.

The problem you get with this is that when you police for delay-sensitive traffic (small tc) your tcp slow-start will get into trouble, and when you police for tcp (large tc) your delay-sensitive traffic gets into trouble. Shaping with a low tc is imho the best option.

Regards,
Dirk-Jan

From peter at rathlev.dk Tue Jul 15 09:40:15 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 15 Jul 2008 15:40:15 +0200
Subject: [c-nsp] Traffic on IPSec Tunnel btw Pix and Router
In-Reply-To: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
References: <3cf174360807150619w5abd85cdj2bde17d40e97127a@mail.gmail.com>
Message-ID: <1216129215.24030.4.camel@svesken.sys.mjna.net>

On Tue, 2008-07-15 at 10:19 -0300, Everton Diniz wrote:
> Hi all,
>
> I configured a tunnel between a PIX and a router. The traffic goes to the PIX but
> does not return. I see only encaps on the router and decaps on the
> PIX.
> Is anything missing?

Are you sure the host at the other end is actually responding, and that this response goes towards the PIX? As far as I can see there's nothing wrong with the configuration. (I may be wrong, cf. my last mail to this list.
:-))

What happens if you try to trace from the 10.139.1.0/24 host to something in 10.180.0.0/16? Do you get to the PIX (i.e. can you see the connection in the logs)?

Regards,
Peter

From paul at paulstewart.org Tue Jul 15 09:45:59 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 09:45:59 -0400
Subject: [c-nsp] ASA Question - Antivirus
Message-ID: <000901c8e681$1e18f1a0$5a4ad4e0$@org>

Hi folks...

We have a customer looking for a new firewall but it must have antivirus on it. The AV cannot be on the fly specifically but on the desktop. Their current solution forces their desktops to have a specific antivirus agent installed and updated. This is something similar to the NAC solution today....

I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface) ASA5520-CSC10-K9

Does anyone know how the antivirus/antispyware works on these? I've read through numerous marketing material but it's not clear whether this is all done on the fly or if it's desktop agent based?

Thanks in advance,

Paul Stewart

From richard.halfpenny at exa-networks.co.uk Tue Jul 15 10:41:26 2008
From: richard.halfpenny at exa-networks.co.uk (Richard Halfpenny)
Date: Tue, 15 Jul 2008 15:41:26 +0100
Subject: [c-nsp] ASA Question - Antivirus
In-Reply-To: <000901c8e681$1e18f1a0$5a4ad4e0$@org>
References: <000901c8e681$1e18f1a0$5a4ad4e0$@org>
Message-ID: <487CB716.50607@exa-networks.co.uk>

Paul Stewart wrote:
> Hi folks...
>
> We have a customer looking for a new firewall but it must have antivirus on
> it. The AV cannot be on the fly specifically but on the desktop. Their
> current solution forces their desktops to have a specific Antivirus agent
> installed and updated. This is something similar to the NAC solution
> today....
>
> I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle
> (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year
> subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN
> peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface)
> ASA5520-CSC10-K9
>
> Does anyone know how the antivirus/antispyware works on these? I've read
> through numerous marketing material but it's not clear whether this is all
> done on the fly or if it's desktop agent based?
>

Hi Paul,

It is done on the fly.. we have a few educational customers using CSC-SSM-20's in ASA5520's as another layer of defence in addition to PC based antivirus. The CSC-SSM's are basically card based servers (running Linux) and integrated into the ASA via GigE. Be careful to get the correct module for the traffic mix you intend to run through it though:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.pdf

Rich.

--
Network Operations
Exa Networks Ltd :: AS30740

From paul at paulstewart.org Tue Jul 15 10:59:04 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 10:59:04 -0400
Subject: [c-nsp] ASA Question - Antivirus
In-Reply-To: <487CB716.50607@exa-networks.co.uk>
References: <000901c8e681$1e18f1a0$5a4ad4e0$@org> <487CB716.50607@exa-networks.co.uk>
Message-ID: <001301c8e68b$54c4ded0$fe4e9c70$@org>

Thanks very much... seems to be the common approach now - desktop/border protection.... I looked at the Juniper stuff too and it seems to follow the same trend...

Appreciate it,

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard Halfpenny
Sent: Tuesday, July 15, 2008 10:41 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Question - Antivirus

Paul Stewart wrote:
> Hi folks...
>
> We have a customer looking for a new firewall but it must have antivirus on
> it.
> The AV cannot be on the fly specifically but on the desktop. Their
> current solution forces their desktops to have a specific Antivirus agent
> installed and updated. This is something similar to the NAC solution
> today....
>
> I'm looking at Cisco ASA 5520 Appliance Content Security Edition Bundle
> (Includes CSC-SSM-10, 50-user antivirus/anti-spyware license with 1-year
> subscription service*, firewall services, 750 IPsec VPN peers, 2 SSL VPN
> peers, 4 Gigabit Ethernet interfaces, and 1 Fast Ethernet interface)
> ASA5520-CSC10-K9
>
> Does anyone know how the antivirus/antispyware works on these? I've read
> through numerous marketing material but it's not clear whether this is all
> done on the fly or if it's desktop agent based?
>

Hi Paul,

It is done on the fly.. we have a few educational customers using CSC-SSM-20's in ASA5520's as another layer of defence in addition to PC based antivirus. The CSC-SSM's are basically card based servers (running Linux) and integrated into the ASA via GigE. Be careful to get the correct module for the traffic mix you intend to run through it though:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_white_paper0900aecd805c3cd6.pdf

Rich.

--
Network Operations
Exa Networks Ltd :: AS30740

From paul at paulstewart.org Tue Jul 15 11:19:01 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 11:19:01 -0400
Subject: [c-nsp] 2621xm vs 1800?
Message-ID: <001a01c8e68e$1d288b40$5779a1c0$@org>

Hi there...

We have some remote sites with 2621XM's running today. These routers are doing PPPOE termination primarily for 40-60 users.
The 2621XM is handling the load just fine however we've been having random problems with them lately and wanted to swap out the 2621XM for a different, more current model to see if the problem goes away (traffic just stops passing on the FE interfaces after a few weeks - tried multiple IOS versions - happening at several sites).

My question is whether or not an 1841 would be a downgrade or an upgrade for PPS and overall load? Or should we just bite the bullet and get 2801's instead?

Thanks,

Paul

From rodunn at cisco.com Tue Jul 15 12:24:27 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 15 Jul 2008 12:24:27 -0400
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>
References: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com>
Message-ID: <20080715162427.GK4378@rtp-cse-489.cisco.com>

Or you could load the new 12.4(20)T and set up a packet capture on the punt path. ;)

rtp-rodunn-871#monitor capture point ip process-switched test in ?

rtp-rodunn-871#monitor capture point ip process-switched rodney in
rtp-rodunn-871#mon
rtp-rodunn-871#monitor cap
rtp-rodunn-871#monitor capture buf
rtp-rodunn-871#monitor capture buffer pakdump ?
  circular  Circular Buffer
  clear     Clear contents of capture buffer
  export    Export in Pcap format
  filter    Configure filters
  limit     Limit the packets dumped to the buffer
  linear    Linear Buffer(Default)
  max-size  Maximum size of element in the buffer (in bytes)
  size      Packet Dump buffer size (in Kbytes)

rtp-rodunn-871#monitor capture buffer pakdump

....

Start the capture and export it to pcap. ;)

This is new functionality in 12.4(20)T so we've got some enhancements to add to it.
Rodney

On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote:
> Hi,
> IP Input spike is usually caused by abnormal 'IP input' traffic that
> gets punted into the RP from CEF for whatever reason.
> A very common cause is broadcast storm. You can see what packet
> is holding the CPU with 'show buffers input interface fa0/1'. However
> you need to do this command during a real spike...
>
> Pavel
>
> On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert
> wrote:
> > Is anyone aware of a bug or configuration that could cause a sudden
> > spike in IP input?
> >
> > uptime is 26 weeks, 3 days, 10 hours, 54 minutes
> > System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008
> > System restarted at 01:41:34 PST Tue Jan 8 2008
> > System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin"
> > Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory.
> >
> > PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
> >  66      125056   2917547     42  0.00%  0.00%  0.00%   0 CDP Protocol
> >  67    28872876 373263867     77  0.08% 51.78% 47.36%   0 IP Input
> >
> > Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST
> >
> > [CPU% per second (last 60 seconds) graph]
> >
> > [CPU% per minute (last 60 minutes) graph; * = maximum CPU%, # = average CPU%]
> >
> > [CPU% per hour (last 72 hours) graph; * = maximum CPU%, # = average CPU%]
From rodunn at cisco.com Tue Jul 15 12:26:30 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 15 Jul 2008 12:26:30 -0400
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <487C8513.9040402@indo.net.id>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id>
Message-ID: <20080715162630.GL4378@rtp-cse-489.cisco.com>

There is no limit to the number of times the ACL will match and drop. The counter, depending on how it's defined in the code, may wrap, but that should never impact the ACL from matching and dropping/permitting.

Rodney

On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
> Hi,
>
> Maybe some of you have noted once the maximum value (number) that a Cisco
> ACL can match, let's say for flooding packets.
> Here: deny tcp any any eq 1434 (5732 matches), for example.
> Since I have a problem with a 7200 NPE G1, the huge traffic cannot be
> detected & matched by the ACL.
>
> Thanks for sharing, if you will.
>
> a.
> rahman isnaini r.sutan

From paul.cosgrove at heanet.ie Tue Jul 15 12:34:21 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 15 Jul 2008 17:34:21 +0100
Subject: [c-nsp] Cisco 2851 bug ?
In-Reply-To: <20080715162427.GK4378@rtp-cse-489.cisco.com>
References: <323aca890807100216s53bb84a7ge8e8fbd38741f5db@mail.gmail.com> <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com> <20080715162427.GK4378@rtp-cse-489.cisco.com>
Message-ID: <487CD18D.3080708@heanet.ie>

Hi Rodney,

Is that safe to do even if the traffic rate and/or cpu is high? Looks like a nice feature.

Paul.

Rodney Dunn wrote:
> Or you could load the new 12.4(20)T and set up a packet capture
> on the punt path. ;)
> [...]
> Start the capture and export it to pcap. ;)
>
> This is new functionality in 12.4(20)T so we've got some enhancements to
> add to it.
--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040 Web: http://www.heanet.ie
Company registered in Ireland: 275301
Please consider the environment before printing this e-mail.

From stig.johansen at ementor.no Tue Jul 15 12:39:32 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Tue, 15 Jul 2008 18:39:32 +0200
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>

Hi there,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales
Sent: 15 July 2008 13:57
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex.
I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G?

The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.

From mack at exchange.alphared.com Tue Jul 15 13:41:42 2008
From: mack at exchange.alphared.com (mack)
Date: Tue, 15 Jul 2008 12:41:42 -0500
Subject: [c-nsp] SIP/SPA support for 6500
In-Reply-To:
References:
Message-ID: <6F2FFD7C10F788479E354B84294036C4259E544E@EXCH-MBX.exchange.alphared.local>

What SIP/SPA modules are actually supported in the 6500 running SXH2?

The release notes only list the SIP-400; however, the SIP-600 lists support for SXF and higher in 7600 and 6500 chassis.

SPA-1XOC48-POS/RPR is listed in the release notes and requires a SIP-400.
SPA-2XOC48-POS/RPR and SPA-4XOC48-POS/RPR require the SIP-600.
Are the higher port density SPAs actually supported or not?

SPA-OC192POS-XFP lists the 6500 as compatible.
SPA-1XTENGE-XFP lists the 6500 as compatible.
SPA-1X10GE-L-V2 does not have the 6500 listed as compatible.
Is the newer 10GE SPA card actually supported or have the BU wars caused the SIP/SPA support to be frozen in the 6500?

The ES20 of course doesn't list the 6500 and I doubt it will ever get that support. Someone can correct me if they believe otherwise.

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.
From paul.cosgrove at heanet.ie Tue Jul 15 14:49:36 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Tue, 15 Jul 2008 19:49:36 +0100
Subject: [c-nsp] 2621xm vs 1800?
In-Reply-To: <001a01c8e68e$1d288b40$5779a1c0$@org>
References: <001a01c8e68e$1d288b40$5779a1c0$@org>
Message-ID: <487CF140.608@heanet.ie>

Very much an upgrade judging from the following table. More than double the PPS & Mbps for Fast/CEF switched packets:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:
> Hi there...
>
> We have some remote sites with 2621XM's running today. These routers are
> doing PPPOE termination primarily for 40-60 users. The 2621XM is handling
> the load just fine however we've been having random problems with them
> lately and wanted to swap out the 2621XM for a different, more current model
> to see if the problem goes away (traffic just stops passing on the FE
> interfaces after a few weeks - tried multiple IOS versions - happening at
> several sites).
>
> My question is whether or not an 1841 would be a downgrade or an upgrade for
> PPS and overall load? Or should we just bite the bullet and get 2801's
> instead?
>
> Thanks,
>
> Paul

From paul at paulstewart.org Tue Jul 15 15:17:55 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 15 Jul 2008 15:17:55 -0400
Subject: [c-nsp] 2621xm vs 1800?
In-Reply-To: <487CF140.608@heanet.ie>
References: <001a01c8e68e$1d288b40$5779a1c0$@org> <487CF140.608@heanet.ie>
Message-ID: <001601c8e6af$7dd167c0$79743740$@org>

Thanks... that's actually the document I was looking for ;)

Our theory to date on the issues with the 2621XM's is possibly the vendor itself and the memory they have been using. We have had a number of problems with a particular batch of them purchased a while ago and the 3rd party memory they are using specifically (we use 3rd party all the time with great success normally).

Want to swap one of the sites that is having repeated issues and prove it's in the router somewhere or in the next hop device (wireless backhaul).

Thanks,

Paul

-----Original Message-----
From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
Sent: Tuesday, July 15, 2008 2:50 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2621xm vs 1800?

Very much an upgrade judging from the following table. More than double the PPS & Mbps for Fast/CEF switched packets:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Would be interesting to know the cause of the issue though,

Paul.

Paul Stewart wrote:
> Hi there...
>
> We have some remote sites with 2621XM's running today. These routers are
> doing PPPOE termination primarily for 40-60 users. The 2621XM is handling
> the load just fine however we've been having random problems with them
> lately and wanted to swap out the 2621XM for a different, more current model
> to see if the problem goes away (traffic just stops passing on the FE
> interfaces after a few weeks - tried multiple IOS versions - happening at
> several sites).
>
> My question is whether or not an 1841 would be a downgrade or an upgrade for
> PPS and overall load? Or should we just bite the bullet and get 2801's
> instead?
>
> Thanks,
>
> Paul

From Rafael.Rodriguez at msmc.com Tue Jul 15 15:37:21 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Tue, 15 Jul 2008 15:37:21 -0400
Subject: [c-nsp] Private VLANS w/ Promiscuous port a trunk port?
Message-ID: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>

Hello all,

I am trying to figure out if the following will work:

Have a 6500 w/ sup2/msfc2 Native IOS.
Would like to configure some ports as Isolated Private VLAN ports.
These Isolated ports need to only speak to a 802.1q trunk port I have.
I believe I can't configure this 802.1q trunk port as a .1q trunk and a Promiscuous port ("switchport mode private-vlan promiscuous") at the same time (it's either "switchport mode trunk" or "switchport mode private-vlan promiscuous" - not both).
The .1q trunk port will carry lots of other VLANS. Behind this .1q trunk port will be the L3 device responsible for the L3 portion of the Private VLAN.

I need to make sure the Private VLAN can talk to the L3 device behind the .1q trunk port... The .1q trunk port is kind of like a router-on-a-stick.
# VID 100 Private VLAN
# VID 101 Isolated VLAN

vlan 100
 private-vlan primary

vlan 101
 private-vlan isolated

vlan 100
 private-vlan association 101

interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100-200
 switchport mode trunk
 no ip address
 load-interval 30
 spanning-tree portfast trunk

interface GigabitEthernet1/2
 switchport
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast

Will something like that work?

Cheers,

RR

From christian at broknrobot.com Tue Jul 15 21:01:18 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 15 Jul 2008 21:01:18 -0400
Subject: [c-nsp] Private VLANS w/ Promiscuous port a trunk port?
In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>
References: <13D27D9DCE0E0945A617043C88DD6194017C776F@SVIPEXC1.msmc.com>
Message-ID:

I am not sure I am correct, but I thought the 'other' side of the trunk had to support PVLANs as well... can anyone clarify if that's wrong or right?

ck

On Tue, Jul 15, 2008 at 3:37 PM, Rafael Rodriguez wrote:
> Hello all,
>
> I am trying to figure out if the following will work:
>
> Have a 6500 w/ sup2/msfc2 Native IOS.
> Would like to configure some ports as Isolated Private VLAN ports.
> These Isolated ports need to only speak to a 802.1q trunk port I have.
> I believe I can't configure this 802.1q trunk port as a .1q trunk and a
> Promiscuous port "switchport mode private-vlan promiscuous" at the same
> time (it's either "switchport mode trunk" or "switchport mode private-vlan
> promiscuous" - not both).
> The .1q trunk port will carry lots of other VLANS. Behind this .1q trunk
> port will be the L3 device responsible for the L3 portion of the Private
> VLAN.
>
> I need to make sure the Private VLAN can talk to the L3 device behind
> the .1q trunk port... The .1q trunk port is kind of like a
> router-on-a-stick.
>
> # VID 100 Private VLAN
> # VID 101 Isolated VLAN
>
> vlan 100
>  private-vlan primary
>
> vlan 101
>  private-vlan isolated
>
> vlan 100
>  private-vlan association 101
>
> interface GigabitEthernet1/1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan 100-200
>  switchport mode trunk
>  no ip address
>  load-interval 30
>  spanning-tree portfast trunk
>
> interface GigabitEthernet1/2
>  switchport
>  switchport mode private-vlan host
>  switchport private-vlan host-association 100 101
>  spanning-tree portfast
>
> Will something like that work?
>
> Cheers,
>
> RR

--
^christian$

From skeeve at skeeve.org Tue Jul 15 21:10:31 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 16 Jul 2008 11:10:31 +1000
Subject: [c-nsp] Shape an L3 interface to 100mbit
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>
References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> <13A13E9CF0F76342A79031B9E558C0C5187B4B@100NOOSLMSG004.common.alpharoot.net>
Message-ID:

I'd love to know this too. I'm not too great on QoS yet.

Any simple examples for a simple shaping policy? i.e. All traffic down to a certain amount, inbound or perhaps outbound.
...Skeeve

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stig Johansen
Sent: Wednesday, 16 July 2008 2:40 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Shape an L3 interface to 100mbit

Hi there,

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_se/configuration/guide/swqos.html

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales
Sent: 15. juli 2008 13:57
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Shape an L3 interface to 100mbit

Hey Guys,

I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex.

I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing.

What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G?

The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb).

Regards,
K.

From risnaini at indo.net.id Tue Jul 15 22:05:01 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 09:05:01 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <20080715162630.GL4378@rtp-cse-489.cisco.com>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com>
Message-ID: <487D574D.8050803@indo.net.id>

Thanks Rodney.
Other thing: though the ACL matches thousands of hits at once, the log couldn't show this (log buffer has been set to 4096 x 2).

a. rahman isnaini r.sutan

Rodney Dunn wrote:
> There is no limit to the number of times the ACL will match and drop.
>
> The counter depending on how it's defined in the code may wrap but
> that should never impact the ACL from matching and dropping/permitting.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi,
>>
>>
>> Might be some you have noted once, the maximum value (number) that Cisco
>> ACL can match, let's say flooding packets.
>> Here: deny tcp any any eq 1434 (5732 matches) for example.
>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be
>> detected & matched by ACL.
>>
>> thanks for share if you will.
>>
>> a. rahman isnaini r.sutan

From cchurc05 at harris.com Tue Jul 15 22:42:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Tue, 15 Jul 2008 21:42:22 -0500
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <487D574D.8050803@indo.net.id>
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com> <487D574D.8050803@indo.net.id>
Message-ID:

If the router is subject to enough traffic where thousands of ACL hits are happening per second, you DON'T want to have any entries of that ACL logging. It's terrible for performance.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman isnaini r.sutan
Sent: Tuesday, July 15, 2008 10:05 PM
To: Rodney Dunn
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.

Thanks Rodney.
Other thing: though the ACL matches thousands of hits at once, the log couldn't show this (log buffer has been set to 4096 x 2).

a. rahman isnaini r.sutan

Rodney Dunn wrote:
> There is no limit to the number of times the ACL will match and drop.
>
> The counter depending on how it's defined in the code may wrap but
> that should never impact the ACL from matching and dropping/permitting.
>
> Rodney
>
> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan wrote:
>> Hi,
>>
>>
>> Might be some you have noted once, the maximum value (number) that Cisco
>> ACL can match, let's say flooding packets.
>> Here: deny tcp any any eq 1434 (5732 matches) for example.
>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be
>> detected & matched by ACL.
>>
>> thanks for share if you will.
>>
>> a. rahman isnaini r.sutan

From igoen99 at yahoo.com Wed Jul 16 00:43:56 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Tue, 15 Jul 2008 21:43:56 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <998326.91276.qm@web54305.mail.re2.yahoo.com>

Dear ciscoers,
Let's say we have a scenario to bring up multiple ppp for our customer to increase bandwidth to the internet.
At the moment we only have access to the LNS. Is it possible to have MMPPP for our customer, or is there something to do with the LAC?
any reference?
here is the layout:
regards
Igun

u /-----3.5g service---PPP---LAC---LNS1--|
s/                                       |___internet
e\                                       |
r \-----cdma service--PPP---LAC---LNS2--|

From ben.steele at internode.on.net Wed Jul 16 01:12:12 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 14:42:12 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <998326.91276.qm@web54305.mail.re2.yahoo.com>
References: <998326.91276.qm@web54305.mail.re2.yahoo.com>
Message-ID: <8C96E5C9-FCC2-4CBC-9533-FA60995F4078@internode.on.net>

The LAC is pretty irrelevant; you need to configure MMPPP capabilities on your LNS's, which means an sgbp group on your LNS's for the multichassis and "ppp multilink" under your virtual template for the MPPP side of things.

I noticed your topology is using 2 separate wireless services to provide the bundle. One word of warning: if the bundles are out of sync (speed and latency wise) you will see very poor performance and you are better off load balancing with a routing protocol and/or cef.
Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
> Dear ciscoers,
> Let's say we have a scenario to bring up multiple ppp for our
> customer to increase bandwidth to the internet.
> At the moment we only have access to the LNS, is it possible to have
> MMPPP for our customer, or is there something to do with the LAC?
> any reference?
> here is the layout:
> regards
> Igun
>
>
> u /-----3.5g service---PPP---LAC---LNS1--|
> s/                                       |___internet
> e\                                       |
> r \-----cdma service--PPP---LAC---LNS2--|

From risnaini at indo.net.id Wed Jul 16 01:31:26 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 12:31:26 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To:
References: <31633517.290161216056282278.JavaMail.root@hrndva-web02-z02> <487B8F27.5010802@pins.net> <68D5E673B49F1D45A5BE41058C8AFDBCCC18992C26D@BMSEXCH.BMS-CONSULTING.COM> <487C8513.9040402@indo.net.id> <20080715162630.GL4378@rtp-cse-489.cisco.com> <487D574D.8050803@indo.net.id>
Message-ID: <487D87AE.7070203@indo.net.id>

Hi Charles,

Depends on the engine processor. Our G1 can handle this; it's just that the router doesn't show it in the log (we save to a syslog-ng server).

rgs

a. rahman isnaini r.sutan

Church, Charles wrote:
> If the router is subject to enough traffic where thousands of ACL hits
> are happening per second, you DON'T want to have any entries of that ACL
> logging. It's terrible for performance.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman
> isnaini r.sutan
> Sent: Tuesday, July 15, 2008 10:05 PM
> To: Rodney Dunn
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] The maximum number of match packets Cisco Router
> can detect on ACL at one time.
>
>
> Thanks Rodney.
> Other thing: though the ACL matches thousands of hits at once,
> the log couldn't show this (log buffer has been set to 4096 x 2).
>
> a. rahman isnaini r.sutan
>
> Rodney Dunn wrote:
>> There is no limit to the number of times the ACL will match and drop.
>>
>> The counter depending on how it's defined in the code may wrap but
>> that should never impact the ACL from matching and
> dropping/permitting.
>> Rodney
>>
>> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan
> wrote:
>>> Hi,
>>>
>>>
>>> Might be some you have noted once, the maximum value (number) that
> Cisco
>>> ACL can match, let's say flooding packets.
>>> Here: deny tcp any any eq 1434 (5732 matches) for example.
>>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be
>>> detected & matched by ACL.
>>>
>>> thanks for share if you will.
>>>
>>> a. rahman isnaini r.sutan

From alex.wilkinson at dsto.defence.gov.au Wed Jul 16 02:22:31 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Wed, 16 Jul 2008 14:22:31 +0800
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
Message-ID: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>

Hi all,

I am having problems with a particular device going down every 3-4 days.
The switchport this device is connected to is telling me it is having a lot of "output drops", e.g.

Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805

I 'suspect' that these output drops could be the root cause of the device attached to this port going down consistently.

Question: Since 'output drops' seems to relate to interface congestion, can anyone recommend a tool to 'blast' this particular interface in order to test {in,out}queues and congestion?

-aW

From igoen99 at yahoo.com Wed Jul 16 02:41:15 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Tue, 15 Jul 2008 23:41:15 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <483648.58202.qm@web54303.mail.re2.yahoo.com>

Thanks Ben,
however what do you mean by "better off load balancing with a routing protocol and/or cef"? is it disabling the load balancing? as I know this feature is enabled by default on routing protocols as long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the customer?
regards.
Edi

----- Original Message ----
From: Ben Steele
To: Edi Guntoro
Cc: cisco-nsp at puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

The LAC is pretty irrelevant; you need to configure MMPPP capabilities on your LNS's, which means an sgbp group on your LNS's for the multichassis and "ppp multilink" under your virtual template for the MPPP side of things.

I noticed your topology is using 2 separate wireless services to provide the bundle. One word of warning: if the bundles are out of sync (speed and latency wise) you will see very poor performance and you are better off load balancing with a routing protocol and/or cef.
Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
> Dear ciscoers,
> Let's say we have a scenario to bring up multiple ppp for our
> customer to increase bandwidth to the internet.
> At the moment we only have access to the LNS, is it possible to have
> MMPPP for our customer, or is there something to do with the LAC?
> any reference?
> here is the layout:
> regards
> Igun
>
>
> u /-----3.5g service---PPP---LAC---LNS1--|
> s/                                       |___internet
> e\                                       |
> r \-----cdma service--PPP---LAC---LNS2--|

From ben.steele at internode.on.net Wed Jul 16 03:21:27 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 16:51:27 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <483648.58202.qm@web54303.mail.re2.yahoo.com>
References: <483648.58202.qm@web54303.mail.re2.yahoo.com>
Message-ID:

I'm talking strictly between your LNS and your CPE here. If you find your MMPPP is giving poor performance due to physical differences between the 2 sessions (i.e. speed and latency), then try doing something a little more creative like multihopping both ppp sessions onto the one router and using (as you mentioned) cef per-destination load sharing over the 2 unique ppp sessions, or alternatively let a routing protocol handle the work and advertise part of your subnet out one link and part out the other with redundancy, or even GRE tunnels etc etc.. there are quite a few ways you can achieve the desired outcome; this is of course only if your mmppp fails.

Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:
> Thanks Ben,
> however what do you mean by "better off load balancing with a
> routing protocol and/or cef"? is it disabling the load balancing?
> as I know this feature is enabled by default on routing protocols as long
> as they are equal admin distances.
> And is it for traffic out to the internet or traffic coming to the
> customer?
> regards.
> Edi
>
>
>
> ----- Original Message ----
> From: Ben Steele
> To: Edi Guntoro
> Cc: cisco-nsp at puck.nether.net
> Sent: Wednesday, July 16, 2008 12:12:12 PM
> Subject: Re: [c-nsp] Cisco MMPPP
>
> The LAC is pretty irrelevant; you need to configure MMPPP capabilities
> on your LNS's, which means an sgbp group on your LNS's for the
> multichassis and "ppp multilink" under your virtual template for the
> MPPP side of things.
>
> I noticed your topology is using 2 separate wireless services to
> provide the bundle. One word of warning: if the bundles are out of
> sync (speed and latency wise) you will see very poor performance and
> you are better off load balancing with a routing protocol and/or cef.
>
> Ben
>
> On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
>
> > Dear ciscoers,
> > Let's say we have a scenario to bring up multiple ppp for our
> > customer to increase bandwidth to the internet.
> > At the moment we only have access to the LNS, is it possible to have
> > MMPPP for our customer, or is there something to do with the LAC?
> > any reference?
> > here is the layout:
> > regards
> > Igun
> >
> >
> > u /-----3.5g service---PPP---LAC---LNS1--|
> > s/                                       |___internet
> > e\                                       |
> > r \-----cdma service--PPP---LAC---LNS2--|

From brad.henshaw at qcn.com.au Wed Jul 16 02:38:52 2008
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Wed, 16 Jul 2008 16:38:52 +1000
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
Message-ID: <8B25B862BC09784B9B74FB950D4F64D401F30A@qcnapp01.corp.qcn>

Wilkinson, Alex wrote:
> can anyone recommend a tool to 'blast' this particular interface

TTCP with UDP traffic, best directed at a null-routed IP address on the other side of that interface. Pay careful attention to the order of command-line parameters or weird things will happen.

If you want bidirectional traffic and TCP is sufficient, iperf is much nicer than TTCP.

Regards,
Brad

From igoen99 at yahoo.com Wed Jul 16 03:42:05 2008
From: igoen99 at yahoo.com (Edi Guntoro)
Date: Wed, 16 Jul 2008 00:42:05 -0700 (PDT)
Subject: [c-nsp] Cisco MMPPP
Message-ID: <456412.6518.qm@web54303.mail.re2.yahoo.com>

Thanks Ben,
I understand now. Coz previously, regarding the user, I thought this is a single user with PC/notebook/windows dialing using two different wireless services... is it possible?
regards

----- Original Message ----
From: Ben Steele
To: Edi Guntoro
Cc: cisco-nsp at puck.nether.net
Sent: Wednesday, July 16, 2008 2:21:27 PM
Subject: Re: [c-nsp] Cisco MMPPP

I'm talking strictly between your LNS and your CPE here. If you find your MMPPP is giving poor performance due to physical differences between the 2 sessions (i.e. speed and latency), then try doing something a little more creative like multihopping both ppp sessions onto the one router and using (as you mentioned) cef per-destination load sharing over the 2 unique ppp sessions, or alternatively let a routing protocol handle the work and advertise part of your subnet out one link and part out the other with redundancy, or even GRE tunnels etc etc.. there are quite a few ways you can achieve the desired outcome; this is of course only if your mmppp fails.

Cheers

Ben

On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:

Thanks Ben,
however what do you mean by "better off load balancing with a routing protocol and/or cef"? is it disabling the load balancing?
as I know this feature is enabled by default on routing protocols as long as they are equal admin distances.
And is it for traffic out to the internet or traffic coming to the customer?
regards.
Edi

----- Original Message ----
From: Ben Steele
To: Edi Guntoro
Cc: cisco-nsp at puck.nether.net
Sent: Wednesday, July 16, 2008 12:12:12 PM
Subject: Re: [c-nsp] Cisco MMPPP

The LAC is pretty irrelevant; you need to configure MMPPP capabilities on your LNS's, which means an sgbp group on your LNS's for the multichassis and "ppp multilink" under your virtual template for the MPPP side of things.

I noticed your topology is using 2 separate wireless services to provide the bundle. One word of warning: if the bundles are out of sync (speed and latency wise) you will see very poor performance and you are better off load balancing with a routing protocol and/or cef.

Ben

On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
> Dear ciscoers,
> Let's say we have a scenario to bring up multiple ppp for our
> customer to increase bandwidth to the internet.
> At the moment we only have access to the LNS, is it possible to have
> MMPPP for our customer, or is there something to do with the LAC?
> any reference?
> here is the layout:
> regards
> Igun
>
>
> u /-----3.5g service---PPP---LAC---LNS1--|
> s/                                       |___internet
> e\                                       |
> r \-----cdma service--PPP---LAC---LNS2--|

From ben.steele at internode.on.net Wed Jul 16 03:47:21 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 16 Jul 2008 17:17:21 +0930
Subject: [c-nsp] Cisco MMPPP
In-Reply-To: <456412.6518.qm@web54303.mail.re2.yahoo.com>
References: <456412.6518.qm@web54303.mail.re2.yahoo.com>
Message-ID:

Yes, it's possible to have say Windows do multilink ppp through 2 separate network devices; never tried it though, so not sure how reliable their implementation of it is.

Ben

On 16/07/2008, at 5:12 PM, Edi Guntoro wrote:
>
> Thanks Ben,
> I understand now. Coz previously, regarding the user, I thought this
> is a single user with PC/notebook/windows dialing using two
> different wireless services... is it possible?
> regards
>
>
>
>
> ----- Original Message ----
> From: Ben Steele
> To: Edi Guntoro
> Cc: cisco-nsp at puck.nether.net
> Sent: Wednesday, July 16, 2008 2:21:27 PM
> Subject: Re: [c-nsp] Cisco MMPPP
>
> I'm talking strictly between your LNS and your CPE here. If you find
> your MMPPP is giving poor performance due to physical differences
> between the 2 sessions (i.e. speed and latency), then try doing
> something a little more creative like multihopping both ppp sessions
> onto the one router and using (as you mentioned) cef per-destination
> load sharing over the 2 unique ppp sessions, or alternatively let a
> routing protocol handle the work and advertise part of your subnet
> out one link and part out the other with redundancy, or even GRE
> tunnels etc etc.. there are quite a few ways you can achieve the
> desired outcome; this is of course only if your mmppp fails.
>
> Cheers
>
> Ben
>
> On 16/07/2008, at 4:11 PM, Edi Guntoro wrote:
>
>> Thanks Ben,
>> however what do you mean by "better off load balancing with a
>> routing protocol and/or cef"? is it disabling the load balancing?
>> as I know this feature is enabled by default on routing protocols as
>> long as they are equal admin distances.
>> And is it for traffic out to the internet or traffic coming to the
>> customer?
>> regards.
>> Edi
>>
>>
>>
>> ----- Original Message ----
>> From: Ben Steele
>> To: Edi Guntoro
>> Cc: cisco-nsp at puck.nether.net
>> Sent: Wednesday, July 16, 2008 12:12:12 PM
>> Subject: Re: [c-nsp] Cisco MMPPP
>>
>> The LAC is pretty irrelevant; you need to configure MMPPP
>> capabilities
>> on your LNS's, which means an sgbp group on your LNS's for the
>> multichassis and "ppp multilink" under your virtual template for the
>> MPPP side of things.
>>
>> I noticed your topology is using 2 separate wireless services to
>> provide the bundle. One word of warning: if the bundles are out of
>> sync (speed and latency wise) you will see very poor performance and
>> you are better off load balancing with a routing protocol and/or cef.
>>
>> Ben
>>
>> On 16/07/2008, at 2:13 PM, Edi Guntoro wrote:
>>
>> > Dear ciscoers,
>> > Let's say we have a scenario to bring up multiple ppp for our
>> > customer to increase bandwidth to the internet.
>> > At the moment we only have access to the LNS, is it possible to
>> have
>> > MMPPP for our customer, or is there something to do with the LAC?
>> > any reference?
>> > here is the layout: >> > regards >> > Igun >> > >> > >> > u /-----3.5g service---PPP---LAC---LNS1--| >> > s/ | >> > ___internet >> > e\ | >> > r \-----cdma service--PPP---LAC---LNS2--| >> > >> > >> > >> > >> >> >> > > >

From janasamit at wlink.com.np Wed Jul 16 04:45:19 2008
From: janasamit at wlink.com.np (Samit)
Date: Wed, 16 Jul 2008 14:30:19 +0545
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
Message-ID: <487DB51F.1080205@wlink.com.np>

Hi,

Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco700vxr with NPE-G1 ?

Regards, Samit

From paul.cosgrove at heanet.ie Wed Jul 16 05:02:32 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 16 Jul 2008 10:02:32 +0100
Subject: [c-nsp] 2621xm vs 1800?
In-Reply-To: <001601c8e6af$7dd167c0$79743740$@org>
References: <001a01c8e68e$1d288b40$5779a1c0$@org> <487CF140.608@heanet.ie> <001601c8e6af$7dd167c0$79743740$@org>
Message-ID: <487DB928.6010006@heanet.ie>

There is a nice index including this and other similar product comparisons (switch performance, vpn performance etc.) at:-

http://www.cisco.com/web/partners/tools/quickreference/index.html

Paul.

Paul Stewart wrote: > Thanks... that's actually the document I was looking for ;) > > Our theory to date on the issues with the 2621XM's is possibly the vendor > itself and the memory they have been using. We have had a number of > problems with a particular batch of them purchased a while ago and the 3rd > party memory they are using specifically (we use 3rd party all the time with > great success normally). > > Want to swap one of the sites that is having repeated issues and prove it's > in the router somewhere or in the next hop device (wireless backhaul).
> > Thanks, > > Paul > > > -----Original Message----- > From: Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] > Sent: Tuesday, July 15, 2008 2:50 PM > To: Paul Stewart > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 2621xm vs 1800? > > Very much an upgrade judging from the following table. More than double > the PPS & Mbps for Fast/CEF switched packets:- > > http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerp > erformance.pdf > > > Would be interesting to know the cause of the issue though, > > Paul. > > Paul Stewart wrote: >> Hi there... >> >> We have some remote sites with 2621XM's running today. These routers are >> doing PPPOE termination primarily for 40-60 users. The 2621XM is handling >> the load just fine however we've been having random problems with them >> lately and wanted to swap out the 2621XM for a different, more current > model >> to see if the problem goes away (traffic just stops passing on the FE >> interfaces after a few weeks - tried multiple IOS versions - happening at >> several sites). >> >> My question is whether or not an 1841 would be a downgrade or an upgrade > for >> PPS and overall load? Or should we just bite the bullet and get 2801's >> instead? >> >> Thanks, >> >> Paul >> >> >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. 
From stig.johansen at ementor.no Wed Jul 16 05:51:20 2008 From: stig.johansen at ementor.no (Stig Johansen) Date: Wed, 16 Jul 2008 11:51:20 +0200 Subject: [c-nsp] Shape an L3 interface to 100mbit In-Reply-To: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> References: <20080715115646.F07A27B196@spunkymail-a16.g.dreamhost.com> Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B4E@100NOOSLMSG004.common.alpharoot.net> Hi again, It may be a bit unclear, but on the 3560/3750-platform, you'll have to do egress policing by manipulating the DSCP-values on input-interfaces and tweaking the srr-queues on the output-interfaces. The old 3550-platform supported egress policing via aggregate-policers, a bit more logically and without the need for changing any values. Best regards, Stig Meireles Johansen -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kurt Bales Sent: 15. juli 2008 13:57 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Shape an L3 interface to 100mbit Hey Guys, I have a situation where my upstream is policing my connection to 100mb. I have a GigE interconnect to them, and we are currently connected at 1gb/full duplex. I have been requested to shape the traffic leaving our interconnect to 100mb so as to reduce the performance issues caused by packet loss etc caused by policing. What is the easiest way to apply 100mb shaping to an L3 (no switchport) interface on a 3560G? The speed of this link could change in the near future (over the next couple of days) so I would prefer to use QoS rules to apply shaping to this interface as opposed to forcing the interconnect to 100/Full (which would be of no use if the link changed to 250mb). Regards, K. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From gkg at gmx.de Wed Jul 16 06:10:00 2008 From: gkg at gmx.de (Garry) Date: Wed, 16 Jul 2008 12:10:00 +0200 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DB51F.1080205@wlink.com.np> References: <487DB51F.1080205@wlink.com.np> Message-ID: <487DC8F8.9020604@gmx.de> Samit wrote: > Hi, > > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single > Cisco700vxr with NPE-G1 ? Technically, it is supported, as each of the two buses have 600 bandwidth points, with an STM-1 interface taking up 300. Question is whether it might be recommendable to get a second router for redundancy reasons, e.g. if you are terminating several uplinks with that one router. If so, I'd advise against doing it all on one router ... -garry From rodunn at cisco.com Wed Jul 16 07:25:59 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:25:59 -0400 Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time. In-Reply-To: <487D87AE.7070203@indo.net.id> References: <487D574D.8050803@indo.net.id> <487D87AE.7070203@indo.net.id> Message-ID: <20080716112559.GF18618@rtp-cse-489.cisco.com> If I remember correctly they are rate limited. You should use netflow and match on ACL dst if of Null0 rather than the log feature of the ACL's. Rodney On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote: > Hi charles, > > Depends on the engine processor. > Our G1 can handle this, it just the router not shown on the log (we > saved to a syslog-ng server). > > > rgs > a. rahman isnaini r.sutan > > Church, Charles wrote: > >If the router is subject to enough traffic where thousands of ACL hits > >are happening per second, you DON'T want to have any entries of that ACL > >logging. It's terrible for performance. 
> > > >Chuck > > > >-----Original Message----- > >From: cisco-nsp-bounces at puck.nether.net > >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman > >isnaini r.sutan > >Sent: Tuesday, July 15, 2008 10:05 PM > >To: Rodney Dunn > >Cc: cisco-nsp at puck.nether.net > >Subject: Re: [c-nsp] The maximum number of match packets Cisco Router > >can detect on ACL at one time. > > > > > >Thanks Rodney. > >Other thing, though the ACL matches thousand of hits at once.. > >The log couldn't show this (log buffer has been set to 4096 x 2) > > > >a. rahman isnaini r.sutan > > > >Rodney Dunn wrote: > >>There is no limit to the number of times the ACL will match and drop. > >> > >>The counter depending on how it's defined in the code may wrap but > >>that should never impact the ACL from matching and > >dropping/permitting. > >>Rodney > >> > >>On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan > >wrote: > >>>Hi, > >>> > >>> > >>>Might be some you have noted once, the maximum value (number) that > >Cisco > >>>ACL can match let say flooding packets. > >>>Here : deny tcp any any eq 1434 (5732 matches) for example. > >>>Since I have a problem with 7200 NPE G1, the huge traffic cannot be > >>>detected & matched by ACL. > >>> > >>>thanks for share if you will. > >>> > >>>a.
rahman isnaini r.sutan > >>>_______________________________________________ > >>>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >> > >> > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Wed Jul 16 07:26:21 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:26:21 -0400 Subject: [c-nsp] Cisco 2851 bug ? In-Reply-To: <487CD18D.3080708@heanet.ie> References: <1215798920.28688.4.camel@svesken.sys.mjna.net> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00CC5@tiger.deltadentalwa.com> <323aca890807142306p148c5693t45762350558a34b6@mail.gmail.com> <20080715162427.GK4378@rtp-cse-489.cisco.com> <487CD18D.3080708@heanet.ie> Message-ID: <20080716112621.GG18618@rtp-cse-489.cisco.com> Yep. Done in CEF path. Rodney On Tue, Jul 15, 2008 at 05:34:21PM +0100, Paul Cosgrove wrote: > Hi Rodney, > > Is that safe to do even if the traffic rate and/or cpu is high? > > Looks like a nice feature. > > Paul. > > Rodney Dunn wrote: > >Or you could load the new 12.4(20)T and set up a packet capture > >on the punt path. ;) > > > >rtp-rodunn-871#monitor capture point ip process-switched test in ? > > > > > >rtp-rodunn-871#monitor capture point ip process-switched rodney in > >rtp-rodunn-871#mon > >rtp-rodunn-871#monitor cap > >rtp-rodunn-871#monitor capture buf > >rtp-rodunn-871#monitor capture buffer pakdump ? 
> > circular Circular Buffer > > clear Clear contents of capture buffer > > export Export in Pcap format > > filter Configure filters > > limit Limit the packets dumped to the buffer > > linear Linear Buffer(Default) > > max-size Maximum size of element in the buffer (in bytes) > > size Packet Dump buffer size (in Kbytes) > > > > > >rtp-rodunn-871#monitor capture buffer pakdump > > > >.... > > > >Start the capture and export it to pcap. ;) > > > >This is new functionality in 12.4(20)T so we've got some enhancements to > >add to it. > > > >Rodney > > > >On Tue, Jul 15, 2008 at 08:06:26AM +0200, Pavel Skovajsa wrote: > >>Hi, > >>IP Input spike is usually caused by abnormal 'IP input' traffic that > >>gets punted into the RP from CEF for whatever reason. > >>A very common cause is broadcast storm. You can see what what packet > >>is holding the CPU with 'show buffers input interface fa0/1'. However > >>you need to do this command during a real spike... > >> > >>Pavel > >> > >>On Fri, Jul 11, 2008 at 10:47 PM, Teller, Robert > >> wrote: > >>>Is anyone aware of a bug or configuration that could cause a sudden > >>>spike in IP input? > >>> > >>>uptime is 26 weeks, 3 days, 10 hours, 54 minutes > >>>System returned to ROM by reload at 01:40:08 PST Tue Jan 8 2008 > >>>System restarted at 01:41:34 PST Tue Jan 8 2008 > >>>System image file is "flash:c2800nm-ipbasek9-mz.124-17a.bin" > >>>Cisco 2851 (revision 53.51) with 251904K/10240K bytes of memory. 
> >>> > >>>PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > >>> 66 125056 2917547 42 0.00% 0.00% 0.00% 0 CDP > >>>Protocol > >>> 67 28872876 373263867 77 0.08% 51.78% 47.36% 0 IP Input > >>> > >>>Seattle-WAN 01:00:26 PM Friday Jul 11 2008 DST > >>> > >>> > >>> 555558888899999888888888899999999 > >>> 555555544444444446666655555999998888844444333332222233333333 > >>>100 > >>> 90 ********** ******** > >>> 80 **************************** > >>> 70 **************************** > >>> 60 ********************************* > >>> 50 ********************************* > >>> 40 ********************************* > >>> 30 ********************************* > >>> 20 ********************************* > >>> 10 ******* ******************************************* > >>> 0....5....1....1....2....2....3....3....4....4....5....5....6 > >>> 0 5 0 5 0 5 0 5 0 5 0 > >>> CPU% per second (last 60 seconds) > >>> > >>> > >>> 9999999 1 > >>> 588886633444434434453334333334346534453335336645645556354344 > >>>100 ******* > >>> 90 #####** * > >>> 80 ######* * > >>> 70 ######* * > >>> 60 ######* * > >>> 50 ######* * > >>> 40 ######* * > >>> 30 ######* * > >>> 20 ####### * # > >>> 10 ####### * ** * * ** ** **** * # > >>> 0....5....1....1....2....2....3....3....4....4....5....5....6 > >>> 0 5 0 5 0 5 0 5 0 5 0 > >>> CPU% per minute (last 60 minutes) > >>> * = maximum CPU% # = average CPU% > >>> > >>> > >>> 1 1 11 1 1111 111 1111111111 11 1 7121111 1112 1111 111 > >>>1121111111111 > >>> > >>>691760977743309128787415602150180091972430809462896712922076244160072513 > >>>100 > >>> 90 > >>> 80 * > >>> 70 * > >>> 60 * > >>> 50 * > >>> 40 * > >>> 30 * * > >>> 20 * * * * ** * * * * * * ** * * * * > >>>* > >>> 10 > >>>************************************************************************ > >>> > >>>0....5....1....1....2....2....3....3....4....4....5....5....6....6....7. > >>>. 
> >>> 0 5 0 5 0 5 0 5 0 5 0 5 > >>>0 > >>> CPU% per hour (last 72 hours) > >>> * = maximum CPU% # = average CPU% > >>> > >>> > >>>######################################################### > >>>The information contained in this e-mail and subsequent attachments may > >>>be privileged, > >>>confidential and protected from disclosure. This transmission is > >>>intended for the sole > >>>use of the individual and entity to whom it is addressed. If you are > >>>not the intended > >>>recipient, any dissemination, distribution or copying is strictly > >>>prohibited. If you > >>>think that you have received this message in error, please e-mail the > >>>sender at the above > >>>e-mail address. > >>>######################################################### > >>>_______________________________________________ > >>>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >>> > >>_______________________________________________ > >>cisco-nsp mailing list cisco-nsp at puck.nether.net > >>https://puck.nether.net/mailman/listinfo/cisco-nsp > >>archive at http://puck.nether.net/pipermail/cisco-nsp/ > >_______________________________________________ > >cisco-nsp mailing list cisco-nsp at puck.nether.net > >https://puck.nether.net/mailman/listinfo/cisco-nsp > >archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > -- > HEAnet Limited > Ireland's Education & Research Network > 5 George's Dock, IFSC, Dublin 1, Ireland > Tel: +353.1.6609040 > Web: http://www.heanet.ie > Company registered in Ireland: 275301 > > Please consider the environment before printing this e-mail. From rodunn at cisco.com Wed Jul 16 07:28:05 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 16 Jul 2008 07:28:05 -0400 Subject: [c-nsp] "Total output drops" - congestion ? 
- 7200-VXR In-Reply-To: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> Message-ID: <20080716112805.GH18618@rtp-cse-489.cisco.com> What is the configuration of that interface and can you provide a 'sh int' between two drop periods? On Wed, Jul 16, 2008 at 02:22:31PM +0800, Wilkinson, Alex wrote: > Hi all, > > I am having problems with a particular device going down every 3-4 days. > The switchport for which this device is connected to is telling me it is > having a lot of "output drops" e.g. > > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 > > I 'suspect' that these output drops could be the root cause of the device > attached to this port going down consistently. > > Question: Since 'output drops' seems to relate to interface congestion can > anyone recommed a tool to 'blast' this particular interface in > order to test {in,out}queues and congestion ? > > -aW > > IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email. 
From mtinka at globaltransit.net Wed Jul 16 07:39:31 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 16 Jul 2008 19:39:31 +0800
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
In-Reply-To: <487DC8F8.9020604@gmx.de>
References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de>
Message-ID: <200807161939.32110.mtinka@globaltransit.net>

On Wednesday 16 July 2008 18:10:00 Garry wrote: > Technically, it is supported, as each of the two buses > have 600 bandwidth points, with an STM-1 interface taking > up 300. Question is whether it might be recommendable to > get a second router for redundancy reasons, e.g. if you > are terminating several uplinks with that one router. If > so, I'd advise against doing it all on one router ...

If you can afford a second router, I agree with Garry.

Cheers, Mark.

From bandhani at gmail.com Wed Jul 16 07:59:55 2008
From: bandhani at gmail.com (Farhan Jaffer)
Date: Wed, 16 Jul 2008 16:59:55 +0500
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>
Message-ID: <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com>

Have you tried the 'hold-queue ...' command? This may resolve your problem.

On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex wrote: > Hi all, > > I am having problems with a particular device going down every 3-4 days. > The switchport for which this device is connected to is telling me it is > having a lot of "output drops" e.g.
> > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 > > I 'suspect' that these output drops could be the root cause of the device > attached to this port going down consistently. > > Question: Since 'output drops' seems to relate to interface congestion can > anyone recommend a tool to 'blast' this particular interface in > order to test {in,out}queues and congestion ? > > -aW > > > >

From risnaini at indo.net.id Wed Jul 16 08:08:43 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 19:08:43 +0700
Subject: [c-nsp] The maximum number of match packets Cisco Router can detect on ACL at one time.
In-Reply-To: <20080716112559.GF18618@rtp-cse-489.cisco.com>
References: <487D574D.8050803@indo.net.id> <487D87AE.7070203@indo.net.id> <20080716112559.GF18618@rtp-cse-489.cisco.com>
Message-ID: <487DE4CB.4090502@indo.net.id>

OK then, so Cisco Router has a limitation on plotting the maximum hits/matches on ACL to a raw log.

Thanks Rodney.

a. rahman isnaini r.sutan

Rodney Dunn wrote: > If I remember correctly they are rate limited. > > You should use netflow and match on ACL dst if of Null0 rather > than the log feature of the ACL's. > > Rodney > > On Wed, Jul 16, 2008 at 12:31:26PM +0700, a. rahman isnaini r.sutan wrote: >> Hi charles, >> >> Depends on the engine processor. >> Our G1 can handle this, it just the router not shown on the log (we >> saved to a syslog-ng server). >> >> >> rgs >> a.
rahman isnaini r.sutan >> >> Church, Charles wrote: >>> If the router is subject to enough traffic where thousands of ACL hits >>> are happening per second, you DON'T want to have any entries of that ACL >>> logging. It's terrible for performance. >>> >>> Chuck >>> >>> -----Original Message----- >>> From: cisco-nsp-bounces at puck.nether.net >>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of a. rahman >>> isnaini r.sutan >>> Sent: Tuesday, July 15, 2008 10:05 PM >>> To: Rodney Dunn >>> Cc: cisco-nsp at puck.nether.net >>> Subject: Re: [c-nsp] The maximum number of match packets Cisco Router >>> can detect on ACL at one time. >>> >>> >>> Thanks Rodney. >>> Other thing, though the ACL matches thousand of hits at once.. >>> The log couldn't show this (log buffere has been set to 4096 x 2) >>> >>> a. rahman isnaini r.sutan >>> >>> Rodney Dunn wrote: >>>> There is no limit to the number of times the ACL will match and drop. >>>> >>>> The counter depending on how it's defined in the code may wrap but >>>> that should never impact the ACL from matching and >>> dropping/permitting. >>>> Rodney >>>> >>>> On Tue, Jul 15, 2008 at 06:08:03PM +0700, a. rahman isnaini r.sutan >>> wrote: >>>>> Hi, >>>>> >>>>> >>>>> Might be some you have noted once, the maximum value (number) that >>> Cisco >>>>> ACL can match let say flooding packets. >>>>> Here : deny tcp any any eq 1434 (5732 matches) fro example. >>>>> Since I have a problem with 7200 NPE G1, the huge traffic cannot be >>>>> detected & matched by ACL. >>>>> >>>>> thanks for share if you will. >>>>> >>>>> a. 
rahman isnaini r.sutan >>>>> _______________________________________________ >>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From Andrey_Oleinik at bms-consulting.com Wed Jul 16 08:43:37 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Wed, 16 Jul 2008 15:43:37 +0300 Subject: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1) In-Reply-To: <487DC8F8.9020604@gmx.de> References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de> Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM> Gentlemen, Saying about Cisco it's very new and interesting matrices for me (I mean bus/interface bandwidth points). Is this info available publicly? Thank U -- Respect, Andy Oleynik ... andyo> > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single andyo> > Cisco700vxr with NPE-G1 ? andyo> andyo> Technically, it is supported, as each of the two buses have 600 andyo> bandwidth points, with an STM-1 interface taking up 300. Question andyo> is andyo> whether it might be recommendable to get a second router for andyo> redundancy andyo> reasons, e.g. if you are terminating several uplinks with that one andyo> router. If so, I'd advise against doing it all on one router ... ... 
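Added example, not from the list or any of the posters: a small Python script that follows Rodney's advice in the ACL thread above, polling the ACE match counters from two `show access-lists` samples instead of relying on the rate-limited `log` keyword, and tolerating the counter wrap he mentions. The sample output, the ten-second poll interval and the 32-bit counter width are constructed assumptions.

```python
"""Per-ACE hit rates from two `show access-lists` samples (added example).

Polls the ACE match counters rather than relying on rate-limited ACL
`log` messages, and tolerates a counter that wraps between polls.
The counter width and the sample output are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

# Assumption: ACE match counters are treated as 32-bit unsigned here.
COUNTER_BITS = 32

# Matches an ACE line carrying a hit counter, e.g.
#   "    10 deny tcp any any eq 1434 (5732 matches)"
#   "    permit ip any any (1 match)"
ACE_RE = re.compile(
    r"^\s*(?:(?P<seq>\d+)\s+)?(?P<action>permit|deny)\s+(?P<rest>.+?)"
    r"\s+\((?P<count>\d+) match(?:es)?\)\s*$"
)

# Constructed samples taken ten seconds apart; entry 20 has wrapped.
SAMPLE_A = """\
Extended IP access list 101
    10 deny tcp any any eq 1434 (5732 matches)
    20 deny udp any any eq 1434 (4294967200 matches)
    30 permit ip any any (120 matches)
"""
SAMPLE_B = """\
Extended IP access list 101
    10 deny tcp any any eq 1434 (15732 matches)
    20 deny udp any any eq 1434 (200 matches)
    30 permit ip any any (130 matches)
"""
SAMPLE_INTERVAL_S = 10.0


def parse_acl_counters(text: str) -> Dict[str, int]:
    """Map each ACE (sequence number plus text) to its match counter."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # ACL header line, or an ACE that has no counter yet
        prefix = f"{m.group('seq')} " if m.group("seq") else ""
        key = f"{prefix}{m.group('action')} {m.group('rest')}"
        counters[key] = int(m.group("count"))
    return counters


def counter_delta(old: int, new: int, bits: int = COUNTER_BITS) -> int:
    """Increase of an unsigned counter that may have wrapped once."""
    if new >= old:
        return new - old
    return (1 << bits) - old + new


def hit_rates(sample_a: str, sample_b: str,
              interval_s: float) -> Dict[str, Tuple[int, float]]:
    """Per-ACE (hits, hits per second) between two samples."""
    before = parse_acl_counters(sample_a)
    after = parse_acl_counters(sample_b)
    rates: Dict[str, Tuple[int, float]] = {}
    for ace, new in after.items():
        delta = counter_delta(before.get(ace, 0), new)
        rates[ace] = (delta, delta / interval_s)
    return rates


def busiest(rates: Dict[str, Tuple[int, float]],
            min_pps: float) -> List[Tuple[str, float]]:
    """ACEs whose rate is at or above min_pps, busiest first."""
    hot = [(ace, pps) for ace, (_, pps) in rates.items() if pps >= min_pps]
    return sorted(hot, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    result = hit_rates(SAMPLE_A, SAMPLE_B, SAMPLE_INTERVAL_S)
    for ace, (hits, pps) in result.items():
        print(f"{ace:32s} {hits:>8d} hits {pps:9.1f} pps")
    for ace, pps in busiest(result, min_pps=100.0):
        print(f"HOT: {ace} at {pps:.1f} pps")
```

Feeding it real samples means replacing the two constants with the output of two timed `show access-lists` runs; the wrap handling only covers a single wrap, so keep the poll interval short relative to the hit rate.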
From mathias.spoerr at at.ibm.com Wed Jul 16 09:02:57 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Wed, 16 Jul 2008 15:02:57 +0200
Subject: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1)
In-Reply-To: <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM>
References: <487DB51F.1080205@wlink.com.np> <487DC8F8.9020604@gmx.de> <68D5E673B49F1D45A5BE41058C8AFDBCC18992CA13@BMSEXCH.BMS-CONSULTING.COM>
Message-ID:

http://www.cisco.com/en/US/prod/collateral/routers/ps341/prod_presentation09186a008009184d.pdf

Regards, Mathias

From: Andrey Oleinik To: Garry Cc: "cisco-nsp at puck.nether.net" Date: 16.07.2008 15:00 Subject: Re: [c-nsp] bandwidth points table (former Three STM-1 on one Cisco 7200vxr-npeG1) Gentlemen, Saying about Cisco it's very new and interesting matrices for me (I mean bus/interface bandwidth points). Is this info available publicly? Thank U -- Respect, Andy Oleynik ... andyo> > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single andyo> > Cisco700vxr with NPE-G1 ? andyo> andyo> Technically, it is supported, as each of the two buses have 600 andyo> bandwidth points, with an STM-1 interface taking up 300. Question andyo> is andyo> whether it might be recommendable to get a second router for andyo> redundancy andyo> reasons, e.g. if you are terminating several uplinks with that one andyo> router. If so, I'd advise against doing it all on one router ... ...

From eric at roxanne.org Wed Jul 16 09:09:53 2008
From: eric at roxanne.org (Eric Gauthier)
Date: Wed, 16 Jul 2008 09:09:53 -0400
Subject: [c-nsp] ASA connectivity issues
Message-ID: <20080716130953.GA4060@roxanne.org>

Hello,

We've had an ASA5500 online for about two years providing VPN services for wireless users on our campus (v8.0(3)). Starting over the weekend, we've encountered a problem where users can connect and authenticate, but traffic isn't passing through the box (i.e. the client side shows transmitted data but nothing received back). Moreover, it appears to "come and go" in two ways. First, if your client connects and you wait long enough (~10 - 20 mins), traffic magically starts flowing. Second, the issue in general seems to disappear over night, which is leading us to think that it's some sort of new client (iphone maybe?) in the field but Cisco is saying that they haven't heard any reports of this type of issue. The last time we made a configuration change was in April, so we're at a loss for what might be causing this. We've had a TAC case open for a few days, but they haven't made much progress. Is anyone else seeing similar behavior?

Eric :)

From streiner at cluebyfour.org Wed Jul 16 11:00:53 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 16 Jul 2008 11:00:53 -0400 (EDT)
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
In-Reply-To: <487DB51F.1080205@wlink.com.np>
References: <487DB51F.1080205@wlink.com.np>
Message-ID:

On Wed, 16 Jul 2008, Samit wrote: > Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco700vxr > with NPE-G1 ?

Could it be done? Yes, but I wouldn't expect to see good performance if you try to move anything approaching line-rate traffic on those interfaces.
jms From avayner at cisco.com Wed Jul 16 11:21:37 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Wed, 16 Jul 2008 17:21:37 +0200 Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 In-Reply-To: <487DB51F.1080205@wlink.com.np> References: <487DB51F.1080205@wlink.com.np> Message-ID: <67F7C1FAF83A074AA3520D8F155782A5019AE851@xmb-ams-331.emea.cisco.com> Samit, Take a look at the Jacket Card. It would help to extend the bandwidth point limitation: http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/port_ad apter_jacket_card_install/8427J.html Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Samit Sent: Wednesday, July 16, 2008 11:45 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1 Hi, Is it recommended to run three STM-1 (PA-POS-1OC3) on a single Cisco700vxr with NPE-G1 ? Regards, Samit _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From david.freedman at uk.clara.net Wed Jul 16 11:41:15 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Wed, 16 Jul 2008 16:41:15 +0100 Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR In-Reply-To: <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> Message-ID: <487E169B.4020507@uk.clara.net> It is inadvisable to increase the output hold-queue as far as I am aware, this could cause packets to be delayed on egress which could cause TCP timeouts. Dave. Farhan Jaffer wrote: > Have you tried 'hold-queue ...' command. This may resolves your problem. 
> > > On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex > wrote: >> Hi all, >> >> I am having problems with a particular device going down every 3-4 days. >> The switchport for which this device is connected to is telling me it is >> having a lot of "output drops" e.g. >> >> Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 13342805 >> >> I 'suspect' that these output drops could be the root cause of the device >> attached to this port going down consistently. >> >> Question: Since 'output drops' seems to relate to interface congestion can >> anyone recommend a tool to 'blast' this particular interface in >> order to test {in,out}queues and congestion ? >> >> -aW >> >> >>

From risnaini at indo.net.id Wed Jul 16 11:34:36 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 16 Jul 2008 22:34:36 +0700
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
In-Reply-To:
References: <487DB51F.1080205@wlink.com.np>
Message-ID: <487E150C.4000209@indo.net.id>

Nope.... You will have no buffer should flooding traffic occur.

a. r.isnaini rangkayo sutan

Justin M. Streiner wrote: > On Wed, 16 Jul 2008, Samit wrote: > >> Is it recommended to run three STM-1 (PA-POS-1OC3) on a single >> Cisco700vxr with NPE-G1 ? > > >

From ASikkema at office.unet.nl Wed Jul 16 11:10:40 2008
From: ASikkema at office.unet.nl (Andreas Sikkema)
Date: Wed, 16 Jul 2008 17:10:40 +0200
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
Message-ID:

Hi,

We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we route calls from the incoming ISDN line to a SIP server (and vice versa). Currently we're wondering if we can route calls coming in from a specific ISDN line to another ISDN line directly without having to go through a SIP server. I've searched using Google and some pages suggest that these gateways can only route from ISDN to VoIP or vice versa.
From http://www.cisco.com/en/US/tech/tk652/tk90/technologies_tech_note09186a008010fed1.shtml I learned a lot more about which dialpeer is matched, but not whether there's a preference against routing calls from ISDN to ISDN directly or that it's fully supported. Does anyone have experience either way? Pointers to relevant documents? -- Andreas Sikkema Service Specialist Voice Unet BV, Almere, the Netherlands From rolf-web at internet.ao Wed Jul 16 11:51:03 2008 From: rolf-web at internet.ao (Rolf Mendelsohn) Date: Wed, 16 Jul 2008 16:51:03 +0100 Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR In-Reply-To: <487E169B.4020507@uk.clara.net> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <11b0f2da0807160459k1868c2a2n2579a2c19c88e407@mail.gmail.com> <487E169B.4020507@uk.clara.net> Message-ID: <200807161651.03903.rolf-web@internet.ao> Hi Guys, This really depends on the speed of the Interface and what is connected on the other side. We had a Serial Satellite link of 5M, which was never running higher than 4.5M - due to regular bursty traffic. After increasing the queue (fair-queue 320 256 0) the link now does about 4.9M, without drops & without any significant increase in latency. I guess the default WFQ size might be a bit small for some links. I also think that hold-queue is only relevant if you are using FIFO queuing. Alternatively WRR queuing could help. cheers /rolf On Wednesday 16 July 2008 16:41:15 David Freedman wrote: > It is inadvisable to increase the output hold-queue as far as I am > aware, this could cause packets to be delayed on egress which could > cause TCP timeouts. > > Dave. > > Farhan Jaffer wrote: > > Have you tried 'hold-queue ...' command. This may resolves your problem. > > > > > > On Wed, Jul 16, 2008 at 11:22 AM, Wilkinson, Alex > > > > wrote: > >> Hi all, > >> > >> I am having problems with a particular device going down every 3-4 days. 
> >> The switchport for which this device is connected to is telling me it is > >> having a lot of "output drops" e.g. > >> > >> Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: > >> 13342805 > >> > >> I 'suspect' that these output drops could be the root cause of the > >> device attached to this port going down consistently. > >> > >> Question: Since 'output drops' seems to relate to interface congestion > >> can anyone recommed a tool to 'blast' this particular interface in order > >> to test {in,out}queues and congestion ? > >> > >> -aW > >> > >> IMPORTANT: This email remains the property of the Australian Defence > >> Organisation and is subject to the jurisdiction of section 70 of the > >> CRIMES ACT 1914. If you have received this email in error, you are > >> requested to contact the sender and delete the email. > >> > >> > >> _______________________________________________ > >> cisco-nsp mailing list cisco-nsp at puck.nether.net > >> https://puck.nether.net/mailman/listinfo/cisco-nsp > >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From abalashov at evaristesys.com Wed Jul 16 12:21:50 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Wed, 16 Jul 2008 12:21:50 -0400 Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN? In-Reply-To: References: Message-ID: <487E201E.7050700@evaristesys.com> Andreas Sikkema wrote: > We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we > route calls from the incoming ISDN line to a SIP server (and vice versa). 
> Currently we're wondering if we can route calls coming in from a specific > ISDN line to another ISDN line directly without having to go through a SIP > server. The answer is yes. What it *cannot* do is hairpin VoIP calls (in VoIP, out VoIP). But it can cross-connect TDM. -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From r.nevot at gmail.com Wed Jul 16 17:53:06 2008 From: r.nevot at gmail.com (Raul Lopez Nevot) Date: Wed, 16 Jul 2008 23:53:06 +0200 Subject: [c-nsp] configurations Message-ID: Hello, anybody having a AS5350 with PRI(s) and asterisk running for incoming/outgoing calls between SIP and ISDN/Analog is willing to post as5350 config and asterisk config? just to get straight to the core... From abalashov at evaristesys.com Wed Jul 16 18:25:51 2008 From: abalashov at evaristesys.com (Alex Balashov) Date: Wed, 16 Jul 2008 18:25:51 -0400 (EDT) Subject: [c-nsp] configurations In-Reply-To: References: Message-ID: <20867.97.81.73.247.1216247151.squirrel@webmail.corp.evaristesys.com> On Wed, July 16, 2008 5:53 pm, Raul Lopez Nevot wrote: > Hello, > anybody having a AS5350 with PRI(s) and asterisk running for > incoming/outgoing calls between SIP and ISDN/Analog is willing to post > as5350 config and asterisk config? All the configs I have are rather lengthy (for AS5300s and 5400s) as they involve considerable routing complexity. Is there some specific question you have, or are you trying to arrive at a holistic sense of how to configure such a gateway to front Asterisk? I'd like to get you the relevant subset of the config that distills it down to what you're looking for. 
-- Alex -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From jason at pins.net Wed Jul 16 18:56:37 2008 From: jason at pins.net (Jason Berenson) Date: Wed, 16 Jul 2008 18:56:37 -0400 Subject: [c-nsp] Cisco 2651XM and NM Message-ID: <487E7CA5.6090100@pins.net> Greetings, So, according to this at table 3: http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html the NM-2FE are not supported on the 2651XM. Any idea as to how I could get 3 FE ports on a 2651XM? I don't need anywhere near line speed but need the link to sync up at 100M full duplex. If not I guess I'll have to just get a 2691. :( Thanks, Jason From merlyn at Geeks.ORG Wed Jul 16 19:21:06 2008 From: merlyn at Geeks.ORG (Doug McIntyre) Date: Wed, 16 Jul 2008 18:21:06 -0500 Subject: [c-nsp] Cisco 2651XM and NM In-Reply-To: <487E7CA5.6090100@pins.net> References: <487E7CA5.6090100@pins.net> Message-ID: <20080716232106.GA90563@geeks.org> On Wed, Jul 16, 2008 at 06:56:37PM -0400, Jason Berenson wrote: > So, according to this at table 3: > > http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html > > the NM-2FE are not supported on the 2651XM. Any idea as to how I could get > 3 FE ports on a 2651XM? I don't need anywhere near line speed but need the > link to sync up at 100M full duplex. If not I guess I'll have to just get > a 2691. :( Right, anything with a LAN port on an NM card isn't supported in a 26xx(plain or XM) (with the 2691 excepted, maybe they should have called it the 3610 or something.. :). There's the NM-16ESW which would fit into the 2651XM and function as one more FE port with 16 switch ports behind it. I personally would swap out the chassis for a 3640, which gives you a little more CPU than the 2651XM, and you can fit alot more cards/ports into it. 
From jason at pins.net  Wed Jul 16 20:24:08 2008
From: jason at pins.net (Jason Berenson)
Date: Wed, 16 Jul 2008 20:24:08 -0400
Subject: [c-nsp] Cisco 2651XM and NM
In-Reply-To: <20080716232106.GA90563@geeks.org>
References: <487E7CA5.6090100@pins.net>
	<20080716232106.GA90563@geeks.org>
Message-ID: <487E9128.8050306@pins.net>

Doug,

The only issue is the XM is not EOL and the 3640 is, I think. I may be
able to dig up a 3640 in my office; if not I'll probably go with a 2691.

-Jason

Doug McIntyre wrote:
> On Wed, Jul 16, 2008 at 06:56:37PM -0400, Jason Berenson wrote:
>
>> So, according to this at table 3:
>>
>> http://www.cisco.com/en/US/prod/collateral/routers/ps259/product_data_sheet09186a00801aa71c.html
>>
>> the NM-2FE is not supported on the 2651XM. Any idea as to how I could get
>> 3 FE ports on a 2651XM? I don't need anywhere near line speed but need the
>> link to sync up at 100M full duplex. If not I guess I'll have to just get
>> a 2691. :(
>>
>
> Right, anything with a LAN port on an NM card isn't supported in a
> 26xx (plain or XM) (with the 2691 excepted, maybe they should have
> called it the 3610 or something.. :).
>
> There's the NM-16ESW which would fit into the 2651XM and function as
> one more FE port with 16 switch ports behind it.
>
> I personally would swap out the chassis for a 3640, which gives you a
> little more CPU than the 2651XM, and you can fit a lot more cards/ports
> into it.
>

From alex.wilkinson at dsto.defence.gov.au  Wed Jul 16 20:32:34 2008
From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex)
Date: Thu, 17 Jul 2008 08:32:34 +0800
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080716112805.GH18618@rtp-cse-489.cisco.com>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au>
	<20080716112805.GH18618@rtp-cse-489.cisco.com>
Message-ID: <20080717003234.GA80335@stlux503.dsto.defence.gov.au>

0n Wed, Jul 16, 2008 at 07:28:05AM -0400, Rodney Dunn wrote:

>What is the configuration of that interface and can you provide
>a 'sh int' between two drop periods?

From 'running-config':

interface FastEthernet4/10
 no snmp trap link-status

From 'show int FastEthernet4/10':

FastEthernet4/10 is up, line protocol is up (connected)
  Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879)
  MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Half-duplex, 10Mb/s
  input flow-control is unsupported output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 18:17:11
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     7 packets input, 524 bytes, 0 no buffer
     Received 0 broadcasts (0 multicast)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 input packets with dribble condition detected
     136771 packets output, 13580522 bytes, 0 underruns
     1 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the
device that is connected to this switch-port is only capable of 10Mb/s.

I did a 'clear counters FastEthernet4/10' yesterday and came in this morning
to find our ATM link was down again and "Total output drops" up to 118.

I then reboot the device that is connected to this switch-port and voila, the
ATM link comes up and EIGRP neighbour adjacency reforms.

Not sure how to verify if congestion is the root cause of this re-occurring
problem.

-aW

From nick.geyer at eds.com  Thu Jul 17 01:16:07 2008
From: nick.geyer at eds.com (Geyer, Nick)
Date: Thu, 17 Jul 2008 15:16:07 +1000
Subject: [c-nsp] NAT and hairpin's
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using
a Cisco router? The problem is as follows;

Say for example I have a router connecting to the Internet and an
internal LAN doing normal NAT, e.g;

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on
the "outside" interface)

I have an application that talks from clients on the Internet to an
internal server (192.168.1.1), with the appropriate static NATs set up
on the router to forward the traffic. The problem is the internal
clients also need to talk to the server but on the public IP address
(203.1.2.3). The traffic from the internal clients will hit the router
but it won't translate and forward the traffic because it's coming from
the "inside" interface (and the static NAT only works for requests from
the outside interface).

I don't believe it can be done but just thought I would ask in case
anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.
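The failure Nick describes (an inside client addressing the server's public IP, with the static NAT applied only to traffic arriving on the outside interface), modelled as an added Python simulation that is not part of the thread. The client 192.168.1.50, the external host 198.51.100.7 and the three translation modes are constructed for the example; the "hairpin" mode rewrites the source as well as the destination, which is what RFC 4787 calls hairpinning and is why the server's reply is forced back through the router instead of being answered directly on the LAN.

```python
"""Toy model of the NAT hairpin problem: static NAT for an internal server,
and what an internal client sees when it addresses the server's public IP.

Addressing follows the question above: public 203.1.2.3 on the outside
interface, LAN 192.168.1.0/24, server 192.168.1.1. The client, the external
host (RFC 5737 documentation range) and the translation modes are constructed:
  "classic"  - destination rewrite only for packets arriving on outside
  "dst_only" - also rewrite the destination for inside clients, source untouched
  "hairpin"  - rewrite destination AND source for inside clients (RFC 4787)
"""
from dataclasses import dataclass, replace
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.1.2.3"
SERVER_IP = "192.168.1.1"
CLIENT_IP = "192.168.1.50"      # constructed internal client
EXTERNAL_IP = "198.51.100.7"    # constructed Internet client


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    def __init__(self, mode: str):
        if mode not in ("classic", "dst_only", "hairpin"):
            raise ValueError(mode)
        self.mode = mode
        # key: 4-tuple of the reply the server will send (src, sport, dst, dport)
        # value: (original untranslated request, interface it arrived on)
        self.sessions: dict[tuple, tuple[Packet, str]] = {}

    def forward(self, pkt: Packet, ingress: str):
        """Translate pkt; return (egress_interface, packet) or None if dropped."""
        hit = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if hit is not None:
            # Reply to a known session: undo the rewrite and send it back out
            # the interface the original request came in on.
            orig, request_ingress = hit
            back = Packet(src=orig.dst, sport=orig.dport, dst=orig.src, dport=orig.sport)
            return request_ingress, back
        if pkt.dst != PUBLIC_IP:
            return None                      # nothing else is modelled here
        if ingress == "outside" or self.mode == "dst_only":
            out = replace(pkt, dst=SERVER_IP)
        elif self.mode == "hairpin":
            # Hide the client behind the router's own address: the server now
            # answers an off-subnet address and must route via the router.
            out = replace(pkt, src=PUBLIC_IP, dst=SERVER_IP)
        else:
            # classic: 203.1.2.3 is the router's own outside address and no
            # inside-to-inside translation rule exists, so the request dies.
            return None
        self.sessions[(out.dst, out.dport, out.src, out.sport)] = (pkt, ingress)
        return "inside", out


def lan_host_send(router: NatRouter, pkt: Packet):
    """A LAN host sends pkt. Same-subnet traffic is switched directly and
    never touches the router; anything else goes to the default gateway."""
    if ipaddress.ip_address(pkt.dst) in LAN:
        return "direct", pkt
    return router.forward(pkt, "inside")


def simulate(mode: str, client_ip: str, ingress: str) -> dict:
    """Client at client_ip (attached to `ingress`) opens TCP/80 to 203.1.2.3."""
    router = NatRouter(mode)
    request = Packet(src=client_ip, sport=40000, dst=PUBLIC_IP, dport=80)
    if ingress == "inside":
        hop = lan_host_send(router, request)
    else:
        hop = router.forward(request, "outside")
    if hop is None:
        return {"reached_server": False, "reply_from": None, "client_accepts": False}
    _, at_server = hop
    # The server answers whatever source address it saw.
    reply = Packet(src=SERVER_IP, sport=80, dst=at_server.src, dport=at_server.sport)
    back = lan_host_send(router, reply)     # the server is itself a LAN host
    if back is None:
        return {"reached_server": True, "reply_from": None, "client_accepts": False}
    _, at_client = back
    # The client opened a socket to 203.1.2.3:80 and only accepts replies from it.
    accepts = (at_client.src, at_client.sport, at_client.dst) == (PUBLIC_IP, 80, client_ip)
    return {"reached_server": True, "reply_from": at_client.src, "client_accepts": accepts}


if __name__ == "__main__":
    for mode in ("classic", "dst_only", "hairpin"):
        print(f"{mode:9s} inside : {simulate(mode, CLIENT_IP, 'inside')}")
        print(f"{mode:9s} outside: {simulate(mode, EXTERNAL_IP, 'outside')}")
```

The "dst_only" run shows the trap a destination-only fix leaves: the server reaches the client directly with its private address as source, so the client's socket to 203.1.2.3:80 never sees a matching reply.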
From marc at archernet.id.au Thu Jul 17 01:25:14 2008 From: marc at archernet.id.au (Marc Archer) Date: Thu, 17 Jul 2008 15:25:14 +1000 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> Message-ID: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com> Hi Nick, We had the same problem at work and used DNS to get around it. The only solution we found was to have an second internal DNS that would resolv to the internal IP so that both internal and external users could access the server from a common DNS name. Marc. 2008/7/17 Geyer, Nick : > Hi Everyone, > > > > Just wondering if anyone has come up with a way to hairpin traffic using > a Cisco router? The problem is as follows; > > > > Say for example I have a router connecting to the Internet and an > internal LAN doing normal NA, e.g; > > > > 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on > the "outside" interface) > > > > I have an application that talks from clients on the Internet to an > internal server (192.168.1.1), with the appropriate static NAT's setup > on the router to forward the traffic. The problem is the internal > clients also need to talk to the server but on the public IP address > (203.1.2.3). The traffic from the internal clients will hit the router > but it wont translate and forward the traffic because its coming from > the "inside" interface (and the static NAT only works for requests from > the outside interface). > > > > I don't believe it can be done but just thought I would ask in case > anyone has come up with a weird and wonderful way. > > > > Cheers, > > > > Nick Geyer. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From nick.geyer at EDS.COM Thu Jul 17 01:36:56 2008 From: nick.geyer at EDS.COM (Geyer, Nick) Date: Thu, 17 Jul 2008 15:36:56 +1000 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com> Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA0385745B@aubwm232.apac.corp.eds.com> Hi Marc, That's what I usually do as well. In this scenario though an internal DNS server is not an option as all traffic is by IP address not hostname. Its got me stumped and I know Cisco used to say it was not possible, but am just wondering if there is anything new that could be used/manipulated to do this. Cheers ________________________________ From: Marc Archer [mailto:marc at archernet.id.au] Sent: Thursday, 17 July 2008 3:25 PM To: Geyer, Nick Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] NAT and hairpin's Hi Nick, We had the same problem at work and used DNS to get around it. The only solution we found was to have an second internal DNS that would resolv to the internal IP so that both internal and external users could access the server from a common DNS name. Marc. 2008/7/17 Geyer, Nick : Hi Everyone, Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router? 
The problem is as follows; Say for example I have a router connecting to the Internet and an internal LAN doing normal NA, e.g; 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the "outside" interface) I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NAT's setup on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). The traffic from the internal clients will hit the router but it wont translate and forward the traffic because its coming from the "inside" interface (and the static NAT only works for requests from the outside interface). I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way. Cheers, Nick Geyer. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ben.steele at internode.on.net Thu Jul 17 01:48:02 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Thu, 17 Jul 2008 15:18:02 +0930 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> Message-ID: <5524DDA6-F891-444E-AFE8-D22FC61C687E@internode.on.net> This is where dns doctoring on the asa/pix really comes in handy! 
Split dns is usually the way to go but I had another thought, can you put the public 203 address as an alias on the server and then setup a policy route-map on your lan interface to match packets with a destination of your server and port say something like "permit tcp LAN host 203.1.2.3 eq 80" then put a "set ip next-hop SERVER LAN IP" On 17/07/2008, at 2:46 PM, Geyer, Nick wrote: > Hi Everyone, > > > > Just wondering if anyone has come up with a way to hairpin traffic > using > a Cisco router? The problem is as follows; > > > > Say for example I have a router connecting to the Internet and an > internal LAN doing normal NA, e.g; > > > > 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP > on > the "outside" interface) > > > > I have an application that talks from clients on the Internet to an > internal server (192.168.1.1), with the appropriate static NAT's setup > on the router to forward the traffic. The problem is the internal > clients also need to talk to the server but on the public IP address > (203.1.2.3). The traffic from the internal clients will hit the router > but it wont translate and forward the traffic because its coming from > the "inside" interface (and the static NAT only works for requests > from > the outside interface). > > > > I don't believe it can be done but just thought I would ask in case > anyone has come up with a weird and wonderful way. > > > > Cheers, > > > > Nick Geyer. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From tedm at toybox.placo.com Thu Jul 17 02:58:05 2008 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Wed, 16 Jul 2008 23:58:05 -0700 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <2f48f6b80807162225i617c08c2h600c8128ebf273c6@mail.gmail.com> Message-ID: > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Marc Archer > Sent: Wednesday, July 16, 2008 10:25 PM > To: Geyer, Nick > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] NAT and hairpin's > > > Hi Nick, > > We had the same problem at work and used DNS to get around it. The only > solution we found was to have an second internal DNS that would resolv to > the internal IP so that both internal and external users could access the > server from a common DNS name. > IOS nat code will rewrite the DNS query if the DNS server is on the outside and the clients are on the inside, so that the clients get the internal number, not the external number. The only caveat is that you have to statically map an outside IP number to the inside IP number, you can't port forward off an overloaded outside interface and have the DNS magic work. Ted From brett at looney.id.au Thu Jul 17 03:37:37 2008 From: brett at looney.id.au (Brett Looney) Date: Thu, 17 Jul 2008 15:37:37 +0800 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> Message-ID: <05cd01c8e7e0$00ee58d0$02cb0a70$@id.au> > Just wondering if anyone has come up with a way to hairpin traffic > using a Cisco router? 
The problem is as follows; Sounds just like "NAT on a stick": http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080 094430.shtml B. From Simon.Fawcett at uk.fujitsu.com Thu Jul 17 06:40:11 2008 From: Simon.Fawcett at uk.fujitsu.com (Fawcett Simon) Date: Thu, 17 Jul 2008 11:40:11 +0100 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> Message-ID: I have done this on an ASA running 7.2 code. It definitely works What happened was the inside sever was say 10.0.0.1 with an outside address 1.1.1.1 all client traffic by default was natted to a hide address 2.2.2.2. My pc therefore Was 10.0.0.2 heading for 1.1.1.1. I was natted by the hide address so my source was 2.2.2.2. The only odd thing about it was that you then needed to permit on the ouside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and everything worked. I hope this makes sense and helps someone God bless the ASA Simon -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick Sent: 17 July 2008 06:16 To: cisco-nsp at puck.nether.net Subject: [c-nsp] NAT and hairpin's Hi Everyone, Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router? The problem is as follows; Say for example I have a router connecting to the Internet and an internal LAN doing normal NA, e.g; 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the "outside" interface) I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NAT's setup on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). 
The traffic from the internal clients will hit the router but it wont translate and forward the traffic because its coming from the "inside" interface (and the static NAT only works for requests from the outside interface). I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way. Cheers, Nick Geyer. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From bandhani at gmail.com Thu Jul 17 07:06:31 2008 From: bandhani at gmail.com (Farhan Jaffer) Date: Thu, 17 Jul 2008 16:06:31 +0500 Subject: [c-nsp] PtP link over FR Message-ID: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com> Hi, There is an interesting situation, let me discuss the scenario first, Cisco Router A ----(same n/w) ---- Juniper Router -----(FR point-to-point pvc) ------- Cisco Router B. PVC is Active & point to point connectivity is OK. But the ping response from cisco router A to B via FR is unreachable & vice versa. however if i replace Juniper router with Cisco Router, it works fine. Is there any IP forwarding like thing? or any other problem. Thanks very much in advance. -FJ From bandhani at gmail.com Thu Jul 17 08:27:50 2008 From: bandhani at gmail.com (Farhan Jaffer) Date: Thu, 17 Jul 2008 17:27:50 +0500 Subject: [c-nsp] PtP link over FR In-Reply-To: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com> References: <11b0f2da0807170406j1fe76e01nab8ba193a366a887@mail.gmail.com> Message-ID: <11b0f2da0807170527t325518fbw7db3cbf1844bf54d@mail.gmail.com> Thanks for all. It was one mistake from my side. I used management interface ip address for routes on Juniper :) It's working fine now. Thanks again. 
-FJ On Thu, Jul 17, 2008 at 4:06 PM, Farhan Jaffer wrote: > Hi, > > There is an interesting situation, let me discuss the scenario first, > > Cisco Router A ----(same n/w) ---- Juniper Router -----(FR > point-to-point pvc) ------- Cisco Router B. > > PVC is Active & point to point connectivity is OK. But the ping > response from cisco router A to B via FR is unreachable & vice versa. > > however if i replace Juniper router with Cisco Router, it works fine. > > Is there any IP forwarding like thing? or any other problem. > > Thanks very much in advance. > > -FJ > From dwinkworth at wi.rr.com Thu Jul 17 10:23:22 2008 From: dwinkworth at wi.rr.com (Wink) Date: Thu, 17 Jul 2008 09:23:22 -0500 Subject: [c-nsp] NAT and hairpin's In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com> Message-ID: <487F55DA.4040900@wi.rr.com> see: ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-behave-tcp-07.txt and http://tools.ietf.org/html/rfc4787 See section 7.2 in the first. It looks like what you are asking for will be required of all NAT implementations soon for TCP. It is already a BCP and a "requirement" for UDP. Geyer, Nick wrote: > Hi Everyone, > > > > Just wondering if anyone has come up with a way to hairpin traffic using > a Cisco router? The problem is as follows; > > > > Say for example I have a router connecting to the Internet and an > internal LAN doing normal NA, e.g; > > > > 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on > the "outside" interface) > > > > I have an application that talks from clients on the Internet to an > internal server (192.168.1.1), with the appropriate static NAT's setup > on the router to forward the traffic. The problem is the internal > clients also need to talk to the server but on the public IP address > (203.1.2.3). 
The traffic from the internal clients will hit the router > but it wont translate and forward the traffic because its coming from > the "inside" interface (and the static NAT only works for requests from > the outside interface). > > > > I don't believe it can be done but just thought I would ask in case > anyone has come up with a weird and wonderful way. > > > > Cheers, > > > > Nick Geyer. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > No virus found in this incoming message. > Checked by AVG - http://www.avg.com > Version: 8.0.138 / Virus Database: 270.5.0/1558 - Release Date: 7/17/2008 9:56 AM > > > > No virus found in this outgoing message. Checked by AVG - http://www.avg.com Version: 8.0.138 / Virus Database: 270.5.0/1558 - Release Date: 7/17/2008 9:56 AM From rodunn at cisco.com Thu Jul 17 10:37:44 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 17 Jul 2008 10:37:44 -0400 Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR In-Reply-To: <20080717003234.GA80335@stlux503.dsto.defence.gov.au> References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <20080716112805.GH18618@rtp-cse-489.cisco.com> <20080717003234.GA80335@stlux503.dsto.defence.gov.au> Message-ID: <20080717143744.GA737@rtp-cse-489.cisco.com> Hard to say without more data. What is connected to the FE port shouldn't have anything to do with the ATM link status. On Thu, Jul 17, 2008 at 08:32:34AM +0800, Wilkinson, Alex wrote: > 0n Wed, Jul 16, 2008 at 07:28:05AM -0400, Rodney Dunn wrote: > > >What is the configuration of that interface and can you provide > >a 'sh int' between two drop periods? 
> > >From 'running-config' > > interface FastEthernet4/10 > no snmp trap link-status > > >From 'show int FastEthernet4/10' > > FastEthernet4/10 is up, line protocol is up (connected) > Hardware is Fast Ethernet Port, address is 0009.e85e.9879 (bia 0009.e85e.9879) > MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec, > reliability 255/255, txload 1/255, rxload 1/255 > Encapsulation ARPA, loopback not set > Keepalive set (10 sec) > Half-duplex, 10Mb/s > input flow-control is unsupported output flow-control is unsupported > ARP type: ARPA, ARP Timeout 04:00:00 > Last input never, output never, output hang never > Last clearing of "show interface" counters 18:17:11 > Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118 > Queueing strategy: fifo > Output queue: 0/40 (size/max) > 5 minute input rate 0 bits/sec, 0 packets/sec > 5 minute output rate 1000 bits/sec, 2 packets/sec > 7 packets input, 524 bytes, 0 no buffer > Received 0 broadcasts (0 multicast) > 0 runts, 0 giants, 0 throttles > 0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored > 0 input packets with dribble condition detected > 136771 packets output, 13580522 bytes, 0 underruns > 1 output errors, 0 collisions, 0 interface resets > 0 babbles, 0 late collision, 0 deferred > 0 lost carrier, 0 no carrier > 0 output buffer failures, 0 output buffers swapped out > > You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the > device that is connected to this switch-port is only capable of 10Mb/s. > > I did a 'clear counters FastEthernet4/10' yesterday and came in this morning > to find our ATM link was down again and "Total output drops" up to 118. > > I then reboot the device that is connected to this switch-port and volia, ATM link > comes up and EIGRP neighbour adjacency reforms. > > Not sure how to verify if congestion is the root cause of this re-occuring > problem. 
>
> -aW

From janasamit at wlink.com.np Thu Jul 17 12:37:19 2008
From: janasamit at wlink.com.np (Samit)
Date: Thu, 17 Jul 2008 22:22:19 +0545
Subject: [c-nsp] Three STM-1 on one Cisco 7200vxr-npeG1
In-Reply-To: <487DB51F.1080205@wlink.com.np>
References: <487DB51F.1080205@wlink.com.np>
Message-ID: <487F753F.2040209@wlink.com.np>

Thank you all for your feedback.

Regards,
Samit

Samit wrote:
> Hi,
>
> Is it recommended to run three STM-1 (PA-POS-1OC3) on a single
> Cisco 7200vxr with NPE-G1?
>
> Regards,
> Samit

From billf at mu.org Thu Jul 17 13:16:11 2008
From: billf at mu.org (bill fumerola)
Date: Thu, 17 Jul 2008 10:16:11 -0700
Subject: [c-nsp] "Total output drops" - congestion ? - 7200-VXR
In-Reply-To: <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
References: <20080716062231.GC71273@stlux503.dsto.defence.gov.au> <20080716112805.GH18618@rtp-cse-489.cisco.com> <20080717003234.GA80335@stlux503.dsto.defence.gov.au>
Message-ID: <20080717171611.GD6869@elvis.mu.org>

On Thu, Jul 17, 2008 at 08:32:34AM +0800, Wilkinson, Alex wrote:
> Half-duplex, 10Mb/s
>
> You will note that it is "Half-duplex, 10Mb/s". That is no mistake since the
> device that is connected to this switch-port is only capable of 10Mb/s.

10Mb/s doesn't infer half-duplex though.
are you sure the device requires half-duplex? what is the device?

also, i'll repeat rodney's point that ATM and Ethernet interface problems can only be tangentially related.

-- bill

From rick.martin at arkansas.gov Thu Jul 17 09:47:28 2008
From: rick.martin at arkansas.gov (Rick Martin)
Date: Thu, 17 Jul 2008 08:47:28 -0500
Subject: [c-nsp] NAT and hairpin's
In-Reply-To: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
References: <83027F7A5EB4D6449A1393A94E4D41DA03857419@aubwm232.apac.corp.eds.com>
Message-ID:

We run into this frequently with our public school networks; a couple of things we try to do:

1. Eliminate the hairpin traffic to the router - DNS trickery as already mentioned and/or a second NIC in the target server. We configure our routers with the public network as a secondary IP on the router; you would still have the hairpin traffic without the aid of DNS trickery. The DNS trickery may be nothing more than a local hosts file on each internal client that the TCP stack would reference before looking to the configured DNS server. This local hosts file would have a DNS mapping for the local server pointing to the private address.

2. ALWAYS include "ip route-cache same-interface" on a router interface that might experience hairpin traffic.

If the traffic is not terribly significant, the route-cache same-interface is usually sufficient; if the traffic is expected to be significant we do everything we can to eliminate the hairpin traffic altogether.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
Sent: Thursday, July 17, 2008 12:16 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT and hairpin's

Hi Everyone,

Just wondering if anyone has come up with a way to hairpin traffic using a Cisco router?
The problem is as follows:

Say for example I have a router connecting to the Internet and an internal LAN doing normal NAT, e.g.:

203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on the "outside" interface)

I have an application that talks from clients on the Internet to an internal server (192.168.1.1), with the appropriate static NATs set up on the router to forward the traffic. The problem is the internal clients also need to talk to the server but on the public IP address (203.1.2.3). The traffic from the internal clients will hit the router but it won't translate and forward the traffic because it's coming from the "inside" interface (and the static NAT only works for requests from the outside interface).

I don't believe it can be done but just thought I would ask in case anyone has come up with a weird and wonderful way.

Cheers,

Nick Geyer.

From mtinka at globaltransit.net Thu Jul 17 14:42:09 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 18 Jul 2008 02:42:09 +0800
Subject: [c-nsp] IS-IS: Ignore Attached Bit
Message-ID: <200807180242.14631.mtinka@globaltransit.net>

Folks, is there an elegant way to ignore the attached bit in IOS?

Cheers,

Mark.
From oboehmer at cisco.com Thu Jul 17 15:25:29 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 17 Jul 2008 21:25:29 +0200
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <200807180242.14631.mtinka@globaltransit.net>
References: <200807180242.14631.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Thursday, July 17, 2008 8:42 PM:

> Folks, is there an elegant way to ignore the attached bit in
> IOS?

r(config)#router isis
r(config-router)#ignore-attached-bit
r(config-router)#

I'm not kidding.. :-) it's a hidden command, though..

	oli

From howard at leadmon.net Thu Jul 17 16:12:02 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 17 Jul 2008 16:12:02 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
Message-ID: <009c01c8e849$6334f210$299ed630$@net>

After posting to the list last week, sure enough I got a Cisco reseller solicitation from a Matt Martyniuk [mmartyniuk at f5technology.com] to buy or sell Cisco gear. I looked back at the past year's archive, and I don't see a single posting from this person on the list, so can only assume they are trolling/spamming people on here looking for business, as the message read:

"I came across you on puck.nether.net and noticed you use Cisco networking equipment. I've done business with many IT professionals on puck and wanted to see if there was opportunity for us to do some business. I manage IT hardware assets for various companies and specialize in Cisco networking gear."

Not sure if others are getting this, but I know for a fact I have never dealt with Function5 before, so figured I would take a moment and let everyone know..
---
Howard Leadmon

From mtinka at globaltransit.net Thu Jul 17 17:41:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 18 Jul 2008 05:41:36 +0800
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
References: <200807180242.14631.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
Message-ID: <200807180541.37184.mtinka@globaltransit.net>

On Friday 18 July 2008 03:25:29 Oliver Boehmer (oboehmer) wrote:

> r(config)#router isis
> r(config-router)#ignore-attached-bit
> r(config-router)#
>
> I'm not kidding.. :-) it's a hidden command, though..

Thank you sir :-).

Cheers,

Mark.

From jarabrow at gmail.com Thu Jul 17 20:46:47 2008
From: jarabrow at gmail.com (Jared Brown)
Date: Thu, 17 Jul 2008 20:46:47 -0400
Subject: [c-nsp] multilink ds3's
Message-ID: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>

Hello,
I wanted to check to see if there would be any issue with multilinking 2 serial ds3's on a pa-2t3 card. I know the IOS supports it, but I was worried about all the overhead and the proc load. Each end would have a 7206vxr/npe-g1 and pa-2t3 cards. Thanks.

Jared

From paul at paulstewart.org Thu Jul 17 22:01:04 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 17 Jul 2008 22:01:04 -0400
Subject: [c-nsp] GigE Max Speed
Message-ID: <000d01c8e87a$23dba330$6b92e990$@org>

Hi there...

On one of our 7606's we have a GigE link that is getting fairly "hot" with traffic....
GigabitEthernet4/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0011.20cc.fdbc (bia 0011.20cc.fdbc)
  Description: xxxxxxxxxxxxxxxxxxx
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 208/255, rxload 145/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is on
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 8w1d, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops: 98911
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 571885000 bits/sec, 124290 packets/sec
  5 minute output rate 817892000 bits/sec, 133528 packets/sec
     420136257397 packets input, 259502587402081 bytes, 0 no buffer
     Received 105842980 broadcasts (56056385 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 438 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     406989787118 packets output, 241435931635384 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 14 pause output

I've ordered a new x-connect with the idea of running etherchannel... my real question is how much further can I push this link? There's no latency or issues that are evident yet but wanted to ask anyways....

Thanks ;)

Paul

From ltd at cisco.com Thu Jul 17 22:12:34 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 18 Jul 2008 12:12:34 +1000
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <000d01c8e87a$23dba330$6b92e990$@org>
References: <000d01c8e87a$23dba330$6b92e990$@org>
Message-ID: <487FFC12.9050608@cisco.com>

Paul Stewart wrote:
> Hi there...
>
> On one of our 7606's we have a GigE link that is getting fairly "hot" with
> traffic....
>
> GigabitEthernet4/1 is up, line protocol is up (connected)
> ..
> Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops:
> 98911
> 5 minute output rate 817892000 bits/sec, 133528 packets/sec
> ...
> 406989787118 packets output, 241435931635384 bytes, 0 underruns
>
> I've ordered a new x-connect with the idea of running etherchannel... my
> real question is how much further can I push this link? There's no latency
> or issues that are evident yet but wanted to ask anyways....

you're pushing it pretty hard already. a 5 minute average of 817 Mbps would probably imply instantaneously pushing 1 Gbps.

more granular statistics (e.g. setting load-interval to 30 seconds) may show more dynamic nature than a 5 minute average, but i'd say getting 15 or 30 second SNMP counters may show you hitting 1Gbps for periods of time.

latency would be a function of queuing & average queue length.
based on your statistics, you have 98K output queue drops (queue was full) based on 406 billion packets -- so it clearly isn't happening _too_ often ... yet .. :)

cheers,

lincoln.

From hank at efes.iucc.ac.il Thu Jul 17 23:31:34 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 18 Jul 2008 06:31:34 +0300 (IDT)
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <487FFC12.9050608@cisco.com>
References: <000d01c8e87a$23dba330$6b92e990$@org> <487FFC12.9050608@cisco.com>
Message-ID:

On Fri, 18 Jul 2008, Lincoln Dale wrote:

> Paul Stewart wrote:
>> Hi there...
>>
>> On one of our 7606's we have a GigE link that is getting fairly "hot" with
>> traffic....
>>
>> GigabitEthernet4/1 is up, line protocol is up (connected)
>>
> ..
>> Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops:
>> 98911
>> 5 minute output rate 817892000 bits/sec, 133528 packets/sec
>>
> ...
>> 406989787118 packets output, 241435931635384 bytes, 0 underruns
>>
>> I've ordered a new x-connect with the idea of running etherchannel...
>> my real question is how much further can I push this link? There's no latency
>> or issues that are evident yet but wanted to ask anyways....
>>
> you're pushing it pretty hard already. a 5 minute average of 817 Mbps would
> probably imply instantaneously pushing 1 Gbps.
>
> more granular statistics (e.g. setting load-interval to 30 seconds) may show
> more dynamic nature than a 5 minute average, but i'd say getting 15 or 30
> second SNMP counters may show you hitting 1Gbps for periods of time.
>
> latency would be a function of queuing & average queue length.
> based on your statistics, you have 98K output queue drops (queue was full)
> based on 406 billion packets -- so it clearly isn't happening _too_ often ...
> yet .. :)

Why not add something like:

hold-queue 1024 out
hold-queue 1024 in

-Hank

From swmike at swm.pp.se Fri Jul 18 01:47:08 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 18 Jul 2008 07:47:08 +0200 (CEST)
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <000d01c8e87a$23dba330$6b92e990$@org>
References: <000d01c8e87a$23dba330$6b92e990$@org>
Message-ID:

On Thu, 17 Jul 2008, Paul Stewart wrote:

> 5 minute output rate 817892000 bits/sec, 133528 packets/sec

This can't go up much over around 930-940k (depending on your packet size mix), so you have very little headroom left, especially due to..

> I've ordered a new x-connect with the idea of running etherchannel... my
> real question is how much further can I push this link? There's no
> latency or issues that are evident yet but wanted to ask anyways....

the 7600 doesn't have much buffers, so even when you're dropping packets, don't expect to see more than 3-5 ms of increased latency over the link.
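The two threads above ("Total output drops" on the 7200 FastEthernet port, and how much headroom the 7606 GigE link has) both come down to reading the same `show interface` counters. The following is an added example, not code from the list or from Cisco: a small Python parser for IOS `show interface` output that derives output utilisation, the lifetime drop ratio Lincoln computed by hand, and the line-rate ceiling for the current frame-size mix that Mikael alludes to, then flags a half-duplex port, any output drops, and a link above a utilisation threshold. The two sample outputs are constructed from the counters Alex and Paul posted; the 20-byte preamble/SFD/inter-packet-gap overhead per frame, and the assumption that the platform's byte counters cover DA through FCS, are mine, not the thread's.

```python
"""Parse Cisco IOS 'show interface' output and score the conditions the
thread is about: output drops, a half-duplex port and a link running near
line rate.  Added example; not code from the list or from Cisco."""
import re

# Per-frame overhead the byte counters never see: 7-byte preamble, 1-byte
# SFD and the 12-byte inter-packet gap.  Assumption: the platform counts
# frame bytes from DA through FCS.
FRAME_OVERHEAD = 20

# Constructed samples, built from the counters posted in the thread.
SHOW_INT_GI = """\
GigabitEthernet4/1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 208/255, rxload 145/255
  Full-duplex, 1000Mb/s, media type is LH
  Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops: 98911
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 571885000 bits/sec, 124290 packets/sec
  5 minute output rate 817892000 bits/sec, 133528 packets/sec
     420136257397 packets input, 259502587402081 bytes, 0 no buffer
     406989787118 packets output, 241435931635384 bytes, 0 underruns
"""

SHOW_INT_FA = """\
FastEthernet4/10 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 10000 Kbit, DLY 100 usec,
  Half-duplex, 10Mb/s
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 118
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 2 packets/sec
     7 packets input, 524 bytes, 0 no buffer
     136771 packets output, 13580522 bytes, 0 underruns
"""


def parse_show_interface(text):
    """Pull the counters we care about out of one interface's output."""
    def grab(pattern, cast=int):
        m = re.search(pattern, text, re.M)
        if m is None:
            raise ValueError("field not found: " + pattern)
        return tuple(cast(g) for g in m.groups())

    (name,) = grab(r"^(\S+) is (?:up|down|administratively down), line protocol", str)
    (bw_kbit,) = grab(r"BW (\d+) Kbit")
    duplex, speed = grab(r"(Full|Half)-duplex, (\d+)Mb/s", str)
    _, _, in_drops, _, out_drops = grab(
        r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\); "
        r"Total output drops: (\d+)")
    _, in_bps, in_pps = grab(r"(\d+) minute input rate (\d+) bits/sec, (\d+) packets/sec")
    _, out_bps, out_pps = grab(r"(\d+) minute output rate (\d+) bits/sec, (\d+) packets/sec")
    pkts_out, bytes_out = grab(r"(\d+) packets output, (\d+) bytes")
    return {
        "name": name, "bw_bps": bw_kbit * 1000, "duplex": duplex,
        "speed_mbps": int(speed), "in_drops": in_drops, "out_drops": out_drops,
        "in_bps": in_bps, "in_pps": in_pps, "out_bps": out_bps, "out_pps": out_pps,
        "pkts_out": pkts_out, "bytes_out": bytes_out,
    }


def assess(stats, util_warn=0.8):
    """Derive utilisation, the achievable ceiling for the current frame-size
    mix, the lifetime drop ratio, and a list of findings worth a ticket."""
    out_util = stats["out_bps"] / stats["bw_bps"]
    # Average frame size over the 5-minute window (0 pps means idle).
    avg_frame = stats["out_bps"] / 8 / stats["out_pps"] if stats["out_pps"] else 0.0
    # Goodput ceiling: every frame pays FRAME_OVERHEAD bytes of preamble/IPG.
    ceiling = (stats["bw_bps"] * avg_frame / (avg_frame + FRAME_OVERHEAD)
               if avg_frame else float(stats["bw_bps"]))
    drop_ratio = stats["out_drops"] / stats["pkts_out"] if stats["pkts_out"] else 0.0

    findings = []
    if stats["duplex"] == "Half":
        findings.append("half-duplex")      # check the far end's duplex setting
    if stats["out_drops"]:
        findings.append("output-drops")     # the tx queue filled at least once
    if out_util >= util_warn:
        findings.append("near-line-rate")   # a 5-minute average hides bursts
    return {"out_util": out_util, "avg_frame": avg_frame,
            "ceiling_bps": ceiling, "drop_ratio": drop_ratio, "findings": findings}


if __name__ == "__main__":
    for sample in (SHOW_INT_GI, SHOW_INT_FA):
        s = parse_show_interface(sample)
        r = assess(s)
        print(f"{s['name']}: {r['out_util']:.1%} of {s['bw_bps'] / 1e6:.0f} Mbps, "
              f"avg frame {r['avg_frame']:.0f} B, ceiling {r['ceiling_bps'] / 1e6:.0f} Mbps, "
              f"drop ratio {r['drop_ratio']:.2e}, findings {r['findings']}")
```

On Paul's counters this reports about 82% utilisation, a 766-byte average frame and a ceiling near 975 Mbps for that mix, with a drop ratio around 2e-7; on Alex's port it flags half-duplex and the 118 drops on an otherwise idle link, which is the combination worth correlating with the ATM flaps. The 0.8 threshold is a starting point; feed the function 30-second `load-interval` samples rather than the 5-minute average if you want it to catch the bursts Lincoln describes.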
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From Andrey_Oleinik at bms-consulting.com Fri Jul 18 02:52:22 2008
From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik)
Date: Fri, 18 Jul 2008 09:52:22 +0300
Subject: [c-nsp] multilink ds3's
In-Reply-To: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>
References: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com>
Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC189A04FB0@BMSEXCH.BMS-CONSULTING.COM>

According to my brand new knowledge of Bandwidth Points concept for 7200, in case of absence of other PAs in both chassis ur PA-2T3+ will consume 180 bp of 600 bp of selected bus at each router :O)

Except jokes, as soon as ur configuration is supported I don't see any reason to make U unhappy with it even if multilinking of T3s would appear at processor level.

--
Respect,
Andy Oleynik
Telecom Dpt Chief
BMS Consulting Ltd
10, Stritenska Str., of. 520
Kyiv, 01025, UA
tel +380(44)4619961
tel +380(44)4619963 extn 162
fax +380(44)4619962
www.bms-consulting.com

andyo> -----Original Message-----
andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
andyo> bounces at puck.nether.net] On Behalf Of Jared Brown
andyo> Sent: Friday, July 18, 2008 3:47 AM
andyo> To: cisco-nsp at puck.nether.net
andyo> Subject: [c-nsp] multilink ds3's
andyo>
andyo> Hello,
andyo> I wanted to check to see if there would be any issue with
andyo> multilinking 2
andyo> serial ds3's on a pa-2t3 card. I know the IOS supports it, but I
andyo> was worried
andyo> about all the overhead and the proc load. Each end would have a
andyo> 7206vxr/npe-g1 and pa-2t3 cards. Thanks.
andyo>
andyo> Jared

From paul at paulstewart.org Fri Jul 18 06:28:34 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 18 Jul 2008 06:28:34 -0400
Subject: [c-nsp] GigE Max Speed
In-Reply-To: <487FFC12.9050608@cisco.com>
References: <000d01c8e87a$23dba330$6b92e990$@org> <487FFC12.9050608@cisco.com>
Message-ID: <000f01c8e8c1$0a0f0db0$1e2d2910$@org>

Thanks for all the replies on list and off list.... We're going to sit tight until early next week when the new x-connect will be installed thankfully...;)

Take care,

Paul

-----Original Message-----
From: Lincoln Dale [mailto:ltd at cisco.com]
Sent: Thursday, July 17, 2008 10:13 PM
To: Paul Stewart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] GigE Max Speed

Paul Stewart wrote:
> Hi there...
>
> On one of our 7606's we have a GigE link that is getting fairly "hot" with
> traffic....
>
> GigabitEthernet4/1 is up, line protocol is up (connected)
> ..
> Input queue: 0/2000/438/0 (size/max/drops/flushes); Total output drops:
> 98911
> 5 minute output rate 817892000 bits/sec, 133528 packets/sec
> ...
> 406989787118 packets output, 241435931635384 bytes, 0 underruns
>
> I've ordered a new x-connect with the idea of running etherchannel... my
> real question is how much further can I push this link? There's no latency
> or issues that are evident yet but wanted to ask anyways....

you're pushing it pretty hard already. a 5 minute average of 817 Mbps would probably imply instantaneously pushing 1 Gbps.

more granular statistics (e.g. setting load-interval to 30 seconds) may show more dynamic nature than a 5 minute average, but i'd say getting 15 or 30 second SNMP counters may show you hitting 1Gbps for periods of time.

latency would be a function of queuing & average queue length.
based on your statistics, you have 98K output queue drops (queue was full) based on 406 billion packets -- so it clearly isn't happening _too_ often ... yet .. :)

cheers,

lincoln.

From ASikkema at office.unet.nl Fri Jul 18 07:28:18 2008
From: ASikkema at office.unet.nl (Andreas Sikkema)
Date: Fri, 18 Jul 2008 13:28:18 +0200
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To: <487E201E.7050700@evaristesys.com>
Message-ID:

Alex Balashov wrote on 16-07-2008 18:21:50:

> Andreas Sikkema wrote:
>
> > We're using a Cisco AS5350 as a SIP <-> ISDN PRI gateway. Normally we
> > route calls from the incoming ISDN line to a SIP server (and vice versa).
> > Currently we're wondering if we can route calls coming in from a specific
> > ISDN line to another ISDN line directly without having to go through a SIP
> > server.
>
> The answer is yes.

Cool! So I just match the incoming calls from a specific ISDN interface and send them out through another. Are there any caveats I should know? I can't match specific dialled or dialling numbers, currently there's over 2000 DID's in use on these lines.

> What it *cannot* do is hairpin VoIP calls (in VoIP, out VoIP). But it
> can cross-connect TDM.

Oh, that's no problem, I only want to hairpin TDM. Thanks!

--
Andreas Sikkema

From dwinkworth at wi.rr.com Fri Jul 18 08:45:01 2008
From: dwinkworth at wi.rr.com (Derick Winkworth)
Date: Fri, 18 Jul 2008 08:45:01 -0400
Subject: [c-nsp] tx-ring-limit on ISR ATM-AIM module...
Message-ID: <4880904D.8020705@wi.rr.com>

All:

I believe I may need to tune down the tx-ring on a 3845 with ATM-AIM module. I'm looking at this, and it doesn't look like it uses the same system that the 7200 uses (i.e., with particles/576 bytes per particle calculation).
From "show controller atm0/ima0" I see the following:

############
MXT5100 Channel Info:

Channel Info (0):
  Chan_ID (0x1425), Open Status SUCCESS, VC(1)VPI/VCI(1/777),
  Tx Ring packets(used/max 0/40), Tx SBD(used/max 0/40)
  Tx PDU(5941481), Tx PDU discard(0)
  Tx SDU size err(0), Tx cell CLP0(123777482), Tx cell CLP1(0)
  Rx PDU(4827762), Rx PDU discard(0), Rx SDU size err(0)
  Rx CRC err(1), Rx cell CLP0(24771185), Rx cell CLP1(0)
#################

So it looks like the tx-ring is just 40 "packets" long. I'm assuming this means 40 AAL5 packets? Does anyone know what "SBD" stands for?

I tried getting some tech docs on the MXT5100 from Conexant, but you need a support account to access that.

Derick

From abalashov at evaristesys.com Fri Jul 18 09:44:48 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Fri, 18 Jul 2008 09:44:48 -0400
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To:
References:
Message-ID: <48809E50.2090100@evaristesys.com>

Andreas Sikkema wrote:

> Cool! So I just match the incoming calls from a specific ISDN interface
> and send them out through another. Are there any caveats I should know? I
> can't match specific dialled or dialling numbers, currently there's over
> 2000 DID's in use on these lines.

No other caveats. You don't have to match incoming calls on a peer based on an expression for "incoming called-number ..." - you can just create a peer that has an affinity to a voice port, although it won't work to bind it to a trunk-group (that only works for outgoing). But otherwise, no other things readily come to mind.

-- Alex

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From dwinkworth at wi.rr.com Fri Jul 18 09:31:47 2008
From: dwinkworth at wi.rr.com (Derick Winkworth)
Date: Fri, 18 Jul 2008 09:31:47 -0400
Subject: [c-nsp] tx-ring-limit on ISR ATM-AIM module...
In-Reply-To: <000f01c8e8e0$940dcd70$640f19ac@MEDIACNTR>
References: <4880904D.8020705@wi.rr.com> <000f01c8e8e0$940dcd70$640f19ac@MEDIACNTR>
Message-ID: <48809B43.80206@wi.rr.com>

I just found this:

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_tech_note09186a0080094b48.shtml

It looks like the BD part stands for "buffer description", so it's a data structure describing a packet in the queue?

Tyson Scott wrote:
> State-Based Decoder
>
> This is my guess based on searches.
>
> Here is the only article that I could find that seemed to make sense.
>
> http://net.educause.edu/elements/attachments/rfi/rfi_1/XACCT_original.pdf
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S and Security
> Technical Instructor - IPexpert, Inc.
>
> Telephone: +1.810.326.1444
> Cell: +1.248.504.7309
> Fax: +1.810.454.0130
> Mailto: tscott at ipexpert.com
>
> Join our free online support and peer group communities:
> http://www.IPexpert.com/communities
>
> IPexpert - The Global Leader in Self-Study, Classroom-Based, Video On Demand
> and Audio Certification Training Tools for the Cisco CCIE R&S Lab, CCIE
> Security Lab, CCIE Service Provider Lab, CCIE Voice Lab and CCIE Storage
> Lab Certifications.
>
> -----Original Message-----
> From: nobody at groupstudy.com [mailto:nobody at groupstudy.com] On Behalf Of
> Derick Winkworth
> Sent: Friday, July 18, 2008 8:45 AM
> To: Cisco NSP; Groupstudy R&S
> Subject: tx-ring-limit on ISR ATM-AIM module...
>
> All:
>
> I believe I may need to tune down the tx-ring on a 3845 with ATM-AIM
> module. I'm looking at this, and it doesn't look like it uses the same
> system that the 7200 uses (i.e., with particles/576 bytes per particle
> calculation).
>
> From "show controller atm0/ima0" I see the following:
>
> ############
> MXT5100 Channel Info:
>
> Channel Info (0):
>   Chan_ID (0x1425), Open Status SUCCESS, VC(1)VPI/VCI(1/777),
>   Tx Ring packets(used/max 0/40), Tx SBD(used/max 0/40)
>   Tx PDU(5941481), Tx PDU discard(0)
>   Tx SDU size err(0), Tx cell CLP0(123777482), Tx cell CLP1(0)
>   Rx PDU(4827762), Rx PDU discard(0), Rx SDU size err(0)
>   Rx CRC err(1), Rx cell CLP0(24771185), Rx cell CLP1(0)
>
> #################
>
> So it looks like the tx-ring is just 40 "packets" long. I'm assuming
> this means 40 AAL5 packets? Does anyone know what "SBD" stands for?
>
> I tried getting some tech docs on the MXT5100 from Conexant, but you
> need a support account to access that.
>
> Derick
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

From leonardo.souza at nec.com.br Fri Jul 18 10:51:31 2008
From: leonardo.souza at nec.com.br (Leonardo Gama Souza)
Date: Fri, 18 Jul 2008 11:51:31 -0300
Subject: [c-nsp] WS-X4548-GB-RJ45V spec
Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D0174514E@spsrvmail03.nec.br>

Hello list,

Does anyone know the specs for the WS-X4548-GB-RJ45V module? Is the 1 Gbps per port-group (8-to-1 oversubscription) full-duplex? What is the maximum pps processing?

I am facing 'Rx No Packet Buffer' on two ports of the same port-group and I think I'm hitting those limitations... Maybe some buffer adjustment is needed.

Kind regards,
Leonardo

From eric at atlantech.net Fri Jul 18 10:58:29 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 18 Jul 2008 10:58:29 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <009c01c8e849$6334f210$299ed630$@net>
References: <009c01c8e849$6334f210$299ed630$@net>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Howard Leadmon
> Sent: Thursday, July 17, 2008 4:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Possible List Troll/Spammer..
>
> Not sure if others are getting this, but I know for a fact I have
> never dealt with Function5 before, so figured I would take a moment and let
> everyone know..
>
> ---
> Howard Leadmon

Seems to me that there should be a few simple questions asked prior to joining the list or viewing the archives:

1. What is your name?
2. What is your quest?
3. What is more important - making sure a network product/service gets to market quickly or making sure the network product/service works prior to advertising its availability to customers?

I'm pretty sure the third question would weed out the unscrupulous sales types and hopefully eject them forcibly from whatever chair they are sitting in.

-evt

From mylists at battleop.com Fri Jul 18 11:08:04 2008
From: mylists at battleop.com (Richey)
Date: Fri, 18 Jul 2008 11:08:04 -0400
Subject: [c-nsp] OT: Possible List Troll/Spammer..
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
References: <009c01c8e849$6334f210$299ed630$@net> <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local>
Message-ID: <001d01c8e8e8$13d21190$3b7634b0$@com>

Couldn't resist.

4. Do you think it is important that all mailing list members should be informed of your absence via an auto responder when you take a day off?
Richey

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol
Sent: Friday, July 18, 2008 10:58 AM
To: 'Howard Leadmon'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OT: Possible List Troll/Spammer..

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Howard Leadmon
> Sent: Thursday, July 17, 2008 4:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Possible List Troll/Spammer..
>
> Not sure if others are getting this, but I know for a fact I have
> never dealt with Function5 before, so figured I would take a moment and let
> everyone know..
>
> ---
> Howard Leadmon

Seems to me that there should be a few simple questions asked prior to joining the list or viewing the archives:

1. What is your name?
2. What is your quest?
3. What is more important - making sure a network product/service gets to market quickly or making sure the network product/service works prior to advertising its availability to customers?

I'm pretty sure the third question would weed out the unscrupulous sales types and hopefully eject them forcibly from whatever chair they are sitting in.

-evt

From tedm at toybox.placo.com Fri Jul 18 11:56:09 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Fri, 18 Jul 2008 08:56:09 -0700
Subject: [c-nsp] NAT and hairpin's
In-Reply-To:
Message-ID:

So what happened to the CPU of the ASA when the PC and server started sending 100Mbit of data to each other? Or was one of them running 10BaseT, half-duplex?
Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fawcett Simon
> Sent: Thursday, July 17, 2008 3:40 AM
> To: Geyer, Nick; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] NAT and hairpin's
>
> I have done this on an ASA running 7.2 code. It definitely works.
>
> What happened was the inside server was say 10.0.0.1 with an outside
> address 1.1.1.1; all client traffic by default was NATted to a hide
> address 2.2.2.2.
>
> My PC therefore was 10.0.0.2 heading for 1.1.1.1. I was NATted by the hide address so
> my source was 2.2.2.2.
>
> The only odd thing about it was that you then needed to permit on the
> outside interface inbound traffic from 2.2.2.2 going to 1.1.1.1 and
> everything worked.
>
> I hope this makes sense and helps someone.
>
> God bless the ASA
>
> Simon
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Geyer, Nick
> Sent: 17 July 2008 06:16
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] NAT and hairpin's
>
> Hi Everyone,
>
> Just wondering if anyone has come up with a way to hairpin traffic using
> a Cisco router? The problem is as follows:
>
> Say for example I have a router connecting to the Internet and an
> internal LAN doing normal NAT, e.g.:
>
> 203.1.2.3 -> ROUTER <- 192.168.1.0/24 (203.1.2.3 being the public IP on
> the "outside" interface)
>
> I have an application that talks from clients on the Internet to an
> internal server (192.168.1.1), with the appropriate static NATs set up
> on the router to forward the traffic. The problem is the internal
> clients also need to talk to the server but on the public IP address
> (203.1.2.3).
> The traffic from the internal clients will hit the router
> but it won't translate and forward the traffic because it's coming from
> the "inside" interface (and the static NAT only works for requests from
> the outside interface).
>
> I don't believe it can be done but just thought I would ask in case
> anyone has come up with a weird and wonderful way.
>
> Cheers,
>
> Nick Geyer.

From cchurc05 at harris.com Fri Jul 18 13:24:01 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 18 Jul 2008 12:24:01 -0500
Subject: [c-nsp] IPSec VPN client to router, then router to router
Message-ID:

Anyone,

I'm having trouble getting the following config to work. I'm not sure if this is possible. I've got 2 878 routers attached to the internet. Router A supports remote clients. Router A has a LAN-to-LAN IPSec connection to Router B. B does not support clients. Is it possible for the client to establish a connection to Router A, then access resources off of router B via the LAN-LAN tunnel? In other words, a packet comes in the client tunnel, then is forwarded back out the LAN-LAN tunnel off of the same interface to get to router B. Return traffic takes the reverse path, obviously.

Thanks,

Chuck

From daubman at gmail.com Fri Jul 18 13:35:41 2008
From: daubman at gmail.com (Aaron Daubman)
Date: Fri, 18 Jul 2008 13:35:41 -0400
Subject: [c-nsp] mGRE support for IPv6?
Message-ID:

Greetings,

Has anybody heard of upcoming (or current, that I totally missed) support for mGRE with IPv6 (mGRE over native IPv6 core)?
Thanks,
Aaron

From markom at markom.info Fri Jul 18 13:39:46 2008
From: markom at markom.info (Marko Milivojevic) Date: Fri, 18 Jul 2008 17:39:46 +0000 Subject: [c-nsp] OT: Possible List Troll/Spammer.. In-Reply-To: <001d01c8e8e8$13d21190$3b7634b0$@com> References: <009c01c8e849$6334f210$299ed630$@net> <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local> <001d01c8e8e8$13d21190$3b7634b0$@com> Message-ID: <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com>

> Couldn't resist.
>
> 4. Do you think it is important that all mailing list members should be informed of your absence via an auto responder when you take a day off?

In our defense (yes, I'm one of those people), some of us may not have a choice. When we leave for vacation, we must configure an auto responder, if we are using work e-mail for mailing list subscriptions... Some are willing to change (once again, I'm one of those people) the e-mail used for mailing lists and others don't, because they rightfully consider this to be part of their job. The rest of us have to live with the occasional delete of auto responses...

On a lighter note, I'm one of those who like to know when Oli or Rodney are away ;-). Almost makes no point in writing an email otherwise *grin*.

-- Marko CCIE #18427

From benny+usenet at amorsen.dk Fri Jul 18 13:55:19 2008
From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Fri, 18 Jul 2008 19:55:19 +0200 Subject: [c-nsp] OT: Possible List Troll/Spammer.. In-Reply-To: <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com> (Marko Milivojevic's message of "Fri, 18 Jul 2008 17:39:46 +0000") References: <009c01c8e849$6334f210$299ed630$@net> <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local> <001d01c8e8e8$13d21190$3b7634b0$@com> <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com> Message-ID:

"Marko Milivojevic" writes:

> In our defense (yes, I'm one of those people), some of us may not have a choice.
> When we leave for vacation, we must configure an auto responder, if we are using work e-mail for mailing list subscriptions...

If a mail program sends an autoresponse to a list mail, it's simply broken. I believe even Exchange/Outlook is smart enough to not do that.

/Benny

From petelists at templin.org Fri Jul 18 14:04:15 2008
From: petelists at templin.org (Pete Templin) Date: Fri, 18 Jul 2008 13:04:15 -0500 Subject: [c-nsp] OT: Possible List Troll/Spammer.. In-Reply-To: References: <009c01c8e849$6334f210$299ed630$@net> <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local> <001d01c8e8e8$13d21190$3b7634b0$@com> <1fb747910807181039y5a223bd9tf0f8824ecf7a0c1a@mail.gmail.com> Message-ID: <4880DB1F.2050506@templin.org>

Benny Amorsen wrote:
> "Marko Milivojevic" writes:
>
>> In our defense (yes, I'm one of those people), some of us may not have a choice. When we leave for vacation, we must configure an auto responder, if we are using work e-mail for mailing list subscriptions...
>
> If a mail program sends an autoresponse to a list mail, it's simply broken. I believe even Exchange/Outlook is smart enough to not do that.

No, it isn't, at least in some versions. Some of us have to use it, at least for our work email.

Next item. I took the time four or five years ago to ask the NANOG list what MUA (along with any MTA exclusions) was "NANOG-approved" and provided threaded viewing - I was using Outlook for work and Outlook Express for personal email, but was willing to change the personal program to anything else. Thunderbird is the result. Life goes on.

pt

From luan at t3technology.com Fri Jul 18 14:32:24 2008
From: luan at t3technology.com (Luan M Nguyen) Date: Fri, 18 Jul 2008 14:32:24 -0400 Subject: [c-nsp] mGRE support for IPv6? In-Reply-To: References: Message-ID: <007101c8e904$9fdfe290$df9fa7b0$@com>

You are asking at the right time :) as 12.4.20T just got released and it has support for IPv6 with DMVPN.
I haven't got a chance to play with it yet, but you could check it out for yourself.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25-409474.html#wp9001720

Lots of cool features such as the monitor thing that Rodney mentioned before, also Object Group for ACL just like the PIX.

-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron Daubman
Sent: Friday, July 18, 2008 1:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] mGRE support for IPv6?

Greetings,

Has anybody heard of upcoming (or current, that I totally missed) support for mGRE with IPv6 (mGRE over native IPv6 core)?

Thanks,
Aaron

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From CB at nianet.dk Fri Jul 18 14:33:51 2008
From: CB at nianet.dk (Christian Bering) Date: Fri, 18 Jul 2008 20:33:51 +0200 Subject: [c-nsp] 7600, SRB3, high CPU on "BGP Event" Message-ID:

Hi all,

After upgrading a SUP720-3BXL to SRB3, CPU utilization has gone up quite a bit. The CLI is extremely slow and the input lag is awful. The process eating up most of the CPU is the "BGP Event" which seems to run quite often and every time it does, I get the following messages from 'debug ip bgp event':

Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 3447, flap count 40165
Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 3947, flap count 40166
Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. penalty 4447, flap count 40167

EvD isn't enabled on the box and searching CCO for it shows me an interface ought to be involved in it if it was:

00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum.
penalty 1000, flap count 1

But I have no interfaces flapping and I am puzzled why I am seeing these messages when debugging BGP events. What would be the cause of these messages and is it likely they are responsible for the high CPU utilization?

Thanks in advance,

-- Regards Christian Bering

From peter at rathlev.dk Fri Jul 18 14:43:06 2008
From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 18 Jul 2008 20:43:06 +0200 Subject: [c-nsp] Aw-too respone: OT: Possible List Troll/Spammer.. In-Reply-To: <001d01c8e8e8$13d21190$3b7634b0$@com> References: <009c01c8e849$6334f210$299ed630$@net> <2C05E949E19A9146AF7BDF9D44085B8635058ED6A0@exchange.aoihq.local> <001d01c8e8e8$13d21190$3b7634b0$@com> Message-ID: <1216406586.3999.6.camel@svesken.sys.mjna.net>

On Fri, 2008-07-18 at 11:08 -0400, Richey wrote:
> 4. Do you think it is important that all mailing list members should be informed of your absence via an auto responder when you take a day off?

I'm out of office this millennium. Please contact my boss at my_boss at onvacation.dk or send me an auto-reply.

And agreed, can't most mail systems make selective auto-responses?

Plenty of regards,
Peter

From luan at t3technology.com Fri Jul 18 15:03:50 2008
From: luan at t3technology.com (Luan M Nguyen) Date: Fri, 18 Jul 2008 15:03:50 -0400 Subject: [c-nsp] IPSec VPN client to router, then router to router In-Reply-To: References: Message-ID: <008801c8e909$03be74d0$0b3b5e70$@com>

I am thinking it's possible. Your client dials in, gets an IP from a pool on A, looks at the routing table, sees the resource through the GRE/IPSEC tunnel between A-B, goes there, then if A advertises the pool network to B, you are set for the return traffic. The crypto map just has 2 instances... crypto map Chuck 10 ipsec-isakmp dynamic for dial clients and crypto map Chuck 20 ipsec-isakmp for the GRE/IPSEC tunnel... It should work, right?
-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Friday, July 18, 2008 1:24 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec VPN client to router, then router to router

Anyone,

I'm having trouble getting the following config to work. I'm not sure if this is possible. I've got 2 878 routers attached to the internet. Router A supports remote clients. Router A has a LAN to LAN IPSec connection to Router B. B does not support clients. Is it possible for the client to establish a connection to Router A, then access resources off of router B via the LAN-LAN tunnel? In other words, a packet comes in the client tunnel, then is forwarded back out the LAN-LAN tunnel off of the same interface to get to router B. Return traffic takes the reverse path, obviously.

Thanks,

Chuck

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jfitz at Princeton.EDU Fri Jul 18 15:42:01 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater) Date: Fri, 18 Jul 2008 15:42:01 -0400 Subject: [c-nsp] 6500 rfc 2674 support? Message-ID: <31DA323D-AE39-4AEA-8B76-3BB4B7CCBC29@princeton.edu>

Does anybody know if there is some knob to turn to get the FDB using MIB2 (RFC 2674) qBridgeMIB instead of using the dot1 mib with "indexing" on the bridge table?

When I go after the qBridgeMIB on a 6500 running 12.2(33)SXH or on a 3750 running 12.2(44) they return nothing.

Is there another CISCO MIB that can be accessed without using indexing that contains the BRIDGE FDB with vlan info?

It sure would be nice to have this work since all our other switches support it. We are trying to come up with an accurate way to model L2 VLANs.

Thanks for any input.
Jeff Fitzwater
OIT Network Systems
Princeton University

From cchurc05 at harris.com Fri Jul 18 17:12:17 2008
From: cchurc05 at harris.com (Church, Charles) Date: Fri, 18 Jul 2008 16:12:17 -0500 Subject: [c-nsp] IPSec VPN client to router, then router to router In-Reply-To: <008801c8e909$03be74d0$0b3b5e70$@com> References: <008801c8e909$03be74d0$0b3b5e70$@com> Message-ID:

Yep, it's definitely possible. Just figured out what it was. My bogon filter on router B was sending all 172.16/12 stuff to null0, and that was my local pool on router A. Doh!!!

Vijay, no need to lab it, working fine now.

Thanks,

Chuck

-----Original Message-----
From: Luan M Nguyen [mailto:luan at t3technology.com]
Sent: Friday, July 18, 2008 3:04 PM
To: Church, Charles; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IPSec VPN client to router, then router to router

I am thinking it's possible. Your client dials in, gets an IP from a pool on A, looks at the routing table, sees the resource through the GRE/IPSEC tunnel between A-B, goes there, then if A advertises the pool network to B, you are set for the return traffic. The crypto map just has 2 instances... crypto map Chuck 10 ipsec-isakmp dynamic for dial clients and crypto map Chuck 20 ipsec-isakmp for the GRE/IPSEC tunnel... It should work, right?

-Luan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
Sent: Friday, July 18, 2008 1:24 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] IPSec VPN client to router, then router to router

Anyone,

I'm having trouble getting the following config to work. I'm not sure if this is possible. I've got 2 878 routers attached to the internet. Router A supports remote clients. Router A has a LAN to LAN IPSec connection to Router B. B does not support clients. Is it possible for the client to establish a connection to Router A, then access resources off of router B via the LAN-LAN tunnel?
In other words, a packet comes in the client tunnel, then is forwarded back out the LAN-LAN tunnel off of the same interface to get to router B. Return traffic takes the reverse path, obviously.

Thanks,

Chuck

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Fri Jul 18 18:11:19 2008
From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 18 Jul 2008 23:11:19 +0100 Subject: [c-nsp] 6500 rfc 2674 support? In-Reply-To: <31DA323D-AE39-4AEA-8B76-3BB4B7CCBC29@princeton.edu> References: <31DA323D-AE39-4AEA-8B76-3BB4B7CCBC29@princeton.edu> Message-ID: <20080718221119.GA27323@wildfire.net.ic.ac.uk>

On Fri, Jul 18, 2008 at 03:42:01PM -0400, Jeff Fitzwater wrote:
> Does anybody know if there is some knob to turn to get the FDB using MIB2 (RFC 2674) qBridgeMIB instead of using the dot1 mib with "indexing" on the bridge table?
>
> When I go after the qBridgeMIB on a 6500 running 12.2(33)SXH or on a 3750 running 12.2(44) they return nothing.

I've never seen a Cisco device that supports this, and I spend a fair amount of time grubbing around inside snmpwalk output when new IOSes appear.

> Is there another CISCO MIB that can be accessed without using indexing that contains the BRIDGE FDB with vlan info?
>
> It sure would be nice to have this work since all our other switches support it. We are trying to come up with an accurate way to model L2 VLANs.

Granted that the @vlan is a (tiny) bit tedious to implement, what's inaccurate about using the indexed mode?

One thing to note; the rest of the dot1dBridge mib also changes when using indexing; in particular if using PVST, the STP-related items are the per-vlan ones too (root, root port, etc.) which is actually really useful.
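The "@vlan" community-string indexing Phil and Jeff discuss above, worked through in code. This is an added example, not code from either poster or from Cisco: it builds the per-VLAN community string, parses snmpwalk -On style output of the BRIDGE-MIB dot1dTpFdbPort and dot1dBasePortIfIndex tables for each VLAN, and, for comparison, parses a Q-BRIDGE-MIB dot1qTpFdbPort walk where the VLAN (fdbId) sits in the OID index instead of in the community string. The walk output below is constructed, not captured from a switch, and the Q-BRIDGE part assumes fdbId equals the VLAN id, which a real collector should confirm via dot1qVlanCurrentTable.

```python
"""Build an L2 forwarding table (VLAN, MAC, ifIndex) from SNMP walk output.

Two paths are shown:
  * Cisco community-string indexing: BRIDGE-MIB walked once per VLAN with
    community "<community>@<vlan>"; the VLAN is known from which walk it was.
  * Q-BRIDGE-MIB: one walk, the VLAN (fdbId) is the first OID index component.
Everything is offline; the input is text in `snmpwalk -On` format.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Object prefixes from BRIDGE-MIB (RFC 4188) and Q-BRIDGE-MIB (RFC 4363).
DOT1D_TP_FDB_PORT = "1.3.6.1.2.1.17.4.3.1.2"        # index: 6 MAC octets
DOT1D_BASE_PORT_IFINDEX = "1.3.6.1.2.1.17.1.4.1.2"  # index: bridge port number
DOT1Q_TP_FDB_PORT = "1.3.6.1.2.1.17.7.1.2.2.1.2"    # index: fdbId . 6 MAC octets

# "<oid> = INTEGER: <n>" or "<oid> = <n>"; non-integer rows are ignored.
_LINE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?:INTEGER:\s*)?(?P<val>-?\d+)\s*$")


def indexed_community(community: str, vlan: int) -> str:
    """Cisco community-string indexing: 'public@15' selects VLAN 15's bridge instance."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN id out of range: {vlan}")
    return f"{community}@{vlan}"


def _entries(lines: Iterable[str], prefix: str) -> Iterable[Tuple[List[int], int]]:
    """Yield (index components, integer value) for every row under `prefix`."""
    for line in lines:
        m = _LINE.match(line.strip())
        if not m or not m.group("oid").startswith(prefix + "."):
            continue
        suffix = [int(x) for x in m.group("oid")[len(prefix) + 1:].split(".")]
        yield suffix, int(m.group("val"))


def _mac(octets: List[int]) -> str:
    if len(octets) != 6 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad MAC index {octets}")
    return ":".join(f"{o:02x}" for o in octets)


def parse_bridge_mib(fdb_lines: Iterable[str], port_lines: Iterable[str]) -> Dict[str, int]:
    """MAC -> ifIndex for one bridge instance (i.e. one VLAN under indexing)."""
    port_to_ifindex = {idx[0]: val for idx, val in _entries(port_lines, DOT1D_BASE_PORT_IFINDEX)}
    table: Dict[str, int] = {}
    for idx, bridge_port in _entries(fdb_lines, DOT1D_TP_FDB_PORT):
        if bridge_port == 0:
            continue  # port 0: entry not tied to a port (e.g. the switch's own address)
        table[_mac(idx)] = port_to_ifindex.get(bridge_port, -1)  # -1: unmapped bridge port
    return table


def collect_indexed(walks: Dict[int, Tuple[List[str], List[str]]]) -> List[Tuple[int, str, int]]:
    """walks: {vlan: (dot1dTpFdbPort rows, dot1dBasePortIfIndex rows)}, each pair
    obtained by walking with indexed_community(c, vlan).  Sorted (vlan, mac, ifIndex)."""
    rows = []
    for vlan, (fdb_lines, port_lines) in walks.items():
        for mac, ifindex in parse_bridge_mib(fdb_lines, port_lines).items():
            rows.append((vlan, mac, ifindex))
    return sorted(rows)


def parse_qbridge(lines: Iterable[str], port_lines: Iterable[str]) -> List[Tuple[int, str, int]]:
    """Same result from Q-BRIDGE-MIB: the VLAN comes from the OID, so one walk
    covers all VLANs.  Assumes fdbId == VLAN id (true on many, not all, devices)."""
    port_to_ifindex = {idx[0]: val for idx, val in _entries(port_lines, DOT1D_BASE_PORT_IFINDEX)}
    rows = []
    for idx, bridge_port in _entries(lines, DOT1Q_TP_FDB_PORT):
        if bridge_port == 0:
            continue
        rows.append((idx[0], _mac(idx[1:]), port_to_ifindex.get(bridge_port, -1)))
    return sorted(rows)


# Constructed sample walk output (hypothetical switch; not captured from a device).
SAMPLE_PORT_MAP = [
    ".1.3.6.1.2.1.17.1.4.1.2.1 = INTEGER: 10101",
    ".1.3.6.1.2.1.17.1.4.1.2.2 = INTEGER: 10102",
]
SAMPLE_WALKS = {
    10: ([".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.85 = INTEGER: 1"], SAMPLE_PORT_MAP),
    20: ([".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.86 = INTEGER: 2",
          ".1.3.6.1.2.1.17.4.3.1.2.0.17.34.51.68.87 = INTEGER: 0"], SAMPLE_PORT_MAP),
}
SAMPLE_QBRIDGE = [
    ".1.3.6.1.2.1.17.7.1.2.2.1.2.10.0.17.34.51.68.85 = INTEGER: 1",
    ".1.3.6.1.2.1.17.7.1.2.2.1.2.20.0.17.34.51.68.86 = INTEGER: 2",
]

if __name__ == "__main__":
    print("community for VLAN 15:", indexed_community("public", 15))
    for row in collect_indexed(SAMPLE_WALKS):
        print(row)
```

The indexed path needs one walk of the FDB and one of the port map per VLAN, so a collector has to know the VLAN list first (for example from vtpVlanTable) and has to run with a community string that works with the "@vlan" suffix on every VLAN; a read-only community restricted by a view is the sensible thing to hand such a poller.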
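Chuck's resolution earlier in this thread (a bogon filter on router B null-routing 172.16/12, which swallowed router A's client pool) is a general trap whenever private address space is both blackholed and used for VPN pools. The following is an added example, not from any poster: a small longest-prefix-match lookup shows why the pool dies, why a more specific pool route (Luan's "A advertises the pool network to B") wins, and how to carve the pool out of the null-route list if the route cannot be advertised. The null-route list, the pool 172.16.50.0/24 and the next-hop name Tunnel0 are all constructed assumptions.

```python
"""Detect VPN pools that collide with null-routed bogon prefixes, and show two
ways out: a more specific route (longest prefix match wins) or a bogon list
with the pool carved out.  Pure ipaddress; runs offline."""
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed stand-in for a router's null-route list (RFC 1918 and friends).
NULL_ROUTED = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8"]


class Rib:
    """Minimal static RIB with longest-prefix-match lookup, as a router would do."""

    def __init__(self) -> None:
        self.routes: List[Tuple[IPv4Network, str]] = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ip_network(prefix), next_hop))

    def lookup(self, addr: str) -> Optional[Tuple[str, str]]:
        a = ip_address(addr)
        best: Optional[Tuple[IPv4Network, str]] = None
        for net, nh in self.routes:
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return (str(best[0]), best[1]) if best else None


def conflicting_pools(null_prefixes: Sequence[str], pools: Sequence[str]) -> Dict[str, str]:
    """pool -> first null-routed prefix it overlaps; pools with no overlap are absent."""
    found: Dict[str, str] = {}
    for pool in pools:
        p = ip_network(pool)
        for n in null_prefixes:
            if p.overlaps(ip_network(n)):
                found[pool] = n
                break
    return found


def carve_out(null_prefixes: Sequence[str], pools: Sequence[str]) -> List[str]:
    """Return the null-route list with every pool removed: the bogon space is still
    blackholed, minus the pools.  Each /12 minus a /24 becomes 12 prefixes."""
    result = [ip_network(n) for n in null_prefixes]
    for pool in pools:
        p = ip_network(pool)
        nxt: List[IPv4Network] = []
        for n in result:
            if p.subnet_of(n):
                nxt.extend(n.address_exclude(p))  # keep n except the pool
            elif n.subnet_of(p):
                continue  # the pool covers this whole null route; drop it
            else:
                nxt.append(n)
        result = nxt
    return [str(n) for n in sorted(result)]


def next_hop_for(addr: str, null_prefixes: Sequence[str],
                 specific_routes: Sequence[Tuple[str, str]]) -> str:
    """Where would a router with these null routes plus `specific_routes` send addr?"""
    rib = Rib()
    for n in null_prefixes:
        rib.add(n, "Null0")
    for prefix, nh in specific_routes:
        rib.add(prefix, nh)
    hit = rib.lookup(addr)
    return hit[1] if hit else "no route"


if __name__ == "__main__":
    pool = "172.16.50.0/24"  # hypothetical client pool on router A
    print("conflicts:", conflicting_pools(NULL_ROUTED, [pool]))
    print("B without pool route:", next_hop_for("172.16.50.7", NULL_ROUTED, []))
    print("B with pool route:  ", next_hop_for("172.16.50.7", NULL_ROUTED, [(pool, "Tunnel0")]))
    print("B with carved list: ", next_hop_for("172.16.50.7", carve_out(NULL_ROUTED, [pool]), []))
```

Of the two fixes, the more specific route is the usual one, since it also gives B a path back into the tunnel; the carved-out list is for a router that must not learn the pool route but still needs its bogon filter. Either way, run the conflict check again whenever the pool or the bogon list changes.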
From howard at leadmon.net Fri Jul 18 19:18:34 2008
From: howard at leadmon.net (Howard Leadmon) Date: Fri, 18 Jul 2008 19:18:34 -0400 Subject: [c-nsp] Help with multilink ppp, routing not working correctly.. Message-ID: <001a01c8e92c$9ca15230$d5e3f690$@net>

I can't believe this one isn't working, I am sure I am looking over something stupid. I needed to mux up 3x T1's between a location. Information is as follows: (relevant bits)

Location-A: Cisco 1720
!
interface Serial0
 description To Location-B
 ip address 38.103.8.238 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 38.103.8.237
!

Location-B: Cat5500 RSM
!
interface Multilink1
 description T1 MultiLink PPP Bundle to Location-C
 ip address 192.168.98.29 255.255.255.252
 ppp multilink
 multilink-group 1
!
interface Serial1/2:1
 description To Location-A
 ip address 38.103.8.237 255.255.255.252
!
interface Serial1/5:1
 description T1 3 of 3 (MultiLink)
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial1/6:1
 description T1 2 of 3 (MultiLink)
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial1/7:1
 description T1 1 of 3 (MultiLink)
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
ip route 0.0.0.0 0.0.0.0 (to global internet gateway)
!

Location-C: Cisco 6509 Sup2 w/FlexWan
!
interface Multilink1
 description T1 Bundle to Corporate
 ip address 192.168.98.30 255.255.255.252
 ppp multilink
 multilink-group 1
!
interface Serial3/0/0:0
 description T1 1 of 3
 no ip address
 encapsulation ppp
 no fair-queue
 ppp multilink
 multilink-group 1
!
interface Serial3/0/1:0
 description T1 2 of 3
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
interface Serial3/0/2:0
 description T1 3 of 3
 no ip address
 encapsulation ppp
 ppp multilink
 multilink-group 1
!
ip route 0.0.0.0 0.0.0.0 192.168.98.29
!

The interfaces are up and running, the multilink bundle looks good, and if I ping or trace from A to B, or B to A, life is good.
If I try and go from B to C or C to B, again life is good. If I try and go from A to the internet via B, or from C via B to the internet, all is good. So it looks like all is working.

Where I get bit is if I try and go from A to C, or C to A. I can not ping, and if I trace it dies on router B. So it looks like a single hop is good, and if I go to another location out off of B (other networks) all is good, but if I try and cross any other internal interface on the router and cross the MLPPP link it dies.

I was just going to use CEF to handle the link with per-packet load sharing with a dynamic routing protocol, but apparently the FlexWan controller doesn't support it, or it barked about an unknown command. Anyway, trying to debunk this I stripped it back to the above, just static routes between A-to-B-to-C, and still it will not route. This is part of a larger network, and none of the other remote endpoints will cross that multilink line, and I can't pin down why.

I am open to any suggestions, as I rarely use MLPPP, and am sure I am missing something, but damn, I would think two simple hops with static routes should just go.

Thanks to any that can offer assistance on debunking this one..

P.S. - Yes I know I have some routable, and some unroutable IP's, but this is all behind a firewall, and gateways out, I just haven't gotten them to pull the old public IP's out; granted that shouldn't matter for an internal (in essence) isolated network.

---
Howard Leadmon

From acm at axians.de Sat Jul 19 01:20:14 2008
From: acm at axians.de (Cheikh-Moussa Ahmad) Date: Sat, 19 Jul 2008 07:20:14 +0200 Subject: [c-nsp] QoS VLAN trunk Port In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A5017239BE@xmb-ams-331.emea.cisco.com> References: <67F7C1FAF83A074AA3520D8F155782A5017239BE@xmb-ams-331.emea.cisco.com> Message-ID:

Hi Guys,

> In general, you enable "mls qos vlan-based" on the trunk, and apply the qos policy on the SVI (interface vlan) - even without any L3 config on the SVI.
> For QoS this works very well.

I have an additional requirement. Now I have to change the CoS values on the trunk port. So there is a trunk between a Cisco Catalyst 4500 and a Juniper ERX. I want to change the CoS values for every VLAN in a different way. For example:

VLAN 15 CoS = 5
VLAN 10 CoS = 3
VLAN 20 CoS = 1

My idea was to enhance the current policy-map configuration with the command "set cos x", but unfortunately the switch doesn't accept this command, although it is documented on CCO. I checked the Feature Navigator and IOS 12.2(40)SG IPBASE has the feature "Class Based Ethernet CoS Matching & Marking (802.1p & ISL CoS)".

So any ideas why I can not configure this on my cat4500? Is there another way to achieve this?

Regards,
Ahmad

Registered office of NK Networks & Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln. Registration court: Amtsgericht Köln, registration number HRB 30805. Managing director: Tonis R?sche

From christian at broknrobot.com Sat Jul 19 02:21:21 2008
From: christian at broknrobot.com (Christian Koch) Date: Sat, 19 Jul 2008 02:21:21 -0400 Subject: [c-nsp] BGP Hold Time Expired, but why? Message-ID:

Hello -

I have the following topology in lab, testing different failure scenarios. When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.

When i re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.

3 minutes later, bgp holdtime expires, and all links are up..
aR1-----------------bR1
 |                   |
 |                   |
 |                   |
 |                   |
aR2-----------------bR2

Some Notes
- All Links 10GE
- Full ibgp mesh
- Peering is to loopbacks
- OSPF as IGP
- Loopbacks in OSPF
- MPLS Enabled on Interfaces

OSPF cost between aR1 and aR2 is 1
OSPF cost between bR1 and bR2 is 1
OSPF cost between aR1 and bR1 is 250
OSPF cost between aR2 and bR2 is 500

MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
MTU 9182 between bR1 and bR2

IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
IOS on bR1 and bR2 is 12.33.SRC - RSP720

i am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..

thanks!

ck

From christian at broknrobot.com Sat Jul 19 02:38:07 2008
From: christian at broknrobot.com (Christian Koch) Date: Sat, 19 Jul 2008 02:38:07 -0400 Subject: [c-nsp] BGP Hold Time Expired, but why? In-Reply-To: References: Message-ID:

sorry, forgot to specify

the bgp session from aR1 to bR2 is the session in question

ck

On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
> Hello -
>
> I have the following topology in lab, testing different failure scenarios. When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.
>
> When i re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.
>
> 3 minutes later, bgp holdtime expires, and all links are up..
>
> aR1-----------------bR1
>  |                   |
>  |                   |
>  |                   |
>  |                   |
> aR2-----------------bR2
>
> Some Notes
> - All Links 10GE
> - Full ibgp mesh
> - Peering is to loopbacks
> - OSPF as IGP
> - Loopbacks in OSPF
> - MPLS Enabled on Interfaces
>
> OSPF cost between aR1 and aR2 is 1
> OSPF cost between bR1 and bR2 is 1
> OSPF cost between aR1 and bR1 is 250
> OSPF cost between aR2 and bR2 is 500
>
> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
> MTU 9182 between bR1 and bR2
>
> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
> IOS on bR1 and bR2 is 12.33.SRC - RSP720
>
> i am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..
>
> thanks!
>
> ck

-- ^christian$

From oboehmer at cisco.com Sat Jul 19 03:24:23 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sat, 19 Jul 2008 09:24:23 +0200 Subject: [c-nsp] BGP Hold Time Expired, but why? In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com>

No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.

How long did you take down the link before bringing it back up? I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down?

oli

Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
> sorry, forgot to specify
>
> the bgp session from aR1 to bR2 is the session in question
>
> ck
>
> On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
>
>> Hello -
>>
>> I have the following topology in lab, testing different failure scenarios.
>> When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.
>>
>> When i re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.
>>
>> 3 minutes later, bgp holdtime expires, and all links are up..
>>
>> aR1-----------------bR1
>>  |                   |
>>  |                   |
>>  |                   |
>>  |                   |
>> aR2-----------------bR2
>>
>> Some Notes
>> - All Links 10GE
>> - Full ibgp mesh
>> - Peering is to loopbacks
>> - OSPF as IGP
>> - Loopbacks in OSPF
>> - MPLS Enabled on Interfaces
>>
>> OSPF cost between aR1 and aR2 is 1
>> OSPF cost between bR1 and bR2 is 1
>> OSPF cost between aR1 and bR1 is 250
>> OSPF cost between aR2 and bR2 is 500
>>
>> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
>> MTU 9182 between bR1 and bR2
>>
>> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
>> IOS on bR1 and bR2 is 12.33.SRC - RSP720
>>
>> i am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..
>>
>> thanks!
>>
>> ck
>
> -- ^christian$
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From christian at broknrobot.com Sat Jul 19 09:07:58 2008
From: christian at broknrobot.com (Christian Koch) Date: Sat, 19 Jul 2008 09:07:58 -0400 Subject: [c-nsp] BGP Hold Time Expired, but why? In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com> References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com> Message-ID:

hmm, i didn't check cef/mpls on the new path, i should try that..

there is connectivity between the loopbacks

the session comes back up right after the timer expires. that's what puzzles me actually

3-4 is about how long i kept it down for..
Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up

On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.
>
> How long did you take down the link before bringing it back up? I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down?
>
> oli
>
> Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
>
> > sorry, forgot to specify
> >
> > the bgp session from aR1 to bR2 is the session in question
> >
> > ck
> >
> > On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
> >
> >> Hello -
> >>
> >> I have the following topology in lab, testing different failure scenarios. When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.
> >>
> >> When i re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.
> >>
> >> 3 minutes later, bgp holdtime expires, and all links are up..
> >>
> >> aR1-----------------bR1
> >>  |                   |
> >>  |                   |
> >>  |                   |
> >>  |                   |
> >> aR2-----------------bR2
> >>
> >> Some Notes
> >> - All Links 10GE
> >> - Full ibgp mesh
> >> - Peering is to loopbacks
> >> - OSPF as IGP
> >> - Loopbacks in OSPF
> >> - MPLS Enabled on Interfaces
> >>
> >> OSPF cost between aR1 and aR2 is 1
> >> OSPF cost between bR1 and bR2 is 1
> >> OSPF cost between aR1 and bR1 is 250
> >> OSPF cost between aR2 and bR2 is 500
> >>
> >> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
> >> MTU 9182 between bR1 and bR2
> >>
> >> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
> >> IOS on bR1 and bR2 is 12.33.SRC - RSP720
> >>
> >> i am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..
> >>
> >> thanks!
> >>
> >> ck
> >
> > -- ^christian$
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

-- ^christian$

From Joerg.Koelling at telefonica.de Sat Jul 19 09:45:49 2008
From: Joerg.Koelling at telefonica.de (Joerg.Koelling at telefonica.de) Date: Sat, 19 Jul 2008 15:45:49 +0200 Subject: [c-nsp] Joerg Koelling is out of the office. Message-ID:

I will not be in the office from 19.07.2008. I will return on 12.08.2008. I will answer your message after my return. In urgent cases please contact my deputy: Torsten.Waibel at telefonica.de +49 5246 80 1966

From tedm at toybox.placo.com Sat Jul 19 12:19:33 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Sat, 19 Jul 2008 09:19:33 -0700 Subject: [c-nsp] OT: Possible List Troll/Spammer.. In-Reply-To: <009c01c8e849$6334f210$299ed630$@net> Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
> Sent: Thursday, July 17, 2008 1:12 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] OT: Possible List Troll/Spammer..
>
> After posting to the list last week, sure enough I got a Cisco reseller solicitation from a Matt Martyniuk [mmartyniuk at f5technology.com] to buy or sell Cisco gear. I looked back at the past year's archive, and I don't see a single posting from this person on the list, so can only assume they are trolling/spamming people on here looking for business,

Unless your e-mail was part of a generic multi-address e-mail blast, it isn't spamming, it is the e-mail equivalent of cold-calling, or "dialing for dollars". You haven't posted the entire mail so we can't make that call just by what you're posting here.
If you only get a single mail from them and no followup (assuming you don't contact them), then if it's NOT part of an e-mail spam run, I am not sure how this is any more objectionable than if they called you on the phone. There isn't any "national do-not-email list", but if these solicitations bug you, put something in your .sig saying no solicitations.

Ted

From oboehmer at cisco.com Sat Jul 19 12:29:30 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Sat, 19 Jul 2008 18:29:30 +0200 Subject: [c-nsp] BGP Hold Time Expired, but why? In-Reply-To: References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5FE@xmb-ams-333.emea.cisco.com>

Hmm, "%BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization" looks unexpected, not sure what's happening.. just a hunch, but can you double-check your config regarding loopback addresses, bgp router-id and things? Possibly add some bgp debug (deb bgp all events, deb bgp all, deb bgp all keep) and see if something weird pops up?

What does the neighbor's (10.10.10.3) log say?

oli

________________________________
From: Christian Koch [mailto:christian at broknrobot.com]
Sent: Saturday, July 19, 2008 3:08 PM
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp
Subject: Re: [c-nsp] BGP Hold Time Expired, but why?

hmm, i didn't check cef/mpls on the new path, i should try that..

there is connectivity between the loopbacks

the session comes back up right after the timer expires. that's what puzzles me actually

3-4 is about how long i kept it down for..
Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up

On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) wrote:

No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.

How long did you take down the link before bringing it back up?
I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down? oli Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM: > sorry forgot to specify > > the bgp session from aR1 to bR2 is the session in question > > ck > > On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch > wrote: > >> Hello - >> >> I have the following topology in lab, testing different failure >> scenarios. When i disconnect the link between aR1 and bR1, what >> would appear to be normal happens - ospf and ldp neighbor go down. >> >> When i re-connect the link between aR1 and bR1, the interface comes >> back up, osfp/ldp neighbor is re-established. >> >> 3minutes later, bgp holdtime expires , and all links are up.. >> >> aR1-----------------bR1 >>> | >>> | >>> | >>> | aR2-----------------bR2 >> >> >> Some Notes >> - All Links 10GE >> - Full ibgp mesh >> - Peering is to loopbacks >> - OSPF as IGP >> - Loopbacks in OSPF >> - MPLS Enabled on Interfaces >> >> >> OSPF cost between aR1 and aR2 is 1 >> OSPF cost between bR1 and bR2 is 1 >> OSPF cost between aR1 and bR1 is 250 >> OSPF cost betwen aR2 and bR2 is 500 >> >> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 AND BR2 >> MTU 9182 between bR1 and bR2 >> >> >> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720 >> IOS on bR1 and bR2 is 12.33.SRC - RSP720 >> >> >> i am stumped, any ideas would be helpful in trying to understand why >> the bgp session is going down due to expired hold time, when all >> links are up.. >> >> thanks! 
>> >> ck >> >> >> >> >> >> > > > -- > ^christian$ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- ^christian$ From christian at broknrobot.com Sat Jul 19 13:06:43 2008 From: christian at broknrobot.com (Christian Koch) Date: Sat, 19 Jul 2008 13:06:43 -0400 Subject: [c-nsp] BGP Hold Time Expired, but why? In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5FE@xmb-ams-333.emea.cisco.com> References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5FE@xmb-ams-333.emea.cisco.com> Message-ID: config look ok as far as i can see, i actually dont have bgp router-id set in the bgp config... you think if i add that with the loopback ip, it would make a difference? config router bgp 65000 no synchronization bgp log-neighbor-changes bgp graceful-restart restart-time 120 bgp graceful-restart stalepath-time 360 bgp graceful-restart bgp dampening neighbor Backbone peer-group neighbor Backbone remote-as 65000 neighbor Backbone update-source Loopback1 neighbor Backbone version 4 neighbor Backbone send-community neighbor 10.10.10.2 peer-group Backbone neighbor 10.10.10.3 peer-group Backbone no auto-summary On Sat, Jul 19, 2008 at 12:29 PM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Hmm, "%BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol > initialization" looks unexpected, not sure what's happening.. > just a hunch, but can you double-check your config regarding loopback > addresses, bgp router-id and things? Possibly add some bgp debug (deb > bgp all events, deb bgp all, deb bgp all keep) and see if something > weird pops up? > What does the neighbor's (10.10.10.3) log say? 
>
> oli
>
> ________________________________
>
> From: Christian Koch [mailto:christian at broknrobot.com]
> Sent: Saturday, July 19, 2008 3:08 PM
> To: Oliver Boehmer (oboehmer)
> Cc: cisco-nsp
> Subject: Re: [c-nsp] BGP Hold Time Expired, but why?
>
> hmm, i didnt check cef/mpls on the new path, i should try that.. there is connectivity between the loopbacks
>
> the session comes back up right after the timer expires. that's what puzzles me
>
> actually 3-4 is about how long i kept it down for..
>
> Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
> Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
> Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
> Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
> Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
> Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
> Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
> Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
> Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
> Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
> Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
> Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
> Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
> Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
> Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
> Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
>
> On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) wrote:
>
> No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.
>
> How long did you take down the link before bringing it back up? I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down?
>
> oli
>
> Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
>
> > sorry forgot to specify
> >
> > the bgp session from aR1 to bR2 is the session in question
> >
> > ck
> >
> > On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
> >
> >> Hello -
> >>
> >> I have the following topology in lab, testing different failure scenarios. When i disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.
> >>
> >> When i re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.
> >>
> >> 3 minutes later, bgp holdtime expires, and all links are up..
> >>
> >> aR1-----------------bR1
> >>  |                   |
> >>  |                   |
> >>  |                   |
> >>  |                   |
> >> aR2-----------------bR2
> >>
> >> Some Notes
> >> - All Links 10GE
> >> - Full ibgp mesh
> >> - Peering is to loopbacks
> >> - OSPF as IGP
> >> - Loopbacks in OSPF
> >> - MPLS Enabled on Interfaces
> >>
> >> OSPF cost between aR1 and aR2 is 1
> >> OSPF cost between bR1 and bR2 is 1
> >> OSPF cost between aR1 and bR1 is 250
> >> OSPF cost between aR2 and bR2 is 500
> >>
> >> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 AND BR2
> >> MTU 9182 between bR1 and bR2
> >>
> >> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
> >> IOS on bR1 and bR2 is 12.33.SRC - RSP720
> >>
> >> i am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..
> >>
> >> thanks!
> >>
> >> ck
> >
> > --
> > ^christian$
>
> --
> ^christian$

From gert at greenie.muc.de Sat Jul 19 14:42:57 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 19 Jul 2008 20:42:57 +0200
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <001a01c8e92c$9ca15230$d5e3f690$@net>
References: <001a01c8e92c$9ca15230$d5e3f690$@net>
Message-ID: <20080719184257.GV1231@greenie.muc.de>

Hi,

On Fri, Jul 18, 2008 at 07:18:34PM -0400, Howard Leadmon wrote:
> Location-B: Cat5500 RSM

a) what software version is on the RSM?
b) do you have "ip routing" in your config?

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                              gert at greenie.muc.de
fax: +49-89-35655025                         gert at net.informatik.tu-muenchen.de
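For the "BGP Hold Time Expired, but why?" thread above, an added example (not code from the thread, from Cisco, or from any poster): a Python checker that parses IOS syslog lines like the ones Christian posted, tracks interface, OSPF and LDP state through the flap, and for each "hold time expired" NOTIFICATION reports whether any logged outage was long enough to account for it. It assumes the IOS default hold time of 180 seconds (the posted config sets no timers) and a year for the year-less timestamps; the sample lines are the relevant ones from the thread's log.

```python
"""Added example (not from the thread): check an IOS syslog timeline for a BGP
hold-time expiry that no logged interface / OSPF / LDP outage can account for."""
import re
from collections import namedtuple
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

DEFAULT_HOLD_TIME = 180  # assumption: IOS default, the posted config sets no "timers bgp"
DEFAULT_YEAR = 2008      # IOS timestamps carry no year; assumed from the thread's date

# "Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down"
LINE_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? [A-Z]+: "
    r"%(?P<facility>[A-Z0-9-]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)
Event = namedtuple("Event", "ts facility severity mnemonic text")


def parse_line(line: str, year: int = DEFAULT_YEAR) -> Optional[Event]:
    """Parse one IOS syslog line; None for anything that is not a %FAC-SEV-MNEMONIC message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['stamp']} {year}", "%b %d %H:%M:%S %Y")
    return Event(ts, m["facility"], int(m["severity"]), m["mnemonic"], m["text"])


def _state_change(ev: Event) -> Optional[Tuple[str, bool]]:
    """Map interface / OSPF / LDP messages to (tracked key, is_up); None for everything else."""
    if ev.mnemonic == "UPDOWN":  # %LINK-3-UPDOWN, %LINEPROTO-5-UPDOWN and their -SP- twins
        m = re.search(r"Interface (\S+), changed state to (up|down)", ev.text)
        return ("intf:" + m.group(1), m.group(2) == "up") if m else None
    if ev.mnemonic == "ADJCHG":  # %OSPF-5-ADJCHG: only FULL counts as up
        m = re.search(r"Nbr (\S+) on \S+ from [A-Z]+ to ([A-Z]+)", ev.text)
        return ("ospf:" + m.group(1), m.group(2) == "FULL") if m else None
    if ev.mnemonic == "NBRCHG":  # %LDP-5-NBRCHG
        m = re.search(r"LDP Neighbor (\S+) \(\d+\) is (UP|DOWN)", ev.text)
        return ("ldp:" + m.group(1), m.group(2) == "UP") if m else None
    return None


def analyze(lines: Iterable[str], hold_time: int = DEFAULT_HOLD_TIME,
            year: int = DEFAULT_YEAR) -> List[dict]:
    """One finding per hold-time-expired NOTIFICATION, judged against the outages logged before it."""
    up, down_since, outages, last_recovery, findings = {}, {}, [], None, []
    for ev in filter(None, (parse_line(l, year) for l in lines)):
        change = _state_change(ev)
        if change:
            key, now_up = change
            was_up = up.get(key, True)  # anything not seen yet is assumed up when the log starts
            if was_up and not now_up:
                down_since[key] = ev.ts
            elif now_up and not was_up:
                outages.append((key, ev.ts - down_since.pop(key, ev.ts)))
                last_recovery = ev.ts
            up[key] = now_up
        elif ev.mnemonic == "NOTIFICATION" and "hold time expired" in ev.text:
            nbr = re.search(r"from neighbor (\S+)", ev.text)
            longest = max(outages, key=lambda o: o[1], default=None)
            longest_secs = int(longest[1].total_seconds()) if longest else 0
            still_down = sorted(k for k, v in up.items() if not v)
            # The timer only fires after hold_time seconds without keepalives, so an expiry with
            # nothing down now and no outage that long is not explained by the flap in the log.
            findings.append({
                "ts": ev.ts,
                "neighbor": nbr.group(1) if nbr else "?",
                "still_down": still_down,
                "seconds_since_last_recovery": int((ev.ts - last_recovery).total_seconds()) if last_recovery else None,
                "longest_outage": longest[0] if longest else None,
                "longest_outage_seconds": longest_secs,
                "reestablished_after_seconds": None,
                "verdict": "explained" if still_down or longest_secs >= hold_time else "unexplained",
            })
        elif ev.mnemonic == "ADJCHANGE" and ev.text.endswith(" Up"):
            for f in findings:  # record how long after the expiry the session came back
                if f["reestablished_after_seconds"] is None and re.search(rf"neighbor {re.escape(f['neighbor'])} Up$", ev.text):
                    f["reestablished_after_seconds"] = int((ev.ts - f["ts"]).total_seconds())
                    break
    return findings


# Constructed sample: the relevant lines from the syslog posted in the thread (the -SP- copies left out).
THREAD_LOG = """\
Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
""".splitlines()

if __name__ == "__main__":
    for f in analyze(THREAD_LOG):
        print(f"{f['ts']:%H:%M:%S} {f['neighbor']}: {f['verdict']} (longest outage {f['longest_outage']} "
              f"{f['longest_outage_seconds']}s, last recovery {f['seconds_since_last_recovery']}s before)")
```

Run over the thread's log it reports the expiry as "unexplained": the longest outage it can see is the 62-second LDP drop, nothing is down when the NOTIFICATION arrives, and the session is back 7 seconds later.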
From howard at leadmon.net Sat Jul 19 17:44:29 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Sat, 19 Jul 2008 17:44:29 -0400
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <20080719184257.GV1231@greenie.muc.de>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <20080719184257.GV1231@greenie.muc.de>
Message-ID: <005101c8e9e8$a279e0c0$e76da240$@net>

Hello Gert,

Thanks for the reply. To answer your questions, yes I have ip routing on the router, as all the other stuff is working. As to the IOS version on the RSM, it's:

IOS (tm) C5RSM Software (C5RSM-IK9O3SV-M), Version 12.2(46a), RELEASE SOFTWARE (fc1)

Also as a follow-up on the situation, I tore down the Multilink bundle, took a single T1, and loaded the /30 that was on the Multilink interface onto it. When I did that the single T1 line came up, and routed perfectly. So it's very much (be it a bug, or whatever) an issue with using Multilink.

Just for info sake, the IOS on the 6509 is:

IOS (tm) s222_rp Software (s222_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(18)SXF14, RELEASE SOFTWARE (fc1)

I was going to just use CEF with per-packet across the lines to give them full utilization, but on the FlexWan controller, when I go into the interface configs and try and set that up, apparently the ONLY option is per-destination. This is the older FlexWan board, so it's a WS-X6182-2PA card. Do you or heck does anyone know if I replaced the controller with a 6582 would I be able to use per-packet on that?

Amazing this lil shared T1 project has been such a pain in my side, but guess some days ya just can't win!
---
Howard Leadmon

> -----Original Message-----
> From: Gert Doering [mailto:gert at greenie.muc.de]
> Sent: Saturday, July 19, 2008 2:43 PM
> To: Howard Leadmon
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Help with multilink ppp, routing not working correctly..
>
> Hi,
>
> On Fri, Jul 18, 2008 at 07:18:34PM -0400, Howard Leadmon wrote:
> > Location-B: Cat5500 RSM
>
> a) what software version is on the RSM?
> b) do you have "ip routing" in your config?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
> Gert Doering - Munich, Germany   gert at greenie.muc.de
> fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From diogo.montagner at gmail.com Sat Jul 19 20:25:08 2008
From: diogo.montagner at gmail.com (Diogo Montagner)
Date: Sat, 19 Jul 2008 21:25:08 -0300
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <001a01c8e92c$9ca15230$d5e3f690$@net>
References: <001a01c8e92c$9ca15230$d5e3f690$@net>
Message-ID: <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com>

Hi Howard,

If your configuration is all here then you need a static route in B router pointing to C.

Regards,
./diogo -montagner

On Fri, Jul 18, 2008 at 8:18 PM, Howard Leadmon wrote:
>
> I can't believe this one isn't working, I am sure I am looking over something stupid. I needed to mux up 3x T1's between a location.
>
> Information is as follows: (relevant bits)
>
> Location-A: Cisco 1720
> !
> interface Serial0
>  description To Location-B
>  ip address 38.103.8.238 255.255.255.252
> !
> ip route 0.0.0.0 0.0.0.0 38.103.8.237
> !
>
> Location-B: Cat5500 RSM
> !
> interface Multilink1
>  description T1 MultiLink PPP Bundle to Location-C
>  ip address 192.168.98.29 255.255.255.252
>  ppp multilink
>  multilink-group 1
> !
> interface Serial1/2:1
>  description To Location-A
>  ip address 38.103.8.237 255.255.255.252
> !
> interface Serial1/5:1
>  description T1 3 of 3 (MultiLink)
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  multilink-group 1
> !
> interface Serial1/6:1
>  description T1 2 of 3 (MultiLink)
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  multilink-group 1
> !
> interface Serial1/7:1
>  description T1 1 of 3 (MultiLink)
>  no ip address
>  encapsulation ppp
>  no fair-queue
>  ppp multilink
>  multilink-group 1
> !
> ip route 0.0.0.0 0.0.0.0 to global internet gateway!
>
> Location-C: Cisco 6509 Sup2 w/FlexWan
> !
> interface Multilink1
>  description T1 Bundle to Corporate
>  ip address 192.168.98.30 255.255.255.252
>  ppp multilink
>  multilink-group 1
> !
> interface Serial3/0/0:0
>  description T1 1 of 3
>  no ip address
>  encapsulation ppp
>  no fair-queue
>  ppp multilink
>  multilink-group 1
> !
> interface Serial3/0/1:0
>  description T1 2 of 3
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  multilink-group 1
> !
> interface Serial3/0/2:0
>  description T1 3 of 3
>  no ip address
>  encapsulation ppp
>  ppp multilink
>  multilink-group 1
> !
> ip route 0.0.0.0 0.0.0.0 192.168.98.29
> !
>
> The interfaces are up and running, the multilink bundle looks good, and if I ping or trace from A to B, or B to A life is good. If I try and go from B to C or C to B, again life is good. If I try and go from A to the internet via B, or from C via B to the internet all is good. So it looks like all is working.
>
> Where I get bit, is if I try and go from A to C, or C to A. I can not ping, and if I trace it dies on router B. So it looks like single hop is good, and if I go to another location out off of B (other networks) all is good, but if I try and cross any other internal interface on the router and cross the MLPPP link it dies.
>
> I was just going to use CEF to handle the link with per-packet load sharing with a dynamic routing protocol, but apparently the FlexWan controller doesn't support it, or it barked about an unknown command.
> Anyway trying to debunk this I stripped it back to the above, just static routes between A-to-B-to-C, and still it will not route. This is part of a larger network, and none of the other remote endpoints will cross that multilink line, and I can't pin down why.
>
> I am open to any suggestions, as I rarely use MLPPP, and am sure I am missing something, but damn I would think two simple hops with static routes should just go. Thanks to any that can offer assistance on debunking this one..
>
> P.S. - Yes I know I have some routable, and some unroutable IP's, but this is all behind a firewall, and gateways out, I just haven't gotten them to pull the old public IP's out, granted that shouldn't matter for an internal (in essence) isolated network.
>
> ---
> Howard Leadmon
>

From howard at leadmon.net Sat Jul 19 20:49:58 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Sat, 19 Jul 2008 20:49:58 -0400
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com>
Message-ID: <005301c8ea02$8c1faf20$a45f0d60$@net>

Hello Diogo,

Thanks for the reply.. Actually I had a dynamic routing protocol running on the routers, and even pulled that and tried using static routes. Actually as I was just trying to ping interface to interface, no routing at all should have been needed, as Router-B would have seen both of the /30's as a connected path.

Not sure if you saw my earlier response to Gert, but I did afterwards take and tear down the MLPPP bundle, and then just put the /30 from the bundle on a single T1 interface.
When I did that, everything worked, traffic moved perfectly. So it's without a doubt something very specific to having the Multilink interface up, as only then does the pathway fail. The only thing I can see different when I put it over multilink is that I see a /30 and a /32 in the routing table from it. So if I am on router B and do a show ip route, I see 192.168.98.28/30 and also a 192.168.98.30/32 both pointing to the Multilink1 interface. Not quite sure why I get that /32 in the table, but guessing it's just a quirk of how the MLPPP connection establishes.

---
Howard Leadmon

> -----Original Message-----
> From: Diogo Montagner [mailto:diogo.montagner at gmail.com]
> Sent: Saturday, July 19, 2008 8:25 PM
> To: Howard Leadmon
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Help with multilink ppp, routing not working correctly..
>
> Hi Howard,
>
> If your configuration is all here then you need a static route in B router pointing to C.
>
> Regards,
> ./diogo -montagner
>
> On Fri, Jul 18, 2008 at 8:18 PM, Howard Leadmon wrote:
> >
> > I can't believe this one isn't working, I am sure I am looking over something stupid. I needed to mux up 3x T1's between a location.
> >
> > Information is as follows: (relevant bits)
> >
> > Location-A: Cisco 1720
> > !
> > interface Serial0
> >  description To Location-B
> >  ip address 38.103.8.238 255.255.255.252
> > !
> > ip route 0.0.0.0 0.0.0.0 38.103.8.237
> > !
> >
> > Location-B: Cat5500 RSM
> > !
> > interface Multilink1
> >  description T1 MultiLink PPP Bundle to Location-C
> >  ip address 192.168.98.29 255.255.255.252
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial1/2:1
> >  description To Location-A
> >  ip address 38.103.8.237 255.255.255.252
> > !
> > interface Serial1/5:1
> >  description T1 3 of 3 (MultiLink)
> >  no ip address
> >  encapsulation ppp
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial1/6:1
> >  description T1 2 of 3 (MultiLink)
> >  no ip address
> >  encapsulation ppp
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial1/7:1
> >  description T1 1 of 3 (MultiLink)
> >  no ip address
> >  encapsulation ppp
> >  no fair-queue
> >  ppp multilink
> >  multilink-group 1
> > !
> > ip route 0.0.0.0 0.0.0.0 to global internet gateway!
> >
> > Location-C: Cisco 6509 Sup2 w/FlexWan
> > !
> > interface Multilink1
> >  description T1 Bundle to Corporate
> >  ip address 192.168.98.30 255.255.255.252
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial3/0/0:0
> >  description T1 1 of 3
> >  no ip address
> >  encapsulation ppp
> >  no fair-queue
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial3/0/1:0
> >  description T1 2 of 3
> >  no ip address
> >  encapsulation ppp
> >  ppp multilink
> >  multilink-group 1
> > !
> > interface Serial3/0/2:0
> >  description T1 3 of 3
> >  no ip address
> >  encapsulation ppp
> >  ppp multilink
> >  multilink-group 1
> > !
> > ip route 0.0.0.0 0.0.0.0 192.168.98.29
> > !
> >
> > The interfaces are up and running, the multilink bundle looks good, and if I ping or trace from A to B, or B to A life is good. If I try and go from B to C or C to B, again life is good. If I try and go from A to the internet via B, or from C via B to the internet all is good. So it looks like all is working.
> >
> > Where I get bit, is if I try and go from A to C, or C to A. I can not ping, and if I trace it dies on router B. So it looks like single hop is good, and if I go to another location out off of B (other networks) all is good, but if I try and cross any other internal interface on the router and cross the MLPPP link it dies.
> >
> > I was just going to use CEF to handle the link with per-packet load sharing with a dynamic routing protocol, but apparently the FlexWan controller doesn't support it, or it barked about an unknown command. Anyway trying to debunk this I stripped it back to the above, just static routes between A-to-B-to-C, and still it will not route. This is part of a larger network, and none of the other remote endpoints will cross that multilink line, and I can't pin down why.
> >
> > I am open to any suggestions, as I rarely use MLPPP, and am sure I am missing something, but damn I would think two simple hops with static routes should just go. Thanks to any that can offer assistance on debunking this one..
> >
> > P.S. - Yes I know I have some routable, and some unroutable IP's, but this is all behind a firewall, and gateways out, I just haven't gotten them to pull the old public IP's out, granted that shouldn't matter for an internal (in essence) isolated network.
> >
> > ---
> > Howard Leadmon
> >

From notrevebr at gmail.com Sat Jul 19 21:47:22 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Sat, 19 Jul 2008 22:47:22 -0300
Subject: [c-nsp] SP: L2-Aging messages
Message-ID: <3cf174360807191847i13b04d87g187b38c5a815c792@mail.gmail.com>

Hi all,

Anyone already see this message? I searched on cisco swit and google and nothing...
Jul 19 23:12:37.057 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 23:17:37.056 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 23:22:37.057 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 22:27:37.058 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found

IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(17d)SXB10, RELEASE SOFTWARE (fc1)
cisco WS-C6509 (R7000) processor (revision 2.0) with 458752K/65536K bytes of memory.
Supervisor Engine 720 (Active) WS-SUP720-3B SAL094235C0

From sethm at rollernet.us Sat Jul 19 22:21:35 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 19 Jul 2008 19:21:35 -0700
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <005301c8ea02$8c1faf20$a45f0d60$@net>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com> <005301c8ea02$8c1faf20$a45f0d60$@net>
Message-ID: <4882A12F.4060401@rollernet.us>

Howard Leadmon wrote:
> Hello Diogo,
>
> Thanks for the reply.. Actually I had a dynamic routing protocol running on the routers, and even pulled that and tried using static routes. Actually as I was just trying to ping interface to interface, no routing at all should have been needed, as Router-B would have seen both of the /30's as a connected path.
>
> Not sure if you saw my earlier response to Gert, but I did afterwards take and tear down the MLPPP bundle, and then just put the /30 from the bundle on a single T1 interface. When I did that, everything worked, traffic moved perfectly. So it's without a doubt something very specific to having the Multilink interface up, as only then does the pathway fail. The only thing I can see different when I put it over multilink is that I see a /30 and a /32 in the routing table from it. So if I am on router B and do a show ip route, I see 192.168.98.28/30 and also a 192.168.98.30/32 both pointing to the Multilink1 interface. Not quite sure why I get that /32 in the table, but guessing it's just a quirk of how the MLPPP connection establishes.
>

Try adding 'no peer neighbor-route' to the multilink config?

~Seth

From sukumars at cisco.com Sat Jul 19 22:57:40 2008
From: sukumars at cisco.com (Sukumar Subburayan (sukumars))
Date: Sat, 19 Jul 2008 19:57:40 -0700
Subject: [c-nsp] SP: L2-Aging messages
In-Reply-To: <3cf174360807191847i13b04d87g187b38c5a815c792@mail.gmail.com>
References: <3cf174360807191847i13b04d87g187b38c5a815c792@mail.gmail.com>
Message-ID:

Someone has turned on L2-aging debugging on the SP-side. These are periodic RM (router-mac) entry aging debugs, and these debug outputs don't indicate any problem.

Please have them do 'remote command switch undebug all'

sukumar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz
Sent: Sunday, July 20, 2008 7:17 AM
To: cisco-nsp
Subject: [c-nsp] SP: L2-Aging messages

Hi all,

Anyone already see this message? I searched on cisco swit and google and nothing...

Jul 19 23:12:37.057 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 23:17:37.056 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 23:22:37.057 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found
Jul 19 22:27:37.058 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found

IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(17d)SXB10, RELEASE SOFTWARE (fc1)
cisco WS-C6509 (R7000) processor (revision 2.0) with 458752K/65536K bytes of memory.
Supervisor Engine 720 (Active) WS-SUP720-3B SAL094235C0

From howard at leadmon.net Sat Jul 19 23:18:46 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Sat, 19 Jul 2008 23:18:46 -0400
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To:
References: <001a01c8e92c$9ca15230$d5e3f690$@net>
Message-ID: <005501c8ea17$55f44b80$01dce280$@net>

Hello Ben,

Interesting, it does seem I have that option. I have not seen it setup that way, wonder if that is handled any different in IOS than the way I had it configured. Would this only be used in the individual serial lines, or also in the multilink interface config?? Guess I need to RTFM on that..

---
Howard Leadmon

> -----Original Message-----
> From: Ben Steele [mailto:ben.steele at internode.on.net]
> Sent: Saturday, July 19, 2008 9:20 PM
> To: Howard Leadmon
> Subject: Re: [c-nsp] Help with multilink ppp, routing not working correctly..
>
> Do you have the option for "ppp multilink group 1" instead of "multilink-group 1" ?
>

From howard at leadmon.net Sat Jul 19 23:21:30 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Sat, 19 Jul 2008 23:21:30 -0400
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <4882A12F.4060401@rollernet.us>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com> <005301c8ea02$8c1faf20$a45f0d60$@net> <4882A12F.4060401@rollernet.us>
Message-ID: <005601c8ea17$b71ede20$255c9a60$@net>

Hello Seth,

I actually was digging in the command ref and saw that option, and tried it, didn't seem to change the routing. I didn't actually shut the interface, maybe I need to do that.
I am not sure if that /32 route is even a problem, just that I did notice it happened in the multilink config, but not when I just used a standard PtoP T1 link. Thanks for the suggestion though..

---
Howard Leadmon

> -----Original Message-----
> From: Seth Mattinen [mailto:sethm at rollernet.us]
> Sent: Saturday, July 19, 2008 10:22 PM
> To: Howard Leadmon
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Help with multilink ppp, routing not working correctly..
>
> Howard Leadmon wrote:
> > Hello Diogo,
> >
> > Thanks for the reply.. Actually I had a dynamic routing protocol running on the routers, and even pulled that and tried using static routes. Actually as I was just trying to ping interface to interface, no routing at all should have been needed, as Router-B would have seen both of the /30's as a connected path.
> >
> > Not sure if you saw my earlier response to Gert, but I did afterwards take and tear down the MLPPP bundle, and then just put the /30 from the bundle on a single T1 interface. When I did that, everything worked, traffic moved perfectly. So it's without a doubt something very specific to having the Multilink interface up, as only then does the pathway fail. The only thing I can see different when I put it over multilink is that I see a /30 and a /32 in the routing table from it. So if I am on router B and do a show ip route, I see 192.168.98.28/30 and also a 192.168.98.30/32 both pointing to the Multilink1 interface. Not quite sure why I get that /32 in the table, but guessing it's just a quirk of how the MLPPP connection establishes.
> >
>
> Try adding 'no peer neighbor-route' to the multilink config?
>
> ~Seth

From sethm at rollernet.us Sun Jul 20 01:29:57 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sat, 19 Jul 2008 22:29:57 -0700
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <005601c8ea17$b71ede20$255c9a60$@net>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <84eb7a820807191725g5c99fec9pa8f259d4e3ec08da@mail.gmail.com> <005301c8ea02$8c1faf20$a45f0d60$@net> <4882A12F.4060401@rollernet.us> <005601c8ea17$b71ede20$255c9a60$@net>
Message-ID: <4882CD55.1030401@rollernet.us>

Howard Leadmon wrote:
> Hello Seth,
>
> I actually was digging in the command ref and saw that option, and tried it, didn't seem to change the routing. I didn't actually shut the interface, maybe I need to do that. I am not sure if that /32 route is even a problem, just that I did notice it happened in the multilink config, but not when I just used a standard PtoP T1 link. Thanks for the suggestion though..
>

Yeah, you have to do a shut/no shut before it'll take effect. It should remove that /32 from the routing table. I had a problem similar to yours bringing up a multilink T1 to Sprint for a client, and 'no peer neighbor-route' was the solution in my case. However, your case seems exceptionally odd, because it should just work. =)

~Seth

From gert at greenie.muc.de Sun Jul 20 04:25:17 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 20 Jul 2008 10:25:17 +0200
Subject: [c-nsp] Help with multilink ppp, routing not working correctly..
In-Reply-To: <005101c8e9e8$a279e0c0$e76da240$@net>
References: <001a01c8e92c$9ca15230$d5e3f690$@net> <20080719184257.GV1231@greenie.muc.de> <005101c8e9e8$a279e0c0$e76da240$@net>
Message-ID: <20080720082517.GY1231@greenie.muc.de>

Hi,

On Sat, Jul 19, 2008 at 05:44:29PM -0400, Howard Leadmon wrote:
> Thanks for the reply. To answer your questions, yes I have ip routing on the router, as all the other stuff is working.

The point of the "ip routing" command is to switch from "host" mode (the box will speak IP, but not *forward* IP packets) to "router" mode (forward).
This was a pretty long shot, but it would match the behaviour you've seen - interfaces coming up, ping working fine, but no packets being forwarded.

[..]
> Also as a follow-up on the situation, I tore down the Multilink bundle, took a single T1, and loaded the /30 that was on the Multilink interface onto it. When I did that the single T1 line came up, and routed perfectly. So it's very much (be it a bug, or whatever) an issue with using Multilink.

Hmmm. I have never used WAN modules on a RSM, so I'm not really sure how well supported that stuff is.

> I was going to just use CEF with per-packet across the lines to give them full utilization, but on the FlexWan controller, when I go into the interface configs and try and set that up, apparently the ONLY option is per-destination. This is the older FlexWan board, so it's a WS-X6182-2PA card. Do you or heck does anyone know if I replaced the controller with a 6582 would I be able to use per-packet on that?

As far as I understand the architecture, 6500 based stuff will never do per-packet.

gert
--
USENET is *not* the non-clickable part of WWW!                       //www.muc.de/~gert/
Gert Doering - Munich, Germany                              gert at greenie.muc.de
fax: +49-89-35655025                         gert at net.informatik.tu-muenchen.de

From kris.amy at eip.net.au Sun Jul 20 07:17:28 2008
From: kris.amy at eip.net.au (Kris Amy)
Date: Sun, 20 Jul 2008 21:17:28 +1000
Subject: [c-nsp] Route Leaking
Message-ID:

Hi,

Just wondering if anyone had some pointers on route-leaking between a VRF and the global table when both sides are non point to point (Ethernet, /26 and /28)? In this instance both the vrf and the global table are live (can see the internet), it just goes via different providers. I'm slightly puzzled as to what the next hop should be put on the routes since it's not just a /30.
-- Kind Regards, Kris Amy From CB at nianet.dk Sun Jul 20 07:33:39 2008 From: CB at nianet.dk (Christian Bering) Date: Sun, 20 Jul 2008 13:33:39 +0200 Subject: [c-nsp] VLAN counters for internal VLAN? Message-ID: Hi all, Is it possible to see counters for an internal VLAN on a SUP720/RSP720? -- Regards Christian Bering From notrevebr at gmail.com Sun Jul 20 14:51:05 2008 From: notrevebr at gmail.com (Everton Diniz) Date: Sun, 20 Jul 2008 15:51:05 -0300 Subject: [c-nsp] SP: L2-Aging messages In-Reply-To: References: <3cf174360807191847i13b04d87g187b38c5a815c792@mail.gmail.com> Message-ID: <3cf174360807201151j53055373m9d8dad30bdcf2587@mail.gmail.com> Good.....tks Suku... On 7/19/08, Sukumar Subburayan (sukumars) wrote: > Someone has turned on L2-aging debugging on the SP-side. These are > periodic RM (router-mac) entry aging debugs, and these > debug outputs don't indicate any problem. > > > Please have them do 'remote command switch undebug all' > > sukumar > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Everton Diniz > Sent: Sunday, July 20, 2008 7:17 AM > To: cisco-nsp > Subject: [c-nsp] SP: L2-Aging messages > > Hi all, > > Anyone already see this message? I searched on cisco swit and google and > nothing... > > Jul 19 23:12:37.057 BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry > not found Jul 19 23:17:37.056 BRA: SP: L2-Aging : > l2_aging_do_rm_rma_aging, entry not found Jul 19 23:22:37.057 BRA: SP: > L2-Aging : l2_aging_do_rm_rma_aging, entry not found Jul 19 22:27:37.058 > BRA: SP: L2-Aging : l2_aging_do_rm_rma_aging, entry not found > > > IOS (tm) s72033_rp Software (s72033_rp-PK9SV-M), Version 12.2(17d)SXB10, > RELEASE SOFTWARE (fc1) cisco WS-C6509 (R7000) processor (revision 2.0) > with 458752K/65536K bytes of memory. 
> Supervisor Engine 720 (Active) WS-SUP720-3B SAL094235C0 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From peter.hicks at poggs.co.uk Sun Jul 20 15:06:10 2008 From: peter.hicks at poggs.co.uk (Peter Hicks) Date: Sun, 20 Jul 2008 20:06:10 +0100 Subject: [c-nsp] IPSec SA + EzVPN conflict Message-ID: <48838CA2.5060105@poggs.co.uk> Hello One of my customers has an IPSec VPN to Company A, and wants to migrate his existing client-based VPN to Company B to the same router (3725 with 12.4(12) Advanced Enterprise Services on it). After putting the EzVPN config on, the VPN to Company B came up and hosts there were reachable. Nothing at Company A was reachable, yet the SAs were still established. Further digging showed that the SAs for Company B's VPN specified a remote network of 0.0.0.0/0, tunnelling all traffic and not just to the subnet we're interested in. Is there a way around this? Peter -- Peter Hicks | e: my.name at poggs.co.uk | g: 0x5DA31330 | w: www.poggs.com A: Because it destroys the flow of the conversation Q: Why is top-posting bad? 
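A quick way to spot the situation Peter describes from the router's own state, as an added example that is not code from the thread: a small Python audit over `show crypto ipsec sa`-style output that flags any SA whose remote ident is 0.0.0.0/0 and, more generally, any SA whose remote ident contains another peer's remote ident. The sample output below is constructed in the style of IOS; the peers, addresses and crypto map name are made up.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample in the style of IOS "show crypto ipsec sa" output
# (not real output from the poster's router): a site-to-site SA to
# "Company A" (peer 203.0.113.20) and an EzVPN-style SA to "Company B"
# (peer 203.0.113.30) whose remote ident is the catch-all 0.0.0.0/0.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: FastEthernet0/0
    Crypto map tag: CM-OUTSIDE, local addr 203.0.113.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (198.51.100.0/255.255.255.0/0/0)
   current_peer 203.0.113.20 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 203.0.113.30 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4410, #pkts encrypt: 4410, #pkts digest: 4410
    #pkts decaps: 4302, #pkts decrypt: 4302, #pkts verify: 4302
"""

IDENT_RE = re.compile(
    r"^\s*(local|remote)\s+ident \(addr/mask/prot/port\): "
    r"\(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
PEER_RE = re.compile(r"^\s*current_peer (\S+)")


def parse_ipsec_sas(text: str) -> List[Dict]:
    """Return one dict per SA: peer plus local/remote proxy identities as networks."""
    sas: List[Dict] = []
    current: Dict = {}
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            if side == "local":
                current = {}  # a local ident starts a new SA block
            # dotted netmask form is accepted by ip_network; strict=False keeps host bits
            current[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            current[f"{side}_proto"] = int(proto)
            current[f"{side}_port"] = int(port)
            continue
        m = PEER_RE.match(line)
        if m and "local" in current and "remote" in current:
            current["peer"] = m.group(1)
            sas.append(current)
            current = {}
    return sas


def catch_all_peers(sas: List[Dict]) -> List[str]:
    """Peers whose remote ident is 0.0.0.0/0, i.e. the SA claims every destination."""
    return [sa["peer"] for sa in sas if sa["remote"].prefixlen == 0]


def find_overlaps(sas: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """(wide_peer, wide_remote, narrow_peer, narrow_remote) for every SA whose remote
    ident contains another peer's remote ident. Which SA a packet really lands in is
    decided by crypto map sequence order, so every such overlap deserves a look."""
    findings = []
    for wide in sas:
        for narrow in sas:
            if wide is narrow or wide["peer"] == narrow["peer"]:
                continue
            if narrow["remote"].subnet_of(wide["remote"]):
                findings.append((wide["peer"], str(wide["remote"]),
                                 narrow["peer"], str(narrow["remote"])))
    return findings


if __name__ == "__main__":
    parsed = parse_ipsec_sas(SAMPLE_SHOW_CRYPTO_IPSEC_SA)
    for peer in catch_all_peers(parsed):
        print(f"peer {peer}: catch-all remote ident 0.0.0.0/0")
    for wide_peer, wide_net, narrow_peer, narrow_net in find_overlaps(parsed):
        print(f"peer {wide_peer} ({wide_net}) overlaps peer {narrow_peer} ({narrow_net})")
```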
From avayner at cisco.com Sun Jul 20 15:06:19 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 20 Jul 2008 21:06:19 +0200 Subject: [c-nsp] QoS VLAN trunk Port In-Reply-To: References: <67F7C1FAF83A074AA3520D8F155782A5017239BE@xmb-ams-331.emea.cisco.com> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A1061C@xmb-ams-331.emea.cisco.com> Ahmad, Take a look at "Configuring CoS Mutation": http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/qos.html#wp1371466 Arie -----Original Message----- From: Cheikh-Moussa Ahmad [mailto:acm at axians.de] Sent: Saturday, July 19, 2008 08:20 AM To: Arie Vayner (avayner); cisco-nsp at puck.nether.net Subject: AW: [c-nsp] QoS VLAN trunk Port Hi Guys, > In general, you enable "mls qos vlan-based" on the trunk, and apply the > qos policy on the SVI (interface vlan) - even without any L3 config on > the SVI. > For Qos this works very well. I have an additional requirement. Now I have to change the Cos values on the trunk Port. So there is a trunk between a Cisco Catalyst 4500 and a Juniper ERX. I want to change the CoS Values for every Vlan in a different way. For Example: VLAN 15 CoS =5 VLAN 10 CoS =3 VLAN 20 CoS =1 My idea was to enhance the current policy-map configuration with the command "set cos x", but unfortunately the switch doesn't accept this command, although it is documented in CCO. I checked the Feature Navigator and IOS 12.2(40)SG IPBASE has the feature "Class Based Ethernet CoS Matching & Marking (802.1p & ISL CoS)". So any ideas, why I can not configure this on my cat4500 ? Is there another way to achieve this ?
Regards, Ahmad From acm at axians.de Sun Jul 20 16:00:06 2008 From: acm at axians.de (Cheikh-Moussa Ahmad) Date: Sun, 20 Jul 2008 22:00:06 +0200 Subject: [c-nsp] QoS VLAN trunk Port In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501A1061C@xmb-ams-331.emea.cisco.com> References: <67F7C1FAF83A074AA3520D8F155782A5017239BE@xmb-ams-331.emea.cisco.com> <67F7C1FAF83A074AA3520D8F155782A501A1061C@xmb-ams-331.emea.cisco.com> Message-ID: Hi Arie, thanks for the hint. In my configuration I do not use QinQ tunnel. The other thing is with this configuration I only map the cos to dscp values. My aim is to change the cos values. Do you know how to do so ? Regards, Ahmad > -----Original Message----- > From: Arie Vayner (avayner) [mailto:avayner at cisco.com] > Sent: Sunday, 20 July 2008 21:06 > To: Cheikh-Moussa Ahmad; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] QoS VLAN trunk Port > > Ahmad, > > Take a look at "Configuring CoS Mutation": > http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/qos.html#wp1371466 > > Arie > > -----Original Message----- > From: Cheikh-Moussa Ahmad [mailto:acm at axians.de] > Sent: Saturday, July 19, 2008 08:20 AM > To: Arie Vayner (avayner); cisco-nsp at puck.nether.net > Subject: AW: [c-nsp] QoS VLAN trunk Port > > Hi Guys, > > > > > In general, you enable "mls qos vlan-based" on the trunk, and apply > the > > qos policy on the SVI (interface vlan) - even without any L3 config > on > > > the SVI. > > > > For Qos this works very well. I have an additional requirement. > Now I have to change the Cos values on the trunk Port. > > So there is a trunk between a Cisco Catalyst 4500 and a Juniper ERX. > I want to change the CoS Values for every Vlan in a different way.
> > For Example: VLAN 15 CoS =5 > VLAN 10 CoS =3 > VLAN 20 CoS =1 > > My idea was to enhance the current policy-map configuration with the > command "set cos x", but unfortunately the switch doesn't accept this > command, although it is documented in CCO. I checked the Feature > Navigator and IOS 12.2(40)SG IPBASE has the feature "Class Based > Ethernet CoS Matching & Marking (802.1p & ISL CoS)". > > So any ideas, why I can not configure this on my cat4500 ? > Is there another way to achieve this ? > > Regards, > Ahmad > Registered office of NK Networks & Services GmbH: Von-der-Wettern-Straße 15, 51149 Köln. Register court: Amtsgericht Köln, registration number HRB 30805. Managing director: Tonis Rösche From rodunn at cisco.com Sun Jul 20 19:11:16 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Sun, 20 Jul 2008 19:11:16 -0400 Subject: [c-nsp] multilink ds3's In-Reply-To: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com> References: <66a95d4f0807171746p397fe7c0vfc371976fa25ef5b@mail.gmail.com> Message-ID: <20080720231116.GC3521@rtp-cse-489.cisco.com> We strongly discourage that because of the packet reordering overhead at those rates. If it goes to the BU for support they will deny it. Rodney On Thu, Jul 17, 2008 at 08:46:47PM -0400, Jared Brown wrote: > Hello, > I wanted to check to see if there would be any issue with multilinking 2 > serial ds3's on a pa-2t3 card. I know the IOS supports it, but I was worried > about all the overhead and the proc load. Each end would have a > 7206vxr/npe-g1 and pa-2t3 cards. Thanks.
> > Jared From mrz at velvet.org Sun Jul 20 19:15:39 2008 From: mrz at velvet.org (matthew zeier) Date: Sun, 20 Jul 2008 16:15:39 -0700 Subject: [c-nsp] Cisco/HP 3020 refuses telnet Message-ID: <4883C71B.9020207@velvet.org> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped accepting telnet (because rancid started to fail config checks). Short of rebooting I'm not sure how to fix. I can login on the console (using tacacs auth of all things, so IP works) and can ping it. But telnet gives a connection refused. I've even go so far as changing the IP address on fa0. Any clues/ideas? From peter at rathlev.dk Sun Jul 20 19:38:09 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 21 Jul 2008 01:38:09 +0200 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <4883C71B.9020207@velvet.org> References: <4883C71B.9020207@velvet.org> Message-ID: <1216597089.6905.4.camel@svesken.sys.mjna.net> On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote: > I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped > accepting telnet (because rancid started to fail config checks). > > Short of rebooting I'm not sure how to fix. I can login on the console > (using tacacs auth of all things, so IP works) and can ping it. But > telnet gives a connection refused. I've even go so far as changing the > IP address on fa0. > > Any clues/ideas? How do you log in now? Through the management-webinterface? Can you see the running config, and see if there are any "access-class" defined in your "line vty" config that would deny you access? It might also be "management-interface"-related. The IGESM switches we use (mainly IBM) mostly only accept connections to the interface Vlan marked with the "management" command.
(Btw: Changing the management interface is a little unintuitive, but well explained in the docs.) Regards, Peter From mrz at velvet.org Sun Jul 20 21:28:18 2008 From: mrz at velvet.org (matthew zeier) Date: Sun, 20 Jul 2008 18:28:18 -0700 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <1216597089.6905.4.camel@svesken.sys.mjna.net> References: <4883C71B.9020207@velvet.org> <1216597089.6905.4.camel@svesken.sys.mjna.net> Message-ID: <4883E632.9050207@velvet.org> Peter Rathlev wrote: > On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote: >> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped >> accepting telnet (because rancid started to fail config checks). >> >> Short of rebooting I'm not sure how to fix. I can login on the console >> (using tacacs auth of all things, so IP works) and can ping it. But >> telnet gives a connection refused. I've even go so far as changing the >> IP address on fa0. >> >> Any clues/ideas? > > How do you log in now? Through the management-webinterface? Can you see > the running config, and see if there are any "access-class" defined in > you "line vty" config that would deny you access? > > I might also be "management-interface"-related. The IGESM switches we > use (mainly IBM) mostly only accept connections to the interface Vlan > marked with the "management" command. (Btw: Changing the management > interface is a little unintuitive, but well explained in the docs.) I have four chassis and 8 of these switches all basically with the same config. Only one is no longer accepting telnet. I can only login to it from the serial console. In fact, the first thing I checked with the vty and access list (there isn't one) and then I diff'd the config to the other working switch in that same chassis. I hate these Cisco-but-not-really-Cisco switches so much (no TAC support!). 
I like the ease of wiring but they're such a pain that I've now started buying the pass-through ethernet modules and running 32 cables to two 3650s! From dcp at dcptech.com Sun Jul 20 21:50:57 2008 From: dcp at dcptech.com (David Prall) Date: Sun, 20 Jul 2008 21:50:57 -0400 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <4883E632.9050207@velvet.org> References: <4883C71B.9020207@velvet.org><1216597089.6905.4.camel@svesken.sys.mjna.net> <4883E632.9050207@velvet.org> Message-ID: <006801c8ead4$3afbdc90$1bfe200a@cisco.com> What does "sh line" give you, are all the vty's in use/hung? What does "who" have to give you? David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier > Sent: Sunday, July 20, 2008 9:28 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Cisco/HP 3020 refuses telnet > > > > Peter Rathlev wrote: > > On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote: > >> I have a Cisco/HP 3020 blade chassis switch that all of a > sudden stopped > >> accepting telnet (because rancid started to fail config checks). > >> > >> Short of rebooting I'm not sure how to fix. I can login > on the console > >> (using tacacs auth of all things, so IP works) and can > ping it. But > >> telnet gives a connection refused. I've even go so far > as changing the > >> IP address on fa0. > >> > >> Any clues/ideas? > > > > How do you log in now? Through the > management-webinterface? Can you see > > the running config, and see if there are any > "access-class" defined in > > you "line vty" config that would deny you access? > > > > I might also be "management-interface"-related. The IGESM > switches we > > use (mainly IBM) mostly only accept connections to the > interface Vlan > > marked with the "management" command. (Btw: Changing the management > > interface is a little unintuitive, but well explained in the docs.) 
> > I have four chassis and 8 of these switches all basically > with the same > config. Only one is no longer accepting telnet. I can only > login to it > from the serial console. > > In fact, the first thing I checked with the vty and access > list (there > isn't one) and then I diff'd the config to the other working > switch in > that same chassis. > > I hate these Cisco-but-not-really-Cisco switches so much (no TAC > support!). I like the ease of wiring but they're such a pain > that I've > now started buying the pass-through ethernet modules and running 32 > cables to two 3650s! From achatz at forthnet.gr Mon Jul 21 02:38:44 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Mon, 21 Jul 2008 09:38:44 +0300 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <4883E632.9050207@velvet.org> References: <4883C71B.9020207@velvet.org> <1216597089.6905.4.camel@svesken.sys.mjna.net> <4883E632.9050207@velvet.org> Message-ID: <48842EF4.5030805@forthnet.gr> On our blade switches there is an option on the web interface that allows management from all -external- ports. By default this is disabled. -- Tassos matthew zeier wrote on 21-Jul-08 04:28: > > > Peter Rathlev wrote: > > On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote: > >> I have a Cisco/HP 3020 blade chassis switch that all of a sudden > stopped > >> accepting telnet (because rancid started to fail config checks). > >> > >> Short of rebooting I'm not sure how to fix. I can login on the console > >> (using tacacs auth of all things, so IP works) and can ping it. But > >> telnet gives a connection refused. I've even go so far as changing the > >> IP address on fa0. > >> > >> Any clues/ideas? > > > > How do you log in now? Through the management-webinterface?
Can you see > > the running config, and see if there are any "access-class" defined in > > you "line vty" config that would deny you access? > > > > I might also be "management-interface"-related. The IGESM switches we > > use (mainly IBM) mostly only accept connections to the interface Vlan > > marked with the "management" command. (Btw: Changing the management > > interface is a little unintuitive, but well explained in the docs.) > > I have four chassis and 8 of these switches all basically with the same > config. Only one is no longer accepting telnet. I can only login to it > from the serial console. > > In fact, the first thing I checked with the vty and access list (there > isn't one) and then I diff'd the config to the other working switch in > that same chassis. > > I hate these Cisco-but-not-really-Cisco switches so much (no TAC > support!). I like the ease of wiring but they're such a pain that I've > now started buying the pass-through ethernet modules and running 32 > cables to two 3650s! > From Andrey_Oleinik at bms-consulting.com Mon Jul 21 02:42:58 2008 From: Andrey_Oleinik at bms-consulting.com (Andrey Oleinik) Date: Mon, 21 Jul 2008 09:42:58 +0300 Subject: [c-nsp] 7600, SRB3, high CPU on "BGP Event" In-Reply-To: References: Message-ID: <68D5E673B49F1D45A5BE41058C8AFDBCC189A05402@BMSEXCH.BMS-CONSULTING.COM> Chris, Some interfaces (like Eth) doesn't provide us with connectivity status at IP level. So U unnecessary need to have ur Ethernet to be flapping to lose IP-connectivity, correct? But I think U just have ur RIB rebuilt too fast due to flaps somewhere behind of ur neis. -- Respect, Andy Oleynik Telecom Dpt Chief BMS Consulting Ltd 10, Stritenska Str., of.
520 Kyiv, 01025, UA tel +380(44)4619961 tel +380(44)4619963 extn 162 fax +380(44)4619962 www.bms-consulting.com andyo> -----Original Message----- andyo> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- andyo> bounces at puck.nether.net] On Behalf Of Christian Bering andyo> Sent: Friday, July 18, 2008 9:34 PM andyo> To: cisco-nsp at puck.nether.net andyo> Subject: [c-nsp] 7600, SRB3, high CPU on "BGP Event" andyo> andyo> Hi all, andyo> andyo> After upgrading a SUP720-3BXL to SRB3, CPU utilization has gone up andyo> quite andyo> a bit. The CLI is extremely slow and the input lag is awful. andyo> andyo> The process eating up most of the CPU is the "BGP Event" which andyo> seems to andyo> run quite often and every time it does, I get the following andyo> messages andyo> from 'debug ip bgp event': andyo> andyo> Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. andyo> penalty andyo> 3447, flap count 40165 andyo> Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. andyo> penalty andyo> 3947, flap count 40166 andyo> Jul 18 20:27:02.430 MET-DST: EvD: charge penalty 500, new accum. andyo> penalty andyo> 4447, flap count 40167 andyo> andyo> EvD isn't enabled on the box and searching CCO for it shows me an andyo> interface ought to be involved in it if it was: andyo> andyo> 00:07:17:EvD(Ethernet1/1):charge penalty 1000, new accum. penalty andyo> 1000, andyo> flap count 1 andyo> andyo> But I have no interfaces flapping and I am puzzled why I am seeing andyo> these andyo> messages when debugging BGP events. What would be the cause of andyo> these andyo> messages and is it likely they are responsible for the high CPU andyo> utilization? 
andyo> andyo> Thanks in advance, andyo> andyo> -- andyo> Regards andyo> Christian Bering From stig.johansen at ementor.no Mon Jul 21 03:33:29 2008 From: stig.johansen at ementor.no (Stig Johansen) Date: Mon, 21 Jul 2008 09:33:29 +0200 Subject: [c-nsp] IPSec SA + EzVPN conflict References: <48838CA2.5060105@poggs.co.uk> Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B6D@100NOOSLMSG004.common.alpharoot.net> Not sure if there is any command to enforce a client-side split-vpn which breaks the server-side configuration. This would kind of invalidate the whole security model. What you could do, is separate the two VPNs in two different VRFs. I haven't tried putting an EzVPN-config in a VRF before, but maybe it works? If not, let the EzVPN live in the global routing and stick the IPSec-tunnel in another VRF. You'll have to do some creative config/wiring on the LAN-side, but it should be possible. Best regards, Stig Meireles Johansen -- http://en.wikipedia.org/wiki/Posting_style For users of modern email clients and intelligent email services like Google mail, which display entire email threads in logical order and hide extraneous content, the distinction between different posting styles is often now less relevant. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Hicks Sent: 20 July 2008 21:06 To: cisco-nsp at puck.nether.net Subject: [c-nsp] IPSec SA + EzVPN conflict Hello One of my customers has an IPSec VPN to Company A, and wants to migrate his existing client-based VPN to Company B to the same router (3725 with 12.4(12) Advanced Enterprise Services on it). After putting the EzVPN config on, the VPN to Company B came up and hosts there were reachable.
Nothing at Company A was reachable, yet the SAs were still established. Further digging showed that the SAs for Company B's VPN specified a remote network of 0.0.0.0/0, tunnelling all traffic and not just to the subnet we're interested in. Is there a way around this? Peter -- Peter Hicks | e: my.name at poggs.co.uk | g: 0x5DA31330 | w: www.poggs.com A: Because it destroys the flow of the conversation Q: Why is top-posting bad? From almog.purepeak at gmail.com Mon Jul 21 05:04:54 2008 From: almog.purepeak at gmail.com (almog ohayon) Date: Mon, 21 Jul 2008 12:04:54 +0300 Subject: [c-nsp] bgp traffic index Message-ID: <3b53747c0807210204x46576767l581e4637b910735d@mail.gmail.com> hi, i've configured BGP accounting policy exactly as written in the Cisco documentation and it's not working. this is an example from testing environment - i've 1 router in AS100 which is connected in F0/0 to 2 routers : AS200 + AS300. this is the configuration:
---------------------------------------------------------------
router bgp 100
 neighbor 1.1.1.2 remote-as 200
 neighbor 1.1.1.3 remote-as 300
 table-map INDEX
!
ip as-path access-list 2 permit _200_
ip as-path access-list 3 permit _300_
!
route-map INDEX permit 10
 match as-path 2
 set traffic-index 2
!
route-map INDEX permit 20
 match as-path 3
 set traffic-index 3
!
route-map INDEX permit 30
 set traffic-index 4
!
interface f0/0
 ip address 1.1.1.1 255.255.255.0
 bgp-policy accounting
------------------------------------------------------------------
the problem is when i enter the command : show cef interface policy-statistics i get 0 in the entire rows :
Router_1# show cef interface policy-statistics
F0/0 is up (if_number 1)
Bucket Packets Bytes
1 0 0
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
8 0 0
From p.mayers at imperial.ac.uk Mon Jul 21 06:21:18 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 21 Jul 2008 11:21:18 +0100 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <4883C71B.9020207@velvet.org> References: <4883C71B.9020207@velvet.org> Message-ID: <4884631E.8020402@imperial.ac.uk> matthew zeier wrote: > I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped > accepting telnet (because rancid started to fail config checks). > > Short of rebooting I'm not sure how to fix. I can login on the console > (using tacacs auth of all things, so IP works) and can ping it. But > telnet gives a connection refused. I've even go so far as changing the > IP address on fa0. > > Any clues/ideas? Something might have eaten all the VTYs.
If that's so, you can actually see who's connected via SNMP (if you've got it setup) and even terminate their connection - a colleague of mine discovered this:
snmpwalk -c READCOMM -v 2c $SWITCH .1.3.6.1.2.1.6.13.1.1
TCP-MIB::tcpConnState.192.168.1.1.22.192.168.1.41.1022 = established(5)
# lots more
then:
snmpset -c WRITECOMM -v 2c $SWITCH TCP-MIB::tcpConnState.$DSTIP.$DPORT.$SRCIP.$SPORT i 12
You'll want to fix this permanently if this is the problem:
line vty 0 15
 session-timeout 1440
 exec-timeout 1440 0
From sam_mailinglists at spacething.org Mon Jul 21 06:23:38 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 21 Jul 2008 11:23:38 +0100 Subject: [c-nsp] Reconstructing a spanning-tree break Message-ID: <488463AA.30603@spacething.org> Hi, In the "sh span vlan X detail" command there's output similar to the following: Root port is 47 (GigabitEthernet1/47), cost of root path is 14 Topology change flag not set, detected flag not set Number of topology changes 11 last change occurred 2d00h ago from GigabitEthernet1/47 What is the meaning of the number of "Number of topology changes". Is this only incremented when a BPDU with the TC bit set is received? Or is it set when a switch sends a TCN? Or perhaps even against a root port that has gone down or stopped receiving BPDUs? We have had a strange spanning-tree occurrence that we are trying to reconstruct. Looking at the ports listed under topology changes, we have this occurrence: SW7 >------< SW8 | X | | /|\ | SW3 SW4 (R) | \|/ | | /|\ | SW1 -------< SW2 SW4 is the root switch. X is a blocking port Arrows represent the port that received a topology change (all at the same time). So SW4 received a TC from SW2, which received a TC from SW3, which received a TC from SW7, which received a TC from SW8. But SW8 claims to have received a TC from SW7. :| This doesn't seem to make sense unless SW8 is listing the port for some other reason?
"logging event link-status" (or "spanning-tree logging") was not configured on any switch so don't know if any of the ports went up or down. SW3 and SW4 are L3 switches, running HSRP. Ordinarily SW4 is active and SW3 is standby, but for a period of time both went active. Can anyone explain what happened here? Sam From vikassharmas at gmail.com Mon Jul 21 07:29:45 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Mon, 21 Jul 2008 16:59:45 +0530 Subject: [c-nsp] BGP - unsupported parameter - peer reset In-Reply-To: References: Message-ID: Hi, To my astonishment, everything started working fine after enabling mpls on juniper ERX globally. Can any one tell me the reason? My understanding which proved to be wrong in case of ERX is - The issue we have is bgp session not establishing (not, bgp is not advertising the vpnv4 routes). ERX can advertise ipv4:vpn unicast (vpnv4 routes) only after mpbgp is in establish state. The statement from juniper holds true not only for juniper but for any other vendor as until mpls is not configured it will not advertise any vpnv4 routes. The process for bgp is - First bgp session is established then only bgp advertise the routes / prefixes The process for mpbgp is - First the mpbgp session is establish then only one can see any vpnv4 routes My point is to establish mpbgp session we do not need to enable mpls. After mpbgp session only vpnv4 prefixes can be seen in mpbgp table. Thus the answer from Juniper is not to the point. Still we do not know the reason for mpbgp session not establishing and in the logs it is clearly stating the reason is capability mismatch. Further to this mpbgp and mpls are entirely two different independent protocols and configured separately, one under bgp process and another under mpls and mpls is just a transport protocol. Summary of the above is - advertisement of vpnv4 routes, mpbgp session establishment and enabling mpls are different process.
Thus juniper has to rework on the issue and let us know the actual reason. Regards, Vikas Sharma On 7/14/08, Vikas Sharma wrote: > > Hi, > > I have mpls network where I am connecting ERX (juniper box) as PE to cisco > 12 k (vpnv4 route reflector). At all locations it's working fine except one > and showing me on ERX unsupported capabilities. > > from ERX - > > We received an unsupported-capability notification from this peer. > This indicates that the peer does not ignore unrecognized capabilities. > We received the notification before we received an open from this peer. > As a result we cannot guess which capabilities are supported by the > peer. > We won't advertise capabilities with known interoperability problems. > Capability advertisements: > Capabilities option: send > Dynamic capability negotiation: send > Deprecated dynamic capability negotiation: send > Multi-protocol extensions: send > Route refresh: send > Route refresh (Cisco proprietary): send > Four octet AS numbers: send > Graceful restart: > Graceful restart negotiation: > Restart time is 120 seconds > Stale paths time is 360 seconds > The last time that the session was in state established: > We did not send the graceful-restart capability > We did not receive the graceful-restart capability > Total of 20782 messages sent, 20639 messages received > 0 update messages sent, 0 update messages received > > As per rfc3392, if bgp speaking router does not understand optional > community, it should ignore it and should not try to re-establish the > session. I am attaching the status of sh ip bgp vpnv1 a s for the ref.
> > on ERX - > > sh ip bgp vpnv4 all s > Local router ID 212.74.69.117, local AS 8220 > Administrative state is Start > BGP Operational state is Up > Shutdown in overload state is disabled > Default local preference is 100 > IGP synchronization is disabled > Default originate is disabled > Auto summary is disabled > Always compare MED is disabled > Compare MED within confederation is disabled > Advertise inactive routes is disabled > Advertise best external route to internal peers is disabled > Enforce first AS is enabled > Missing MED as worst is disabled > Route flap dampening is disabled > Log neighbor changes is enabled > Fast External Fallover is disabled > No maximum received AS-path length > BGP administrative distances are 20 (ext), 200 (int), and 200 (local) > Client-to-client reflection is enabled > Cluster ID is not configured (local router ID used) > Route-target filter is enabled > Default IPv4-unicast is enabled > Check next-hops of vpn routes is disabled > Redistribution of iBGP routes is disabled > Graceful restart is globally disabled > Global graceful-restart restart time is 120 seconds > Global graceful-restart stale paths time is 360 seconds > Graceful-restart path selection defer time is 360 seconds > Graceful-restart is not ready to switch to the standby SRP > The last restart was not graceful > Address family ipv4:vpn-unicast in core VRF operationally down due to > IPv6 > not present > Local-RIB version 2. FIB version 2. > > Messages Messages > Prefixes > Neighbor AS State Up/down time Sent Received > Received > 212.74.69.112 8220 Idle 2d 06:25:40 18301 18166 > 0 > > 212.74.69.113 8220 Idle 4d 11:06:33 20934 20788 > 0 > > these are two route reflectors connected to this PE. We have one more PE > (again ERX box), which does not have any issue. > > For your ref. 
I am also attaching working and non-working ERX, sh ip bgp v > a nei "" output > > working ERX - > > Capability advertisements: > Capabilities option: sent, received > Dynamic capability negotiation: sent > Deprecated dynamic capability negotiation: sent > Multi-protocol extensions: sent, received > Route refresh: sent, received > Route refresh (Cisco proprietary): sent, received > Four octet AS numbers: sent > Graceful restart: > *Multi-protocol extensions negotiation: > ip-v4 vpn-unicast: sent, received, used > * Dynamic capability negotiation: > Multi-protocol extensions: sent > Route refresh: sent > Graceful restart: sent > Route refresh (Cisco proprietary): sent > Graceful restart negotiation: > Restart time is 120 seconds > Stale paths time is 360 seconds > We did not send the graceful-restart capability > > Non- working ERX - > > Capability advertisements: > Capabilities option: send > Dynamic capability negotiation: send > Deprecated dynamic capability negotiation: send > Multi-protocol extensions: send > Route refresh: send > Route refresh (Cisco proprietary): send > Four octet AS numbers: send > Graceful restart: > Graceful restart negotiation: > Restart time is 120 seconds > Stale paths time is 360 seconds > > Note- I can see the difference as in working I can see multiprotocol > extension negotiations while I can not see the same in non-working.
>
> Since the message states an issue with 12k !!!, which I am not sure abt, sending this to cisco-mail ;)
>
> Regards,
>
> Vikas Sharma

From A.L.M.Buxey at lboro.ac.uk Mon Jul 21 07:52:58 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 21 Jul 2008 12:52:58 +0100 Subject: [c-nsp] Reconstructing a spanning-tree break In-Reply-To: <488463AA.30603@spacething.org> References: <488463AA.30603@spacething.org> Message-ID: <20080721115258.GA19623@lboro.ac.uk>

Hi,

> "logging event link-status" (or "spanning-tree logging") was not configured
> on any switch so I don't know if any of the ports went up or down.

no syslog either. What about the uptime of the switches... did one or more fail due to loss of power?

are you running PVST?

alan

From almog.purepeak at gmail.com Mon Jul 21 08:24:43 2008 From: almog.purepeak at gmail.com (almog ohayon) Date: Mon, 21 Jul 2008 15:24:43 +0300 Subject: [c-nsp] Fwd: bgp traffic index In-Reply-To: <3b53747c0807210524s64ba7903u5e2ddc0dd2b2c8a2@mail.gmail.com> References: <3b53747c0807210204x46576767l581e4637b910735d@mail.gmail.com> <3b53747c0807210524s64ba7903u5e2ddc0dd2b2c8a2@mail.gmail.com> Message-ID: <3b53747c0807210524v376e81e6k7bc622e53c4ce008@mail.gmail.com>

---------- Forwarded message ----------
From: almog ohayon
Date: Mon, Jul 21, 2008 at 3:24 PM
Subject: Re: [c-nsp] bgp traffic index
To: Raymond Macharia

CEF was enabled globally. Even after I've enabled ip route-cache flow it's not working.

Important note: when I enter "sh ip cef detailed" I can see that the prefix is marked with the correct traffic-index, but when I write "show cef interface policy-statistics" it shows me nothing... What kind of traffic does the router refer to in the following command? Any traffic? Even ping?

On Mon, Jul 21, 2008 at 1:23 PM, Raymond Macharia wrote:
> Hi
> have you enabled CEF globally. usually comes enabled but its good to check
> also on the interface do you have "ip route-cache flow" enabled?
>
> Regards
>
> Raymond
>
> On Mon, Jul 21, 2008 at 12:04 PM, almog ohayon wrote:
> > hi,
> > i've configured BGP accounting policy exactly as written in the Cisco
> > documentation and it's not working.
> > this is an example from testing environment - i've 1 router in AS100 which
> > is connected in F0/0 to 2 routers : AS200 + AS300.
> >
> > this is the configuration:
> > ---------------------------------------------------------------
> > router bgp 100
> >  neighbor 1.1.1.2 remote-as 200
> >  neighbor 1.1.1.3 remote-as 300
> >  table-map INDEX
> > !
> > ip as-path access-list 2 permit _200_
> > ip as-path access-list 3 permit _300_
> > !
> > route-map INDEX permit 10
> >  match as-path 2
> >  set traffic-index 2
> > !
> > route-map INDEX permit 20
> >  match as-path 3
> >  set traffic-index 3
> > !
> > route-map INDEX permit 30
> >  set traffic-index 4
> > !
> > interface f0/0
> >  ip address 1.1.1.1 255.255.255.0
> >  bgp-policy accounting
> > ------------------------------------------------------------------
> > the problem is when i enter the command : show cef interface
> > policy-statistics i get 0 in the entire rows :
> >
> > Router_1# show cef interface policy-statistics
> > F0/0 is up (if_number 1)
> >   Bucket   Packets   Bytes
> >   1        0         0
> >   2        0         0
> >   3        0         0
> >   4        0         0
> >   5        0         0
> >   6        0         0
> >   7        0         0
> >   8        0         0
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
>
> --
> Raymond Macharia

From vikassharmas at gmail.com Mon Jul 21 08:30:59 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Mon, 21 Jul 2008 18:00:59 +0530 Subject: [c-nsp] FWSM and AAA Message-ID:

Hi,

I have a setup where users dial in to an access server (BRAS) and get authenticated via AAA. Now I want to implement FWSM so that all traffic first goes to the FWSM and then to anywhere in the network.
But since the user is getting all attributes, e.g. IP address and VRF, from AAA, I am not able to understand the traffic flow. Can anyone help me out to understand this? The 1st packet should go to the FWSM and then to the VRF; the issue is I cannot map a VLAN to a VRF, as I am getting all this information from AAA.

Regards
Vikas Sharma

From sam_mailinglists at spacething.org Mon Jul 21 08:39:34 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 21 Jul 2008 13:39:34 +0100 Subject: [c-nsp] Reconstructing a spanning-tree break In-Reply-To: <20080721115258.GA19623@lboro.ac.uk> References: <488463AA.30603@spacething.org> <20080721115258.GA19623@lboro.ac.uk> Message-ID: <48848386.1030503@spacething.org>

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> "logging event link-status" (or "spanning-tree logging") was not configured
>> on any switch so I don't know if any of the ports went up or down.
>
> no syslog either. what about the uptime of the switches...did one or
> more fail due to loss of power?
>
> are you running PVST?
>
> alan

Hi Alan,

It's Rapid-PVST. Thanks for your reply.

I've since found out some other information (SW2 was reloaded) that makes it a bit confusing to explain the entire situation here, and I wouldn't expect anyone here to sit through my entire timeline of events :)

It would be helpful if someone could answer just the first question, regarding the meaning of "topology changes" under "sh span vlan x detail".

  Root port is 47 (GigabitEthernet1/47), cost of root path is 14
  Topology change flag not set, detected flag not set
  Number of topology changes 11 last change occurred 2d00h ago
          from GigabitEthernet1/47

That is, what type of packet (TCN, TCA, BPDU with TC set) or event (missing root BPDU, transition to forwarding) causes this counter to increment (and records the port underneath)?
And, how, after a spanning-tree convergence/event (caused by the reloading of SW2), can the ports listed under the topology change end up pointing at each other (as in this example)?

  SW7 >------< SW8 | X | | /|\ | SW3 SW4 (R) | \|/ | | /|\ | SW1 -------< SW2

SW4 is the root switch. X is a blocking port. Arrows represent the port that received a topology change (all at the same time) listed under "sh spantree vlan X detail".

What happened to make the ports listed on SW7 and SW8 point at each other?

I can envisage this scenario: SW2 is reloaded, causing the blocking port on SW8 to go forwarding. After SW2 is reloaded the port goes back to blocking, and SW8 issues a TCN. But this would mean that SW8 logged the _outgoing_ port it sent the TCN on, while all the others logged the port that _received_ the TCN. I can't find any information to support this hypothesis. The name "topology change" also suggests that it could be looking at the TC bit in BPDUs, not the TCNs.

If anyone can explain this to me I will be very grateful,

Sam

(I'm actually beginning to suspect that SW2 continued to forward BPDUs but not HSRP packets, and knowledge of how the counters work should help me work through this possibility.)
From almog.purepeak at gmail.com Mon Jul 21 08:46:54 2008 From: almog.purepeak at gmail.com (almog ohayon) Date: Mon, 21 Jul 2008 15:46:54 +0300 Subject: [c-nsp] Fwd: bgp traffic index In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0FA57@xmb-ams-333.emea.cisco.com> References: <3b53747c0807210204x46576767l581e4637b910735d@mail.gmail.com> <3b53747c0807210524s64ba7903u5e2ddc0dd2b2c8a2@mail.gmail.com> <3b53747c0807210524v376e81e6k7bc622e53c4ce008@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405C0FA57@xmb-ams-333.emea.cisco.com> Message-ID: <3b53747c0807210546wba40880t8599eb158123f0fd@mail.gmail.com>

3600 Software (C3640-JS-M), Version 12.4(18), RELEASE SOFTWARE (fc1)

On Mon, Jul 21, 2008 at 3:30 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
> which platform is this?
>
> oli
>
> almog ohayon <> wrote on Monday, July 21, 2008 2:25 PM:
>
> > ---------- Forwarded message ----------
> > From: almog ohayon
> > Date: Mon, Jul 21, 2008 at 3:24 PM
> > Subject: Re: [c-nsp] bgp traffic index
> > To: Raymond Macharia
> >
> > cef was enabled globally.
> > even after i've enabled ip route-cache flow it's not working.
> > important note: when i enter sh ip cef detailed i can see that the
> > prefix is marked with the correct traffic-index but
> > when i write show cef interface policy-statistics it shows me
> > nothing ... what kind of traffic does the router refer to in the
> > following command ??
> > any traffic ?? even ping ??
> >
> > On Mon, Jul 21, 2008 at 1:23 PM, Raymond Macharia wrote:
> >
> >> Hi
> >> have you enabled CEF globally. usually comes enabled but its good to
> >> check also on the interface do you have "ip route-cache flow"
> >> enabled?
> >>
> >> Regards
> >>
> >> Raymond
> >>
> >> On Mon, Jul 21, 2008 at 12:04 PM, almog ohayon wrote:
> >>> hi,
> >>> i've configured BGP accounting policy exactly as written in the
> >>> Cisco documentation and it's not working.
> >>> this is an example from testing environment - i've 1 router in
> >>> AS100 which is connected in F0/0 to 2 routers : AS200 + AS300.
> >>>
> >>> this is the configuration:
> >>> ---------------------------------------------------------------
> >>> router bgp 100
> >>>  neighbor 1.1.1.2 remote-as 200
> >>>  neighbor 1.1.1.3 remote-as 300
> >>>  table-map INDEX
> >>> !
> >>> ip as-path access-list 2 permit _200_
> >>> ip as-path access-list 3 permit _300_
> >>> !
> >>> route-map INDEX permit 10
> >>>  match as-path 2
> >>>  set traffic-index 2
> >>> !
> >>> route-map INDEX permit 20
> >>>  match as-path 3
> >>>  set traffic-index 3
> >>> !
> >>> route-map INDEX permit 30
> >>>  set traffic-index 4
> >>> !
> >>> interface f0/0
> >>>  ip address 1.1.1.1 255.255.255.0
> >>>  bgp-policy accounting
> >>> ------------------------------------------------------------------
> >>> the problem is when i enter the command : show cef interface
> >>> policy-statistics i get 0 in the entire rows :
> >>>
> >>> Router_1# show cef interface policy-statistics
> >>> F0/0 is up (if_number 1)
> >>>   Bucket   Packets   Bytes
> >>>   1        0         0
> >>>   2        0         0
> >>>   3        0         0
> >>>   4        0         0
> >>>   5        0         0
> >>>   6        0         0
> >>>   7        0         0
> >>>   8        0         0
> >>>
> >>> _______________________________________________
> >>> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>>
> >>
> >>
> >> --
> >> Raymond Macharia
> >>
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

From cchurc05 at harris.com Mon Jul 21 09:41:06 2008 From: cchurc05 at harris.com (Church, Charles) Date: Mon, 21 Jul 2008 08:41:06 -0500 Subject: [c-nsp] Cisco/HP 3020 refuses telnet In-Reply-To: <48842EF4.5030805@forthnet.gr> References: <4883C71B.9020207@velvet.org>
<1216597089.6905.4.camel@svesken.sys.mjna.net> <4883E632.9050207@velvet.org> <48842EF4.5030805@forthnet.gr> Message-ID:

Is it possible it's out of memory? That can cause telnet to fail, but console access would still work.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
Sent: Monday, July 21, 2008 2:39 AM
To: matthew zeier
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco/HP 3020 refuses telnet

On our blade switches there is an option on the web interface that allows management from all -external- ports. By default this is disabled.

--
Tassos

matthew zeier wrote on 21-Jul-08 04:28:
>
>
> Peter Rathlev wrote:
> > On Sun, 2008-07-20 at 16:15 -0700, matthew zeier wrote:
> >> I have a Cisco/HP 3020 blade chassis switch that all of a sudden stopped
> >> accepting telnet (because rancid started to fail config checks).
> >>
> >> Short of rebooting I'm not sure how to fix. I can login on the console
> >> (using tacacs auth of all things, so IP works) and can ping it. But
> >> telnet gives a connection refused. I've even gone so far as changing the
> >> IP address on fa0.
> >>
> >> Any clues/ideas?
> >
> > How do you log in now? Through the management-webinterface? Can you see
> > the running config, and see if there are any "access-class" defined in
> > your "line vty" config that would deny you access?
> >
> > It might also be "management-interface"-related. The IGESM switches we
> > use (mainly IBM) mostly only accept connections to the interface Vlan
> > marked with the "management" command. (Btw: Changing the management
> > interface is a little unintuitive, but well explained in the docs.)
>
> I have four chassis and 8 of these switches all basically with the same
> config. Only one is no longer accepting telnet. I can only login to it
> from the serial console.
>
> In fact, the first thing I checked was the vty and access list (there
> isn't one) and then I diff'd the config to the other working switch in
> that same chassis.
>
> I hate these Cisco-but-not-really-Cisco switches so much (no TAC
> support!). I like the ease of wiring but they're such a pain that I've
> now started buying the pass-through ethernet modules and running 32
> cables to two 3650s!
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From chris.garzon at gmail.com Mon Jul 21 11:01:18 2008 From: chris.garzon at gmail.com (Dracul) Date: Mon, 21 Jul 2008 23:01:18 +0800 Subject: [c-nsp] Maximizing Router capabilities Message-ID: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com>

Hi list,

I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

Thanks!
Chris

From Michael.Balasko at cityofhenderson.com Mon Jul 21 11:24:00 2008 From: Michael.Balasko at cityofhenderson.com (Michael Balasko) Date: Mon, 21 Jul 2008 08:24:00 -0700 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> Message-ID: <9AF22D15085E7D409ED5710CBC779E9306B7C9CA@COHNTCS09.ci.henderson.nv.us>

You load the one you are licensed for...
Michael Balasko

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
Sent: Monday, July 21, 2008 8:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Maximizing Router capabilities

Hi list,

I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

Thanks!
Chris
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From paul at paulstewart.org Mon Jul 21 11:31:23 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 21 Jul 2008 11:31:23 -0400 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> Message-ID: <00dd01c8eb46$d7811c20$86835460$@org>

If it's possible ($$$), we prefer to use advanced enterprise....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
Sent: Monday, July 21, 2008 11:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Maximizing Router capabilities

Hi list,

I am trying to maximize my router's capability by maximizing its DRAM and Flash. Now I am trying to maximize IOS capabilities. Which is better to load, advance IP IOS or Enterprise IOS?

Thanks!
Chris
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.5.3/1564 - Release Date: 7/21/2008 6:42 AM

From jlewis at lewis.org Mon Jul 21 11:39:42 2008 From: jlewis at lewis.org (Jon Lewis) Date: Mon, 21 Jul 2008 11:39:42 -0400 (EDT) Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> Message-ID:

On Mon, 21 Jul 2008, Dracul wrote:

> Hi list,
> I am trying to maximize my router's capability by maximizing its DRAM and
> Flash. Now I am trying to maximize IOS capabilities. Which is better to
> load, advance IP IOS or Enterprise IOS?

cisco.com/go/fn

Use the image that supports the set of features you need or think you may need.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From chris.garzon at gmail.com Mon Jul 21 11:50:09 2008 From: chris.garzon at gmail.com (Dracul) Date: Mon, 21 Jul 2008 23:50:09 +0800 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> Message-ID: <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com>

Thanks all,

Assuming budget is not a hindrance, should I go for the advance enterprise? Is advance enterprise different from the advanced-ip series?

regards,
Chris

On Mon, Jul 21, 2008 at 11:39 PM, Jon Lewis wrote:

> On Mon, 21 Jul 2008, Dracul wrote:
>
>> Hi list,
>> I am trying to maximize my router's capability by maximizing its DRAM and
>> Flash. Now I am trying to maximize IOS capabilities. Which is better to
>> load, advance IP IOS or Enterprise IOS?
>>
>
> cisco.com/go/fn
>
> Use the image that supports the set of features you need or think you may
> need.
> > ---------------------------------------------------------------------- > Jon Lewis | I route > Senior Network Engineer | therefore you are > Atlantic Net | > _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ > -- === Support www.gawadkalinga.org From petelists at templin.org Mon Jul 21 11:57:17 2008 From: petelists at templin.org (Pete Templin) Date: Mon, 21 Jul 2008 10:57:17 -0500 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com> Message-ID: <4884B1DD.9020608@templin.org> Dracul wrote: > Thanks all, > Assuming budget is not a hindrance. So should I go for the advance > enterprise? Advance enterprise is different from advanced-ip series? Yes, they're different. It's not about budget, it's about what's right for your network. Feature-loaded sometimes translates to bug-loaded. pt From kgraham at industrial-marshmallow.com Mon Jul 21 11:57:39 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Mon, 21 Jul 2008 08:57:39 -0700 (PDT) Subject: [c-nsp] Maximizing Router capabilities Message-ID: <512120.26027.qm@web905.biz.mail.mud.yahoo.com> > Assuming budget is not a hindrance. So should I go for the advance > enterprise? Advance enterprise is different from advanced-ip series? http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin0900aecd80281b17.html From jcdarby at usgs.gov Mon Jul 21 12:00:16 2008 From: jcdarby at usgs.gov (Justin C. Darby) Date: Mon, 21 Jul 2008 11:00:16 -0500 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com> Message-ID: You should really shop by feature set. 
Advanced Enterprise IOS licenses are expensive. If you don't need all of the features present, you should only license the features you need. Expanding DRAM and Flash beyond what is required for the image you need is also sometimes expensive, depending on which router you have.

We can't tell you which IOS does what unless we know which router you're using. Features change by platform.

Ideally, you can figure out which features you need by reading through the IOS documentation at http://cisco.com/go/ios , then use the feature navigator linked below to find an appropriate image for your router.

Justin

On Jul 21, 2008, at 10:50 AM, Dracul wrote:

> Thanks all,
> Assuming budget is not a hindrance. So should I go for the advance
> enterprise? Advance enterprise is different from advanced-ip series?
>
> regards,
> Chris
>
> On Mon, Jul 21, 2008 at 11:39 PM, Jon Lewis wrote:
>
>> On Mon, 21 Jul 2008, Dracul wrote:
>>
>>> Hi list,
>>> I am trying to maximize my router's capability by maximizing its
>>> DRAM and
>>> Flash. Now I am trying to maximize IOS capabilities. Which is
>>> better to
>>> load, advance IP IOS or Enterprise IOS?
>>>
>>
>> cisco.com/go/fn
>>
>> Use the image that supports the set of features you need or think
>> you may
>> need.
>> >> ---------------------------------------------------------------------- >> Jon Lewis | I route >> Senior Network Engineer | therefore you are >> Atlantic Net | >> _________ http://www.lewis.org/~jlewis/pgp for PGP public >> key_________ >> > > > > -- > === > Support www.gawadkalinga.org > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From isplists at duracom.net Mon Jul 21 12:16:02 2008 From: isplists at duracom.net (Rhino Lists) Date: Mon, 21 Jul 2008 11:16:02 -0500 Subject: [c-nsp] Transparent Proxy Message-ID: <02e601c8eb4d$11d351d0$3579f570$@net> I don't know what I am doing wrong trying to set this up, I want to filter all port 80 traffic through a proxy. I have a 3662 configured the following way: Int f0/0 Main Internet Feed Int f/01 Network Users (That I want to force through a Proxy) ip policy route-map our-proxy access-list 111 deny tcp any any neq www access-list 111 deny tcp host 192.168.1.188 any access-list 111 permit tcp any any log route-map our-proxy permit 10 match ip address 111 set ip next-hop 192.168.1.188 From avayner at cisco.com Mon Jul 21 12:29:05 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Mon, 21 Jul 2008 18:29:05 +0200 Subject: [c-nsp] Transparent Proxy In-Reply-To: <02e601c8eb4d$11d351d0$3579f570$@net> References: <02e601c8eb4d$11d351d0$3579f570$@net> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A10ACD@xmb-ams-331.emea.cisco.com> Hi, Take a look at WCCP. 
It should be supported on most of the proxy servers out there: http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp _ps6350_TSD_Products_Configuration_Guide_Chapter.html Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rhino Lists Sent: Monday, July 21, 2008 19:16 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Transparent Proxy I don't know what I am doing wrong trying to set this up, I want to filter all port 80 traffic through a proxy. I have a 3662 configured the following way: Int f0/0 Main Internet Feed Int f/01 Network Users (That I want to force through a Proxy) ip policy route-map our-proxy access-list 111 deny tcp any any neq www access-list 111 deny tcp host 192.168.1.188 any access-list 111 permit tcp any any log route-map our-proxy permit 10 match ip address 111 set ip next-hop 192.168.1.188 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From juno.guy31 at gmail.com Mon Jul 21 12:44:34 2008 From: juno.guy31 at gmail.com (Juno Guy) Date: Mon, 21 Jul 2008 12:44:34 -0400 Subject: [c-nsp] Nexus Question Message-ID: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs? Also, anyone heard when the NX7018 will be out? 
thx, Juno From avayner at cisco.com Mon Jul 21 13:00:21 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Mon, 21 Jul 2008 19:00:21 +0200 Subject: [c-nsp] Nexus Question In-Reply-To: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> References: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A10AF1@xmb-ams-331.emea.cisco.com> Juno, This should be what you asked for: http://www.cisco.com/en/US/docs/switches/datacenter/hw/nexus7000/install ation/guide/n7k_sys_specs.html Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juno Guy Sent: Monday, July 21, 2008 19:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Nexus Question Does anyone know where I can find or what the power draw are for the Nexus - 48x1GE and 32x10GE LCs? Also, anyone heard when the NX7018 will be out? thx, Juno _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From tstevens at cisco.com Mon Jul 21 13:04:07 2008 From: tstevens at cisco.com (Tim Stevenson) Date: Mon, 21 Jul 2008 10:04:07 -0700 Subject: [c-nsp] Nexus Question In-Reply-To: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.co m> References: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> Message-ID: At 09:44 AM 7/21/2008, Juno Guy observed: >Does anyone know where I can find or what the power draw are for the Nexus - >48x1GE and 32x10GE LCs? The cisco power calculator: http://tools.cisco.com/cpc/ >Also, anyone heard when the NX7018 will be out? Target is end of this calendar year, subject to change. 
Tim

>thx,
>
>Juno
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/

Tim Stevenson, tstevens at cisco.com
Routing & Switching CCIE #5561
Technical Marketing Engineer, Data Center BU
Cisco Systems, http://www.cisco.com
IP Phone: 408-526-6759
********************************************************
The contents of this message may be *Cisco Confidential*
and are intended for the specified recipients only.

From jcdarby at usgs.gov Mon Jul 21 13:18:35 2008 From: jcdarby at usgs.gov (Justin C. Darby) Date: Mon, 21 Jul 2008 12:18:35 -0500 Subject: [c-nsp] Nexus Question In-Reply-To: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> References: <5212a3230807210944l613d8ceauc9807ea855e7d8cd@mail.gmail.com> Message-ID: <4884C4EB.4010608@usgs.gov>

I don't know about the 32-port 10GE cards, but here's a 'show env power' from the N7K I'm working with to replace our 6506 and 6509:

Power Supply:
Voltage: 50 Volts
-----------------------------------------------------
PS  Model                Power       Power     Status
                         (Watts)     (Amp)
-----------------------------------------------------
1   N7K-AC-6.0KW         6000.00     120.00    Ok
2   N7K-AC-6.0KW         6000.00     120.00    Ok
3   ------------            0.00       0.00    Absent

Mod Model               Power      Power      Power      Power      Status
                        Requested  Requested  Allocated  Allocated
                        (Watts)    (Amp)      (Watts)    (Amp)
--- ------------------- ---------  ---------  ---------  ---------  ----------
1   N7K-M148GT-11       400.00     8.00       0.00       0.00       Powered-Dn
2   N7K-M148GT-11       400.00     8.00       400.00     8.00       Powered-Up
5   N7K-SUP1            210.00     4.20       210.00     4.20       Powered-Up
6   N7K-SUP1            210.00     4.20       210.00     4.20       Powered-Up
Xb1 N7K-C7010-FAB-1     60.00      1.20       60.00      1.20       Powered-Up
Xb2 N7K-C7010-FAB-1     60.00      1.20       60.00      1.20       Powered-Up
Xb3 N7K-C7010-FAB-1     60.00      1.20       60.00      1.20       Powered-Up
Xb4 N7K-C7010-FAB-1     60.00      1.20       60.00      1.20       Powered-Up
Xb5 N7K-C7010-FAB-1     60.00      1.20       60.00      1.20       Powered-Up

Power Usage Summary:
--------------------
Power Supply redundancy mode:                 Redundant
Power Supply redundancy operational mode:     Redundant

Total Power Capacity                              6000.00 W

Power reserved for Supervisor(s)                   420.00 W
Power reserved for Fan Module(s)                  2184.00 W
Power reserved for Fabric Module(s)                300.00 W
Power currently used by Modules                    400.00 W
                                                 -------------
Total Power Available                             2696.00 W
                                                 -------------

The N7K-M148GT-11 in slot one is dead and being RMA'd (I had a lovely Friday afternoon). :)

The Cisco Power Calculator (should be available to people using guest access) at http://tools.cisco.com/cpc/ has the N7K and its associated modules listed.

Justin

Juno Guy wrote:
> Does anyone know where I can find or what the power draw are for the Nexus -
> 48x1GE and 32x10GE LCs?
>
> Also, anyone heard when the NX7018 will be out?
>
>
> thx,
>
> Juno
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Mon Jul 21 14:05:36 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 21 Jul 2008 20:05:36 +0200 Subject: [c-nsp] Maximizing Router capabilities In-Reply-To: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> Message-ID: <20080721180536.GJ1231@greenie.muc.de>

Hi,

On Mon, Jul 21, 2008 at 11:01:18PM +0800, Dracul wrote:
> I am trying to maximize my router's capability by maximizing its DRAM and
> Flash. Now I am trying to maximize IOS capabilities. Which is better to
> load, advance IP IOS or Enterprise IOS?

"whatever you have paid for" - this is an obvious troll, isn't it?

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From danletkeman at gmail.com Mon Jul 21 14:05:53 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Mon, 21 Jul 2008 13:05:53 -0500 Subject: [c-nsp] 7961G won't boot Message-ID:

Hello,

I have a 7961G that won't boot up. It powers on via PoE, shows the Cisco splash screen with the checkmark in the bottom left corner, then shows the upgrading screen for a few seconds, then says error on the upgrading screen, then goes back to the Cisco splash screen and there is a circle with a dot in the middle of it in the bottom left corner.

Is there any way to fix this?

Thanks,
Dan.

From rubensk at gmail.com Mon Jul 21 15:58:55 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Mon, 21 Jul 2008 16:58:55 -0300 Subject: [c-nsp] ME6524 alternative Message-ID: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com>

Hi.

After an initial deployment with many ME6500's (ME6524-24GT-8S to be exact), we are finding it too difficult to deal with Cisco for the expansion. What clear alternatives are available from other vendors, or from Cisco, as a nice MPLS router with Ethernet-only interfaces, even with less backplane or with 10/100 access interfaces?

Rubens

From dcp at dcptech.com Mon Jul 21 15:59:08 2008 From: dcp at dcptech.com (David Prall) Date: Mon, 21 Jul 2008 15:59:08 -0400 Subject: [c-nsp] 7961G won't boot In-Reply-To: References: Message-ID: <009301c8eb6c$40457bf0$1bfe200a@cisco.com>

Dan,

I've done this with 7960's, not a 7961.
Have a look at the process for conversion of the phones; here it is for
the 7960, couldn't find the same for a 7961:

http://www.cisco.com/en/US/products/hw/phones/ps379/products_tech_note09186a0080094584.shtml
http://tinyurl.com/23tw2c

Hope it helps,
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Monday, July 21, 2008 2:06 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7961G won't boot
>
> Hello,
>
> I have a 7961G that won't boot up. It powers on via PoE, shows the
> Cisco splash screen with the checkmark in the bottom left corner, then
> shows the upgrading screen for a few seconds, then says error on the
> upgrading screen, then goes back to the Cisco splash screen and there
> is a circle with a dot in the middle of it on the bottom left corner.
>
> Is there any way to fix this?
>
> Thanks,
> Dan.

From nvoth at estreet.com  Mon Jul 21 16:09:21 2008
From: nvoth at estreet.com (Nick Voth)
Date: Mon, 21 Jul 2008 14:09:21 -0600
Subject: [c-nsp] QoS for VoIP to specific proxy
In-Reply-To:
Message-ID:

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've looked
through the archives and the Cisco site, but I'm still confused about what I
need to do.

I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP
traffic to and from a specific VoIP proxy.

Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give me an
idea of how I can accomplish this? Remember, I just basically need priority
queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

---------Customer's CPE config------------>>>>
interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname xxxxx
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
----------

From cchurc05 at harris.com  Mon Jul 21 17:15:06 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Mon, 21 Jul 2008 16:15:06 -0500
Subject: [c-nsp] QoS for VoIP to specific proxy
In-Reply-To:
References:
Message-ID:

Nick,

You can use a class-map to match that traffic using an access-list. If
you really want to be specific, you can do a match-all, and match it to
'protocol' as well. Then define a policy-map that prioritizes that class
to a certain speed. Then attach the output policy to the interface. I
think you can only apply a priority policy to a physical interface,
versus a subint or a virtual one. You can't enforce prioritization
towards you. It's up to the other providers. If they're respecting IP
PREC or DSCP, you're probably all set. Otherwise, you can control it a
bit with input policies to limit non-VoIP traffic (using shaping), but
it's far from an exact science.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Voth
Sent: Monday, July 21, 2008 4:09 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] QoS for VoIP to specific proxy

Hello folks,

Please pardon me asking what I'm sure has been answered before. I've
looked through the archives and the Cisco site, but I'm still confused
about what I need to do.
I have a client whose Cisco 1841 CPE router needs to simply prioritize
SIP traffic to and from a specific VoIP proxy.

Let's say the VoIP proxy is 209.120.xxx.xxx

The customer's current config on their 1841 is below. Can someone give
me an idea of how I can accomplish this? Remember, I just basically need
priority queuing of any traffic to and from that VoIP proxy listed above.

Thanks very much for any help!

-Nick Voth

---------Customer's CPE config------------>>>>
interface FastEthernet0/0
 ip address 67.101.xxx.xxx 255.255.255.248
 duplex auto
 speed auto
 no keepalive
!
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname xxxxx
 ppp chap password 7 01465656080E535773
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
----------

From justin at justinshore.com  Mon Jul 21 17:36:09 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 21 Jul 2008 14:36:09 -0700
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com>
Message-ID: <48850149.8010005@justinshore.com>

Rubens Kuhl Jr. wrote:
> Hi.
>
> After an initial deployment with many ME6500's (ME6524-24GT-8S to be
> exact), we are finding it too difficult to deal with Cisco for the
> expansion. What clear alternatives are available from other vendors or
> from Cisco as a nice MPLS router with Ethernet-only interfaces, even
> with less backplane or with 10/100 access interfaces?

Out of curiosity, what problems are you having? Is it a hardware issue
or a service issue? I have a couple ME6524s and have been happy with
them. We also have some ME3750s and they've been good too. The MEs are
designed for specific solutions.

Justin

From rubensk at gmail.com  Mon Jul 21 17:43:10 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 21 Jul 2008 18:43:10 -0300
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <48850149.8010005@justinshore.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com>
	<48850149.8010005@justinshore.com>
Message-ID: <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com>

>> After an initial deployment with many ME6500's (ME6524-24GT-8S to be
>> exact), we are finding it too difficult to deal with Cisco for the
>> expansion. What clear alternatives are available from other vendors or
>> from Cisco as a nice MPLS router with Ethernet-only interfaces, even
>> with less backplane or with 10/100 access interfaces?
>
> Out of curiosity, what problems are you having? Is it a hardware issue
> or a service issue? I have a couple ME6524s and have been happy with
> them. We also have some ME3750s and they've been good too. The MEs are
> designed for specific solutions.

Cost issues and the relationship with the local subsidiary; we have very
few problems with the ME6500, one being the BFD with SVIs issue that you
don't like either, if I recall correctly.

Are you sure ME3750s are doing well for your network? We had tons of
issues with 3750-Metro, a product that I strongly recommend for my
competitors... we haven't tested ME3400, which sounds very nice (but
doesn't have MPLS), or 4500 with Sup-VI (no MPLS in the software yet).

Rubens

From ben.steele at internode.on.net  Mon Jul 21 19:39:38 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 22 Jul 2008 09:09:38 +0930
Subject: [c-nsp] QoS for VoIP to specific proxy
In-Reply-To:
References:
Message-ID: <463C0AB7D7B74ED9AA2C192077CF585F@MOYAPENYA>

Hi Nick,

You want something like this:

class-map match-all VoIP-Control
 match protocol sip
 match access-group 101

class-map match-all VoIP-Data
 match dscp ef / match precedence 5 / match protocol rtp  **
 match access-group 101

access-list 101 permit ip any host 202.x.VOIP.PROXY

policy-map QOS-OUT
 class VoIP-Control
  bandwidth 60
 class VoIP-Data
  priority percent 50
 class class-default
  fair-queue 2048

then apply the policy-map to your interface like so: "service-policy
output QOS-OUT"

Make sure you have a bandwidth statement set on your interface
("bandwidth x", where x is in kilobits).

The value in the classes under the policy-map, "bandwidth 60", is saying
guarantee this much bandwidth in kilobits to this particular class.

The value in the classes under the policy-map, "priority percent 50", is
saying give 50 percent of the bandwidth you specified in your bandwidth
statement on your interface as LLQ (low latency queuing) to this class.
You want to use priority for your real-time traffic (i.e. the RTP
stream); bandwidth is fine for the normal control traffic and other
traffic (i.e. www etc.) if you were wanting to prioritise that.

You would modify these bandwidth and priority values to your needs based
on the number of simultaneous calls you plan to offer.

** pick one that best suits you; if your VoIP equipment is marking a ToS
bit then great, otherwise match protocol rtp should work unless you are
on an old IOS.

You can't QoS inbound so to speak; the best you can do is police traffic.
I suggest you not worry about this for now, as for VoIP to be effective
the QoS has to be bi-directional, so the other end should be matching
you as well.
Ben

----- Original Message -----
From: "Nick Voth"
To:
Sent: Tuesday, July 22, 2008 5:39 AM
Subject: [c-nsp] QoS for VoIP to specific proxy

> Hello folks,
>
> Please pardon me asking what I'm sure has been answered before. I've looked
> through the archives and the Cisco site, but I'm still confused about what I
> need to do.
>
> I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP
> traffic to and from a specific VoIP proxy.
>
> Let's say the VoIP proxy is 209.120.xxx.xxx
>
> The customer's current config on their 1841 is below. Can someone give me an
> idea of how I can accomplish this? Remember, I just basically need priority
> queuing of any traffic to and from that VoIP proxy listed above.
>
> Thanks very much for any help!
>
> -Nick Voth
>
> ---------Customer's CPE config------------>>>>
> interface FastEthernet0/0
>  ip address 67.101.xxx.xxx 255.255.255.248
>  duplex auto
>  speed auto
>  no keepalive
> !
> !
> interface Serial0/0/0
>  no ip address
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  service-module t1 timeslots 1-24
>  service-module t1 fdl both
>  frame-relay lmi-type ansi
> !
> interface Serial0/0/0.1 point-to-point
>  frame-relay interface-dlci 16 ppp Virtual-Template1
> !
> interface Virtual-Template1
>  ip address negotiated
>  ppp chap hostname xxxxx
>  ppp chap password 7 01465656080E535773
>  ppp ipcp dns request
>  ppp ipcp route default
>  ppp ipcp address accept
> ----------

From nvoth at estreet.com  Mon Jul 21 20:01:50 2008
From: nvoth at estreet.com (Nick Voth)
Date: Mon, 21 Jul 2008 18:01:50 -0600
Subject: [c-nsp] QoS for VoIP to specific proxy
In-Reply-To:
Message-ID:

Thanks very much Charles. I'll use this as a template.

-Nick

> From: "Church, Charles"
> Date: Mon, 21 Jul 2008 16:15:06 -0500
> To: Nick Voth ,
> Conversation: [c-nsp] QoS for VoIP to specific proxy
> Subject: RE: [c-nsp] QoS for VoIP to specific proxy
>
> Nick,
>
> You can use a class-map to match that traffic using an
> access-list. If you really want to be specific, you can do a match-all,
> and match it to 'protocol' as well. Then define a policy-map that
> prioritizes that class to a certain speed. Then attach the output
> policy to the interface. I think you can only apply a priority policy
> to a physical interface, versus a subint or a virtual one. You can't
> enforce prioritization towards you. It's up to the other providers. If
> they're respecting IP PREC or DSCP, you're probably all set. Otherwise,
> you can control it a bit with input policies to limit non-VoIP traffic
> (using shaping), but it's far from an exact science.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nick Voth
> Sent: Monday, July 21, 2008 4:09 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] QoS for VoIP to specific proxy
>
> Hello folks,
>
> Please pardon me asking what I'm sure has been answered before.
> I've looked through the archives and the Cisco site, but I'm still
> confused about what I need to do.
>
> I have a client whose Cisco 1841 CPE router needs to simply prioritize
> SIP traffic to and from a specific VoIP proxy.
>
> Let's say the VoIP proxy is 209.120.xxx.xxx
>
> The customer's current config on their 1841 is below. Can someone give
> me an idea of how I can accomplish this? Remember, I just basically need
> priority queuing of any traffic to and from that VoIP proxy listed above.
>
> Thanks very much for any help!
>
> -Nick Voth
>
> ---------Customer's CPE config------------>>>>
> interface FastEthernet0/0
>  ip address 67.101.xxx.xxx 255.255.255.248
>  duplex auto
>  speed auto
>  no keepalive
> !
> !
> interface Serial0/0/0
>  no ip address
>  encapsulation frame-relay IETF
>  no ip mroute-cache
>  service-module t1 timeslots 1-24
>  service-module t1 fdl both
>  frame-relay lmi-type ansi
> !
> interface Serial0/0/0.1 point-to-point
>  frame-relay interface-dlci 16 ppp Virtual-Template1
> !
> interface Virtual-Template1
>  ip address negotiated
>  ppp chap hostname xxxxx
>  ppp chap password 7 01465656080E535773
>  ppp ipcp dns request
>  ppp ipcp route default
>  ppp ipcp address accept
> ----------

From nvoth at estreet.com  Mon Jul 21 20:02:35 2008
From: nvoth at estreet.com (Nick Voth)
Date: Mon, 21 Jul 2008 18:02:35 -0600
Subject: [c-nsp] QoS for VoIP to specific proxy
In-Reply-To: <463C0AB7D7B74ED9AA2C192077CF585F@MOYAPENYA>
Message-ID:

Thanks very much Ben. This makes sense. Thanks for your help!

-Nick Voth

> From: Ben Steele
> Date: Tue, 22 Jul 2008 09:09:38 +0930
> To: Nick Voth ,
> Subject: Re: [c-nsp] QoS for VoIP to specific proxy
>
> Hi Nick,
>
> You want something like this:
>
> class-map match-all VoIP-Control
>  match protocol sip
>  match access-group 101
>
> class-map match-all VoIP-Data
>  match dscp ef / match precedence 5 / match protocol rtp  **
>  match access-group 101
>
> access-list 101 permit ip any host 202.x.VOIP.PROXY
>
> policy-map QOS-OUT
>  class VoIP-Control
>   bandwidth 60
>  class VoIP-Data
>   priority percent 50
>  class class-default
>   fair-queue 2048
>
> then apply the policy-map to your interface like so: "service-policy
> output QOS-OUT"
>
> Make sure you have a bandwidth statement set on your interface
> ("bandwidth x", where x is in kilobits).
>
> The value in the classes under the policy-map, "bandwidth 60", is saying
> guarantee this much bandwidth in kilobits to this particular class.
>
> The value in the classes under the policy-map, "priority percent 50", is
> saying give 50 percent of the bandwidth you specified in your bandwidth
> statement on your interface as LLQ (low latency queuing) to this class.
> You want to use priority for your real-time traffic (i.e. the RTP
> stream); bandwidth is fine for the normal control traffic and other
> traffic (i.e. www etc.) if you were wanting to prioritise that.
>
> You would modify these bandwidth and priority values to your needs based
> on the number of simultaneous calls you plan to offer.
>
> ** pick one that best suits you; if your VoIP equipment is marking a ToS
> bit then great, otherwise match protocol rtp should work unless you are
> on an old IOS.
>
> You can't QoS inbound so to speak; the best you can do is police traffic.
> I suggest you not worry about this for now, as for VoIP to be effective
> the QoS has to be bi-directional, so the other end should be matching
> you as well.
>
> Ben
>
> ----- Original Message -----
> From: "Nick Voth"
> To:
> Sent: Tuesday, July 22, 2008 5:39 AM
> Subject: [c-nsp] QoS for VoIP to specific proxy
>
>> Hello folks,
>>
>> Please pardon me asking what I'm sure has been answered before. I've looked
>> through the archives and the Cisco site, but I'm still confused about what I
>> need to do.
>>
>> I have a client whose Cisco 1841 CPE router needs to simply prioritize SIP
>> traffic to and from a specific VoIP proxy.
>>
>> Let's say the VoIP proxy is 209.120.xxx.xxx
>>
>> The customer's current config on their 1841 is below. Can someone give me an
>> idea of how I can accomplish this? Remember, I just basically need priority
>> queuing of any traffic to and from that VoIP proxy listed above.
>>
>> Thanks very much for any help!
>>
>> -Nick Voth
>>
>> ---------Customer's CPE config------------>>>>
>> interface FastEthernet0/0
>>  ip address 67.101.xxx.xxx 255.255.255.248
>>  duplex auto
>>  speed auto
>>  no keepalive
>> !
>> !
>> interface Serial0/0/0
>>  no ip address
>>  encapsulation frame-relay IETF
>>  no ip mroute-cache
>>  service-module t1 timeslots 1-24
>>  service-module t1 fdl both
>>  frame-relay lmi-type ansi
>> !
>> interface Serial0/0/0.1 point-to-point
>>  frame-relay interface-dlci 16 ppp Virtual-Template1
>> !
>> interface Virtual-Template1
>>  ip address negotiated
>>  ppp chap hostname xxxxx
>>  ppp chap password 7 01465656080E535773
>>  ppp ipcp dns request
>>  ppp ipcp route default
>>  ppp ipcp address accept
>> ----------

From david.freedman at uk.clara.net  Mon Jul 21 20:55:39 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 22 Jul 2008 01:55:39 +0100
Subject: [c-nsp] Disabling per-interface mls qos in 12.2SX, Possible?
Message-ID:

Currently running a combination of SXF and SXH2a on 65xx, Sup720-3BXL.

Trying to disable PFC qos for a number of interfaces according to the
documentation here:

http://www.cisco.com/en/US/docs/ios/qos/command/reference/qos_m2.html#wp1011524

which states that this should be possible (introduced in 12.2(14)SX).

However, the parser does not accept this command per-interface:

router (config)#int g6/1
router (config-if)#no mls qos ?
  cos                cos keyword
  dscp-mutation      mutation keyword
  exp-mutation       exp mutation keyword
  mpls               mpls keyword
  queue-mode         queueing mode
  statistics-export  qos statistics export enable or disable
  trust              trust keyword

Note lack of <cr>.

Trying the command just disables mls qos for the entire box.

Does anybody know if this is possible, or is it just a documentation
error / clarification issue? Or am I completely misunderstanding this?

Dave.

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From christian at broknrobot.com  Mon Jul 21 20:58:30 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 21 Jul 2008 20:58:30 -0400
Subject: [c-nsp] BGP Hold Time Expired, but why?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F61F@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5D3@xmb-ams-333.emea.cisco.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED78405C0F5FE@xmb-ams-333.emea.cisco.com>
	<70B7A1CCBFA5C649BD562B6D9F7ED78405C0F61F@xmb-ams-333.emea.cisco.com>
Message-ID:

same issue, no differences... got me

On Sun, Jul 20, 2008 at 2:53 AM, Oliver Boehmer (oboehmer) <
oboehmer at cisco.com> wrote:

> I don't know, but I would try it.. Looks weird..
>
> oli
>
> ------------------------------
> *From:* Christian Koch [mailto:christian at broknrobot.com]
> *Sent:* Saturday, July 19, 2008 7:07 PM
> *To:* Oliver Boehmer (oboehmer)
> *Cc:* cisco-nsp
> *Subject:* Re: [c-nsp] BGP Hold Time Expired, but why?
>
> config looks ok as far as i can see, i actually dont have bgp router-id
> set in the bgp config... you think if i add that with the loopback ip, it
> would make a difference?
>
> config
>
> router bgp 65000
>  no synchronization
>  bgp log-neighbor-changes
>  bgp graceful-restart restart-time 120
>  bgp graceful-restart stalepath-time 360
>  bgp graceful-restart
>  bgp dampening
>  neighbor Backbone peer-group
>  neighbor Backbone remote-as 65000
>  neighbor Backbone update-source Loopback1
>  neighbor Backbone version 4
>  neighbor Backbone send-community
>  neighbor 10.10.10.2 peer-group Backbone
>  neighbor 10.10.10.3 peer-group Backbone
>  no auto-summary
>
> On Sat, Jul 19, 2008 at 12:29 PM, Oliver Boehmer (oboehmer) <
> oboehmer at cisco.com> wrote:
>
>> Hmm, "%BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol
>> initialization" looks unexpected, not sure what's happening..
>> just a hunch, but can you double-check your config regarding loopback
>> addresses, bgp router-id and things? Possibly add some bgp debug (deb
>> bgp all events, deb bgp all, deb bgp all keep) and see if something
>> weird pops up?
>> What does the neighbor's (10.10.10.3) log say?
>>
>> oli
>>
>> ________________________________
>>
>> From: Christian Koch [mailto:christian at broknrobot.com]
>> Sent: Saturday, July 19, 2008 3:08 PM
>> To: Oliver Boehmer (oboehmer)
>> Cc: cisco-nsp
>> Subject: Re: [c-nsp] BGP Hold Time Expired, but why?
>>
>> hmm, i didnt check cef/mpls on the new path, i should try that.. there
>> is connectivity between the loopbacks
>>
>> the session comes back up right after the timer expires. thats what
>> puzzles me
>>
>> actually 3-4 is about how long i kept it down for..
>>
>> Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
>> Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
>> Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
>> Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
>> Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
>> Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
>> Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
>> Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
>> Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
>>
>> On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) wrote:
>>
>> No clue what's happening.. I've seen issues in the past with TCP PMTUD
>> when the path converges over a link with a different MTU (which is
>> happening in your case), but as BGP will not send packets larger than
>> 4k, this shouldn't be an issue here.
>>
>> How long did you take down the link before bringing it back up? I assume
>> longer than 3 minutes? Have you checked CEF and MPLS along the new path?
>> You have IP connectivity between the loopbacks aR1 and bR2? Does the
>> session come back up eventually, or will it stay down?
>>
>> oli
>>
>> Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
>>
>> > sorry forgot to specify
>> >
>> > the bgp session from aR1 to bR2 is the session in question
>> >
>> > ck
>> >
>> > On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
>> >
>> >> Hello -
>> >>
>> >> I have the following topology in lab, testing different failure
>> >> scenarios. When i disconnect the link between aR1 and bR1, what
>> >> would appear to be normal happens - ospf and ldp neighbor go down.
>> >>
>> >> When i re-connect the link between aR1 and bR1, the interface comes
>> >> back up, ospf/ldp neighbor is re-established.
>> >>
>> >> 3 minutes later, bgp holdtime expires, and all links are up..
>> >>
>> >>   aR1-----------------bR1
>> >>    |                   |
>> >>    |                   |
>> >>    |                   |
>> >>    |                   |
>> >>   aR2-----------------bR2
>> >>
>> >> Some Notes
>> >> - All Links 10GE
>> >> - Full ibgp mesh
>> >> - Peering is to loopbacks
>> >> - OSPF as IGP
>> >> - Loopbacks in OSPF
>> >> - MPLS Enabled on Interfaces
>> >>
>> >> OSPF cost between aR1 and aR2 is 1
>> >> OSPF cost between bR1 and bR2 is 1
>> >> OSPF cost between aR1 and bR1 is 250
>> >> OSPF cost between aR2 and bR2 is 500
>> >>
>> >> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
>> >> MTU 9182 between bR1 and bR2
>> >>
>> >> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
>> >> IOS on bR1 and bR2 is 12.33.SRC - RSP720
>> >>
>> >> i am stumped, any ideas would be helpful in trying to understand why
>> >> the bgp session is going down due to expired hold time, when all
>> >> links are up..
>> >>
>> >> thanks!
>> >>
>> >> ck
>> >
>> > --
>> > ^christian$
>>
>> --
>> ^christian$

From risnaini at indo.net.id  Mon Jul 21 23:16:47 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 22 Jul 2008 10:16:47 +0700
Subject: [c-nsp] Transparent Proxy
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501A10ACD@xmb-ams-331.emea.cisco.com>
References: <02e601c8eb4d$11d351d0$3579f570$@net>
	<67F7C1FAF83A074AA3520D8F155782A501A10ACD@xmb-ams-331.emea.cisco.com>
Message-ID: <4885511F.5080109@indo.net.id>

Yap, use WCCP. Your config below is not transparent. Once your proxy is
down, all port 80 traffic fails.

rgs
a. rahman isnaini rangkayo sutan

Arie Vayner (avayner) wrote:
> Hi,
>
> Take a look at WCCP.
It should be supported on most of the proxy servers > out there: > http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_wccp > _ps6350_TSD_Products_Configuration_Guide_Chapter.html > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rhino Lists > Sent: Monday, July 21, 2008 19:16 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Transparent Proxy > > I don't know what I am doing wrong trying to set this up, I want to > filter all port 80 traffic through a proxy. > > I have a 3662 configured the following way: > > Int f0/0 > Main Internet Feed > > Int f/01 > Network Users (That I want to force through a Proxy) ip policy > route-map our-proxy > > access-list 111 deny tcp any any neq www > access-list 111 deny tcp host 192.168.1.188 any > access-list 111 permit tcp any any log > route-map our-proxy permit 10 > match ip address 111 > set ip next-hop 192.168.1.188 > > > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From achatz at forthnet.gr Tue Jul 22 03:05:37 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 22 Jul 2008 10:05:37 +0300 Subject: [c-nsp] RSP720 rommon images Message-ID: <488586C1.8010508@forthnet.gr> Hi, Does anyone know where i can download the latest rommon images shown below? http://www.cisco.com/en/US/docs/routers/7600/rommon/rsp720_rommon.html#wp157863 I'm mostly interested in the following two: rsp720_rp-rm2.srec.122-33r.SRD2 rsp720_sp-rm2.srec.122-33r.SRD2 I found only SRB3 rommons on CCO, but i'm already using SRB4. 
--
Tassos

From gulerozgur at yahoo.co.uk Tue Jul 22 05:25:29 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 22 Jul 2008 09:25:29 +0000 (GMT)
Subject: [c-nsp] BGP Hold Time Expired, but why?
In-Reply-To: 
Message-ID: <173076.22280.qm@web25505.mail.ukl.yahoo.com>

Is this a GSR?

--- On Tue, 22/7/08, Christian Koch wrote:

From: Christian Koch
Subject: Re: [c-nsp] BGP Hold Time Expired, but why?
To: "Oliver Boehmer (oboehmer)"
Cc: "cisco-nsp"
Date: Tuesday, 22 July, 2008, 1:58 AM

same issue, no differences...got me

On Sun, Jul 20, 2008 at 2:53 AM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:

> I don't know, but I would try it.. Looks weird..
>
> oli
>
> ------------------------------
> *From:* Christian Koch [mailto:christian at broknrobot.com]
> *Sent:* Saturday, July 19, 2008 7:07 PM
> *To:* Oliver Boehmer (oboehmer)
> *Cc:* cisco-nsp
> *Subject:* Re: [c-nsp] BGP Hold Time Expired, but why?
>
> config look ok as far as i can see, i actually dont have bgp router-id
> set in the bgp config... you think if i add that with the loopback ip, it
> would make a difference?
>
> config
>
> router bgp 65000
>  no synchronization
>  bgp log-neighbor-changes
>  bgp graceful-restart restart-time 120
>  bgp graceful-restart stalepath-time 360
>  bgp graceful-restart
>  bgp dampening
>  neighbor Backbone peer-group
>  neighbor Backbone remote-as 65000
>  neighbor Backbone update-source Loopback1
>  neighbor Backbone version 4
>  neighbor Backbone send-community
>  neighbor 10.10.10.2 peer-group Backbone
>  neighbor 10.10.10.3 peer-group Backbone
>  no auto-summary
>
> On Sat, Jul 19, 2008 at 12:29 PM, Oliver Boehmer (oboehmer) <oboehmer at cisco.com> wrote:
>
>> Hmm, "%BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol
>> initialization" looks unexpected, not sure what's happening..
>> just a hunch, but can you double-check your config regarding loopback
>> addresses, bgp router-id and things? Possibly add some bgp debug (deb
>> bgp all events, deb bgp all, deb bgp all keep) and see if something
>> weird pops up?
>> What does the neighbor's (10.10.10.3) log say?
>>
>> oli
>>
>> ________________________________
>>
>> From: Christian Koch [mailto:christian at broknrobot.com]
>> Sent: Saturday, July 19, 2008 3:08 PM
>> To: Oliver Boehmer (oboehmer)
>> Cc: cisco-nsp
>> Subject: Re: [c-nsp] BGP Hold Time Expired, but why?
>>
>> hmm, i didnt check cef/mpls on the new path, i should try that.. there
>> is connectivity between the loopbacks
>>
>> the session comes back up right after the timer expires. thats what
>> puzzles me
>>
>> actually 3-4 is about how long i kept it down for..
>>
>> Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
>> Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
>> Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
>> Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
>> Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
>> Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
>> Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
>> Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
>> Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
>>
>> On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) wrote:
>>
>>> No clue what's happening.. I've seen issues in the past with TCP PMTUD
>>> when the path converges over a link with a different MTU (which is
>>> happening in your case), but as BGP will not send packets larger than
>>> 4k, this shouldn't be an issue here.
>>>
>>> How long did you take down the link before bringing it back up? I assume
>>> longer than 3 minutes? Have you checked CEF and MPLS along the new path?
>>> You have IP connectivity between the loopbacks aR1 and bR2? Does the
>>> session come back up eventually, or will it stay down?
>>>
>>> oli
>>>
>>> Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
>>>
>>>> sorry forgot to specify
>>>>
>>>> the bgp session from aR1 to bR2 is the session in question
>>>>
>>>> ck
>>>>
>>>> On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
>>>>
>>>>> Hello -
>>>>>
>>>>> I have the following topology in lab, testing different failure
>>>>> scenarios. When i disconnect the link between aR1 and bR1, what
>>>>> would appear to be normal happens - ospf and ldp neighbor go down.
>>>>>
>>>>> When i re-connect the link between aR1 and bR1, the interface comes
>>>>> back up, ospf/ldp neighbor is re-established.
>>>>>
>>>>> 3 minutes later, bgp holdtime expires, and all links are up..
>>>>>
>>>>> aR1-----------------bR1
>>>>>  |                   |
>>>>>  |                   |
>>>>>  |                   |
>>>>> aR2-----------------bR2
>>>>>
>>>>> Some Notes
>>>>> - All Links 10GE
>>>>> - Full ibgp mesh
>>>>> - Peering is to loopbacks
>>>>> - OSPF as IGP
>>>>> - Loopbacks in OSPF
>>>>> - MPLS Enabled on Interfaces
>>>>>
>>>>> OSPF cost between aR1 and aR2 is 1
>>>>> OSPF cost between bR1 and bR2 is 1
>>>>> OSPF cost between aR1 and bR1 is 250
>>>>> OSPF cost between aR2 and bR2 is 500
>>>>>
>>>>> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
>>>>> MTU 9182 between bR1 and bR2
>>>>>
>>>>> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
>>>>> IOS on bR1 and bR2 is 12.33.SRC - RSP720
>>>>>
>>>>> i am stumped, any ideas would be helpful in trying to understand why
>>>>> the bgp session is going down due to expired hold time, when all
>>>>> links are up..
>>>>>
>>>>> thanks!
>>>>>
>>>>> ck
>>>>
>>>> --
>>>> ^christian$
>>
>> --
>> ^christian$

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
From mtinka at globaltransit.net Tue Jul 22 07:26:45 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 22 Jul 2008 19:26:45 +0800
Subject: [c-nsp] Transparent Proxy
In-Reply-To: <02e601c8eb4d$11d351d0$3579f570$@net>
References: <02e601c8eb4d$11d351d0$3579f570$@net>
Message-ID: <200807221926.45503.mtinka@globaltransit.net>

On Tuesday 22 July 2008 00:16:02 Rhino Lists wrote:

> access-list 111 deny tcp any any neq www
> access-list 111 deny tcp host 192.168.1.188 any
> access-list 111 permit tcp any any log

Try this for your ACL, instead:

deny   tcp host ip.of.squid.box any eq www
permit tcp your.ip.net.block your.block.net.mask any eq www

Obviously, make sure your (I'm assuming) Squid box is setup to properly capture the redirected packets and forward them to the port it's listening on for processing.

However, as others have noted, consider WCCP - it scales better.

Cheers,

Mark.

From christian at broknrobot.com Tue Jul 22 07:54:13 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 22 Jul 2008 07:54:13 -0400
Subject: [c-nsp] BGP Hold Time Expired, but why?
In-Reply-To: <173076.22280.qm@web25505.mail.ukl.yahoo.com>
References: <173076.22280.qm@web25505.mail.ukl.yahoo.com>
Message-ID: 

they are all 7609-S

On Tue, Jul 22, 2008 at 5:25 AM, Ozgur Guler wrote:
> Is this a GSR?
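Oliver's remark that the session converges over a link with a different MTU can be checked against the costs and MTUs Christian posted. The script below is an added example, not code from anyone in the thread: it runs Dijkstra over the four links with the posted costs to show which path the aR1 to bR2 session takes while the aR1-bR1 link is down and after it is restored, reports the path MTU of each, and back-computes from the NOTIFICATION 4/0 timestamp when bR2 last heard from aR1. It assumes symmetric OSPF costs, the IOS default 180-second hold time (the posted router bgp block sets no timers) and 40 bytes of TCP/IPv4 header; the three log lines are copied from the thread.

```python
"""Added example (not part of the thread): replay the path change and the
hold-timer arithmetic from the topology, costs, MTUs and log that Christian
Koch posted.

Assumptions not stated in the thread: OSPF costs are symmetric; the IOS
default BGP hold time of 180 s is in force because the posted 'router bgp'
block sets no timers; a TCP/IPv4 header without options takes 40 bytes.
"""
import heapq
from datetime import datetime, timedelta

# (cost, MTU) per link, exactly as listed in the original post.
LINKS = {
    ("aR1", "aR2"): (1, 9216),
    ("bR1", "bR2"): (1, 9182),
    ("aR1", "bR1"): (250, 9216),
    ("aR2", "bR2"): (500, 9216),
}

DEFAULT_HOLD_TIME = 180  # IOS default; assumption, see docstring

# Three lines copied from the posted log (the ones the arithmetic needs).
LOG = """\
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
"""


def shortest_path(links, src, dst):
    """Dijkstra over undirected links; returns (cost, [hops]) or (None, [])."""
    adj = {}
    for (a, b), (cost, _mtu) in links.items():
        adj.setdefault(a, []).append((b, cost))
        adj.setdefault(b, []).append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue  # stale heap entry
        if node == dst:
            break
        for nxt, cost in adj.get(node, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                prev[nxt] = node
                heapq.heappush(heap, (d + cost, nxt))
    if dst not in dist:
        return None, []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def path_mtu(links, path):
    """Smallest link MTU along the path (links are stored in one direction only)."""
    return min(links.get((a, b), links.get((b, a)))[1] for a, b in zip(path, path[1:]))


def compare_paths(links, src, dst, failed_link):
    """Path, cost, path MTU and the largest TCP MSS that fits, first with the
    failed link removed and then with it restored."""
    degraded = {k: v for k, v in links.items() if k != failed_link}
    out = {}
    for label, topo in (("link_down", degraded), ("link_restored", links)):
        cost, path = shortest_path(topo, src, dst)
        mtu = path_mtu(topo, path)
        out[label] = {"path": path, "cost": cost, "path_mtu": mtu, "max_tcp_mss": mtu - 40}
    return out


def hold_timer_analysis(log, hold_time=DEFAULT_HOLD_TIME):
    """A peer sends NOTIFICATION 4/0 hold_time seconds after the last KEEPALIVE
    or UPDATE it received, so the notification timestamp fixes the moment the
    peer last heard from this router; relate it to the link and OSPF events."""
    events = {}
    for line in log.splitlines():
        ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # year is irrelevant here
        if "%LINK-3-UPDOWN" in line and "to up" in line:
            events["link_up"] = ts
        elif "%OSPF-5-ADJCHG" in line and "to FULL" in line:
            events["ospf_full"] = ts
        elif "hold time expired" in line:
            events["notification"] = ts
    last_heard = events["notification"] - timedelta(seconds=hold_time)
    return {
        "peer_last_heard_from_us": last_heard.strftime("%H:%M:%S"),
        "seconds_after_link_up": int((last_heard - events["link_up"]).total_seconds()),
        "seconds_before_ospf_full": int((events["ospf_full"] - last_heard).total_seconds()),
    }


if __name__ == "__main__":
    for label, info in compare_paths(LINKS, "aR1", "bR2", ("aR1", "bR1")).items():
        print(f"{label:14} {'-'.join(info['path'])} cost={info['cost']} "
              f"path_mtu={info['path_mtu']} max_mss={info['max_tcp_mss']}")
    print(hold_timer_analysis(LOG))
```

With the posted numbers the session rides aR1-aR2-bR2 (cost 501, path MTU 9216) while the link is down and moves to aR1-bR1-bR2 (cost 251, path MTU 9182) once it returns, so the new path is the one with the smaller MTU; the back-computed moment bR2 last heard from aR1 is 14:29:38, fifteen seconds after the link came up and before OSPF reached FULL. This is a check to put next to the TCP counters from show ip bgp neighbor that Ozgur asks about, not a diagnosis.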
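The Transparent Proxy thread earlier in this archive shows two PBR match lists: Rhino Lists' access-list 111 and the two-line replacement Mark Tinka suggested. The script below is an added example, not code from either poster: it parses the subset of IOS extended-ACL syntax both lists use, applies first-match-wins with the implicit deny, and runs a few constructed flows through each to show where they differ. It fills in Mark's placeholders with the assumption that the user LAN is 192.168.1.0/24 and the proxy is 192.168.1.188 (the address in Rhino's route-map), and treats a permit match as "set ip next-hop to the proxy" and everything else as normal routing.

```python
"""Added example, not from the thread: an evaluator for the subset of IOS
extended-ACL syntax in the Transparent Proxy posts, run over constructed
flows to show how Rhino Lists' access-list 111 and Mark Tinka's suggested
replacement behave as the match list of a PBR route-map.

Assumptions: the user LAN is 192.168.1.0/24 (wildcard 0.0.0.255) and the
proxy is 192.168.1.188, filled in for Mark's placeholders; a flow matching a
'permit' entry gets 'set ip next-hop' to the proxy, while a 'deny' match or
the implicit deny at the end leaves it on the normal routing path. The 'log'
keyword is parsed but has no effect on the match decision.
"""
import ipaddress

PORT_NAMES = {"www": 80}

# As posted by Rhino Lists.
RHINO_ACL = """
deny tcp any any neq www
deny tcp host 192.168.1.188 any
permit tcp any any log
"""

# Mark's suggestion with the placeholders filled in (assumption, see above).
MARK_ACL = """
deny   tcp host 192.168.1.188 any eq www
permit tcp 192.168.1.0 0.0.0.255 any eq www
"""


def _parse_addr(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W'; return (addr, wildcard) ints."""
    kind = tokens.pop(0)
    if kind == "any":
        return 0, 0xFFFFFFFF
    if kind == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0
    return int(ipaddress.IPv4Address(kind)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_acl(text):
    """Parse lines of 'permit|deny tcp <src> <dst> [eq|neq <port>] [log]'."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "tcp":
            raise ValueError(f"unsupported entry: {line!r}")
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport = None
        if rest and rest[0] in ("eq", "neq"):
            op, name = rest.pop(0), rest.pop(0)
            dport = (op, PORT_NAMES[name] if name in PORT_NAMES else int(name))
        aces.append({"action": action, "src": src, "dst": dst, "dport": dport,
                     "log": bool(rest) and rest[0] == "log"})
    return aces


def _addr_matches(spec, ip):
    """IOS wildcard semantics: bits set in the wildcard are don't-care."""
    addr, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(aces, src_ip, dst_ip, dst_port):
    """First matching entry wins; falling off the end is the implicit deny.
    Returns (action, index of the matching entry or None)."""
    for i, ace in enumerate(aces):
        if not (_addr_matches(ace["src"], src_ip) and _addr_matches(ace["dst"], dst_ip)):
            continue
        if ace["dport"] is not None:
            op, port = ace["dport"]
            # 'eq' needs the port to be equal, 'neq' needs it to differ.
            if (op == "eq") != (dst_port == port):
                continue
        return ace["action"], i
    return "deny", None


def redirected(aces, src_ip, dst_ip, dst_port):
    """True when the route-map would set next-hop to the proxy for this flow."""
    return evaluate(aces, src_ip, dst_ip, dst_port)[0] == "permit"


# Constructed flows entering the user-facing interface (not from the thread).
FLOWS = [
    ("lan user to web", "192.168.1.10", "203.0.113.5", 80),
    ("proxy's own fetch", "192.168.1.188", "203.0.113.5", 80),
    ("lan user to https", "192.168.1.10", "203.0.113.5", 443),
    ("non-local source to web", "10.99.0.7", "203.0.113.5", 80),
]


def compare(flows=FLOWS):
    """Map flow name -> (redirected by ACL 111, redirected by Mark's ACL)."""
    rhino, mark = parse_acl(RHINO_ACL), parse_acl(MARK_ACL)
    return {name: (redirected(rhino, s, d, p), redirected(mark, s, d, p))
            for name, s, d, p in flows}


if __name__ == "__main__":
    for name, (r, m) in compare().items():
        print(f"{name:24} acl111={'redirect' if r else 'route':8} mark={'redirect' if m else 'route'}")
```

Both lists send a LAN user's port-80 traffic to the proxy, leave the proxy's own outbound fetches alone (which is what prevents a redirect loop) and route HTTPS normally. They part ways on the fourth flow: the final "permit tcp any any" in access-list 111 hands every TCP/80 packet that enters the interface to the proxy regardless of source, while Mark's version only redirects sources inside your own block, so a packet with a foreign or spoofed source address is not bounced through the proxy. Mark's version also drops the log keyword from the match list.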
From christian at broknrobot.com Tue Jul 22 07:58:32 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 22 Jul 2008 07:58:32 -0400
Subject: [c-nsp] RSP720 rommon images
In-Reply-To: <488586C1.8010508@forthnet.gr>
References: <488586C1.8010508@forthnet.gr>
Message-ID: 

yeah, go to CCO > download software > router software > platform > RSP Type > ROMMON

http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=IOS%20ROMMON%20Software&mdfid=268438002&treeName=Routers&mdfLevel=Model&url=null&modelName=Cisco+7609+Router&isPlatform=N&treeMdfId=268437899&modifmdfid=281939433&imname=Cisco+7600+Series+Route+Switch+Processor+720+with+10+Gigabit+Ethernet+Uplinks&hybrid=Y&imst=Y

On Tue, Jul 22, 2008 at 3:05 AM, Tassos Chatzithomaoglou wrote:
> Hi,
>
> Does anyone know where i can download the latest rommon images shown below?
>
> http://www.cisco.com/en/US/docs/routers/7600/rommon/rsp720_rommon.html#wp157863
>
> I'm mostly interested in the following two:
>
> rsp720_rp-rm2.srec.122-33r.SRD2
> rsp720_sp-rm2.srec.122-33r.SRD2
>
> I found only SRB3 rommons on CCO, but i'm already using SRB4.
>
> --
> Tassos

From achatz at forthnet.gr Tue Jul 22 08:02:39 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 22 Jul 2008 15:02:39 +0300
Subject: [c-nsp] RSP720 rommon images
In-Reply-To: 
References: <488586C1.8010508@forthnet.gr>
Message-ID: <4885CC5F.2040404@forthnet.gr>

Christian,

The only rommon available there is for the CEF720 67xx modules.
--
Tassos

Christian Koch wrote on 22/7/2008 2:58 PM:
> yeah, go to CCO > download software > router software > platform > RSP
> Type > ROMMON
>
> http://tools.cisco.com/support/downloads/go/PlatformList.x?sftType=IOS%20ROMMON%20Software&mdfid=268438002&treeName=Routers&mdfLevel=Model&url=null&modelName=Cisco+7609+Router&isPlatform=N&treeMdfId=268437899&modifmdfid=281939433&imname=Cisco+7600+Series+Route+Switch+Processor+720+with+10+Gigabit+Ethernet+Uplinks&hybrid=Y&imst=Y

From gulerozgur at yahoo.co.uk Tue Jul 22 08:06:09 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 22 Jul 2008 12:06:09 +0000 (GMT)
Subject: [c-nsp] BGP Hold Time Expired, but why?
In-Reply-To: 
Message-ID: <63047.54522.qm@web25508.mail.ukl.yahoo.com>

When you do "show ip bgp nei detail" while the sessions are flapping, do you see anything wrong in the TCP parameters? I remember a bug in 12.0S where TCP window size becomes 0 for BGP causing it to flap. Or if it is an MTU problem you might see that the BGP Keepalives are being throttled.

--- On Tue, 22/7/08, Christian Koch wrote:

From: Christian Koch
Subject: Re: [c-nsp] BGP Hold Time Expired, but why?
To: "Ozgur Guler"
Cc: "Oliver Boehmer (oboehmer)", "cisco-nsp"
Date: Tuesday, 22 July, 2008, 12:54 PM

they are all 7609-S

On Tue, Jul 22, 2008 at 5:25 AM, Ozgur Guler wrote:

Is this a GSR?

From christian at broknrobot.com Tue Jul 22 08:35:31 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 22 Jul 2008 08:35:31 -0400
Subject: [c-nsp] BGP Hold Time Expired, but why?
In-Reply-To: <63047.54522.qm@web25508.mail.ukl.yahoo.com> References: <63047.54522.qm@web25508.mail.ukl.yahoo.com> Message-ID: nothing out of the norm, i will try in a few minutes to take the link down and snap a view though thanks On Tue, Jul 22, 2008 at 8:06 AM, Ozgur Guler wrote: > When you do "show ip bgp nei detail" while the sessions are flapping, > Do you see anything wrong in the TCP parameters? > I remember a bug in 12.0S where TCP window size becomes 0 for BGP causing > it to flap. Or if it is an MTU problem you might see that the BGP Keepalives > are being throttled. > > --- On *Tue, 22/7/08, Christian Koch * wrote: > > From: Christian Koch > Subject: Re: [c-nsp] BGP Hold Time Expired, but why? > To: "Ozgur Guler" > Cc: "Oliver Boehmer (oboehmer)" , "cisco-nsp" < > cisco-nsp at puck.nether.net> > Date: Tuesday, 22 July, 2008, 12:54 PM > > > they are all 7609-S > > On Tue, Jul 22, 2008 at 5:25 AM, Ozgur Guler > wrote: > >> Is this a GSR? >> >> >> >> --- On *Tue, 22/7/08, Christian Koch * wrote: >> >> From: Christian Koch >> Subject: Re: [c-nsp] BGP Hold Time Expired, but why? >> To: "Oliver Boehmer (oboehmer)" >> Cc: "cisco-nsp" >> Date: Tuesday, 22 July, 2008, 1:58 AM >> >> >> same issue, no differences...got me >> >> >> >> >> >> On Sun, Jul 20, 2008 at 2:53 AM, Oliver Boehmer (oboehmer) < >> oboehmer at cisco.com> wrote: >> >> > I don't know, but I would try it.. Looks weird.. >> >> > >> > oli >> > >> > ------------------------------ >> > *From:* Christian Koch [mailto:christian at broknrobot.com] >> > *Sent:* >> Saturday, July 19, 2008 7:07 PM >> > >> > *To:* Oliver Boehmer (oboehmer) >> > *Cc:* cisco-nsp >> > *Subject:* Re: [c-nsp] BGP Hold Time Expired, but why? >> > >> > config look ok as far as i can see, i >> actually dont have bgp router-id >> >> > set in the bgp config... you think if i add that with the loopback ip, it >> > would make a difference? 
>> > >> > >> > config >> > >> > router bgp 65000 >> > no synchronization >> > bgp log-neighbor-changes >> >> > bgp graceful-restart restart-time 120 >> > bgp graceful-restart stalepath-time 360 >> > bgp graceful-restart >> > bgp dampening >> > neighbor Backbone peer-group >> > neighbor Backbone remote-as 65000 >> >> > neighbor Backbone update-source Loopback1 >> > neighbor Backbone version 4 >> > neighbor Backbone send-community >> > neighbor 10.10.10.2 peer-group Backbone >> >> > neighbor 10.10.10.3 peer-group Backbone >> > no >> auto-summary >> > >> > >> > >> > >> > >> > On Sat, Jul >> 19, 2008 at 12:29 PM, Oliver Boehmer (oboehmer) < >> > oboehmer at cisco.com> wrote: >> >> > >> >> Hmm, "%BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol >> >> initialization" looks unexpected, not sure what's happening.. >> >> just a hunch, but can you double-check your config regarding loopback >> >> >> addresses, bgp router-id and things? Possibly add some bgp debug (deb >> >> bgp all events, deb bgp all, deb bgp all keep) and see if something >> >> weird pops up? >> >> What does the neighbor's (10.10.10.3) log say? >> >> >> >> >> oli >> >> >> >> ________________________________ >> >> >> >> From: Christian Koch [mailto:christian at broknrobot.com] >> >> >> Sent: Saturday, July 19, 2008 3:08 PM >> >> To: Oliver Boehmer (oboehmer) >> >> Cc: cisco-nsp >> >> Subject: Re: [c-nsp] >> BGP Hold Time Expired, but why? >> >> >> >> >> >> hmm, i didnt check cef/mpls on the new path, i should try that.. there >> >> is connectivity between the loopbacks >> >> >> >> the session comes back up right after the timer expires.thats what >> >> >> puzzles me >> >> >> >> actually 3-4 is about how long i kept it down for.. 
>> Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
>> Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
>> Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
>> Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
>> Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
>> Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
>> Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
>> Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
>> Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
>> Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
>> Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
>>
>> On Sat, Jul 19, 2008 at 3:24 AM, Oliver Boehmer (oboehmer) wrote:
>>
>>> No clue what's happening.. I've seen issues in the past with TCP PMTUD when the path converges over a link with a different MTU (which is happening in your case), but as BGP will not send packets larger than 4k, this shouldn't be an issue here.
>>>
>>> How long did you take down the link before bringing it back up? I assume longer than 3 minutes? Have you checked CEF and MPLS along the new path? You have IP connectivity between the loopbacks aR1 and bR2? Does the session come back up eventually, or will it stay down?
>>>
>>> oli
>>>
>>> Christian Koch <> wrote on Saturday, July 19, 2008 8:38 AM:
>>>
>>>> sorry forgot to specify
>>>>
>>>> the bgp session from aR1 to bR2 is the session in question
>>>>
>>>> ck
>>>>
>>>> On Sat, Jul 19, 2008 at 2:21 AM, Christian Koch wrote:
>>>>
>>>>> Hello -
>>>>>
>>>>> I have the following topology in lab, testing different failure scenarios. When I disconnect the link between aR1 and bR1, what would appear to be normal happens - ospf and ldp neighbor go down.
>>>>>
>>>>> When I re-connect the link between aR1 and bR1, the interface comes back up, ospf/ldp neighbor is re-established.
>>>>>
>>>>> 3 minutes later, bgp holdtime expires, and all links are up..
>>>>>
>>>>> aR1-----------------bR1
>>>>>  |                   |
>>>>>  |                   |
>>>>>  |                   |
>>>>> aR2-----------------bR2
>>>>>
>>>>> Some Notes
>>>>>
>>>>> - All Links 10GE
>>>>> - Full ibgp mesh
>>>>> - Peering is to loopbacks
>>>>> - OSPF as IGP
>>>>> - Loopbacks in OSPF
>>>>> - MPLS Enabled on Interfaces
>>>>>
>>>>> OSPF cost between aR1 and aR2 is 1
>>>>> OSPF cost between bR1 and bR2 is 1
>>>>> OSPF cost between aR1 and bR1 is 250
>>>>> OSPF cost between aR2 and bR2 is 500
>>>>>
>>>>> MTU 9216 between aR1 and aR2, aR1 and bR1, aR2 and bR2
>>>>> MTU 9182 between bR1 and bR2
>>>>>
>>>>> IOS on aR1 and aR2 is 12.2.33.SRB2 - SUP720
>>>>> IOS on bR1 and bR2 is 12.33.SRC - RSP720
>>>>>
>>>>> I am stumped, any ideas would be helpful in trying to understand why the bgp session is going down due to expired hold time, when all links are up..
>>>>>
>>>>> thanks!
>>>>>
>>>>> ck
>>>>
>>>> --
>>>> ^christian$
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> --
>> ^christian$
>>
>> ------------------------------
>> Not happy with your email address?
>> Get the one you really want - millions of new email addresses available now at Yahoo!
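The log excerpt quoted in the thread above is the kind of thing a NOC or SOC ends up correlating by hand. What follows is an added example, not code from any post in the thread: a small Python parser for the IOS syslog message format (%FACILITY-SEVERITY-MNEMONIC, with the optional subfacility such as -SP- that appears in the posted lines) that classifies link, OSPF, LDP and BGP state changes and, for every BGP "hold time expired" notification, measures how long after the last link-up event it arrived. Assumptions: the sample lines are the ones posted in the thread, the year is taken as 2008 because IOS timestamps carry none, and the hold time is the IOS default of 180 seconds.

```python
"""IOS syslog parser that times BGP hold-timer expiries against link events.

Added example for the thread above; not code from any of the posts.
Assumptions: the sample lines are the excerpt posted in the thread, the
year is 2008 (IOS timestamps carry none), and the BGP hold time is the
IOS default of 180 seconds.
"""
import re
from datetime import datetime

ASSUMED_YEAR = 2008      # assumption: IOS syslog timestamps have no year
DEFAULT_HOLD_TIME = 180  # IOS default BGP hold time, in seconds

# Sample input, constructed from the log excerpt posted in the thread.
SAMPLE_LOG = """\
Jul 16 14:29:22 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:22 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from FULL to DOWN, Neighbor Down: Interface down or detached
Jul 16 14:29:22 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is DOWN (Interface not operational)
Jul 16 14:29:22 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to down
Jul 16 14:29:23 EDT: %LINK-SP-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINK-3-UPDOWN: Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:23 EDT: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/2, changed state to up
Jul 16 14:29:33 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (11) is UP
Jul 16 14:30:19 EDT: %OSPF-5-ADJCHG: Process 10, Nbr 10.10.10.2 on TenGigabitEthernet2/2 from LOADING to FULL, Loading Done
Jul 16 14:30:37 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is DOWN (Discovery Hello Hold Timer expired)
Jul 16 14:31:39 EDT: %LDP-5-NBRCHG: LDP Neighbor 10.10.10.2:0 (4) is UP
Jul 16 14:32:38 EDT: %BGP-3-NOTIFICATION: received from neighbor 10.10.10.3 4/0 (hold time expired) 0 bytes
Jul 16 14:32:38 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Down BGP protocol initialization
Jul 16 14:32:45 EDT: %BGP-5-ADJCHANGE: neighbor 10.10.10.3 Up
"""

# %FACILITY[-SUBFACILITY]-SEVERITY-MNEMONIC: text, e.g. %LINEPROTO-SP-5-UPDOWN
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s+(?P<tz>[A-Z]+): "
    r"%(?P<facility>[A-Z0-9_]+)(?:-(?P<sub>[A-Z]+))?-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<msg>.*)$"
)
LINK_RE = re.compile(r"Interface (\S+), changed state to (up|down)")
OSPF_RE = re.compile(r"Nbr (\S+) on (\S+) from ([A-Z]+) to ([A-Z]+)")
LDP_RE = re.compile(r"LDP Neighbor (\S+) \(\d+\) is (UP|DOWN)")
BGP_ADJ_RE = re.compile(r"neighbor (\S+) (Up|Down)")
BGP_NOTIF_RE = re.compile(r"received from neighbor (\S+) (\d+/\d+) \(([^)]*)\)")


def parse_line(line):
    """Return a dict for one IOS syslog line, or None if the line is not one."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    stamp = re.sub(r"\s+", " ", m["ts"])  # "Jul  6" and "Jul 16" both parse
    ev = {
        "ts": datetime.strptime(f"{ASSUMED_YEAR} {stamp}", "%Y %b %d %H:%M:%S"),
        "tz": m["tz"], "facility": m["facility"], "sub": m["sub"],
        "severity": int(m["sev"]), "mnemonic": m["mnemonic"], "msg": m["msg"],
        "kind": None, "key": None, "state": None, "detail": None,
    }
    fac, mn, msg = m["facility"], m["mnemonic"], m["msg"]
    if fac in ("LINK", "LINEPROTO") and (x := LINK_RE.search(msg)):
        ev.update(kind=fac.lower(), key=x[1], state=x[2])
    elif fac == "OSPF" and (x := OSPF_RE.search(msg)):
        ev.update(kind="ospf", key=x[1], state=x[4].lower(), detail=f"{x[3]}->{x[4]} on {x[2]}")
    elif fac == "LDP" and (x := LDP_RE.search(msg)):
        ev.update(kind="ldp", key=x[1], state=x[2].lower())
    elif fac == "BGP" and mn == "ADJCHANGE" and (x := BGP_ADJ_RE.search(msg)):
        ev.update(kind="bgp", key=x[1], state=x[2].lower())
    elif fac == "BGP" and mn == "NOTIFICATION" and (x := BGP_NOTIF_RE.search(msg)):
        # state holds the BGP error code/subcode, e.g. 4/0 = Hold Timer Expired
        ev.update(kind="bgp_notification", key=x[1], state=x[2], detail=x[3])
    return ev


def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def flap_counts(events):
    """Count down transitions per (kind, key); repeated LDP downs on an up link are a hint."""
    counts = {}
    for ev in events:
        if ev["kind"] and ev["state"] == "down":
            counts[(ev["kind"], ev["key"])] = counts.get((ev["kind"], ev["key"]), 0) + 1
    return counts


def holdtime_findings(events, hold_time=DEFAULT_HOLD_TIME):
    """For each BGP NOTIFICATION 4/0 (hold time expired), report how long after the
    last interface-up event it arrived. A gap of at least hold_time with no link
    event in between means keepalives were lost on a path that looked healthy."""
    findings, last_link_up = [], None
    for ev in events:
        if ev["kind"] == "link" and ev["state"] == "up":
            last_link_up = ev["ts"]
        elif ev["kind"] == "bgp_notification" and ev["state"] == "4/0":
            gap = (ev["ts"] - last_link_up).total_seconds() if last_link_up else None
            findings.append({
                "neighbor": ev["key"], "at": ev["ts"].isoformat(), "code": ev["state"],
                "reason": ev["detail"], "seconds_since_last_link_up": gap,
                "exceeds_hold_time": gap is not None and gap >= hold_time,
            })
    return findings


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for finding in holdtime_findings(events):
        print(finding)
    print(flap_counts(events))
```

On the posted excerpt it reports one finding: the 4/0 notification from 10.10.10.3 arrived 195 seconds after TenGigabitEthernet2/2 came back up, i.e. a full hold time with every link up, which is exactly the window Oliver's questions about CEF and MPLS on the new path are aimed at. The same functions work on a syslog collector feed; sequence numbers or a leading "*" in front of the timestamp would need the first regex widened.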
From paul at paulstewart.org Tue Jul 22 09:39:45 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Jul 2008 09:39:45 -0400
Subject: [c-nsp] VPN Question - IOS
Message-ID: <000001c8ec00$68612050$392360f0$@org>

Hi there...

We have a remote access VPN configuration deployed on a 2800 router.... everything works great except I'd like to "force" VPN users to send all their traffic via the VPN when connected. I'm missing something obvious I believe...

Example would be once a VPN user is connected and opens an SSH session to a router, I want that SSH session to come via the VPN router's IP address - not their home IP address.

192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this was setup by a networking "expert" long before my time...:(

Config looks like this:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxx
 wins xxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
 client authentication list vpn_xauth1
 isakmp authorization list vpn_group1
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-Profile

interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile

ip local pool VPNPool1 192.168.250.2 192.168.250.254

access-list 100 permit ip 192.192.61.0 0.0.0.255 any
access-list 100 permit ip 192.168.250.0 0.0.0.255 any

This has something to do with split tunneling and the ACL 100 but so far I haven't got this working....
Thanks very much,

Paul

From koug at intracom.gr Tue Jul 22 10:44:23 2008
From: koug at intracom.gr (John Kougoulos)
Date: Tue, 22 Jul 2008 17:44:23 +0300 (GTB Daylight Time)
Subject: [c-nsp] VPN Question - IOS
In-Reply-To: <000001c8ec00$68612050$392360f0$@org>
References: <000001c8ec00$68612050$392360f0$@org>
Message-ID:

Hello,

try removing the following lines:

acl 100
include-local-lan
netmask 255.255.255.0

The IP address that will be used is the one assigned by the pool VPNPool1, unless you configure some kind of NAT translation.

BR,
John

On Tue, 22 Jul 2008, Paul Stewart wrote:

> Hi there...
>
> We have a remote access VPN configuration deployed on a 2800 router.... everything works great except I'd like to "force" VPN users to send all their traffic via the VPN when connected. I'm missing something obvious I believe...
>
> Example would be once a VPN user is connected and opens an SSH session to a router, I want that SSH session to come via the VPN router's IP address - not their home IP address.
>
> 192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this was setup by a networking "expert" long before my time...:(
>
> Config looks like this:
>
> crypto isakmp client configuration group RemoteAccess
>  key xxxxxxxxxxxxxxxx
>  dns xxxxxxxxxxxxxxxxxxx
>  wins xxxxxxxxxxxxxxxxx
>  domain xxxxxxxxxxxxxxxxxxx
>  pool VPNPool1
>  acl 100
>  save-password
>  include-local-lan
>  netmask 255.255.255.0
> crypto isakmp profile VPN-Profile
>  match identity group RemoteAccess
>  client authentication list vpn_xauth1
>  isakmp authorization list vpn_group1
>  client configuration address respond
>  virtual-template 2
> !
>
> This has something to do with split tunneling and the ACL 100 but so far I haven't got this working....
> Thanks very much,
>
> Paul

From streiner at cluebyfour.org Tue Jul 22 11:38:37 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 22 Jul 2008 11:38:37 -0400 (EDT)
Subject: [c-nsp] VPN Question - IOS
In-Reply-To: <000001c8ec00$68612050$392360f0$@org>
References: <000001c8ec00$68612050$392360f0$@org>
Message-ID:

On Tue, 22 Jul 2008, Paul Stewart wrote:

> We have a remote access VPN configuration deployed on a 2800 router.... everything works great except I'd like to "force" VPN users to send all their traffic via the VPN when connected. I'm missing something obvious I believe...
>
> Example would be once a VPN user is connected and opens an SSH session to a router, I want that SSH session to come via the VPN router's IP address - not their home IP address.
>
> 192.192.61.0/24 is our "internal" LAN network - yeah yeah, I know... this was setup by a networking "expert" long before my time...:(

Sounds like you want to disable split tunneling. With split tunneling, only traffic you define as "interesting" is sent over the VPN, and everything else follows the normal default route from the user's PC, presumably over their regular Internet connection.

jms

> Config looks like this:
>
> crypto isakmp policy 1
>  encr 3des
>  hash md5
>  authentication pre-share
>  group 2
> !
> crypto isakmp client configuration group RemoteAccess
>  key xxxxxxxxxxxxxxxx
>  dns xxxxxxxxxxxxxxxxxxx
>  wins xxxxxxxxxxxxxxxxx
>  domain xxxxxxxxxxxxxxxxxxx
>  pool VPNPool1
>  acl 100
>  save-password
>  include-local-lan
>  netmask 255.255.255.0
> crypto isakmp profile VPN-Profile
>  match identity group RemoteAccess
>  client authentication list vpn_xauth1
>  isakmp authorization list vpn_group1
>  client configuration address respond
>  virtual-template 2
> !
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto ipsec profile VPN-Profile
>  set transform-set ESP-3DES-SHA
>  set isakmp-profile VPN-Profile
>
> interface Virtual-Template2 type tunnel
>  ip unnumbered Loopback1
>  tunnel mode ipsec ipv4
>  tunnel protection ipsec profile VPN-Profile
>
> ip local pool VPNPool1 192.168.250.2 192.168.250.254
>
> access-list 100 permit ip 192.192.61.0 0.0.0.255 any
> access-list 100 permit ip 192.168.250.0 0.0.0.255 any
>
> This has something to do with split tunneling and the ACL 100 but so far I haven't got this working....
>
> Thanks very much,
>
> Paul
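John's and Justin's replies both come down to the same thing: the group configuration is pushing a split-tunnel policy to the client. As an added example (not from any post in the thread), here is a Python check that parses the "crypto isakmp client configuration group" block as posted, reports the settings that keep client traffic outside the tunnel (the "acl" split-tunnel list, "include-local-lan", and "save-password" as an informational item, since it lets the client cache the Xauth password), and emits the same config with "acl" and "include-local-lan" removed so that the client routes everything into the tunnel. The config text is reconstructed from Paul's post, placeholders included; the section parser assumes the usual IOS layout in which indented lines belong to the preceding unindented command and "!" lines separate sections.

```python
"""Audit an IOS Easy VPN group for split tunnelling and emit the tunnel-all variant.

Added example for the VPN thread above; not code from any post. The config
text is reconstructed from Paul's post (placeholders kept). The parser assumes
the usual IOS layout: indented lines belong to the preceding unindented command
and '!' lines separate sections.
"""
import re

# Sample input, constructed from the config posted in the thread.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxxxx
 dns xxxxxxxxxxxxxxxxxxx
 wins xxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 include-local-lan
 netmask 255.255.255.0
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
 client authentication list vpn_xauth1
 isakmp authorization list vpn_group1
 client configuration address respond
 virtual-template 2
!
ip local pool VPNPool1 192.168.250.2 192.168.250.254
!
access-list 100 permit ip 192.192.61.0 0.0.0.255 any
access-list 100 permit ip 192.168.250.0 0.0.0.255 any
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)$")


def parse_sections(text):
    """Return [(command, [sub-commands])] for an IOS running-config."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            current = None          # blank or '!' ends the current section
            continue
        if raw[0].isspace():
            if current is not None:
                current[1].append(line)
        else:
            current = (line, [])
            sections.append(current)
    return sections


def client_groups(sections):
    """Map each Easy VPN group name to the settings that matter for tunnelling."""
    groups = {}
    for command, subs in sections:
        m = GROUP_RE.match(command)
        if not m:
            continue
        g = {"acl": None, "include_local_lan": False, "save_password": False, "pool": None}
        for sub in subs:
            tok = sub.split()
            if tok[0] == "acl":
                g["acl"] = tok[1]
            elif tok[0] == "include-local-lan":
                g["include_local_lan"] = True
            elif tok[0] == "save-password":
                g["save_password"] = True
            elif tok[0] == "pool":
                g["pool"] = tok[1]
        groups[m[1]] = g
    return groups


def acl_entries(sections, number):
    return [c for c, _ in sections if c.startswith(f"access-list {number} ")]


def audit(text):
    """Return (group, finding, note) for every setting that keeps client traffic off the tunnel."""
    sections = parse_sections(text)
    findings = []
    for name, g in client_groups(sections).items():
        if g["acl"]:
            nets = acl_entries(sections, g["acl"])
            findings.append((name, "split-tunnel",
                             f"acl {g['acl']} is pushed to clients; only its {len(nets)} networks are tunnelled"))
        if g["include_local_lan"]:
            findings.append((name, "include-local-lan", "client keeps its local LAN reachable outside the tunnel"))
        if g["save_password"]:
            findings.append((name, "save-password", "client may cache the Xauth password on the endpoint"))
    return findings


def tunnel_all(text):
    """Return the config with 'acl' and 'include-local-lan' dropped from every client
    group, which is what makes the client send all traffic into the tunnel."""
    out, in_group = [], False
    for raw in text.splitlines():
        tok = raw.split()
        if not raw[:1].isspace():
            in_group = bool(GROUP_RE.match(raw.strip()))
        elif in_group and tok and tok[0] in ("acl", "include-local-lan"):
            continue
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
    print(tunnel_all(SAMPLE_CONFIG))
```

Dropping the "acl" line is what stops the client from keeping its own default route, which is the behaviour Paul is seeing with SSH arriving from the home address. John's suggestion to remove "netmask" as well is left to the operator; the script only touches the two split-tunnel lines and leaves the pool, netmask and profile intact.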
From justin at justinshore.com Tue Jul 22 11:45:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 22 Jul 2008 08:45:31 -0700
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com>
Message-ID: <4886009B.8070107@justinshore.com>

Rubens Kuhl Jr. wrote:
> Cost issues and the relationship with the local subsidiary; we have very little problems with the ME6500, one being the BFD with SVIs issue that you don't like either if I recall correctly.

Cost is high but it can cut both ways. That leads to a long discussion for another day and I'm sure you're already familiar with all the talking points.

The BFD on SVIs is definitely something that bit me on all my SX/SR platforms. I still don't have a working solution for that problem.

> Are you sure ME3750s are doing good for your network ? We had tons of issues with 3750-Metro, a product that I strongly recommend for my competitors...
> we haven't tested ME3400 which sound very nice (but doesn't have MPLS) or 4500 with Sup-VI (no MPLS on the software yet).

We haven't had any problems with them. I just returned from the MetroE training course in SJC and the ME3750 played an important role in the course. It worked fine in the class. I think it's important that people understand what the ME devices were designed for and deploy them with that in mind. This is something that I failed at initially. The ME3750 wasn't designed to be a generic DC-powered L3 switch. It was purpose-built for L2VPN termination and some aggregation. When people like myself think that it's an all-encompassing MPLS box then they get sorely disappointed. I was. But it works well for what it was designed to do.

Justin

From rubensk at gmail.com Tue Jul 22 12:20:09 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 22 Jul 2008 13:20:09 -0300
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <4886009B.8070107@justinshore.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com>
Message-ID: <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com>

>> Cost issues and the relationship with the local subsidiary; we have very little problems with the ME6500, one being the BFD with SVIs issue that you don't like either if I recall correctly.
>
> Cost is high but it can cut both ways. That leads to a long discussion for another day and I'm sure you're already familiar with all the talking points.

Yeap, but we've got a 3x price hike on the ME6500 from our initial purchase to current quotes, which left us no choice but to evaluate alternatives.

> The BFD on SVIs is definitely something that bit me on all my SX/SR platforms. I still don't have a working solution for that problem.

I would really love to just hear what Cisco says about why BFD on SVIs are a bad thing. They might have a good point.

>> Are you sure ME3750s are doing good for your network ? We had tons of issues with 3750-Metro, a product that I strongly recommend for my competitors... we haven't tested ME3400 which sound very nice (but doesn't have MPLS) or 4500 with Sup-VI (no MPLS on the software yet).
>
> We haven't had any problems with them. I just returned from the MetroE training course in SJC and the ME3750 played an important role in the course. It worked fine in the class. I think it's important that people understand what the ME devices were designed for and deploy them with that in mind. This is something that I failed at initially. The ME3750 wasn't designed to be a generic DC-powered L3 switch. It was purpose-built for L2VPN termination and some aggregation. When people like myself think that it's an all-encompassing MPLS box then they get sorely disappointed. I was. But it works well for what it was designed to do.

It's good to know that Cisco changed the speech regarding this product. I think that if one uses only as PE (no other P or PEs relying on it for LDP of a critical backbone), and it uses only 2 uplinks (no ring or mesh, two uplinks to a P backbone), no L3VPN, it might work. In the mean time, I'm glad that all the 3750-Metro we've got were operational leases: we will return them all, so I won't have to write !@%?#%?#@ on the customer satisfaction surveys anymore.

Rubens

From denyipanyany at gmail.com Tue Jul 22 14:04:23 2008
From: denyipanyany at gmail.com (Deny IP Any Any)
Date: Tue, 22 Jul 2008 14:04:23 -0400
Subject: [c-nsp] L2 switch needs: 2960G vs 3560G
Message-ID:

I'm looking for a 24-port GigE 1RU layer 2 switch, and comparing the 3560G-24TS to a C2960G-24TC-L. They seem to have similar backplane, and similar pps forwarding. I just need L2. They seem pretty similar on paper, except the 3560 is almost double the price of the 2960. Any reason to get the 3560?
--
deny ip any any (4393649193 matches)

From ploopster at gmail.com Tue Jul 22 14:34:36 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Tue, 22 Jul 2008 14:34:36 -0400
Subject: [c-nsp] L2 switch needs: 2960G vs 3560G
In-Reply-To:
References:
Message-ID: <4886283C.7000605@gmail.com>

Deny IP Any Any wrote:
> I'm looking for a 24-port GigE 1RU layer 2 switch, and comparing the 3560G-24TS to a C2960G-24TC-L. They seem to have similar backplane, and similar pps forwarding. I just need L2. They seem pretty similar on paper, except the 3560 is almost double the price of the 2960. Any reason to get the 3560?

I don't think so. The main selling point on the 3xxx series versus the 2xxx series is Layer 3 switching.

Peace... Sridhar

From evans.584 at osu.edu Tue Jul 22 14:39:58 2008
From: evans.584 at osu.edu (Kyle Evans)
Date: Tue, 22 Jul 2008 14:39:58 -0400
Subject: [c-nsp] L2 switch needs: 2960G vs 3560G
In-Reply-To:
References:
Message-ID: <4886297E.9060002@osu.edu>

The 3560 includes Dynamic Arp Inspection and IP Source Guard, but the 2960 does not.

Kyle

Deny IP Any Any wrote:
> I'm looking for a 24-port GigE 1RU layer 2 switch, and comparing the 3560G-24TS to a C2960G-24TC-L. They seem to have similar backplane, and similar pps forwarding. I just need L2. They seem pretty similar on paper, except the 3560 is almost double the price of the 2960. Any reason to get the 3560?
From justin at justinshore.com Tue Jul 22 15:26:26 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 22 Jul 2008 12:26:26 -0700
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com>
Message-ID: <48863462.3060107@justinshore.com>

Rubens Kuhl Jr. wrote:
> Yeap, but we've got a 3x price hike on the ME6500 from our initial purchase to current quotes, which left us no choice but to evaluate alternatives.

Ouch. Are you dealing with a partner or Cisco Direct? There isn't any excuse for the price to go up, period. If you like I could hook you up with our Cisco Direct guys. If you got your order in this week you might get a decent discount simply because their fiscal year ends this month and the sales folks are hungry.

>> The BFD on SVIs is definitely something that bit me on all my SX/SR platforms. I still don't have a working solution for that problem.
>
> I would really love to just hear what Cisco says about why BFD on SVIs are a bad thing. They might have a good point.

What I was told was that it was an "unintended feature". Basically that means that while it worked it wasn't ever part of the intended design and wasn't ever tested. It could have adverse effects on other things; then again it also might not affect anything. They simply wouldn't know unless they incorporated that into the QA procedures and there has to be demand for that to happen. So tell your account team every chance you get. In fact I would recommend having your account team hook you up on a call with the product manager responsible for BFD support on your hardware and ask for it yourself (because often times I think requests like that tend to get overlooked).

> It's good to know that Cisco changed the speech regarding this product. I think that if one uses only as PE (no other P or PEs relying on it for LDP of a critical backbone), and it uses only 2 uplinks (no ring or mesh, two uplinks to a P backbone), no L3VPN, it might work. In the mean time, I'm glad that all the 3750-Metro we've got were operational leases: we will return them all, so I won't have to write !@%?#%?#@ on the customer satisfaction surveys anymore.

Yeah, it's good to know what they're meant for. I was thinking like a dumbass when I bought a pair of ME6524s for the core in a very small pop. I didn't know much about the underlying platform and didn't even think about the TCAM on that box. I was just thinking that they'd be a decent device for the price and throughput in that small POP and that they didn't need to be too fancy. I ran out of TCAM back in January when the global route table exceeded the Sup2's limited reach. I'll be replacing them in the future and pushing them closer to the edge where they belong.

The ME3750 was really meant primarily as a PE device but also as a P in a MetroE access ring. In our training lab the ME3750 was used mainly as the access edge. Most of the labs used it as a L2 edge switch essentially but a few labs had us extend the IGP to it, enable MPLS and push VCs all the way to it. It worked fine, except for when I skipped an important step in the instructions... They intended for it to be deployed in GigE rings too. As they put it in the class, fiber is expensive. You can't home-run every PE to an aggregation router. It's just not cost-effective or reasonable. But it is cost-effective to have half a dozen of them ringed together and home-run the edges back to the aggregation layer (ME6524s or larger hardware). In fact much of the class dealt with building the access ring, tuning STP/RSTP/MST, etc. It's a good class if you're interested.

Justin

From RTeller at deltadentalwa.com Tue Jul 22 15:50:41 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 22 Jul 2008 12:50:41 -0700
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <4886297E.9060002@osu.edu>
References: <4886297E.9060002@osu.edu>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>

I am in the process of installing two Cisco 6500 chassis and was curious what types of PDU's people are using.

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From steve at ibctech.ca Tue Jul 22 16:41:43 2008
From: steve at ibctech.ca (Steve Bertrand)
Date: Tue, 22 Jul 2008 16:41:43 -0400
Subject: [c-nsp] Native and management VLAN confusion
Message-ID: <48864607.8020001@ibctech.ca>

Hi everyone,

We have a scenario regarding VLANs in which I'm confused as to how to access the remote switches:

             COE
           2924 XL
        native vlan 1
             |
             | trunk
             | vlans 500, 501, 502
             |
      intermediary network
             5500
          /   |   \
      trunk trunk trunk
        /     |     \
      CPE    CPE2   CPE3
    2924 XL  2924XL  2924XL
   vlan 500 vlan 501 vlan 502

Untagged traffic does not pass from CPE to COE through the intermediary.
I'm confused as to how I need to configure things VLAN-wise in order to be able to remotely manage the CPE switches from the CO, through the independent intermediary.

The native and management VLAN is 1 on the CPE side.

Could someone point me in the direction on the most appropriate way to make the CPE gear reachable?

Thanks,

Steve

From paul at paulstewart.org Tue Jul 22 17:00:48 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Jul 2008 17:00:48 -0400
Subject: [c-nsp] Native and management VLAN confusion
In-Reply-To: <48864607.8020001@ibctech.ca>
References: <48864607.8020001@ibctech.ca>
Message-ID: <007601c8ec3e$05eb8df0$11c2a9d0$@org>

Hi Steve...

Traditionally (if possible) you would have separate management VLAN's to each site for management purposes. The intermediary is most likely not permitting VLAN1 and/or untagged traffic (quite common).

Hope this helps...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steve Bertrand
Sent: Tuesday, July 22, 2008 4:42 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Native and management VLAN confusion

Hi everyone,

We have a scenario regarding VLANs in which I'm confused as to how to access the remote switches:

             COE
           2924 XL
        native vlan 1
             |
             | trunk
             | vlans 500, 501, 502
             |
      intermediary network
             5500
          /   |   \
      trunk trunk trunk
        /     |     \
      CPE    CPE2   CPE3
    2924 XL  2924XL  2924XL
   vlan 500 vlan 501 vlan 502

Untagged traffic does not pass from CPE to COE through the intermediary.

I'm confused as to how I need to configure things VLAN-wise in order to be able to remotely manage the CPE switches from the CO, through the independent intermediary.

The native and management VLAN is 1 on the CPE side.

Could someone point me in the direction on the most appropriate way to make the CPE gear reachable?
Thanks,

Steve

From rubensk at gmail.com Tue Jul 22 17:14:46 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 22 Jul 2008 18:14:46 -0300
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <48863462.3060107@justinshore.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com> <48863462.3060107@justinshore.com>
Message-ID: <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com>

> Ouch. Are you dealing with a partner or Cisco Direct? There isn't any excuse for the price to go up, period. If you like I could hook you up with our Cisco Direct guys. If you got your order in this week you might get a decent discount simply because their fiscal year ends this month and the sales folks are hungry.

Thru partner. Cisco insists to tell us that there is no Cisco Direct in our country, although I know there is and know some customers that use such channel. The partner is trying very hard to sell us this month, but they can only work on their margins.

>>> The BFD on SVIs is definitely something that bit me on all my SX/SR platforms. I still don't have a working solution for that problem.
>>
>> I would really love to just hear what Cisco says about why BFD on SVIs are a bad thing. They might have a good point.
>
> What I was told was that it was an "unintended feature". Basically that means that while it worked it wasn't ever part of the intended design and wasn't ever tested. It could have adverse effects on other things; then again it also might not affect anything. They simply wouldn't know unless they incorporated that into the QA procedures and there has to be demand for that to happen. So tell your account team every chance you get. In fact I would recommend having your account team hook you up on a call with the product manager responsible for BFD support on your hardware and ask for it yourself (because often times I think requests like that tend to get overlooked).

They seem to be listening about this, but the only real measure is the latency till it's implemented.

>> It's good to know that Cisco changed the speech regarding this product. I think that if one uses only as PE (no other P or PEs relying on it for LDP of a critical backbone), and it uses only 2 uplinks (no ring or mesh, two uplinks to a P backbone), no L3VPN, it might work. In the mean time, I'm glad that all the 3750-Metro we've got were operational leases: we will return them all, so I won't have to write !@%?#%?#@ on the customer satisfaction surveys anymore.
>
> Yeah, it's good to know what they're meant for. I was thinking like a dumbass when I bought a pair of ME6524s for the core in a very small pop. I didn't know much about the underlying platform and didn't even think about the TCAM on that box. I was just thinking that they'd be a decent device for the price and throughput in that small POP and that they didn't need to be too fancy. I ran out of TCAM back in January when the global route table exceeded the Sup2's limited reach. I'll be replacing them in the future and pushing them closer to the edge where they belong.

That's the only place in the network we have 7600s with PFC XL... but you could try filtering some routes down to the non-XL TCAM capacity and pointing a default route to these prefixes.

> The ME3750 was really meant primarily as a PE device but also as a P in a MetroE access ring. In our training lab the ME3750 was used mainly as the

After the MPLS bugs we've seen here, you wouldn't even try using it as P even for the ring only. May be the 3750 IP Services, with no MPLS, combined with 2 ME6524 on the ring would be a good fit. That's the option we're exploring for some cities where we can do ring-only: using L2 (Extreme Summit X150 is the most likely candidate, but Cisco ME3400 with METROACCESS would do the job if one prefers to stick to Cisco); some cities are too complex to cover with ring-only, so in those we need full L3/MPLS.

> access edge. Most of the labs used it as a L2 edge switch essentially but a few labs had us extend the IGP to it, enable MPLS and push VCs all the way

Humm, 3750s do L2 like a charm...

> to it. It worked fine, except for when I skipped an important step in the instructions... They intended for it to be deployed in GigE rings too. As they put it in the class, fiber is expensive. You can't home-run every PE to an aggregation router. It's just not cost-effective or reasonable. But

But then you need a PE you can trust for being a P, even for a limited number of PEs.

> it is cost-effective to have half a dozen of them ringed together and home-run the edges back to the aggregation layer (ME6524s or larger hardware). In fact much of the class dealt with building the access ring, tuning STP/RSTP/MST, etc. It's a good class if you're interested.

I think such rings would be better served by using REP (Cisco) or EAPS (Extreme); ME6524 doesn't support REP today, but that's probably just one version away.

Rubens

From streiner at cluebyfour.org Tue Jul 22 17:21:35 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 22 Jul 2008 17:21:35 -0400 (EDT)
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID:

On Tue, 22 Jul 2008, Teller, Robert wrote:

> I am in the process of installing two Cisco 6500 chassis and was curious what types of PDU's people are using.

Note that most of my stuff is not in areas with raised floors, so power and data usually need to feed in from the top of the cabinet/relay rack.

Right now, I'm just pulling two pairs of 208V/20A circuits in L6-20 receptacles above the cabinet where the 6509 will be located. One pair comes off of a generator-backed/line-conditioned emergency power panel and the other pair comes off of a UPS output panel.

I do use PDUs for smaller gear that will live in the same cabinet and I normally feed these from a 120V/30A circuit, presented as an L5-30 receptacle above the cabinet. I'll pull one of these from an emergency power panel and one from a UPS panel and drop a PDU from each into each cabinet, so single-powered boxes can be run from either and dual-powered boxes can be run from both normal/emergency and UPS power.

jms

From streiner at cluebyfour.org Tue Jul 22 17:46:55 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Tue, 22 Jul 2008 17:46:55 -0400 (EDT)
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID:

On Tue, 22 Jul 2008, Teller, Robert wrote:

> I am in the process of installing two Cisco 6500 chassis and was curious what types of PDU's people are using.

If you do want your 6509s to be fed from PDUs, there are several vendors out there that make them, with varying levels of bells and whistles, i.e. everything from 'dumb' rackmountable power strips to intelligent PDUs with dual inputs, built-in automatic transfer switches, and remote management/monitoring options.

The following vendors (not an all-inclusive list, and their options may differ if you need AC or DC power) have stuff that you may want to look at:

Tripp Lite
APC
ADC (mostly DC kit)
Eaton
Liebert

jms

From jlewis at lewis.org Tue Jul 22 18:40:22 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 22 Jul 2008 18:40:22 -0400 (EDT)
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID:

On Tue, 22 Jul 2008, Teller, Robert wrote:

> I am in the process of installing two Cisco 6500 chassis and was curious what types of PDU's people are using.

On a similar note, I'm about to turn up a few 6500s using DC power. Since we run our own DC plant, we have the option of running the power through local (to the racks where the 6500s are) DC fuse panels or directly from the DC breakers which are off in another part of the facility. I'm used to (in other colo environments) always getting DC power through a local fuse panel. I like the idea that if the wiring needs to be disconnected for any reason, it's easy to pull the appropriate fuse (and know that it's remained pulled) while working on the wiring. Others are saying it's just fine to go direct from the remote breakers into the gear. Relying on a breaker in another room, that someone else might flip without your knowledge, seems like a recipe for getting hurt. Does anyone actually do this?
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From paul at paulstewart.org Tue Jul 22 19:09:40 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Jul 2008 19:09:40 -0400
Subject: [c-nsp] Cisco 6500 Chassis PDU
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID: <008701c8ec50$07a14f10$16e3ed30$@org>

While I'm no expert on power, we always have a panel near the equipment, even when we own most facilities we are located in. Also a nice safety factor: if you think the breaker is pulled, you don't have to worry about someone accidentally putting it back online ;)

From lists at hojmark.org Tue Jul 22 17:29:54 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Tue, 22 Jul 2008 23:29:54 +0200
Subject: [c-nsp] 7600 vs MX experience?
In-Reply-To: <001001c8df9d$0f60f0d0$2e22d270$@org>
References: <48704344.1030808@punk.co.nz> <6bb5f5b10807061204x4d2c47eat8411ccbea40da933@mail.gmail.com> <001001c8df9d$0f60f0d0$2e22d270$@org>

> But, what can folks tell me about shared support in general?
> I always thought it was Smartnet or nothing hence why I'm
> asking... is this "3rd party Cisco support" that I've seen
> advertised a few times?

Shared Support is a service that Cisco sells to a tier 1 partner, and that partner then sells some service to the customer (that service must not be branded 'Cisco shared support'). The partner in all practical sense functions as the TAC and RMA department for the customer. (The customer, for example, cannot open a TAC case with Cisco directly.)

Cisco Shared Support is obviously much cheaper for the partner to buy from Cisco than SMARTnet (since they have to do much of the work themselves), but whether the customer is getting cheaper (and/or better!) service varies with the partner.
-A
(Who works for a small tier 1 Cisco partner in Denmark)

From paul at paulstewart.org Tue Jul 22 19:11:16 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Jul 2008 19:11:16 -0400
Subject: [c-nsp] Cisco 6500 Chassis PDU
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID: <008801c8ec50$3fceb7b0$bf6c2710$@org>

For what it's worth... We use a lot of APC for our AC powered equipment - really like it much better than Tripplite in particular....

Paul

From RTeller at deltadentalwa.com Tue Jul 22 19:57:56 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 22 Jul 2008 16:57:56 -0700
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <008801c8ec50$3fceb7b0$bf6c2710$@org>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com> <008801c8ec50$3fceb7b0$bf6c2710$@org>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD4@tiger.deltadentalwa.com>

I believe I have determined how big of a circuit I will need, as long as my calculations are correct. So it looks like I will need 2 30amp PDUs to support 2 6509-E chassis. Did I miss anything?

Current Utilization

  6509E Module       Amps (250vdc)  Amps (208vdc)  Max Watts  Comments
  VS-S720-10G-3C     1.69052        2.031875       422.63     Sup
  WS-X6748-GE-TX     1.47           1.766826923    367.50     Switch
  WS-SVC-FWM-1-K9    0.85892        1.032355769    214.73     Firewall
  ACE10-6500-K9      1.09832        1.320096154    274.58     NLB
  WS-C6509-E-FAN     0.84           1.009615385    210.00     Fan
  Totals             5.95776        7.160769231    1,489.44

Projected Utilization

  6509E Module       Amps (250vdc)  Amps (208vdc)  Max Watts  Comments
  VS-S720-10G-3C     1.69052        2.031875       422.63     Sup
  WS-X6748-GE-TX     1.47           1.766826923    367.50     Switch
  WS-X6748-GE-TX     1.47           1.766826923    367.50     Switch
  WS-SVC-FWM-1-K9    0.85892        1.032355769    214.73     Firewall
  ACE10-6500-K9      1.09832        1.320096154    274.58     NLB
  WS-SVC-WISM-1-K9   1.02           1.225961538    255.00     Wireless
  WS-C6509-E-FAN     0.84           1.009615385    210.00     Fan
  Totals             8.44776        10.15355769    2,111.94

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited.
If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From RTeller at deltadentalwa.com Tue Jul 22 20:03:38 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 22 Jul 2008 17:03:38 -0700
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD4@tiger.deltadentalwa.com>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com> <008801c8ec50$3fceb7b0$bf6c2710$@org> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD4@tiger.deltadentalwa.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD5@tiger.deltadentalwa.com>

I believe I have determined how big of a circuit I will need, as long as my calculations are correct. So it looks like I will need 2 30amp PDUs to support 2 6509-E chassis. Did I miss anything?

Current Utilization

  6509E Module       Amps (250vdc)  Amps (208vdc)  Max Watts       Comments
  VS-S720-10G-3C     1.69052        2.031875       422.63          Sup
  WS-X6748-GE-TX     1.47           1.766826923    367.50          Switch
  WS-SVC-FWM-1-K9    0.85892        1.032355769    214.73          Firewall
  ACE10-6500-K9      1.09832        1.320096154    274.58          NLB
  WS-C6509-E-FAN     0.84           1.009615385    210.00          Fan
  Totals             5.95 amps      7.16 amps      1,489.44 watts

Projected Utilization

  6509E Module       Amps (250vdc)  Amps (208vdc)  Max Watts       Comments
  VS-S720-10G-3C     1.69052        2.031875       422.63          Sup
  WS-X6748-GE-TX     1.47           1.766826923    367.50          Switch
  WS-X6748-GE-TX     1.47           1.766826923    367.50          Switch
  WS-SVC-FWM-1-K9    0.85892        1.032355769    214.73          Firewall
  ACE10-6500-K9      1.09832        1.320096154    274.58          NLB
  WS-SVC-WISM-1-K9   1.02           1.225961538    255.00          Wireless
  WS-C6509-E-FAN     0.84           1.009615385    210.00          Fan
  Totals             8.44 amps      10.15 amps     2,111.94 watts

From wmaton at ryouko.imsb.nrc.ca Tue Jul 22 20:29:32 2008
From: wmaton at ryouko.imsb.nrc.ca (Wiliam F. Maton Sotomayor)
Date: Tue, 22 Jul 2008 20:29:32 -0400 (EDT)
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD4@tiger.deltadentalwa.com>
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com> <008801c8ec50$3fceb7b0$bf6c2710$@org> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DD4@tiger.deltadentalwa.com>

Another data point: We power each of our 6509's using two 2500W power supplies. We've got 2-pole 20A 208V breakers for each of those supplies. Left-side is UPS/emergency, and right-side is normal power, each into the outlet.

Now, in our remote sites, we opted to use remote-switchable PDU's (APC) to take care of cold booting, again with the same-size circuits.

On Tue, 22 Jul 2008, Teller, Robert wrote:

> I believe I have determined how big of a circuit I will need, as long as
> my calculations are correct. So it looks like I will need 2 30amp pdu's
> to support 2 6509-E chassis. Did I miss anything?
wfms

From mtinka at globaltransit.net Tue Jul 22 22:30:09 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 23 Jul 2008 10:30:09 +0800
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <48863462.3060107@justinshore.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com> <48863462.3060107@justinshore.com>
Message-ID: <200807231030.10478.mtinka@globaltransit.net>

On Wednesday 23 July 2008 03:26:26 Justin Shore wrote:

> What I was told was that it was an "unintended feature".
> Basically that means that while it worked it wasn't ever
> part of the intended design and wasn't ever tested. It
> could have adverse effects on other things; then again it
> also might not affect anything. They simply wouldn't
> know unless they incorporated that into the QA procedures
> and there has to be demand for that to happen. So tell
> your account team every chance you get. In fact I would
> recommend having your account team hook you up on a call
> with the product manager responsible for BFD support on
> your hardware and ask for it yourself (because often
> times I think requests like that tend to get overlooked).

It's been a couple of weeks since I bugged our account team for it. Perhaps I should send another reminder :-)...

Cheers,

Mark.
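The circuit sizing in Robert Teller's two 6509-E tables earlier in this thread, redone as an added Python example that is not code from the list or from any poster: it recomputes the amps columns and totals from the per-module watts exactly as the table does (amps = watts / volts), then applies the two checks the replies hint at, a continuous-load derating and the rule that each feed of a dual-fed chassis must carry the full load alone, which is what the 2-pole 20A 208V breaker per supply in William Maton's data point gives him. Assumptions not in the thread: the 80% derating factor, the `efficiency` parameter (the table ignores supply losses), and all function and class names.

```python
"""Chassis power-budget check for the 6509-E tables in this thread.

Per-module maximum watts are the figures Robert Teller posted; the amps
columns in his table are simply watts / volts, which is reproduced here.
Two things are added that the table leaves out (both are this example's
assumptions, not something the thread states):
  - a continuous-load derating, taken as the common 80% rule, so a 30 A
    breaker is planned at 24 A and a 20 A breaker at 16 A;
  - the dual-feed rule: with one supply on each of two feeds, losing a feed
    leaves the other carrying every chassis on it, so a feed is sized for
    the whole load, not half of it.
The efficiency parameter defaults to 1.0 because the table ignores supply
losses; the real input current is somewhat higher.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence


@dataclass(frozen=True)
class Module:
    part: str
    max_watts: float
    role: str


# "Current Utilization" rows from the thread.
CURRENT_6509E = [
    Module("VS-S720-10G-3C", 422.63, "Sup"),
    Module("WS-X6748-GE-TX", 367.50, "Switch"),
    Module("WS-SVC-FWM-1-K9", 214.73, "Firewall"),
    Module("ACE10-6500-K9", 274.58, "NLB"),
    Module("WS-C6509-E-FAN", 210.00, "Fan"),
]

# "Projected Utilization": a second 6748 line card and a WiSM are added.
PROJECTED_6509E = CURRENT_6509E + [
    Module("WS-X6748-GE-TX", 367.50, "Switch"),
    Module("WS-SVC-WISM-1-K9", 255.00, "Wireless"),
]


def chassis_watts(modules: Iterable[Module]) -> float:
    """Sum of the per-module maximum draw (the table's Max Watts column)."""
    return sum(m.max_watts for m in modules)


def chassis_amps(modules: Iterable[Module], volts: float,
                 efficiency: float = 1.0) -> float:
    """Input current at a feed voltage: watts / (volts * efficiency)."""
    return chassis_watts(modules) / (volts * efficiency)


@dataclass(frozen=True)
class FeedCheck:
    volts: float
    breaker_amps: float
    usable_amps: float   # breaker rating after the continuous-load derating
    load_amps: float     # current this feed carries if its partner feed is lost
    fits: bool


def check_feed(chassis_list: Sequence[Iterable[Module]], volts: float,
               breaker_amps: float, derate: float = 0.80,
               efficiency: float = 1.0) -> FeedCheck:
    """Size one feed of a dual-fed installation.

    chassis_list holds the module list of every chassis hanging off this
    feed and its partner feed; the check takes the worst case, in which the
    partner feed is gone and this one carries all of them.
    """
    usable = breaker_amps * derate
    load = sum(chassis_amps(c, volts, efficiency) for c in chassis_list)
    return FeedCheck(volts, breaker_amps, usable, load, load <= usable)


def smallest_breaker(chassis_list: Sequence[Iterable[Module]], volts: float,
                     candidates: Sequence[float] = (20, 30)) -> Optional[float]:
    """Smallest candidate breaker rating that passes check_feed, or None."""
    for amps in sorted(candidates):
        if check_feed(chassis_list, volts, amps).fits:
            return amps
    return None


if __name__ == "__main__":
    for name, mods in (("current", CURRENT_6509E), ("projected", PROJECTED_6509E)):
        print(f"{name}: {chassis_watts(mods):.2f} W, "
              f"{chassis_amps(mods, 250):.5f} A @ 250 V, "
              f"{chassis_amps(mods, 208):.5f} A @ 208 V")
    pair = [PROJECTED_6509E, PROJECTED_6509E]
    fc = check_feed(pair, 208, 30)
    print(f"two projected chassis on one 30 A / 208 V feed: {fc.load_amps:.2f} A "
          f"of {fc.usable_amps:.1f} A usable -> {'fits' if fc.fits else 'too small'}")
    print("smallest per-feed breaker for the pair:", smallest_breaker(pair, 208))
```

Two projected chassis come to about 20.3 A at 208 V, which fits a derated 30 A feed but not a derated 20 A feed, so a single-chassis-per-20A-feed layout like Maton's and a two-chassis-per-30A-feed layout like Teller's both pass only when every feed is sized for the full dual-fed load.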
From nimal at fnbs.net Tue Jul 22 22:54:20 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Wed, 23 Jul 2008 10:54:20 +0800
Subject: [c-nsp] Need advise on Cisco Switch/Fibre Connectivity
Message-ID: <48869D5C.2030403@fnbs.net>

Hi guys,

Need some advice.

I am looking to acquire some 24 port ethernet LAN switches that also have fibre connectors. The fibre connections are going to be long distance (approx. 5km ++) and single mode. I was looking at the Cisco website, and think the Catalyst 3750 series might fit the need. The product data sheet says it supports the following connectors:

  1000BASE-SX, -LX/LH, -ZX, and CWDM SFP-based ports: LC fiber connectors (single-mode, or multimode fiber)

I believe we would need to order the switch together with these additional connectors? Am I right in this? Would this switch fit my basic needs for fibre connectivity? Thanks!

Nimal

From paul at paulstewart.org Tue Jul 22 23:15:33 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 22 Jul 2008 23:15:33 -0400
Subject: [c-nsp] Need advise on Cisco Switch/Fibre Connectivity
In-Reply-To: <48869D5C.2030403@fnbs.net>
References: <48869D5C.2030403@fnbs.net>
Message-ID: <000001c8ec72$60aa75b0$21ff6110$@org>

Any special requirements for the switch? 3750 seems like a bit of overkill in my opinion, but it depends on what you want the switch to do?

If you're just looking for 24 ports 10/100 and a fiber uplink then a 2960 would work just as well for basic switch requirements... the SFP determines the kind of fiber connectors, and mode.. in this case single mode LX (1000BASE-LX) sounds like all you need for 5km especially....

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_data_sheet0900aecd80322c0c.html

Hope this helps...

Paul

From mb at adv.gcomm.com.au Tue Jul 22 22:18:33 2008
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Wed, 23 Jul 2008 12:18:33 +1000
Subject: [c-nsp] 3750's, 7200 NPE-G1 and GEC advice
Message-ID: <20080723121833.x4f77taveeosk0ss@webmail.datafx.com.au>

Hi,

Just after some "best practice" advice on the following:

We have two 3750's (3750E-24TD-S) stacked, and a 7200 w/NPE-G1. We are wanting to connect two of the GigE ports of the NPE to both 3750's (in case one switch fails). We currently have it set up as port-channels, which is working fine, but wanted to confirm if this was the "correct" method to achieve redundancy, and also additional bandwidth between the 3750's + 7200.

During minimal testing, we lose ~2 packets if a cable is disconnected (if the session (ping) is running over that cable). Is there any way to reduce this?

Any suggestions are greatly appreciated.

Current conf..

7200:

!
interface Port-channel1
 description GEC_to_3750s
 no ip address
 duplex full
 hold-queue 150 in
!
interface GigabitEthernet0/1
 description TO_3750_1_0_24
 no ip address
 duplex full
 speed auto
 media-type rj45
 negotiation auto
 channel-group 1
!
interface GigabitEthernet0/2
 description TO_3750_2_0_24
 no ip address
 duplex full
 speed auto
 media-type rj45
 negotiation auto
 channel-group 1
!

3750s:

interface Port-channel1
 description GEC_to_7200
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/24
 description TO_7200_GE_0_1
 switchport trunk encapsulation dot1q
 duplex full
 channel-group 1 mode on
 spanning-tree portfast
!
interface GigabitEthernet2/0/24
 description TO_7200_GE_0_2
 switchport trunk encapsulation dot1q
 duplex full
 channel-group 1 mode on
 spanning-tree portfast

-------------------------------------------------------------------------
This e-mail was sent via Data FX Online WebMail http://www.datafx.com.au/

From danletkeman at gmail.com Wed Jul 23 00:09:45 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 22 Jul 2008 23:09:45 -0500
Subject: [c-nsp] combining multiple dsl lines

I have a customer that is wanting to combine 4 ADSL connections through one router. In the past I have set up systems where I have taken groups of IPs from the internal network and have route-map'd them to different ADSL connections. Is there a way to "combine" the DSL connections, or is using route-maps still the better way to go?

Thanks,
Dan.

From ben.steele at internode.on.net Wed Jul 23 00:18:44 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 23 Jul 2008 13:48:44 +0930
Subject: [c-nsp] combining multiple dsl lines
Message-ID: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net>

Depends a lot on the ADSL connections: are they PPP? Does the remote end support multilink?
If so, then multilink PPP is a good option, providing all 4 lines have the same characteristics.

Otherwise, other options are CEF load balancing; what type will depend on whether you are using NAT or not, as you want to make sure the packet flow takes the right path. Load balancing using the source/dest port algorithm works quite well though; probably wouldn't recommend per-packet over ADSL.

The route-map way is ok but wouldn't utilise the links as well as CEF load balancing or PPP multilink could.

Another option worth throwing in is the use of IP SLA on your routes so as to remove them from the equation should one link go down; can also be done with the route-map using verify-availability on the next-hop option.

Ben

From risnaini at indo.net.id Wed Jul 23 00:43:51 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 23 Jul 2008 11:43:51 +0700
Subject: [c-nsp] 3750's, 7200 NPE-G1 and GEC advice
In-Reply-To: <20080723121833.x4f77taveeosk0ss@webmail.datafx.com.au>
References: <20080723121833.x4f77taveeosk0ss@webmail.datafx.com.au>
Message-ID: <4886B707.2040206@indo.net.id>

Hi,

I'll do the same thing as what you've done to achieve that. Anyway, 2 packets loss means 2 seconds (normal windows ping?) or 2000 ms..

rgs
a. rahman isnaini r.sutan

From nimal at fnbs.net Wed Jul 23 02:20:40 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Wed, 23 Jul 2008 14:20:40 +0800
Subject: [c-nsp] Need advise on Cisco Switch/Fibre Connectivity
In-Reply-To: <000001c8ec72$60aa75b0$21ff6110$@org>
References: <48869D5C.2030403@fnbs.net> <000001c8ec72$60aa75b0$21ff6110$@org>
Message-ID: <4886CDB8.3070605@fnbs.net>

Hi Paul,

Thanks for the advice! And yes, 3750's look like they're a tad overkill. 2960's are just what I need.

Need to ask some more noob questions. Based on the product lit, I need to get a device with an SFP transceiver to plug in a fibre connector? And SFP ports are included in switches that have "dual-purpose uplinks"? So my choices right now are:

WS-C2960-24PC-L
  - 24 Ethernet 10/100 PoE ports and 2 dual-purpose uplinks
  - 1 RU fixed-configuration
  - LAN Base Image installed

WS-C2960-24TC-L
  - 24 Ethernet 10/100 ports and 2 dual-purpose uplinks (each dual-purpose uplink port has one 10/100/1000 Ethernet port and 1 SFP-based Gigabit Ethernet port, 1 port active)
  - 1 RU fixed-configuration
  - LAN Base Image installed

I'm terribly confused. Any help on this matter is much appreciated. Any site that actually deciphers these "PC-L" or "TC-L" or any of the Cisco abbreviations?
> > If you're just looking for 24 ports 10/100 and a fiber uplink then a 2960 > would work just as well for basic switch requirements... the SFP determines > that kind of fiber connectors, and mode.. in this case single mode LX > (1000BASE-LX) sounds like all you need for 5km especially.... > > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/product_da > ta_sheet0900aecd80322c0c.html > > Hope this helps... > > Paul > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nimal David > Sirimanne > Sent: Tuesday, July 22, 2008 10:54 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Need advise on Cisco Switch/Fibre Connectivity > > Hi guys, > > Need some advise. > > I am looking to acquire some 24 port ethernet LAN switches that also > have fibre connectors. The fibre connections are going to be long > distance (apprx 5km ++) and single mode . I was looking at the cisco > website, and think the Catalyst 3750 series might fit the need. The > product data sheet says it supports the following connectors: > > 1000BASE-SX, -LX/LH, -ZX, and CWDM SFP-based ports: LC fiber connectors > (single- > mode, or multimode fiber) > > I believe we would need to order the switch toghether with these > additional connectors? Am i right in this? Would this switch fit my > basic needs for fibre connectivity? Thanks! 
>
> Nimal

From acm at axians.de Wed Jul 23 02:28:33 2008
From: acm at axians.de (Cheikh-Moussa Ahmad)
Date: Wed, 23 Jul 2008 08:28:33 +0200
Subject: [c-nsp] QoS VLAN trunk Port
References: <67F7C1FAF83A074AA3520D8F155782A5017239BE@xmb-ams-331.emea.cisco.com> <67F7C1FAF83A074AA3520D8F155782A501A1061C@xmb-ams-331.emea.cisco.com>

Hi Guys,

I found out that the parameter "set cos" is only available for ATM and
Frame Relay interfaces. Does anyone know how to change the CoS values on
a trunk interface? Is that not possible? I can't believe that no one has
had a similar issue.

Hints are appreciated.

Regards,
Ahmad

From gert at greenie.muc.de Wed Jul 23 02:55:55 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 23 Jul 2008 08:55:55 +0200
Subject: [c-nsp] REP (was: ME6524 alternative)
In-Reply-To: <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com> <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com>
Message-ID: <20080723065555.GZ1231@greenie.muc.de>

Hi,

On Tue, Jul 22, 2008 at 06:14:46PM -0300, Rubens Kuhl Jr. wrote:
> I think such rings would be better served by using REP (Cisco) or
> EAPS (Extreme)

You've made me curious, so I went and looked at what REP is, hoping for
great innovation - and I find myself somewhat disappointed; it seems to
be "something similar to RPVST or MST, just incompatible".

Since it still disables a port (instead of using all links available in
the network, using L2 SPF 'routing', like HP's mesh technology does), I
can't see an immediate advantage of REP vs. RPVST or MST...?

curious,

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025                            gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Wed Jul 23 04:25:57 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 23 Jul 2008 10:25:57 +0200
Subject: [c-nsp] Need advise on Cisco Switch/Fibre Connectivity
In-Reply-To: <4886CDB8.3070605@fnbs.net>
References: <48869D5C.2030403@fnbs.net> <000001c8ec72$60aa75b0$21ff6110$@org> <4886CDB8.3070605@fnbs.net>
Message-ID: <1216801557.27101.1.camel@svesken.sys.mjna.net>

Hi Nimal,

On Wed, 2008-07-23 at 14:20 +0800, Nimal David Sirimanne wrote:
> Need to ask some more noob questions. Based on the product literature, I
> need to get a device with an SFP transceiver to plug in a fibre
> connector? And SFP ports are included in switches that have
> "dual-purpose uplinks"? So my choices right now are:
>
> WS-C2960-24PC-L
> - 24 Ethernet 10/100 PoE ports and 2 dual-purpose uplinks
> - 1 RU fixed-configuration
> - LAN Base Image installed
>
> WS-C2960-24TC-L
> - 24 Ethernet 10/100 ports and 2 dual-purpose uplinks (each dual-purpose
>   uplink port has one 10/100/1000 Ethernet port and 1 SFP-based Gigabit
>   Ethernet port, 1 port active)
> - 1 RU fixed-configuration
> - LAN Base Image installed
>
> I'm terribly confused. Any help on this matter is much appreciated. Any
> site that actually deciphers these "PC-L" or "TC-L" or any of the Cisco
> abbreviations?

The WS-C2960-24TC-L is a "plain" switch, whereas the WS-C2960-24PC-L has
PoE ports (Power over Ethernet). That is the only difference between
these two switches.

Regards,
Peter

From asad747 at cyber.net.pk Wed Jul 23 06:56:43 2008
From: asad747 at cyber.net.pk (Asad Ul-Islam)
Date: Wed, 23 Jul 2008 15:56:43 +0500
Subject: [c-nsp] SVI or Subinterfaces?
Message-ID: <627A8EBB53354D6383856F59C9537D97@CYBERNET60472>

Dear all

We are an ISP and have a Catalyst 6513, and I want to terminate trunks
on it. Can someone tell me which is the better approach to achieve this:

1) using subinterfaces on trunk links, or
2) using SVIs?

Which will provide more flexibility and scalability, and what are the
limitations of each method?

Best Regards,
Asad Ul-Islam

From linkconnect at googlemail.com Wed Jul 23 06:37:22 2008
From: linkconnect at googlemail.com (Wayne Lee)
Date: Wed, 23 Jul 2008 11:37:22 +0100
Subject: [c-nsp] combining multiple dsl lines
In-Reply-To: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net>
References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net>
Message-ID: <3044d0930807230337i6473cd09obad063938df2bec3@mail.gmail.com>

On Wed, Jul 23, 2008 at 5:18 AM, Ben Steele wrote:
> Depends a lot on the ADSL connections: are they PPP? Does the remote end
> support multilink? If so then multilink PPP is a good option, providing
> all 4 lines have the same characteristics.
>
> Otherwise other options are CEF load balancing; what type will depend on
> whether you are using NAT or not, as you want to make sure the packet
> flow takes the right path. Load balancing using the source/dest port
> algorithm works quite well though; probably wouldn't recommend per
> packet over ADSL.
>
> The route-map way is OK but wouldn't utilise the links as well as CEF
> load balancing or PPP multilink could.
> Another option worth throwing in is the use of IP SLA on your routes so
> as to remove them from the equation should one link go down; can also be
> done with the route-map using verify-availability on the next-hop
> option.
>
> Ben

We have used CEF per-packet with great success on PPPoA DSL links here in
the UK; we use RADIUS to add/remove the extra routes when a connection
bounces. The CPE is a Linux box which is not running any NAT.

Works for us

Wayne

From peter at rathlev.dk Wed Jul 23 07:02:41 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 23 Jul 2008 13:02:41 +0200
Subject: [c-nsp] SVI or Subinterfaces?
In-Reply-To: <627A8EBB53354D6383856F59C9537D97@CYBERNET60472>
References: <627A8EBB53354D6383856F59C9537D97@CYBERNET60472>
Message-ID: <1216810961.28209.9.camel@svesken.sys.mjna.net>

Hi Asad,

On Wed, 2008-07-23 at 15:56 +0500, Asad Ul-Islam wrote:
> We are an ISP and have a Catalyst 6513, and I want to terminate trunks
> on it. Can someone tell me which is the better approach to achieve this:
>
> 1) using subinterfaces on trunk links, or
> 2) using SVIs?
>
> Which will provide more flexibility and scalability, and what are the
> limitations of each method?

On LAN cards on the Catalyst 6500 platform there is no local VLAN
significance, which means that with a subinterface definition like this:

  interface GigabitEthernet1/1.100
   encapsulation dot1q 100
  !

you can't use VLAN 100 anywhere else on the box. This also means that you
cannot do local switching, i.e. use this VLAN on more than one physical
port. You can't do this:

  interface GigabitEthernet1/1.100
   description CPE A
   encapsulation dot1q 100
  !
  interface GigabitEthernet1/2.100
   description CPE B
   encapsulation dot1q 100
  !

You'd get a "Command rejected: VLAN 100 not available" when defining the
second port.

On the other hand, with LAN cards facing the core, you cannot use EoMPLS
on SVIs, only on subinterfaces and physical ports.

With the MUX-UNI feature (SXH and newer) you can combine regular
switchport trunks and subinterfaces, using the latter for
subinterface-based EoMPLS. You cannot do any L3 termination on them
though; they can only be used for EoMPLS.

We use regular switchport trunks and SVIs everywhere and then of course
make sure to limit VLANs to the ports where they are relevant. (No open
trunks.) We only use physical ports where we do EoMPLS.

Hope this helps,
Peter

From peder at networkoblivion.com Wed Jul 23 08:20:25 2008
From: peder at networkoblivion.com (Peder @ NetworkOblivion)
Date: Wed, 23 Jul 2008 07:20:25 -0500
Subject: [c-nsp] Changes to "show policy-map interface"
Message-ID: <48872209.50401@networkoblivion.com>

I was just looking at a router running a recent version of IOS and I
noticed that the output of "show policy-map int" has changed quite a bit.
Here is the output:

Router# sho policy-map interface
 Serial0/0/0
  Service-policy output: voip
    Class-map: VoIP (match-any)
      1354294 packets, 93771165 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 102
        1354294 packets, 93771165 bytes
        5 minute rate 0 bps

      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 100 (kbps) Burst 2500 (Bytes)
        (pkts matched/bytes matched) 5717/457522
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      54794552 packets, 12108835008 bytes
      5 minute offered rate 3000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 256
        (total queued/total drops/no-buffer drops) 0/2728/0

It used to just show the output under "Class-map: VoIP (match-any)", but
now it appears that there is a new section labeled "Queueing" where there
is some new data that doesn't match the data above it. Any idea how the
"pkts matched" under queueing relates to the "packets" under the VoIP
class-map itself? They aren't even close to the same.
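Two of the constraints Peter Rathlev describes in the SVI-or-subinterfaces reply above lend themselves to a mechanical check of a saved configuration: on Catalyst 6500 LAN cards a dot1q VLAN ID can be encapsulated on only one subinterface per box (the second definition is rejected), and trunks should carry only the VLANs that are relevant on that port rather than being left open. The script below is an added example for this archive, not code from the thread or from Cisco; it parses a constructed IOS-style configuration fragment (the interface names, VLAN IDs and addresses are made up for illustration) and reports open trunks and duplicated dot1q IDs.

```python
"""Audit an IOS-style config for open trunks and duplicated dot1q subinterface IDs.

Added example for this archive; not code from the thread or from Cisco.
The configuration below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one pruned trunk, one open trunk, and VLAN 100
# encapsulated on two different subinterfaces (rejected on 6500 LAN cards).
SAMPLE_CONFIG = """\
!
interface GigabitEthernet1/1
 description uplink to core (pruned trunk)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
!
interface GigabitEthernet1/2
 description customer row (open trunk, carries every VLAN)
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/3.100
 description CPE A
 encapsulation dot1Q 100
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/4.100
 description CPE B
 encapsulation dot1Q 100
 ip address 192.0.2.5 255.255.255.252
!
interface Vlan200
 ip address 198.51.100.1 255.255.255.0
!
"""


@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)


def parse_interfaces(config: str) -> list:
    """Split a config into interface blocks: each block is the interface
    name plus its indented sub-commands, stripped of leading whitespace."""
    interfaces = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = Interface(raw.split(None, 1)[1].strip())
            interfaces.append(current)
        elif raw.startswith(" ") and current is not None:
            current.lines.append(raw.strip())
        else:
            current = None  # '!' or any top-level command ends the block
    return interfaces


def open_trunks(interfaces: list) -> list:
    """Names of trunk ports that carry every VLAN because no
    'switchport trunk allowed vlan' list restricts them."""
    return [
        i.name for i in interfaces
        if "switchport mode trunk" in i.lines
        and not any(line.startswith("switchport trunk allowed vlan") for line in i.lines)
    ]


DOT1Q = re.compile(r"^encapsulation dot1q (\d+)", re.IGNORECASE)


def duplicate_dot1q(interfaces: list) -> dict:
    """dot1q IDs used on more than one subinterface, mapped to the
    subinterfaces that use them. With no local VLAN significance the
    second definition gets 'Command rejected: VLAN N not available'."""
    by_vlan = {}
    for i in interfaces:
        for line in i.lines:
            m = DOT1Q.match(line)
            if m:
                by_vlan.setdefault(int(m.group(1)), []).append(i.name)
    return {v: names for v, names in by_vlan.items() if len(names) > 1}


def audit(config: str) -> dict:
    """Run both checks over one configuration text."""
    intfs = parse_interfaces(config)
    return {
        "open_trunks": open_trunks(intfs),
        "duplicate_dot1q": duplicate_dot1q(intfs),
    }


if __name__ == "__main__":
    for check, hits in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {hits}")
```

Pointed at a real "show running-config" capture, the script only reads interface blocks and the commands named in the code; everything else is ignored. Note that an explicit "switchport trunk allowed vlan all" or a 1-4094 range passes the open-trunk check as written, since the check only looks for the presence of an allowed-vlan line; extend open_trunks if you want those flagged as well.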
From sthaug at nethelp.no Wed Jul 23 08:43:09 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 23 Jul 2008 14:43:09 +0200 (CEST)
Subject: [c-nsp] REP
In-Reply-To: <20080723065555.GZ1231@greenie.muc.de>
References: <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <20080723065555.GZ1231@greenie.muc.de>
Message-ID: <20080723.144309.74742302.sthaug@nethelp.no>

> > I think such rings would be better served by using REP (Cisco) or
> > EAPS (Extreme)
>
> You've made me curious, so I went and looked at what REP is, hoping for
> great innovation - and I find myself somewhat disappointed; it seems to
> be "something similar to RPVST or MST, just incompatible".
>
> Since it still disables a port (instead of using all links available
> in the network, using L2 SPF 'routing', like HP's mesh technology does),
> I can't see an immediate advantage of REP vs. RPVST or MST...?

The fact that REP and EAPS are explicitly *not* compatible with regular
IEEE spanning tree is one of the great attractions of these protocols.
This means that a customer who sends STP traffic into your network can
*not* influence your ring topology/failover.

Additionally, REP and EAPS are explicitly made for a ring architecture,
and can therefore be made simpler and/or converge more rapidly.

We have lots of EAPS rings. It works for us. We might be interested in
using ME3400 with REP for the same type of rings if it had decent CAM
size. Unfortunately, it doesn't - 8K MAC addresses is uncomfortably
close to the number of MAC addresses we already have in many of our
rings.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From justin at justinshore.com Wed Jul 23 09:55:16 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 23 Jul 2008 06:55:16 -0700
Subject: [c-nsp] REP
In-Reply-To: <20080723.144309.74742302.sthaug@nethelp.no>
References: <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <20080723065555.GZ1231@greenie.muc.de> <20080723.144309.74742302.sthaug@nethelp.no>
Message-ID: <48873844.7080605@justinshore.com>

sthaug at nethelp.no wrote:
> The fact that REP and EAPS are explicitly *not* compatible with regular
> IEEE spanning tree is one of the great attractions of these protocols.
> This means that a customer who sends STP traffic into your network can
> *not* influence your ring topology/failover.

Honestly this is a moot point anyway because only a mis-configured
network would ever allow a customer to interact with the SP's STP. If an
SP is dropping MetroE at the edge without bpdufilter enabled then
something is seriously wrong. If the SP is doing L2VPN then dot1q-tunnel
and L2PT take care of inhibiting interaction between the CE and PE with
STP. Otherwise in all other cases the SP should explicitly enable
bpdufilter on all Ethernet CE-facing interfaces as part of the standard
template that an SP deploys.

> Additionally, REP and EAPS are explicitly made for a ring architecture,
> and can therefore be made simpler and/or converge more rapidly.

I have never seen the point in more STP-like protocols when you can
configure 802.1w or 1s w/ 1w to converge just as quickly, with uniform
support on all platforms to boot. EAPS does not offer any benefits and in
fact it offers serious limitations thanks to its infancy. Every vendor
has interpreted RFC 3619 differently since it was published nearly 5
years ago. For example Pannaway supports EAPS but their implementation is
limited to not allowing EAPS rings to cross VLANs. That's a serious
design limitation.
> We have lots of EAPS rings. It works for us. We might be interested in
> using ME3400 with REP for the same type of rings if it had decent CAM
> size. Unfortunately, it doesn't - 8K MAC addresses is uncomfortably
> close to the number of MAC addresses we already have in many of our
> rings.

Are you learning customer MACs for the service you're offering? That
would be the case if you're simply transporting PtP VLANs. However if
you're doing L2VPN or dot1q-tunnels then you shouldn't be learning MACs.

Justin

From rodunn at cisco.com Wed Jul 23 09:57:25 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 23 Jul 2008 09:57:25 -0400
Subject: [c-nsp] Changes to "show policy-map interface"
In-Reply-To: <48872209.50401@networkoblivion.com>
References: <48872209.50401@networkoblivion.com>
Message-ID: <20080723135725.GA2399@rtp-cse-489.cisco.com>

What code is it?

On Wed, Jul 23, 2008 at 07:20:25AM -0500, Peder @ NetworkOblivion wrote:
> I was just looking at a router running a recent version of IOS and I
> noticed that the output of "show policy-map int" has changed quite a
> bit. Here is the output:
>
> Router# sho policy-map interface
>  Serial0/0/0
>   Service-policy output: voip
>     Class-map: VoIP (match-any)
>       1354294 packets, 93771165 bytes
>       5 minute offered rate 0 bps, drop rate 0 bps
>       Match: access-group 102
>         1354294 packets, 93771165 bytes
>         5 minute rate 0 bps
>
>       Queueing
>         Strict Priority
>         Output Queue: Conversation 264
>         Bandwidth 100 (kbps) Burst 2500 (Bytes)
>         (pkts matched/bytes matched) 5717/457522
>         (total drops/bytes drops) 0/0
>
>     Class-map: class-default (match-any)
>       54794552 packets, 12108835008 bytes
>       5 minute offered rate 3000 bps, drop rate 0 bps
>       Match: any
>       Queueing
>         Flow Based Fair Queueing
>         Maximum Number of Hashed Queues 256
>         (total queued/total drops/no-buffer drops) 0/2728/0
>
> It used to just show the output under "Class-map: VoIP (match-any)", but
> now it appears that there is a new section labeled "Queueing" where there
> is some new data that doesn't match the data above it. Any idea how the
> "pkts matched" under queueing relates to the "packets" under the VoIP
> class-map itself? They aren't even close to the same.

From peder at networkoblivion.com Wed Jul 23 10:13:29 2008
From: peder at networkoblivion.com (Peder @ NetworkOblivion)
Date: Wed, 23 Jul 2008 09:13:29 -0500
Subject: [c-nsp] Changes to "show policy-map interface"
In-Reply-To: <20080723135725.GA2399@rtp-cse-489.cisco.com>
References: <48872209.50401@networkoblivion.com> <20080723135725.GA2399@rtp-cse-489.cisco.com>
Message-ID: <48873C89.6070301@networkoblivion.com>

It is 12.4.3 from Nov 2007. I guess it isn't really recent, but it is a
12.4 revision.

Rodney Dunn wrote:
> What code is it?
>
> On Wed, Jul 23, 2008 at 07:20:25AM -0500, Peder @ NetworkOblivion wrote:
>> I was just looking at a router running a recent version of IOS and I
>> noticed that the output of "show policy-map int" has changed quite a
>> bit. Here is the output:
>>
>> Router# sho policy-map interface
>>  Serial0/0/0
>>   Service-policy output: voip
>>     Class-map: VoIP (match-any)
>>       1354294 packets, 93771165 bytes
>>       5 minute offered rate 0 bps, drop rate 0 bps
>>       Match: access-group 102
>>         1354294 packets, 93771165 bytes
>>         5 minute rate 0 bps
>>
>>       Queueing
>>         Strict Priority
>>         Output Queue: Conversation 264
>>         Bandwidth 100 (kbps) Burst 2500 (Bytes)
>>         (pkts matched/bytes matched) 5717/457522
>>         (total drops/bytes drops) 0/0
>>
>>     Class-map: class-default (match-any)
>>       54794552 packets, 12108835008 bytes
>>       5 minute offered rate 3000 bps, drop rate 0 bps
>>       Match: any
>>       Queueing
>>         Flow Based Fair Queueing
>>         Maximum Number of Hashed Queues 256
>>         (total queued/total drops/no-buffer drops) 0/2728/0
>>
>> It used to just show the output under "Class-map: VoIP (match-any)", but
>> now it appears that there is a new section labeled "Queueing" where there
>> is some new data that doesn't match the data above it. Any idea how the
>> "pkts matched" under queueing relates to the "packets" under the VoIP
>> class-map itself? They aren't even close to the same.

From p.mayers at imperial.ac.uk Wed Jul 23 10:54:43 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 23 Jul 2008 15:54:43 +0100
Subject: [c-nsp] REP
In-Reply-To: <48873844.7080605@justinshore.com>
References: <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <20080723065555.GZ1231@greenie.muc.de> <20080723.144309.74742302.sthaug@nethelp.no> <48873844.7080605@justinshore.com>
Message-ID: <48874633.5090003@imperial.ac.uk>

>

...the key thing being "should not", rather than "will not". Using an
entirely different protocol protects to a degree against human or machine
error, e.g. forgetting the bpduguard config.

> I have never seen the point in more STP-like protocols when you can
> configure 802.1w or 1s w/ 1w to converge just as quickly with uniform
> support on all platforms to boot. EAPS does not offer any benefits and
> in fact it offers serious limitations thanks to its infancy. Every
> vendor has interpreted RFC 3619 differently since it was published
> nearly 5 years ago. For example Pannaway supports EAPS but their
> implementation is limited to not allowing EAPS rings to cross VLANs.
> That's a serious design limitation.

We've tuned metro rings for 100ms convergence. I've *never* seen STP come
anywhere even close to that, and I frankly doubt it has the capability.

802.1s is (IMNSHO) a bad joke. There are topologies where it's not just
worse than PVST, it's actively harmful. This would be significantly
alleviated if:

 * Cisco could run >1 MST "process"
 * 802.1s had some way of versioning the config, as opposed to breaking
   the 802.1s domain into pieces every time you update the config (or
   mandating you decide on vlan->instance mappings on day 0 and never
   change it - yeah, right...)
EAPS (and Foundry MRP) aren't universal solutions, but correctly applied
they bring significant benefits in my experience.

In addition, there are cases where one might want STP to pass through a
ring topology without being either tunnelled or blocked. We're running an
architecture like that in our datacentre, where the two DC routers with
ACE modules see:

   r1 -- p2p -- r1
   |             |
   \-- CLOUD ----/

...but the "cloud" is actually a ring of 5 (soon to be 6) Foundry
switches, protected with an MRP ring.

If you don't need such, then all fine and well, but other people do find
uses for non-STP protocols, and vendors sell boxes on the back of that -
so there is clearly market demand.

> Are you learning customer MACs for the service you're offering? That
> would be the case if you're simply transporting PtP VLANs. However if
> you're doing L2VPN or dot1q-tunnels then you shouldn't be learning MACs.

When you say L2VPN, you mean point-to-point? What about multipoint, e.g.
VPLS? It's difficult to see how you could avoid MAC learning in a
multipoint case.

...which is one reason I prefer L3VPNs, but there's a market for L2VPN.

From dan at beanfield.com Wed Jul 23 10:10:42 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Wed, 23 Jul 2008 10:10:42 -0400
Subject: [c-nsp] ME6524 alternative
In-Reply-To: <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com>
References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com> <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com>
Message-ID: <48873BE2.7070305@beanfield.com>

Not to push this thread off topic,

But we *hate* the Cisco model of the 'valueless' reseller. We deal with a
Cisco rep, we deal with a Cisco SE, our discount is set by Cisco, we deal
with Cisco's TAC - but when it's time to buy something, we get shuffled
off to some twit that does absolutely nothing and makes a cut? It drives
us nuts. It's confusing, and unnecessarily complicated.

We'll never be able to get away from Cisco completely, but when possible
this stupid crap drives us to the point we will do anything to avoid
buying from Cisco, and look to their competitors.

Rubens Kuhl Jr. wrote:
>> Ouch. Are you dealing with a partner or Cisco Direct? There isn't any
>> excuse for the price to go up, period. If you like I could hook you up
>> with our Cisco Direct guys. If you got your order in this week you
>> might get a decent discount simply because their fiscal year ends this
>> month and the sales folks are hungry.
>
> Thru partner. Cisco insists on telling us that there is no Cisco Direct
> in our country, although I know there is and know some customers that
> use such a channel.
>
> The partner is trying very hard to sell us this month, but they can
> only work on their margins.
>
>>>> The BFD on SVIs is definitely something that bit me on all my SX/SR
>>>> platforms. I still don't have a working solution for that problem.
>>>
>>> I would really love to just hear what Cisco says about why BFD on SVIs
>>> is a bad thing. They might have a good point.
>>
>> What I was told was that it was an "unintended feature". Basically that
>> means that while it worked it wasn't ever part of the intended design
>> and wasn't ever tested. It could have adverse effects on other things;
>> then again it also might not affect anything. They simply wouldn't know
>> unless they incorporated that into the QA procedures and there has to
>> be demand for that to happen. So tell your account team every chance
>> you get. In fact I would recommend having your account team hook you up
>> on a call with the product manager responsible for BFD support on your
>> hardware and ask for it yourself (because often times I think requests
>> like that tend to get overlooked).
>
> They seem to be listening about this, but the only real measure is the
> latency till it's implemented.
>
>>> It's good to know that Cisco changed the speech regarding this
>>> product. I think that if one uses it only as a PE (no other P or PEs
>>> relying on it for LDP of a critical backbone), and it uses only 2
>>> uplinks (no ring or mesh, two uplinks to a P backbone), no L3VPN, it
>>> might work. In the mean time, I'm glad that all the 3750-Metro we've
>>> got were operational leases: we will return them all, so I won't have
>>> to write !@%?#%?#@ on the customer satisfaction surveys anymore.
>>
>> Yeah, it's good to know what they're meant for. I was thinking like a
>> dumbass when I bought a pair of ME6524s for the core in a very small
>> pop. I didn't know much about the underlying platform and didn't even
>> think about the TCAM on that box. I was just thinking that they'd be a
>> decent device for the price and throughput in that small POP and that
>> they didn't need to be too fancy. I ran out of TCAM back in January
>> when the global route table exceeded the Sup2's limited reach. I'll be
>> replacing them in the future and pushing them closer to the edge where
>> they belong.
>
> That's the only place in the network we have 7600s with PFC XL... but
> you could try filtering some routes down to the non-XL TCAM capacity
> and pointing a default route to these prefixes.
>
>> The ME3750 was really meant primarily as a PE device but also as a P in
>> a MetroE access ring. In our training lab the ME3750 was used mainly as
>> the
>
> After the MPLS bugs we've seen here, you wouldn't even try using it as
> P even for the ring only. Maybe the 3750 IP Services, with no MPLS,
> combined with 2 ME6524 on the ring would be a good fit. That's the
> option we're exploring for some cities where we can do ring-only: using
> L2 (Extreme Summit X150 is the most likely candidate, but Cisco ME3400
> with METROACCESS would do the job if one prefers to stick to Cisco);
> some cities are too complex to cover with ring-only, so in those we
> need full L3/MPLS.
>
>> access edge. Most of the labs used it as a L2 edge switch essentially
>> but a few labs had us extend the IGP to it, enable MPLS and push VCs
>> all the way
>
> Humm, 3750s do L2 like a charm...
>
>> to it. It worked fine, except for when I skipped an important step in
>> the instructions... They intended for it to be deployed in GigE rings
>> too. As they put it in the class, fiber is expensive. You can't
>> home-run every PE to an aggregation router. It's just not
>> cost-effective or reasonable. But
>
> But then you need a PE you can trust for being a P, even for a limited
> number of PEs.
>
>> it is cost-effective to have half a dozen of them ringed together and
>> home-run the edges back to the aggregation layer (ME6524s or larger
>> hardware). In fact much of the class dealt with building the access
>> ring, tuning STP/RSTP/MST, etc. It's a good class if you're interested.
>
> I think such rings would be better served by using REP (Cisco) or
> EAPS (Extreme); ME6524 doesn't support REP today, but that's probably
> just one version away.
>
> Rubens

From rubensk at gmail.com Wed Jul 23 11:27:12 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 23 Jul 2008 12:27:12 -0300 Subject: [c-nsp] ME6524 alternative In-Reply-To: <48873BE2.7070305@beanfield.com> References: <6bb5f5b10807211258r76361be4mdfcb63fb5ccac540@mail.gmail.com> <48850149.8010005@justinshore.com> <6bb5f5b10807211443y53f41709n6bbc66b91b49f5e3@mail.gmail.com> <4886009B.8070107@justinshore.com> <6bb5f5b10807220920k71e5c0d7n971292b9f8f79fd6@mail.gmail.com> <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <48873BE2.7070305@beanfield.com> Message-ID: <6bb5f5b10807230827p2ddc7ffbxdb6aec99b6427ea@mail.gmail.com> I don't have a problem with a reseller getting a piece of the action if it's a vendor choice to do so. I always tell vendors that we will compare the product by the price we can get it, no matter how many hands it come across... on a competitive market like selling networking gear to service providers, they know that... every time Cisco or a reseller complains it has no margins, say something like "it's not my problem", "that's a self-inflicted pain" and so forth... either they stop wining and gives you the discount you want, or you buy from someone else. The math they make is that sometimes a channel will bring a customer; if that probability is higher than the discount you have to give to put the middle man, they make a profit on an aggregate level. Not Cisco, but many other vendors considers us to be a channel as we buy CPEs to provide them as service, and let us buy directly from distributors or from the manufacturer, which puts more pressure on Cisco. Sometimes it doesn't work (as it didn't in this 3x price hike for the ME6524), sometimes it does. Rubens On Wed, Jul 23, 2008 at 11:10 AM, Dan Armstrong wrote: > Not to push this thread off topic, > > > But we *hate* the Cisco model of the 'valueless' reseller. 
We deal with a > Cisco rep, we deal with a Cisco SE, our discount is set by Cisco, we deal > with Cisco's TAC - but when it's time to buy something, we get shuffled off > to some twit that does absolutely nothing and makes a cut? It drives us > nuts. It's confusing, and unnecessarily complicated. > > We'll never be able to get away from Cisco completely, but when possible > this stupid crap drives us to the point we will do anything to avoid buying > from Cisco, and look to their competitors. > > > > Rubens Kuhl Jr. wrote: >>> >>> Ouch. Are you dealing with a partner or Cisco Direct? There isn't any >>> excuse for the price to go up, period. If you like I could hook you up >>> with >>> our Cisco Direct guys. If you got your order in this week you might be a >>> decent discount simply because their fiscal year ends this month and the >>> sales folks are hungry. >>> >> >> Thru partner. Cisco insists to tell us that there is no Cisco Direct >> in our country, although I know there is and know some customers that >> use such channel. >> >> The partner is trying very hard to sell us this month, but they can >> only work on their margins. >> >> >> >>>>> >>>>> The BFD on SVIs is definitely something that bit me on all my SX/SR >>>>> platforms. I still don't have a working solution for that problem. >>>>> >>>> >>>> I would really love to just hear what Cisco says about why BFD on SVIs >>>> are a bad thing. They might have a good point. >>>> >>> >>> What I was told was that it was an "unintended feature". Basically that >>> means that while it worked it wasn't ever part of the intended design and >>> wasn't ever tested. It could have adverse affects on other things; then >>> again it also might not affect anything. They simply wouldn't know >>> unless >>> they incorporated that into the QA procedures and there has to be demand >>> for >>> that to happen. So tell your account team every chance you get. 
In fact >>> I >>> would recommend having your account team hook you up on a call with the >>> product manager responsible for BFD support on your hardware and ask for >>> it >>> yourself (because often times I think requests like that tend to get >>> overlooked). >>> >> >> They seem to be listening about this, but the only real measure is the >> latency till it's implemented. >> >> >> >>>> >>>> It's good to know that Cisco changed the speech regarding this >>>> product. I think that if one uses only as PE (no other P or PEs >>>> relying on it for LDP of a critical backbone), and it uses only 2 >>>> uplinks (no ring or mesh, two uplinks to a P backbone), no L3VPN, it >>>> might work. In the mean time, I'm glad that all the 3750-Metro we've >>>> got were operational leases: we will return them all, so I won't have >>>> to write !@%?#%?#@ on the customer satisfaction surveys anymore. >>>> >>> >>> Yeah, it's good to know what they're meant for. I was thinking like a >>> dumbass when I bought a pair of ME6524s for the core in a very small pop. >>> I >>> didn't know much about the underlying platform and didn't even think >>> about >>> the TCAM on that box. I was just thinking that they'd be a decent device >>> for the price and throughput in that small POP and that they didn't need >>> to >>> be too fancy. I ran out of TCAM back in January when the global route >>> table >>> exceeded the Sup2's limited reach. I'll be replacing them in the future >>> and >>> pushing them closer to the edge where they belong. >>> >> >> That's the only place in the network we have 7600s with PFC XL... but >> you could try filtering some routes down to the non-XL TCAM capacity >> and pointing a default route to the these prefixes. >> >> >> >>> >>> The ME3750 was really meant primarily as a PE device but also as a P in a >>> MetroE access ring. 
>>> In our training lab the ME3750 was used mainly as the
>>
>> After the MPLS bugs we've seen here, you wouldn't even try using it as P even for the ring only. Maybe the 3750 IP Services, with no MPLS, combined with 2 ME6524 on the ring would be a good fit. That's the option we're exploring for some cities where we can do ring-only: using L2 (Extreme Summit X150 is the most likely candidate, but Cisco ME3400 with METROACCESS would do the job if one prefers to stick to Cisco); some cities are too complex to cover with ring-only, so in those we need full L3/MPLS.
>>
>>> access edge. Most of the labs used it as a L2 edge switch essentially but a few labs had us extend the IGP to it, enable MPLS and push VCs all the way
>>
>> Humm, 3750s do L2 like a charm...
>>
>>> to it. It worked fine, except for when I skipped an important step in the instructions... They intended for it to be deployed in GigE rings too. As they put it in the class, fiber is expensive. You can't home-run every PE to an aggregation router. It's just not cost-effective or reasonable. But
>>
>> But then you need a PE you can trust for being a P, even for a limited number of PEs.
>>
>>> it is cost-effective to have half a dozen of them ringed together and home-run the edges back to the aggregation layer (ME6524s or larger hardware). In fact much of the class dealt with building the access ring, tuning STP/RSTP/MST, etc. It's a good class if you're interested.
>>
>> I think such rings would be better served by using REP (Cisco) or EAPS (Extreme); ME6524 doesn't support REP today, but that's probably just one version away.
>>
>> Rubens
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Wed Jul 23 11:47:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 23 Jul 2008 11:47:59 -0400
Subject: [c-nsp] Changes to "show policy-map interface"
In-Reply-To: <48873C89.6070301@networkoblivion.com>
References: <48872209.50401@networkoblivion.com> <20080723135725.GA2399@rtp-cse-489.cisco.com> <48873C89.6070301@networkoblivion.com>
Message-ID: <20080723154759.GB4023@rtp-cse-489.cisco.com>

I suspect that is packets classified vs. the queueing engine actually kicking in for the packets (ie: there was congestion and we had to queue those 5717) briefly.

On Wed, Jul 23, 2008 at 09:13:29AM -0500, Peder @ NetworkOblivion wrote:
> It is 12.4.3 from Nov 2007. I guess it isn't really recent, but it is a 12.4 revision.
>
> Rodney Dunn wrote:
>> What code is it?
>>
>> On Wed, Jul 23, 2008 at 07:20:25AM -0500, Peder @ NetworkOblivion wrote:
>>> I was just looking at a router running a recent version of IOS and I noticed that the output of "show policy-map int" has changed quite a bit.
>>> Here is the output:
>>>
>>> Router# sho policy-map interface
>>>  Serial0/0/0
>>>   Service-policy output: voip
>>>     Class-map: VoIP (match-any)
>>>       1354294 packets, 93771165 bytes
>>>       5 minute offered rate 0 bps, drop rate 0 bps
>>>       Match: access-group 102
>>>         1354294 packets, 93771165 bytes
>>>         5 minute rate 0 bps
>>>
>>>       Queueing
>>>         Strict Priority
>>>         Output Queue: Conversation 264
>>>         Bandwidth 100 (kbps) Burst 2500 (Bytes)
>>>         (pkts matched/bytes matched) 5717/457522
>>>         (total drops/bytes drops) 0/0
>>>
>>>     Class-map: class-default (match-any)
>>>       54794552 packets, 12108835008 bytes
>>>       5 minute offered rate 3000 bps, drop rate 0 bps
>>>       Match: any
>>>       Queueing
>>>         Flow Based Fair Queueing
>>>         Maximum Number of Hashed Queues 256
>>>         (total queued/total drops/no-buffer drops) 0/2728/0
>>>
>>> It used to just show the output under "Class-map: VoIP (match-any)", but now it appears that there is a new section labeled "Queueing" where there is some new data that doesn't match the data above it. Any idea how the "pkts matched" under queueing relates to the "packets" under the VoIP class-map itself? They aren't even close to the same.

From rubensk at gmail.com Wed Jul 23 12:16:51 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 23 Jul 2008 13:16:51 -0300
Subject: [c-nsp] REP
In-Reply-To: <48874633.5090003@imperial.ac.uk>
References: <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <20080723065555.GZ1231@greenie.muc.de> <20080723.144309.74742302.sthaug@nethelp.no> <48873844.7080605@justinshore.com> <48874633.5090003@imperial.ac.uk>
Message-ID: <6bb5f5b10807230916w6f0fd5f0l30de3d9f0dab923f@mail.gmail.com>

On Wed, Jul 23, 2008 at 11:54 AM, Phil Mayers wrote:
> ...the key thing being "should not", rather than "will not". Using an entirely different protocol protects to a degree against human or machine error e.g. forgetting the bpduguard config.

I agree. It's an extra protection that doesn't hurt... but I prefer to do bpdufilter, as the customer won't interfere with our STP and vice-versa. spanning-tree portfast bpdufilter default (or something like that) is a good tool to impose that beyond normal human error (forgetting to insert a command) but not advanced human error (configuring a customer interface as a backbone interface, for instance).

>> I have never seen the point in more STP-like protocols when you can configure 802.1w or 1s w/ 1w to converge just as quickly with uniform support on all platforms to boot. EAPS does not offer any benefits and in fact it offers serious limitations thanks to its infancy. Every vendor has interpreted RFC 3619 differently since it was published nearly 5 years ago. For example Pannaway supports EAPS but their implementation is limited to not allowing EAPS rings to cross VLANs. That's a serious design limitation.
>
> We've tuned metro rings for 100ms convergence. I've *never* seen STP come anywhere even close to that, and I frankly doubt it has the capability.

It hasn't, and we discovered that the bad way, with a loop that took us a painful downtime. And that's why we are looking at non-standard ring protocols, not because our customers also use STP.
One point that could be argued is what the performance of Rapid PVST+ or its IEEE counterparts would be on a ring-only topology.

> 802.1s is (IMNSHO) a bad joke. There are topologies where it's not just worse than PVST, it's actively harmful. This would be significantly alleviated if:
> * Cisco could run >1 MST "process"
> * 802.1s had some way of versioning the config, as opposed to breaking the 802.1s domain into pieces every time you update the config (or mandating you decide on vlan->instance mappings on day 0 and never change it - yeah, right...)

We tried to migrate to MST, but just couldn't find a way to migrate gradually from Rapid PVST+.

> EAPS (and Foundry MRP) aren't universal solutions, but correctly applied they bring significant benefits in my experience.

Also in the market, Allied Telesis has EPSR or something like that. It would be a Good Thing if all those Ethernet ring protocols were replaced by a standard one, but that doesn't prevent a network from running different rings with different vendors, as they all provide similar performance.

> When you say L2VPN, you mean point-to-point? What about multipoint e.g. VPLS? It's difficult to see how you could avoid MAC learning in a multipoint case.
>
> ...which is one reason I prefer L3VPNs, but there's a market for L2VPN.

I second that.

Rubens

From Chris.Kilian at aolbb.co.uk Wed Jul 23 12:38:50 2008
From: Chris.Kilian at aolbb.co.uk (Chris Kilian)
Date: Wed, 23 Jul 2008 17:38:50 +0100
Subject: [c-nsp] Port-Channel Setup Issues
Message-ID: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA7D@SGBS201V1.CPWBB.LOCAL>

Hi All

I am trying to set up a 4 port port-channel between a Cisco 7609 and a Cisco ME3400. Despite various attempts to complete this I keep running into the same issue: although the physical ports come up, the Port-channel won't at all; looking at the port channel itself, it remains in a down/down status on the 7609.

The ME3400 is set up with the physical interfaces as follows.
inter Fa0/1
 switchport access vlan xxx
 switchport mode dot1q-tunnel
 speed 100
 duplex full
 channel-group 1 mode on

The 7609 is set up as follows.

interface Port-channel1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan xxx
 switchport mode trunk
 mtu 9216
 no ip address
 load-interval 30
end

Anyone got any ideas?

From dcp at dcptech.com Wed Jul 23 13:57:28 2008
From: dcp at dcptech.com (David Prall)
Date: Wed, 23 Jul 2008 13:57:28 -0400
Subject: [c-nsp] Port-Channel Setup Issues
In-Reply-To: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA7D@SGBS201V1.CPWBB.LOCAL>
References: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA7D@SGBS201V1.CPWBB.LOCAL>
Message-ID: <00c301c8eced$95775850$1bfe200a@cisco.com>

What does "int po1" look like on the ME3400? What do the physical interfaces look like on the 7600? The physical on the ME3400 is configured as an etherchannel without any negotiation; if the other side is configured any other way it won't come up.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Kilian
> Sent: Wednesday, July 23, 2008 12:39 PM
> To: 'cisco-nsp at puck.nether.net'
> Subject: [c-nsp] Port-Channel Setup Issues
>
> Hi All
>
> I am trying to set up a 4 port port-channel between a Cisco 7609 and a Cisco ME3400. Despite various attempts to complete this I keep running into the same issue: although the physical ports come up, the Port-channel won't at all; looking at the port channel itself, it remains in a down/down status on the 7609.
>
> The ME3400 is set up with the physical interfaces as follows.
>
> inter Fa0/1
>  switchport access vlan xxx
>  switchport mode dot1q-tunnel
>  speed 100
>  duplex full
>  channel-group 1 mode on
>
> The 7609 is set up as follows.
>
> interface Port-channel1
>  switchport
>  switchport trunk encapsulation dot1q
>  switchport trunk allowed vlan xxx
>  switchport mode trunk
>  mtu 9216
>  no ip address
>  load-interval 30
> end
>
> Anyone got any ideas?
From shane at castlepoint.net Wed Jul 23 14:10:12 2008
From: shane at castlepoint.net (Shane Amante)
Date: Wed, 23 Jul 2008 12:10:12 -0600
Subject: [c-nsp] REP
In-Reply-To: <6bb5f5b10807230916w6f0fd5f0l30de3d9f0dab923f@mail.gmail.com>
References: <48863462.3060107@justinshore.com> <6bb5f5b10807221414m1d415837t3dac1ba353da7943@mail.gmail.com> <20080723065555.GZ1231@greenie.muc.de> <20080723.144309.74742302.sthaug@nethelp.no> <48873844.7080605@justinshore.com> <48874633.5090003@imperial.ac.uk> <6bb5f5b10807230916w6f0fd5f0l30de3d9f0dab923f@mail.gmail.com>
Message-ID: <48877404.2060706@castlepoint.net>

Rubens,

Rubens Kuhl Jr. wrote:
> Also in the market, Allied Telesis has EPSR or something like that. It would be a Good Thing if all those Ethernet ring protocols were replaced by a standard one,

Fortunately, there is hope in this regard. Take a look at ITU G.8032. There are a number of vendors that are already in the process of implementing this. It would be good if people find value in it to "encourage" their particular vendors to implement it as well. This would help SP's move away from the proprietary ring protection protocols like: Extreme EAPS, Foundry's MRP, Force10's FRRP, Cisco's REP, etc. (When you have at least 4 different vendors doing nearly the same thing in incompatible ways, it's surprising there isn't a standard).

It should be noted that the above is the first "version" of G.8032. Take a look at p. 13 in that URL for planned enhancement to future revisions of G.8032.

-shane

> but that doesn't prevent a network from running different rings with different vendors, as they all provide similar performance.
From SPfister at dps.k12.oh.us Wed Jul 23 14:34:33 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 23 Jul 2008 14:34:33 -0400
Subject: [c-nsp] Renaming interfaces on a PIX 525
Message-ID: <48874178.9E6F.00B8.0@dps.k12.oh.us>

We have a pair of PIX 525s (active/standby), and the 2900 switch they're attached to is going to be replaced very shortly. The outside interface, which is currently Ethernet0, will then be moved to GigabitEthernet1. What's the best way to do this? Can I just rename the Ethernet0 interface to outside.old, and rename the GigabitEthernet interface to outside, then move the ip addressing? Will that work?

Thanks!

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From maddison at iquest.net Wed Jul 23 15:24:13 2008
From: maddison at iquest.net (Matt Addison)
Date: Wed, 23 Jul 2008 15:24:13 -0400
Subject: [c-nsp] Cisco 6500 Chassis PDU
In-Reply-To:
References: <4886297E.9060002@osu.edu> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00DC4@tiger.deltadentalwa.com>
Message-ID:

> Relying on a breaker in another room, that someone else might flip without your knowledge, seems like a recipe for getting hurt. Does anyone actually do this?

We do this in our telco room, but it's only a few hundred sf and the BDFB is under 40' away from any direct connected equipment (and on the same aisle) - although we are in the process of replacing these with FAPs to save fuse positions on the BDFB (since we'd really rather not have to add another main distribution panel onto a live DC bus...)
In any case, it's not that much different than what AC electricians have to deal with, since most of the time your switchboard/panelboard isn't in the same room as the equipment you're working on; just deal with it the same way they do, by locking/tagging out the circuit while you're working on it. Hell, even if it's same-rack work you should probably do this, lest you step away for a few minutes and some other guy comes along and says "oh, fuse popped out with no tag, let me just stick that back in..."

~Matt

From mathias.spoerr at at.ibm.com Wed Jul 23 16:40:18 2008
From: mathias.spoerr at at.ibm.com (Mathias Spoerr)
Date: Wed, 23 Jul 2008 22:40:18 +0200
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To: <48874178.9E6F.00B8.0@dps.k12.oh.us>
References: <48874178.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

Hello Steve,

if I remember correctly -> when you rename the interface, then also the related config parts, where the interface name is used, are changed.

Regards,
Mathias

From: "Steven Pfister"
To:
Date: 23.07.2008 20:39
Subject: [c-nsp] Renaming interfaces on a PIX 525

We have a pair of PIX 525s (active/standby), and the 2900 switch they're attached to is going to be replaced very shortly. The outside interface, which is currently Ethernet0, will then be moved to GigabitEthernet1. What's the best way to do this? Can I just rename the Ethernet0 interface to outside.old, and rename the GigabitEthernet interface to outside, then move the ip addressing? Will that work?

Thanks!

--Steve

From jeff-kell at utc.edu Wed Jul 23 16:50:49 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 23 Jul 2008 16:50:49 -0400
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To:
References: <48874178.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <488799A9.6040208@utc.edu>

Mathias Spoerr wrote:
> Hello Steve,
>
> if I remember correctly -> when you rename the interface, then also the related config parts, where the interface name is used, are changed.

Keep a good backup of the config just in case, especially if you're talking about trying this with PDM/ASDM. They don't "rename"/"change" very well, they really try to delete/re-add, and the delete part deletes all associated configuration references to the original.

Jeff

From SPfister at dps.k12.oh.us Wed Jul 23 16:59:32 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Wed, 23 Jul 2008 16:59:32 -0400
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To: <488799A9.6040208@utc.edu>
References: <48874178.9E6F.00B8.0@dps.k12.oh.us> <488799A9.6040208@utc.edu>
Message-ID: <48876373.9E6F.00B8.0@dps.k12.oh.us>

I think I'm probably going to do this from the command line. Would I be able to have two interfaces marked as outside? Do something like:

int gig1
 nameif outside
 security-level 0
int eth0
 nameif old.outside
 security-level 6
 no ip address
int gig1
 ip address
 standby

(after backing up the config, of course...)

Thanks!

Steve Pfister

>>> Jeff Kell 7/23/2008 4:50 PM >>>
Mathias Spoerr wrote:
> Hello Steve,
>
> if I remember correctly -> when you rename the interface, then also the related config parts, where the interface name is used, are changed.

Keep a good backup of the config just in case, especially if you're talking about trying this with PDM/ASDM. They don't "rename"/"change" very well, they really try to delete/re-add, and the delete part deletes all associated configuration references to the original.

Jeff

From mksmith at adhost.com Wed Jul 23 17:18:11 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Wed, 23 Jul 2008 14:18:11 -0700
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To: <48874178.9E6F.00B8.0@dps.k12.oh.us>
References: <48874178.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <17838240D9A5544AAA5FF95F8D520316045EF666@ad-exh01.adhost.lan>

Hello Steven:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Wednesday, July 23, 2008 11:35 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Renaming interfaces on a PIX 525
>
> We have a pair of PIX 525s (active/standby), and the 2900 switch they're attached to is going to be replaced very shortly. The outside interface, which is currently Ethernet0, will then be moved to GigabitEthernet1. What's the best way to do this?
> Can I just rename the Ethernet0 interface to outside.old, and rename the GigabitEthernet interface to outside, then move the ip addressing? Will that work?
>

You will have to rename the Ethernet interface first, which will break a lot of stuff, then name the Gigabit Ethernet interface, which will *not* un-break anything. After you change the name you will have to do the following:

1) Reenter your statics (they will go away when you un-name E0)
2) Re-apply your access-group command for any ACL's your outside ACL
3) Re-enter any admin outside access (ssh, http, etc.)
4) Re-apply your global statement if used.
5) Clear ARP on your upstream device(s).

Make sure you have a backup and that you're doing this from either console or the inside network.

Regards,

Mike

From lists at hojmark.org Wed Jul 23 17:19:28 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 23 Jul 2008 23:19:28 +0200
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
References: <200807180242.14631.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com>
Message-ID: <4B63426A1BCD43979AD91469CB7AD3B2@hojmark.net>

> r(config)#router isis
> r(config-router)#ignore-attached-bit
> r(config-router)#

When/why would you want to do that?
-A

From svemulap at cisco.com Wed Jul 23 17:42:16 2008
From: svemulap at cisco.com (Shankar Vemulapalli (svemulap))
Date: Wed, 23 Jul 2008 14:42:16 -0700
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <4B63426A1BCD43979AD91469CB7AD3B2@hojmark.net>
References: <200807180242.14631.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com> <4B63426A1BCD43979AD91469CB7AD3B2@hojmark.net>
Message-ID: <70BC84B185C3EE448EDB7AB8956D3B0E0611A49A@xmb-sjc-234.amer.cisco.com>

Asbjorn -

This is useful in the case of L2-->L1 Route-Leaking where you *may* not want the L1-Router to use its default to point to the L1L2 router and have the L1L2 end up dropping the traffic. With Route-Leaking, the L1-Router does get the specific routes. This way, for any traffic that L1 doesn't know, it will drop it itself rather than sending it to L1L2 and then L1L2 dropping it.

Hope it is clear.

-Shankar

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists
Sent: Wednesday, July 23, 2008 2:19 PM
To: Oliver Boehmer (oboehmer); mtinka at globaltransit.net
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IS-IS: Ignore Attached Bit

> r(config)#router isis
> r(config-router)#ignore-attached-bit
> r(config-router)#

When/why would you want to do that?

-A

From danletkeman at gmail.com Wed Jul 23 18:12:15 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Wed, 23 Jul 2008 17:12:15 -0500
Subject: [c-nsp] combining multiple dsl lines
In-Reply-To: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net>
References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net>
Message-ID:

The adsl connections are PPPoE and they do not support multilink.
I am using nat on the router as well.

I guess I will stick with route-maps for now as I know how to configure it and it works well in this configuration.

Thanks for the info!
Dan.

On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele wrote:
> Depends a lot on the adsl connections, are they ppp? does the remote end support multilink? if so then multilink ppp is a good option providing all 4 lines are the same characteristics.
>
> Otherwise other options are cef load balancing, what type will depend on whether you are using NAT or not as you want to make sure the packet flow takes the right path, load balancing using the source/dest port algorithm works quite well though, probably wouldn't recommend per packet over adsl.
>
> The route-map way is ok but wouldn't utilise the links as well as cef load balancing or ppp multilink could.
>
> Another option worth throwing in is the use of ip sla on your routes so as to remove them from the equation should one link go down, can also be done with the route-map using verify-availability on the next-hop option.
>
> Ben
>
> On 23/07/2008, at 1:39 PM, Dan Letkeman wrote:
>
>> I have a customer that is wanting to combine 4 adsl connections through one router. In the past I have set up systems where I have taken groups of ip's from the internal network and have route-map'd them to different adsl connections. Is there a way to "combine" the dsl connections or is using route-maps still the better way to go?
>>
>> Thanks,
>> Dan.

From justin at justinshore.com Wed Jul 23 19:06:40 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 23 Jul 2008 16:06:40 -0700
Subject: [c-nsp] uRPF and IPSec SPA compatibility issues?
Message-ID: <4887B980.2000108@justinshore.com>

I enabled uRPF on a couple SVIs on our 7600s last week remotely while in training. I was trying to track down some RFC 1918 traffic leaking into our network between lectures. I was going to use an ACL with an explicit deny w/ log-input to locate it. One of the SVIs was for one of our SP server farms. The other was connected to a pair of ASAs for our corporate LAN. Incidentally I never found the source of the traffic and was distracted by more important things. I did not remove the uRPF config because it was something I forgot to add during the deployment and as an access edge interface it really should be there. The uRPF config is simple:

Late in the week I got a report that an internal admin couldn't access devices in our data center via VPN. VPN connections terminate on the same 7600s using IPSec SPAs running in VRF mode. The DC devices that he was trying to access were in a management VRF downstream from the 7600s in the DC itself. All L3 interfaces in the 7600s have been explicitly configured with the 'crypto engine slot' command and outside. Specifically:

crypto engine slot 3/0 outside

From justin at justinshore.com Wed Jul 23 19:23:24 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 23 Jul 2008 16:23:24 -0700
Subject: [c-nsp] uRPF and IPSec SPA compatibility issues? part 2
Message-ID: <4887BD6C.1080601@justinshore.com>

Whoops. I somehow told Thunderbird to send the message (ctrl-enter I think) and couldn't find a way to stop it. Here's the uRPF config:

ip verify unicast source reachable-via rx 150

ACL 150 has a permit for DHCP traffic and a deny any w/ log-input for everything else.

So I was troubleshooting the problem today, now that I'm back in the office. I could VPN in and successfully authenticate. I got the expected routes and everything looked fine. However I couldn't ping anything.
Looking at the IPSec counters on the primary 7600 showed 0 packets in or out and no errors for my VPN connection. I assumed that the IPSec SPA was hosed again and in need of some TLC with a hammer, but before I reset it I thought I'd look for another possible cause. Looking back through my RANCID logs, the only thing that changed on the 7600s last week prior to Friday (problem was reported Thursday) was the uRPF changes I made. I couldn't imagine that being the cause but for grins I decided to try it anyway. I removed the uRPF config from the corporate LAN SVI and ping across my connected VPN session started working instantly.

I cannot for the life of me figure out why uRPF was causing the packets to be dropped. The verification drop counters were incrementing so I think it's safe to assume that this is where the traffic went.

Actually I can think of a possible cause. What is the order of operation for processing frames coming in a SVI when crypto is configured on the interface? If the IPSec payload was decrypted first and then the packets were placed back in the interface's buffer to be run through the uRPF checks, then the decrypted payload is what uRPF would see and in that case it should drop the packets. My understanding of the IPSec SPAs running in VRF mode is that uRPF and all the other normal interface actions (QoS, netflow, ACLs, etc) would happen and then the encrypted packets would be sent over to the ingress interface of the IPSec SPA for processing. Coming out the backside of the SPA the traffic would be dropped into the appropriate inside VPN VLAN that's associated with the VRF in question. That's how I thought it was supposed to work but clearly that's not what's happening, or I'm missing something.

Any thoughts? We're nearing the end of our SmartNet renewal process so next week I should be able to ask TAC. I thought I'd check here first.
Thanks Justin From ben.steele at internode.on.net Wed Jul 23 19:37:11 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Thu, 24 Jul 2008 09:07:11 +0930 Subject: [c-nsp] combining multiple dsl lines In-Reply-To: References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net> Message-ID: If you really want to use route-maps to force your traffic down a certain interface at least use it with verify-availability in case your hop goes down so you have a back up path, no point forcing traffic down a dsl line that has died. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html ----- Original Message ----- From: "Dan Letkeman" To: "Ben Steele" ; Sent: Thursday, July 24, 2008 7:42 AM Subject: Re: [c-nsp] combining multiple dsl lines > The adsl connections are PPPoE and they do not support multilink. I > am using nat on the router as well. > > I guess I will stick with route-map's for now as I know how to > configure it and it works well in this configuration. > > Thanks for the info! > Dan. > > On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele > wrote: >> Depends a lot on the adsl connections, are they ppp ? does the remote end >> support multilink? if so then multilink ppp is a good option providing >> all 4 >> lines are the same characteristics. >> >> Otherwise other options are cef load balancing, what type will depend on >> whether you are using NAT or not as you want to make sure the packet flow >> takes the right path, load balancing using the source/dest port algorithm >> works quite well though, probably wouldn't recommend per packet over >> adsl. >> >> The route-map way is ok but wouldn't utilise the links as well as cef >> load >> balancing or ppp multilink could. >> >> Another option worth throwing in is the use of ip sla on your routes so >> as >> to remove them from the equation should one link go down, can also be >> done >> with the route-map using verify-availability on the next-hop option.
>> >> Ben >> >> On 23/07/2008, at 1:39 PM, Dan Letkeman wrote: >> >>> I have a customer that is wanting to combine 4 adsl connection through >>> one router. In the past I have setup systems where I have taken >>> groups of ip's from the internal network and have route-map'd them to >>> different adsl connections. Is there a way to "combine" the dsl >>> connections or is using route-map's still the better way to go? >>> >>> Thanks, >>> Dan. >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > From justin at justinshore.com Wed Jul 23 19:44:34 2008 From: justin at justinshore.com (Justin Shore) Date: Wed, 23 Jul 2008 16:44:34 -0700 Subject: [c-nsp] Renaming interfaces on a PIX 525 In-Reply-To: <17838240D9A5544AAA5FF95F8D520316045EF666@ad-exh01.adhost.lan> References: <48874178.9E6F.00B8.0@dps.k12.oh.us> <17838240D9A5544AAA5FF95F8D520316045EF666@ad-exh01.adhost.lan> Message-ID: <4887C262.40207@justinshore.com> Michael K. Smith - Adhost wrote: > You will have to rename the Ethernet interface first, which will break a lot of stuff, then name the Gigabit Ethernet interface, which will *not* un-break anything. After you change the name you will have to do the following: > > 1) Reenter your statics (they will go away when you un-name E0) > 2) Re-apply your access-group command for any ACL's your outside ACL > 3) Re-enter any admin outside access (ssh, http, etc.) > 4) Re-apply your global statement if used. > 5) Clear ARP on your upstream device(s). > > Make sure you have a backup and that you're doing this from either console or the inside network. Steven, These guys pretty much summed it up already. Renaming an interface on a PIX/ASA sucks. I've been bit by this before too, only I didn't have the opportunity to ask if the PIX would freak out before I made the change. 
An hour later I had everything working again. I've made the feature request before for a simple way to change interface names but there hasn't been enough demand for it to warrant the work I'm afraid. You would think it would be a fairly easy thing to implement though. Michael's list is right on. The only commands that I can think of that are missing from his list are mtu, ip verify, & crypto isakmp enable. Basically every single instance of the word "outside" in the config with the exception of ACL remarks, object-groups, and names (ie, instances that aren't CLI elements that require an interface name but are more textual in nature) will have to be re-entered. You might be thinking that you can simply download a copy of the startup-config to a tftp server, modify it and upload it back over top of the startup-config (or running-config). First off I can't remember where the startup-config is located on the PIX/ASAs or if it can be accessed. Second, copying over top of the running-config merges the configs together. You won't get the desired results. In theory you could load all of your changes into a config file beginning with all the no's to all the statics and whatnot and follow that up with the new config. Then when you do the tftp merge you should get what you want, I think. I never found a quick way to modify the config. If you could delete the config, reload and paste modified config back in via the console then that would be the fastest. Good luck. Justin From danletkeman at gmail.com Wed Jul 23 19:46:23 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Wed, 23 Jul 2008 18:46:23 -0500 Subject: [c-nsp] combining multiple dsl lines In-Reply-To: References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net> Message-ID: Yes, I have done that before and it works well. Thanks Dan. 
On Wed, Jul 23, 2008 at 6:37 PM, Ben Steele wrote: > If you really want to use route-maps to force your traffic down a certain > interface at least use it with verify-availability in case your hop goes down > so you have a back up path, no point forcing traffic down a dsl line that > has died. > > http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtpbrtrk.html > > > ----- Original Message ----- From: "Dan Letkeman" > To: "Ben Steele" ; > Sent: Thursday, July 24, 2008 7:42 AM > Subject: Re: [c-nsp] combining multiple dsl lines > > >> The adsl connections are PPPoE and they do not support multilink. I >> am using nat on the router as well. >> >> I guess I will stick with route-map's for now as I know how to >> configure it and it works well in this configuration. >> >> Thanks for the info! >> Dan. >> >> On Tue, Jul 22, 2008 at 11:18 PM, Ben Steele >> wrote: >>> >>> Depends a lot on the adsl connections, are they ppp ? does the remote end >>> support multilink? if so then multilink ppp is a good option providing >>> all 4 >>> lines are the same characteristics. >>> >>> Otherwise other options are cef load balancing, what type will depend on >>> whether you are using NAT or not as you want to make sure the packet flow >>> takes the right path, load balancing using the source/dest port algorithm >>> works quite well though, probably wouldn't recommend per packet over >>> adsl. >>> >>> The route-map way is ok but wouldn't utilise the links as well as cef >>> load >>> balancing or ppp multilink could. >>> >>> Another option worth throwing in is the use of ip sla on your routes so >>> as >>> to remove them from the equation should one link go down, can also be >>> done >>> with the route-map using verify-availability on the next-hop option. >>> >>> Ben >>> >>> On 23/07/2008, at 1:39 PM, Dan Letkeman wrote: >>> >>>> I have a customer that is wanting to combine 4 adsl connection through >>>> one router.
In the past I have setup systems where I have taken >>>> groups of ip's from the internal network and have route-map'd them to >>>> different adsl connections. Is there a way to "combine" the dsl >>>> connections or is using route-map's still the better way to go? >>>> >>>> Thanks, >>>> Dan. >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >> > > From ben.steele at internode.on.net Wed Jul 23 19:47:07 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Thu, 24 Jul 2008 09:17:07 +0930 Subject: [c-nsp] combining multiple dsl lines In-Reply-To: <3044d0930807230337i6473cd09obad063938df2bec3@mail.gmail.com> References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net> <3044d0930807230337i6473cd09obad063938df2bec3@mail.gmail.com> Message-ID: You're still going to need something on the CPE side to detect a failed route unless you plan on running a routing protocol to your customers, I won't bother going into the Linux side of things seeing as this is a Cisco list but in my experience per-packet is only good if the lines are really well matched or you don't plan on running any/much real-time traffic over it, ie voip, unfortunately with the nature of dsl and its vulnerability to weather and various other nasties in your last mile copper run things just have too many variables for me to consider it a reliable implementation for someone planning to use it with per-packet and real time traffic where out of order packets can become a problem. Good to hear you are having success with it though. > > We have used cef per packet with great success on PPPoA DSL links here > in the UK, we use radius to add/remove the extra routes when a > connection bounces. The CPE is a linux box which is not running any > NAT.
Works for us > > > Wayne > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From john at vanoppen.com Wed Jul 23 20:22:14 2008 From: john at vanoppen.com (John van Oppen) Date: Wed, 23 Jul 2008 17:22:14 -0700 Subject: [c-nsp] combining multiple dsl lines References: <04BF76FE-6621-4B1C-9AD1-8D70A864417B@internode.on.net><3044d0930807230337i6473cd09obad063938df2bec3@mail.gmail.com> Message-ID: We use per-packet all the time, in our experience the lines tend to all degrade together since the degradation seems to be in the building trunk or off somewhere in the ATM cloud on the provider (qwest in this case)... We do also run eBGP with private ASNs to all customers who have multiple links as well to detect failed lines. That being said, it sounded like the original requester did not have control of both ends of the line which makes most real solutions a bit moot. 
John van Oppen Spectrum Networks LLC 206.973.8302 (Direct) 206.973.8300 (main office) -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele Sent: Wednesday, July 23, 2008 4:47 PM To: Wayne Lee; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] combining multiple dsl lines You're still going to need something on the CPE side to detect a failed route unless you plan on running a routing protocol to your customers, I won't bother going into the Linux side of things seeing as this is a Cisco list but in my experience per-packet is only good if the lines are really well matched or you don't plan on running any/much real-time traffic over it, ie voip, unfortunately with the nature of dsl and its vulnerability to weather and various other nasties in your last mile copper run things just have too many variables for me to consider it a reliable implementation for someone planning to use it with per-packet and real time traffic where out of order packets can become a problem. Good to hear you are having success with it though. > > We have used cef per packet with great success on PPPoA DSL links here > in the UK, we use radius to add/remove the extra routes when a > connection bounces. The CPE is a linux box which is not running any > NAT.
Works for us > > > Wayne > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dhooper at emerge.net.au Wed Jul 23 20:52:04 2008 From: dhooper at emerge.net.au (Daniel Hooper) Date: Thu, 24 Jul 2008 08:52:04 +0800 Subject: [c-nsp] combining multiple dsl lines In-Reply-To: References: Message-ID: www.cisco.com/go/oer ios performance routing as it's known now might work for you -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman Sent: Wednesday, 23 July 2008 12:10 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] combining multiple dsl lines I have a customer that is wanting to combine 4 adsl connection through one router. In the past I have setup systems where I have taken groups of ip's from the internal network and have route-map'd them to different adsl connections. Is there a way to "combine" the dsl connections or is using route-map's still the better way to go? Thanks, Dan. 
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jeff-kell at utc.edu Wed Jul 23 21:29:57 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 23 Jul 2008 21:29:57 -0400
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To: <4887C262.40207@justinshore.com>
References: <48874178.9E6F.00B8.0@dps.k12.oh.us> <17838240D9A5544AAA5FF95F8D520316045EF666@ad-exh01.adhost.lan> <4887C262.40207@justinshore.com>
Message-ID: <4887DB15.4090607@utc.edu>

Justin Shore wrote:
> You might be thinking that you can simply download a copy of the
> startup-config to a tftp server, modify it and upload it back over top
> of the startup-config (or running-config). First off I can't remember
> where the startup-config is located on the PIX/ASAs or if it can be
> accessed.

It can be done on an ASA by copying the new configuration to a different filename in flash, and issuing a 'boot config flash:filename' directive to the current config. Not sure if the PIX supports this convention.

Jeff

From jimmy at pacnet.net Wed Jul 23 21:55:11 2008
From: jimmy at pacnet.net (Jimmy Halim)
Date: Thu, 24 Jul 2008 09:55:11 +0800
Subject: [c-nsp] unable to ping from some source IP
In-Reply-To: <207A8FA83882D643BDA4398E6365CDDB025C3F97@W3HKEXCHVS1.asianetcom.com>
References: <207A8FA83882D643BDA4398E6365CDDB025C3F97@W3HKEXCHVS1.asianetcom.com>
Message-ID: <01c501c8ed30$4eee91d0$6e05820a@asianetcom.com>

Hi guys,

I have a very strange issue encountered. I am not able to ping to one of customer's WAN IP (203.192.163.162) from some source IP. I am 100% sure that there is nothing filtering it from our side. Anything wrong prohibiting it from the customer router's config below?

Cheers,
Jimmy

------------------------------------------------------------------------
Current configuration : 1340 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime localtime
service password-encryption
!
hostname PAC_3640
!
no logging rate-limit
no logging monitor
!
clock timezone gmt 8
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
!
call rsvp-sync
!
!
!
interface FastEthernet1/0
 ip address 122.152.143.225 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no keepalive
 speed 100
 full-duplex
 no cdp enable
!
interface Serial1/0 ----------------------> WAN Interface
 bandwidth 2048
 ip address 203.192.163.162 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 fair-queue
 no cdp enable
!
no ip classless
ip route 0.0.0.0 0.0.0.0 203.192.163.161
no ip http server
!
no cdp run
!
dial-peer cor custom
---------------------------------------------------------------------------

From chris.garzon at gmail.com Wed Jul 23 22:31:42 2008
From: chris.garzon at gmail.com (Dracul)
Date: Thu, 24 Jul 2008 10:31:42 +0800
Subject: [c-nsp] Cisco WLC 4404 Snmp problems
Message-ID: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com>

Hi list,

Anyone encountered not being able to get SNMP data from a Cisco WLC 4404? I got no response when I do:

[10:18:31 root at TEST1>~]# snmpwalk -v 2c 192.168.1.2 -c public
Timeout: No Response from 192.168.1.2

all snmp settings are activated via web config, all versions are enabled. When I did a similar query in one of my switches I get the response I need.

[10:18:40 root at TEST1>~]# snmpwalk -v 2c 192.168.1.253 -c public
SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 22-Feb-07 14:40 by myl
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.564
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (68954835) 7 days, 23:32:28.35
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: Switch
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 6
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 55
IF-MIB::ifIndex.1 = INTEGER: 1
IF-MIB::ifIndex.5 = INTEGER: 5
IF-MIB::ifIndex.10001 = INTEGER: 10001
----> SNIP <-------------

Any IDeas?

regards,
Chris

From lmeade at signal.ca Thu Jul 24 00:13:04 2008
From: lmeade at signal.ca (Leslie Meade)
Date: Wed, 23 Jul 2008 21:13:04 -0700
Subject: [c-nsp] 6509e upgrades to native ios
Message-ID:

I have been reading and following the following document for upgrading from cat os to native ios

http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml#conv_32

I am stuck at reloading the router, I get this error (I am consoled into the console port on the sup 32)

Router#reload
Reload to the ROM monitor only allowed from console line unless the configuration register boot bits are non-zero

I do a sh bootvar and it shows me

Router#sh bootvar
BOOT variable = c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin,1;
CONFIG_FILE variable =
BOOTLDR variable =
Configuration register is 0x2102 (will be 0x0 at next reload)

How do I reload the sup32? If I reset the config-register back to 0x2102 I am allowed to reload it...

Any ideas ??

From uri at tomsknet.ru Wed Jul 23 23:43:09 2008
From: uri at tomsknet.ru (Yuri Selivanov)
Date: Thu, 24 Jul 2008 10:43:09 +0700
Subject: [c-nsp] unable to ping from some source IP
In-Reply-To: <01c501c8ed30$4eee91d0$6e05820a@asianetcom.com>
References: <207A8FA83882D643BDA4398E6365CDDB025C3F97@W3HKEXCHVS1.asianetcom.com> <01c501c8ed30$4eee91d0$6e05820a@asianetcom.com>
Message-ID: <20080724034309.GA43166@oit.tomsknet.ru>

Hi!
> Hi guys,
>
> I have a very strange issue encountered.
> I am not able to ping to one of customer's WAN IP (203.192.163.162) from
> some source IP.
> I am 100% sure that is nothing filtering it from our side.
> Anything wrong prohibiting it from below customer router's config?

Your customer uses *classful* routing (no ip classless), so when the router tries to forward icmp responses back to your host it DOES NOT consider the default route *if* your host's ip_addr belongs to 203.192.163/24 or 122/8.

> Cheers,
> Jimmy
>
> ------------------------------------------------------------------------
> Current configuration : 1340 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug datetime
> service timestamps log datetime localtime
> service password-encryption
> !
> hostname PAC_3640
> !
> no logging rate-limit
> no logging monitor
> !
> clock timezone gmt 8
> ip subnet-zero
> !
> !
> no ip finger
> no ip domain-lookup
> !
> call rsvp-sync
> !
> !
> !
> interface FastEthernet1/0
>  ip address 122.152.143.225 255.255.255.224
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  no keepalive
>  speed 100
>  full-duplex
>  no cdp enable
> !
> interface Serial1/0 ----------------------> WAN Interface
>  bandwidth 2048
>  ip address 203.192.163.162 255.255.255.252
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  fair-queue
>  no cdp enable
> !
> no ip classless
> ip route 0.0.0.0 0.0.0.0 203.192.163.161
> no ip http server
> !
> no cdp run
> !
> dial-peer cor custom
>
> ---------------------------------------------------------------------------
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Best Regards,
Yuri Selivanov -- [URI2-RIPE]

From spinthiras.mario at gmail.com Thu Jul 24 03:07:31 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Thu, 24 Jul 2008 10:07:31 +0300
Subject: [c-nsp] Port-Channel Setup Issues
In-Reply-To: <00c301c8eced$95775850$1bfe200a@cisco.com>
References: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA7D@SGBS201V1.CPWBB.LOCAL> <00c301c8eced$95775850$1bfe200a@cisco.com>
Message-ID: <4f890e580807240007s31ef8f3bma965ac81426d0b71@mail.gmail.com>

I would like to see both (physical) ports' configuration, and I would also like to see a summary of your etherchannels (show etherchannel 1 summary). Did you set both modes on both physical interfaces to on? Are you doing PAgP on both? I would suggest LACP (channel-protocol lacp). I also notice you have a jumbo frame MTU on your port channel interface. Note that I have had trouble with MTUs + aggregated interfaces. You must have the same physical characteristics on all physical ports to be able to bring the link up. I can only assume a lot now since you have to post the command output I need.

Regards,
Mario

From spinthiras.mario at gmail.com Thu Jul 24 03:15:25 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Thu, 24 Jul 2008 10:15:25 +0300
Subject: [c-nsp] Cisco WLC 4404 Snmp problems
In-Reply-To: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com>
References: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com>
Message-ID: <4f890e580807240015s44cd7d26yaf418953ce797367@mail.gmail.com>

Plenty to be honest. Paste a "show run | sec snmp". Do you declare an ACL to protect snmp? Is the host you checked from authorized to access snmp?
Is snmp configured correctly? Regards, Mario From serge.devorop at gmail.com Thu Jul 24 04:30:36 2008 From: serge.devorop at gmail.com (Sergey Voropaev) Date: Thu, 24 Jul 2008 12:30:36 +0400 Subject: [c-nsp] Network Management System for ip-multicast at layer 2 Message-ID: Salute guys! Could anyone advise an NMS for monitoring an ip multicast network at L3 devices such as routers and also at L2 igmp-snooping enabled switches? The main purpose for example is to draw a network diagram for a particular mcast group including all sources and receivers, and sources and receivers must be drawn with details of the switches' ports these nodes belong to. I already tried Cisco Multicast Manager and CA Spectrum. But these products do not understand igmp snooping and cannot parse IGMP information from L2 switches. From spinthiras.mario at gmail.com Thu Jul 24 05:37:02 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Thu, 24 Jul 2008 12:37:02 +0300 Subject: [c-nsp] Network Management System for ip-multicast at layer 2 In-Reply-To: References: Message-ID: <4f890e580807240237i55d9c0e0ub591af343ccac655@mail.gmail.com> I am not aware of specific NMSs that do this but a best bet would be to explore Zenoss which might be able to help you out with their zenpack plugins and a few external binaries. Regards, Mario. On Thu, Jul 24, 2008 at 11:30 AM, Sergey Voropaev wrote: > Salute guys! > > Could anyone advise an NMS for monitoring an ip multicast network at L3 > devices such as routers and also at L2 igmp-snooping enabled switches? > The main purpose for example is to draw a network diagram for a particular > mcast group including all sources and receivers, and sources and > receivers must be drawn with details of the switches' ports these nodes > belong to. I already tried Cisco Multicast Manager and CA Spectrum. > But these products do not understand igmp snooping and cannot > parse IGMP information from L2 switches.
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mathias.spoerr at at.ibm.com Thu Jul 24 05:53:00 2008 From: mathias.spoerr at at.ibm.com (Mathias Spoerr) Date: Thu, 24 Jul 2008 11:53:00 +0200 Subject: [c-nsp] Renaming interfaces on a PIX 525 In-Reply-To: <48876373.9E6F.00B8.0@dps.k12.oh.us> References: <48874178.9E6F.00B8.0@dps.k12.oh.us> <488799A9.6040208@utc.edu> <48876373.9E6F.00B8.0@dps.k12.oh.us> Message-ID: you cannot configure the same IP address on two interfaces, except one is shutdown. I would suggest the following procedure: * use a new name for the new outside interface, shut it down, and configure IP, name, sec level... * do a "show run | i outside" to see where the name of the outside interface is used (static, route...) * delete the config for the old outside interface and reconfigure the static, route, global... commands to the new interface name * if you want to have "outside" as name for the new interface, then rename it Mathias From: "Steven Pfister" To: Mathias Spoerr/Austria/IBM at IBMAT, "Jeff Kell" Cc: Date: 23.07.2008 23:01 Subject: Re: [c-nsp] Renaming interfaces on a PIX 525 I think I'm probably going to do this from the command line. Would I be able to have two interfaces marked as outside? Do something like: int gig1 nameif outside security-level 0 int eth0 nameif old.outside security-level 6 no ip address int gig1 ip address
standby

(after backing up the config, of course...)

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Jeff Kell 7/23/2008 4:50 PM >>>
Mathias Spoerr wrote:
> Hello Steve,
>
> when I remember correctly -> when you rename the interface, then also the
> related config parts, where the interface name is used, are changed.

Keep a good backup of the config just in case, especially if you're talking about trying this with PDM/ASDM. They don't "rename"/"change" very well, they really try to delete/re-add, and the delete part deletes all associated configuration references to the original.

Jeff

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From SPfister at dps.k12.oh.us Thu Jul 24 08:44:02 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 24 Jul 2008 08:44:02 -0400
Subject: [c-nsp] Renaming interfaces on a PIX 525
In-Reply-To:
References: <48874178.9E6F.00B8.0@dps.k12.oh.us> <488799A9.6040208@utc.edu> <48876373.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <488840D4.9E6F.00B8.0@dps.k12.oh.us>

I wasn't actually proposing to have the same ip address on two interfaces, but to take it off one before putting it on another.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> Mathias Spoerr 7/24/2008 5:53 AM >>> you cannot configure the same IP address on two interfaces, except one is shutdown. I would suggest the following procedure: * use a new name for the new outside interface, shut it down, and configure IP, name, sec level... * do a "show run | i outside" to see where the name of the outside interface is used (static, route...) * delete the config for the old outside interface and reconfigure the static, route, global... commands to the new interface name * if you want to have "outside" as name for the new interface, then rename it Mathias From: "Steven Pfister" To: Mathias Spoerr/Austria/IBM at IBMAT, "Jeff Kell" Cc: Date: 23.07.2008 23:01 Subject: Re: [c-nsp] Renaming interfaces on a PIX 525 I think I'm probably going to do this from the command line. Would I be able to have two interfaces marked as outside? Do something like: int gig1 nameif outside security-level 0 int eth0 nameif old.outside security-level 6 no ip address int gig1 ip address
standby (after backing up the config, of course...) Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> Jeff Kell 7/23/2008 4:50 PM >>> Mathias Spoerr wrote: > Hello Steve, > > when I remember correctly -> when you rename the interface, then also the > related config parts, where the interface name is used, are changed. Keep a good backup of the config just in case, especially if you're talking about trying this with PDM/ASDM. They don't "rename"/"change" very well, they really try to delete/re-add, and the delete part deletes all associated configuration references to the original. Jeff _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cchurc05 at harris.com Thu Jul 24 09:48:51 2008 From: cchurc05 at harris.com (Church, Charles) Date: Thu, 24 Jul 2008 08:48:51 -0500 Subject: [c-nsp] 6509e upgrades to native ios In-Reply-To: References: Message-ID: Did you get into the MSFC via 'switch con' or 'session'. I'm guessing session, since that's internal telnet. 
Try 'switch con' or 'switch con SLOT#' Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade Sent: Thursday, July 24, 2008 12:13 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 6509e upgrades to native ios I have been reading and following the following document for upgrading from cat os to native ios http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note 09186a008015bfa6.shtml#conv_32 I am stuck at reloading the router, I get this error ( I am consoled into the console port on the sup 32) Router#reload Reload to the ROM monitor only allowed from console line unless the configuration register boot bits are non-zero I do a sh bootvar and it shows me Router#sh bootvar BOOT variable = c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin,1; CONFIG_FILE variable = BOOTLDR variable = Configuration register is 0x2102 (will be 0x0 at next reload) How do I reload the sup32 ? If is reset the config-register back to 0X2102 I am allowed to reload it... Any ideas ?? _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From MatlockK at exempla.org Thu Jul 24 10:33:16 2008 From: MatlockK at exempla.org (Matlock, Kenneth L) Date: Thu, 24 Jul 2008 08:33:16 -0600 Subject: [c-nsp] Cisco WLC 4404 Snmp problems In-Reply-To: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com> References: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com> Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AF66A@LMC-MAIL2.exempla.org> Do you also have the community 'public' added into the 'communities' section (Management: SNMP: Communities), and the IP (and netmask) reflect the IP you are doing the query from? 
Say for example you want to allow queries in 'public' from 192.168.1.50, you can add that in as IP: 192.168.1.50 Netmask: 255.255.255.255 And that will ONLY allow SNMP queries in community 'public' from that 1 IP only. Adjust the IP and netmask to correspond to the netblock you are using for SNMP monitoring. Ken Matlock Network Analyst (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul Sent: Wednesday, July 23, 2008 8:32 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco WLC 4404 Snmp problems Hi list, Anyone encountered not able to get SNMP data from a Cisco WLC 4404? I got a no response when I do: [10:18:31 root at TEST1>~]# snmpwalk -v 2c 192.168.1.2 -c public Timeout: No Response from 192.168.1.2 all snmp settings are activated via web config, all versions are enabled. When I did a similar query in one of my switches I get the response I need. [10:18:40 root at TEST1>~]# snmpwalk -v 2c 192.168.1.253 -c public SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2) Copyright (c) 1986-2007 by Cisco Systems, Inc. Compiled Thu 22-Feb-07 14:40 by myl SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.564 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (68954835) 7 days, 23:32:28.35 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: Switch SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 6 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00 IF-MIB::ifNumber.0 = INTEGER: 55 IF-MIB::ifIndex.1 = INTEGER: 1 IF-MIB::ifIndex.5 = INTEGER: 5 IF-MIB::ifIndex.10001 = INTEGER: 10001 ----> SNIP <------------- Any IDeas? 
regards, Chris _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From digravin at umn.edu Thu Jul 24 11:07:21 2008 From: digravin at umn.edu (Frank DiGravina) Date: Thu, 24 Jul 2008 10:07:21 -0500 Subject: [c-nsp] control-plane policing Message-ID: <48889AA9.8040608@umn.edu> So, Since our soon-to-be-production router interfaces will be publicly exposed, we are considering using CoPP to mitigate that exposure. I have cobbled together a policy map, a set of class maps and corresponding access-lists. I am running on 7609s's using 122-33.SRB3. The issue I am having relates to BGP (re) establishment. BGP does not establish as it should, returns to an idle state and then finally transfers the correct route count. The peering interfaces in question are 10 gig ones. I have included the class-map for my critical traffic. See below: policy-map control-plane-in class cp-critical-in police 5000000 1000000 1000000 conform-action transmit exceed-action drop violate-action drop ip access-list extended cp-critical-in remark OSPF permit ospf host 146.57.252.130 any permit ospf host 146.57.252.141 any permit ospf host 146.57.252.150 any permit ospf host 146.57.252.165 any remark PIM permit pim host 146.57.252.130 any permit pim host 146.57.252.141 any permit pim host 146.57.252.150 any permit pim host 146.57.252.165 any remark IGMP permit igmp any 224.0.0.0 15.255.255.255 remark BGP permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq bgp permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq 646 <--- ldp deny ip any any Initially, I did not have a police statement for the above class map. And things did not work at all. This is apparently needed. Please see: http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dos.pdf Has anyone implemented CoPP successfully? Is the above configuration flawed? 
All recommendations are welcome. Thanks in advance for the responses! --F. -- Frank DiGravina University of Minnesota Networking & Telecommunications Network Operations Phone: 612-626-9074 Cell: 612-386-0449 E-Mail: digravin at umn.edu Helpline: 612-301-HELP From ian.mackinnon at lumison.net Thu Jul 24 11:18:27 2008 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Thu, 24 Jul 2008 16:18:27 +0100 Subject: [c-nsp] control-plane policing In-Reply-To: <48889AA9.8040608@umn.edu> References: <48889AA9.8040608@umn.edu> Message-ID: <48889D43.9000500@lumison.net> Hi Frank, check out http://aharp.ittns.northwestern.edu/papers/copp.html It says remark BGP permit tcp host [BGP neighbor addr] eq bgp host [local BGP addr] permit tcp host [BGP neighbor addr] host [local BGP addr] eq bgp i.e. source port = BGP as well as destination Frank DiGravina wrote: > So, > > Since our soon-to-be-production router interfaces will be publicly exposed, > we are considering using CoPP to mitigate that exposure. I have cobbled > together a policy map, a set of class maps and corresponding access-lists. > I am running on 7609s's using 122-33.SRB3. The issue I am having relates > to BGP (re) establishment. BGP does not establish as it should, returns > to an > idle state and then finally transfers the correct route count. The > peering interfaces in question > are 10 gig ones. I have included the class-map for my critical traffic. 
See > below: > > policy-map control-plane-in > class cp-critical-in > police 5000000 1000000 1000000 conform-action transmit exceed-action > drop violate-action drop > > ip access-list extended cp-critical-in > remark OSPF > permit ospf host 146.57.252.130 any > permit ospf host 146.57.252.141 any > permit ospf host 146.57.252.150 any > permit ospf host 146.57.252.165 any > remark PIM > permit pim host 146.57.252.130 any > permit pim host 146.57.252.141 any > permit pim host 146.57.252.150 any > permit pim host 146.57.252.165 any > remark IGMP > permit igmp any 224.0.0.0 15.255.255.255 > remark BGP > permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq bgp > permit tcp 146.57.252.0 0.0.0.255 146.57.252.0 0.0.0.255 eq 646 <--- ldp > deny ip any any > > Initially, I did not have a police statement for the above class map. > And things > did not work at all. This is apparently needed. Please see: > > http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/dos.pdf > > > Has anyone implemented CoPP successfully? Is the above configuration > flawed? > > All reccomendation are welcome. > > Thanks in advance for the responses! > > > --F. > 
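Ian's point about the source port, as an added Python model that is not the thread's or Cisco's code: it evaluates Frank's BGP entry against constructed packets from a neighbour in 146.57.252.0/24 and shows that replies in a session the local router opened (neighbour source port 179, local ephemeral port) fall through to the deny and out of the critical class until a source-port entry is added. The ephemeral port number, the packet fields and the implicit-deny handling are assumptions of the model.

```python
"""IOS-style extended ACL matching for a CoPP 'critical' class.

Added example, not Frank's or Ian's configuration: it models how an
extended ACL that only tests the destination port classifies BGP packets,
and why a second entry testing the source port is needed.
Addresses and ports below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BGP_PORT = 179


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One entry: 'permit tcp <net> <wild> <net> <wild> [eq <port>]'."""
    action: str
    proto: str
    src_net: str      # e.g. "146.57.252.0"
    src_wild: str     # e.g. "0.0.0.255" (IOS wildcard mask, 1 = don't care)
    dst_net: str
    dst_wild: str
    sport_eq: Optional[int] = None   # 'eq' placed after the source
    dport_eq: Optional[int] = None   # 'eq' placed after the destination


def wildcard_match(addr: str, net: str, wild: str) -> bool:
    """IOS wildcard semantics: compare only the bits that are 0 in the mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not wildcard_match(pkt.src, ace.src_net, ace.src_wild):
        return False
    if not wildcard_match(pkt.dst, ace.dst_net, ace.dst_wild):
        return False
    if ace.sport_eq is not None and pkt.sport != ace.sport_eq:
        return False
    if ace.dport_eq is not None and pkt.dport != ace.dport_eq:
        return False
    return True


def acl_action(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; IOS adds an implicit deny at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")
PEERS = ("146.57.252.0", "0.0.0.255")

# The BGP entry as posted: only the destination port is tested.
ORIGINAL_BGP_ACL = [
    Ace("permit", "tcp", *PEERS, *PEERS, dport_eq=BGP_PORT),
    Ace("deny", "ip", *ANY, *ANY),
]

# With the extra entry Ian quotes: the source port is tested as well.
FIXED_BGP_ACL = [
    Ace("permit", "tcp", *PEERS, *PEERS, dport_eq=BGP_PORT),
    Ace("permit", "tcp", *PEERS, *PEERS, sport_eq=BGP_PORT),
    Ace("deny", "ip", *ANY, *ANY),
]

# Constructed control-plane traffic: local router 146.57.252.130,
# neighbour 146.57.252.141, ephemeral port 41812 (assumed).
# Case A: the neighbour opened the TCP session, so its packets go TO port 179.
PEER_INITIATED = Packet("tcp", "146.57.252.141", "146.57.252.130", 41812, BGP_PORT)
# Case B: the local router opened the session, so the neighbour answers
# FROM port 179 to the local ephemeral port.
LOCAL_INITIATED = Packet("tcp", "146.57.252.141", "146.57.252.130", BGP_PORT, 41812)


def classify(acl: List[Ace]) -> dict:
    """Whether each sample packet lands in the critical class ('permit')
    or falls out of it ('deny') and is policed by whatever class follows."""
    return {
        "peer_initiated": acl_action(acl, PEER_INITIATED),
        "local_initiated": acl_action(acl, LOCAL_INITIATED),
    }


if __name__ == "__main__":
    print("as posted:", classify(ORIGINAL_BGP_ACL))
    print("with fix :", classify(FIXED_BGP_ACL))
```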
From lmeade at signal.ca Thu Jul 24 11:26:50 2008 From: lmeade at signal.ca (Leslie Meade) Date: Thu, 24 Jul 2008 08:26:50 -0700 Subject: [c-nsp] 6509e upgrades to native ios References: Message-ID: Oppss.... I re-read the doco again and it did say switch console my bad Thanks for the pointer Leslie ________________________________ From: Church, Charles [mailto:cchurc05 at harris.com] Sent: Thu 7/24/2008 6:48 AM To: Leslie Meade; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 6509e upgrades to native ios Did you get into the MSFC via 'switch con' or 'session'. I'm guessing session, since that's internal telnet. Try 'switch con' or 'switch con SLOT#' Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leslie Meade Sent: Thursday, July 24, 2008 12:13 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 6509e upgrades to native ios I have been reading and following the following document for upgrading from cat os to native ios http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note 09186a008015bfa6.shtml#conv_32 I am stuck at reloading the router, I get this error ( I am consoled into the console port on the sup 32) Router#reload Reload to the ROM monitor only allowed from console line unless the configuration register boot bits are non-zero I do a sh bootvar and it shows me Router#sh bootvar BOOT variable = c6msfc2a-ipbase_wan-mz.122-18.SXF8.bin,1; CONFIG_FILE variable = BOOTLDR variable = Configuration register is 0x2102 (will be 0x0 at next reload) How do I reload the sup32 ? If is reset the config-register back to 0X2102 I am allowed to reload it... Any ideas ?? 
From chunt at reachone.com Thu Jul 24 12:06:30 2008 From: chunt at reachone.com (Christopher Hunt) Date: Thu, 24 Jul 2008 09:06:30 -0700 Subject: [c-nsp] multiple OAM loopback replies Message-ID: <4888A886.9060705@reachone.com> I'm having trouble with one of our subscriber ADSL lines and I'm seeing duplicate OAM replies on their PVC. Anyone know what might cause this? OAM cells drop (and then IP drops too) when the line is under load (>3kbps). Here's the debug atm oam interface atm3/0.6208 output: Jul 23 15:31:29.514 PDT: ATM OAM(ATM3/0.6208): Timer: VCD#1483 VC 6/208 Status:2 CTag:0x153 Tries:0 Jul 23 15:31:29.514 PDT: ATM OAM LOOP(ATM3/0.6208) O: VCD#1483 VC 6/208 CTag:0x154 Jul 23 15:31:29.522 PDT: ATM OAM LOOP(ATM3/0) I: VCD#1483 VC 6/208 LoopInd:0 CTag:0x154 OAM Cell Type 5 Jul 23 15:31:29.534 PDT: ATM OAM LOOP(ATM3/0) I: VCD#1483 VC 6/208 LoopInd:0 CTag:0x154 OAM Cell Type 5 Jul 23 15:31:29.546 PDT: ATM OAM LOOP(ATM3/0) I: VCD#1483 VC 6/208 LoopInd:0 CTag:0x154 OAM Cell Type 5 Jul 23 15:31:29.634 PDT: ATM OAM LOOP(ATM3/0) I: VCD#1483 VC 6/208 LoopInd:0 CTag:0x154 OAM Cell Type 5 -Chris From masood at nexlinx.net.pk Thu Jul 24 16:29:23 2008 From: masood at nexlinx.net.pk (Masood Ahmad Shah) Date: Fri, 25 Jul 2008 01:29:23 +0500 Subject: [c-nsp] PPPoE tunnel and Firewall Message-ID: <004801c8edcb$f8cc6d30$ea654790$@net.pk> I'm really getting confused while adding a firewall for DSL subscribers. I want to protect my PPPoE subscribers from malicious traffic. Adding a firewall between DSLAMs and BRAS is kinda confusing for me. The final topology is going to be like CPE ------> DSLAM ------- Firewall ------ BRAS -------> Internet From CPE to BRAS is a PPPoE tunnel. The question: 
"Can a firewall protect PPPoE customers from malicious traffic while sitting in transparent mode in front of the BRAS?" I wonder whether the firewall will skip the PPPoE tunnel traffic. If yes, then how do you guys protect BRAS internal traffic from one subscriber to another? From peder at networkoblivion.com Thu Jul 24 16:38:40 2008 From: peder at networkoblivion.com (Peder @ NetworkOblivion) Date: Thu, 24 Jul 2008 15:38:40 -0500 Subject: [c-nsp] 7204 NPE Bus Error Message-ID: <4888E850.8000900@networkoblivion.com> Does anybody know how to figure out what a bus error means on a 7204VXR with NPE300? We have one that works fine for about 2 weeks and then it crashes. If you reboot it, it goes into an endless bus error loop. If you leave it off and fiddle with the cards, memory, etc. and re-seat it all, eventually it will boot, but this sometimes takes days to get in there. There is a link on cisco.com titled Troubleshooting Bus Error Crashes, but it isn't really much help. It gets an error during the bootstrap and then another error upon loading IOS and then just loops 2 or 3 times before freezing. There is an entry that says "possible software fault", but I can't imagine that is the case as there are errors before it even gets to IOS. Here is the log from a fresh boot. System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE Copyright (c) 1994-1999 by cisco Systems, Inc. 
C7200 platform with 262144 Kbytes of main memory Self decompressing the image : ##################################################################### ################################################################################################### ################################################################################################### ################# [OK] === Flushing messages () === *** System received a Bus Error exception *** signal= 0xa, code= 0x1c, context= 0x6087a8d0 PC = 0x60362a38, Cause = 0x4020, Status Reg = 0x34008002 System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE Copyright (c) 1994-1999 by cisco Systems, Inc. C7200 platform with 262144 Kbytes of main memory Self decompressing the image : ##################################################################### ################################################################################################### ################################################################## [OK] Restricted Rights Legend Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013. cisco Systems, Inc. 170 West Tasman Drive San Jose, California 95134-1706 Cisco Internetwork Operating System Software IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.3(26), RELEASE SOFTWARE (fc2) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2008 by cisco Systems, Inc. Compiled Mon 17-Mar-08 19:27 by dchih : Data Bus Error exception, CPU signal 10, PC = 0x61F3F138 -------------------------------------------------------------------- Possible software fault. Upon reccurence, please collect crashinfo, "show tech" and contact Cisco Technical Support. 
-------------------------------------------------------------------- === Flushing messages () === *** System received a Bus Error exception *** signal= 0xa, code= 0x1c, context= 0x636a2c04 PC = 0x60815e38, Cause = 0x4020, Status Reg = 0x34008002 From danletkeman at gmail.com Thu Jul 24 19:15:24 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Thu, 24 Jul 2008 18:15:24 -0500 Subject: [c-nsp] route-map local destination device Message-ID: Hello, I have a router that is doing some route-map's for various destinations. On the fa0/0 port I have "ip policy route-map inet" and the route-map's are done like this route-map inet permit 10 match ip address 111 set ip next-hop 187.174.55.2 ! route-map inet permit 40 match ip address 222 set ip next-hop 187.174.55.2 ! route-map inet permit 50 match ip address 333 set ip next-hop 187.174.55.2 Ip access lists match various internal ip's or ip ranges. Now if have a device that is connected directly to the router with an ip of 10.1.1.1, but none of the internal devices can ping it because they are being route-map'd to different gateway's. Is there a way to bypass the route-map if it is a certain destination? Thanks, Dan. 
From RTeller at deltadentalwa.com Thu Jul 24 19:21:36 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Thu, 24 Jul 2008 16:21:36 -0700 Subject: [c-nsp] route-map local destination device In-Reply-To: References: Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E1D@tiger.deltadentalwa.com> Put a deny at the beginning of your access-list -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman Sent: Thursday, July 24, 2008 4:15 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] route-map local destination device Hello, I have a router that is doing some route-map's for various destinations. On the fa0/0 port I have "ip policy route-map inet" and the route-map's are done like this route-map inet permit 10 match ip address 111 set ip next-hop 187.174.55.2 ! route-map inet permit 40 match ip address 222 set ip next-hop 187.174.55.2 ! route-map inet permit 50 match ip address 333 set ip next-hop 187.174.55.2 Ip access lists match various internal ip's or ip ranges. Now if have a device that is connected directly to the router with an ip of 10.1.1.1, but none of the internal devices can ping it because they are being route-map'd to different gateway's. Is there a way to bypass the route-map if it is a certain destination? Thanks, Dan. 
From tom at snnap.net Thu Jul 24 20:15:59 2008 From: tom at snnap.net (Tom Storey) Date: Fri, 25 Jul 2008 09:15:59 +0900 (EIT) Subject: [c-nsp] DC power options for 1841 Message-ID: <50765.172.25.144.4.1216944959.squirrel@imap.snnap.net> Hi all, The ISP I work for has a number of remote tower sites to which I would like to add console, remote access, and perhaps some SLA monitoring. Looking at the possibility of using the 1841 with a HWIC-8A/AS (which would be superb), but unfortunately the 1841 doesn't have an (official) DC power supply option. Wondering if anyone has come across a suitable 48v DC power supply from a 3rd party, or has other suggestions for running an 1841 off of DC. Some of the tower cabinets are very small and space is at a premium, so installing inverters etc. is not an option unless they are very small and efficient. Cheers, Tom From spinthiras.mario at gmail.com Thu Jul 24 20:34:56 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Fri, 25 Jul 2008 03:34:56 +0300 Subject: [c-nsp] route-map local destination device In-Reply-To: References: Message-ID: <4f890e580807241734k7c33cfffo1c623702dd721b1b@mail.gmail.com> deny ip any 10.1.1.1 0.0.0.0 On Fri, Jul 25, 2008 at 2:15 AM, Dan Letkeman wrote: > Hello, > > I have a router that is doing some route-map's for various > destinations. On the fa0/0 port I have "ip policy route-map inet" and > the route-map's are done like this > > route-map inet permit 10 > match ip address 111 > set ip next-hop 187.174.55.2 > ! > route-map inet permit 40 > match ip address 222 > set ip next-hop 187.174.55.2 > ! > route-map inet permit 50 > match ip address 333 > set ip next-hop 187.174.55.2 > > Ip access lists match various internal ip's or ip ranges. 
> > Now if have a device that is connected directly to the router with an > ip of 10.1.1.1, but none of the internal devices can ping it because > they are being route-map'd to different gateway's. Is there a way to > bypass the route-map if it is a certain destination? > > Thanks, > Dan. > From spinthiras.mario at gmail.com Thu Jul 24 20:39:42 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Fri, 25 Jul 2008 03:39:42 +0300 Subject: [c-nsp] PPPoE tunnel and Firewall In-Reply-To: <004801c8edcb$f8cc6d30$ea654790$@net.pk> References: <004801c8edcb$f8cc6d30$ea654790$@net.pk> Message-ID: <4f890e580807241739w3b909a4bvaa7ee3868bcf6bc9@mail.gmail.com> It will not. If you are looking into something along the lines of DPI or even standard filtering per ip/port it will still work. PPPoE is L2 encapsulation. It will still look for the L3 information inside the frame. On Thu, Jul 24, 2008 at 11:29 PM, Masood Ahmad Shah wrote: > I'm really getting confused while adding firewall for DSL subscribers. I > want to protect my PPPoE subscriber from malicious traffic. Adding a > firewall between DSLAMs and BRAS is kinda confused for me. The final > topology is going to be like > > > > > > CPE ------> DSLAM ------- Firewall ------ BRAS -------> Internet > > > > > From CPE to BRAS is PPPoE tunnel. The question " Can firewall protect > PPPoE > customers from malicious traffic while sitting in transparent mode in front > of BRAS". I wonder , firewall will skip the PPPoE tunnels traffic. > > > > If yes, than how do you guys protect BRAS internal traffic from one > subscriber to another. 
> > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From spinthiras.mario at gmail.com Fri Jul 25 05:20:50 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Fri, 25 Jul 2008 12:20:50 +0300 Subject: [c-nsp] Surviving denial of service from certain IPs Message-ID: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com> Greetings to everyone, I recently looked into the minimal resource usage of a Cisco router in the case of a denial of service attack. In such cases what is the minimal configuration one can apply to a router to make sure that a certain range of IPs attacking you keeps the router alive and uses much less resources. Two things I came up with (one of which everyone probably does on a normal basis) is access lists and another would be a route-map to point all unwanted sources to null0. Would a route-map hurt the router less than an access list plain out ? What I'm referring to is basically PBR pointing matches to null0. An example configuration would be: ! interface FastEthernet0/0 ip policy route-map unwanted ! ! ip access-list extended unwacl deny ip any any permit ip 192.168.1.0 0.0.0.255 any ! ! route-map unwanted permit 10 match ip address unwacl set default interface Null0 ! Is this more optimal than a plain old access list? Is this used in any way? Regards, Mario From peter at rathlev.dk Fri Jul 25 04:42:26 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 25 Jul 2008 10:42:26 +0200 Subject: [c-nsp] route-map local destination device In-Reply-To: References: Message-ID: <1216975346.10077.2.camel@svesken.sys.mjna.net> On Thu, 2008-07-24 at 18:15 -0500, Dan Letkeman wrote: > route-map inet permit 10 > match ip address 111 > set ip next-hop 187.174.55.2 > ! > Ip access lists match various internal ip's or ip ranges. 
> > Now if have a device that is connected directly to the router with an > ip of 10.1.1.1, but none of the internal devices can ping it because > they are being route-map'd to different gateway's. Is there a way to > bypass the route-map if it is a certain destination? Depending on your platform, you might also use "set ip default next-hop", to allow the router to do a route lookup and only use the policy routing if there is no specific route to the destination. (= only a default.) Regards, Peter From avayner at cisco.com Fri Jul 25 07:04:46 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Fri, 25 Jul 2008 13:04:46 +0200 Subject: [c-nsp] Surviving denial of service from certain IPs In-Reply-To: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com> References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com> Mario, There is a more elegant way. You could use loose mode uRPF on your ingress interfaces. If you want to block a specific source prefix, you just set a route to null0 for that prefix, and uRPF would block it in the most efficient way possible on a Cisco router. The generic uRPF guide: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg _unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html Loose mode uRPF: http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_uni cast_rpf_loose_ps6441_TSD_Products_Configuration_Guide_Chapter.html The command reference: http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.ht ml#wp1033222 This solution can be integrated together with Remote Triggered Black Holing for a distributed solution using BGP communities: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642 /prod_white_paper0900aecd80313fac.pdf Let me know if you require further info. 
Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mario Spinthiras Sent: Friday, July 25, 2008 12:21 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Surviving denial of service from certain IPs Greetings to everyone, I recently looked into the minimal resource usage of a Cisco router in the case of a denial of service attack. In such cases what is the minimal configuration one can apply to a router to make sure that a certain range of IPs attacking you keeps the router alive and uses much less resources. Two things I came up with (one of which everyone probably does on a normal basis) is access lists and another would be a route-map to point all unwanted sources to null0. Would a route-map hurt the router less than an access list plain out ? What I'm referring to is basically PBR pointing matches to null0. An example configuration would be: ! interface FastEthernet0/0 ip policy route-map unwanted ! ! ip access-list extended unwacl deny ip any any permit ip 192.168.1.0 0.0.0.255 any ! ! route-map unwanted permit 10 match ip address unwacl set default interface Null0 ! Is this more optimal than a plain old access list? Is this used in any way? 
Regards, Mario _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From spinthiras.mario at gmail.com Fri Jul 25 08:31:04 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Fri, 25 Jul 2008 15:31:04 +0300 Subject: [c-nsp] Surviving denial of service from certain IPs In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com> References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com> Message-ID: <4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com> Arie hello and thank you for your feedback. What I want to know is how would route-map methods effectively help stop such attacks and what the resource usage comparison is when putting ACLs and other methods on the scale. uRPF is all very nice but what about something along the lines of a 100 Mbps stub network? Regards, Mario On Fri, Jul 25, 2008 at 2:04 PM, Arie Vayner (avayner) wrote: > Mario, > > There is a more elegant way. > You could use loose mode uRPF on your ingress interfaces. > If you want to block a specific source prefix, you just set a route to > null0 for that prefix, and uRPF would block it in the most efficient way > possible on a Cisco router. 
> > The generic uRPF guide: > http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg > _unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html > > Loose mode uRPF: > http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_uni > cast_rpf_loose_ps6441_TSD_Products_Configuration_Guide_Chapter.html > > The command reference: > http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.ht > ml#wp1033222 > > This solution can be integrated together with Remote Triggered Black > Holing for a distributed solution using BGP communities: > http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642 > /prod_white_paper0900aecd80313fac.pdf > > Let me know if you require further info. > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mario Spinthiras > Sent: Friday, July 25, 2008 12:21 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Surviving denial of service from certain IPs > > Greetings to everyone, > > > I recently looked into the minimal resource usage of a Cisco router in > the case of a denial of service attack. In such cases what is the > minimal configuration one can apply to a router to make sure that a > certain range of IPs attacking you keeps the router alive and uses much > less resources. Two things I came up with (one of which everyone > probably does on a normal > basis) is access lists and another would be a route-map to point all > unwanted sources to null0. Would a route-map hurt the router less than > an access list plain out ? What I'm referring to is basically PBR > pointing matches to null0. An example configuration would be: > > ! > interface FastEthernet0/0 > ip policy route-map unwanted > ! > ! > ip access-list extended unwacl > deny ip any any > permit ip 192.168.1.0 0.0.0.255 any > ! > ! > route-map unwanted permit 10 > match ip address unwacl > set default interface Null0 > ! 
> > > > Is this more optimal than a plain old access list? Is this used in any > way? > > > Regards, > Mario > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- Warm Regards, Mario A. Spinthiras From alex at bytemark.co.uk Fri Jul 25 08:37:16 2008 From: alex at bytemark.co.uk (Alex Howells) Date: Fri, 25 Jul 2008 13:37:16 +0100 Subject: [c-nsp] nvram writing config issue Message-ID: <4889C8FC.4050502@bytemark.co.uk> Not seen this one before, thought I'd ask the oracles what the fix is? Directory of nvram:/ 28 -rw- 31882 startup-config 29 ---- 3647 private-config 1 ---- 12 persistent-data switch#write mem Building configuration... % Warning: Saving this config to nvram may corrupt any network management or security files stored at the end of nvram. Continue? [no]: If you don't save the config -- % Configuration buffer full, can't add command: interface FastEthernet0/37 %Aborting Save. Compress the config.[OK] If you do save the config -- Jul 25 13:35:39.242 BST: %SYS-4-CONFIG_NV_OVERRUN: Non config data present at the end of nvram is corrupted Switch is a WS-C2960-48TT-L running 12.2(25)SEE4. Thanks, Alex From avayner at cisco.com Fri Jul 25 09:25:57 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Fri, 25 Jul 2008 15:25:57 +0200 Subject: [c-nsp] Surviving denial of service from certain IPs In-Reply-To: <4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com> References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com> <4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com> Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A661F2@xmb-ams-331.emea.cisco.com> Mario, It all depends on which platform you are using. 
Also, it is important to say whether the 100Mbps attack is using 64 byte
packets or larger packets. This is the case as routers usually care more
about packets per second than bits per second.

I would say that uRPF would be much more efficient if it's possible to
implement it, as it is done at an earlier stage of packet processing.
Also, if you can avoid ACL lookups, and use uRPF (which uses the CEF tree
structure), you gain performance.

This all changes a bit when we talk about hardware based platforms which
use TCAM. There both options may present the same performance.

Arie

________________________________
From: Mario Spinthiras [mailto:spinthiras.mario at gmail.com]
Sent: Friday, July 25, 2008 15:31 PM
To: Arie Vayner (avayner)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Surviving denial of service from certain IPs

Arie hello and thank you for your feedback.

What I want to know is how would route-map methods effectively help stop
such attacks and what the resource usage comparison is when putting ACLs
and other methods on the scale. uRPF is all very nice but what about
something along the lines of a 100 Mbps stub network?

Regards,
Mario

On Fri, Jul 25, 2008 at 2:04 PM, Arie Vayner (avayner) wrote:

Mario,

There is a more elegant way. You could use loose mode uRPF on your
ingress interfaces. If you want to block a specific source prefix, you
just set a route to null0 for that prefix, and uRPF would block it in
the most efficient way possible on a Cisco router.
The generic uRPF guide:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_cfg_unicast_rpf_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Loose mode uRPF:
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_unicast_rpf_loose_ps6441_TSD_Products_Configuration_Guide_Chapter.html

The command reference:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_i3.html#wp1033222

This solution can be integrated together with Remote Triggered Black
Holing for a distributed solution using BGP communities:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd80313fac.pdf

Let me know if you require further info.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mario Spinthiras
Sent: Friday, July 25, 2008 12:21 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Surviving denial of service from certain IPs

Greetings to everyone,

I recently looked into the minimal resource usage of a Cisco router in
the case of a denial of service attack. In such cases what is the
minimal configuration one can apply to a router to make sure that a
certain range of IPs attacking you keeps the router alive and uses much
less resources. Two things I came up with (one of which everyone
probably does on a normal basis) is access lists and another would be a
route-map to point all unwanted sources to null0. Would a route-map hurt
the router less than an access list plain out? What I'm referring to is
basically PBR pointing matches to null0. An example configuration would
be:

!
interface FastEthernet0/0
 ip policy route-map unwanted
!
!
ip access-list extended unwacl
 deny ip any any
 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map unwanted permit 10
 match ip address unwacl
 set default interface Null0
!

Is this more optimal than a plain old access list? Is this used in any
way?
Regards,
Mario

--
Warm Regards,
Mario A. Spinthiras

From peter at rathlev.dk Fri Jul 25 09:24:22 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 25 Jul 2008 15:24:22 +0200
Subject: [c-nsp] Surviving denial of service from certain IPs
In-Reply-To: <4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com>
References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com>
	<67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com>
	<4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com>
Message-ID: <1216992262.13810.5.camel@svesken.sys.mjna.net>

On Fri, 2008-07-25 at 15:31 +0300, Mario Spinthiras wrote:
> What I want to know is how would route-map methods effectively help stop
> such attacks and what the resource usage comparison is when putting ACLs and
> other methods on the scale. uRPF is all very nice but what about something
> along the lines of a 100 Mbps stub network?

I'd go for the access lists, since they are made for exactly that. In a
debugging situation the ACL would, for me, be the more logical choice to
look for. I'm not sure, but I have this feeling that ACLs are also more
effective with regard to performance than route-maps. I'd almost bet that
route-maps are at least not _more_ optimal than ACLs.

> > interface FastEthernet0/0
> >  ip policy route-map unwanted
> > !
> > ip access-list extended unwacl
> >  deny ip any any
> >  permit ip 192.168.1.0 0.0.0.255 any
> > !

Since "any" also matches 192.168.1.0/24 the above would not work as
intended. You probably want to swap the two ACL lines.

> > route-map unwanted permit 10
> >  match ip address unwacl
> >  set default interface Null0
> > !

Wouldn't "set default interface" only be used if you have no specific
(e.g. connected) route to the destination?
If you want to throw traffic away it should be "set interface" I think.

Regards,
Peter

From peter at rathlev.dk Fri Jul 25 10:18:52 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 25 Jul 2008 16:18:52 +0200
Subject: [c-nsp] Surviving denial of service from certain IPs
In-Reply-To: <4f890e580807250632p6eac63e6k3a6d49a7b7f9495@mail.gmail.com>
References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com>
	<67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com>
	<4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com>
	<1216992262.13810.5.camel@svesken.sys.mjna.net>
	<4f890e580807250632p6eac63e6k3a6d49a7b7f9495@mail.gmail.com>
Message-ID: <1216995532.14729.6.camel@svesken.sys.mjna.net>

Hi Mario,

On Fri, 2008-07-25 at 16:32 +0300, Mario Spinthiras wrote:
> set interface does not work.

How does it not work? Will it not accept the command, or does it not give
you what you expect? And what platform/IOS is it?

> As far as the ACL statements, it seems as if the route-map treats
> the ACL differently. deny any any works fine despite the sequential
> nature of the ACL matching process.

Hm... I find that strange. But maybe IOS is strange sometimes. :-)

Arie's solution with uRPF is probably the best, and it's really quite
simple. You configure an interface with "ip verify unicast source
reachable-via any" and then use Null0-routes for unwanted traffic. That
way packets sourced from or destined to that prefix are thrown away.
Regards,
Peter

From Chris.Kilian at aolbb.co.uk Fri Jul 25 11:02:54 2008
From: Chris.Kilian at aolbb.co.uk (Chris Kilian)
Date: Fri, 25 Jul 2008 16:02:54 +0100
Subject: [c-nsp] PAgP vs LACP on Etherchannels between Cisco 7609 and Cisco ME3400's
Message-ID: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA82@SGBS201V1.CPWBB.LOCAL>

Hi All

I posted a few days ago about some issues that I was having with setting
up a port channel between a Cisco 7609 and a Cisco ME3400. I have resolved
this issue by using the following on all physical interfaces.

  channel-group mode on

This brought up the port-channel right away and things appear to be
working fine. My question now is this: this is the only channel setting on
the physical interfaces, with no channel-protocol set at all, yet if I
bounce one of the physical interfaces I am seeing debug messages detailing
PAgP. Would this therefore mean that despite not having a channel-group
protocol set it defaults to using PAgP?

The message when doing a debug etherchannel all and dropping one physical
interface in the port channel was this.
Jul 25 14:43:50: %LINK-3-UPDOWN: Interface GigabitEthernet1/6, changed state to down
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport

When unshutting the interface the following was seen:

20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport

Just as an addition, the reason that we can't use LACP as we wanted is due
to IOS limitations in the Metro Access IOS image running on the ME3400's,
which only allows up to 4 ports as NNI ports with the remainder as UNI. By
upgrading to a full release of the Metro Access IOS you can enable all
ports as NNI ports; as we have in excess of 100 ME3400's this is not
desirable.

Chris Kilian
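The two mechanisms compared in the "Surviving denial of service from certain IPs" thread above (Mario's PBR-to-Null0 ACL, Peter's point that the order of "deny ip any any" matters, and the loose-mode uRPF plus Null0 route that Arie and Peter recommend) can be exercised offline with the following Python simulation. It is an added example and not code from the thread or from Cisco IOS; the function names, the FIB and the addresses (RFC 5737 documentation ranges) are constructed for illustration. The ACL parser implements IOS first-match semantics with wildcard masks and the implicit deny; the uRPF check treats a default route as valid only when allow-default is set, which is how the IOS "ip verify unicast source reachable-via any" option is documented.

```python
"""Added simulation, not IOS code: IOS-style first-match ACL evaluation
(why the order of 'deny ip any any' matters when a route-map sends ACL
matches to Null0) and a loose-mode uRPF check against a constructed FIB."""
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")


def wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted subnet masks (0.0.0.255 -> /24)."""
    mask = int(ip_address(wildcard)) ^ 0xFFFFFFFF
    return ip_network(f"{addr}/{ip_address(mask)}", strict=False)


def parse_acl_line(line):
    """Parse '<permit|deny> ip <src> <dst>' where each side is 'any',
    'host A.B.C.D' or 'A.B.C.D <wildcard>'. Returns (action, src, dst)."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ANY)
            rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ip_network(rest[1] + "/32"))
            rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    if len(nets) != 2:
        raise ValueError(f"expected source and destination: {line!r}")
    return action, nets[0], nets[1]


def acl_result(acl_lines, src, dst):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for line in acl_lines:
        action, snet, dnet = parse_acl_line(line)
        if s in snet and d in dnet:
            return action
    return "deny"


def pbr_to_null0_drops(acl_lines, src, dst):
    """A route-map 'match ip address <acl>' applies its set clause only to
    packets the ACL permits, so with an interface Null0 set clause a
    permit means the packet is discarded."""
    return acl_result(acl_lines, src, dst) == "permit"


# Mario's ACL as posted: the deny-any entry shadows the permit below it.
ACL_AS_POSTED = ["deny ip any any", "permit ip 192.168.1.0 0.0.0.255 any"]
# Peter's suggestion: swap the two entries so the unwanted /24 is matched.
ACL_SWAPPED = ["permit ip 192.168.1.0 0.0.0.255 any", "deny ip any any"]

# Constructed FIB: (prefix, next hop). A Null0 next hop models
# 'ip route <prefix> <mask> Null0' used to black-hole a source range.
FIB = [
    ("0.0.0.0/0", "10.0.0.1"),               # default route upstream
    ("10.0.0.0/8", "FastEthernet0/0"),
    ("198.51.100.0/24", "FastEthernet0/1"),  # a customer prefix
    ("192.0.2.0/24", "Null0"),               # black-holed attacker range
]


def fib_lookup(fib, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    a = ip_address(addr)
    best = None
    for prefix, nh in fib:
        net = ip_network(prefix)
        if a in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best


def urpf_loose_passes(fib, src, allow_default=False):
    """'ip verify unicast source reachable-via any': the source must have a
    FIB entry whose next hop is not Null0. As in IOS, the default route
    satisfies the check only when 'allow-default' is configured."""
    hit = fib_lookup(fib, src)
    if hit is None or hit[1] == "Null0":
        return False
    return hit[0] != ANY or allow_default


def route_packet(fib, src, dst, allow_default=False):
    """Ingress decision: uRPF on the source, then a normal destination
    lookup (a Null0 destination route also discards the packet)."""
    if not urpf_loose_passes(fib, src, allow_default):
        return "drop: uRPF source check failed"
    hit = fib_lookup(fib, dst)
    if hit is None or hit[1] == "Null0":
        return "drop: no route or Null0 for destination"
    return f"forward via {hit[1]}"


if __name__ == "__main__":
    for pkt in (("192.0.2.7", "198.51.100.1"), ("198.51.100.9", "10.1.2.3")):
        print(pkt, "->", route_packet(FIB, *pkt))
```

Running the module shows the attacker range 192.0.2.0/24 being dropped by the source check while normal customer traffic is forwarded; calling acl_result with the two ACL variants shows that the posted order never permits (and so never policy-routes) the 192.168.1.0/24 sources, while the swapped order does.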
From rich.davies at gmail.com Fri Jul 25 12:35:36 2008
From: rich.davies at gmail.com (Rich Davies)
Date: Fri, 25 Jul 2008 12:35:36 -0400
Subject: [c-nsp] Cisco 5814 / 7206 dial shelf interconnect question
Message-ID: <3e4b8fe10807250935m426ab836t319700fd57c7ba7b@mail.gmail.com>

Hello

I have a question regarding the Cisco 5814/7206 NAS. The 5814 dial-shelf
controller (DSC) is connected to the 7206 via a dial-shelf interface (DSI).
This connection is ethernet-based even though Cisco calls it a proprietary
DSI connection. When you do a "show dsi" to look at the status of the DSI
interface it shows UP/UP and has various info that you'd expect an ethernet
interface to have (plus the physical connector IS ethernet-based).

This being the case, I am trying to determine if the DSI is a generic
ethernet connection (running layer 2 between the 5814 and 7206 for dial
shelf to dial shelf controller communication). If this is the case and it's
just an ethernet connection running layer 2, is it possible to put a switch
between the 5814 and 7206? (put the DSI link in its own VLAN).
The reason I ask is I have seen a moderate failure rate of 7206's acting as
a dial shelf for a 5814, and it usually requires an onsite visit (trying to
get away from that). If I can put a switch in between and use VLANs I could
create a layer of redundancy for 5814's (have the ability to map the port
to another VLAN in the event of a 7206 dial shelf outage).

Any thoughts on this? The DSI interface does indeed seem to be layer 2 and
MAC based. Was hoping someone else out there has tried this?

Thanks,
Rich Davies
rich.davies at gmail.com

From felixnkansah at gmail.com Fri Jul 25 13:25:24 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Fri, 25 Jul 2008 17:25:24 +0000
Subject: [c-nsp] NAC for Thin-Clients?
Message-ID: <18dba4e50807251025y46f7c692y1993bfc88649bf68@mail.gmail.com>

Hi,

An enterprise customer of mine is replacing all workstations/PCs in their
network with thin-clients. They require a NAC-like solution, one that
provides posture assessments and remediation for the thin-client users.

AFAIK, Cisco's present NAC offering doesn't seem to fit this requirement
(posture assessment for terminal services-like workstations). The required
solution would have to assess the various user virtual systems for
compliance (patches, viruses, etc.) before allowing them to operate.

Please let me know if you have deployed a posture assessment and
remediation solution for this kind of scenario. Links would also be
appreciated.

Regards,
Felix

From bms314 at gmail.com Fri Jul 25 13:30:20 2008
From: bms314 at gmail.com (Brian)
Date: Fri, 25 Jul 2008 12:30:20 -0500
Subject: [c-nsp] 3750 integrated WLC keepalive problem
Message-ID: <7aaaf7f0807251030i65ce49bcyc77311f936f8764b@mail.gmail.com>

Hello,

I have a couple of 3750 integrated WLC's that are continually rebooting
themselves. I was able to configure the controller and each is on version
4.2.130. 3750's are on version 12.2(44)SE2.
When doing a debug platform wireless-controller, I see the following:

22:27:01: WRLS: Missed keepalive src 127.0.1.1 missed 1
22:27:07: wcp-tx: src/dst:127.0.20.20/127.0.1.1 ver:1 sap2/1
22:27:07: typ:req len:61 seq:3816 flg:0 sts:1
22:27:07: 00 00 00 01 00 00 00 18 00 00 00 04 7F 00 14 14
22:27:07: 00 00 20 00 01 3B 04 BB 1F 49 45 50 46 44 46 41

After 15 misses, it sends a reset and reboots. I believe this has to do
with the service-port interface on the controller. Is it a requirement
that this interface is routable? When issuing a show platform
wireless-controller, I see it assigns service VLAN 4095 and the 127.0.1.1
address. I just have a dummy address configured on the Controller and I
tried to configure it with 127.0.1.1. I have another controller set up the
same way without this issue. Am I missing something obvious?

LDCH37502#show platform wireless-controller
Wireless Controller in Switch 1
Operational Status of the Controller  : wait_for_keepalive
Service VLAN                          : 4095
Service Port Mac Address              : 001c.588a.xxxx
Service IP Address                    : 127.0.1.1
Management IP Address                 : 10.3.20.13
Management VLAN                       : 20
Software Version                      : 4.2.130.0
Keepalive Version(controller/switch)  : 1/1
Keepalives Missed                     : 15
Controller accepts http/https         : 0/1
Controller's Status Line              : up
Watchdog resets of Controller         : 204
Controller resets total               : 205
Unacknowledged control messages       : 3600

Thanks,
Brian

From jfitz at Princeton.EDU Fri Jul 25 14:44:02 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 25 Jul 2008 14:44:02 -0400
Subject: [c-nsp] DFC module insert message?
Message-ID:

I have a 6500 with sup-720 with PFC3CXL and I just inserted a new DFCXL
8-port 10G module which logged some strange messages but still came up and
appears OK.

Any ideas on these before I get in touch with cisco tech?

These messages appeared just before initial module diags finished and
module came online....
17:22:40.583 FW[Mod 12]: AR#0 WARNING: Cannot HALT Dic#0
17:22:40.591 FW[Mod 12]: ME_AR#0 WARNING: Cannot FLUSH Dic#0
17:22:40.631 FW[Mod 12]: AR#1 WARNING: Cannot HALT Dic#0
17:22:40.643 FW[Mod 12]: ME_AR#1 WARNING: Cannot FLUSH Dic#0
17:22:40.683 FW[Mod 12]: AR#0 WARNING: Cannot HALT Dic#1
17:22:40.691 FW[Mod 12]: ME_AR#0 WARNING: Cannot FLUSH Dic#1
17:22:40.735 FW[Mod 12]: AR#1 WARNING: Cannot HALT Dic#1
17:22:40.743 FW[Mod 12]: ME_AR#1 WARNING: Cannot FLUSH Dic#1

Thanks for any help;

Jeff Fitzwater
OIT Network Systems
Princeton University

From sgranger at randfinancial.com Fri Jul 25 15:05:57 2008
From: sgranger at randfinancial.com (Sean Granger)
Date: Fri, 25 Jul 2008 14:05:57 -0500
Subject: [c-nsp] OT : Environmental Monitoring
Message-ID:

Wanted to bounce this around the list, to see what people are using?
Anything providing a Java/AJAX applet from its own webserver for real-time
updates, for anywhere monitoring, rather than having to install 3rd party
software? Email, SMS (via adapter and/or gateway), SNMP ... standard issue.

Regards!

From bms314 at gmail.com Fri Jul 25 15:21:52 2008
From: bms314 at gmail.com (Brian)
Date: Fri, 25 Jul 2008 14:21:52 -0500
Subject: [c-nsp] 3750 integrated WLC keepalive problem
In-Reply-To: <7aaaf7f0807251030i65ce49bcyc77311f936f8764b@mail.gmail.com>
References: <7aaaf7f0807251030i65ce49bcyc77311f936f8764b@mail.gmail.com>
Message-ID: <7aaaf7f0807251221k468473cbs4d3cea4507588fa3@mail.gmail.com>

I'm starting to wonder if this is a compatibility issue with the switch
IOS. The release notes for 12.2(44)SE only mention compatibility for WLC
version 4.1.x. This seems hard to believe. Does anyone have a 3750 WLC
with version 4.2 or later?

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/release/notes/OL14630.html#wp798159

Brian

On Fri, Jul 25, 2008 at 12:30 PM, Brian wrote:
> Hello,
>
> I have a couple of 3750 integrated WLC's that are continually rebooting
> themselves.
> I was able to configure the controller and each is on version
> 4.2.130. 3750's are on version 12.2(44)SE2. When doing a debug platform
> wireless-controller, I see the following:
>
> 22:27:01: WRLS: Missed keepalive src 127.0.1.1 missed 1
> 22:27:07: wcp-tx: src/dst:127.0.20.20/127.0.1.1 ver:1 sap2/1
> 22:27:07: typ:req len:61 seq:3816 flg:0 sts:1
> 22:27:07: 00 00 00 01 00 00 00 18 00 00 00 04 7F 00 14 14
> 22:27:07: 00 00 20 00 01 3B 04 BB 1F 49 45 50 46 44 46 41
>
> After 15 misses, it sends a reset and reboots. I believe this has to do
> with the service-port interface on the controller. Is it a requirement
> that this interface is routable? When issuing a show platform
> wireless-controller, I see it assigns service VLAN 4095 and the 127.0.1.1
> address. I just have a dummy address configured on the Controller and I
> tried to configure it with 127.0.1.1. I have another controller set up
> the same way without this issue. Am I missing something obvious?
>
> LDCH37502#show platform wireless-controller
> Wireless Controller in Switch 1
> Operational Status of the Controller  : wait_for_keepalive
> Service VLAN                          : 4095
> Service Port Mac Address              : 001c.588a.xxxx
> Service IP Address                    : 127.0.1.1
> Management IP Address                 : 10.3.20.13
> Management VLAN                       : 20
> Software Version                      : 4.2.130.0
> Keepalive Version(controller/switch)  : 1/1
> Keepalives Missed                     : 15
> Controller accepts http/https         : 0/1
> Controller's Status Line              : up
> Watchdog resets of Controller         : 204
> Controller resets total               : 205
> Unacknowledged control messages       : 3600
>
> Thanks,
> Brian

From gustavo at acmesecurity.org Fri Jul 25 15:32:31 2008
From: gustavo at acmesecurity.org (Gustavo Rodrigues Ramos)
Date: Fri, 25 Jul 2008 16:32:31 -0300
Subject: [c-nsp] Surviving denial of service from certain IPs
In-Reply-To: <4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com>
References: <4f890e580807250220u6496aa5dw9987425314ed29b1@mail.gmail.com>
	<67F7C1FAF83A074AA3520D8F155782A501A66149@xmb-ams-331.emea.cisco.com>
	<4f890e580807250531q236f6087m42286f424c711e61@mail.gmail.com>
Message-ID: <73d1f88a0807251232h30c5fe54x37045a30e22dcf70@mail.gmail.com>

Hello Mario,

uRPF would be my first choice (between ACL, route-maps or whatsoever).
For example, I used to block denial of service attacks in the 7500
platform using only uRPF without performance issues (and routing around
140 Mbps through the box).

Gustavo.

On Fri, Jul 25, 2008 at 9:31 AM, Mario Spinthiras wrote:
> Arie hello and thank you for your feedback.
>
> What I want to know is how would route-map methods effectively help stop
> such attacks and what the resource usage comparison is when putting ACLs and
> other methods on the scale. uRPF is all very nice but what about something
> along the lines of a 100 Mbps stub network?

From dr at cluenet.de Fri Jul 25 16:50:42 2008
From: dr at cluenet.de (Daniel Roesen)
Date: Fri, 25 Jul 2008 22:50:42 +0200
Subject: [c-nsp] Maximizing Router capabilities
In-Reply-To:
References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com>
	<876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com>
Message-ID: <20080725205042.GA16503@srv01.cluenet.de>

On Mon, Jul 21, 2008 at 11:00:16AM -0500, Justin C. Darby wrote:
> You should really shop by feature set. Advanced Enterprise IOS
> licenses are expensive.

Except on ASR1000, where the full-blown Advanced Enterprise image
(positioned for "Enterprise users") is 10kUSD list, vs. the stripped-down
Advanced IP image (positioned for "Service Providers") is 15kUSD.

Well, let's pretend we're not a Service Provider then and take the full
feature set for less bucks.
:)

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From justin at justinshore.com Fri Jul 25 19:32:29 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 25 Jul 2008 18:32:29 -0500
Subject: [c-nsp] OT: Ethernet over DS3 or OC3 bridge
Message-ID: <488A628D.2020505@justinshore.com>

Does anyone have any suggestions for an Ethernet to DS3 or OC3 bridge? I
need multiple DS3 support for the longer term but a single DS3 would work.
I was looking at the Overture ISG 45 but it appears to only support a
single DS3.

http://www.overturenetworks.com/products/isg_45.htm

I couldn't find a DS3 bridge for RAD but I think the Optimux-155 is an
OC3 bridge.

Basically I need an inexpensive way to transport Ethernet over TDM links
for an Ethernet venture. Our transport provider can't do Ethernet at this
point in time and they've suggested DS3 in the meantime. DS3 interfaces
are very expensive for 7200s. I'm thinking a lower cost DS3 to Ethernet
bridge of some sort. Suggestions?

Thanks
Justin

From shane at castlepoint.net Fri Jul 25 22:09:39 2008
From: shane at castlepoint.net (Shane Amante)
Date: Fri, 25 Jul 2008 20:09:39 -0600
Subject: [c-nsp] OT: Ethernet over DS3 or OC3 bridge
In-Reply-To: <488A628D.2020505@justinshore.com>
References: <488A628D.2020505@justinshore.com>
Message-ID: <213905A7-5CA4-4AFF-AD81-5AE8E41A8873@castlepoint.net>

Justin,

On Jul 25, 2008, at 5:32 PM, Justin Shore wrote:
> Does anyone have any suggestions for an Ethernet to DS3 or OC3
> bridge? I need multiple DS3 support for the longer term but a
> single DS3 would work. I was looking at the Overture ISG 45 but it
> appears to only support a single DS3.
>
> http://www.overturenetworks.com/products/isg_45.htm
>
> I couldn't find a DS3 bridge for RAD but I think the Optimux-155 is
> an OC3 bridge.
>
> Basically I need an inexpensive way to transport Ethernet over TDM
> links for an Ethernet venture.
> Our transport provider can't do
> Ethernet at this point in time and they've suggested DS3 in the
> meantime. DS3 interfaces are very expensive for 7200s. I'm thinking a
> lower cost DS3 to Ethernet bridge of some sort. Suggestions?

If you want more DS3 ports, for N x DS3, perhaps an Overture ISG-2200 or
ISG-5000:

http://www.overturenetworks.com/products/isg_2200.htm
http://www.overturenetworks.com/products/isg_5000.htm

Both are "modular" chassis. The 2200 supports 1 "option slot" you can
install a 3-port DS3 card into to start with, then later pull it out and
insert a 1-port OC-3c into. The 5000 is a 4-slot chassis. Both chassis
work with the same modules.

-shane

From brian at meganet.net Fri Jul 25 21:55:18 2008
From: brian at meganet.net (Brian Wallingford)
Date: Fri, 25 Jul 2008 21:55:18 -0400 (EDT)
Subject: [c-nsp] OT: Ethernet over DS3 or OC3 bridge
In-Reply-To: <488A628D.2020505@justinshore.com>
References: <488A628D.2020505@justinshore.com>
Message-ID:

We've done very well with the Zhone (formerly Paradyne, formerly
Net-to-Net) DNE 4500-P-6. Handles 6 ds3/fastether flawlessly. They're
available on the used market at an excellent price point with enough
digging, but it doesn't appear on quick perusal that Zhone is still
producing them.

hth,
brian

On Fri, 25 Jul 2008, Justin Shore wrote:

:Does anyone have any suggestions for an Ethernet to DS3 or OC3 bridge? I
:need multiple DS3 support for the longer term but a single DS3 would
:work. I was looking at the Overture ISG 45 but it appears to only
:support a single DS3.
:
:http://www.overturenetworks.com/products/isg_45.htm
:
:I couldn't find a DS3 bridge for RAD but I think the Optimux-155 is an
:OC3 bridge.
:
:Basically I need an inexpensive way to transport Ethernet over TDM links
:for an Ethernet venture. Our transport provider can't do Ethernet at
:this point in time and they've suggested DS3 in the meantime. DS3
:interfaces are very expensive for 7200s.
:I'm thinking a lower cost DS3
:to Ethernet bridge of some sort. Suggestions?
:
:Thanks
: Justin

From lobo at allstream.net Sat Jul 26 00:43:48 2008
From: lobo at allstream.net (Jose)
Date: Sat, 26 Jul 2008 00:43:48 -0400
Subject: [c-nsp] Policing individual vlans on 3750
Message-ID: <488AAB84.3000308@allstream.net>

Hi everyone.

Ran into a little snag this afternoon when I needed to police layer 2
customers on a single port in a similar fashion to the way we do it on the
3550-24s. Normally we would create the aggregate policer, use a class map
that matches on vlan id and another one that matches any ip per
customer... we combine these under a single policy-map and apply it to the
interface.

When trying this similar process on the 3750, we noticed that we aren't
able to match on vlan:

copsw01(config)#class-map match-all ARPI3-IP-Trunk
copsw01(config-cmap)#match ?
  access-group     Access group
  input-interface  Select one or more input interfaces to match
  ip               IP specific values

So now we're left wondering how can we have a trunk port police individual
vlans if the option is not there to choose? BTW, the version of IOS we're
using is c3750-ipbasek9-mz.122-25.SEE2.

Thanks.

Jose

From skeeve at skeeve.org Sat Jul 26 02:02:01 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Sat, 26 Jul 2008 16:02:01 +1000
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
Message-ID:

Ok guys,

I have been trying to rate-limit a layer 2 vlan which passes through a
switch. I understand that it is done differently on a 3550 and a 3560, but
I need some examples as I am stumped in trying to make it happen, and all
efforts have seemed to have failed so far.

Thoughts? Any example of rate-limiting a vlan to like 3MB or something as
an example would be good.
--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From Reinhold.Fischer at gmx.net Sat Jul 26 02:21:46 2008
From: Reinhold.Fischer at gmx.net (Reinhold Fischer)
Date: Sat, 26 Jul 2008 08:21:46 +0200
Subject: [c-nsp] DFC module insert message?
In-Reply-To:
References:
Message-ID: <20080726062146.GA6028@susi>

On Fri, Jul 25, 2008 at 02:44:02PM -0400, Jeff Fitzwater wrote:
> I have a 6500 with sup-720 with PFC3CXL and I just inserted a new DFCXL
> 8-port 10G module which logged some strange messages but still came up
> and appears OK.
>
> Any ideas on these before I get in touch with cisco tech?
>
> These messages appeared just before initial module diags finished and
> module came online....
>
> 17:22:40.583 FW[Mod 12]: AR#0 WARNING: Cannot HALT Dic#0
> 17:22:40.591 FW[Mod 12]: ME_AR#0 WARNING: Cannot FLUSH Dic#0
> 17:22:40.631 FW[Mod 12]: AR#1 WARNING: Cannot HALT Dic#0
> 17:22:40.643 FW[Mod 12]: ME_AR#1 WARNING: Cannot FLUSH Dic#0
> 17:22:40.683 FW[Mod 12]: AR#0 WARNING: Cannot HALT Dic#1
> 17:22:40.691 FW[Mod 12]: ME_AR#0 WARNING: Cannot FLUSH Dic#1
> 17:22:40.735 FW[Mod 12]: AR#1 WARNING: Cannot HALT Dic#1
> 17:22:40.743 FW[Mod 12]: ME_AR#1 WARNING: Cannot FLUSH Dic#1
>

Jeff,

I have seen them also (WS-X6708-10G-3C, Sup720-PFC3B, IOS SXH2a) and asked
Cisco Advanced Services about it. The answer was that it is nothing to
worry about. It should be seen as a cosmetic issue, and there is an
internal bug-id to remove the message during module initialization in
future software releases.

reinhold

From skeeve at skeeve.org Sat Jul 26 03:07:02 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Sat, 26 Jul 2008 17:07:02 +1000
Subject: [c-nsp] Blocking Forged Source Addresses
Message-ID:

What is the best strategy to Block Forged Source Addresses on a Cisco
border router?
.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From lukasz at bromirski.net Sat Jul 26 03:49:05 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 26 Jul 2008 09:49:05 +0200
Subject: [c-nsp] Blocking Forged Source Addresses
In-Reply-To:
References:
Message-ID: <488AD6F1.1090304@bromirski.net>

Skeeve Stevens wrote:
> What is the best strategy to Block Forged Source Addresses on a Cisco border
> router?

It was just recently discussed. Use uRPF.

--
"Don't expect me to cry for all the     | Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From gert at greenie.muc.de Sat Jul 26 04:22:38 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 26 Jul 2008 10:22:38 +0200
Subject: [c-nsp] Maximizing Router capabilities
In-Reply-To: <20080725205042.GA16503@srv01.cluenet.de>
References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com>
	<876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com>
	<20080725205042.GA16503@srv01.cluenet.de>
Message-ID: <20080726082238.GJ1231@greenie.muc.de>

Hi,

On Fri, Jul 25, 2008 at 10:50:42PM +0200, Daniel Roesen wrote:
> On Mon, Jul 21, 2008 at 11:00:16AM -0500, Justin C. Darby wrote:
> > You should really shop by feature set. Advanced Enterprise IOS
> > licenses are expensive.
>
> Except on ASR1000, where the full-blown Advanced Enterprise image
> (positioned for "Enterprise users") is 10kUSD list, vs. the stripped-down
> Advanced IP image (positioned for "Service Providers") is 15kUSD.

Well, and for the AdvEnt image, you need more RAM and FLASH, which
amounts to 7kUSD, no?

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025            gert at net.informatik.tu-muenchen.de

From lobo at allstream.net Sat Jul 26 09:00:02 2008
From: lobo at allstream.net (Jose)
Date: Sat, 26 Jul 2008 09:00:02 -0400
Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)
Message-ID: <488B1FD2.7040405@allstream.net>

Hi everyone.

Ran into a little snag this afternoon when I needed to police layer 2
customers on a single port in a similar fashion to the way we do it on the
3550-24s. Normally we would create the aggregate policer, use a class map
that matches on vlan id and another one that matches any ip per
customer... we combine these under a single policy-map and apply it to the
interface.

When trying this similar process on the 3750, we noticed that we aren't
able to match on vlan:

copsw01(config)#class-map match-all ARPI3-IP-Trunk
copsw01(config-cmap)#match ?
  access-group     Access group
  input-interface  Select one or more input interfaces to match
  ip               IP specific values

So now we're left wondering how can we have a trunk port police individual
vlans if the option is not there to choose? BTW, the version of IOS we're
using is c3750-ipbasek9-mz.122-25.SEE2.

Thanks.
Jose

From mtinka at globaltransit.net Sat Jul 26 09:42:43 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 26 Jul 2008 21:42:43 +0800
Subject: [c-nsp] IS-IS: Ignore Attached Bit
In-Reply-To: <4B63426A1BCD43979AD91469CB7AD3B2@hojmark.net>
References: <200807180242.14631.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78405BBEAC0@xmb-ams-333.emea.cisco.com> <4B63426A1BCD43979AD91469CB7AD3B2@hojmark.net>
Message-ID: <200807262142.49131.mtinka@globaltransit.net>

On Thursday 24 July 2008 05:19:28 Asbjorn Hojmark - Lists wrote:
> > r(config)#router isis
> > r(config-router)#ignore-attached-bit
> > r(config-router)#
>
> When/why would you want to do that?

Just to add to what Shankar mentioned, in our particular case, we only use IS-IS to carry our infrastructure and Loopback addresses. ALL customer prefixes (either from their own blocks or assigned from ours) are maintained in iBGP. We hold full BGP tables on most of our edge routers. We don't run BGP in the core (core is based on MPLS forwarding), and the core are L1/L2 IS's strung together.

Ignoring the ATT bit ensures we do not send traffic to destinations BGP might not know about, only to drop it "higher up" in the network.

Moreover, since we use IS-IS only for infrastructure and Loopback address reachability, those routes are specifically carried within the network - so no need for a default route.

Cheers,

Mark.

From ibrahim.abozaid at gmail.com Sat Jul 26 11:05:49 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Sat, 26 Jul 2008 18:05:49 +0300
Subject: [c-nsp] Interface Queues
Message-ID:

Hi All

i am a bit confused between Interface queues that can be configured using tx-queue-limit and hold-queue , what is the difference between these queues ?

appreciate your replies .
best regards
--Ibrahim

From mksmith at adhost.com Sat Jul 26 13:17:08 2008
From: mksmith at adhost.com (Michael Smith)
Date: Sat, 26 Jul 2008 10:17:08 -0700
Subject: [c-nsp] OT: Ethernet over DS3 or OC3 bridge
In-Reply-To: <488A628D.2020505@justinshore.com>
Message-ID:

Hello Justin:

> From: Justin Shore
> Date: Fri, 25 Jul 2008 18:32:29 -0500
> To: 'Cisco-nsp'
> Subject: [c-nsp] OT: Ethernet over DS3 or OC3 bridge
>
> Does anyone have any suggestions for a Ethernet to DS3 or OC3 bridge? I
> need multiple DS3 support for the longer-term but a single DS3 would
> work. I was looking at the Overture ISG 45 but it appears to only
> support a single DS3.
>
> http://www.overturenetworks.com/products/isg_45.htm
>
> I couldn't find a DS3 bridge for RAD but I think the Optimux-155 is a
> OC3 bridge.
>
> Basically I need an inexpensive way to transport Ethernet over TDM links
> for an Ethernet venture. Our transport provider can't do Ethernet at
> this point in time and they've suggested DS3 in the mean time. DS3
> interfaces are very expensive for 7200s. I'm thinking a lower cost DS3
> to Ethernet bridge of some sort. Suggestions?
>
> Thanks
> Justin

I've had good success with http://www.ds3switch.com/. Also, I think the RAD box is
http://www.rad-direct.com/product-t3-converter-ric-t3.htm?utm_source=adwords&utm_campaign=converters&utm_medium=cpc&_kk=ds3%20to%20ethernet&_kt=ea8bc72d-c5b7-404d-8a21-b37947055693

Regards,

Mike

From mack at exchange.alphared.com Sat Jul 26 14:18:24 2008
From: mack at exchange.alphared.com (mack)
Date: Sat, 26 Jul 2008 13:18:24 -0500
Subject: [c-nsp] OER/DRIP specs protocol format
Message-ID: <6F2FFD7C10F788479E354B84294036C4259E5A88@EXCH-MBX.exchange.alphared.local>

Does anyone have a link to the protocol the Optimized Edge Routing uses to communicate? I am curious what the protocol is and what it does.
From the documentation it uses port 3949 which corresponds to something called "Dynamic Routing Information Protocol".
--
LR Mack McBride
Network Administrator
Alpha Red, Inc.

From dr at cluenet.de Sat Jul 26 14:47:09 2008
From: dr at cluenet.de (Daniel Roesen)
Date: Sat, 26 Jul 2008 20:47:09 +0200
Subject: [c-nsp] Maximizing Router capabilities
In-Reply-To: <20080726082238.GJ1231@greenie.muc.de>
References: <876789290807210801q121b977bm2511105660eecc4c@mail.gmail.com> <876789290807210850j40b8bcafv7d2fe9225bed5554@mail.gmail.com> <20080725205042.GA16503@srv01.cluenet.de> <20080726082238.GJ1231@greenie.muc.de>
Message-ID: <20080726184709.GB30036@srv01.cluenet.de>

On Sat, Jul 26, 2008 at 10:22:38AM +0200, Gert Doering wrote:
> > > You should really shop by feature set. Advanced Enterprise IOS
> > > licenses are expensive.
> >
> > Except on ASR1000, where the full-blown Advanced Enterprise image
> > (positioned for "Enterprise users") is 10kUSD list, vs. the stripped-down
> > Advanced IP image (positioned for "Service Providers") is 15kUSD.
>
> Well, and for the AdvEnt image, you need more RAM and FLASH, which amounts
> to 7kUSD, no?

The smallest ASR1K (1002) comes with 4GB RAM by default, the others (replaceable routing engines) do come with 2GB by default. I'm not aware of any special RAM upgrades required for AdvEnt. Upgrade from 2G to 4G is 2kUSD list btw.

Regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From dr at cluenet.de Sat Jul 26 14:53:43 2008
From: dr at cluenet.de (Daniel Roesen)
Date: Sat, 26 Jul 2008 20:53:43 +0200
Subject: [c-nsp] Funny bug?
In-Reply-To:
References:
Message-ID: <20080726185343.GC30036@srv01.cluenet.de>

On Tue, Jul 08, 2008 at 06:39:46AM -0700, Robert Beckett wrote:
> You actually have two bugs here:
>
> for the "Output queue :0/40"
> CSCdx72484 show interface has an inconsistent format in Output queue
> display
>
> for the "ouxtput"
> CSCdz44280 5 minute output/input rate does not display correctly on
> port-channel

Three bugs.

Last input never, output 00:00:00, output hang never
^^^^^^^^^^^^^^^^^
...
47049228 packets input, 390118490 bytes, 0 no buffer
^^^^^^^^^^^^^^^^^^^^^^

"never" and a value larger than 0 doesn't fit.

But we're used to counting problems nowadays, aren't we? :)

Best regards,
Daniel

--
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From gert at greenie.muc.de Sat Jul 26 15:26:20 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 26 Jul 2008 21:26:20 +0200
Subject: [c-nsp] Funny bug?
In-Reply-To: <20080726185343.GC30036@srv01.cluenet.de>
References: <20080726185343.GC30036@srv01.cluenet.de>
Message-ID: <20080726192620.GL1231@greenie.muc.de>

Hi,

On Sat, Jul 26, 2008 at 08:53:43PM +0200, Daniel Roesen wrote:
> But we're used to counting problems nowadays, aren't we? :)

I've actually given up trying to keep track of Cisco counter bugs... "Too many for a single brain to remember"

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From sshafi at gmail.com Sat Jul 26 16:44:27 2008
From: sshafi at gmail.com (Lala Lander)
Date: Sat, 26 Jul 2008 13:44:27 -0700
Subject: [c-nsp] OER/DRIP specs protocol format
In-Reply-To: <6F2FFD7C10F788479E354B84294036C4259E5A88@EXCH-MBX.exchange.alphared.local>
References: <6F2FFD7C10F788479E354B84294036C4259E5A88@EXCH-MBX.exchange.alphared.local>
Message-ID:

Please try here as there are couple of awesome white papers here on PfR.

www.cisco.com/go/srnd

On Sat, Jul 26, 2008 at 11:18 AM, mack wrote:
> Does anyone have a link to the protocol the Optimized Edge Routing uses to
> communicate?
> I am curious what the protocol is and what it does.
> From the documentation it uses port 3949 which corresponds to something
> called
> "Dynamic Routing Information Protocol".
>
> --
> LR Mack McBride
> Network Administrator
> Alpha Red, Inc.
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From avayner at cisco.com Sat Jul 26 17:25:47 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sat, 26 Jul 2008 23:25:47 +0200
Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)
In-Reply-To: <488B1FD2.7040405@allstream.net>
References: <488B1FD2.7040405@allstream.net>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A66385@xmb-ams-331.emea.cisco.com>

Jose,

Take a look at vlan-based QOS
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703760

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jose
Sent: Saturday, July 26, 2008 16:00 PM
To: Cisco
Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)

Hi everyone.

Ran into a little snag this afternoon when I needed to police layer 2 customers on a single port in a similar fashion to the way we do it on the 3550-24s.
Jose

From scott at labyrinth.org Sat Jul 26 23:40:25 2008
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sat, 26 Jul 2008 23:40:25 -0400
Subject: [c-nsp] NAC for Thin-Clients?
In-Reply-To: <18dba4e50807251025y46f7c692y1993bfc88649bf68@mail.gmail.com>
References: <18dba4e50807251025y46f7c692y1993bfc88649bf68@mail.gmail.com>
Message-ID: <81F470E9-F61E-4F0D-A3E2-989E062ACC81@labyrinth.org>

If it's a thinclient, isn't it running firmware or something else that you are probably not going to be able to load anything onto (the endpoint) component anyways? I would look into some sort of authentication to lock the ports down. If there's no real O/S on the client endpoint then there's little point in loading any kind of posture-checking... there won't be a posture to check.

Scott

On Jul 25, 2008, at 1:25 PM, Felix Nkansah wrote:
> Hi,
>
> An enterprise customer of mine is replacing all workstations/PCs in their
> network with thin-clients.
>
> They require a NAC-like solution, one that provides posture assessments and
> remediation for the thin-client users.
>
> AFAIK, Cisco's present NAC offering doesn't seem to fit into this requirement
> here (posture assessment for terminal services-like workstations). The
> required solution would have to assess the various user virtual systems for
> compliance (patches, viruses, etc) before allowing them to operate.
>
> Please let me know if you have deployed a posture assessment and remediation
> solution for this kind of scenario?
>
> Links would also be appreciated.
>
> Regards,
>
> Felix

From dhooper at emerge.net.au Sun Jul 27 04:33:04 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Sun, 27 Jul 2008 16:33:04 +0800
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
In-Reply-To:
References:
Message-ID:

This is for a 3550

!
! Inner class: the traffic to police inside each VLAN (default DSCP, i.e. unmarked traffic)
class-map match-all PORT_POLICER
  match ip dscp default
! Per-VLAN classes: on the 3550 "match vlan" has to be paired with a
! "match class-map" that points at the inner class
class-map match-all VLAN10_POLICER
  match vlan 10
  match class-map PORT_POLICER
class-map match-all VLAN20_POLICER
  match vlan 20
  match class-map PORT_POLICER
!
!
! police <rate-bps> <burst-bytes>: 10000 bps with a 64000-byte burst
policy-map TRUNK_POLICER
  class VLAN10_POLICER
    police 10000 64000 exceed-action drop
  class VLAN20_POLICER
    police 10000 64000 exceed-action drop
!

-Dan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Saturday, 26 July 2008 2:02 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Rate-limiting VLAN passing through a switch

Ok guys,

I have been trying to rate-limit a layer 2 vlan which passes through a switch.

I understand that it is done differently on a 3550 and a 3560, but I need some examples as I am stumped in trying to make it happen, and all efforts have seemed to have failed so far.

Thoughts?

Any example of rate-limiting a vlan to like 3MB or something as an example would be good.
--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
-- I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From skeeve at skeeve.org Sun Jul 27 07:22:20 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Sun, 27 Jul 2008 21:22:20 +1000
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
In-Reply-To:
References:
Message-ID:

Hey Daniel,

Is that rate-limiting them to 100k?

...Skeeve

-----Original Message-----
From: Daniel Hooper [mailto:dhooper at emerge.net.au]
Sent: Sunday, 27 July 2008 6:33 PM
To: skeeve at skeeve.org; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting VLAN passing through a switch

This is for a 3550
From avayner at cisco.com Sun Jul 27 07:31:13 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 27 Jul 2008 13:31:13 +0200
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A663CB@xmb-ams-331.emea.cisco.com>

Steeve,

For 3550:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.2_44_se/configuration/guide/swqos.html#wp1145280

For 3560:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703760

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Saturday, July 26, 2008 09:02 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
From avayner at cisco.com Sun Jul 27 07:32:01 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 27 Jul 2008 13:32:01 +0200
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A663CC@xmb-ams-331.emea.cisco.com>

Sorry, not Steeve, but Skeeve...

Arie

-----Original Message-----
From: Arie Vayner (avayner)
Sent: Sunday, July 27, 2008 14:31 PM
To: 'skeeve at skeeve.org'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting VLAN passing through a switch
From chris.garzon at gmail.com Sun Jul 27 11:07:15 2008
From: chris.garzon at gmail.com (Dracul)
Date: Sun, 27 Jul 2008 23:07:15 +0800
Subject: [c-nsp] Cisco WLC 4404 Snmp problems
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7037AF66A@LMC-MAIL2.exempla.org>
References: <876789290807231931r47ab91f5o29874c219734cfb7@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7037AF66A@LMC-MAIL2.exempla.org>
Message-ID: <876789290807270807j1f8b55d9w1243938a125e1604@mail.gmail.com>

Thanks for the suggestions guys. After several tests, I've found that when accessing it through the service port IP address, SNMP is okay. But management interface wouldn't let me through. Hmmm I guess the other interfaces block snmp or ssh or telnet.

On Thu, Jul 24, 2008 at 10:33 PM, Matlock, Kenneth L wrote:
> Do you also have the community 'public' added into the 'communities'
> section (Management: SNMP: Communities), and the IP (and netmask)
> reflect the IP you are doing the query from?
>
> Say for example you want to allow queries in 'public' from 192.168.1.50,
> you can add that in as
>
> IP: 192.168.1.50
> Netmask: 255.255.255.255
>
> And that will ONLY allow SNMP queries in community 'public' from that 1
> IP only.
>
> Adjust the IP and netmask to correspond to the netblock you are using
> for SNMP monitoring.
>
> Ken Matlock
> Network Analyst
> (303) 467-4671
> matlockk at exempla.org
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dracul
> Sent: Wednesday, July 23, 2008 8:32 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco WLC 4404 Snmp problems
>
> Hi list,
>
> Anyone encountered not able to get SNMP data from a Cisco WLC 4404? I got a
> no response when I do:
>
> [10:18:31 root at TEST1>~]# snmpwalk -v 2c 192.168.1.2 -c public
> Timeout: No Response from 192.168.1.2
>
> all snmp settings are activated via web config, all versions are enabled.
>
> When I did a similar query in one of my switches I get the response I need.
>
> [10:18:40 root at TEST1>~]# snmpwalk -v 2c 192.168.1.253 -c public
> SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C3560 Software
> (C3560-IPBASE-M), Version 12.2(25)SEE3, RELEASE SOFTWARE (fc2)
> Copyright (c) 1986-2007 by Cisco Systems, Inc.
> Compiled Thu 22-Feb-07 14:40 by myl
> SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.564
> DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (68954835) 7 days, 23:32:28.35
> SNMPv2-MIB::sysContact.0 = STRING:
> SNMPv2-MIB::sysName.0 = STRING: Switch
> SNMPv2-MIB::sysLocation.0 = STRING:
> SNMPv2-MIB::sysServices.0 = INTEGER: 6
> SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
> IF-MIB::ifNumber.0 = INTEGER: 55
> IF-MIB::ifIndex.1 = INTEGER: 1
> IF-MIB::ifIndex.5 = INTEGER: 5
> IF-MIB::ifIndex.10001 = INTEGER: 10001
>
> ----> SNIP <-------------
>
> Any ideas?
>
> regards,
> Chris

--
=== Support www.gawadkalinga.org

From dcp at dcptech.com Sun Jul 27 11:22:32 2008
From: dcp at dcptech.com (David Prall)
Date: Sun, 27 Jul 2008 11:22:32 -0400
Subject: [c-nsp] nvram writing config issue
In-Reply-To: <4889C8FC.4050502@bytemark.co.uk>
References: <4889C8FC.4050502@bytemark.co.uk>
Message-ID: <00ae01c8effc$9a7ab830$1bfe200a@cisco.com>

That dir nvram: will tell you how much nvram you actually have, I believe 64K. sh run should display how large the configuration is. "service compress-config" will compress the config so that it fits in the limited nvram you have, but boot times will be slowed since the config must be decompressed at startup.

My 3560 is using 30K for config, but it is a very basic config. And primarily routed interfaces. I also have 512K of nvram.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Alex Howells
> Sent: Friday, July 25, 2008 8:37 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] nvram writing config issue
>
> Not seen this one before, thought I'd ask the oracles what the fix is?
>
> Directory of nvram:/
>
>    28  -rw-       31882                    startup-config
>    29  ----        3647                    private-config
>     1  ----          12                    persistent-data
>
> switch#write mem
> Building configuration...
>
> % Warning: Saving this config to nvram may corrupt any network
> management or security files stored at the end of nvram.
> Continue? [no]:
>
> If you don't save the config --
>
> % Configuration buffer full, can't add command: interface
> FastEthernet0/37
> %Aborting Save.
> Compress the config.[OK]
>
> If you do save the config --
>
> Jul 25 13:35:39.242 BST: %SYS-4-CONFIG_NV_OVERRUN: Non config data
> present at the end of nvram is corrupted
>
> Switch is a WS-C2960-48TT-L running 12.2(25)SEE4.
>
> Thanks,
> Alex

From alex at bytemark.co.uk Sun Jul 27 11:43:56 2008
From: alex at bytemark.co.uk (Alex Howells)
Date: Sun, 27 Jul 2008 16:43:56 +0100
Subject: [c-nsp] nvram writing config issue
In-Reply-To: <00ae01c8effc$9a7ab830$1bfe200a@cisco.com>
References: <4889C8FC.4050502@bytemark.co.uk> <00ae01c8effc$9a7ab830$1bfe200a@cisco.com>
Message-ID: <488C97BC.9090505@bytemark.co.uk>

David Prall wrote:
> That dir nvram: will tell you how much nvram you actually have, I believe
> 64K. sh run should display how large the configuration is. "service
> compress-config" will compress the config so that it fits in the limited
> nvram you have, but boot times will be slowed since the config must be
> decompressed at startup.

Doesn't look like my 2960 will do service compress-config. Shall have to configure it to boot using config on flash :)

Thanks for the pointers though everyone.

From kgraham at industrial-marshmallow.com Sun Jul 27 14:15:50 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Sun, 27 Jul 2008 11:15:50 -0700 (PDT)
Subject: [c-nsp] nvram writing config issue
Message-ID: <285308.67357.qm@web901.biz.mail.mud.yahoo.com>

> Doesn't look like my 2960 will do service compress-config. Shall have to
> configure it to boot using config on flash :)

For simulated-nvram platforms, you can't compress the config, though "boot buffersize" will allow you to increase the size. You'll need to get your config back down below 64k, save it, increase boot buffersize, reboot, and then you're good to configure away...
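The two failure modes in this thread are worth catching before typing "write mem" rather than after: "% Configuration buffer full" means the running config no longer fits the configuration buffer and the save is aborted, while a forced save that overruns into the "network management or security files stored at the end of nvram" produces CONFIG_NV_OVERRUN and can trash private-config, which is where IOS keeps the material it deliberately leaves out of "show run" (RSA keys among them). The pre-flight check below is an added example written for this page, not code from the thread or from Cisco: it parses a "dir nvram:" listing, measures the running config the way "show run" reports it, and flags both problems. The listing and the synthetic config are constructed; the trailing "bytes total (bytes free)" line follows the usual IOS format but is assumed here, and the 64 KiB default buffer is taken from the thread, not from a vendor figure.

```python
"""Pre-flight check for 'write mem' on a switch with simulated NVRAM.

Added example (not from the thread).  Parses a 'dir nvram:' listing and
measures a running config so that '% Configuration buffer full' and
%SYS-4-CONFIG_NV_OVERRUN can be predicted instead of discovered.
"""
import re

# Constructed listing modelled on the one in the thread; the total/free
# line is the usual IOS format but is an assumption here.
DIR_NVRAM_SAMPLE = """\
Directory of nvram:/

   28  -rw-       31882                    <no date>  startup-config
   29  ----        3647                    <no date>  private-config
    1  ----          12                    <no date>  persistent-data

65536 bytes total (29995 bytes free)
"""

# index, permission flags, size, ..., name (name is the last token)
DIR_LINE = re.compile(r"^\s*\d+\s+\S{4}\s+(\d+)\s.*\s(\S+)\s*$")
TOTAL_LINE = re.compile(r"(\d+) bytes total \((\d+) bytes free\)")


def parse_dir_nvram(text):
    """Return ({name: size}, total_bytes, free_bytes) from 'dir nvram:' output."""
    files, total, free = {}, None, None
    for line in text.splitlines():
        m = TOTAL_LINE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
            continue
        m = DIR_LINE.match(line)
        if m:
            files[m.group(2)] = int(m.group(1))
    return files, total, free


def measure_running_config(config_text):
    """Size in bytes, which is what 'show run' reports in its first line."""
    return len(config_text.encode("utf-8"))


def plan_write_mem(dir_output, running_config, buffersize=65536):
    """Decide whether 'write mem' is safe; returns numbers plus a list of warnings.

    Check 1: config must fit the configuration buffer ('boot buffersize'),
             or IOS aborts with '% Configuration buffer full'.
    Check 2: config must fit the NVRAM not used by the non-config files
             (private-config, persistent-data), or the save overwrites
             them and logs CONFIG_NV_OVERRUN.
    """
    files, total, free = parse_dir_nvram(dir_output)
    need = measure_running_config(running_config)
    non_config = sum(s for n, s in files.items() if n != "startup-config")
    room = (total - non_config) if total is not None else None

    warnings = []
    if need > buffersize:
        warnings.append(f"config {need} B exceeds configuration buffer {buffersize} B: "
                        "expect '% Configuration buffer full'; raise 'boot buffersize' and reload")
    if room is not None and need > room:
        warnings.append(f"config {need} B exceeds NVRAM left after non-config files ({room} B): "
                        "saving would overwrite private-config (CONFIG_NV_OVERRUN)")
    return {"config_bytes": need, "buffersize": buffersize, "nvram_total": total,
            "nvram_free": free, "non_config_bytes": non_config,
            "room_for_config": room, "safe": not warnings, "warnings": warnings}


def synthetic_config(n_interfaces):
    """Constructed running config with n access-port stanzas, to model growth."""
    stanza = ("interface FastEthernet0/{i}\n"
              " description customer port\n"
              " switchport access vlan 100\n"
              " switchport mode access\n"
              " spanning-tree portfast\n"
              "!\n")
    body = "".join(stanza.format(i=i) for i in range(1, n_interfaces + 1))
    return "version 12.2\nhostname switch\n!\n" + body + "end\n"


if __name__ == "__main__":
    # A 32 KiB buffer is assumed for the demo to show the failure case.
    for ports in (48, 400):
        r = plan_write_mem(DIR_NVRAM_SAMPLE, synthetic_config(ports), buffersize=32768)
        print(f"{ports} ports, {r['config_bytes']} B:", "safe" if r["safe"] else r["warnings"])
```

Feed it the real "dir nvram:" output and "show run" text from the switch; the "room_for_config" figure is the number to compare against before deciding whether trimming the config or raising "boot buffersize" (and reloading) is the fix.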
From alex at bytemark.co.uk Sun Jul 27 14:19:16 2008
From: alex at bytemark.co.uk (Alex Howells)
Date: Sun, 27 Jul 2008 19:19:16 +0100
Subject: [c-nsp] nvram writing config issue
In-Reply-To: <285308.67357.qm@web901.biz.mail.mud.yahoo.com>
References: <285308.67357.qm@web901.biz.mail.mud.yahoo.com>
Message-ID: <488CBC24.1070407@bytemark.co.uk>

Kevin Graham wrote:
>> Doesn't look like my 2960 will do service compress-config. Shall have to
>> configure it to boot using config on flash :)
>
> For simulated-nvram platforms, you can't compress the config, though "boot
> buffersize" will allow you to increase the size. You'll need to get your
> config back down below 64k, save it, increase boot buffersize, reboot, and
> then you're good to configure away...

Presumably there's no way to increase it without a reload?

From rodunn at cisco.com Sun Jul 27 14:49:19 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Sun, 27 Jul 2008 14:49:19 -0400
Subject: [c-nsp] Interface Queues
In-Reply-To:
References:
Message-ID: <20080727184919.GC16786@rtp-cse-489.cisco.com>

On what platform?

On Sat, Jul 26, 2008 at 06:05:49PM +0300, Ibrahim Abo Zaid wrote:
> Hi All
>
> i am a bit confused between Interface queues that can be configured using
> tx-queue-limit and hold-queue , what is the difference between these queues
> ?
>
>
> appreciate your replies .
>
> best regards
> --Ibrahim

From paul at paulstewart.org Sun Jul 27 17:30:48 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 27 Jul 2008 17:30:48 -0400
Subject: [c-nsp] System Controller Errors - Sup720
Message-ID: <000b01c8f030$0a702fc0$1f508f40$@org>

Hi there.
About once every 3-5 days we get this in our logs:

Jul 27 03:34:26: %SYSTEM_CONTROLLER-SP-STDBY-3-ERROR: Error condition detected: TM_DATA_PARITY_ERROR
Jul 27 03:34:26: %SYSTEM_CONTROLLER-SP-STDBY-3-EXCESSIVE_RESET: System Controller is getting reset so frequently

Cisco 7606, Sup720/MSFC3 - Cisco.com not much help on this topic and Google searches indicate "if it only happens once in a while don't worry". But what causes this error and should I really be alarmed?

Thanks,

Paul

From rubensk at gmail.com Sun Jul 27 23:09:27 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 28 Jul 2008 00:09:27 -0300
Subject: [c-nsp] 7603-S
Message-ID: <6bb5f5b10807272009le65c4ecufb341ff83ceea4b@mail.gmail.com>

Hi.

CCO datasheets weren't helpful where a 7603-S can or cannot
- Be ordered with Advanced IP Services IOS
- Be ordered with AC power
- Be ordered with a XL sup (either SUP720-3BXL or RSP720-3CXL)

(Product Configurator access has been cut off for our CCO account, so we couldn't otherwise validate the claims of our sales rep. that 7603-S cannot have Adv. IP Services or AC power)

Rubens

From felixnkansah at gmail.com Sun Jul 27 23:17:14 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Mon, 28 Jul 2008 03:17:14 +0000
Subject: [c-nsp] NAC for Thin-Clients?
In-Reply-To: <81F470E9-F61E-4F0D-A3E2-989E062ACC81@labyrinth.org>
References: <18dba4e50807251025y46f7c692y1993bfc88649bf68@mail.gmail.com> <81F470E9-F61E-4F0D-A3E2-989E062ACC81@labyrinth.org>
Message-ID: <18dba4e50807272017j6479ffd2q90db72e98bbcab85@mail.gmail.com>

Hi Scott,

Thanks for your reply.

As a matter of fact, I am not referring to loading any agent or application at the hardware client side. The thin clients would work like terminals to actual user virtual systems - operating system, applications, etc. What that means is that users' OS would have to be periodically patched, antivirus updated, running applications approved, etc. All these and many more contained within each user's virtual space.
The customer wants posture assessment of the user virtual systems (though located on a central thin-client server) and not the thin client hardware themselves.

It is possible for one user to have viruses on his virtual PC because of not updating his antivirus signatures or patches or etc. My client wants a solution that would assess each user's virtual system and restrict network access if it should be found to be non-compliant. Note that a user may access his system from any thin-client.

I want to believe that this makes my requirements clearer. Perhaps you could suggest a solution or technology for me.

Thanks,

Felix

From dhooper at emerge.net.au Sun Jul 27 23:25:24 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Mon, 28 Jul 2008 11:25:24 +0800
Subject: [c-nsp] Rate-limiting VLAN passing through a switch
In-Reply-To:
References:
Message-ID:

Hi Skeeve,

mthunt.kal#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
mthunt.kal(config)#policy-map VLAN_POLICER
mthunt.kal(config-pmap)#class VLAN2_POLICER
mthunt.kal(config-pmap-c)#police ?
  <8000-1000000000>  Bits per second
  aggregate          Choose aggregate policer for current class

The example I used is only 10 kilobits a second. For a 3mbit pipe you'd configure the policer to 3000000.

Best of luck, I tore my hair out for a while with the policers on the 3550, I haven't even looked on the 3560's how to go about this, something about srr-queue springs to mind for that platform.

VLAN Policers are very quirky with the 3550, as you can see I have 2 class-map's configured per VLAN, this is required and it won't let you apply the service-policy to the interface until you get it right.

-Dan

-----Original Message-----
From: Skeeve Stevens [mailto:skeeve at skeeve.org]
Sent: Sunday, 27 July 2008 7:22 PM
To: Daniel Hooper; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting VLAN passing through a switch

Hey Daniel,

Is that rate-limiting them to 100k?
...Skeeve

-----Original Message-----
From: Daniel Hooper [mailto:dhooper at emerge.net.au]
Sent: Sunday, 27 July 2008 6:33 PM
To: skeeve at skeeve.org; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Rate-limiting VLAN passing through a switch

This is for a 3550
--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From dcp at dcptech.com Sun Jul 27 23:38:34 2008
From: dcp at dcptech.com (David Prall)
Date: Sun, 27 Jul 2008 23:38:34 -0400
Subject: [c-nsp] 7603-S
In-Reply-To: <6bb5f5b10807272009le65c4ecufb341ff83ceea4b@mail.gmail.com>
References: <6bb5f5b10807272009le65c4ecufb341ff83ceea4b@mail.gmail.com>
Message-ID: <015301c8f063$6c9790c0$1bfe200a@cisco.com>

Rubens,

There are bundles for the XL sups, both Single and Redundant. Advanced IP
Services can be ordered, as can Advanced Enterprise. The only power option
is DC though.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> Rubens Kuhl Jr.
> Sent: Sunday, July 27, 2008 11:09 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 7603-S
>
> Hi.
>
> CCO datasheets weren't helpful on whether a 7603-S can or cannot
> - Be ordered with Advanced IP Services IOS
> - Be ordered with AC power
> - Be ordered with an XL sup (either SUP720-3BXL or RSP720-3CXL)
>
> (Product Configurator access has been cut off for our CCO account, so
> we couldn't otherwise validate the claims of our sales rep. that
> 7603-S cannot have Adv.
> IP Services or AC power)
>
>
> Rubens

From vikassharmas at gmail.com Mon Jul 28 00:59:15 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 28 Jul 2008 10:29:15 +0530
Subject: [c-nsp] mpls option A with LAC and LNS

Hi,

Need help to resolve the below situation. The scenario of LAC / LNS and
MPLS option A:

In case the customer belonging to the ISP dials and latches in the same ISP
(i.e. using ISP infrastructure), I can authenticate (since they will latch
on the LNS, a RADIUS client) using RADIUS, and RADIUS will return certain
attributes including VRF / pool name etc., and then the customer will go to
its own VRF and to its own network.

But in my case, customers come from another ISP's domain (dialing and coming
in on their LAC) and we are using back-to-back VRF to connect LAC and LNS.
Now the problem is how to authenticate the users and return VRF and IP pool
name from RADIUS, as the LNS cannot act as a RADIUS client now. The only
option I can see is to forward the traffic to a firewall, which can act as a
RADIUS client and query the RADIUS server; the RADIUS server can in turn
return the VLAN, which can be mapped to the respective VRF.

If anyone has done it before, please let me know.

Regards,
Vikas Sharma

From abalashov at evaristesys.com Mon Jul 28 01:35:37 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Mon, 28 Jul 2008 01:35:37 -0400
Subject: [c-nsp] OT: Different accounting queries for particular NASs in FreeRADIUS.
Message-ID: <488D5AA9.5010102@evaristesys.com>

Greetings,

Sorry if this is a little off-topic, but I figured I'd try.

I have several different types of Cisco devices logging accounting records
to a FreeRADIUS server, which in turn logs them to an MS SQL backend.
The problem is that the devices all use slightly different dictionaries and
provide various attributes, but right now I have a global set of
accounting-related SQL queries in mssql.conf.

I was wondering if there is an easy, straightforward way to bind particular
accounting configuration stanzas to particular NASs or types of NASs.

Cheers,

-- Alex

--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599

From oboehmer at cisco.com Mon Jul 28 01:58:59 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 28 Jul 2008 07:58:59 +0200
Subject: [c-nsp] mpls option A with LAC and LNS
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com>

Vikas Sharma <> wrote on Monday, July 28, 2008 6:59 AM:
> [quoted text omitted; the message is above in full]
You can use VRF-aware RADIUS to send the RADIUS requests within the VRF
(which, I think, solves your problem, but I'm not sure I entirely
understood your topology):

aaa authentication ppp VRFCUST group VRFGROUP
aaa authorization network VRFCUST group VRFGROUP
aaa accounting network VRFCUST group VRFGROUP
!
aaa group server radius VRFGROUP
 server-private x.x.x.x key zzzzz
 ip radius source-interface ...
 ip vrf forwarding 
!
int virtual-template1
 ppp authentication chap pap VRFCUST
 ppp authorization VRFCUST
 ppp accounting VRFCUST

However: the L2TP packets also arrive within a VRF, so you need to use
VRF-aware VPDN as well (specify "vpn vrf " in your vpdn-group).

hope this helps..

oli

From vikassharmas at gmail.com Mon Jul 28 02:23:37 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 28 Jul 2008 11:53:37 +0530
Subject: [c-nsp] mpls option A with LAC and LNS
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com>

Hi Oli,

Thanks for the prompt response. I think I need to slightly modify this.

Though I have used the terms LAC and LNS, I am not using L2TP to get the
data from the other operator. I am using Inter-AS option A, back-to-back
VRF. The issue I can see is that once the data is at my ASBR, it will not
have any control plane information (as the other operator has already put it
into the respective VRF). In that case I will not be able to use my RADIUS
to authenticate the user. In summary, my RADIUS will not be used at all.

Regards,
Vikas Sharma

On 7/28/08, Oliver Boehmer (oboehmer) wrote:
> [quoted text omitted; the message is above in full]
From oboehmer at cisco.com Mon Jul 28 03:29:24 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 28 Jul 2008 09:29:24 +0200
Subject: [c-nsp] mpls option A with LAC and LNS
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com>

Ah, ok.. may I ask why you would want to authenticate the "users"?
And against which user database?
Which service(s) do you provide for the other operator? More than just
traffic?

oli

Vikas Sharma wrote on Monday, July 28, 2008 8:24 AM:
> [quoted text omitted; the message is above in full]
From stig.johansen at ementor.no Mon Jul 28 04:21:17 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 28 Jul 2008 10:21:17 +0200
Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)
References: <488B1FD2.7040405@allstream.net>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B86@100NOOSLMSG004.common.alpharoot.net>

Hi there,

Just remember that the 3750 non-metro platform has several limitations,
especially for egress QoS, which I would think you would be interested in
using.

The short story is: the 3750 platform does only queueing and scheduling on
egress interfaces. Any policing or prioritization you want to be done on an
egress interface would have to be done by manipulating CoS/DSCP values and
configuring the output queues accordingly.

For inbound QoS in your case, you'll have to enable VLAN-based QoS as
suggested by Arie. Follow this link:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703591

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jose
Sent: 26 July 2008 15:00
To: Cisco
Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)

Hi everyone.

Ran into a little snag this afternoon when I needed to police layer 2
customers on a single port in a similar fashion to the way we do it on the
3550-24s. Normally we would create the aggregate policer, use a class map
that matches on VLAN id and another one that matches any ip per
customer... we combine these under a single policy-map and apply it to the
interface.

When trying this similar process on the 3750, we noticed that we aren't
able to match on vlan:

copsw01(config)#class-map match-all ARPI3-IP-Trunk
copsw01(config-cmap)#match ?
  access-group     Access group
  input-interface  Select one or more input interfaces to match
  ip               IP specific values

So now we're left wondering how we can have a trunk port police individual
VLANs if the option is not there to choose? BTW, the version of IOS we're
using is c3750-ipbasek9-mz.122-25.SEE2.

Thanks.
Jose

From vikassharmas at gmail.com Mon Jul 28 04:25:45 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 28 Jul 2008 13:55:45 +0530
Subject: [c-nsp] mpls option A with LAC and LNS
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com>

Hi Oli,

Authentication is required to keep users in their respective VRFs. These
attributes will all come from RADIUS. We are getting services from the
other operator. Users are using their infrastructure and coming into my
network.

We provide MPLS VPN / internet services to the customer.

Regards,
Vikas Sharma

On 7/28/08, Oliver Boehmer (oboehmer) wrote:
> [quoted text omitted; the message is above in full]
From p.mayers at imperial.ac.uk Mon Jul 28 04:27:41 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 28 Jul 2008 09:27:41 +0100
Subject: [c-nsp] NAC for Thin-Clients?
In-Reply-To: <18dba4e50807272017j6479ffd2q90db72e98bbcab85@mail.gmail.com>
References: <18dba4e50807251025y46f7c692y1993bfc88649bf68@mail.gmail.com> <81F470E9-F61E-4F0D-A3E2-989E062ACC81@labyrinth.org> <18dba4e50807272017j6479ffd2q90db72e98bbcab85@mail.gmail.com>
Message-ID: <20080728082741.GB16443@wildfire.net.ic.ac.uk>

>
> The customer wants posture assessment of the user virtual systems (though
> located on a central thin-client server) and not the thin client hardware
> themselves. It is possible for one user to have viruses on his virtual PC
> because of not updating his antivirus signatures or patches or etc.
>
> My client wants a solution that would assess each user's virtual system and
> restrict network access if it should be found to be non-compliant.
> Note that a user may access his system from any thin-client.
>
> I want to believe that this makes my requirements clearer. Perhaps you
> could suggest a solution or technology for me.

Hmm. Obviously you can't do port-based NAC because the switch ports will
be shared by >1 system, possibly very many?

Cisco support EAP over UDP, which allows you to do 802.1x (and thus NAC)
through non-802.1x switches to a supporting router. You'd need the Cisco
NAC client I suspect, and it's non-standard so it might be a bit of a
lock-in.

What virtualisation technology are the user systems on? It might be
possible to instruct the hypervisor to move a virtual system off the
"normal" virtual switch/bridge to a "banned" one, and implement this by
extracting last-seen times from Windows Update / AV console logs (we do
this with non-virtual systems).

>
> Thanks,
>
> Felix

From oboehmer at cisco.com Mon Jul 28 04:33:46 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 28 Jul 2008 10:33:46 +0200
Subject: [c-nsp] mpls option A with LAC and LNS
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8D60@xmb-ams-333.emea.cisco.com>

Well. I guess the easiest method is to have the operator forward you the
sessions via L2TP to your LNS so you can terminate and authenticate them,
using the method I indicated in my initial reply.

I don't know ISG well enough to advise, but
http://www.cisco.com/en/US/docs/ios/12_2sb/isg/configuration/guide/isb_ip.html
shows how this can be used to handle "IP sessions". Maybe someone else
will be able to comment further.
oli

Vikas Sharma wrote on Monday, July 28, 2008 10:26 AM:
> [quoted text omitted; the message is above in full]
From CB at nianet.dk Mon Jul 28 04:40:21 2008
From: CB at nianet.dk (Christian Bering)
Date: Mon, 28 Jul 2008 10:40:21 +0200
Subject: [c-nsp] Output drops on same ASIC on ME3400 and Cat2970

Hi all,

I have a couple of switches that show the same amount of output drops on
four consecutive ports.

On an ME3400 I am seeing the same amount of output drops (45,949 discards
so far today) on ports gig0/9 through gig0/12.

On a Cat2970 I am seeing the same amount of output drops (167,699 discards
so far today) on ports gig0/1 through gig0/4.
These two switches have a trunk port between them on gig0/11 on the ME3400
and gig0/3 on the Cat2970.

I find this odd enough in itself, but what makes it even odder is that the
(in total 8) ports are configured very differently. Some are VLAN trunks,
some are access ports, and one port is even a dot1q-tunnel. The drops do
not seem to be related to traffic levels; some of the ports are at less
than 1 kbps utilised.

As far as I understand the architecture of both platforms, ports are grouped
together in 4 on each ASIC. What could possibly explain why four ports on
the same ASIC show the same amount of output drops?

I can add that I saw the same behaviour on a Cat3560 last week (again four
ports on the same ASIC showing the same amount of drops) but after removing
UDLD from one of the ports (copper), the drops stopped. On the ME3400 and
the Cat2970, UDLD is not running on the ports in question.

Thanks in advance,

--
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730

From stig.johansen at ementor.no Mon Jul 28 04:48:27 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Mon, 28 Jul 2008 10:48:27 +0200
Subject: [c-nsp] mpls option A with LAC and LNS
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B87@100NOOSLMSG004.common.alpharoot.net>

Hi there,

You should separate the customers in the LAC at your service provider,
either in different VRFs or at least in different IP subnets. The best
would be if you could get the provider to use *your* RADIUS server for
authenticating. They could do a proxy, stripping unwanted parameters and
adding their internal parameters at their end. This way you could control
which IP subnet the different users (your customers) get and do some
VRF selection based on source addresses at your "LNS".
Since the PPP connection is terminated in the LAC at the service provider,
you won't be able to do any re-negotiating as in a LAC/LNS L2TP setup. The
alternative would then be to do a user authentication in a firewall, but I
believe this would be a negative impact for the users.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma
Sent: 28 July 2008 10:26
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] mpls option A with LAC and LNS

[quoted text omitted; the message is above in full]
From david.freedman at uk.clara.net Mon Jul 28 05:56:18 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 28 Jul 2008 10:56:18 +0100
Subject: [c-nsp] mpls option A with LAC and LNS
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B87@100NOOSLMSG004.common.alpharoot.net>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com> <13A13E9CF0F76342A79031B9E558C0C5187B87@100NOOSLMSG004.common.alpharoot.net>

If you are really desperate there is "VRF source selection"

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/vrfselec.html

But this is rather insecure as it uses the IP address to decide which VRF
to use; users can spoof IPs and inject traffic into another VRF unless the
access provider is doing uRPF when the users are terminated.

Another solution may be to create a tunnel from the user's CPE to your kit
and drop the tunnel into a VRF at your headend. You can, for example, use
client-initiated L2TP + RADIUS
(http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gtvoltun.html)
or just plain old GRE (with appropriate security).

The tunneling solutions will of course reduce your clients' payload size
and hence throughput will be affected.

Dave.

Stig Johansen wrote:
> [quoted text omitted; the message is above in full]
>>> >>> Regards, >>> Vikas Sharma >>> >>> >>> On 7/28/08, Oliver Boehmer (oboehmer) wrote: >>> >>> Vikas Sharma <> wrote on Monday, July 28, 2008 6:59 AM: >>> >>> > Hi, >>> > >>> > Need help to resolve the below situation. The scenario of > LAC >> / LNS >>> > and mpls option A - >>> > >>> > In case, the customer belong to the ISP dials and latch in > the >> same >>> > ISP (i.e. using ISP infrastructure), I can authenticate > (since >> they >>> > will latch on LNS, a radius client), using radius and radius >> will >>> > return certain attribute including vrf / pool name etc. and >> then >>> > customer will go to it's own vrf and to it's own network. >>> > >>> > But in my case, customers come from other ISP domain > (dialing >> and >>> > coming on their lac) and we are using back to back vrf to >> connect >>> LAC > and LNS. Now the problem is, how to authenticate the > users >> and >>> return > vrf and ip pool name from the radius as LNS can not > act >> as >>> radius > client now. The only option I can see is to forward > the >>> fraffic to > firewall, which can act as radius client and > query >> to >>> radius server, > radius server can inturn return the vlan > which >> can >>> be mapped to > respective vrf. >>> >>> you can use vrf-aware Radius to send Radius the radius > requests >>> within the VRF (which, I think, solves your problem, but I'm > not >>> sure I entirely understood your topology): >>> >>> aaa authentication ppp VRFCUST group VRFGROUP >>> aaa authorization network VRFCUST group VRFGROUP >>> aaa accounting network VRFCUST group VRFGROUP >>> ! >>> aaa group server radius VRFGROUP >>> server-private x.x.x.x key zzzzz >>> ip radius source-interface ... >>> ip vrf forwarding >>> ! 
>>> int virtual-template1 >>> ppp authentication chap pap VRFCUST >>> ppp authorization VRFCUST >>> ppp accounting VRFCUST >>> >>> However: The L2TP packets also arrive within a VRF, so you > need >> to >>> use vrf-aware vpdn as well (specifiy "vpn vrf " in your >>> vpdn-group). >>> >>> hope this helps.. >>> >>> oli > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From vikassharmas at gmail.com Mon Jul 28 05:44:56 2008 From: vikassharmas at gmail.com (Vikas Sharma) Date: Mon, 28 Jul 2008 15:14:56 +0530 Subject: [c-nsp] mpls option A with LAC and LNS In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B87@100NOOSLMSG004.common.alpharoot.net> References: <70B7A1CCBFA5C649BD562B6D9F7ED78405C615A1@xmb-ams-333.emea.cisco.com> <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8CD5@xmb-ams-333.emea.cisco.com> <13A13E9CF0F76342A79031B9E558C0C5187B87@100NOOSLMSG004.common.alpharoot.net> Message-ID: Hi Oli / Stig, Thanks for the reply. Oli - Let me see if I can use ISG.. Stig - Here "user-authentication in a firewall" the issue is I do not have control plane information, I just have IP subnet and VRF. On that basis my authentication will not work. Even I thought of creating vrf's on the operator ASBR, but the issue is I have to create so many e-bgp session based on every customer, my router will be down :) Regards, Vikas Sharma On 7/28/08, Stig Johansen wrote: > > Hi there, > > You should separate the customers in the LAC at your service provider. > Either in different VRF's or at least in different IP-subnets. The best > would be if you could get the provider to use *your* RADIUS-server for > authenticating. 
They could do a proxy and stripping unwanted > parameters/adding their internal parameters at their end. This way you > could control which IP-subnet the different users (your customers) get > and do some VRF-selection based on source-addresses at your "LNS". > > Since the PPP-connection is terminated in the LAC at the > service-provider, you won't be able to do any re-negotiating as in a > LAC/LNS L2TP-setup. The alternative would then be to do a > > vsharma6 at nms4:~$ telnet mas1.zrh > mas1.zrh: node name or service name not known > vsharma6 at nms4:~$ telnet MAS1.ZRH > MAS1.ZRH: node name or service name not known > but I belive this would be a negative > impact for the users. > > Best regards, > Stig Meireles Johansen > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vikas Sharma > Sent: 28. juli 2008 10:26 > To: Oliver Boehmer (oboehmer) > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] mpls option A with LAC and LNS > > Hi Oli, > > Authentication is required to keep users in their respective VRFs. These > all > attributes will come from Radius. We are getting services from other > operator. User are using their infracture and coming in to my network. > > We provide mpls vpn / internet services to the customer. > > Regards, > Vikas Sharma > > > On 7/28/08, Oliver Boehmer (oboehmer) wrote: > > > > Ah, ok.. may I ask why you would want to authenticate the "users"? And > > against which user database? > > Which service(s) do you provide for the other operator? More than just > > traffic? > > > > oli > > > > Vikas Sharma wrote on Monday, July 28, > > 2008 8:24 AM: > > > > > Hi Oli, > > > > > > Thanks for the prompt responce. I think I need to slightly modify > > > this. > > > > > > Though I have used the term LAC and LNS, I am not using L2TP to get > > > the data from the other operator. I am using Inter-AS option A, back > > > to back vrf. 
The issue I can see once the data is at my ASBR, it > will > > > not have any control plane information (as other operator has > already > > > put it in to the respective vrf). In that case I will not be able to > > > use my radius to authenticate the user. In summary, my radius will > > > not be used at all. > > > > > > Regards, > > > Vikas Sharma > > > > > > > > > On 7/28/08, Oliver Boehmer (oboehmer) wrote: > > > > > > Vikas Sharma <> wrote on Monday, July 28, 2008 6:59 AM: > > > > > > > Hi, > > > > > > > > Need help to resolve the below situation. The scenario of > LAC > > / LNS > > > > and mpls option A - > > > > > > > > In case, the customer belong to the ISP dials and latch in > the > > same > > > > ISP (i.e. using ISP infrastructure), I can authenticate > (since > > they > > > > will latch on LNS, a radius client), using radius and radius > > will > > > > return certain attribute including vrf / pool name etc. and > > then > > > > customer will go to it's own vrf and to it's own network. > > > > > > > > But in my case, customers come from other ISP domain > (dialing > > and > > > > coming on their lac) and we are using back to back vrf to > > connect > > > LAC > and LNS. Now the problem is, how to authenticate the > users > > and > > > return > vrf and ip pool name from the radius as LNS can not > act > > as > > > radius > client now. The only option I can see is to forward > the > > > fraffic to > firewall, which can act as radius client and > query > > to > > > radius server, > radius server can inturn return the vlan > which > > can > > > be mapped to > respective vrf. > > > > > > you can use vrf-aware Radius to send Radius the radius > requests > > > within the VRF (which, I think, solves your problem, but I'm > not > > > sure I entirely understood your topology): > > > > > > aaa authentication ppp VRFCUST group VRFGROUP > > > aaa authorization network VRFCUST group VRFGROUP > > > aaa accounting network VRFCUST group VRFGROUP > > > ! 
> > > aaa group server radius VRFGROUP > > > server-private x.x.x.x key zzzzz > > > ip radius source-interface ... > > > ip vrf forwarding > > > ! > > > int virtual-template1 > > > ppp authentication chap pap VRFCUST > > > ppp authorization VRFCUST > > > ppp accounting VRFCUST > > > > > > However: The L2TP packets also arrive within a VRF, so you > need > > to > > > use vrf-aware vpdn as well (specifiy "vpn vrf " in your > > > vpdn-group). > > > > > > hope this helps.. > > > > > > oli > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Chris.Kilian at aolbb.co.uk Mon Jul 28 04:48:25 2008 From: Chris.Kilian at aolbb.co.uk (Chris Kilian) Date: Mon, 28 Jul 2008 09:48:25 +0100 Subject: [c-nsp] FW: PagpP vs LACP on Etherchannels between Cisco 7609 and Cisco ME3400's Message-ID: <589977100D803D4E8EA5A17F9C7641AF72A9D5EA88@SGBS201V1.CPWBB.LOCAL> See below. 
router#show inter port-channel 102
Port-channel102 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 0014.a922.2b46 (bia 0014.a922.2b45)
  Description:
  MTU 9216 bytes, BW 400000 Kbit, DLY 10 usec,
     reliability 255/255, txload 46/255, rxload 11/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is on
  Members in this channel: Gi1/30 Gi1/31 Gi1/32 Gi1/33
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 5d08h
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 18690000 bits/sec, 7519 packets/sec
  30 second output rate 72238000 bits/sec, 9642 packets/sec
     3363799646 packets input, 926913458117 bytes, 0 no buffer
     Received 776467 broadcasts (317854 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     4545371638 packets output, 4459109668674 bytes, 0 underruns
     0 output errors, 0 collisions, 5 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

router#show etherchannel
                Channel-group listing:
                -----------------------
Group: 102
----------
Group state = L2
Ports: 4   Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol:   -
Minimum Links: 0

This is the interface config from one of the physical interfaces; they are all the same.

router#show run inter gig1/30
interface GigabitEthernet1/30
 description xxxxxxxxxxxxxxxxxxxx
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan xxx-xxx
 switchport mode trunk
 mtu 9216
 no ip address
 load-interval 30
 speed 100
 duplex full
 channel-group 102 mode on
end

Chris Kilian
Tier 2 Network Engineer
AOL Broadband
80 Hammersmith Road, London, UK, W14 8UD
Tel: +44 207 348 4762 Mobile: +44 07515031780 AIM: chriskilianck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Kilian
Sent: 25 July 2008 16:03
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PagpP vs LACP on Etherchannels between Cisco 7609 and Cisco ME3400's

Hi All

I posted a few days ago about some issues that I was having with setting up a port channel between a Cisco 7609 and a Cisco ME3400. I have resolved this issue by using the following on all physical interfaces:

channel-group mode on

This brought up the port-channel right away and things appear to be working fine. My question now is this: as this is the only channel setting on the physical interfaces, with no channel-protocol set at all, why, if I bounce one of the physical interfaces, am I seeing debug messages detailing PAgP? Would this therefore mean that despite not having a channel-group protocol set it defaults to using PAgP? The message when doing a debug etherchannel all and dropping one physical interface in the port channel was this:
Jul 25 14:43:50: %LINK-3-UPDOWN: Interface GigabitEthernet1/6, changed state to down
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport

When unshutting the interface the following was seen:

20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport
20w3d: FEC: pagp_switch_is_in_port_channel: Gi1/6 is not part of any agport

Just as an addition, the reason that we can't use LACP as we wanted is due to IOS limitations in the Metro Access IOS image running on the ME3400's, which only allows up to 4 ports as NNI ports with the remainder as UNI. By upgrading to a full release of the Metro Access IOS you can enable all ports as NNI ports, but as we have in excess of 100 ME3400's this is not desirable.

Chris Kilian

This communication together with any attachments transmitted with it ("this E-Mail") is intended only for the use of the addressee and may contain information which is privileged and confidential. If the reader of this E-Mail is not the intended recipient, or the employee or agent responsible for delivering it to the intended recipient, you are hereby notified that any use, dissemination, forwarding, printing or copying of this E-Mail is strictly prohibited. Addressees should check this E-mail for viruses. The Company makes no representations as regards the absence of viruses in this E-Mail. If you have received this E-Mail in error please notify the sender immediately by e-mail. Please then immediately delete, erase or otherwise destroy this E-Mail and any copies of it. Any opinions expressed in this E-Mail are those of the author and do not necessarily constitute the views of the Company. Nothing in this E-Mail shall bind the Company in any contract or obligation. For the purposes of this E-Mail "the Company" means The Carphone Warehouse Group Plc and/or any of its subsidiaries. The Carphone Warehouse Group Plc (Registered in England No. 3253714) 1 Portal Way, London W3 6RS. AOL Broadband, [AOLBroadband.co.uk] [AOLbb.co.uk] and AOL logos are trade marks of AOL LLC and are used under licence. The AOL Broadband service is provided to customers in the UK by TPH Services SARL, a Carphone Warehouse plc company.

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/

From sam_mailinglists at spacething.org Mon Jul 28 07:30:03 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 28 Jul 2008 12:30:03 +0100 Subject: [c-nsp] Polling module status in the absence of STACK-MIB Message-ID: <488DADBB.8010606@spacething.org>

Hi,

Does anyone know of a way to SNMP poll for module status on devices that don't support STACK-MIB (e.g. 4500s)? (With STACK-MIB this is as simple as walking .1.3.6.1.4.1.9.5.1.3.1.1.10.)

I've been looking at the ENTITY-MIB but that doesn't seem to have the necessary data. Annoyingly, the ENTITY-MIB also only contains the one single trap, entConfigChange, so these devices don't look to be able to generate module down traps either.
Sam

From sam_mailinglists at spacething.org Mon Jul 28 07:51:14 2008 From: sam_mailinglists at spacething.org (Sam Stickland) Date: Mon, 28 Jul 2008 12:51:14 +0100 Subject: [c-nsp] Polling module status in the absence of STACK-MIB In-Reply-To: <488DADBB.8010606@spacething.org> References: <488DADBB.8010606@spacething.org> Message-ID: <488DB2B2.80907@spacething.org>

Ha, I've been looking for this for a week, and then just after I send the email I finally find it.

http://www.oidview.com/mibs/9/CISCO-ENTITY-FRU-CONTROL-MIB.html

cefcModuleOperStatus 1.3.6.1.4.1.9.9.117.1.2.1.1.2

Sam

Sam Stickland wrote:
> Hi,
>
> Does anyone know of a way to SNMP poll for module status on devices
> that don't support STACK-MIB (e.g. 4500s)? (With STACK-MIB this is as
> simple as walking .1.3.6.1.4.1.9.5.1.3.1.1.10.)
>
> I've been looking at the ENTITY-MIB but that doesn't seem to have the
> necessary data.
>
> Annoyingly, the ENTITY-MIB also only contains the one single trap,
> entConfigChange, so these devices don't look to be able to generate
> module down traps either.
>
> Sam
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From oboehmer at cisco.com Mon Jul 28 08:09:32 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 28 Jul 2008 14:09:32 +0200 Subject: [c-nsp] OER/DRIP specs protocol format In-Reply-To: <6F2FFD7C10F788479E354B84294036C4259E5A88@EXCH-MBX.exchange.alphared.local> References: <6F2FFD7C10F788479E354B84294036C4259E5A88@EXCH-MBX.exchange.alphared.local> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405CB8F77@xmb-ams-333.emea.cisco.com>

mack <> wrote on Saturday, July 26, 2008 8:18 PM:
> Does anyone have a link to the protocol the Optimized Edge Routing
> uses to communicate? I am curious what the protocol is and what it
> does.
> From the documentation it uses port 3949 which corresponds to
> something called "Dynamic Routing Information Protocol".

Sorry, we haven't published the protocol specs; it's Cisco proprietary. There is an API which we can share under NDA with interested parties (see http://www.flukenetworks.com/pfr for an application).

oli

From justin at justinshore.com Mon Jul 28 10:08:21 2008 From: justin at justinshore.com (Justin Shore) Date: Mon, 28 Jul 2008 09:08:21 -0500 Subject: [c-nsp] Blocking Forged Source Addresses In-Reply-To: References: Message-ID: <488DD2D5.1020807@justinshore.com>

Skeeve Stevens wrote:
> What is the best strategy to Block Forged Source Addresses on a Cisco border
> router?

Skeeve,

What specifically are you looking for? How do you determine that the source traffic is forged? Are you wanting to ensure that no traffic enters your network from the outside that claims to be from a source already inside of your network? BOGONs? Hijacked netblocks? There's a lot of stuff to block. uRPF is generally part of the solution but of course it depends on what you're trying to accomplish.

Justin

From mksmith at adhost.com Mon Jul 28 10:21:43 2008 From: mksmith at adhost.com (Michael Smith) Date: Mon, 28 Jul 2008 07:21:43 -0700 Subject: [c-nsp] Blocking Forged Source Addresses In-Reply-To: Message-ID:

Hello Skeeve:

> From: Skeeve Stevens
> Organization: eintellego
> Reply-To:
> Date: Sat, 26 Jul 2008 17:07:02 +1000
> To:
> Subject: [c-nsp] Blocking Forged Source Addresses
>
> What is the best strategy to Block Forged Source Addresses on a Cisco border
> router?
>
> .Skeeve
>

I would recommend taking a look at the Cymru Secure IOS template at http://www.cymru.com/Documents/secure-ios-template.html. It gives you a great set of ACL's for blocking all manner of bogons, including traffic from your internal nets, plus the uRPF configuration as well.
If you elect to go with this template you should probably check in periodically on the site for updated ACL's, because the IOS template blocks unallocated space, and since IP space gets allocated quite frequently, you can end up blocking traffic unintentionally for those nets.

Regards,

Mike

From troy at i2bnetworks.com Mon Jul 28 15:24:56 2008 From: troy at i2bnetworks.com (Troy Beisigl) Date: Mon, 28 Jul 2008 12:24:56 -0700 Subject: [c-nsp] 32 bit ASN Message-ID: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com>

Hi,

Does anyone know if the 32 bit ASN support is going to get implemented in the 12008 or 7500 RSP8 series? If not, what is recommended as replacements?

Thanks,
-Troy

From ibrahim.abozaid at gmail.com Mon Jul 28 17:11:15 2008 From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid) Date: Tue, 29 Jul 2008 00:11:15 +0300 Subject: [c-nsp] Interface Queues In-Reply-To: <20080727184919.GC16786@rtp-cse-489.cisco.com> References: <20080727184919.GC16786@rtp-cse-489.cisco.com> Message-ID:

Hi Rodney

Thanks for your reply. I think this isn't specific to a given platform, but it is common on low-end CE routers, especially with serial interfaces.

best regards
--Ibrahim

On Sun, Jul 27, 2008 at 9:49 PM, Rodney Dunn wrote:
> On what platform?
>
> On Sat, Jul 26, 2008 at 06:05:49PM +0300, Ibrahim Abo Zaid wrote:
> > Hi All
> >
> > I am a bit confused between interface queues that can be configured using
> > tx-queue-limit and hold-queue, what is the difference between these queues?
> >
> >
> > appreciate your replies.
> > > > best regards > > --Ibrahim > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dnewman at networktest.com Mon Jul 28 17:24:17 2008 From: dnewman at networktest.com (David Newman) Date: Mon, 28 Jul 2008 14:24:17 -0700 Subject: [c-nsp] ASR series Message-ID: <488E3901.6050701@networktest.com> I would be grateful for any experience with ASR series routers -- how are you using them, how do they compare with other aggregation boxes you've used before. Please email me privately and I'll post a summary if there's interest. thanks dn From agristina+cisco-nsp at gmail.com Mon Jul 28 19:43:53 2008 From: agristina+cisco-nsp at gmail.com (Andrew Gristina) Date: Mon, 28 Jul 2008 16:43:53 -0700 Subject: [c-nsp] ASR series In-Reply-To: <488E3901.6050701@networktest.com> References: <488E3901.6050701@networktest.com> Message-ID: <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com> I suspect the feedback is self selecting in this forum. Is this paid or unpaid market research for you at networktest.com? At least you were honest enough to use your work email. Operationally I haven't found them that different from other Cisco routers (other than the hardware). There is a really nice summary of the ASR differences from Networkers (there were some really good ones from the ASR introduction a few years ago). On Mon, Jul 28, 2008 at 2:24 PM, David Newman wrote: > I would be grateful for any experience with ASR series routers -- how are > you using them, how do they compare with other aggregation boxes you've used > before. > > Please email me privately and I'll post a summary if there's interest. 
> > thanks
> > dn

From lobo at allstream.net Mon Jul 28 23:47:52 2008 From: lobo at allstream.net (Jose) Date: Mon, 28 Jul 2008 23:47:52 -0400 Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro) In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C5187B86@100NOOSLMSG004.common.alpharoot.net> References: <488B1FD2.7040405@allstream.net> <13A13E9CF0F76342A79031B9E558C0C5187B86@100NOOSLMSG004.common.alpharoot.net> Message-ID: <488E92E8.6060900@allstream.net>

Thanks for the tips Stig/Arie. So it appears that I've managed to get it to work, but not before upgrading the IOS to 12.2(44)SE2, as it wasn't working properly before that. Here's the config that I ended up going with in case anyone else is looking to get this working. This example polices one vlan to 5Mbps and the other to 1Mbps:

mac access-list extended mac
 permit any any
!
access-list 129 permit ip any any
!
class-map match-any cm-1
 match access-group name mac
class-map match-any cm-1-ip
 match access-group 129
class-map match-all cm-interface-1
 match input-interface FastEthernet1/0/1 - FastEthernet1/0/2
!
!
policy-map port-plcmap-667
 class cm-interface-1
  police 1000000 8000 exceed-action drop
policy-map vlan-plcmap2
 class cm-1
  trust dscp
  service-policy port-plcmap-667
 class cm-1-ip
  trust dscp
  service-policy port-plcmap-667
policy-map port-plcmap
 class cm-interface-1
  police 5000000 8000 exceed-action drop
policy-map vlan-plcmap
 class cm-1
  trust dscp
  service-policy port-plcmap
 class cm-1-ip
  trust dscp
  service-policy port-plcmap
!
interface FastEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,667
 switchport mode trunk
 mls qos vlan-based
!
interface FastEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 666,667
 switchport mode trunk
 mls qos vlan-based
!
interface Vlan666
 description test policing vlan
 no ip address
 service-policy input vlan-plcmap
!
interface Vlan667
 no ip address
 service-policy input vlan-plcmap2
!
It's important to reiterate that mls qos vlan-based be enabled on the interfaces you will be using, as without this command all of the above is useless.

Thanks.

Jose

Stig Johansen wrote:
> Hi there,
>
> Just remember that the 3750 non-metro platform has several limitations,
> especially for egress QoS, which I would think you would be interested
> in using.
>
> The short story is: The 3750-platform does only queueing and scheduling
> on egress-interfaces. Any policing or prioritization you want to be
> done on an egress-interface would have to be done by manipulating
> CoS/DSCP-values and configuring the output-queues accordingly.
>
> For inbound QoS in your case, you'll have to enable VLAN-based QoS as
> suggested by Arie. Follow this link:
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swqos.html#wp1703591
>
> Best regards,
> Stig Meireles Johansen
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jose
> Sent: 26. juli 2008 15:00
> To: Cisco
> Subject: [c-nsp] Policing individual vlans per port on 3750 (non metro)
>
> Hi everyone. Ran into a little snag this afternoon when I needed to
> police layer 2 customers on a single port in a similar fashion to the
> way we do it on the 3550-24s. Normally we would create the aggregate
> policer, use a class map that matches on vlan id and another one that
> matches any ip per customer... we combine these under a single policy-map
> and apply it to the interface.
>
> When trying this similar process on the 3750, we noticed that we aren't
> able to match on vlan:
>
> copsw01(config)#class-map match-all ARPI3-IP-Trunk
> copsw01(config-cmap)#match ?
>   access-group     Access group
>   input-interface  Select one or more input interfaces to match
>   ip               IP specific values
>
> So now we're left wondering how can we have a trunk port police
> individual vlans if the option is not there to choose? BTW, the version
> of IOS we're using is c3750-ipbasek9-mz.122-25.SEE2.
>
> Thanks.
>
> Jose
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> __________ NOD32 3301 (20080727) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com

From mtinka at globaltransit.net Mon Jul 28 23:17:28 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 29 Jul 2008 11:17:28 +0800 Subject: [c-nsp] ASR series In-Reply-To: <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com> References: <488E3901.6050701@networktest.com> <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com> Message-ID: <200807291117.29590.mtinka@globaltransit.net>

On Tuesday 29 July 2008 07:43:53 Andrew Gristina wrote:
> Operationally I haven't found them that different from
> other Cisco routers (other than the hardware).

Same here, not that different. Just that with current IOS XE 2.1.1, some line cards are not supported, but that will come with later revisions.

The one thing I'd like, though (which I mentioned on this list some time back), is a method to elegantly and gracefully shut down the system, seeing as it has a hard drive and all.

Cheers,

Mark.

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part.
From saku+cisco-nsp at ytti.fi Tue Jul 29 02:24:30 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Tue, 29 Jul 2008 09:24:30 +0300
Subject: [c-nsp] ASR series
In-Reply-To: <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com>
References: <488E3901.6050701@networktest.com> <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com>
Message-ID: <20080729062430.GA23459@mx.ytti.net>

On (2008-07-28 16:43 -0700), Andrew Gristina wrote:

> Operationally I haven't found them that different from other Cisco
> routers (other than the hardware). There is a really nice summary of
> the ASR differences from Networkers (there were some really good ones
> from the ASR introduction a few years ago).

ASR introduction /few years/ ago? So that would be summer 2006 at least? I don't think there was public information about the ASR OP is asking about. Several years ago there was 7400 which was also called ASR, luckily it has been killed dead.

-- 
  ++ytti

From routerrails at gmail.com Tue Jul 29 04:16:01 2008
From: routerrails at gmail.com (Router Guy)
Date: Mon, 28 Jul 2008 22:16:01 -1000
Subject: [c-nsp] suggestion for replacing Redback Smartedge

Hi,

I am looking at replacing Redback Smartedge router. The main goal is to provide l2 and l3 vpn with multi-services, metro ethernet, ATM, T1 and etc. It needs to be able to do QOS, bandwidth throttling, QinQ, fast convergence time for voice. What's best option from cisco? Would you recommend another vendor?

Thanks,
Guy

From avayner at cisco.com Tue Jul 29 07:50:36 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 29 Jul 2008 13:50:36 +0200
Subject: [c-nsp] suggestion for replacing Redback Smartedge
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501A669DC@xmb-ams-331.emea.cisco.com>

Guy,

From Cisco you should be looking at platforms like 7600 with ES20 cards, maybe 7200 for some solutions, ASR1000 and maybe GSR if the scale is right.
Arie

From skeeve at skeeve.org Tue Jul 29 08:00:34 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 29 Jul 2008 22:00:34 +1000
Subject: [c-nsp] Cisco 880 Series

I am perplexed. Can someone who knows more about the Cisco 880 series explain why there is an Ethernet model (881) and a SHDSL model (888), but seemingly no ADSL model?

I would have thought, that as a CPE, that the ADSL (877, etc) would have sold a hell of a lot more devices than the other two.

Also, the 3G add-on, is it just a PCIe Card in the front? Or is it integrated. The Cisco website isn't too detailed yet on these units. Or, is it yet to come (which would be odd)

-- 
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From skeeve at skeeve.org Tue Jul 29 08:12:40 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 29 Jul 2008 22:12:40 +1000
Subject: [c-nsp] K9 (IP Advanced Security) vs.
SEC-K9 simplified features

I realise there is the feature navigator which provides in-depth details of features of the different IOS sets, but, does anyone know (2 hours of searching Cisco.com failed) where there is a simple explanation about the features that isn't the graphic @ http://www.cisco.com/en/US/products/sw/iosswrel/ps5460/index.html

I need a little more explanation when I am selling to customers and whether they should buy the -SEC-K9 or -K9. I am interested in which Routing Protocols (OSPF, BGP, EIGRP, etc), IP SLA, QoS, nBAR and so on. Essentially, more than the graphic, but less than the detailed feature guide.

Also, if I am right:

-K9 = Advanced Security
-SEC-K9 = Advanced IP Services

Makes a lot of sense to me... not, but I will live with that.

Also, -K9 - Advanced Security, based on the graphic linked above, doesn't do ATM, but isn't DSL basically ATM? Or does it mean real ATM? Which in the 800/1800/2800 world, as far as I know, there is no ATM anyhow.

-- 
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From j.varaillon at cosmoline.com Tue Jul 29 08:51:51 2008
From: j.varaillon at cosmoline.com (Jean-Christophe VARAILLON)
Date: Tue, 29 Jul 2008 15:51:51 +0300
Subject: [c-nsp] ASN Gateway - SAMI
Message-ID: <007701c8f179$df39c0a0$d901a8c0@varaillonlap>

Hi,

I was wondering if someone could post a relevant configuration including both the ASN-GW (SAMI) and the 7600 part.

The ASN gateway on the SAMI card uses a parallel architecture where six IOSs run simultaneously, using six configuration files. Can those configuration files be identical? Should they be identical?
Also, since the SAMI card has no physical interfaces, theoretically speaking, does this mean that I could have only 2 VLANs, one toward the CSN backbone and one toward the ASN for the R6 bearer? Where is the virtual template fitting then?

Thank you

Christophe

From rodunn at cisco.com Tue Jul 29 09:31:02 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 29 Jul 2008 09:31:02 -0400
Subject: [c-nsp] Interface Queues
References: <20080727184919.GC16786@rtp-cse-489.cisco.com>
Message-ID: <20080729133102.GB4816@rtp-cse-489.cisco.com>

The tx-queue-limit I always saw was for the 75xx due to the QA asic forwarding. It set the memd txacc queues.

For the traditional boxes it's hold-queue out or tx ring. The tx ring is the fifo queue to the device driver. The hold-queue is where we back packets up when the tx ring is congested. That's if there isn't a QOS policy applied at which point you have queue-limit under the individual classes.

ATM is a bit more complex with per VC queues. I'm not sure if they have a tx-queue-limit concept.

Rodney

On Tue, Jul 29, 2008 at 12:11:15AM +0300, Ibrahim Abo Zaid wrote:
> Hi Rodney
>
> Thanks for your reply, i think this isn't specific for a given platform but it
> is common on low-end CE routers especially with serial interfaces
>
> best regards
> --Ibrahim
>
> On Sun, Jul 27, 2008 at 9:49 PM, Rodney Dunn wrote:
>
> > On what platform?
> >
> > On Sat, Jul 26, 2008 at 06:05:49PM +0300, Ibrahim Abo Zaid wrote:
> > > Hi All
> > >
> > > i am a bit confused between Interface queues that can be configured using
> > > tx-queue-limit and hold-queue, what is the difference between these
> > > queues?
> > >
> > > appreciate your replies.
> > >
> > > best regards
> > > --Ibrahim

From amaged at cisco.com Tue Jul 29 11:57:42 2008
From: amaged at cisco.com (Ahmed Maged (amaged))
Date: Tue, 29 Jul 2008 17:57:42 +0200
Subject: [c-nsp] Interface Queues
Message-ID: <0BB7A1080B7DBD4494E09FF171D2ACEA01BDA25E@xmb-ams-33c.emea.cisco.com>

The answer below doesn't fit for all platforms/interfaces but I hope it helps.

In the case of 7200 and low-end, years ago: tx-queue-limit referred to the "Fifo memory between the intelligent scheduler and the wire". That memory was too large for VoIP and caused too much jitter even with PQ and so on.

As for hold-queue: when packets are switched in IOS, there is an interface hold-queue that will receive the packets received from the interface. Every received packet generates an interrupt indicating it requires service. The interface ISR (interrupt service routine) will determine if this packet is to be forwarded via cef, or locally destined or cannot be fast switched and has to be process switched by IP INPUT.

Cheers,
Ahmed

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ibrahim Abo Zaid
Sent: Saturday, July 26, 2008 6:06 PM
To: cisco-nsp at puck.nether.net; cisco at groupstudy.com
Subject: [c-nsp] Interface Queues

Hi All

i am a bit confused between Interface queues that can be configured using tx-queue-limit and hold-queue, what is the difference between these queues?

appreciate your replies.
best regards
--Ibrahim

From harbor235 at gmail.com Tue Jul 29 12:43:10 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Tue, 29 Jul 2008 12:43:10 -0400
Subject: [c-nsp] Layer 2 question
Message-ID: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com>

What happens if a layer 2 switch receives a frame that needs to be forwarded out the same port that the incoming frame was received on?

I realize that a typical layer 2 switch would never forward that packet upstream in the first place. However, if it did in fact happen what does the upstream L2 switch do? I have a situation that a non standard layer 2 device may in fact do what I described above.

mike

From rbf+cisco-nsp at panix.com Tue Jul 29 13:00:32 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Tue, 29 Jul 2008 12:00:32 -0500
Subject: [c-nsp] Layer 2 question
In-Reply-To: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com>
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com>
Message-ID: <20080729170031.GA24302@panix.com>

On Tue, Jul 29, 2008 at 12:43:10PM -0400, Mike Johnson wrote:
>
> What happens if a layer 2 switch receives a frame that needs to be
> forwarded out the same port that the incoming frame was received on?

It will discard it.

Back when Layer 2 switches were typically used to connect multiple shared-media Ethernet segments, this happened all the time -- every time two nodes on the same shared-media Ethernet segment communicated.

These days, most switch ports connect only to a single device, but the operation of Layer 2 switching (which is just bridging) hasn't changed.

> I realize that a typical layer 2 switch would never forward that
> packet upstream in the first place.
> However, if it did in fact happen
> what does the upstream L2 switch do?

Consider the case of a hub (not a switch) connected to a switch port, and multiple devices on that hub communicating with each other. The switch sees all the packets, and doesn't forward them.

     -- Brett

From agristina+cisco-nsp at gmail.com Tue Jul 29 13:10:27 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Tue, 29 Jul 2008 10:10:27 -0700
Subject: [c-nsp] ASR series
In-Reply-To: <20080729062430.GA23459@mx.ytti.net>
References: <488E3901.6050701@networktest.com> <70bb1b8f0807281643x7c37d79cv1c3d7b56dab02c46@mail.gmail.com> <20080729062430.GA23459@mx.ytti.net>
Message-ID: <70bb1b8f0807291010j2262cbe3u58cc9811b919d043@mail.gmail.com>

Maybe it was last Networkers, I really don't have the presos in front of me. Anyway, while it may be covered at this year's Networkers, I didn't go so there was information available before this year. I don't know if Networkers information is public, I would guess no due to all the trouble to log in and get old Networkers presentations. It was an RST series preso, I remember that.

On Mon, Jul 28, 2008 at 11:24 PM, Saku Ytti wrote:
> On (2008-07-28 16:43 -0700), Andrew Gristina wrote:
>
>> Operationally I haven't found them that different from other Cisco
>> routers (other than the hardware). There is a really nice summary of
>> the ASR differences from Networkers (there were some really good ones
>> from the ASR introduction a few years ago).
>
> ASR introduction /few years/ ago? So that would be summer 2006 at least?
> I don't think there was public information about the ASR OP is asking
> about. Several years ago there was 7400 which was also called ASR, luckily
> it has been killed dead.
>
> -- 
>   ++ytti
>

From achatz at forthnet.gr Tue Jul 29 13:22:03 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 29 Jul 2008 20:22:03 +0300
Subject: [c-nsp] interpretation of sysTrafficPeakTime
Message-ID: <488F51BB.3020504@forthnet.gr>

According to the cisco-stack-mib:

sysTrafficPeakTime OBJECT-TYPE
    SYNTAX TimeTicks
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The time (in hundredths of a second) since the peak
        traffic meter value occurred."
    ::= { systemGrp 20 }

Can someone please interpret the above description?

I'm thinking of 2 different values here:

1) current time (present) <=== peak time (past) : the value should increase as time passes by (*)
2) power-on/reset time (past) ===> peak time (past) : the value should stay constant as time passes by (*)

If i was to interpret it, i would probably choose the 1st one, but according to my sample snmp outputs on some 6500s/7600s the 2nd seems to be the correct one.

(*) having only one peak traffic time

-- 
Tassos

From harbor235 at gmail.com Tue Jul 29 13:34:31 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Tue, 29 Jul 2008 13:34:31 -0400
Subject: [c-nsp] Layer 2 question
In-Reply-To: <20080729170031.GA24302@panix.com>
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com> <20080729170031.GA24302@panix.com>
Message-ID: <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com>

Agreed, but is there a device that will do just that. The reason I ask is because that is exactly what is needed in a GPON network architecture.
mike

On 7/29/08, Brett Frankenberger wrote:
>
> On Tue, Jul 29, 2008 at 12:43:10PM -0400, Mike Johnson wrote:
> >
> > What happens if a layer 2 switch receives a frame that needs to be
> > forwarded out the same port that the incoming frame was received on?
>
> It will discard it.
>
> Back when Layer 2 switches were typically used to connect multiple
> shared-media Ethernet segments, this happened all the time -- every
> time two nodes on the same shared-media Ethernet segment communicated.
>
> These days, most switch ports connect only to a single device, but the
> operation of Layer 2 switching (which is just bridging) hasn't changed.
>
> > I realize that a typical layer 2 switch would never forward that
> > packet upstream in the first place. However, if it did in fact happen
> > what does the upstream L2 switch do?
>
> Consider the case of a hub (not a switch) connected to a switch port,
> and multiple devices on that hub communicating with each other. The
> switch sees all the packets, and doesn't forward them.
>
>      -- Brett
>

From swmike at swm.pp.se Tue Jul 29 13:50:16 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 29 Jul 2008 19:50:16 +0200 (CEST)
Subject: [c-nsp] Layer 2 question
In-Reply-To: <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com>
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com> <20080729170031.GA24302@panix.com> <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com>

On Tue, 29 Jul 2008, Mike Johnson wrote:

> Agreed, but is there a device that will do just that. The reason I ask
> is because that is exactly what is needed in a GPON network
> architecture.

Don't you want to solve this with local-proxy-arp instead, so all traffic passes the router upstream and you can implement filtering etc?
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From harbor235 at gmail.com Tue Jul 29 14:12:09 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Tue, 29 Jul 2008 14:12:09 -0400
Subject: [c-nsp] Layer 2 question
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com> <20080729170031.GA24302@panix.com> <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com>
Message-ID: <836bf1f90807291112p2aecace2m7cc4fe7436aca3e8@mail.gmail.com>

Proxy arp would be performed on a layer3 interface, the frames will never get there because of the layer 2 switch. Also, a layer3 device will not proxy-arp for hosts requiring arp information on the same segment, different segments is another story.

mike

On 7/29/08, Mikael Abrahamsson wrote:
>
> On Tue, 29 Jul 2008, Mike Johnson wrote:
>
>> Agreed, but is there a device that will do just that. The reason I ask is
>> because that is exactly what is needed in a GPON network architecture.
>
> Don't you want to solve this with local-proxy-arp instead, so all traffic
> passes the router upstream and you can implement filtering etc?
>
> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se
>

From swmike at swm.pp.se Tue Jul 29 14:17:07 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Tue, 29 Jul 2008 20:17:07 +0200 (CEST)
Subject: [c-nsp] Layer 2 question
In-Reply-To: <836bf1f90807291112p2aecace2m7cc4fe7436aca3e8@mail.gmail.com>
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com> <20080729170031.GA24302@panix.com> <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com> <836bf1f90807291112p2aecace2m7cc4fe7436aca3e8@mail.gmail.com>

On Tue, 29 Jul 2008, Mike Johnson wrote:

> Proxy arp would be performed on a layer3 interface, the frames will never
> get there because of the layer 2 switch.
> Also, a layer3 device will not proxy-arp for hosts requiring arp information
> on the same segment, different segments is another story.
Local-proxy-arp will do proxy-arp for everything, including within the IP subnet. This will force all customers to have the upstream L3 unit in their ARP tables for all hosts within the subnet.

It's used in conjunction with forced-forwarding of packets to the uplink ports of L2 switches as part of a total security scheme to avoid customers being able to do man in the middle attacks on L2 segments. It should work in your scenario as well.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From elmi at 4ever.de Tue Jul 29 14:40:01 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Tue, 29 Jul 2008 20:40:01 +0200
Subject: [c-nsp] Is proxy-arp evil?
Message-ID: <20080729184001.GD17128@ronin.4ever.de>

Hi knowledgeable fellows,

I think I should bounce this off the people on this list before I shoot myself in the foot...

My setup looks like this:

                                   +--- [Server]
[ISP]---| a.b.c.d/28 |--[Router]--+--- [Server]
                                   +--- [Server]

Access network to the ISP is a.b.c.d/28, transfer network between "Router" (a WS-3750G in L3 mode) and Servers is something else (think 192.168.1.0/24) with every server having a unique address on that transfer network (like .2, .3 and .4).

Every server also has one address from the access network, called "service address" on a loopback/dummy and the router is configured with static routes for that service address to each of the servers' transfer addresses:

3750#show run | i relevant
!
interface vlan 10
 description OUTSIDE
 ip address a.b.c.+2 255.255.255.240
!
interface vlan 11
 description INSIDE
 ip address 192.168.1.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 a.b.c.+1
ip route a.b.c.+3 255.255.255.255 192.168.1.2
ip route a.b.c.+3 255.255.255.255 192.168.1.3
ip route a.b.c.+3 255.255.255.255 192.168.1.4
!
ip cef
ip cef load-sharing algorithm tunnel

This setup does work flawlessly as long as the service address is not from the ISP transfer block. CEF does a pretty good balancing job to the inside, the forwarding on a 3750 is not bad either.
As soon as the service address is from the transfer block, I need to make traffic happen towards the routing system to be able to push it further (and control the routing). The solution I do see is to use

interface vlan 11
 ip local-proxy-arp

on the inside interface. In my lab environment this seems to work flawlessly, but maybe I am overlooking an obvious alternative solution (renumbering the entire setup and adding a transfer network is not an option in the short run).

Am I being st00pid? Is that how one is supposed to do it? Is there a way around proxy-arp (which I frankly never liked)?

Any ideas/thoughts...

Elmi.

-- 
"Limping is not a flaw of a comparison, but should be regarded
 as an essential property of comparisons."     (Marius Fränzel in desd)
--------------------------------------------------------------[ ELMI-RIPE ]---

From harbor235 at gmail.com Tue Jul 29 14:41:06 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Tue, 29 Jul 2008 14:41:06 -0400
Subject: [c-nsp] Layer 2 question
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com> <20080729170031.GA24302@panix.com> <836bf1f90807291034i3c20a209r3d9bfdf1442af03c@mail.gmail.com> <836bf1f90807291112p2aecace2m7cc4fe7436aca3e8@mail.gmail.com>
Message-ID: <836bf1f90807291141y71044514o3df3c79894c49c9@mail.gmail.com>

Mikael,

Nice feature, I did not know about that. However, is that feature only for the 6500 or do other catalyst lines use it as well?

-Mike

On 7/29/08, Mikael Abrahamsson wrote:
>
> On Tue, 29 Jul 2008, Mike Johnson wrote:
>
>> Proxy arp would be performed on a layer3 interface, the frames will never
>> get there because of the layer 2 switch.
>> Also, a layer3 device will not proxy-arp for hosts requiring arp
>> information on the same segment, different segments is another story.
>
> Local-proxy-arp will do proxy-arp for everything, including within the IP
> subnet.
> This will force all customers to have the upstream L3 unit in their
> ARP tables for all hosts within the subnet.
>
> It's used in conjunction with forced-forwarding of packets to the uplink
> ports of L2 switches as part of a total security scheme to avoid customers
> being able to do man in the middle attacks on L2 segments. It should work in
> your scenario as well.
>
> -- 
> Mikael Abrahamsson    email: swmike at swm.pp.se
>

From Bryan.Welch at digeo.com Tue Jul 29 14:46:07 2008
From: Bryan.Welch at digeo.com (Bryan Welch)
Date: Tue, 29 Jul 2008 11:46:07 -0700
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
Message-ID: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com>

Greetings, anyone have any 800 series routers deployed to remote sites to terminate vpn tunnels? We have an 871 deployed to a remote location/country that we are experiencing some throughput issues with. Router seems to handle the traffic just fine, no errors what so ever.

TIA,
Bryan

From jasongurtz at npumail.com Tue Jul 29 16:18:49 2008
From: jasongurtz at npumail.com (Jason Gurtz)
Date: Tue, 29 Jul 2008 16:18:49 -0400
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
In-Reply-To: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com>
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com>

> Greetings, anyone have any 800 series routers deployed to remote sites
> to terminate vpn tunnels? We have an 871 deployed to a remote
> location/country that we are experiencing some throughput issues with.

We have some out there. They seem to have no problem saturating the ~600Kb of upload bandwidth we have on a PPPoE aDSL line. Our traffic is primarily live video, no VoIP so far...
~JasonG

-- 

From avayner at cisco.com Tue Jul 29 16:22:49 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Tue, 29 Jul 2008 22:22:49 +0200
Subject: [c-nsp] interpretation of sysTrafficPeakTime
In-Reply-To: <488F51BB.3020504@forthnet.gr>
References: <488F51BB.3020504@forthnet.gr>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501AC43C2@xmb-ams-331.emea.cisco.com>

Tasso,

Your analysis makes sense. It seems that this OID is basically what you can see with this command:

Router#show catalyst6000 traffic-meter
  traffic meter = 1%   Never cleared
           peak = 1%   reached at 20:14:17 UTC Tue Jul 29 2008

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
Sent: Tuesday, July 29, 2008 20:22 PM
To: cisco-nsp
Subject: [c-nsp] interpretation of sysTrafficPeakTime

According to the cisco-stack-mib:

sysTrafficPeakTime OBJECT-TYPE
    SYNTAX TimeTicks
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION
        "The time (in hundredths of a second) since the peak
        traffic meter value occurred."
    ::= { systemGrp 20 }

Can someone please interpret the above description?

I'm thinking of 2 different values here:

1) current time (present) <=== peak time (past) : the value should increase as time passes by (*)
2) power-on/reset time (past) ===> peak time (past) : the value should stay constant as time passes by (*)

If i was to interpret it, i would probably choose the 1st one, but according to my sample snmp outputs on some 6500s/7600s the 2nd seems to be the correct one.
(*) having only one peak traffic time

-- 
Tassos

From gert at greenie.muc.de Tue Jul 29 16:51:26 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 29 Jul 2008 22:51:26 +0200
Subject: [c-nsp] Layer 2 question
In-Reply-To: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com>
References: <836bf1f90807290943x654c64aesf30017b8084686f2@mail.gmail.com>
Message-ID: <20080729205126.GI288@greenie.muc.de>

Hi,

On Tue, Jul 29, 2008 at 12:43:10PM -0400, Mike Johnson wrote:
> What happens if a layer 2 switch receives a frame that needs to be forwarded
> out the same port that the incoming frame was received on?

"drop"

> I realize that a typical layer 2 switch would never forward that packet
> upstream in the first place.
> However, if it did in fact happen what does the upstream L2 switch do?

This is a very typical scenario if you hook an ethernet *hub* to an L2 switch port, and have two devices connected to the hub talk to each other.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
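The same-port filtering that Brett and Gert describe for a hub behind one switch port, together with the forced forwarding to the uplink that Mikael mentions earlier in the thread, modelled as an added example in Python (not code from any of the posters): a learning bridge that learns source addresses, floods unknown destinations, filters frames whose destination sits on the ingress port, and, when an uplink is configured, delivers every customer-port frame to the uplink only. Port names, MAC addresses and the "uplink" option are constructed for the model and are not any vendor's feature names.

```python
"""Learning-bridge model with same-port filtering and optional forced
forwarding to an uplink port.

Constructed example: the port names, MAC addresses and the 'uplink' option
are assumptions made for this model, not any vendor's feature names.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


@dataclass
class Bridge:
    ports: List[str]
    # Port towards the L3 gateway.  When set, frames from every other port are
    # delivered only there (isolated customer ports), so two customers on the
    # same segment never exchange frames directly at L2; the gateway, running
    # local-proxy-arp, answers their ARP requests and relays between them.
    uplink: Optional[str] = None
    mac_table: Dict[str, str] = field(default_factory=dict)

    def receive(self, in_port: str, frame: Frame) -> Set[str]:
        """Process one frame arriving on in_port and return its egress ports.

        An empty set means the frame is filtered (dropped).
        """
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port!r}")
        # Learning: note which port the source address was last seen on.
        if frame.src != BROADCAST:
            self.mac_table[frame.src] = in_port

        # Forced forwarding: a customer port may only reach the uplink,
        # whatever the MAC table says.
        if self.uplink is not None and in_port != self.uplink:
            return {self.uplink}

        if frame.dst == BROADCAST or frame.dst not in self.mac_table:
            # Unknown or broadcast destination: flood, except to the ingress port.
            return {p for p in self.ports if p != in_port}

        out_port = self.mac_table[frame.dst]
        if out_port == in_port:
            # Destination is reached through the same port the frame came in on
            # (e.g. two hosts on a hub behind that port).  They already heard
            # each other, so the switch filters the frame: the "drop" case.
            return set()
        return {out_port}


def hub_behind_port_scenario() -> Dict[str, Set[str]]:
    """Hosts A and B share a hub on gi0/1; host C sits alone on gi0/2."""
    sw = Bridge(ports=["gi0/1", "gi0/2", "gi0/24"])
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    results: Dict[str, Set[str]] = {}
    # B is unknown, so the first A->B frame is flooded out of the other ports.
    results["A->B flooded"] = sw.receive("gi0/1", Frame(a, b))
    # B answers on the same port; A is now known on gi0/1, so B->A is filtered.
    results["B->A filtered"] = sw.receive("gi0/1", Frame(b, a))
    # Both hosts are known on gi0/1: every later A<->B frame is filtered too.
    results["A->B filtered"] = sw.receive("gi0/1", Frame(a, b))
    # C announces itself on gi0/2; A->C must cross the switch and is forwarded.
    sw.receive("gi0/2", Frame(c, BROADCAST))
    results["A->C forwarded"] = sw.receive("gi0/1", Frame(a, c))
    return results


def forced_forwarding_scenario() -> Dict[str, Set[str]]:
    """Customer ports gi0/1 and gi0/2, uplink gi0/24 towards the L3 gateway."""
    sw = Bridge(ports=["gi0/1", "gi0/2", "gi0/24"], uplink="gi0/24")
    cust1, cust2 = "00:00:00:00:00:01", "00:00:00:00:00:02"
    gateway = "00:00:00:00:00:fe"
    results: Dict[str, Set[str]] = {}
    # A customer's ARP broadcast reaches only the gateway, never its neighbour.
    results["cust1 broadcast"] = sw.receive("gi0/1", Frame(cust1, BROADCAST))
    sw.receive("gi0/2", Frame(cust2, BROADCAST))
    # Even with cust2 in the MAC table, cust1's frame still goes to the uplink.
    results["cust1->cust2"] = sw.receive("gi0/1", Frame(cust1, cust2))
    # Traffic from the gateway follows the MAC table as usual.
    results["gateway->cust2"] = sw.receive("gi0/24", Frame(gateway, cust2))
    return results


if __name__ == "__main__":
    for name, egress in {**hub_behind_port_scenario(),
                         **forced_forwarding_scenario()}.items():
        print(f"{name:18s} -> {sorted(egress) if egress else 'dropped'}")
```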
From lists at hojmark.org Tue Jul 29 17:08:15 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Tue, 29 Jul 2008 23:08:15 +0200
Subject: [c-nsp] 7603-S
In-Reply-To: <6bb5f5b10807272009le65c4ecufb341ff83ceea4b@mail.gmail.com>
References: <6bb5f5b10807272009le65c4ecufb341ff83ceea4b@mail.gmail.com>
Message-ID: <0768C11287A249579FB2548B251E2DEB@hojmark.net>

> CCO datasheets weren't helpful where a 7603-S can or cannot
> - Be ordered with Advanced IP Services IOS

Yes

> - Be ordered with AC power

No.

> - Be ordered with a XL sup (either SUP720-3BXL or RSP720-3CXL)

Yes, both.

The 7604 is the same price and offers an additional slot.

-A

From brandon at sterling.net Tue Jul 29 16:46:49 2008
From: brandon at sterling.net (Brandon Price)
Date: Tue, 29 Jul 2008 13:46:49 -0700
Subject: [c-nsp] OC48 with 6513?

Guys,

Looking for some general pointers on what gear I should be looking at.

We are starting a new POP and there is a local fiber provider that can hand us EITHER 1GB ethernet or OC48.

My question is, what gear would I need to terminate the OC48 into our existing CAT6513 SUP720-3B?

Would I need a Packet Over Sonet interface to take full advantage of the link?

Also what type of lower end router could I buy for the POP that could terminate the OC48 and handle channelized DS3s for customer connections?

The reason we are considering OC48 over 1GBE is that the monthly cost is the same and we could make use of the extra bandwidth.

I am fairly clueless when it comes to SONET stuff, so your assistance is appreciated.

Thanks

Brandon

From cisco.ssn at gmail.com Tue Jul 29 17:55:05 2008
From: cisco.ssn at gmail.com (Shaun)
Date: Wed, 30 Jul 2008 05:55:05 +0800
Subject: [c-nsp] CBWFQ question
Message-ID: <7993134a0807291455y7f760783v5a4ec39ca191b145@mail.gmail.com>

Does removing or adding CBWFQ on an interface drop the link? Or does it depend on traffic levels?
Type of interface? I have had opinions both ways.

From philxor at gmail.com Tue Jul 29 18:43:43 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 29 Jul 2008 18:43:43 -0400
Subject: [c-nsp] OC48 with 6513?

To terminate the OC48 you are looking at a SIP-400/OC48 POS card, which would run you close to $40k at discount. There are some OC48->GigE transceiver type devices that may run you a bit cheaper, but you still need one on each end.

You could use a 7304 I believe to terminate the OC48 and customer connections. Otherwise you could look at a Juniper M10i.

Phil

From RTeller at deltadentalwa.com Tue Jul 29 18:49:14 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 29 Jul 2008 15:49:14 -0700
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <20080729184001.GD17128@ronin.4ever.de>
References: <20080729184001.GD17128@ronin.4ever.de>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>

I am working on implementing two 6509 chassis setup using vss and ace/fwsm modules. Anyone know of any good books for the ACE and FWSM modules?

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From tvarriale at comcast.net Tue Jul 29 19:10:36 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 29 Jul 2008 18:10:36 -0500
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
Message-ID: <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v>

Sorry, VSS and those modules are not supported yet.

The ACE and FWSM blades are somewhat complex. I would recommend piggy-backing on someone that has experience.

tv

----- Original Message -----
From: "Teller, Robert"
Sent: Tuesday, July 29, 2008 5:49 PM
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????

> I am working on implementing two 6509 chassis setup using vss and
> ace/fwsm modules. Anyone know of any good books for the ACE and FWSM
> modules?
>
> #########################################################
> The information contained in this e-mail and subsequent attachments may be
> privileged, confidential and protected from disclosure.
From ptimmins at clearrate.com Tue Jul 29 18:27:31 2008
From: ptimmins at clearrate.com (Paul G. Timmins)
Date: Tue, 29 Jul 2008 18:27:31 -0400
Subject: [c-nsp] CBWFQ question
In-Reply-To: <7993134a0807291455y7f760783v5a4ec39ca191b145@mail.gmail.com>

I just tried it on a 7206 VXR running 12.4 on an NPE-400, on a frame relay T1 interface with a ping running, and there was no change in packet loss or delay on addition or removal. I don't seem to ever have had it cause any drops or resets on T1s or FastEthernet on the 7206 VXR platform. YMMV.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun
Sent: Tuesday, July 29, 2008 5:55 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CBWFQ question

Does removing or adding CBWFQ on an interface drop the link? Or does it depend on traffic levels? Type of interface? I have had opinions both ways.

From RTeller at deltadentalwa.com Tue Jul 29 19:19:53 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 29 Jul 2008 16:19:53 -0700
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E63@tiger.deltadentalwa.com>

Yeah, I am going to have a contractor come in for a day to work on some of the best-practices type stuff, but was looking for a book to read on the side.

From tvarriale at comcast.net Tue Jul 29 19:27:00 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 29 Jul 2008 18:27:00 -0500
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E63@tiger.deltadentalwa.com>
Message-ID: <006f01c8f1d2$9a350010$f211a8c0@flamwsugsmul5v>

If you want something somewhat Cisco-centric, the Networkers slides on the ACE blades are ok. They cover some nice basics about load balancing and about the ACE blades.

For FWSM, the Cisco docs are decent. The code is almost the same as on the PIX/ASA, so the Cisco Press firewall book would do well.

tv

From RTeller at deltadentalwa.com Tue Jul 29 19:40:25 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 29 Jul 2008 16:40:25 -0700
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <006f01c8f1d2$9a350010$f211a8c0@flamwsugsmul5v>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E63@tiger.deltadentalwa.com> <006f01c8f1d2$9a350010$f211a8c0@flamwsugsmul5v>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E65@tiger.deltadentalwa.com>

My plan is to collapse my core switch (3750), PIX, and CSS devices into two 6509s with the FWSM/ACE/Gig-E modules. I am just trying to decide the best way to segregate the internal LAN and middle-tier DMZs.

From christian at broknrobot.com Tue Jul 29 20:00:47 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 29 Jul 2008 20:00:47 -0400
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>

I found some of the docs on cisco.com to be pretty useful.

ACE
http://www.cisco.com/en/US/products/ps6906/tsd_products_support_model_home.html

FWSM
http://www.cisco.com/en/US/products/hw/modules/ps2706/ps4452/tsd_products_support_model_home.html

The virtualization design guide should be able to give you some ideas to start from.

As Tony mentioned, the FWSM is similar to ASA/PIX code. The Cisco Press book is decent; I found it very basic. Unfortunately the full FWSM book doesn't come out until, I think, September.
From Bryan.Welch at digeo.com Tue Jul 29 20:17:36 2008
From: Bryan.Welch at digeo.com (Bryan Welch)
Date: Tue, 29 Jul 2008 17:17:36 -0700
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com> <A92EAF652EC423438D55C14C60771C87CF3A9E@exchgsrv.NPUTILITIES.local>
Message-ID: <7B98C6D193FB964A9BF956356ACCBCC8ABC595@digeo-mail1.digeo.com>

Jason, what method are you using for the IPSec tunnel, PTP or EZvpn?

Bryan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Gurtz
Sent: Tuesday, July 29, 2008 1:19 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IPsec Throughput on Cisco 800 series routers

> Greetings, anyone have any 800 series routers deployed to remote sites
> to terminate vpn tunnels? We have an 871 deployed to a remote
> location/country that we are experiencing some throughput issues with.

We have some out there. They seem to have no problem saturating the ~600Kb of upload bandwidth we have on a PPPoE ADSL line. Our traffic is primarily live video, no VoIP so far...

~JasonG

--

From MLouis at nwnit.com Tue Jul 29 21:18:53 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Tue, 29 Jul 2008 21:18:53 -0400
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????

Last time I checked, the 3750 did not support the PAgP extensions for VSS. You would get an STP loop if you tried. Has this support changed?
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From RTeller at deltadentalwa.com Tue Jul 29 22:06:33 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 29 Jul 2008 19:06:33 -0700
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E66@tiger.deltadentalwa.com>

I will be replacing the 3750 with the 6509s.

From pshuleski at gmail.com Tue Jul 29 22:43:21 2008
From: pshuleski at gmail.com (Pete S.)
Date: Tue, 29 Jul 2008 22:43:21 -0400
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
In-Reply-To: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com>
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com>
Message-ID: <50f158990807291943n27d8ce97v5162585d68ea497c@mail.gmail.com>

During our IPsec testing (best-case scenario, back-to-back encrypted tunnel, adjusted MSS of 1436 bytes) we were pushing about 20Mbps with FTP traffic. Adjusting MTU down to 64 bytes, I believe we were, understandably so, only reaching about 6-8Mbps. Still more than enough to saturate most DSL, and some cable, connections. The router CPU was of course at or near maxed out during both tests. CBWFQ also held out extremely well in the tests, although I cannot remember specifics, just that the call did not drop or get choppy. I think the throughput speeds were similar.

The 871 is our standard remote client hardware VPN solution, and we haven't had any issues yet. If you aren't maxing out the CPU, you're probably not having a throughput issue.

On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch wrote:
> Greetings, anyone have any 800 series routers deployed to remote sites
> to terminate vpn tunnels? We have an 871 deployed to a remote
> location/country that we are experiencing some throughput issues with.
>
> Router seems to handle the traffic just fine, no errors what so ever.
>
> TIA,
>
> Bryan

From soonkian.wong at gmail.com Tue Jul 29 22:51:30 2008
From: soonkian.wong at gmail.com (Soon Kian)
Date: Wed, 30 Jul 2008 10:51:30 +0800
Subject: [c-nsp] MPLS multilink MTU
Message-ID: <371cac6a0807291951n12d6e948p6a1b25b38c9a3278@mail.gmail.com>

Hi Guys,

Wondering if anyone has met with such a problem before?

a. Setup: MPLS PE - MPLS PE (using 2 x E1 with MLPPP multilink)
b. If only 1 x E1 is in the bundle, I could ping vrf with DF set up to 1500. However, when both E1s are in the multilink, I could only ping up to 1496.
c. IOS: c7200-jk9s-mz.124-18.bin
d. E1 Controller: PA-MC-8E1/120

Configuration:

    interface Multilink11
     ip address x.x.x.x
     no ip redirects
     no ip proxy-arp
     carrier-delay 10
     mpls label protocol ldp
     mpls ip
     mpls mtu 1600
     no cdp enable
     ppp multilink
     ppp multilink group 11
     no clns route-cache
    !
    interface Serial1/7:0
     bandwidth 2048
     ip address x.x.x.x 255.255.255.252
     encapsulation ppp
     ppp multilink
     ppp multilink group 11
     no clns route-cache
    !
    interface Serial2/5:0
     bandwidth 2048
     ip address x.x.x.x 255.255.255.252
     encapsulation ppp
     no fair-queue
     ppp multilink
     ppp multilink group 11
     no clns route-cache

    router>sh ppp multilink
    Bundle up for 19:47:41, total bandwidth 4096, load 42/255
      Receive buffer limit 24000 bytes, frag timeout 1000 ms
      0/0 fragments/bytes in reassembly list
      37 lost fragments, 122838 reordered
      632/475896 discarded fragments/bytes, 0 lost received
      0x203DB4 received sequence, 0x16EF7F sent sequence
      Member links: 2 active, 0 inactive (max not set, min not set)
        Se2/5:0, since 19:47:52
        Se1/7:0, since 19:47:49

From frnkblk at iname.com Tue Jul 29 22:56:04 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Tue, 29 Jul 2008 21:56:04 -0500
Subject: [c-nsp] IOS SLB support
In-Reply-To:
<67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com>
References: <000501c80f72$d3245080$280a0a0a@hojmark.net> <67F7C1FAF83A074AA3520D8F155782A57CCD11@xmb-ams-331.emea.cisco.com>

It looks like IOS SLB support for the RSP720s made it into the SRC code line:
http://www.cisco.com/en/US/docs/ios/ipapp/configuration/guide/ipapp_slb.html

We just upgraded to SRB4 a month ago on TAC's advice to see if it resolves an intermittent (once every few months) critical bug. If we can upgrade to SRC and save ourselves $10K+ in redundant load balancers (traffic rates would be 2-4 Mbps), I would like to do that, but if SRC is generally "too new", then perhaps I need to reconsider.

My initial design calls for two servers, each with two virtual machines. The first VM on the first server would be running the same services as the first VM on the second server. I would like each VM to communicate both directly to the other 3 VMs and also to the SLB. Based on my research, it looks like I need to run dispatch mode, but not only that, put each VM on a server on different networks. Do I need to set up a trunk to the virtual server host and break out there, or can I just assign a secondary network to each VLAN?

                     _____ A-1   A-2
                    /
      hosts---7609-S
                    \_____ B-1   B-2

A-1 and B-1 mirror each other, and so do A-2 and B-2. A-1 and B-1 need to be able to talk to the virtual IP that balances between A-2 and B-2, and the hosts need to talk to the virtual IP that balances A-1 and B-1 and the other virtual IP that balances A-2 and B-2.

Frank

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Wednesday, October 17, 2007 2:46 AM
To: Asbjorn Hojmark - Lists; frnkblk at iname.com
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IOS SLB support

Asbjorn,

From what I know it is planned for the next SR release (SRC).
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Asbjorn Hojmark - Lists
Sent: Monday, October 15, 2007 23:32 PM
To: frnkblk at iname.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IOS SLB support

> I'm running c7600rsp72043-advipservicesk9-mz.122-33.SRB1 on a 7609-S
> with the RSP720 and PFC3C. Any idea when I'll see SLB support?

It is my understanding that there will never be IOS SLB on the RSP720. Have you been told otherwise? It sure isn't supported today, re. http://tinyurl.com/2f4mqc.

> And is SLB without Cisco's Content Services module truly switch in
> software, or does the PFC3C now deal with that in hardware?

The CSM works its magic using network processors on the module, but it's still configured from IOS, close to the same config as with IOS SLB. However, the CSMs are not supported in 12.2 SR. A later release should add RSP720 support for the ACE, which also works on network processors (though much faster than the CSM), but is configured from a separate (IOS-like) command line.

-A

From MLouis at nwnit.com Tue Jul 29 22:56:37 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Tue, 29 Jul 2008 22:56:37 -0400
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????

When you have the VSS core, what will you attach to it from the dist/access layers? How will they attach to the VSS core?
I will be replacing the 3750 with the 6509's -----Original Message----- From: Mike Louis [mailto:MLouis at nwnit.com] Sent: Tuesday, July 29, 2008 6:19 PM To: Teller, Robert; Tony Varriale; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? Last time I checked the 3750 did not support the pagp extensions for vss. You would get an stp loop if you tried. Has this support changed? -----Original Message----- From: Teller, Robert Sent: Tuesday, July 29, 2008 7:42 PM To: Tony Varriale ; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? My plan is to collapse my core switch(3750), pix, and css devices into two 6509's with the fwsm/ace/Gig-e modules. I am just trying to decide the best way to segregate the internal lan and middle tier dmz's. -----Original Message----- From: Tony Varriale [mailto:tvarriale at comcast.net] Sent: Tuesday, July 29, 2008 4:27 PM To: Teller, Robert; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? If you want something somewhat Cisco centric, the Networkers slides on the ACE blades are ok. They cover some nice basics about load balancing and about the ACE blades. For FWSM, the Cisco docs are decent. The code is almost the same as on the pix/asa. So the Cisco Press firewall book would do well. tv ----- Original Message ----- From: "Teller, Robert" To: "Tony Varriale" ; Sent: Tuesday, July 29, 2008 6:19 PM Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? Yeah I am going to have a contractor come in for a day to work on some of the best practices type stuff but was looking for a book to read on the side. -----Original Message----- From: Tony Varriale [mailto:tvarriale at comcast.net] Sent: Tuesday, July 29, 2008 4:11 PM To: Teller, Robert; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? Sorry, VSS and those modules are not supported yet. The ACE and FWSM blades are somewhat complex. 
I would recommend piggy-backing on someone that has experience. tv ----- Original Message ----- From: "Teller, Robert" To: Sent: Tuesday, July 29, 2008 5:49 PM Subject: [c-nsp] 6509 ACE/FWSM Modules?????????? >I am working on implementing two 6509 chassis setup using vss and > ace/fwsm modules. Anyone know of any good books for the ACE and FWSM > modules? > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. > ######################################################### > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. 
From rodunn at cisco.com Tue Jul 29 22:57:42 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 29 Jul 2008 22:57:42 -0400
Subject: [c-nsp] CBWFQ question
In-Reply-To: <7993134a0807291455y7f760783v5a4ec39ca191b145@mail.gmail.com>
References: <7993134a0807291455y7f760783v5a4ec39ca191b145@mail.gmail.com>
Message-ID: <20080730025742.GG10966@rtp-cse-489.cisco.com>

I've seen it before where it does, when the chipset resets the driver when, say, the tx ring is adjusted. For all that I can remember, we were able to work around that to prevent the link flap with some code changes. Read: ideally we don't want to flap the interface and cause a reconvergence event for routing. To expect no packet loss is unrealistic if you have to reset the tx ring.

Rodney

On Wed, Jul 30, 2008 at 05:55:05AM +0800, Shaun wrote:
> Does removing or adding CBWFQ on an interface drop the link? Or does it
> depend on traffic levels? Type of interface? I have had opinions both ways.
From whisper555 at gmail.com Tue Jul 29 23:02:26 2008
From: whisper555 at gmail.com (Whisper)
Date: Wed, 30 Jul 2008 13:02:26 +1000
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
In-Reply-To: <50f158990807291943n27d8ce97v5162585d68ea497c@mail.gmail.com>
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com> <50f158990807291943n27d8ce97v5162585d68ea497c@mail.gmail.com>
Message-ID: <5333e1040807292002o11fc1cd6l875efdd40bc0bd16@mail.gmail.com>

Funny thing about the 87x series.

Quite often the objective stats say you have maxed everything out, but the subjective end user experience never seems to indicate any CPU shortage at all.

Is that how other people see this series operating in the real world?

On Wed, Jul 30, 2008 at 12:43 PM, Pete S. wrote:
> During our ipsec testing (best case scenario, back to back encrypted
> tunnel, adjusted MSS of 1436 bytes) we were pushing about 20Mbps with
> ftp traffic. Adjusting MTU down to 64 bytes, I believe we were,
> understandably so, only reaching about 6-8Mbps. Still more than
> enough to saturate most DSL, and some cable connections. The router
> CPU was of course at or near maxed out during both tests. CBWFQ also
> held out extremely well in the tests, although I cannot remember
> specifics, just that the call did not drop or get choppy. I think the
> throughput speeds were similar.
>
> The 871 is our standard remote client hardware VPN solution, and we
> haven't had any issues yet. If you aren't maxing out the CPU, you're
> probably not having a throughput issue.
>
> On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch wrote:
> > Greetings, anyone have any 800 series routers deployed to remote sites
> > to terminate vpn tunnels?
> > We have an 871 deployed to a remote
> > location/country that we are experiencing some throughput issues with.
> >
> > Router seems to handle the traffic just fine, no errors whatsoever.
> >
> > TIA,
> >
> > Bryan

From whisper555 at gmail.com Tue Jul 29 23:04:31 2008
From: whisper555 at gmail.com (Whisper)
Date: Wed, 30 Jul 2008 13:04:31 +1000
Subject: [c-nsp] Is proxy-arp evil?
In-Reply-To: <20080729184001.GD17128@ronin.4ever.de>
References: <20080729184001.GD17128@ronin.4ever.de>
Message-ID: <5333e1040807292004y5950eeb3h279bbcb26467f437@mail.gmail.com>

Elmi

There was a big discussion on this list about proxy-arp several months ago. Do a search for the forums that keep this in forum format to read up about it. I think you will find the discussions educational. :)

On Wed, Jul 30, 2008 at 4:40 AM, Elmar K. Bins wrote:
> Hi knowledgeable fellows,
>
> I think I should bounce this off the people on this list before
> I shoot myself in the foot...
>
> My setup looks like this:
>
>                                   +--- [Server]
> [ISP]---| a.b.c.d/28 |--[Router]--+--- [Server]
>                                   +--- [Server]
>
> Access network to the ISP is a.b.c.d/28, transfer network between
> "Router" (a WS-3750G in L3 mode) and Servers is something else (think
> 192.168.1.0/24) with every server having a unique address on that
> transfer network (like .2, .3 and .4).
>
> Every server also has one address from the access network, called
> "service address" on a loopback/dummy and the router is configured
> with static routes for that service address to each of the servers'
> transfer addresses:
>
> 3750#show run | i relevant
> !
> interface vlan 10
>  description OUTSIDE
>  ip address a.b.c.+2 255.255.255.240
> !
> interface vlan 11
>  description INSIDE
>  ip address 192.168.1.1 255.255.255.0
> !
> ip route 0.0.0.0 0.0.0.0 a.b.c.+1
> ip route a.b.c.+3 255.255.255.255 192.168.1.2
> ip route a.b.c.+3 255.255.255.255 192.168.1.3
> ip route a.b.c.+3 255.255.255.255 192.168.1.4
> !
> ip cef
> ip cef load-sharing algorithm tunnel
>
> This setup does work flawlessly as long as the service address is not
> from the ISP transfer block. CEF does a pretty good balancing job to
> the inside, the forwarding on a 3750 is not bad either.
>
> As soon as the service address is from the transfer block, I need to
> make traffic happen towards the routing system to be able to push
> it further (and control the routing).
>
> The solution I do see is to use
>
> interface vlan 11
>  ip local-proxy-arp
>
> on the inside interface.
>
> In my lab environment this seems to work flawlessly, but maybe I am
> overlooking an obvious alternative solution (renumbering the entire
> setup and adding a transfer network is not an option in the short run).
>
> Am I being st00pid? Is that how one is supposed to do it? Is there
> a way around proxy-arp (which I frankly never liked)?
>
> Any ideas/thoughts...
> Elmi.
>
> --
>
> "Limping is not a flaw of a comparison, but should be regarded as an
> essential property of comparisons."
> (Marius Fränzel in desd)
>
> --------------------------------------------------------------[ ELMI-RIPE ]---

From rodunn at cisco.com Tue Jul 29 23:04:23 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 29 Jul 2008 23:04:23 -0400
Subject: [c-nsp] MPLS multilink MTU
In-Reply-To: <371cac6a0807291951n12d6e948p6a1b25b38c9a3278@mail.gmail.com>
References: <371cac6a0807291951n12d6e948p6a1b25b38c9a3278@mail.gmail.com>
Message-ID: <20080730030423.GH10966@rtp-cse-489.cisco.com>

Soon,

I haven't done this myself but I've seen discussions around it before. From what I remember it has to do with the MRRU negotiated values.

Check 'debug ppp negotiation' and let's see what we negotiated for MRU.

Also, it's best not to use the "mpls mtu" command anymore and always set the physical MTU on the interface to account for the MPLS and/or tunnel overhead.

CSCdj40945
PPP multilink MRRU value is not configurable

added the support for the:

[no] ppp multilink mrru remote [num]
and
[no] ppp multilink mrru local [num]

commands.

See if that helps and let me know.

Rodney

On Wed, Jul 30, 2008 at 10:51:30AM +0800, Soon Kian wrote:
> Hi Guys,
>
> Wondering if anyone has met with such a problem before?
>
> a. Setup: MPLS PE - MPLS PE (using 2 x E1 with mlppp multilink)
> b. If only 1 x E1 is in the bundle, I could ping vrf up to 1500 df. However when
>    both E1 are in the multilink, I could only ping up to 1496
> c. IOS: c7200-jk9s-mz.124-18.bin
> d. E1 Controller: PA-MC-8E1/120
>
> Configuration:
>
> interface Multilink11
>  ip address x.x.x.x
>  no ip redirects
>  no ip proxy-arp
>  carrier-delay 10
>  mpls label protocol ldp
>  mpls ip
>  mpls mtu 1600
>  no cdp enable
>  ppp multilink
>  ppp multilink group 11
>  no clns route-cache
>
> interface Serial1/7:0
>  bandwidth 2048
>  ip address x.x.x.x 255.255.255.252
>  encapsulation ppp
>  ppp multilink
>  ppp multilink group 11
>  no clns route-cache
>
> interface Serial2/5:0
>  bandwidth 2048
>  ip address x.x.x.x 255.255.255.252
>  encapsulation ppp
>  no fair-queue
>  ppp multilink
>  ppp multilink group 11
>  no clns route-cache
>
> router>sh ppp multilink
> Bundle up for 19:47:41, total bandwidth 4096, load 42/255
> Receive buffer limit 24000 bytes, frag timeout 1000 ms
> 0/0 fragments/bytes in reassembly list
> 37 lost fragments, 122838 reordered
> 632/475896 discarded fragments/bytes, 0 lost received
> 0x203DB4 received sequence, 0x16EF7F sent sequence
> Member links: 2 active, 0 inactive (max not set, min not set)
>  Se2/5:0, since 19:47:52
>  Se1/7:0, since 19:47:49

From rodunn at cisco.com Tue Jul 29 23:08:26 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 29 Jul 2008 23:08:26 -0400
Subject: [c-nsp] 7204 NPE Bus Error
In-Reply-To: <4888E850.8000900@networkoblivion.com>
References: <4888E850.8000900@networkoblivion.com>
Message-ID: <20080730030826.GI10966@rtp-cse-489.cisco.com>

I decoded the tracebacks and they point to the buffer allocation routines if it's the right version listed.

What boot image do you have in bootflash?

Does it do the same thing if you erase the configuration and reboot it?
Rodney

On Thu, Jul 24, 2008 at 03:38:40PM -0500, Peder @ NetworkOblivion wrote:
> Does anybody know how to figure out what a bus error means
> on a 7204VXR with NPE300? We have one that works fine for
> about 2 weeks and then it crashes. If you reboot it, it
> goes in an endless bus error loop. If you leave it off and
> fiddle with the cards, memory, etc and re-seat it all,
> eventually it will boot, but this sometimes takes days to
> get in there.
>
> There is a link on cisco.com titled Troubleshooting Bus
> Error Crashes, but it isn't really much help.
>
> It gets an error during the bootstrap and then another
> error upon loading IOS and then just loops 2 or 3 times
> before freezing. There is an entry that says "possible
> software fault", but I can't imagine that is the case as
> there are errors before it even gets to IOS. Here is the
> log from a fresh boot.
>
> System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
> Copyright (c) 1994-1999 by cisco Systems, Inc.
> C7200 platform with 262144 Kbytes of main memory
>
> Self decompressing the image : ######################################## [OK]
>
> === Flushing messages () ===
>
> *** System received a Bus Error exception ***
> signal= 0xa, code= 0x1c, context= 0x6087a8d0
> PC = 0x60362a38, Cause = 0x4020, Status Reg = 0x34008002
>
> System Bootstrap, Version 12.0(19990210:195103) [12.0XE 105], DEVELOPMENT SOFTWARE
> Copyright (c) 1994-1999 by cisco Systems, Inc.
> C7200 platform with 262144 Kbytes of main memory
>
> Self decompressing the image : ######################################## [OK]
>
>               Restricted Rights Legend
>
> Use, duplication, or disclosure by the Government is
> subject to restrictions as set forth in subparagraph
> (c) of the Commercial Computer Software - Restricted
> Rights clause at FAR sec. 52.227-19 and subparagraph
> (c) (1) (ii) of the Rights in Technical Data and Computer
> Software clause at DFARS sec. 252.227-7013.
>
>            cisco Systems, Inc.
>            170 West Tasman Drive
>            San Jose, California 95134-1706
>
> Cisco Internetwork Operating System Software
> IOS (tm) 7200 Software (C7200-IK9S-M), Version 12.3(26), RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by cisco Systems, Inc.
> Compiled Mon 17-Mar-08 19:27 by dchih
>
> : Data Bus Error exception, CPU signal 10, PC = 0x61F3F138
>
> --------------------------------------------------------------------
> Possible software fault. Upon reccurence, please collect
> crashinfo, "show tech" and contact Cisco Technical
> Support.
> --------------------------------------------------------------------
>
> -Traceback= 61F3F138 607F41D4 607F431C 607F2E98 607EEF60 607E9F68 60783190 607FC398 6088E990
>             60782F90 60714030 60714470 607DDC94 607DDC78
> $0 : 00000000, AT : 632E0000, v0 : 0000000B, v1 : 63670000
> a0 : 20000000, a1 : 63686A88, a2 : 00000028, a3 : 622AF9CC
> t0 : 00000000, t1 : 00000000, t2 : 00000008, t3 : 00000008
> t4 : 00000000, t5 : 639224AC, t6 : 639224A8, t7 : 639224A4
> s0 : 00000009, s1 : 20000000, s2 : 63686A84, s3 : 00000000
> s4 : 63686A84, s5 : 63434878, s6 : 00000024, s7 : 00000021
> t8 : 639224EC, t9 : 00000000, k0 : 3040D001, k1 : BE840244
> gp : 632EE318, sp : 638F9138, s8 : 62280000, ra : 607F41D4
> EPC : 61F3F138, ErrorEPC : FE9A6CDB, SREG : 3400C103
> MDLO : 00000009, MDHI : 00000010, BadVaddr : 3E665C36
> DATA_START : 0x61F4DEF0
> Cause 0000401C (Code 0x7): Data Bus Error exception
>
> === Flushing messages () ===
>
> *** System received a Bus Error exception ***
> signal= 0xa, code= 0x1c, context= 0x636a2c04
> PC = 0x60815e38, Cause = 0x4020, Status Reg = 0x34008002

From rodunn at cisco.com Tue Jul 29 23:12:03 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 29 Jul 2008 23:12:03 -0400
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
In-Reply-To: <5333e1040807292002o11fc1cd6l875efdd40bc0bd16@mail.gmail.com>
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com> <50f158990807291943n27d8ce97v5162585d68ea497c@mail.gmail.com> <5333e1040807292002o11fc1cd6l875efdd40bc0bd16@mail.gmail.com>
Message-ID: <20080730031203.GJ10966@rtp-cse-489.cisco.com>

Unless you have a lot of LAN2LAN traffic or have a very fast WAN connection to it with a lot of features it's pretty unlikely that an end user performance complaint
is coming from the device being "overloaded". It's probably something like packets being punted to process level, fragmentation (#1 issue in tunnel environments), packet loss somewhere along the path, etc.

Rodney

On Wed, Jul 30, 2008 at 01:02:26PM +1000, Whisper wrote:
> Funny thing about the 87x series
>
> Quite often the objective stats say you have maxed everything out, but the
> subjective end user experience never seems to indicate any CPU shortage at
> all.
>
> Is that how other people see how this series operates in the real world?
>
> On Wed, Jul 30, 2008 at 12:43 PM, Pete S. wrote:
>
> > During our ipsec testing (best case scenario, back to back encrypted
> > tunnel, adjusted MSS of 1436 bytes) we were pushing about 20Mbps with
> > ftp traffic. Adjusting MTU down to 64 bytes, I believe we were,
> > understandably so, only reaching about 6-8Mbps. Still more than
> > enough to saturate most DSL, and some cable connections. The router
> > CPU was of course at or near maxed out during both tests. CBWFQ also
> > held out extremely well in the tests, although I cannot remember
> > specifics, just that the call did not drop or get choppy. I think the
> > throughput speeds were similar.
> >
> > The 871 is our standard remote client hardware VPN solution, and we
> > haven't had any issues yet. If you aren't maxing out the CPU, you're
> > probably not having a throughput issue.
> >
> > On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch wrote:
> > > Greetings, anyone have any 800 series routers deployed to remote sites
> > > to terminate vpn tunnels? We have an 871 deployed to a remote
> > > location/country that we are experiencing some throughput issues with.
> > >
> > > Router seems to handle the traffic just fine, no errors whatsoever.
> > >
> > > TIA,
> > >
> > > Bryan

From justin at justinshore.com Tue Jul 29 23:19:17 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 29 Jul 2008 22:19:17 -0500
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
Message-ID: <488FDDB5.1060200@justinshore.com>

Teller, Robert wrote:
> I am working on implementing two 6509 chassis setup using vss and
> ace/fwsm modules. Anyone know of any good books for the ACE and FWSM
> modules?

I found the "Cisco ASA, PIX, and FWSM Firewall Handbook" to be a fair book. Granted it's not perfect, but if you want to get your feet wet on the FWSM then that's a good start. I found it very useful when we got our first FWSMs.

http://tinyurl.com/5qwe58

As far as the ACEs go I'm not aware of any books on them. I have 2 and still haven't got them in production.
Best of luck,
Justin

From brett at looney.id.au Tue Jul 29 21:52:14 2008
From: brett at looney.id.au (Brett Looney)
Date: Wed, 30 Jul 2008 09:52:14 +0800
Subject: [c-nsp] CBWFQ question
In-Reply-To:
References: <7993134a0807291455y7f760783v5a4ec39ca191b145@mail.gmail.com>
Message-ID: <000001c8f1e6$ec388bc0$c4a9a340$@id.au>

> Does removing or adding CBWFQ on an interface drop the link? Or does
> it depend on traffic levels? Type of interface? I have had opinions
> both ways.

Highly platform, interface and IOS version specific. It does in some cases and not in others. For situations where it does drop the link it generally does so when being added and not being removed, although there are some exceptions. I've also seen situations where the link doesn't drop but traffic forwarding stops for a few seconds.

Kinda makes you nervous when doing it on remote routers...

B.

From jonvoip at gmail.com Wed Jul 30 01:01:06 2008
From: jonvoip at gmail.com (Jonathan Charles)
Date: Wed, 30 Jul 2008 00:01:06 -0500
Subject: [c-nsp] Need a Primer on WCCP / Web Hijacking
Message-ID: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com>

Cust has access points open to the public; they need to hijack the web requests and take them to a web page where they enter a security code, and then allow them...

So, I need to integrate this with some form of ACS (still finding out) and a web server...

I think WCCP will do it, just looking for a primer to start me off...
TIA

Jonathan

From brett at looney.id.au Wed Jul 30 01:34:48 2008
From: brett at looney.id.au (Brett Looney)
Date: Wed, 30 Jul 2008 13:34:48 +0800
Subject: [c-nsp] Need a Primer on WCCP / Web Hijacking
In-Reply-To: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com>
References: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com>
Message-ID: <006501c8f205$ff0c3ed0$fd24bc70$@id.au>

> Cust has access points open to the public; they need to hijack the
> web requests and take them to a web page where they enter a security
> code, and then allow them... So, I need to integrate this with
> some form of ACS (still finding out) and a web server...

You might also check out IP auth-proxy:

http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml

B.

From tseveendorj at gmail.com Wed Jul 30 01:46:33 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Wed, 30 Jul 2008 13:46:33 +0800
Subject: [c-nsp] Q.931 disconnect problem
Message-ID: <62c908120807292246u4a739f86l47d525fa0950b8bc@mail.gmail.com>

Hi guys,

This gateway is used for call termination. I have found the following log on my gateway. These come from debug isdn q931.

Part of the entire log:

Cause i = 0x8290 - Normal call clearing
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8090 - Normal call clearing
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x8491 - User busy
Cause i = 0x82E6 - Recovery on timer expiry
Cause i = 0x82E6 - Recovery on timer expiry
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x82E6 - Recovery on timer expiry
Cause i = 0x82E6 - Recovery on timer expiry
Cause i = 0x8491 - User busy
Cause i = 0x8090 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8090 - Normal call clearing
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x8491 - User busy
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8491 - User busy
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x8090 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8090 - Normal call clearing
Cause i = 0x8290 - Normal call clearing
Cause i = 0x8290 - Normal call clearing

My questions are:

1. What kind of reason causes the following errors to occur?
2. How to solve that?

Cause i = 0x809E - Response to STATUS ENQUIRY or number unassigned
Cause i = 0x82E6 - Recovery on timer expiry

Thanks for any help.

Best regards,
Tseveen.

From christian at broknrobot.com Wed Jul 30 02:10:28 2008
From: christian at broknrobot.com (Christian Koch)
Date: Wed, 30 Jul 2008 02:10:28 -0400
Subject: [c-nsp] Need a Primer on WCCP / Web Hijacking
In-Reply-To: <006501c8f205$ff0c3ed0$fd24bc70$@id.au>
References: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com> <006501c8f205$ff0c3ed0$fd24bc70$@id.au>
Message-ID:

WCCP should work. Google around for some example configs, there are plenty around, it is pretty straightforward. It is the overall solution that you will need to decide on, whatever will be the best fit for your problem/environment.

wccp on router > gre tunnel > squid box > auth to radius etc, whatever

or you may want to look into captive portals

On Wed, Jul 30, 2008 at 1:34 AM, Brett Looney wrote:
> > Cust has access points open to the public; they need to hijack the
> > web requests and take them to a web page where they enter a security
> > code, and then allow them... So, I need to integrate this with
> > some form of ACS (still finding out) and a web server...
>
> You might also check out IP auth-proxy:
>
> http://www.cisco.com/en/US/partner/products/sw/secursw/ps1018/products_configuration_example09186a0080094655.shtml
>
> B.
From soonkian.wong at gmail.com Wed Jul 30 02:34:41 2008
From: soonkian.wong at gmail.com (Soon Kian)
Date: Wed, 30 Jul 2008 14:34:41 +0800
Subject: [c-nsp] MPLS multilink MTU
In-Reply-To: <20080730030423.GH10966@rtp-cse-489.cisco.com>
References: <371cac6a0807291951n12d6e948p6a1b25b38c9a3278@mail.gmail.com> <20080730030423.GH10966@rtp-cse-489.cisco.com>
Message-ID: <371cac6a0807292334g7465ecfcx139b146eef1e7664@mail.gmail.com>

Hi Rodney

It works! After changing the physical interface MTU instead of using "mpls mtu xxx". I have attached the debug output before and after changing.

Before:

Jul 30 06:07:32.398: Se3/5:0 LCP: O CONFREQ [Listen] id 254 len 23
Jul 30 06:07:32.398: Se3/5:0 LCP:    MagicNumber 0x3C11DFE2 (0x05063C11DFE2)
Jul 30 06:07:32.398: Se3/5:0 LCP:    MRRU 1500 (0x110405DC)
Jul 30 06:07:32.398: Se3/5:0 LCP:    EndpointDisc 1 klp002 (0x1309016B6C70303032)

After:

Jul 30 06:21:53.827: Se4/7:0 PPP: Phase is ESTABLISHING, renegotiate LCP
Jul 30 06:21:53.827: Se4/7:0 LCP: O CONFREQ [Closed] id 28 len 23
Jul 30 06:21:53.827: Se4/7:0 LCP:    MagicNumber 0x3C1F0A9B (0x05063C1F0A9B)
Jul 30 06:21:53.827: Se4/7:0 LCP:    MRRU 1520 (0x110405F0)

Cheers
Soon Kian

On Wed, Jul 30, 2008 at 11:04 AM, Rodney Dunn wrote:
> Soon,
>
> I haven't done this myself but I've seen discussions around
> it before. From what I remember it has to do with the
> MRRU negotiated values.
>
> Check 'debug ppp negotiation' and let's see what
> we negotiated for MRU.
>
> Also, it's best not to use the "mpls mtu" command anymore
> and always set the physical MTU on the interface to
> account for the MPLS and/or tunnel overhead.
>
> CSCdj40945
> PPP multilink MRRU value is not configurable
>
> added the support for the:
>
> [no] ppp multilink mrru remote [num]
> and
> [no] ppp multilink mrru local [num]
>
> commands.
>
> See if that helps and let me know.
>
> Rodney
>
> On Wed, Jul 30, 2008 at 10:51:30AM +0800, Soon Kian wrote:
> > Hi Guys,
> >
> > Wondering if anyone has met with such a problem before?
> >
> > a. Setup: MPLS PE - MPLS PE (using 2 x E1 with mlppp multilink)
> > b. If only 1 x E1 is in the bundle, I could ping vrf up to 1500 df. However when
> >    both E1 are in the multilink, I could only ping up to 1496
> > c. IOS: c7200-jk9s-mz.124-18.bin
> > d. E1 Controller: PA-MC-8E1/120
> >
> > Configuration:
> >
> > interface Multilink11
> >  ip address x.x.x.x
> >  no ip redirects
> >  no ip proxy-arp
> >  carrier-delay 10
> >  mpls label protocol ldp
> >  mpls ip
> >  mpls mtu 1600
> >  no cdp enable
> >  ppp multilink
> >  ppp multilink group 11
> >  no clns route-cache
> >
> > interface Serial1/7:0
> >  bandwidth 2048
> >  ip address x.x.x.x 255.255.255.252
> >  encapsulation ppp
> >  ppp multilink
> >  ppp multilink group 11
> >  no clns route-cache
> >
> > interface Serial2/5:0
> >  bandwidth 2048
> >  ip address x.x.x.x 255.255.255.252
> >  encapsulation ppp
> >  no fair-queue
> >  ppp multilink
> >  ppp multilink group 11
> >  no clns route-cache
> >
> > router>sh ppp multilink
> > Bundle up for 19:47:41, total bandwidth 4096, load 42/255
> > Receive buffer limit 24000 bytes, frag timeout 1000 ms
> > 0/0 fragments/bytes in reassembly list
> > 37 lost fragments, 122838 reordered
> > 632/475896 discarded fragments/bytes, 0 lost received
> > 0x203DB4 received sequence, 0x16EF7F sent sequence
> > Member links: 2 active, 0 inactive (max not set, min not set)
> >  Se2/5:0, since 19:47:52
> >  Se1/7:0, since 19:47:49
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at
http://puck.nether.net/pipermail/cisco-nsp/ > From RTeller at deltadentalwa.com Wed Jul 30 02:58:14 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 29 Jul 2008 23:58:14 -0700 Subject: [c-nsp] 6509 ACE/FWSM Modules?????????? References: Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA07CDC2CF@tiger.deltadentalwa.com> I am going for a collapsed core design and using 4948's for top of rack access. ________________________________ From: Mike Louis [mailto:MLouis at nwnit.com] Sent: Tue 7/29/2008 7:56 PM To: Teller, Robert; Tony Varriale; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? When you have the vss core what will you attach to it from the dist\access layers? How will they attach to the vss core? -----Original Message----- From: Teller, Robert Sent: Tuesday, July 29, 2008 10:06 PM To: Mike Louis ; Tony Varriale ; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? I will be replacing the 3750 with the 6509's -----Original Message----- From: Mike Louis [mailto:MLouis at nwnit.com] Sent: Tuesday, July 29, 2008 6:19 PM To: Teller, Robert; Tony Varriale; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? Last time I checked the 3750 did not support the pagp extensions for vss. You would get an stp loop if you tried. Has this support changed? -----Original Message----- From: Teller, Robert Sent: Tuesday, July 29, 2008 7:42 PM To: Tony Varriale ; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? My plan is to collapse my core switch(3750), pix, and css devices into two 6509's with the fwsm/ace/Gig-e modules. I am just trying to decide the best way to segregate the internal lan and middle tier dmz's. -----Original Message----- From: Tony Varriale [mailto:tvarriale at comcast.net] Sent: Tuesday, July 29, 2008 4:27 PM To: Teller, Robert; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? 
If you want something somewhat Cisco centric, the Networkers slides on the ACE blades are ok. They cover some nice basics about load balancing and about the ACE blades. For FWSM, the Cisco docs are decent. The code is almost the same as on the pix/asa. So the Cisco Press firewall book would do well. tv ----- Original Message ----- From: "Teller, Robert" To: "Tony Varriale" ; Sent: Tuesday, July 29, 2008 6:19 PM Subject: RE: [c-nsp] 6509 ACE/FWSM Modules?????????? Yeah I am going to have a contractor come in for a day to work on some of the best practices type stuff but was looking for a book to read on the side. -----Original Message----- From: Tony Varriale [mailto:tvarriale at comcast.net] Sent: Tuesday, July 29, 2008 4:11 PM To: Teller, Robert; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 6509 ACE/FWSM Modules?????????? Sorry, VSS and those modules are not supported yet. The ACE and FWSM blades are somewhat complex. I would recommend piggy-backing on someone that has experience. tv ----- Original Message ----- From: "Teller, Robert" To: Sent: Tuesday, July 29, 2008 5:49 PM Subject: [c-nsp] 6509 ACE/FWSM Modules?????????? >I am working on implementing two 6509 chassis setup using vss and > ace/fwsm modules. Anyone know of any good books for the ACE and FWSM > modules? > > > > ######################################################### > The information contained in this e-mail and subsequent attachments may be > privileged, > confidential and protected from disclosure. This transmission is intended > for the sole > use of the individual and entity to whom it is addressed. If you are not > the intended > recipient, any dissemination, distribution or copying is strictly > prohibited. If you > think that you have received this message in error, please e-mail the > sender at the above > e-mail address. 
> #########################################################

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From gert at greenie.muc.de Wed Jul 30 03:13:21 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 30 Jul 2008 09:13:21 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E65@tiger.deltadentalwa.com>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <003a01c8f1d0$4fa90e30$f211a8c0@flamwsugsmul5v> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E63@tiger.deltadentalwa.com> <006f01c8f1d2$9a350010$f211a8c0@flamwsugsmul5v> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E65@tiger.deltadentalwa.com>
Message-ID: <20080730071321.GJ288@greenie.muc.de>

Hi,

On Tue, Jul 29, 2008 at 04:40:25PM -0700, Teller, Robert wrote:
> My plan is to collapse my core switch(3750), pix, and css devices into
> two 6509's with the fwsm/ace/Gig-e modules. I am just trying to decide
> the best way to segregate the internal lan and middle tier dmz's.

Our experience with 6500/7600 and IOS support makes this look like a bad plan. Due to "what do we care about our customers?" policy inside some Cisco BUs, you should be prepared to see sudden end-of-support for whatever hardware and software combination you want to use.

Historic precedence shows that all 6500/7600 blades that are not "ethernet based" have a fairly short life experience (or won't be supported in whatever chassis you have, you always need "the other one").

gert
--
USENET is *not* the non-clickable part of WWW!        //www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025               gert at net.informatik.tu-muenchen.de

From julien.leroiso at gmail.com Wed Jul 30 03:38:49 2008
From: julien.leroiso at gmail.com (julien leroiso)
Date: Wed, 30 Jul 2008 09:38:49 +0200
Subject: [c-nsp] 2950 L2 ?
Message-ID:

Hi

can someone confirm me that 2950 do or don't do L3 ?
I'll need to configure many vlan gateway on, but I don't remember if I can do it on that device.
thx

From julien.leroiso at gmail.com Wed Jul 30 03:43:11 2008
From: julien.leroiso at gmail.com (julien leroiso)
Date: Wed, 30 Jul 2008 09:43:11 +0200
Subject: [c-nsp] 2950 L2 ?
In-Reply-To:
References:
Message-ID:

Sorry the title should be : 2950 L3 ?

On Wed, Jul 30, 2008 at 9:38 AM, julien leroiso wrote:
> Hi
>
> can someone confirm me that 2950 do or don't do L3 ?
> I'll need to configure many vlan gateway on, but I don't remember if I can
> do it on that device.
>
> thx

From allan.eising at gmail.com Wed Jul 30 03:48:44 2008
From: allan.eising at gmail.com (Allan Eising)
Date: Wed, 30 Jul 2008 09:48:44 +0200
Subject: [c-nsp] 2950 L2 ?
In-Reply-To:
References:
Message-ID:

The 2950 switch is a Layer 2 switch, and does not do any Layer 3 switching.

On Wed, Jul 30, 2008 at 9:43 AM, julien leroiso wrote:
> Sorry the title should be : 2950 L3 ?
>
> On Wed, Jul 30, 2008 at 9:38 AM, julien leroiso wrote:
>
>> Hi
>>
>> can someone confirm me that 2950 do or don't do L3 ?
>> I'll need to configure many vlan gateway on, but I don't remember if I can
>> do it on that device.
>>
>> thx

--
Med venlig hilsen / Best regards
Allan Eising

From risnaini at indo.net.id Wed Jul 30 04:25:40 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 30 Jul 2008 15:25:40 +0700
Subject: [c-nsp] Need a Primer on WCCP / Web Hijacking
In-Reply-To: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com>
References: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com>
Message-ID: <48902584.2040301@indo.net.id>

Mikrotik with Hotspot Profile... for cheaper & fast solution

rgs
a. rahman isnaini rangkayo sutan

Jonathan Charles wrote:
> Cust has access points open to public, they need to hijack the web
> requests and take them a web page where they enter a security code,
> and then allow them... So, I need to integrate this with some form of
> ACS (still finding out) and a web server...
>
> I think WCCP will do it, just looking for a primer to start me off...
>
> TIA
>
> Jonathan

From spinthiras.mario at gmail.com Wed Jul 30 05:11:07 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Wed, 30 Jul 2008 12:11:07 +0300
Subject: [c-nsp] IPsec Throughput on Cisco 800 series routers
In-Reply-To: <20080730031203.GJ10966@rtp-cse-489.cisco.com>
References: <7B98C6D193FB964A9BF956356ACCBCC8ABC56D@digeo-mail1.digeo.com> <50f158990807291943n27d8ce97v5162585d68ea497c@mail.gmail.com> <5333e1040807292002o11fc1cd6l875efdd40bc0bd16@mail.gmail.com> <20080730031203.GJ10966@rtp-cse-489.cisco.com>
Message-ID: <4f890e580807300211h37819ba3g2804c71a3fbf90c3@mail.gmail.com>

Since it is PPPoE and IPSEC on the top then I would say play a little with your MTU since IPSEC and PPPoE demand a chunk from it. Then you have to consider the size of your encrypted packets. Do you do payload or datagram encryption (mode)?

A really good way I recently tuned an IPSEC tunnel was with the use of iperf. Iperf is a bandwidth test application that can test bandwidth on both ends with configurable variables of a connection (both tcp and udp).
I have a small article about this on my blog which can be found at : http://www.spinthiras.net/2008/07/03/link-bandwidth-testing/

Regards,
Mario

On Wed, Jul 30, 2008 at 6:12 AM, Rodney Dunn wrote:
> Unless you have a lot of LAN2LAN traffic or have a
> very fast WAN connection to it with a lot of features
> it's pretty unlikely that an end user performance complaint
> is coming from the device being "overloaded".
>
> It's probably something like packets being punted
> to process level, fragmentation (#1 issue in tunnel
> environments), packet loss somewhere along the path,
> etc.
>
> Rodney
>
> On Wed, Jul 30, 2008 at 01:02:26PM +1000, Whisper wrote:
> > Funny thing about the 87x series
> >
> > Quite often the objective stats say you have maxed everything out, but the
> > subjective end user experience never seems to indicate any CPU shortage at
> > all.
> >
> > Is that how other people see how this series operates in the real world?
> >
> > On Wed, Jul 30, 2008 at 12:43 PM, Pete S. wrote:
> >
> > > During our ipsec testing (best case scenario, back to back encrypted
> > > tunnel, adjusted mss of 1436bytes) we were pushing about 20Mbps with
> > > ftp traffic. Adjusting MTU down to 64bytes, I believe we were,
> > > understandably so, only reaching about 6-8Mbps. Still more than
> > > enough to saturate most DSL, and some cable connections. The router
> > > CPU was of course at or near maxed out during both tests. CBWFQ also
> > > held out extremely well in the tests, although i cannot remember
> > > specifics, just that the call did not drop or get choppy. I think the
> > > throughput speeds were similar.
> > >
> > > The 871 is our standard remote client hardware VPN solution, and we
> > > haven't had any issues yet. If you aren't maxing out the CPU, you're
> > > probably not having a throughput issue.
> > >
> > > On Tue, Jul 29, 2008 at 2:46 PM, Bryan Welch wrote:
> > > > Greetings, anyone have any 800 series routers deployed to remote sites
> > > > to terminate vpn tunnels? We have an 871 deployed to a remote
> > > > location/country that we are experiencing some throughput issues with.
> > > >
> > > > Router seems to handle the traffic just fine, no errors what so ever.
> > > >
> > > > TIA,
> > > >
> > > > Bryan

--
Warm Regards,
Mario A. Spinthiras

From pigsign.pykota at gmail.com Wed Jul 30 06:44:03 2008
From: pigsign.pykota at gmail.com (Yang Darren)
Date: Wed, 30 Jul 2008 18:44:03 +0800
Subject: [c-nsp] How can do Multi-Interface Path with DMVPN or GET-VPN
Message-ID:

Hi All,

I have deployed six 1812-Router at Headquarter and Branch using DMVPN.

Recently, all sites add new line(ADSL 8M/640K). I want to use two lines at the same time below...

1. one line transmit critical data(VoIP, Video Conference...), another transmit normal data(Web)
2. When one line corrupt, another can take all jobs.

Any one have ideas?

Regards,
Pigsign

From elmi at 4ever.de Wed Jul 30 07:05:12 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Wed, 30 Jul 2008 13:05:12 +0200
Subject: [c-nsp] Is proxy-arp evil?
Message-ID: <20080730110512.GK17128@ronin.4ever.de>

Re:)

whisper555 at gmail.com (Whisper) wrote:

> There was a big discussion on this list about proxy-arp several months ago.

And I do suppose that's why I find proxy-arp quite suspicious, and why I asked about someone having a different idea for a solution.

> Do a search for the forums that keep this in forum format to read up about
> it.

I will refresh my memory :)

About Terry's question:

The servers and the service address are NOT on the same subnet, I must have explained badly.

ISP-to-Router: a.b.c.d/28 (think 192.0.2.0/28)
Router-to-Servers: 192.168.1.0/24
Server Loopback: a.b.c.+3 (think 192.0.2.3)

Yours,
Elmi.

> >                                      +--- [Server]
> > [ISP]---| a.b.c.d/28 |--[Router]--+--- [Server]
> >                                      +--- [Server]
> >
> > 3750#show run | i relevant
> > !
> > interface vlan 10
> >  description OUTSIDE
> >  ip address a.b.c.+2 255.255.255.240
> > !
> > interface vlan 11
> >  description INSIDE
> >  ip address 192.168.1.1 255.255.255.0
> > !
> > ip route 0.0.0.0 0.0.0.0 a.b.c.+1
> > ip route a.b.c.+3 255.255.255.255 192.168.1.2
> > ip route a.b.c.+3 255.255.255.255 192.168.1.3
> > ip route a.b.c.+3 255.255.255.255 192.168.1.4
> > !
> > ip cef
> > ip cef load-sharing algorithm tunnel

From rs at seastrom.com Wed Jul 30 07:12:40 2008
From: rs at seastrom.com (Robert E. Seastrom)
Date: Wed, 30 Jul 2008 07:12:40 -0400
Subject: [c-nsp] Need a Primer on WCCP / Web Hijacking
In-Reply-To: <48902584.2040301@indo.net.id> (a. rahman isnaini r.
 sutan's message of "Wed, 30 Jul 2008 15:25:40 +0700")
References: <5d093f9a0807292201i6d281523u2f921358a40425ac@mail.gmail.com> <48902584.2040301@indo.net.id>
Message-ID: <86tze762xj.fsf@seastrom.com>

or pfsense captive portal (easy to set up, cheaper than mikrotik)

or openwrt + chilispot (somewhat more difficult to set up, even cheaper yet)

---rob

"a. rahman isnaini r.sutan" writes:

> Mikrotik with Hotspot Profile... for cheaper & fast solution
>
> rgs
> a. rahman isnaini rangkayo sutan
>
> Jonathan Charles wrote:
>> Cust has access points open to public, they need to hijack the web
>> requests and take them a web page where they enter a security code,
>> and then allow them... So, I need to integrate this with some form of
>> ACS (still finding out) and a web server...
>> I think WCCP will do it, just looking for a primer to start me off...
>> TIA
>> Jonathan

From SamHall at wiseman-dairies.co.uk Wed Jul 30 08:25:23 2008
From: SamHall at wiseman-dairies.co.uk (Sam Hall)
Date: Wed, 30 Jul 2008 13:25:23 +0100
Subject: [c-nsp] Dont let it happen to you...
In-Reply-To: <9D30659ABCA7FB428CF91E386C3A5744A5A3D7@hermes.sapphire-int.gi>
Message-ID:

http://supportwiki.cisco.com/ViewWiki/index.php/Catalyst_3550_switch_reloads_and_gives_the_%22EXPRESS_SETUP-6-CONFIG_IS_RESET%22_error_message_when_the_mode_button_is_pressed_for_a_longer_time_during_a_password_recovery

Sam

----
Sam Hall
Robert Wiseman & Sons
Ext: 6655
Tel: +44 (0)1355 270655
samhall at wiseman-dairies.co.uk
www.wiseman-dairies.co.uk
159 Glasgow Road, East Kilbride, Glasgow, G74 4PA

*********************************************************************************
Disclaimer: This electronic mail, together with any attachments, is for the exclusive and confidential use of the recipient addressee. Any other distribution, use or reproduction without our prior consent is unauthorised and strictly prohibited. If you have received this message in error, please delete it immediately and contact the sender directly or the Robert Wiseman & Sons Ltd IT Helpdesk on +44 (0)1355 270634. Any views or opinions expressed in this message are those of the author and do not necessarily represent those of Robert Wiseman & Sons Ltd or of any of its associated companies. No reliance may be placed on this message without written confirmation from an authorised representative of the company. Robert Wiseman & Sons Limited reserves the right to monitor all e-mail communications through its network. This message has been checked for viruses but the recipient is strongly advised to re-scan the message before opening any attachments or attached executable files.
ROBERT WISEMAN & SONS LIMITED Registered Number: 87376 Scotland Registered Office: 159 Glasgow Road, East Kilbride, Glasgow, G74 4PA
********************************************************************************

From MatlockK at exempla.org Wed Jul 30 08:26:54 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 30 Jul 2008 06:26:54 -0600
Subject: [c-nsp] 2950 L2 ?
References:
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E707@LMC-MAIL2.exempla.org>

Yep, the 2950 can have a maximum of 1 layer 3 interface active (I assume for management). If you have a Layer3 Vlan interface up, and try to bring a second one up, it automatically disables the first.

(Not that I've ever accidentally done that and had to drive out to the chassis to console in or anything) :)

Ken Matlock
matlockk at exempla.org
Network Analyst
(303) 467-4671

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of Allan Eising
Sent: Wed 7/30/2008 1:48 AM
To: julien leroiso
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2950 L2 ?

The 2950 switch is a Layer 2 switch, and does not do any Layer 3 switching.

On Wed, Jul 30, 2008 at 9:43 AM, julien leroiso wrote:
> Sorry the title should be : 2950 L3 ?
>
> On Wed, Jul 30, 2008 at 9:38 AM, julien leroiso wrote:
>
>> Hi
>>
>> can someone confirm me that 2950 do or don't do L3 ?
>> I'll need to configure many vlan gateway on, but I don't remember if I can
>> do it on that device.
>>
>> thx

--
Med venlig hilsen / Best regards
Allan Eising

From rodunn at cisco.com Wed Jul 30 09:47:45 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 30 Jul 2008 09:47:45 -0400
Subject: [c-nsp] MPLS multilink MTU
In-Reply-To: <371cac6a0807292334g7465ecfcx139b146eef1e7664@mail.gmail.com>
References: <371cac6a0807291951n12d6e948p6a1b25b38c9a3278@mail.gmail.com> <20080730030423.GH10966@rtp-cse-489.cisco.com> <371cac6a0807292334g7465ecfcx139b146eef1e7664@mail.gmail.com>
Message-ID: <20080730134745.GE15981@rtp-cse-489.cisco.com>

Ah ha...so with the physical MTU (which please start using it over mpls mtu) we picked up on that and adjusted the MRRU negotiated value it appears.

Rodney

On Wed, Jul 30, 2008 at 02:34:41PM +0800, Soon Kian wrote:
> Hi Rodney
>
> It works! after changing physical interface MTU instead of using "mpls mtu
> xxx" I have attached the debug output before and after changing.
>
> Before:
> Jul 30 06:07:32.398: Se3/5:0 LCP: O CONFREQ [Listen] id 254 len 23
> Jul 30 06:07:32.398: Se3/5:0 LCP:    MagicNumber 0x3C11DFE2 (0x05063C11DFE2)
> Jul 30 06:07:32.398: Se3/5:0 LCP:    MRRU 1500 (0x110405DC)
> Jul 30 06:07:32.398: Se3/5:0 LCP:    EndpointDisc 1 klp002 (0x1309016B6C70303032)
>
> After:
> Jul 30 06:21:53.827: Se4/7:0 PPP: Phase is ESTABLISHING, renegotiate LCP
> Jul 30 06:21:53.827: Se4/7:0 LCP: O CONFREQ [Closed] id 28 len 23
> Jul 30 06:21:53.827: Se4/7:0 LCP:    MagicNumber 0x3C1F0A9B (0x05063C1F0A9B)
> Jul 30 06:21:53.827: Se4/7:0 LCP:    MRRU 1520 (0x110405F0)
>
> Cheers
> Soon Kian
>
> On Wed, Jul 30, 2008 at 11:04 AM, Rodney Dunn wrote:
>
> > Soon,
> >
> > I haven't done this myself but I've seen discussions around
> > it before. From what I remember it has to do with the
> > MRRU negotiated values.
> >
> > Check 'debug ppp negotiation' and let's see what
> > we negotiated for MRU.
> >
> > Also, it's best not to use the "mpls mtu" command anymore
> > and always set the physical MTU on the interface to
> > account for the MPLS and/or tunnel overhead.
> >
> > CSCdj40945
> > PPP multilink MRRU value is not configurable
> >
> > added the support for the:
> >
> > [no] ppp multilink mrru remote [num]
> > and
> > [no] ppp multilink mrru local [num]
> >
> > commands.
> >
> > See if that helps and let me know.
> >
> > Rodney
> >
> > On Wed, Jul 30, 2008 at 10:51:30AM +0800, Soon Kian wrote:
> > > Hi Guys,
> > >
> > > Wondering if any one met with such problem before ?
> > >
> > > a. Setup: MPLS PE - MPLS PE (using 2 x E1 with mlppp multilink)
> > > b. If only 1 x E1 is in bundle, I could ping vrf up to 1500 df. However when
> > > both E1 are in the multilink, I only could ping up to 1496
> > > c. IOS: c7200-jk9s-mz.124-18.bin
> > > d.
> > > E1 Controller: PA-MC-8E1/120
> > >
> > > Configuration:
> > >
> > > interface Multilink11
> > >  ip address x.x.x.x
> > >  no ip redirects
> > >  no ip proxy-arp
> > >  carrier-delay 10
> > >  mpls label protocol ldp
> > >  mpls ip
> > >  mpls mtu 1600
> > >  no cdp enable
> > >  ppp multilink
> > >  ppp multilink group 11
> > >  no clns route-cache
> > >
> > > interface Serial1/7:0
> > >  bandwidth 2048
> > >  ip address x.x.x.x 255.255.255.252
> > >  encapsulation ppp
> > >  ppp multilink
> > >  ppp multilink group 11
> > >  no clns route-cache
> > >
> > > interface Serial2/5:0
> > >  bandwidth 2048
> > >  ip address x.x.x.x 255.255.255.252
> > >  encapsulation ppp
> > >  no fair-queue
> > >  ppp multilink
> > >  ppp multilink group 11
> > >  no clns route-cache
> > >
> > > router>sh ppp multilink
> > > Bundle up for 19:47:41, total bandwidth 4096, load 42/255
> > > Receive buffer limit 24000 bytes, frag timeout 1000 ms
> > > 0/0 fragments/bytes in reassembly list
> > > 37 lost fragments, 122838 reordered
> > > 632/475896 discarded fragments/bytes, 0 lost received
> > > 0x203DB4 received sequence, 0x16EF7F sent sequence
> > > Member links: 2 active, 0 inactive (max not set, min not set)
> > > Se2/5:0, since 19:47:52
> > > Se1/7:0, since 19:47:49

From rodunn at cisco.com Wed Jul 30 09:51:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 30 Jul 2008 09:51:59 -0400
Subject: [c-nsp] Is proxy-arp evil?
In-Reply-To: <20080730110512.GK17128@ronin.4ever.de>
References: <20080730110512.GK17128@ronin.4ever.de>
Message-ID: <20080730135159.GF15981@rtp-cse-489.cisco.com>

The router would proxy arp if it has a more specific route out another interface. But it's a hack and I would not design my network around it working personally.

Rodney

On Wed, Jul 30, 2008 at 01:05:12PM +0200, Elmar K. Bins wrote:
> Re:)
>
> whisper555 at gmail.com (Whisper) wrote:
>
> > There was a big discussion on this list about proxy-arp several months ago.
>
> And I do suppose that's why I find proxy-arp quite suspicious, and why I
> asked about someone having a different idea for a solution.
>
> > Do a search for the forums that keep this in forum format to read up about
> > it.
>
> I will refresh my memory :)
>
> About Terry's question:
>
> The servers and the service address are NOT on the same subnet,
> I must have explained badly.
>
> ISP-to-Router: a.b.c.d/28 (think 192.0.2.0/28)
> Router-to-Servers: 192.168.1.0/24
> Server Loopback: a.b.c.+3 (think 192.0.2.3)
>
> Yours,
> Elmi.
>
> > >                                      +--- [Server]
> > > [ISP]---| a.b.c.d/28 |--[Router]--+--- [Server]
> > >                                      +--- [Server]
> > >
> > > 3750#show run | i relevant
> > > !
> > > interface vlan 10
> > >  description OUTSIDE
> > >  ip address a.b.c.+2 255.255.255.240
> > > !
> > > interface vlan 11
> > >  description INSIDE
> > >  ip address 192.168.1.1 255.255.255.0
> > > !
> > > ip route 0.0.0.0 0.0.0.0 a.b.c.+1
> > > ip route a.b.c.+3 255.255.255.255 192.168.1.2
> > > ip route a.b.c.+3 255.255.255.255 192.168.1.3
> > > ip route a.b.c.+3 255.255.255.255 192.168.1.4
> > > !
> > > ip cef
> > > ip cef load-sharing algorithm tunnel

From jeff-kell at utc.edu Wed Jul 30 09:59:35 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Wed, 30 Jul 2008 09:59:35 -0400
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
Message-ID: <489073C7.5020003@utc.edu>

Quick question for someone that's "been there done that" from someone who has said "I thought it would work" more often than I'd like :-)

Can you get a full BGP feed (two peers) into a Sup2? with uRPF? Which RAM needs to be upgraded?
I found out the hard way it won't fit into a SUP2/MSFC2/PFC2 w/256Mb.

Will 512Mb do it? Can you put 512Mb in a Sup2 (some 3rd-party pages imply 256 is max, another says a "Sup2U" can do 512) ?

Do you upgrade the Sup2 memory or one of the daughtercards, or both?

Jeff

From jared at puck.nether.net Wed Jul 30 10:03:03 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 30 Jul 2008 10:03:03 -0400
Subject: [c-nsp] Quick 6500 Sup2 / BGP / memory...
In-Reply-To: <489073C7.5020003@utc.edu>
References: <489073C7.5020003@utc.edu>
Message-ID: <20080730140303.GA34639@puck.nether.net>

On Wed, Jul 30, 2008 at 09:59:35AM -0400, Jeff Kell wrote:
> Quick question for someone that's "been there done that" from someone
> who has said "I thought it would work" more often than I'd like :-)
>
> Can you get a full BGP feed (two peers) into a Sup2? with uRPF? Which
> RAM needs to be upgraded?

No. sup2 has a 256k route limit in tcam. the tcam is not upgradable. you need a sup720 w/ 3bxl or 3cxl.

enabling u-rpf drops it to 128k entries in the tcam on the sup2.

- jared

> I found out the hard way it won't fit into a SUP2/MSFC2/PFC2 w/256Mb.
>
> Will 512Mb do it? Can you put 512Mb in a Sup2 (some 3rd-party pages
> imply 256 is max, another says a "Sup2U" can do 512) ?
>
> Do you upgrade the Sup2 memory or one of the daughtercards, or both?

fan tray, power supplies and sup.

- jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From achatz at forthnet.gr Wed Jul 30 12:04:55 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 30 Jul 2008 19:04:55 +0300
Subject: [c-nsp] 6500/SUP720 & SXH boot loader images
Message-ID: <48909127.7020602@forthnet.gr>

Release notes for 12.2(18)SXF include the following under "Feature Set Guidelines and Restrictions":

There are no 12.2SX boot loader images: none are required.

As expected, i didn't find any to download too.
Release notes for 12.2(33)SXH do not include the above statement.

As expected (!) i found SXH boot loader images:

s72033-boot-mz.122-33.SXH2a.bin
s72033-boot-mz.122-33.SXH3.bin

Are they needed? Is there a reason they returned? Or should i stick to the general 12.2SX rule "There are no 12.2SX boot loader images: none are required."?

--
Tassos

From achatz at forthnet.gr Wed Jul 30 12:07:51 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 30 Jul 2008 19:07:51 +0300
Subject: [c-nsp] interpretation of sysTrafficPeakTime
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501AC43C2@xmb-ams-331.emea.cisco.com>
References: <488F51BB.3020504@forthnet.gr> <67F7C1FAF83A074AA3520D8F155782A501AC43C2@xmb-ams-331.emea.cisco.com>
Message-ID: <489091D7.9070404@forthnet.gr>

Arie,

Actually i was using "sh platform hardware capacity fabric" to see it through the cli.

Still, my main concern is... should i stick to my 1st explanation or the 2nd one?

--
Tassos

Arie Vayner (avayner) wrote on 29/7/2008 11:22:
> Tasso,
>
> Your analysis makes sense.
> It seems that this OID is basically what you can see with this command:
> Router#show catalyst6000 traffic-meter
>  traffic meter = 1%  Never cleared
>  peak = 1%  reached at 20:14:17 UTC Tue Jul 29 2008
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos
> Chatzithomaoglou
> Sent: Tuesday, July 29, 2008 20:22 PM
> To: cisco-nsp
> Subject: [c-nsp] interpretation of sysTrafficPeakTime
>
> According to the cisco-stack-mib:
>
> sysTrafficPeakTime OBJECT-TYPE
>     SYNTAX      TimeTicks
>     MAX-ACCESS  read-only
>     STATUS      current
>     DESCRIPTION "The time (in hundredths of a second) since the peak
>                  traffic meter value occurred."
>     ::= { systemGrp 20 }
>
> Can someone please interpret the above description?
>
> I'm thinking of 2 different values here:
>
> 1) current time (present) <=== peak time (past) : the value should
> increase as time passes by (*)
>
> 2) power-on/reset time (past) ===> peak time (past) : the value should
> stay constant as time passes by (*)
>
> If i was to interpret it, i would probably choose the 1st one, but
> according to my sample snmp outputs on some 6500s/7600s the 2nd seems to
> be the correct one.
>
> (*) having only one peak traffic time
>
> --
> Tassos

From rodunn at cisco.com Wed Jul 30 12:30:36 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 30 Jul 2008 12:30:36 -0400
Subject: [c-nsp] How can do Multi-Interface Path with DMVPN or GET-VPN
In-Reply-To:
References:
Message-ID: <20080730163036.GJ15981@rtp-cse-489.cisco.com>

I think the best solution here would be to look at deploying OER/(now called PfR) for this.

I've never done it myself but have seen scenarios where it's targeted at doing pretty much exactly what you are asking.

Rodney

On Wed, Jul 30, 2008 at 06:44:03PM +0800, Yang Darren wrote:
> Hi All,
>
> I have deployed six 1812-Router at Headquarter and Branch using DMVPN.
>
> Recently, all sites add new line(ADSL 8M/640K). I want to use two lines at
> the same time below...
>
> 1. one line transmit critical data(VoIP, Video Conference...), another
> transmit normal data(Web)
> 2. When one line corrupt, another can take all jobs.
>
> Any one have ideas?
>
> Regards,
> Pigsign

From kgraham at industrial-marshmallow.com Wed Jul 30 12:56:45 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Wed, 30 Jul 2008 09:56:45 -0700 (PDT)
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
Message-ID: <994076.97219.qm@web907.biz.mail.mud.yahoo.com>

> > My plan is to collapse my core switch(3750), pix, and css devices into
> > two 6509's with the fwsm/ace/Gig-e modules. I am just trying to decide
> > the best way to segregate the internal lan and middle tier dmz's.
>
> Our experience with 6500/7600 and IOS support makes this look like a bad
> plan. [...]
> Historic precedence shows that all 6500/7600 blades that are not "ethernet
> based" have a fairly short life experience (or won't be supported in
> whatever chassis you have, you always need "the other one").

Much agreed. Unless you need the throughput on the modules, an ASA and ACE 4710 strapped to the 3750 stack will likely be cheaper, easier to manage (the only management gain with ACE-M and FWSM is power control), have better availability characteristics and leave your options for redeployment and future upgrades wide open. With the leftover budget, start swapping in 3750E's and you'd be in great shape.

Based on past performance, unless you intend to deploy this and leave it untouched until you forklift everything but the chassis. The really cute part is that support will be _effectively_ dropped well before Cisco issues an EOS notice.

(Just one example is that Cisco will still sell you a new CSM, though don't put it in a SXH switch (which a 720C requires), as it will be powered down due to being unsupported while still preserving all of the CLI's.)
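The MPLS multilink MTU thread earlier in this digest (Soon Kian and Rodney Dunn) turns on what `debug ppp negotiation` shows for the MRRU option before and after the physical MTU change. The following is an added example, not code from the list or from Cisco: it decodes the hex that IOS prints after each LCP option (type, length, value per RFC 1661/1990) so the negotiated MRRU can be cross-checked against the decimal IOS renders, and then works out how large an IP packet fits inside that MRRU once MPLS labels are pushed. The debug lines are copied from Soon Kian's post; the reading that a single 4-byte label explains the observed 1496-byte limit with MRRU 1500 is my inference, consistent with the thread but not stated in it, and the function names are my own.

```python
"""Decode LCP option hex from IOS 'debug ppp negotiation' and check an
MPLS-over-MLPPP MTU budget against the negotiated MRRU.

Added illustration for the cisco-nsp MPLS multilink MTU thread; the debug
lines below are quoted from that thread, everything else is constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# LCP configuration option types (RFC 1661 MRU/MagicNumber, RFC 1990 MRRU/EndpointDisc)
LCP_OPTION_NAMES = {1: "MRU", 5: "MagicNumber", 17: "MRRU", 19: "EndpointDisc"}

# Debug output copied from the thread, joined onto single lines.
BEFORE = """\
Jul 30 06:07:32.398: Se3/5:0 LCP: O CONFREQ [Listen] id 254 len 23
Jul 30 06:07:32.398: Se3/5:0 LCP:    MagicNumber 0x3C11DFE2 (0x05063C11DFE2)
Jul 30 06:07:32.398: Se3/5:0 LCP:    MRRU 1500 (0x110405DC)
Jul 30 06:07:32.398: Se3/5:0 LCP:    EndpointDisc 1 klp002 (0x1309016B6C70303032)
"""
AFTER = """\
Jul 30 06:21:53.827: Se4/7:0 PPP: Phase is ESTABLISHING, renegotiate LCP
Jul 30 06:21:53.827: Se4/7:0 LCP: O CONFREQ [Closed] id 28 len 23
Jul 30 06:21:53.827: Se4/7:0 LCP:    MagicNumber 0x3C1F0A9B (0x05063C1F0A9B)
Jul 30 06:21:53.827: Se4/7:0 LCP:    MRRU 1520 (0x110405F0)
"""


@dataclass
class LcpOption:
    type: int
    length: int
    data: bytes

    @property
    def name(self) -> str:
        return LCP_OPTION_NAMES.get(self.type, f"Unknown-{self.type}")

    @property
    def value(self):
        # MRU and MRRU are 16-bit byte counts, MagicNumber a 32-bit number;
        # EndpointDisc is one class byte followed by the discriminator address.
        if self.type in (1, 5, 17):
            return int.from_bytes(self.data, "big")
        if self.type == 19:
            return (self.data[0], self.data[1:])
        return self.data


def parse_lcp_option(hex_string: str) -> LcpOption:
    """Parse one Type-Length-Data LCP option from the hex IOS prints in parentheses."""
    raw = bytes.fromhex(hex_string)
    # The length octet covers the whole option, so it must equal the byte count.
    if len(raw) < 2 or raw[1] != len(raw):
        raise ValueError(f"malformed LCP option: {hex_string}")
    return LcpOption(type=raw[0], length=raw[1], data=raw[2:])


OPTION_LINE = re.compile(r"LCP:\s+(\w+)\s+.*\(0x([0-9A-Fa-f]+)\)\s*$")


def decode_options(debug_output: str) -> List[LcpOption]:
    """Every LCP option carried in the debug output, decoded from its hex dump."""
    options = []
    for line in debug_output.splitlines():
        m = OPTION_LINE.search(line)
        if m:
            opt = parse_lcp_option(m.group(2))
            # The name IOS printed must agree with the type octet we decoded.
            if opt.name != m.group(1):
                raise ValueError(f"IOS printed {m.group(1)} but hex decodes as {opt.name}")
            options.append(opt)
    return options


MRRU_LINE = re.compile(r"LCP:\s+MRRU\s+(\d+)\s+\(0x([0-9A-Fa-f]+)\)")


def negotiated_mrru(debug_output: str) -> Optional[int]:
    """MRRU offered in the CONFREQ, decoded from the hex and cross-checked
    against the decimal IOS rendered on the same line."""
    for line in debug_output.splitlines():
        m = MRRU_LINE.search(line)
        if m:
            printed, decoded = int(m.group(1)), parse_lcp_option(m.group(2)).value
            if printed != decoded:
                raise ValueError(f"IOS printed MRRU {printed}, hex decodes to {decoded}")
            return decoded
    return None


def max_ip_payload(mrru: int, labels: int, label_bytes: int = 4) -> int:
    """Largest IP packet that fits in the reassembled bundle frame once
    `labels` MPLS labels (4 bytes each) sit in front of it."""
    return mrru - labels * label_bytes


if __name__ == "__main__":
    for tag, dump in (("before", BEFORE), ("after", AFTER)):
        mrru = negotiated_mrru(dump)
        print(tag, "MRRU", mrru, "-> max IP with one label:", max_ip_payload(mrru, 1))
```

With MRRU 1500 a 1500-byte IP packet plus one label is 1504 bytes and does not fit, which matches the 1496-byte ceiling Soon Kian saw with both E1s in the bundle; after the physical MTU change the bundle negotiates MRRU 1520, leaving room for a 1500-byte packet under a one-label stack. The same arithmetic with `labels=2` shows why a VPN label stack needs more headroom still.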
From RTeller at deltadentalwa.com Wed Jul 30 13:09:03 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 30 Jul 2008 10:09:03 -0700
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <994076.97219.qm@web907.biz.mail.mud.yahoo.com>
References: <994076.97219.qm@web907.biz.mail.mud.yahoo.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E6C@tiger.deltadentalwa.com>

I already have the hardware and I am prepping for migration.

-----Original Message-----
From: Kevin Graham [mailto:kgraham at industrial-marshmallow.com]
Sent: Wednesday, July 30, 2008 9:57 AM
To: Gert Doering; Teller, Robert
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6509 ACE/FWSM Modules??????????

> > My plan is to collapse my core switch(3750), pix, and css devices into
> > two 6509's with the fwsm/ace/Gig-e modules. I am just trying to decide
> > the best way to segregate the internal lan and middle tier dmz's.
>
> Our experience with 6500/7600 and IOS support makes this look like a bad
> plan. [...]
> Historic precedence shows that all 6500/7600 blades that are not "ethernet
> based" have a fairly short life experience (or won't be supported in
> whatever chassis you have, you always need "the other one").

Much agreed. Unless you need the throughput on the modules, an ASA and ACE 4710 strapped to the 3750 stack will likely be cheaper, easier to manage (the only management gain with ACE-M and FWSM is power control), have better availability characteristics and leave your options for redeployment and future upgrades wide open. With the leftover budget, start swapping in 3750E's and you'd be in great shape.

Based on past performance, unless you intend to deploy this and leave it untouched until you forklift everything but the chassis. The really cute part is that support will be _effectively_ dropped well before Cisco issues an EOS notice.
#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From jim at tgasolutions.com Wed Jul 30 14:58:09 2008
From: jim at tgasolutions.com (Jim McBurnett)
Date: Wed, 30 Jul 2008 14:58:09 -0400
Subject: [c-nsp] 2950 L2 ?
Message-ID: 

With only 1 exception I have seen..
29xx layer 2
3xxx / 45xx / 65xx layer 3

The exception is the 3500XL -- Layer 2..

Later,
Jim

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of julien leroiso
Sent: Wednesday, July 30, 2008 3:39 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 2950 L2 ?

Hi

Can someone confirm for me whether the 2950 does L3 or not? I'll need to configure many VLAN gateways on it, but I don't remember if I can do that on this device.

thx

From gert at greenie.muc.de Wed Jul 30 15:43:26 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 30 Jul 2008 21:43:26 +0200
Subject: [c-nsp] 2950 L2 ?
Message-ID: <20080730194326.GM288@greenie.muc.de>

Hi,

On Wed, Jul 30, 2008 at 02:58:09PM -0400, Jim McBurnett wrote:
> With only 1 exception I have seen..
> 29xx layer 2
> 3xxx / 45xx / 65xx layer3
>
> The exception is the 3500XL-- Layer 2..

Well, a 65xx with Sup1 or Sup2 and no MSFC is also L2 only...

And a 2948G-L3 is neither L2 nor L3 (it's a pile of sh*t) :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From dwinkworth at wi.rr.com Wed Jul 30 17:39:57 2008
From: dwinkworth at wi.rr.com (dwinkworth at wi.rr.com)
Date: Wed, 30 Jul 2008 16:39:57 -0500
Subject: [c-nsp] interpretation of sysTrafficPeakTime
Message-ID: <32662199.957881217453997889.JavaMail.root@hrndva-web17-z02>

The value represents the amount of time that has passed since the highest recorded peak.

I don't know if this value rolls over or not. I don't think it does.

---- Tassos Chatzithomaoglou wrote:
> Arie,
>
> Actually i was using "sh platform hardware capacity fabric" to see it through the cli.
>
> Still, my main concern is... should i stick to my 1st explanation or the 2nd one?
>
> --
> Tassos
>
> Arie Vayner (avayner) wrote on 29/7/2008 11:22:
> Tasso,
>
> Your analysis makes sense.
> It seems that this OID is basically what you can see with this command:
>
> Router#show catalyst6000 traffic-meter
> traffic meter = 1% Never cleared
> peak = 1% reached at 20:14:17 UTC Tue Jul 29 2008
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou
> Sent: Tuesday, July 29, 2008 20:22 PM
> To: cisco-nsp
> Subject: [c-nsp] interpretation of sysTrafficPeakTime
>
> According to the cisco-stack-mib:
>
> sysTrafficPeakTime OBJECT-TYPE
>     SYNTAX      TimeTicks
>     MAX-ACCESS  read-only
>     STATUS      current
>     DESCRIPTION "The time (in hundredths of a second) since the peak
>                  traffic meter value occurred."
>     ::= { systemGrp 20 }
>
> Can someone please interpret the above description?
>
> I'm thinking of 2 different values here:
>
> 1) current time (present) <=== peak time (past): the value should
>    increase as time passes by (*)
>
> 2) power-on/reset time (past) ===> peak time (past): the value should
>    stay constant as time passes by (*)
>
> If i was to interpret it, i would probably choose the 1st one, but
> according to my sample snmp outputs on some 6500s/7600s the 2nd seems to
> be the correct one.
> (*) having only one peak traffic time
>
> --
> Tassos

From zhassan at gmx.net Wed Jul 30 18:45:54 2008
From: zhassan at gmx.net (Zahid Hassan)
Date: Wed, 30 Jul 2008 23:45:54 +0100
Subject: [c-nsp] WebVPN/SSL VPN module for 6500
Message-ID: <200807302246.m6UMk0pN069766@puck.nether.net>

Dear All,

Does anyone know if there is any replacement module planned for WebVPN or SSL VPN for the 6500 chassis?

The current WebVPN Services Module is apparently already or will soon be declared EOL/EOS.

http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6404/product_data_sheet0900aecd802aff73.html

Regards,
ZH

From bitkraft at gmail.com Wed Jul 30 21:46:27 2008
From: bitkraft at gmail.com (Brian Spade)
Date: Wed, 30 Jul 2008 18:46:27 -0700
Subject: [c-nsp] Netflow / 3560 platform
Message-ID: <505b616c0807301846o1839d581rde34ae6793e999e5@mail.gmail.com>

Can anyone explain why Cisco fails to support Netflow on the 3560 Catalyst switches?

/b

From bitkraft at gmail.com Wed Jul 30 22:00:22 2008
From: bitkraft at gmail.com (Brian Spade)
Date: Wed, 30 Jul 2008 19:00:22 -0700
Subject: [c-nsp] Netflow / 3560 platform
References: <505b616c0807301846o1839d581rde34ae6793e999e5@mail.gmail.com>
Message-ID: <505b616c0807301900k37d83ea0ob1cc1a7ab71bac46@mail.gmail.com>

Hi, adding back cisco-nsp

On Wed, Jul 30, 2008 at 6:54 PM, Buhrmaster, Gary wrote:
> > Can anyone explain why Cisco fails to support Netflow on the
> > 3560 Catalyst switches?
>
> They did not build the hardware to support it.
> One of the many feature/cost choices made on
> that platform during the design.

These routers are software based -- Cisco 800, 1800, 2800, and 3800 -- and support Netflow.

/b

From rodunn at cisco.com Wed Jul 30 23:03:50 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 30 Jul 2008 23:03:50 -0400
Subject: [c-nsp] 32 bit ASN
In-Reply-To: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com>
References: <5083A1F1-069D-49FC-9140-5CB9FFE3A17D@i2bnetworks.com>
Message-ID: <20080731030350.GF23991@rtp-cse-489.cisco.com>

I'm asking about this. I'll get back with you.

It's going to be in a 12.0(33)S rebuild for sure. But I need to check back on what the 12008 decision was... i.e. only in 32S rebuilds?

On Mon, Jul 28, 2008 at 12:24:56PM -0700, Troy Beisigl wrote:
> Hi,
>
> Does anyone know if the 32 bit ASN support is going to get
> implemented in the 12008 or 7500 RSP8 series? If not, what
> is recommended as replacements?
>
> Thanks,
>
> -Troy

From justin at justinshore.com Thu Jul 31 00:35:23 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 30 Jul 2008 23:35:23 -0500
Subject: [c-nsp] WebVPN/SSL VPN module for 6500
In-Reply-To: <200807302246.m6UMk0pN069766@puck.nether.net>
References: <200807302246.m6UMk0pN069766@puck.nether.net>
Message-ID: <4891410B.2060004@justinshore.com>

Zahid Hassan wrote:
> Dear All,
>
> Does anyone know if there is any replacement module planned for WebVPN or
> SSL VPN for the 6500 chassis ?
>
> The current WebVPN Services Module is apparently already or will soon be
> declared EOL/EOS.
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps6404/product_data_sheet0900aecd802aff73.html

I have to side with Gert on the risks of putting something like that in a large chassis.
I would recommend a different external platform for terminating SSL VPN connections. You could use an ASA, a 7200 or even an ISR. The approach we took was to use a pair of 3845s (though I would have greatly preferred the 7200). You can even accomplish VRF-aware SSL VPN termination with both the ISR or 7200 option. The ASA option wouldn't be VRF aware, but then again the FWSM isn't VRF aware either. Just terminate the SSL VPN on a VLAN and put the VLAN in a VRF behind the ASA. Any of these options would allow you to replace the solution in the future as new products become available or as platforms are EoLed.

Justin

From justin at justinshore.com Thu Jul 31 00:44:28 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 30 Jul 2008 23:44:28 -0500
Subject: [c-nsp] Dont let it happen to you...
Message-ID: <4891432C.5080003@justinshore.com>

Sam Hall wrote:
> http://supportwiki.cisco.com/ViewWiki/index.php/Catalyst_3550_switch_reloads_and_gives_the_%22EXPRESS_SETUP-6-CONFIG_IS_RESET%22_error_message_when_the_mode_button_is_pressed_for_a_longer_time_during_a_password_recovery

I ran into this problem a year or so back. Our cable guy happened to lean back on my rack in one of his head-ends. Turns out my 3560 was right at hip level. I'm glad to know that there is a way to prevent the problem, er, feature.
:-)

Justin

From gert at greenie.muc.de Thu Jul 31 02:40:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 31 Jul 2008 08:40:19 +0200
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: <505b616c0807301900k37d83ea0ob1cc1a7ab71bac46@mail.gmail.com>
References: <505b616c0807301846o1839d581rde34ae6793e999e5@mail.gmail.com> <505b616c0807301900k37d83ea0ob1cc1a7ab71bac46@mail.gmail.com>
Message-ID: <20080731064019.GN288@greenie.muc.de>

Hi,

On Wed, Jul 30, 2008 at 07:00:22PM -0700, Brian Spade wrote:
> Hi, adding back cisco-nsp
>
> On Wed, Jul 30, 2008 at 6:54 PM, Buhrmaster, Gary wrote:
> > > Can anyone explain why Cisco fails to support Netflow on the
> > > 3560 Catalyst switches?
> >
> > They did not build the hardware to support it.
> >
> > One of the many feature/cost choices made on
> > that platform during the design.
>
> These routers are software based -- Cisco 800, 1800, 2800, and 3800 -- and
> support Netflow.

That's the point: they are software based. You can do everything on SW based platforms.

The 3560 is hardware based, and it's "fairly simple" hardware, as opposed to a 6500/7600, which has more complex (and more expensive!) hardware.

So the 3560 hardware just cannot do it, because implementing it would have made the box much more expensive.

gert

From lists at hojmark.org Thu Jul 31 03:25:25 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 31 Jul 2008 09:25:25 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com>
Message-ID: <7F61BE01FDFC437F98469EDC5534F6B7@hojmark.net>

> I am working on implementing two 6509 chassis setup using vss
> and ace/fwsm modules. Anyone know of any good books for the ACE
> and FWSM modules?

Neither ACE nor FWSM is currently supported in a Catalyst 6500 running VSS. The NAM is the only service module supported today. (See the VSS Config Guide on http://tinyurl.com/yqg97w)

You will need to run the 6500s in a standard HSRP / STP setup.

-A

From christian at broknrobot.com Thu Jul 31 04:25:57 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 31 Jul 2008 04:25:57 -0400
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <7F61BE01FDFC437F98469EDC5534F6B7@hojmark.net>
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <7F61BE01FDFC437F98469EDC5534F6B7@hojmark.net>
Message-ID: 

FWSM is supported with 12.2(33)SXI

On Thu, Jul 31, 2008 at 3:25 AM, Asbjorn Hojmark - Lists wrote:
> > I am working on implementing two 6509 chassis setup using vss
> > and ace/fwsm modules. Anyone know of any good books for the ACE
> > and FWSM modules?
>
> Neither ACE nor FWSM is currently supported in a Catalyst 6500
> running VSS. The NAM is the only service module supported today.
> (See the VSS Config Guide on http://tinyurl.com/yqg97w)
>
> You will need to run the 6500s in a standard HSRP / STP setup.
>
> -A

From nic.tjirkalli at za.verizonbusiness.com Thu Jul 31 06:19:20 2008
From: nic.tjirkalli at za.verizonbusiness.com (Nic Tjirkalli)
Date: Thu, 31 Jul 2008 12:19:20 +0200 (SAST)
Subject: [c-nsp] XR OS-SHMWIN-2-ERROR_ENCOUNTERED
Message-ID: 

Howdy ho,

Have a CISCO GSR 12416/PRP running XR 3.6.1 and it has started continually whining about:

LC/0/0/CPU0:Jul 31 10:15:47.970 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
LC/0/0/CPU0:Jul 31 10:15:50.337 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
LC/0/0/CPU0:Jul 31 10:16:17.989 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
LC/0/0/CPU0:Jul 31 10:16:19.372 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
LC/0/0/CPU0:Jul 31 10:16:48.014 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
LC/0/0/CPU0:Jul 31 10:16:49.269 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical

CCO says log a TAC case, but was wondering if anybody had some ideas of what this error is and how to go about "fixing" it

thanx

---------------------------------------------------------------------
Mind Like A Steel Trap - Rusty And Illegal In 37 States.

Nic Tjirkalli
Verizon Business South Africa
Network Strategy Team

Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail is strictly confidential and intended only for use by the addressee unless otherwise indicated.
Company Information: http://www.verizonbusiness.com/za/contact/legal/

From Horvath.Szabolcs at iqsys.hu Thu Jul 31 05:36:30 2008
From: Horvath.Szabolcs at iqsys.hu (Horváth Szabolcs)
Date: Thu, 31 Jul 2008 11:36:30 +0200
Subject: [c-nsp] special routing (vrf?) with Cisco 3825
Message-ID: <085C022C25FF9C4EBCF76712A2588DCB0137C953@X-SPIRIT.integris.hu>

Hello,

We'd like to set up a special routing between remote sites. The network looks like the following:

       |                    |                    |
  < Site #1 >          < Site #2 >          < Site #3 >
  < CE router >        < CE router >        < CE router >
       |                    |                    |
       |                    |                    |
  /---------------------------------------------------\
  |                                                   |
  |         Service Provider's MPLS backbone          |
  |                                                   |
  \---------------------------------------------------/
                            |
                            |
                     < Central Site >
                     < CE router >
                            |
                      < Firewall >
                            |
                     < Central LAN >

We have 4 sites over an IP VPN. All traffic is routed through the central CE router (the network is configured in "hub & spoke" mode). Direct traffic between sites is not allowed, only through the central CE router.

In addition, we have to pass the traffic which is going to or coming from "Site #3" through the "Firewall".

1. So the route from site #1 to site #3 should look like:
   Site #1 LAN ---> Site #1 CE router ---> SP network ---> Central CE router ---> Firewall ---> Central CE router ---> SP network ---> Site #3 CE router ---> Site #3 LAN

2. The route from site #3 to site #2 should look like:
   Site #3 LAN ---> Site #3 CE router ---> SP network ---> Central CE router ---> Firewall ---> Central CE router ---> SP network ---> Site #2 CE router ---> Site #2 LAN

The Central CE router is a Cisco 3825.

Can this idea be achieved with current Cisco technologies? If yes, what is this technology called? I've read about VRF, it might help, but I'm not sure. Could you please point out the main steps to configure this?
I have a few years of Cisco experience, mostly with LAN, but I have never ever used complex routing stuff like this. I just need minimal info to start and I'll try to implement it. In the first step, I'm just curious whether this can be done or whether you know a better solution for this job.

Thanks in advance,
Szabolcs Horvath

From avayner at cisco.com Thu Jul 31 06:49:59 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 31 Jul 2008 12:49:59 +0200
Subject: [c-nsp] special routing (vrf?) with Cisco 3825
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB0137C953@X-SPIRIT.integris.hu>
References: <085C022C25FF9C4EBCF76712A2588DCB0137C953@X-SPIRIT.integris.hu>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501AC4905@xmb-ams-331.emea.cisco.com>

Horvath,

What you are describing is Hub and Spoke VPN... As you are using it already, it should be easy to make the traffic pass the firewall. Have you discussed it with your SP?

In general, you could take a look at these links:
http://www.cisco.com/en/US/products/sw/netmgtsw/ps4748/products_user_guide_chapter09186a008093505e.html
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_cfg_hub_spoke.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Horváth Szabolcs
Sent: Thursday, July 31, 2008 12:37 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] special routing (vrf?) with Cisco 3825

[...]
From stig.johansen at ementor.no Thu Jul 31 06:59:03 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Thu, 31 Jul 2008 12:59:03 +0200
Subject: [c-nsp] special routing (vrf?) with Cisco 3825
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB0137C953@X-SPIRIT.integris.hu>
References: <085C022C25FF9C4EBCF76712A2588DCB0137C953@X-SPIRIT.integris.hu>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C5187B92@100NOOSLMSG004.common.alpharoot.net>

Hi there,

Here are two different solutions to this (there may be more):

1) Request four different VPNs from the SP and terminate them in four different VRFs on the central CE router. Forward in four different VLANs/interfaces towards the firewall, which has to have four different interfaces to accept these. This way there will be "absolute" separation all the way up to the firewall.

2) Run policy-based routing (PBR) on the central CE router and forward all incoming packets from the MPLS VPN directly to the firewall. Ordinary routing decisions should only occur on traffic coming *from* the firewall and into the MPLS VPN.

Be aware of any limitations concerning PIX/ASA/FWSMs in this configuration. The default ASA (adaptive security algorithm) config doesn't allow routing packets out the same interface they arrived on.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Horváth Szabolcs
Sent: 31 July 2008 11:36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] special routing (vrf?) with Cisco 3825

[...]
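An added configuration example for the two options Stig lists above (editor's illustration, not part of Stig's or Szabolcs's messages). The main part is option 2: policy-based routing on the central CE so that traffic arriving from the MPLS VPN is handed to the firewall before any normal forwarding decision, narrowed to Site #3 traffic as the original question asked. A short sketch of option 1 (one VRF per spoke) follows it. Interface names, the 10.0.0.0/30 and 10.0.1.0/30 point-to-point links, the 802.1Q tags and the 192.168.1.0/24 to 192.168.3.0/24 site prefixes are all assumptions for illustration; the real CE-PE addressing and site prefixes come from the SP and the existing configuration.

```cisco
! Central CE (Cisco 3825), IOS.  Assumed addressing for illustration only:
!   Gi0/0 10.0.0.2/30  CE-PE link into the SP MPLS VPN (PE is 10.0.0.1)
!   Gi0/1 10.0.1.1/30  link to the firewall outside interface (firewall is 10.0.1.2)
!   Central LAN 10.0.2.0/24 sits behind the firewall
!   Site #1 192.168.1.0/24, Site #2 192.168.2.0/24, Site #3 192.168.3.0/24
!
! ---- Option 2: PBR on the hub CE ----
! Spoke prefixes are reachable only through the SP (static here for brevity;
! in practice these usually come from eBGP with the PE).
ip route 192.168.1.0 255.255.255.0 10.0.0.1
ip route 192.168.2.0 255.255.255.0 10.0.0.1
ip route 192.168.3.0 255.255.255.0 10.0.0.1
ip route 10.0.2.0 255.255.255.0 10.0.1.2
!
! Traffic that must be inspected: anything to or from Site #3.  Packets that do
! not match fall out of the route-map and are forwarded from the routing table.
ip access-list extended VIA-FIREWALL
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip any 192.168.3.0 0.0.0.255
!
route-map FROM-VPN permit 10
 match ip address VIA-FIREWALL
 set ip next-hop 10.0.1.2
!
interface GigabitEthernet0/0
 description CE-PE link into the SP MPLS VPN
 ip address 10.0.0.2 255.255.255.252
 ! PBR acts only on packets RECEIVED on this interface, i.e. coming from the VPN.
 ip policy route-map FROM-VPN
!
interface GigabitEthernet0/1
 description To firewall outside
 ip address 10.0.1.1 255.255.255.252
 ! Deliberately no "ip policy" here: packets returning from the firewall are
 ! routed normally, i.e. back out Gi0/0 towards the destination spoke.
!
! ---- Option 1 sketch: one VRF per spoke, one VLAN each towards the firewall ----
! Shown for Site #3 only; repeat per site.  The SP hands each site's VPN over on
! its own 802.1Q tag (assumed 103) and the firewall gets a matching sub-interface.
ip vrf SITE3
 rd 65000:3
!
interface GigabitEthernet0/0.3
 description Site #3 VPN handoff from the SP
 encapsulation dot1Q 103
 ip vrf forwarding SITE3
 ip address 10.0.0.10 255.255.255.252
!
interface GigabitEthernet0/1.3
 description Site #3 leg towards the firewall
 encapsulation dot1Q 203
 ip vrf forwarding SITE3
 ip address 10.0.3.1 255.255.255.252
!
! Inside the VRF the only way out is the firewall; nothing leaks between VRFs
! unless the firewall itself forwards it.
ip route vrf SITE3 0.0.0.0 0.0.0.0 10.0.3.2
```

With option 2 the firewall needs a route for every site prefix pointing back at 10.0.1.1, and it must be willing to send a packet out the interface it arrived on (on PIX/ASA 7.x that is `same-security-traffic permit intra-interface`), which is the limitation Stig points out. `show route-map FROM-VPN` on the CE shows the policy match counters, so a Site #1 to Site #3 ping that is being forwarded but never policy-routed is easy to spot.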
From paul.stainton at talktalk.net Thu Jul 31 07:34:54 2008
From: paul.stainton at talktalk.net (Paul - Talk Talk)
Date: Thu, 31 Jul 2008 12:34:54 +0100
Subject: [c-nsp] PIX not port forwarding
Message-ID: <200807311135.m6VBZ3RJ000849@puck.nether.net>

Hi,

Having a problem with a Cisco PIX 613. I am allowing traffic from a specific public IP address to pass on two ports only. I then forward this traffic to a LAN IP address.

So, from the internet:
access-list internet permit tcp any host xx.xxx.xx.xxx range 5040 5041

To the LAN:

static (inside,outside) tcp xx.xxx.xx.xxx 5040 192.168.127.4 5040 netmask 255.255.255.255 0 0
static (inside,outside) tcp xx.xxx.xx.xxx 5041 192.168.127.4 5041 netmask 255.255.255.255 0 0

I should then be able to telnet to the LAN address on each of the two ports.

Internal telnet works fine, as does using a simple cheap firewall/router.

I have used this method on the PIX in plenty of other examples like SMTP, PPTP and they can all be reached via telnet.

I can see I am getting hits on the internet access-list.

Can anyone throw some light on this for me please?

From achatz at forthnet.gr Thu Jul 31 07:42:28 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 31 Jul 2008 14:42:28 +0300
Subject: [c-nsp] interpretation of sysTrafficPeakTime
In-Reply-To: <32662199.957881217453997889.JavaMail.root@hrndva-web17-z02>
References: <32662199.957881217453997889.JavaMail.root@hrndva-web17-z02>
Message-ID: <4891A524.6040308@forthnet.gr>

That's what i thought too. But then it should be increasing as time passes by... which it doesn't ;)

--
Tassos

dwinkworth at wi.rr.com wrote on 31/7/2008 12:39:
> The value represents the amount of time that has passed since the highest recorded peak.
>
> I don't know if this value rolls over or not. I don't think it does.
>
> [...]
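Going back to Paul's PIX port-forwarding question a few messages up: the fragment he posted shows the `static` translations and the `access-list`, but not the `access-group` binding or the inside host's routing, and on a pre-7.0 PIX those are the two pieces that most often decide whether a port forward works. The following is an added, editor-supplied example of the complete configuration, not Paul's; 203.0.113.10 stands in for his masked outside address, the inside host and ports are the ones from his post, and the interface names and masks are assumptions.

```cisco
! PIX 6.x: complete inbound port forward for TCP 5040-5041 to one inside host.
! Added example; 203.0.113.10 and the inside interface address are assumed.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.10 255.255.255.248
ip address inside 192.168.127.1 255.255.255.0
!
! One static per port: outside 203.0.113.10:5040 -> inside 192.168.127.4:5040, etc.
! A static only creates the translation; it does not permit anything by itself.
static (inside,outside) tcp 203.0.113.10 5040 192.168.127.4 5040 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.10 5041 192.168.127.4 5041 netmask 255.255.255.255 0 0
!
! Permit exactly the two forwarded ports and nothing else.  On PIX 6.x the
! interface ACL is evaluated on the GLOBAL (outside) address, before the
! translation, so the destination here is the outside IP, not 192.168.127.4.
access-list internet permit tcp any host 203.0.113.10 range 5040 5041
!
! The ACL is inert until it is bound to the interface.  An unbound ACL shows no
! hit counts and inbound connections stay blocked by the implicit deny.
access-group internet in interface outside
!
! The inside host must send its replies back through the PIX (default gateway
! 192.168.127.1) or the three-way handshake never completes from outside.
```

To check each stage: `show access-list internet` shows hitcnt per line (packets that passed the ACL), `show xlate` shows whether a 203.0.113.10:5040 to 192.168.127.4:5040 translation was built for the connection, and a `telnet 192.168.127.4 5040` from another inside host confirms the service is actually listening. A hit on the ACL with no xlate and no inside connection usually points at the translation or the return path rather than the ACL.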
From wim.holemans at ua.ac.be Thu Jul 31 07:45:58 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Thu, 31 Jul 2008 13:45:58 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E66@tiger.deltadentalwa.com>
Message-ID: <2F7B70885960AA42BE820036B3A8CDA02ABEA6@xmail06.ad.ua.ac.be>

Can someone clarify the PAgP problem? I had a discussion with someone from Cisco about a new design in one of our data rooms and we had chosen a VSS solution with dual 3750E stacks and 20Gig uplinks in each rack to the VSS chassis for maximum redundancy. According to our Cisco contact, this was a working solution. If however it is impossible to make channels between a 3750E cluster and both switches in a VSS, the complete design has to be redone...

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: Mike Louis [mailto:MLouis at nwnit.com]
Sent: Tuesday, July 29, 2008 6:19 PM
To: Teller, Robert; Tony Varriale; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] 6509 ACE/FWSM Modules??????????

Last time I checked the 3750 did not support the PAgP extensions for VSS. You would get an STP loop if you tried. Has this support changed?

From monika.vpls at gmail.com Thu Jul 31 08:25:15 2008
From: monika.vpls at gmail.com (Monika M)
Date: Thu, 31 Jul 2008 17:55:15 +0530
Subject: [c-nsp] LDP Graceful restart
Message-ID: <707cb4cd0807310525k5201e9a9ic00f29192b95363c@mail.gmail.com>

Does the graceful restart feature for LDP work in a single route processor configuration? (similar to routing protocols?)

Regards,
Monika

From gert at greenie.muc.de Thu Jul 31 09:33:48 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 31 Jul 2008 15:33:48 +0200
Subject: [c-nsp] Netflow / 3560 platform
References: <20080731064019.GN288@greenie.muc.de>
Message-ID: <20080731133348.GP288@greenie.muc.de>

Hi,

On Thu, Jul 31, 2008 at 09:10:31AM -0400, David Curran wrote:
> I would add that the 6500/7600 can "do" netflow but not well. I think the
> true limitation is that these platforms are switches, not routers. So as
> previous responses have stated, things are done in hardware, not software.
> Platforms without route processors would be hard pressed to do the
> necessary work to properly log and export flows.
>
> At least that's the excuse we get when we run into netflow issues on the
> 7600 platform...

Well, dunno about yours, but our 7600s seem to have route processors (*and* switch processors even) :-)

But indeed, hardware based netflow is prone to have *different* limitations when compared to a software based architecture. The latter usually dies when the load goes up too much...

gert

From dcurran at nuvox.com Thu Jul 31 09:10:31 2008
From: dcurran at nuvox.com (David Curran)
Date: Thu, 31 Jul 2008 09:10:31 -0400
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: <20080731064019.GN288@greenie.muc.de>
Message-ID: 

I would add that the 6500/7600 can "do" netflow but not well. I think the true limitation is that these platforms are switches, not routers. So as previous responses have stated, things are done in hardware, not software. Platforms without route processors would be hard pressed to do the necessary work to properly log and export flows.

At least that's the excuse we get when we run into netflow issues on the 7600 platform...

> From: Gert Doering
> Date: Thu, 31 Jul 2008 02:40:19 -0400
> To: Brian Spade
> Subject: Re: [c-nsp] Netflow / 3560 platform
>
> [...]
>>>
>>> One of the many feature/cost choices made on
>>> that platform during the design.
>>
>> These routers are software based -- Cisco 800, 1800, 2800, and 3800 -- and
>> support Netflow.
>
> That's the point: they are software based. You can do everything on
> SW based platforms.
>
> The 3560 is hardware based, and it's "fairly simple" hardware, as opposed
> to a 6500/7600, which has more complex (and more expensive!) hardware.
>
> So the 3560 hardware just cannot do it, because implementing it would have
> made the box much more expensive.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

This email and any attachments ("Message") may contain legally privileged and/or confidential information. If you are not the addressee, or if this Message has been addressed to you in error, you are not authorized to read, copy, or distribute it, and we ask that you please delete it (including all copies) and notify the sender by return email. Delivery of this Message to any person other than the intended recipient(s) shall not be deemed a waiver of confidentiality and/or a privilege.

From dcurran at nuvox.com Thu Jul 31 10:07:56 2008
From: dcurran at nuvox.com (David Curran)
Date: Thu, 31 Jul 2008 10:07:56 -0400
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To: <20080731133348.GP288@greenie.muc.de>
Message-ID:

Touche. I was speaking of the smaller catalyst platforms. However I'm not sure it's fair to real routers to call the Supervisors route processors. That's like calling a Yugo a race car. Sure, you COULD race it...

> From: Gert Doering
> Date: Thu, 31 Jul 2008 15:33:48 +0200
> To: David Curran
> Cc: Gert Doering ,
> Subject: Re: [c-nsp] Netflow / 3560 platform
>
> Hi,
>
> On Thu, Jul 31, 2008 at 09:10:31AM -0400, David Curran wrote:
>> I would add that the 6500/7600 can "do" netflow but not well.
>> I think the
>> true limitation is that these platforms are switches, not routers. So as
>> previous responses have stated, things are done in hardware, not software.
>> Platforms without route processors would be hard pressed to do the
>> necessary work to properly log and export flows.
>>
>> At least that's the excuse we get when we run into netflow issues on the
>> 7600 platform...
>
> Well, dunno about yours, but our 7600s seem to have route processors,
> (*and* switch processors even) :-)
>
> But indeed, hardware based netflow is prone to have *different* limitations,
> when compared to a software based architecture. The latter usually dies
> when the load goes up too much...
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu Jul 31 10:20:20 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 31 Jul 2008 16:20:20 +0200
Subject: [c-nsp] Netflow / 3560 platform
In-Reply-To:
References: <20080731133348.GP288@greenie.muc.de>
Message-ID: <20080731142019.GQ288@greenie.muc.de>

Hi,

On Thu, Jul 31, 2008 at 10:07:56AM -0400, David Curran wrote:
> Touche. I was speaking of the smaller catalyst platforms. However I'm not
> sure it's fair to real routers to call the Supervisors route processors.
> That's like calling a Yugo a race car. Sure, you COULD race it...
Given that "real routers" sometimes don't even use the "route processors" for netflow export (but do that on the line card CPU), I'm not convinced that "real route processors" would make netflow export much easier :-)

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From lists at hojmark.org Thu Jul 31 10:52:56 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Thu, 31 Jul 2008 16:52:56 +0200
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To:
References: <20080729184001.GD17128@ronin.4ever.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E5F@tiger.deltadentalwa.com> <7F61BE01FDFC437F98469EDC5534F6B7@hojmark.net>
Message-ID:

> FWSM is supported with 12.2(33)SXI

I think you meant to write: 'FWSM *will be* supported in SXI'.

Yes, SXI should ship sometime soon and will add new hardware support. It will also add tons of new features and likely a lot of new bugs. Whether one is willing to be one of the first to use it in production in a data center... well YMMV. And it's not here today.

-A

From ib_cims at yahoo.com Thu Jul 31 13:06:33 2008
From: ib_cims at yahoo.com (Ibrahim Alsharif)
Date: Thu, 31 Jul 2008 10:06:33 -0700 (PDT)
Subject: [c-nsp] Anomaly Guard
Message-ID: <490438.93087.qm@web63814.mail.re1.yahoo.com>

hello Guys,

I have Anomaly Guard Box & Anomaly Guard Detector module on 6500 Catalyst Switch & I want to put the GiGa Ethernet port which is placed in the Detector module in the same Vlan of the Guard Box Port on the Switch.
Thanks for help

Ibrahim Alsharif

From ASikkema at office.unet.nl Thu Jul 31 14:11:00 2008
From: ASikkema at office.unet.nl (Andreas Sikkema)
Date: Thu, 31 Jul 2008 20:11:00 +0200
Subject: [c-nsp] Can an AS5350 route ISDN calls to ISDN?
In-Reply-To: <48809E50.2090100@evaristesys.com>
Message-ID:

Hi,

> > Cool! So I just match the incoming calls from a specific ISDN interface
> > and send them out through another. Are there any caveats I should know? I
> > can't match specific dialled or dialling numbers, currently there's over
> > 2000 DID's in use on these lines.
>
> No other caveats.
>
> You don't have to match incoming calls on a peer based on an expression
> for "incoming called-number ..." - you can just create a peer that has
> an affinity to a voice port, although it won't work to bind it to a
> trunk-group (that only works for outgoing).
>
> But otherwise, no other things readily come to mind.

I'm trying to test this by sending calls from a specific number from a specific voice port, but it's not working. We currently have a "catch all" voip dialpeer for all other calls that come into this gateway that is matched whatever I try.

So, the basic setup is that I have a dialpeer that matches the incoming call:

dial-peer voice 20 pots
 description **** inbound from isdn, should go to isdn directly
 destination-pattern some_number
 translate-outgoing called 100
 port 3/3:D

dial-peer voice 12 pots
 trunkgroup my_trunkgroup
 description *** To Trunk ***
 translation-profile outgoing outgoing_profile
 destination-pattern 310
 forward-digits all

dial-peer voice 100 voip
 description *** catchall ***
 destination-pattern .
 voice-class codec 100
 session protocol sipv2
 session target ipv4:something

voice translation-rule 100
 rule 1 /^31\(.........\)/ /31031\1/

Incoming calls from the ISDN line all start with 31. I want to send calls from isdn port 3/3 (currently only for a single test number, but that is temporary) out on the isdn lines in trunkgroup my_trunkgroup using dialpeer 12.
I tried this by doing some digit manipulation, but IIRC that is done only after the outgoing dialpeer is matched, not during dialpeer matching.

How do I add 310 as a prefix to the calls from port 3/3 so that dialpeer 100 does not match and calls go to dialpeer 12 (or something functionally similar)?

Thanks!

--
Andreas Sikkema

From cisco-nsp at slepicka.net Thu Jul 31 17:22:25 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Thu, 31 Jul 2008 16:22:25 -0500
Subject: [c-nsp] 6509 ACE/FWSM Modules??????????
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA02ABEA6@xmail06.ad.ua.ac.be>
References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC00E66@tiger.deltadentalwa.com> <2F7B70885960AA42BE820036B3A8CDA02ABEA6@xmail06.ad.ua.ac.be>
Message-ID: <48922D11.7010108@slepicka.net>

Should work fine (though, admittedly, I haven't deployed this config). The purpose of PAgP+ is to provide dual-active detection should the VSL between your VSS pair fail. If your devices don't support PAgP+, you need to configure a dedicated link to perform this detection instead.

See http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps9336/prod_white_paper0900aecd806ee2ed_ps2797_Products_White_Paper.html

Holemans Wim wrote:
> Can someone clarify the PAGP problem? I had a discussion with someone
> of Cisco for a new design in one of our datarooms and we had chosen a
> VSS solution with dual 3750E stacks and 20Gig uplinks in each rack to
> the VSS chassis for max redundancy. According to our Cisco contact,
> this was a working solution. If however it is impossible to make
> channels between a 3750E cluster and both switches in a VSS, the
> complete design has to be redone...
>
> Wim Holemans
> Network Services
> University of Antwerp
>
>
>
> -----Original Message-----
> From: Mike Louis [mailto:MLouis at nwnit.com]
> Sent: Tuesday, July 29, 2008 6:19 PM
> To: Teller, Robert; Tony Varriale; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] 6509 ACE/FWSM Modules??????????
>
> Last time I checked the 3750 did not support the pagp extensions for
> vss. You would get an stp loop if you tried. Has this support changed?
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rgallagh at cisco.com Thu Jul 31 18:17:23 2008
From: rgallagh at cisco.com (Richard Gallagher)
Date: Fri, 1 Aug 2008 08:17:23 +1000
Subject: [c-nsp] XR OS-SHMWIN-2-ERROR_ENCOUNTERED
In-Reply-To:
References:
Message-ID:

How much memory is installed in slot0 LC? Looks like you might not have enough. Can you send a "show diag"

Rich

On 31/07/2008, at 8:19 PM, Nic Tjirkalli wrote:
>
> Howdy ho,
>
> Have a CISCO GSR 12416/PRP running XR 3.6.1
>
> and it has started continually whining about :-
>
> LC/0/0/CPU0:Jul 31 10:15:47.970 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
> LC/0/0/CPU0:Jul 31 10:15:50.337 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
> LC/0/0/CPU0:Jul 31 10:16:17.989 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
> LC/0/0/CPU0:Jul 31 10:16:19.372 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
> LC/0/0/CPU0:Jul 31 10:16:48.014 : fib_mgr[146]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
> LC/0/0/CPU0:Jul 31 10:16:49.269 : l2fib[180]: %OS-SHMWIN-2-ERROR_ENCOUNTERED : SHMWIN: Error encountered: shmwin state is critical
>
> CCO says log a tac case, but was wondering if anybody had some ideas of
> what this error is and how to go about "fixing" it
>
> thanx
>
> ---------------------------------------------------------------------
> Mind Like A Steel Trap - Rusty And Illegal In 37 States.
>
> Nic Tjirkalli
> Verizon Business South Africa
> Network Strategy Team
>
> Verizon Business is a brand of Verizon South Africa (Pty) Ltd. This e-mail
> is strictly confidential and intended only for use by the addressee unless
> otherwise indicated.
>
> Company Information: http://www.verizonbusiness.com/za/contact/legal/
>
> This e-mail is strictly confidential and intended only for use by the
> addressee unless otherwise indicated.

From felixnkansah at gmail.com Thu Jul 31 18:48:15 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Thu, 31 Jul 2008 22:48:15 +0000
Subject: [c-nsp] Problem Resetting of Cisco Firewall CSC SSM Password
Message-ID: <18dba4e50807311548s5a2a1204r8c32ac6a1d5e4f0c@mail.gmail.com>

Hi Team,

I have been trying to reset the password to a Cisco content security and control module on an ASA appliance. I get the following error when I enter the password reset commands.

##############################################
FAVBLESS(config)# hw-module module 1 password-reset
Reset the password on module in slot 1? [confirm]
The SSM application version does not support password reset
Failed to reset the password on the module in slot 1
#############################################

I should be glad if you can help me resolve this problem or suggest another technique for resetting the password to the CSC SSM.

Regards,
Felix