From brad.henshaw at qcn.com.au  Thu May 1 00:49:59 2008
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 1 May 2008 14:49:59 +1000
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue
In-Reply-To: <4818BEE1.2060205@west.net>
Message-ID: <3B0B088532A4A44C97875AA89AEF971B2033C2@qcnexc01.corp.qcn>

Jay Hennigan wrote:

> Both providers are sourcing clock, but apparently not in sync with each other.
> Second E-1 on the WIC shows slips.

You're probably seeing a hardware limitation. My understanding is that the
E1 controller can only have one clock source. When you set 'clock source
line' (assuming network-clock-select is letting that port have priority)
the internal PLL is driven by clocking on the selected interface and all
other interfaces gain timing from the internal clock.

Is this actually causing a problem?

Other than running links to separate providers on physically separate
boxen, you could try setting loop time on both E1s - this decouples their
timing from the PLL and will probably cause slips on both interfaces, but
may change the nature of your problem.

Feel free to slap me around with a clue by four if my understanding is
incorrect. The majority of multiple-E1 boxen I've had to deal with have
utilised E1s from a single provider with a single clock source.

Regards,
Brad

From Kris.Amy at eip.net.au  Thu May 1 04:51:27 2008
From: Kris.Amy at eip.net.au (Kris Amy)
Date: Thu, 1 May 2008 18:51:27 +1000
Subject: [c-nsp] Random Crashing

Hi Guys,

Just wondering if anyone has seen this. It's my first time debugging an
'unknown' crash reason so any pointers would be helpful.

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 13:50 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

E uptime is 1 hour, 7 minutes
System returned to ROM by reload
System image file is "flash:c870-advipservicesk9-mz.124-15.T4.bin"
Last reload reason: Unknown reason

The only thing I can pull from the crashinfo is :-

=== Start of Crashinfo Collection (14:38:22 PCTime Mon Feb 25 2008) ===

For image:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 13-Mar-08 13:50 by prod_rel_team

========= Show Alignment =============================
Alignment data for:
C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T4, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Compiled Thu 13-Mar-08 13:50 by prod_rel_team

Total Spurious Accesses 3, Recorded 3

Address  Count  Traceback
0        1      0x80D6CF20 0x80D753E0 0x80D3A034 0x814857A0 0x814858F8 0x80D3A4D0 0x80367A28 0x8036AB70
0        1      0x80D6CF28 0x80D753E0 0x80D3A034 0x814857A0 0x814858F8 0x80D3A4D0 0x80367A28 0x8036AB70
0        1      0x80D6CF4C 0x80D753E0 0x80D3A034 0x814857A0 0x814858F8 0x80D3A4D0 0x80367A28 0x8036AB70

---- Partial decode of process block ----

Pid 197: Process "IP NAT Ager" stack 0x83EBB344 savedsp 0x832F143C
Flags: analyze prefers_new
Status 0x00000000 Orig_ra 0x00000000 Routine 0x80D3A394 Signal 0
Caller_pc 0x00000000 Callee_pc 0x00000000 Dbg_events 0x00000000 State 0
Totmalloc 252 Totfree 252 Totgetbuf 0
Totretbuf 0 Edisms 0x0 Eparm 0x0
Elapsed 0x0 Ncalls 0xF0F Ngiveups 0x0
Priority_q 4 Ticks_5s 0 Cpu_5sec 0 Cpu_1min 0
Cpu_5min 0 Stacksize 0x1770 Lowstack 0x1770
Ttyptr 0x83261850 Mem_holding 0x1C44 Thrash_count 0
Wakeup_reasons 0x0FFFFFFF Default_wakeup_reasons 0x0FFFFFFF
Direct_wakeup_major 0x00000000 Direct_wakeup_minor 0x00000000

--
Cheers,
Kris Amy
Enterprise IP
Phone: 07 3123 5510
National: 1300 347 287
Fax: 07 3018 0282
Email: kris.amy at eip.net.au

From rblayzor.bulk at inoc.net  Thu May 1 05:47:41 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 1 May 2008 05:47:41 -0400
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue
In-Reply-To: <4818BEE1.2060205@west.net>
References: <4818BEE1.2060205@west.net>
Message-ID: <223F4EA9-65F2-407E-A238-E6C1D85E49EE@inoc.net>

On Apr 30, 2008, at 2:48 PM, Jay Hennigan wrote:
> Second E-1 on the WIC shows slips. It appears that "clock source line"
> doesn't do what it should, or somehow the first E-1 is clocking both
> circuits. Physically disconnecting the first E-1 fixes the slips on the
> second.

Are both of these E1 links going to different telecom providers or just
to one telecom provider and one to a private link of sorts? If they're
both going to telecom providers, shouldn't their clock source be
relatively close? I'm thinking if they're a carrier they probably should
be synced to a stratum 1 BITS source, if not at the very least 3e for all
their SDH/SONET equipment... I believe an E1/T1 only requires stratum 4,
maybe even 5. I'd find it a bit strange if two actual telecom carriers
had that much difference in clock source that you were seeing slips.

The other question is, are you sure you're getting good clocking from
both providers, have you tried one and not the other, etc?

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

Mac OS X. Because making Unix user-friendly is easier than debugging Windows.
From blahu77 at gmail.com  Thu May 1 07:38:36 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 1 May 2008 12:38:36 +0100
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <200805010202.m41229Jv057699@mainstreet.net>
References: <200805010202.m41229Jv057699@mainstreet.net>
Message-ID: <383357750805010438h45b98ccawd24ddfa703b85b75@mail.gmail.com>

2008/5/1 Mark Kent :
>
> I've got the following scenario:
>
> a) a 7201 with a trunk to a 4948
> b) a metroLAN from that 4948 to a 6509
> c) a 7206/npe-g2 with a trunk to that 6509
>
> I need the 7201 to be layer3-connected to the 7206.
>
> I can't get it to work. This is what I have:
>
> The 7201:
>
>   interface GigabitEthernet0/1.90
>    encapsulation dot1Q 90
>    ip address 192.0.2.56 255.255.255.254
>
> and
>
> The 4948 trunk port to the 7201:
>
>   interface GigabitEthernet1/1
>    description TRUNK to c7201-1 router port 0/1
>    switchport trunk encapsulation dot1q
>    switchport trunk allowed vlan 87,90
>    switchport mode trunk
>
> The 4948 port for the metrolan:
>
>   interface GigabitEthernet1/48
>    description metroLAN to c6509 g5/2
>    switchport trunk encapsulation dot1q
>    switchport trunk allowed vlan 90
>    switchport mode trunk
>
> The 6509 port for the metrolan:
>
>   interface GigabitEthernet5/2
>    description metroLAN to c4948 port 1/48
>    switchport
>    switchport trunk encapsulation dot1q
>    switchport trunk allowed vlan 90
>    switchport mode trunk
>
> The 6509 port to the 7206:
>
>   interface GigabitEthernet3/1
>    description TRUNK to c7206 router port 0/3
>    switchport
>    switchport trunk encapsulation dot1q
>    switchport trunk allowed vlan 78,90
>    switchport mode trunk
>
> And the 7206/NPE-G2:
>
>   interface GigabitEthernet0/3.90
>    encapsulation dot1Q 90
>    ip address 192.0.2.57 255.255.255.254
>
> Now, I've also tried it with the ports on each end of the metroLAN
> configured not as trunks, but simply like this:
>
>   interface GigabitEthernet1/48
>    description metroLAN to c6509 g5/2
>    switchport access vlan 90
>
> and
>
>   interface GigabitEthernet5/2
>    description metroLAN to c4948 port 1/48
>    switchport access vlan 90
>
> but with no luck.
>
> What gives? Do I really need the cooperation of the metroLAN
> provider to make this work?
>
> Thanks,
> -mark
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

You have to make sure that your L2 path is end to end, so what do the
switches say?

show vlan 90
show spanning-tree vlan 90

on both switches... I assume the interfaces are up/up and patched
correctly...

Best Regards,

-mat

From gonnason at gmail.com  Thu May 1 07:46:49 2008
From: gonnason at gmail.com (Mike Gonnason)
Date: Thu, 1 May 2008 03:46:49 -0800
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <200805010202.m41229Jv057699@mainstreet.net>
References: <200805010202.m41229Jv057699@mainstreet.net>
Message-ID: <5cb5bcea0805010446q6905fc61u7a12d3dfd6dc36d0@mail.gmail.com>

On Wed, Apr 30, 2008 at 6:02 PM, Mark Kent wrote:
>
> I've got the following scenario:
>
> a) a 7201 with a trunk to a 4948
> b) a metroLAN from that 4948 to a 6509
> c) a 7206/npe-g2 with a trunk to that 6509
>
> I need the 7201 to be layer3-connected to the 7206.
>
> I can't get it to work.
[...]
> What gives? Do I really need the cooperation of the metroLAN
> provider to make this work?

What do your arp tables show on either end for your IP addresses? Have
you traced the related MAC addresses across the layer 2 path?

-Mike Gonnason

From rblayzor.bulk at inoc.net  Thu May 1 08:39:23 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 1 May 2008 08:39:23 -0400
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <200805010202.m41229Jv057699@mainstreet.net>
References: <200805010202.m41229Jv057699@mainstreet.net>

On Apr 30, 2008, at 10:02 PM, Mark Kent wrote:
> I've got the following scenario:

Simple question, but does VLAN90 appear in the VLAN database on both
switches? ie: "show vlan" on each switch shows vlan90 configured?

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

Mac OS X. Because making Unix user-friendly is easier than debugging Windows.

From gulerozgur at yahoo.co.uk  Thu May 1 05:26:23 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 1 May 2008 10:26:23 +0100
Subject: [c-nsp] Random Crashing
Message-ID: <009801c8ab6d$6ebdda20$4c398e60$@co.uk>

Do you have anything in "show alignment" while the router is running?

Best is opening a TAC case so they can decode your tracebacks.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy
Sent: 01 May 2008 09:51
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Random Crashing

Hi Guys,

Just wondering if anyone has seen this. It's my first time debugging an
'unknown' crash reason so any pointers would be helpful.

[...]

From shane at short.id.au  Thu May 1 09:01:10 2008
From: shane at short.id.au (Shane Short)
Date: Thu, 1 May 2008 21:01:10 +0800
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <200805010202.m41229Jv057699@mainstreet.net>
References: <200805010202.m41229Jv057699@mainstreet.net>
Message-ID: <160C72FA-1FE9-48C7-8422-A9D23AD78CB7@short.id.au>

Any particular reason you're not just running the MetroE link as access
ports? Some MetroE providers don't allow trunking.

-Shane

On 01/05/2008, at 10:02 AM, Mark Kent wrote:
>
> I've got the following scenario:
>
> a) a 7201 with a trunk to a 4948
> b) a metroLAN from that 4948 to a 6509
> c) a 7206/npe-g2 with a trunk to that 6509
>
> I need the 7201 to be layer3-connected to the 7206.
>
> I can't get it to work.
[...]
> What gives? Do I really need the cooperation of the metroLAN
> provider to make this work?

From zivl at gilat.net  Thu May 1 10:00:15 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Thu, 1 May 2008 17:00:15 +0300
Subject: [c-nsp] Random Crashing

Did you check that you have enough memory for running this IOS?
According to Cisco's website, this version of IOS requires a minimum of
128M DRAM and 28M of Flash.
You're trying to run a very "fresh" version, and quite "heavy", so you
must be sure your router can handle it.
I'd stay away from the "train" versions unless you have a very good
reason to use it. I'd rather give a try to the LD version 12.4(19) which
I've tried and have found quite stable. I'm using a more basic feature
set and on a different platform though...

Hope this helps
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Kris Amy
Sent: Thursday, May 01, 2008 11:51 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Random Crashing

Hi Guys,

Just wondering if anyone has seen this. It's my first time debugging an
'unknown' crash reason so any pointers would be helpful.

[...]

From eric at atlantech.net  Thu May 1 10:29:48 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Thu, 1 May 2008 10:29:48 -0400
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <200805010202.m41229Jv057699@mainstreet.net>
References: <200805010202.m41229Jv057699@mainstreet.net>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local>

> The 7201:
>
>   interface GigabitEthernet0/1.90
>    encapsulation dot1Q 90
>    ip address 192.0.2.56 255.255.255.254
>
> and
>
> And the 7206/NPE-G2:
>
>   interface GigabitEthernet0/3.90
>    encapsulation dot1Q 90
>    ip address 192.0.2.57 255.255.255.254
>

Are /31 subnets valid for an ethernet network nowadays?

-evt

From drew.weaver at thenap.com  Thu May 1 10:46:39 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Thu, 1 May 2008 10:46:39 -0400
Subject: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.
In-Reply-To: <18f601940804301643m7d51ffb3o6509c8d4360ce248@mail.gmail.com>
References: <480dad640804292148y6a1bd4e3s2d4e8c3a3bb15e68@mail.gmail.com>
	<48185D38.6050407@autempspourmoi.be>
	<18f601940804301643m7d51ffb3o6509c8d4360ce248@mail.gmail.com>

Somewhat related to this thread,

Is there some sort of 'magic' you have to do with a Sup720 to get it to
export flows egress and ingress? It appears that there is quite a bit of
traffic "missing" from the NetFlow data (most of it in fact)...

I simply applied ip route-cache flow to the layer3 vlans of interest and
then set up the export commands as documented.

Are there other steps required?

Thanks,
-Drew

-----Original Message-----
From: Aaron Glenn [mailto:aaron.glenn at gmail.com]
Sent: Wednesday, April 30, 2008 7:44 PM
To: Drew Weaver
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.

On Wed, Apr 30, 2008 at 5:54 AM, Drew Weaver wrote:
>
> So, what are folks using these days for NetFlow analysis (software?)
>

nfsen and pmacct. excellent open source products.

aaron.glenn

From benny+usenet at amorsen.dk  Thu May 1 11:06:18 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 01 May 2008 17:06:18 +0200
Subject: [c-nsp] trunks, vlans and a metroLAN
References: <200805010202.m41229Jv057699@mainstreet.net>
	<2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local>

Eric Van Tol writes:

> Are /31 subnets valid for an ethernet network nowadays?

See RFC 3021.

Speaking of which, I wish we could redefine the subnet address to be a
usable host address in general. I know the history with zero-broadcast
and all that, but this is 2008...

/Benny

From peter at rathlev.dk  Thu May 1 13:39:38 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 01 May 2008 19:39:38 +0200
Subject: [c-nsp] trunks, vlans and a metroLAN
References: <200805010202.m41229Jv057699@mainstreet.net>
	<2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local>
Message-ID: <1209663578.13186.2.camel@dusken.sys.mjna.net>

On Thu, 2008-05-01 at 17:06 +0200, Benny Amorsen wrote:
> Eric Van Tol writes:
> > Are /31 subnets valid for an ethernet network nowadays?
>
> See RFC 3021.

So the answer is: No, not unless Ethernet is "point-to-point", which it
isn't.

Regards,
Peter

From jay at west.net  Thu May 1 13:47:21 2008
From: jay at west.net (Jay Hennigan)
Date: Thu, 01 May 2008 10:47:21 -0700
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue
In-Reply-To: <223F4EA9-65F2-407E-A238-E6C1D85E49EE@inoc.net>
References: <4818BEE1.2060205@west.net>
	<223F4EA9-65F2-407E-A238-E6C1D85E49EE@inoc.net>
Message-ID: <481A0229.1030806@west.net>

Robert Blayzor wrote:
> Are both of these E1 links going to different telecom providers or just
> to one telecom provider and one to a private link of sorts? If they're
> both going to telecom providers, shouldn't their clock source be
> relatively close? I'm thinking if they're a carrier they probably should
> be synced to a stratum 1 BITS source, if not at the very least 3e for all
> their SDH/SONET equipment... I believe an E1/T1 only requires stratum 4,
> maybe even 5. I'd find it a bit strange if two actual telecom carriers
> had that much difference in clock source that you were seeing slips.
> The other question is, are you sure you're getting good clocking from
> both providers, have you tried one and not the other, etc?

Both are going to different providers. I agree that they all *should*
tie back to stratum 1 clocks and have minimal slips. However, it isn't
uncommon to find that carriers just clock internally off of a local mux
somewhere for data circuits.

Absent a highly accurate clock on our side, it would be impossible to
tell which carrier was off-frequency. They could both be. Even if we
could prove that one carrier was inaccurate, the effort of escalating
the issue to someone within the organization who understands the issue,
cares enough to do something about it, and has the authority to fix it
isn't likely to be productive. "I've got this one E-1 customer who is
complaining about slips because he's also connected to a competitor.
Nobody else has a problem. He could fix it with a separate WIC card. We
should spend five figures on a highly accurate clock for this POP and
cable it to everything with a serial interface", isn't likely to play
well.

Dealing with many carriers, I've found that getting them to grasp the
concept of clocking issues at all is often difficult. In the TDM voice
world the carriers usually get it right. I run multiple long-distance
and local PRIs from different providers to the same switch all the time
and never have a problem. I suspect that plesiochronous data circuits
just aren't given the same attention.

This issue is likely the reason that Cisco gave us the "clock source
line independent" option, which works just fine as long as you don't
have to configure it via the interface you're trying to manipulate!

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From petelists at templin.org  Thu May 1 14:02:59 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 01 May 2008 13:02:59 -0500
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue - resolved!
In-Reply-To: <4818D501.1080809@west.net>
References: <4818BEE1.2060205@west.net>
	<002501c8aaf9$f986d180$f211a8c0@flamwsugsmul5v>
	<4818CF01.7080609@west.net> <4818D501.1080809@west.net>
Message-ID: <481A05D3.6080603@templin.org>

Jay Hennigan wrote:
> The "clock source line independent" keyword indeed fixes the issue, but
> it needs to be done without any channel-groups configured on EITHER
> controller. This makes it difficult to do remotely. :-)

Classic question: could you manipulate the startup configuration, then
lather, rinse, and reload? TFTP in a replacement startup config, etc.

pt

From jared at puck.nether.net  Thu May 1 14:09:17 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 1 May 2008 14:09:17 -0400
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <1209663578.13186.2.camel@dusken.sys.mjna.net>
References: <200805010202.m41229Jv057699@mainstreet.net>
	<2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local>
	<1209663578.13186.2.camel@dusken.sys.mjna.net>
Message-ID: <8798890E-0415-492D-95E5-40752BC6DBE5@puck.nether.net>

On May 1, 2008, at 1:39 PM, Peter Rathlev wrote:
> On Thu, 2008-05-01 at 17:06 +0200, Benny Amorsen wrote:
>> Eric Van Tol writes:
>>> Are /31 subnets valid for an ethernet network nowadays?
>>
>> See RFC 3021.
>
> So the answer is: No, not unless Ethernet is "point-to-point", which it
> isn't.
>

I think this is really something that is dependent on your equipment,
etc.. There are a number of routers/switches/whatnot that do the right
thing. There are some that don't.

On infrastructure you control, there's no reason you can't decide to use
/31s. I might even use them with clued peers, but I don't think they'd
be wise to use on a customer connection.

Some various combinations of the "it-depends" apply here. There are
reasons to not use a /127 in IPv6-land so using a /126 or even a /64
depending on the platform(s) involved may be required.

- Jared

From jashton at esnet.com  Thu May 1 14:20:10 2008
From: jashton at esnet.com (James Ashton)
Date: Thu, 1 May 2008 14:20:10 -0400
Subject: [c-nsp] 6500 interface going administratively down

I have a pair of 6509s with Sup720s that are connected together via a
trunk link on the Sups' GigE ports. I am passing about 100 dot1Q Vlans
across that trunk. Each vlan is running HSRP. Basic config of all vlans
is this:

interface Vlan23
 description Example
 ip address 1.1.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip route-cache flow
 mls netflow sampling
 standby ip 1.1.1.1
 standby timers 5 40
 standby priority 110
 standby preempt

About a dozen times a week the interface on the secondary 6509 goes
admin down and all of my HSRP groups go live. The interface comes back
up, HSRP re-negotiates and everything goes back to normal. This causes
about 20 seconds of outage across the network.

Any thoughts?

The logs for the primary for this event are:

May 1 11:03:31 10.10.5.100 23121: .May 1 11:01:50.314 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
May 1 11:03:31 10.10.5.100 23122: .May 1 11:01:50.386 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
May 1 11:03:32 10.10.5.100 23123: May 1 11:01:50.386 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
May 1 11:03:33 10.10.5.100 23124: May 1 11:01:50.386 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
May 1 11:03:33 10.10.5.100 23125: .May 1 11:01:52.034 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
May 1 11:03:34 10.10.5.100 23126: May 1 11:01:52.035 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
May 1 11:03:36 10.10.5.100 23127: .May 1 11:01:54.998 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
May 1 11:03:37 10.10.5.100 23128: May 1 11:01:55.012 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up

And for the secondary:

May 1 11:03:32 10.10.5.101 230399714: .May 1 11:01:43.460 EST: %LINK-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
May 1 11:03:32 10.10.5.101 230399715: .May 1 11:01:43.464 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
May 1 11:03:32 10.10.5.101 230399716: May 1 11:01:43.467 EST: %LINK-SP-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
May 1 11:03:32 10.10.5.101 230399717: May 1 11:01:43.479 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
May 1 11:03:33 10.10.5.101 230399718: .May 1 11:01:44.704 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
May 1 11:03:33 10.10.5.101 230399719: .May 1 11:01:45.576 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
May 1 11:03:34 10.10.5.101 230399720: May 1 11:01:44.702 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
May 1 11:03:34 10.10.5.101 230399721: May 1 11:01:45.574 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
May 1 11:03:37 10.10.5.101 230399722: .May 1 11:01:48.541 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
May 1 11:03:38 10.10.5.101 230399723: May 1 11:01:48.561 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
May 1 11:04:06 10.10.5.101 230399724: .May 1 11:02:18.593 EST: %STANDBY-6-STATECHANGE: Vlan148 Group 0 state Standby -> Active
May 1 11:04:06 10.10.5.101 230399725: .May 1 11:02:18.617 EST: %STANDBY-6-STATECHANGE: Vlan404 Group 0 state Standby -> Active
~~~ For each of 100 vlans ~~~
May 1 11:04:12 10.10.5.101 230399783: .May 1 11:02:24.409 EST: %STANDBY-6-STATECHANGE: Vlan23 Group 0 state Active -> Speak
May 1 11:04:18 10.10.5.101 230399784: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 21 is flapping between port Gi5/1 and port Router
May 1 11:04:18 10.10.5.101 230399785: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 24 is flapping between port Gi5/1 and port Router
May 1 11:04:18 10.10.5.101 230399786: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 215 is flapping between port Gi5/1 and port Router
May 1 11:04:18 10.10.5.101 230399787: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 111 is flapping between port Gi5/1 and port Router
May 1 11:04:18 10.10.5.101 230399788: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 8 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399789: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399790: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399791: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 53 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399792: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 46 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399793: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
May 1 11:04:20 10.10.5.101 230399794: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
May 1 11:04:20 10.10.5.101 230399795: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
May 1 11:04:20 10.10.5.101 230399796: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
May 1 11:04:20 10.10.5.101 230399797: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 179 is flapping between port Gi5/1 and port Router
May 1 11:04:20 10.10.5.101 230399798: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 64 is flapping between port Gi5/1 and port Router

From r.engehausen at gmail.com  Thu May 1 14:25:30 2008
From: r.engehausen at gmail.com (Roy)
Date: Thu, 01 May 2008 11:25:30 -0700
Subject: [c-nsp] Problems doing NPE upgrade
Message-ID: <481A0B1A.4060208@gmail.com>

A client has a 7206VXR that we are attempting to just upgrade the NPE.
When we replace the NPE-300 with an NPE-400 we get a crash loop during
the boot.

The OS we are using is Cisco IOS Software, 7200 Software (C7200-P-M),
Version 12.4(8d), RELEASE SOFTWARE (fc2)

Console log follows. Any ideas welcome.

Roy

-----------------

System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117], DEVELOPMENT SOFTWARE
Copyright (c) 1994-2000 by cisco Systems, Inc.
C7200 platform with 524288 Kbytes of main memory

Self decompressing the image :
##########################################
################################################################################
################################################################################
################################################# [OK]

%Software-forced reload

Nested r4k_return_to_monitor call (2 times)

-Traceback= 0 602BE8D0

Nested r4k_return_to_monitor call (3 times)

-Traceback= 0 60338694

Nested r4k_return_to_monitor call (4 times)

-Traceback= 0 60338694

Nested r4k_return_to_monitor call (5 times)

-Traceback= 0 60338694

Nested r4k_return_to_monitor call (6 times)

-Traceback= 0 60338694

From cconn at b2b2c.ca Thu May 1 14:37:15 2008
From: cconn at b2b2c.ca (Chris Conn)
Date: Thu, 01 May 2008 14:37:15 -0400
Subject: [c-nsp] Problems doing NPE upgrade
In-Reply-To: <481A0B1A.4060208@gmail.com>
References: <481A0B1A.4060208@gmail.com>
Message-ID: <481A0DDB.2050004@b2b2c.ca>

Roy wrote:
> A client has a 7206VXR that we are attempting to just upgrade the NPE.
> When we replace the NPE-300 with an NPE-400 we get a crash loop during
> the boot. The OS we are using is
>
> Cisco IOS Software, 7200 Software (C7200-P-M), Version 12.4(8d), RELEASE
> SOFTWARE (fc2)
>
> Console log follows. Any ideas welcome.
>
> Roy

Hello,

Check your bootflash. You may have to upgrade it to a newer version that can recognize the NPE-400.

>
> -----------------
>
> System Bootstrap, Version 12.1(20000710:044039) [nlaw-121E_npeb 117],
> DEVELOPMENT SOFTWARE
> Copyright (c) 1994-2000 by cisco Systems, Inc.
>
> C7200 platform with 524288 Kbytes of main memory
>
> Self decompressing the image :
> ##########################################
> ################################################################################
> ################################################################################
> ################################################# [OK]
>
> %Software-forced reload
>
> Nested r4k_return_to_monitor call (2 times)
>
> -Traceback= 0 602BE8D0
>
> Nested r4k_return_to_monitor call (3 times)
>
> -Traceback= 0 60338694
>
> Nested r4k_return_to_monitor call (4 times)
>
> -Traceback= 0 60338694
>
> Nested r4k_return_to_monitor call (5 times)
>
> -Traceback= 0 60338694
>
> Nested r4k_return_to_monitor call (6 times)
>
> -Traceback= 0 60338694
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ploopster at gmail.com Thu May 1 15:36:05 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Thu, 01 May 2008 15:36:05 -0400
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <1209663578.13186.2.camel@dusken.sys.mjna.net>
References: <200805010202.m41229Jv057699@mainstreet.net> <2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local> <1209663578.13186.2.camel@dusken.sys.mjna.net>
Message-ID: <481A1BA5.8010504@gmail.com>

Peter Rathlev wrote:
> On Thu, 2008-05-01 at 17:06 +0200, Benny Amorsen wrote:
>> Eric Van Tol writes:
>>> Are /31 subnets valid for an ethernet network nowadays?
>> See RFC 3021.
>
> So the answer is: No, not unless Ethernet is "point-to-point", which it
> isn't.

It can be, can't it? How would you describe an ethernet with two nodes on it, using an RFC 3021 addressing scheme?

Peace...
Sridhar

From tvarriale at comcast.net Thu May 1 15:49:55 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Thu, 1 May 2008 14:49:55 -0500
Subject: [c-nsp] 6500 interface going administratively down
References:
Message-ID: <004701c8abc4$88bf7e90$f211a8c0@flamwsugsmul5v>

Hard to say without more info but that HSRP mac flapping is typically a spanning tree issue. Anything odd going on at layer 2?

tv

----- Original Message -----
From: "James Ashton"
To:
Sent: Thursday, May 01, 2008 1:20 PM
Subject: [c-nsp] 6500 interface going administratively down

>
> I have a pair of 6509s with Sup720s that are connected together via a
> trunk link on the SUPs GigE ports.
>
> I am passing about 100 dot1Q Vlans across that trunk.
> Each vlan is running HSRP.
> Basic config of all vlans is this:
>
> interface Vlan23
>  description Example
>  ip address 1.1.1.2 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip flow ingress
>  ip route-cache flow
>  mls netflow sampling
>  standby ip 1.1.1.1
>  standby timers 5 40
>  standby priority 110
>  standby preempt
>
> About a dozen times a week the interface on the secondary 6509 goes admin
> down and all of my HSRP groups go live. The interface comes back up, HSRP
> re-negotiates and everything goes back to normal.
>
> This causes about 20 seconds of outage across the network.
>
> Any thoughts?
>
> The logs for the primary for this event are:
>
> May 1 11:03:31 10.10.5.100 23121: .May 1 11:01:50.314 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:31 10.10.5.100 23122: .May 1 11:01:50.386 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.100 23123: May 1 11:01:50.386 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23124: May 1 11:01:50.386 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23125: .May 1 11:01:52.034 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.100 23126: May 1 11:01:52.035 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:36 10.10.5.100 23127: .May 1 11:01:54.998 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.100 23128: May 1 11:01:55.012 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
>
> And for the secondary:
>
> May 1 11:03:32 10.10.5.101 230399714: .May 1 11:01:43.460 EST: %LINK-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399715: .May 1 11:01:43.464 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.101 230399716: May 1 11:01:43.467 EST: %LINK-SP-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399717: May 1 11:01:43.479 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399718: .May 1 11:01:44.704 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399719: .May 1 11:01:45.576 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.101 230399720: May 1 11:01:44.702 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:34 10.10.5.101 230399721: May 1 11:01:45.574 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.101 230399722: .May 1 11:01:48.541 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:38 10.10.5.101 230399723: May 1 11:01:48.561 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:04:06 10.10.5.101 230399724: .May 1 11:02:18.593 EST: %STANDBY-6-STATECHANGE: Vlan148 Group 0 state Standby -> Active
> May 1 11:04:06 10.10.5.101 230399725: .May 1 11:02:18.617 EST: %STANDBY-6-STATECHANGE: Vlan404 Group 0 state Standby -> Active
>
> ~~~
> For each of 100 vlans
> ~~~
>
> May 1 11:04:12 10.10.5.101 230399783: .May 1 11:02:24.409 EST: %STANDBY-6-STATECHANGE: Vlan23 Group 0 state Active -> Speak
> May 1 11:04:18 10.10.5.101 230399784: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 21 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399785: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 24 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399786: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 215 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399787: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 111 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399788: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 8 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399789: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399790: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399791: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 53 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399792: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 46 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399793: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399794: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399795: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399796: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399797: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 179 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399798: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 64 is flapping between port Gi5/1 and port Router

From peter at rathlev.dk Thu May 1 17:17:17 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 01 May 2008 23:17:17 +0200
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To: <481A1BA5.8010504@gmail.com>
References: <200805010202.m41229Jv057699@mainstreet.net> <2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local> <1209663578.13186.2.camel@dusken.sys.mjna.net> <481A1BA5.8010504@gmail.com>
Message-ID: <1209676637.15951.9.camel@dusken.sys.mjna.net>

On Thu, 2008-05-01 at 15:36 -0400, Sridhar Ayengar wrote:
> Peter Rathlev wrote:
> > On Thu, 2008-05-01 at 17:06 +0200, Benny Amorsen wrote:
> >> Eric Van Tol writes:
> >>> Are /31 subnets valid for an ethernet network nowadays?
> >> See RFC 3021.
> >
> > So the answer is: No, not unless Ethernet is "point-to-point", which it
> > isn't.
>
> It can be, can't it? How would you describe an ethernet with two nodes
> on it, using an RFC 3021 addressing scheme?

It still technically wouldn't be a "point-to-point" link. It would be a "broadcast, multiple access" segment that would happen to have only two participating nodes.

If you configure a /31 netmask on an Ethernet-interface on e.g. a C6k SXF you get:

PE2(config)#interface GigabitEthernet4/9
PE2(config-if)#ip address 10.0.0.0 255.255.255.254
% Warning: use /31 mask on non point-to-point interface cautiously
PE2(config-if)#

You can configure it, but the message says that the GE interface (this one is on a WS-X6516-GBIC LAN card) is not "point-to-point".

So to sum it up: You can use /31 netmasks also on Ethernet links, but RFC3021 treats only "point-to-point" links, and thus technically not Ethernet. (Section 2.2.)

Using an Ethernet line as "point-to-point" is definitely possible. And e.g. ISIS has the "isis network point-to-point" interface command to force the IGP to assume that a link is "point-to-point". But you can't hide behind RFC3021 if you encounter problems...
Regards,
Peter

From virendra.rode at gmail.com Thu May 1 20:11:02 2008
From: virendra.rode at gmail.com (virendra rode //)
Date: Thu, 01 May 2008 17:11:02 -0700
Subject: [c-nsp] %BCM-4-ECC_MEMORY: Corrected ECC from memory - 7206vxr/npe-g1
Message-ID: <481A5C16.2090302@gmail.com>

Hi,

I'm seeing sustained occurrence of this message "%BCM-4-ECC_MEMORY: Corrected ECC from memory" on 7206vxr/npe-g1. Is there a test that I can run to figure out which memory (dimm) has gone bad before I go about and swap the entire memory bank?

tia,

regards,
/virendra

From arla at rn.dk Fri May 2 03:07:51 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Fri, 2 May 2008 09:07:51 +0200
Subject: [c-nsp] Cisco 2851 with internal switch module
Message-ID: <8D68760F464FFD40A01BF2FB374E4A286465C625B7@SRVEXC02.aas.its.nja.dk>

Hi all.

Is there anyone that has experience with the 2851 router and the switching module NME-XD-48ES-2S-P? Is it possible to run MPLS on the SFP interfaces, for fiber uplinks to the MPLS core? Or is there another way to get around this? I can't seem to find any documentation on the Cisco web on this.

/Arne

From gert at greenie.muc.de Fri May 2 06:58:49 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 2 May 2008 12:58:49 +0200
Subject: [c-nsp] trunks, vlans and a metroLAN
In-Reply-To:
References: <200805010202.m41229Jv057699@mainstreet.net> <2C05E949E19A9146AF7BDF9D44085B863500B0E5EE@exchange.aoihq.local>
Message-ID: <20080502105849.GQ3278@greenie.muc.de>

Hi,

On Thu, May 01, 2008 at 05:06:18PM +0200, Benny Amorsen wrote:
> Speaking of which, I wish we could redefine the subnet address to be a
> usable host address in general. I know the history with zero-broadcast
> and all that, but this is 2008...

In IPv6, the ::0 host address is perfectly valid. Just get rid of your legacy IP stuff...

gert
-- 
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri May 2 07:06:51 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 2 May 2008 13:06:51 +0200
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue - resolved!
In-Reply-To: <481A05D3.6080603@templin.org>
References: <4818BEE1.2060205@west.net> <002501c8aaf9$f986d180$f211a8c0@flamwsugsmul5v> <4818CF01.7080609@west.net> <4818D501.1080809@west.net> <481A05D3.6080603@templin.org>
Message-ID: <20080502110650.GS3278@greenie.muc.de>

Hi,

On Thu, May 01, 2008 at 01:02:59PM -0500, Pete Templin wrote:
> Classic question: could you manipulate the startup configuration, then
> lather, rinse, and reload? TFTP in a replacement startup config, etc.

Or do "copy tftp run" with the complete de-configuration and re-configuration of the interfaces. Combined with "reload in 5", so if you mess it up, the router will come back with a known-working config.

gert
-- 
USENET is *not* the non-clickable part of WWW!          //www.muc.de/~gert/
Gert Doering - Munich, Germany                      gert at greenie.muc.de
fax: +49-89-35655025                 gert at net.informatik.tu-muenchen.de
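The 6500 admin-down thread earlier on this page (James Ashton's relayed syslog lines, the %STANDBY state changes and the %MAC_MOVE flaps of the shared HSRP virtual MAC 0000.0c07.ac00) is the kind of event sequence worth catching automatically rather than reading off a console after the outage. The block below is an added example written for this page, not code posted by any list member: it parses relayed IOS syslog lines in the format James posted, finds %LINK-5-CHANGED "administratively down" events, and reports, per shutdown, the HSRP takeovers and MAC moves that follow on the same device within a window. The sample lines are constructed from a subset of the thread's own entries; the 120-second window, the function names and the HSRP version 1 virtual MAC derivation (0000.0c07.acXX, XX = group number in hex) are the example's own assumptions, not anything the thread states.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a subset of the relayed syslog lines from the thread
# (relay timestamp, device IP, sequence number, device timestamp, IOS message).
SAMPLE_LOG = """\
May 1 11:03:31 10.10.5.100 23121: .May 1 11:01:50.314 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
May 1 11:03:31 10.10.5.100 23122: .May 1 11:01:50.386 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
May 1 11:03:32 10.10.5.101 230399714: .May 1 11:01:43.460 EST: %LINK-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
May 1 11:03:32 10.10.5.101 230399716: May 1 11:01:43.467 EST: %LINK-SP-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
May 1 11:03:33 10.10.5.101 230399719: .May 1 11:01:45.576 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
May 1 11:04:06 10.10.5.101 230399724: .May 1 11:02:18.593 EST: %STANDBY-6-STATECHANGE: Vlan148 Group 0 state Standby -> Active
May 1 11:04:06 10.10.5.101 230399725: .May 1 11:02:18.617 EST: %STANDBY-6-STATECHANGE: Vlan404 Group 0 state Standby -> Active
May 1 11:04:12 10.10.5.101 230399783: .May 1 11:02:24.409 EST: %STANDBY-6-STATECHANGE: Vlan23 Group 0 state Active -> Speak
May 1 11:04:18 10.10.5.101 230399784: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 21 is flapping between port Gi5/1 and port Router
May 1 11:04:18 10.10.5.101 230399785: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 24 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399789: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
May 1 11:04:19 10.10.5.101 230399790: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
"""

# One relayed line: "<relay ts> <device> <seq>: [.]<device ts> <tz>: %FAC[-SP]-SEV-MNEMONIC: text"
# The optional leading "." before the device timestamp is IOS marking an unsynchronised clock.
LINE_RE = re.compile(
    r"^(?P<relay_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\d{1,3}(?:\.\d{1,3}){3}) (?P<seq>\d+): "
    r"\.?(?P<dev_ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[A-Z]+): "
    r"%(?P<fac>[A-Z_]+)(?:-(?P<sub>SP))?-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$"
)
IFACE_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>.+)$")
MAC_MOVE_RE = re.compile(r"Host (?P<mac>[0-9a-fA-F.]+) in vlan (?P<vlan>\d+) is flapping "
                         r"between port (?P<p1>\S+) and port (?P<p2>\S+)")
HSRP_RE = re.compile(r"(?P<iface>\S+) Group (?P<group>\d+) state (?P<old>\w+) -> (?P<new>\w+)")

HSRP_V1_MAC_PREFIX = "0000.0c07.ac"  # HSRP version 1 virtual MAC; last byte is the group number


def hsrp_v1_vmac(group: int) -> str:
    """Virtual MAC an HSRPv1 group advertises (assumption: HSRPv1, not v2)."""
    if not 0 <= group <= 255:
        raise ValueError("HSRPv1 group must be 0..255")
    return f"{HSRP_V1_MAC_PREFIX}{group:02x}"


def hsrp_v1_group(mac: str):
    """Group number if the MAC is an HSRPv1 virtual MAC, else None."""
    mac = mac.lower()
    return int(mac[-2:], 16) if mac.startswith(HSRP_V1_MAC_PREFIX) else None


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    # Device timestamp carries no year; strptime defaults it, which is fine for ordering.
    ev["dev_ts"] = datetime.strptime(" ".join(ev["dev_ts"].split()), "%b %d %H:%M:%S.%f")
    return ev


def parse_log(text: str):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


def admin_shutdowns(events):
    """%LINK-5-CHANGED 'administratively down' events from the route processor.
    SP copies (%LINK-SP-5-CHANGED) duplicate the RP message and are skipped."""
    out = []
    for ev in events:
        if ev["fac"] != "LINK" or ev["sub"] is not None or ev["mnem"] != "CHANGED":
            continue
        im = IFACE_RE.search(ev["text"])
        if im and im["state"] == "administratively down":
            out.append({"device": ev["device"], "iface": im["iface"], "when": ev["dev_ts"]})
    return out


def correlate(events, window_s: int = 120):
    """For each admin shutdown, gather HSRP takeovers and MAC moves that follow
    on the same device within window_s seconds (window is an assumption)."""
    findings = []
    for sd in admin_shutdowns(events):
        start, end = sd["when"], sd["when"] + timedelta(seconds=window_s)
        later = [ev for ev in events if ev["device"] == sd["device"] and start <= ev["dev_ts"] <= end]
        takeovers, flaps, groups = [], Counter(), set()
        for ev in later:
            if ev["mnem"] == "STATECHANGE":
                hm = HSRP_RE.search(ev["text"])
                if hm and hm["new"] == "Active":
                    takeovers.append(hm["iface"])
            elif ev["fac"] == "MAC_MOVE":
                mm = MAC_MOVE_RE.search(ev["text"])
                if mm:
                    flaps[mm["vlan"]] += 1
                    g = hsrp_v1_group(mm["mac"])
                    if g is not None:
                        groups.add(g)
        findings.append({**sd, "hsrp_takeovers": takeovers,
                         "mac_moves_per_vlan": dict(flaps),
                         "hsrp_groups_flapping": sorted(groups)})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_log(SAMPLE_LOG)):
        print(f"{f['device']} {f['iface']} admin down at {f['when'].time()}: "
              f"{len(f['hsrp_takeovers'])} HSRP takeovers, "
              f"{sum(f['mac_moves_per_vlan'].values())} MAC moves in "
              f"{len(f['mac_moves_per_vlan'])} VLANs, HSRP groups {f['hsrp_groups_flapping']}")
```

Two things the output makes visible that the raw log does not: the shutdown is dated from the device clock (the relay clock runs about 100 seconds ahead of it in the posted lines), and every flapping host resolves to HSRP group 0, which is why one MAC shows up in every VLAN. Running `hsrp_v1_vmac` over distinct group numbers shows what a later reply in this thread suggests: with a unique group per VLAN the virtual MACs differ, so a switch that keeps one MAC table across VLANs no longer sees the same address behind two ports.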
From jashton at esnet.com Fri May 2 07:43:44 2008
From: jashton at esnet.com (James Ashton)
Date: Fri, 2 May 2008 07:43:44 -0400
Subject: [c-nsp] 6500 interface going administratively down
In-Reply-To: <004701c8abc4$88bf7e90$f211a8c0@flamwsugsmul5v>
Message-ID:

Nothing odd going on that I can see. There are one or 2 customers that are using non cisco gear. But most are foundry or HP. They should have no issues with spanning tree. But you never know. We dug up a few cisco 1900s in the network the other day. I am planning on replacing them. They could have some spanning tree issues I guess. But I am using loopguard and udld and am getting no spanning tree based log messages.

Also, the trunk interface is going administratively down when this happens. That appears to be causing all of the rest.. Spanning tree wouldn't cause that... Would it? But that would definitely cause the spanning tree and HSRP issues. So I am feeling that that is the cause. But I could easily be wrong about that.

James P. Ashton
Senior Network Engineer
E Solutions Corporation
813.301.2642 Direct
813.301.2600 Main
813.301.2699 Fax
813.301.2620 Support
www.esnet.com

-----Original Message-----
From: Tony Varriale [mailto:tvarriale at comcast.net]
Sent: Thursday, May 01, 2008 3:50 PM
To: James Ashton; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 interface going administratively down

Hard to say without more info but that HSRP mac flapping is typically a spanning tree issue. Anything odd going on at layer 2?

tv

----- Original Message -----
From: "James Ashton"
To:
Sent: Thursday, May 01, 2008 1:20 PM
Subject: [c-nsp] 6500 interface going administratively down

>
> I have a pair of 6509s with Sup720s that are connected together via a
> trunk link on the SUPs GigE ports.
>
> I am passing about 100 dot1Q Vlans across that trunk.
> Each vlan is running HSRP.
> Basic config of all vlans is this:
>
> interface Vlan23
>  description Example
>  ip address 1.1.1.2 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip flow ingress
>  ip route-cache flow
>  mls netflow sampling
>  standby ip 1.1.1.1
>  standby timers 5 40
>  standby priority 110
>  standby preempt
>
> About a dozen times a week the interface on the secondary 6509 goes
> admin down and all of my HSRP groups go live. The interface comes back
> up, HSRP re-negotiates and everything goes back to normal.
>
> This causes about 20 seconds of outage across the network.
>
> Any thoughts?
>
> The logs for the primary for this event are:
>
> May 1 11:03:31 10.10.5.100 23121: .May 1 11:01:50.314 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:31 10.10.5.100 23122: .May 1 11:01:50.386 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.100 23123: May 1 11:01:50.386 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23124: May 1 11:01:50.386 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23125: .May 1 11:01:52.034 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.100 23126: May 1 11:01:52.035 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:36 10.10.5.100 23127: .May 1 11:01:54.998 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.100 23128: May 1 11:01:55.012 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
>
> And for the secondary:
>
> May 1 11:03:32 10.10.5.101 230399714: .May 1 11:01:43.460 EST: %LINK-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399715: .May 1 11:01:43.464 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.101 230399716: May 1 11:01:43.467 EST: %LINK-SP-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399717: May 1 11:01:43.479 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399718: .May 1 11:01:44.704 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399719: .May 1 11:01:45.576 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.101 230399720: May 1 11:01:44.702 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:34 10.10.5.101 230399721: May 1 11:01:45.574 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.101 230399722: .May 1 11:01:48.541 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:38 10.10.5.101 230399723: May 1 11:01:48.561 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:04:06 10.10.5.101 230399724: .May 1 11:02:18.593 EST: %STANDBY-6-STATECHANGE: Vlan148 Group 0 state Standby -> Active
> May 1 11:04:06 10.10.5.101 230399725: .May 1 11:02:18.617 EST: %STANDBY-6-STATECHANGE: Vlan404 Group 0 state Standby -> Active
>
> ~~~
> For each of 100 vlans
> ~~~
>
> May 1 11:04:12 10.10.5.101 230399783: .May 1 11:02:24.409 EST: %STANDBY-6-STATECHANGE: Vlan23 Group 0 state Active -> Speak
> May 1 11:04:18 10.10.5.101 230399784: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 21 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399785: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 24 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399786: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 215 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399787: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 111 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399788: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 8 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399789: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399790: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399791: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 53 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399792: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 46 is flapping between port Gi5/1 and port Router
> May 1 11:04:19 10.10.5.101 230399793: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399794: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399795: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399796: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399797: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 179 is flapping between port Gi5/1 and port Router
> May 1 11:04:20 10.10.5.101 230399798: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 64 is flapping between port Gi5/1 and port Router

From paul at paulstewart.org Fri May 2 09:09:18 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 2 May 2008 09:09:18 -0400
Subject: [c-nsp] Virtual-Template Problem
Message-ID: <000001c8ac55$bbb8b0a0$332a11e0$@org>

Hi folks...

Trying to build a new VPN config - long story short:

router(config)#int virtual-template 1 type tunnel
% Warning: cannot change vtemplate type

Done google searches etc.. no luck... Cisco 871 with Advanced IP image...

Just wondering if there is somewhere you have to enable support for this template type or is this an IOS problem ??

Thanks,

Paul

From gaurav at inwire.net Fri May 2 09:23:25 2008
From: gaurav at inwire.net (Gaurav Sabharwal)
Date: Fri, 02 May 2008 15:23:25 +0200
Subject: [c-nsp] Virtual-Template Problem
In-Reply-To: <000001c8ac55$bbb8b0a0$332a11e0$@org>
References: <000001c8ac55$bbb8b0a0$332a11e0$@org>
Message-ID: <481B15CD.2060801@inwire.net>

Hi Paul,

Was a virtual-template 1 interface created before without the type as tunnel? If yes, the only way I have found to get rid of the error is to reload the router.

To check if your IOS has support or not, try to create a virtual-template 2 interface with type as tunnel.

Regards,
- Gaurav

on 05/02/2008 03:09 PM Paul Stewart said the following:
> Hi folks...
>
> Trying to build a new VPN config - long story short:
>
> router(config)#int virtual-template 1 type tunnel
> % Warning: cannot change vtemplate type
>
> Done google searches etc.. no luck... Cisco 871 with Advanced IP image...
>
> Just wondering if there is somewhere you have to enable support for this
> template type or is this an IOS problem ??
>
> Thanks,
>
> Paul

From MLouis at nwnit.com Fri May 2 09:24:58 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 2 May 2008 09:24:58 -0400
Subject: [c-nsp] 6500 interface going administratively down
In-Reply-To:
References: <004701c8abc4$88bf7e90$f211a8c0@flamwsugsmul5v>,
Message-ID:

There is an issue with using HSRP and the same virtual mac address when connecting to 3rd party switches. Try setting the HSRP group IDs to unique values and see if that clears the issue. Here is the link:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_qanda_item09186a008011c6bb.shtml#q5

Check out the last couple of Q/A regarding per vlan mac-address table support in 3rd party switches.

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of James Ashton [jashton at esnet.com]
Sent: Friday, May 02, 2008 7:43 AM
To: Tony Varriale; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 interface going administratively down

Nothing odd going on that I can see. There are one or 2 customers that are using non cisco gear. But most are foundry or HP. They should have no issues with spanning tree. But you never know. We dug up a few cisco 1900s in the network the other day. I am planning on replacing them. They could have some spanning tree issues I guess. But I am using loopguard and udld and am getting no spanning tree based log messages.

Also, the trunk interface is going administratively down when this happens. That appears to be causing all of the rest.. Spanning tree wouldn't cause that... Would it? But that would definitely cause the spanning tree and HSRP issues. So I am feeling that that is the cause. But I could easily be wrong about that.

James P. Ashton
Senior Network Engineer
E Solutions Corporation
813.301.2642 Direct
813.301.2600 Main
813.301.2699 Fax
813.301.2620 Support
www.esnet.com

-----Original Message-----
From: Tony Varriale [mailto:tvarriale at comcast.net]
Sent: Thursday, May 01, 2008 3:50 PM
To: James Ashton; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 6500 interface going administratively down

Hard to say without more info but that HSRP mac flapping is typically a spanning tree issue. Anything odd going on at layer 2?

tv

----- Original Message -----
From: "James Ashton"
To:
Sent: Thursday, May 01, 2008 1:20 PM
Subject: [c-nsp] 6500 interface going administratively down

>
> I have a pair of 6509s with Sup720s that are connected together via a
> trunk link on the SUPs GigE ports.
>
> I am passing about 100 dot1Q Vlans across that trunk.
> Each vlan is running HSRP.
> Basic config of all vlans is this:
>
> interface Vlan23
>  description Example
>  ip address 1.1.1.2 255.255.255.0
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  ip flow ingress
>  ip route-cache flow
>  mls netflow sampling
>  standby ip 1.1.1.1
>  standby timers 5 40
>  standby priority 110
>  standby preempt
>
> About a dozen times a week the interface on the secondary 6509 goes
> admin down and all of my HSRP groups go live. The interface comes back
> up, HSRP re-negotiates and everything goes back to normal.
>
> This causes about 20 seconds of outage across the network.
>
> Any thoughts?
>
> The logs for the primary for this event are:
>
> May 1 11:03:31 10.10.5.100 23121: .May 1 11:01:50.314 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:31 10.10.5.100 23122: .May 1 11:01:50.386 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.100 23123: May 1 11:01:50.386 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23124: May 1 11:01:50.386 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.100 23125: .May 1 11:01:52.034 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.100 23126: May 1 11:01:52.035 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:36 10.10.5.100 23127: .May 1 11:01:54.998 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.100 23128: May 1 11:01:55.012 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
>
> And for the secondary:
>
> May 1 11:03:32 10.10.5.101 230399714: .May 1 11:01:43.460 EST: %LINK-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399715: .May 1 11:01:43.464 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:32 10.10.5.101 230399716: May 1 11:01:43.467 EST: %LINK-SP-5-CHANGED: Interface GigabitEthernet5/1, changed state to administratively down
> May 1 11:03:32 10.10.5.101 230399717: May 1 11:01:43.479 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399718: .May 1 11:01:44.704 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:33 10.10.5.101 230399719: .May 1 11:01:45.576 EST: %LINK-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:34 10.10.5.101 230399720: May 1 11:01:44.702 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to down
> May 1 11:03:34 10.10.5.101 230399721: May 1 11:01:45.574 EST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:37 10.10.5.101 230399722: .May 1 11:01:48.541 EST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:03:38 10.10.5.101 230399723: May 1 11:01:48.561 EST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet5/1, changed state to up
> May 1 11:04:06 10.10.5.101 230399724: .May 1 11:02:18.593 EST: %STANDBY-6-STATECHANGE: Vlan148 Group 0 state Standby -> Active
> May 1 11:04:06 10.10.5.101 230399725: .May 1 11:02:18.617 EST: %STANDBY-6-STATECHANGE: Vlan404 Group 0 state Standby -> Active
>
> ~~~
> For each of 100 vlans
> ~~~
>
> May 1 11:04:12 10.10.5.101 230399783: .May 1 11:02:24.409 EST: %STANDBY-6-STATECHANGE: Vlan23 Group 0 state Active -> Speak
> May 1 11:04:18 10.10.5.101 230399784: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 21 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399785: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 24 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399786: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 215 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399787: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 111 is flapping between port Gi5/1 and port Router
> May 1 11:04:18 10.10.5.101 230399788: May 1 11:02:30.865 EST: %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 8 is flapping between port Gi5/1 and port Router
> May 1
11:04:19 10.10.5.101 > 230399789: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping > between port Gi5/1 and port Router May 1 11:04:19 10.10.5.101 > 230399790: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 157 is flapping > between port Gi5/1 and port Router May 1 11:04:19 10.10.5.101 > 230399791: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 53 is flapping > between port Gi5/1 and port Router May 1 11:04:19 10.10.5.101 > 230399792: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 46 is flapping > between port Gi5/1 and port Router May 1 11:04:19 10.10.5.101 > 230399793: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping > between port Gi5/1 and port Router May 1 11:04:20 10.10.5.101 > 230399794: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 51 is flapping > between port Gi5/1 and port Router May 1 11:04:20 10.10.5.101 > 230399795: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping > between port Gi5/1 and port Router May 1 11:04:20 10.10.5.101 > 230399796: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 232 is flapping > between port Gi5/1 and port Router May 1 11:04:20 10.10.5.101 > 230399797: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 179 is flapping > between port Gi5/1 and port Router May 1 11:04:20 10.10.5.101 > 230399798: May 1 11:02:30.865 EST: > %MAC_MOVE-SP-4-NOTIF: Host 0000.0c07.ac00 in vlan 64 is flapping > between port Gi5/1 and port Router > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net 
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From masood at nexlinx.net.pk Fri May 2 09:35:17 2008
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Fri, 2 May 2008 18:35:17 +0500
Subject: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.
In-Reply-To:
References: <480dad640804292148y6a1bd4e3s2d4e8c3a3bb15e68@mail.gmail.com> <48185D38.6050407@autempspourmoi.be> <18f601940804301643m7d51ffb3o6509c8d4360ce248@mail.gmail.com>
Message-ID: <0dc601c8ac59$5c131380$14393a80$@net.pk>

I have written a blog post on the question you asked about the Netflow packet collecting/forwarding issue...

http://weblogs.com.pk/jahil/archive/2008/05/02/how-to-netflow-with-csico-6500.aspx

Regards,
Masood A Shah

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Drew Weaver
Sent: Thursday, May 01, 2008 7:47 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.

Somewhat related to this thread, is there some sort of 'magic' you have to do with a Sup720 to get it to export flows egress and ingress?
It appears that there is quite a bit of traffic "missing" from the NetFlow data (most of it in fact)... I simply applied ip route-cache flow to the layer 3 VLANs of interest and then set up the export commands as documented. Are there other steps required?

Thanks,
-Drew

-----Original Message-----
From: Aaron Glenn [mailto:aaron.glenn at gmail.com]
Sent: Wednesday, April 30, 2008 7:44 PM
To: Drew Weaver
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] If BGP is running on a circuit, if you ping the other end you get loss. kill the BGP (and thus the traffic..) no more loss.

On Wed, Apr 30, 2008 at 5:54 AM, Drew Weaver wrote:
>
> So, what are folks using these days for NetFlow analysis (software?)
>

nfsen and pmacct. excellent open source products.

aaron.glenn

From rs at seastrom.com Fri May 2 10:12:39 2008
From: rs at seastrom.com (Robert E. Seastrom)
Date: Fri, 02 May 2008 10:12:39 -0400
Subject: [c-nsp] Problems doing NPE upgrade
In-Reply-To: <481A0DDB.2050004@b2b2c.ca> (Chris Conn's message of "Thu, 01 May 2008 14:37:15 -0400")
References: <481A0B1A.4060208@gmail.com> <481A0DDB.2050004@b2b2c.ca>
Message-ID: <8663twg5go.fsf@seastrom.com>

Chris Conn writes:

> Roy wrote:
>> A client has a 7206VXR that we are attempting to just upgrade the NPE.
>> When we replace the NPE-300 with an NPE-400 we get a crash loop during
>> the boot. The OS we are using is
>>
>> Cisco IOS Software, 7200 Software (C7200-P-M), Version 12.4(8d), RELEASE
>> SOFTWARE (fc2)
>>
>> Console log follows. Any ideas welcome.
>>
>> Roy
>
> Hello,
>
> Check your bootflash. You may have to upgrade it to a newer version
> that can recognize the NPE-400.

Yep, that's almost certainly it.
It is *amazing* the amount of trouble people have with 7200s that is directly traceable to the bootflash being wildly out of sync with the running IOS load. Not that I've ever picked up "malfunctioning" VXRs on the cheap that turned out to work fine after getting re-flashed ...

-r

From rekordmeister at gmail.com Fri May 2 12:25:19 2008
From: rekordmeister at gmail.com (MKS)
Date: Fri, 2 May 2008 16:25:19 +0000
Subject: [c-nsp] ATM-to-Ethernet Local Switching scalability
Message-ID:

Hi list

I was wondering about the scalability of local switching (ATM to Ethernet). How many local switch circuits can I have on a 7200?

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1067905

Does someone know if or when ATM-to-Ethernet local switching will be available on the 7600 w/ ATM SPAs?

Regards
MKS

From ross at kallisti.us Fri May 2 14:34:08 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Fri, 2 May 2008 14:34:08 -0400
Subject: [c-nsp] 6500 interface going administratively down
In-Reply-To:
References:
Message-ID: <20080502183408.GA14326@kallisti.us>

On Thu, May 01, 2008 at 02:20:10PM -0400, James Ashton wrote:
> About a dozen times a week the interface on the secondary 6509 goes
> admin down and all of my HSRP groups go live. The interface comes
> back up, HSRP re-negotiates and everything goes back to normal.

I'd say HSRP isn't your problem - unreliable interfaces are. I've seen repeated issues like this when using non-Cisco GBICs. We had a batch of bad transceivers from eBay that caused a very similar issue in a very similar configuration.

The fact that the secondary switch reports that the HSRP virtual MAC is flapping further makes me think you've got a communication problem between the two switches. I'd debug transceiver to see if there's something fishy going on there.

I would also suggest that you convert the trunk between those switches to a port-channel.
This will insulate from an individual link failing, but there's nothing to say you won't see both go admin down...

Ross

> [...]

-- 
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From raa at opusnet.com Fri May 2 14:38:00 2008
From: raa at opusnet.com (raa at opusnet.com)
Date: Fri, 2 May 2008 11:38:00 -0700
Subject: [c-nsp] Netflow Question
Message-ID: <001201c8ac83$a6c85820$f4590860$@com>

Hi,

Can anyone tell me the difference between the interface commands:

Router(config-if)# ip flow ingress
Router(config-if)# ip flow egress

And

Router(config-if)# ip route-cache flow

Thanks. Second part to this question: can anyone recommend a Netflow analyzer? Either application or appliance (price is important.) I'd like to get one where I can assign clients access where they only have access to the ports I assign them. I'm currently using the free version of Scrutinizer.

Thanks all!

From rdobbins at cisco.com Fri May 2 15:10:20 2008
From: rdobbins at cisco.com (Roland Dobbins)
Date: Sat, 3 May 2008 02:10:20 +0700
Subject: [c-nsp] Netflow Question
In-Reply-To: <001201c8ac83$a6c85820$f4590860$@com>
References: <001201c8ac83$a6c85820$f4590860$@com>
Message-ID: <0A8C7402-6B36-4F43-A613-3EA7DE7BE9D4@cisco.com>

On May 3, 2008, at 1:38 AM, wrote:

> Router(config-if)# ip flow ingress
> Router(config-if)# ip flow egress

These supersede the older ip route-cache flow.

Check the archives of this list for lots of discussion around NetFlow collection/analysis systems, including earlier this week.

-----------------------------------------------------------------------
Roland Dobbins // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.
-- John Robb

From greg.x.stemberger at sprint.com Fri May 2 15:10:45 2008
From: greg.x.stemberger at sprint.com (Stemberger, Gregory J [NTK])
Date: Fri, 2 May 2008 14:10:45 -0500
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue
In-Reply-To: <4818BEE1.2060205@west.net>
References: <4818BEE1.2060205@west.net>
Message-ID: <792C125F6435894BB361A7E8CA5E20CF37D863873F@PDAWM02C.ad.sprint.com>

When we had this issue on the VWIC-V1 cards, which of course didn't have the "independent" command, we had some success with just changing the secondary T1/E1 to use internal timing, assuming you have a circuit that is getting clocking from a PE directly which can be changed to line timing.

Gregory Stemberger
Sprint Managed Services
Operations Engineering

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jay Hennigan
Sent: Wednesday, April 30, 2008 2:48 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 2821 VWIC2-2MFT-T1/E1 clocking issue

Scenario: Cisco 2821 router running 12.4(18)

VWIC2-2MFT-T1/E1 terminating E-1 connections from two ISPs. Both are configured clock source line. Both providers are sourcing clock, but apparently not in sync with each other. Second E-1 on the WIC shows slips.

It appears that "clock source line" doesn't do what it should, or somehow the first E-1 is clocking both circuits. Physically disconnecting the first E-1 fixes the slips on the second.

Bug? Misconfiguration? Hardware limitation?
-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From virendra.rode at gmail.com Fri May 2 15:30:56 2008
From: virendra.rode at gmail.com (virendra rode //)
Date: Fri, 02 May 2008 12:30:56 -0700
Subject: [c-nsp] Netflow Question
In-Reply-To: <001201c8ac83$a6c85820$f4590860$@com>
References: <001201c8ac83$a6c85820$f4590860$@com>
Message-ID: <481B6BF0.7040003@gmail.com>

raa at opusnet.com wrote:
> Hi,
>
> Can anyone tell me the difference between the interface command:
>
> Router(config-if)# ip flow ingress
> Router(config-if)# ip flow egress
-------------------
ip flow ingress is recommended for 12.4 and >. Then again, I have devices w/ 12.4 code running ip route-cache flow w/o any problems.

If you wish to monitor only ONE interface then use,

ip flow ingress
ip flow egress

Each interface needs to have ip flow ingress enabled in order to be monitored.

>
> And
>
> Router(config-if)# ip route-cache flow
------------------
I guess it is antiquated from what I've gathered but works w/o any problems (head scratching). route-cache flow performs ingress and monitors traffic off all interfaces w/o enabling it individually.

there's more on the list, just look at archives.

regards,
/virendra

>
> Thanks. Second part to this question is anyone recommend a Netflow
> analyzer? Either application or appliance (price is important.) I'd like
> to get one where I can assign clients access where they only have access to
> the ports I assign them. I'm currently using the free version of
> Scrutinizer.
>
> Thanks all!

From jfitz at Princeton.EDU Fri May 2 17:05:50 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 2 May 2008 17:05:50 -0400
Subject: [c-nsp] snmp access list
Message-ID:

Does anybody know how a numbered standard ACL that is applied to snmp traffic via the commands shown below actually works?
Does the SNMP process still get touched when a DENY is hit?

snmp-server community xxxx RO 99
snmp-server community xxxx RW 99

Thanks for any info.

Jeff Fitzwater
OIT Network Systems
Princeton University

From Rafael.Rodriguez at msmc.com Fri May 2 17:42:38 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Fri, 2 May 2008 17:42:38 -0400
Subject: [c-nsp] snmp access list
In-Reply-To:
References:
Message-ID: <13D27D9DCE0E0945A617043C88DD6194014C9943@SVIPEXC1.msmc.com>

Permit/deny queries to the SNMP daemon via the ACL. If your ACL only permits 1.1.1.1, and 2.2.2.2 tries to get/set from SNMP, the ACL drops it.

Cheers,
RR

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Friday, May 02, 2008 17:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] snmp access list

Does anybody know how a numbered standard ACL that is applied to snmp traffic via the commands shown below actually works?
Does the SNMP process still get touched when a DENY is hit?

snmp-server community xxxx RO 99
snmp-server community xxxx RW 99

Thanks for any info.
Jeff Fitzwater
OIT Network Systems
Princeton University

From streiner at cluebyfour.org Fri May 2 18:08:41 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 2 May 2008 18:08:41 -0400 (EDT)
Subject: [c-nsp] snmp access list
In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194014C9943@SVIPEXC1.msmc.com>
References: <13D27D9DCE0E0945A617043C88DD6194014C9943@SVIPEXC1.msmc.com>
Message-ID:

On Fri, 2 May 2008, Rafael Rodriguez wrote:

> Permit/deny queries to SNMP daemon via the ACL. If your ACL only
> permits 1.1.1.1, and 2.2.2.2 tries to get/set from SNMP, ACL drops it.

My interpretation of the question is a bit different. I thought Jeff asked if the SNMP agent itself was responsible for handling the SNMP ACL lookups and allowing/denying the traffic, or if another process does that job before the packets ever reach the SNMP agent. Unfortunately I don't know the answer off-hand, but it is an interesting question.

Jeff: am I correct in my interpretation of your question?

Thanks
jms

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
> Sent: Friday, May 02, 2008 17:06
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] snmp access list
>
> Does anybody know how a numbered standard ACL that is applied to snmp
> traffic via commands shown below, actually works?
> Does the SNMP process still get touched when a DENY is hit?
>
> snmp-server community xxxx RO 99
> snmp-server community xxxx RW 99
>
> Thanks for any info.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>

From jfitz at Princeton.EDU Fri May 2 18:20:57 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 2 May 2008 18:20:57 -0400
Subject: [c-nsp] snmp access list
In-Reply-To:
References: <13D27D9DCE0E0945A617043C88DD6194014C9943@SVIPEXC1.msmc.com>
Message-ID: <20BB27BC-57E9-4B57-9064-2FA6F6B5787A@princeton.edu>

Yes Justin, that is what I meant. Sometimes it's hard to explain what's in your head at the moment.

We were just trying to understand if the snmp process could become busy from denies.

Jeff

On May 2, 2008, at 6:08 PM, Justin M. Streiner wrote:

> On Fri, 2 May 2008, Rafael Rodriguez wrote:
>
>> Permit/deny queries to SNMP daemon via the ACL. If your ACL only
>> permits 1.1.1.1, and 2.2.2.2 tries to get/set from SNMP, ACL drops
>> it.
>
> My interpretation of the question is a bit different. I thought Jeff
> asked if the SNMP agent itself was responsible for handling the SNMP
> ACL lookups and allowing/denying the traffic, or if another process
> does that job before the packets ever reach the SNMP agent.
> Unfortunately I don't know the answer off-hand, but it is an
> interesting question.
>
> Jeff: am I correct in my interpretation of your question?
>
> Thanks
> jms
>
> [...]

From sean.shepard at ewavepartners.com Fri May 2 21:57:05 2008
From: sean.shepard at ewavepartners.com (Sean Shepard)
Date: Fri, 2 May 2008 21:57:05 -0400
Subject: [c-nsp] Cisco 1760 - 12.4(1c) - CPU utilization creep
Message-ID:

Greetings,

We have been experiencing a problem that we believe is something going haywire with a 1760 router (show ver is below). Essentially, over time (one to three weeks) the router's CPU utilization creeps up and begins spiking at 90 to 100% until, if left untreated via RELOAD it gets progressively worse until pegging at 100% making even a telnet visit to type the word "reload" a 10 minute lesson in patience.
The problem first becomes noticed by the end user when they start having problems with their 30 or so VoIP phones, which are more sensitive to network issues. Running nearly idle this evening (processing around 50kbps) the CPU was still showing 18 to 22% [if memory serves] and after reload it basically flatlined in the expected 1-3% range.

Whack-a-mole fix-it attempts have included:

Loading a different IOS version onto the router: I believe 12.3(18) [c1700-k9o3sy7-mz.123-18.bin] was the original and it is still available in flash but we now show it loading 12.4(1c) [see below] after the IOS change.

Replacing the router itself once when the IOS change didn't help.

Packet traces taken on the LAN side of the network do not indicate any significant broadcast or other suspect traffic.

The following line is at the affected location in the SHOW VER output but not on the stable router's SHOW VER output:
"ROM: C1700 Software (C1700-K9O3SY7-M), Version 12.3(18), RELEASE SOFTWARE (fc3)"

Any help or advice is greatly appreciated!

SHOW VERSION output

Cisco IOS Software, C1700 Software (C1700-IPBASE-M), Version 12.4(1c), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Wed 26-Oct-05 06:46 by evmiller

ROM: System Bootstrap, Version 12.2(7r)XM2, RELEASE SOFTWARE (fc1)
ROM: C1700 Software (C1700-K9O3SY7-M), Version 12.3(18), RELEASE SOFTWARE (fc3)

********** uptime is 9 minutes
System returned to ROM by reload at 00:10:01 UTC Sat May 3 2008
System restarted at 00:14:05 UTC Sat May 3 2008
System image file is "flash:c1700-ipbase-mz.124-1c.bin"

Cisco 1760 (MPC860P) processor (revision 0x851) with 55706K/9830K bytes of memory.
Processor board ID FOC09512DZZ (2976419533), with hardware revision 0000
MPC860P processor: part number 5, mask 2
1 FastEthernet interface
1 Serial interface
WIC T1-DSU
32K bytes of NVRAM.
32768K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

COPY OF CONFIGURATION (EDITED TO GET G RATING) ;-)
note: configuration mostly provided by customer's VAR whom we are working with on the problem.

Using 2816 out of 29688 bytes
version 12.4
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot system flash c1700-ipbase-mz.124-1c.bin
boot-end-marker
!
no logging buffered
enable password 7 xxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.100.1.1
!
ip dhcp pool Phones
   network 10.100.1.0 255.255.255.0
   default-router 10.100.1.1
   option 66 ascii "xxxxxxxxxxxx"
   dns-server xxxxxxxxxxxx xxxxxxxxxxxx
   lease 60
!
!
ip domain name xxxxxxxxxxxxxx
ip name-server xxxxxxxxxxxx
ip name-server xxxxxxxxxxxx
!
!
class-map match-all VOIP-CONTROL
 match access-group 182
 match access-group 102
class-map match-all VOIP-RTP
 match access-group 181
 match access-group 102
!
!
policy-map QOS-Policy-1.5M-Internet
 class VOIP-RTP
  priority 1000
 class VOIP-CONTROL
  bandwidth 64
 class class-default
  fair-queue
!
!
!
interface FastEthernet0/0
 description Connection to LAN
 no ip address
 speed 100
 full-duplex
!
interface FastEthernet0/0.1
 description Private data network VLAN
!
interface FastEthernet0/0.2
 description Voice network VLAN
 encapsulation dot1Q 2
 ip address 10.100.1.1 255.255.255.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0/0.3
 description Public address VLAN
 encapsulation dot1Q 3
 ip address xxxxxxxxxxxxxxx 255.255.255.248
 no snmp trap link-status
!
interface Serial0/0
 description T1 Uplink
 bandwidth 1536
 ip address xxxxxxxxxxxx 255.255.255.252
 ip nat outside
 service-policy output QOS-Policy-1.5M-Internet
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
no ip http server
ip nat translation udp-timeout 602
ip nat inside source list 10 interface Serial0/0 overload
ip nat inside source static tcp 10.100.1.15 80 interface Serial0/0 33000
!
access-list 10 permit 10.100.1.0 0.0.0.255
access-list 102 permit udp 10.100.1.0 0.0.0.255 any
access-list 102 permit udp any 10.100.1.0 0.0.0.255
access-list 181 permit udp any any dscp ef
access-list 182 permit udp any any dscp af31
snmp-server community xxxxxxxxxxxx RO
!
control-plane
!
!
ntp clock-period 17208021
ntp server xxxxxxxxxxxx prefer
end

From kofflerg at umkc.edu Fri May 2 23:58:55 2008
From: kofflerg at umkc.edu (Koffler, George A.)
Date: Fri, 2 May 2008 22:58:55 -0500
Subject: [c-nsp] snmp access list
Message-ID: <377801c8acd2$00d56172$3309bd0a@kc.umkc.edu>

Jeff,

I've noticed that, unlike other ACLs, I receive syslog entries for denied *SNMP queries* even when an SNMP ACL is the reason for the failure. It looks just like a failure due to an incorrect community string. The ACL isn't set to log.

I hadn't really thought about it until I saw your question, but now I'm intrigued...

George Koffler
UMKC IS Networking & Telecommunications

>
>
>
Date: Fri, 2 May 2008 17:05:50 -0400
From: Jeff Fitzwater
Subject: [c-nsp] snmp access list
To: cisco-nsp at puck.nether.net

Does anybody know how a numbered standard ACL that is applied to snmp traffic via commands shown below, actually works?
Does the SNMP process still get touched when a DENY is hit?

snmp-server community xxxx RO 99
snmp-server community xxxx RW 99

Thanks for any info.
Jeff Fitzwater
OIT Network Systems
Princeton University

From jay at west.net Sat May 3 00:46:37 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 02 May 2008 21:46:37 -0700
Subject: [c-nsp] Cisco 1760 - 12.4(1c) - CPU utilization creep
In-Reply-To:
References:
Message-ID: <481BEE2D.1040901@west.net>

Sean Shepard wrote:
> Greetings,
>
> We have been experiencing a problem that we believe is something going
> haywire with a 1760 router (show ver is below).
>
> Essentially, over time (one to three weeks) the router's CPU utilization
> creeps up and begins spiking at 90 to 100% until, if left untreated via
> RELOAD it gets progressively worse until pegging at 100% making even a
> telnet visit to type the word "reload" a 10 minute lesson in patience. The
> problem first becomes noticed by the end user when they start having
> problems with their 30 or so VoIP phones which are more sensitive to network
> issues.

Are the VoIP phones running SIP with NAT traversal handled by the router?

If so, you are probably encountering CSCsj08002 which is squashed in:

12.4(11)T4
12.4(16.10)T
12.4(15)T2
12.4(18.10)M

"CPU slowly ramps up until NAT translation is cleared"

The leak is seen when there are SIP translations being created that use port 5060 on both the inside and outside. The rate at which the CPU increases will depend upon the rate of SIP phone calls.

> I believe 12.3(18) [c1700-k9o3sy7-mz.123-18.bin] was the original and it
> is still available in flash
> but we now show it loading 12.4(1c) [see below] after the IOS change.
> Replacing the router itself once when the IOS change didn't help.
> Packet traces taken on the LAN side of the network do not indicate any
> significant broadcast or other suspect traffic.
>
> The following line is at the affected location in the SHOW VER output but
> not on the stable router's SHOW VER output: "ROM: C1700 Software
> (C1700-K9O3SY7-M), Version 12.3(18), RELEASE SOFTWARE (fc3)"
>
> Any help or advice is greatly appreciated!
You're booting to 12.4(1c) because of the "boot system" command.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From dale.shaw+cisco-nsp at gmail.com Sat May 3 02:45:06 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 3 May 2008 16:45:06 +1000
Subject: [c-nsp] Netflow Question
In-Reply-To: <481B6BF0.7040003@gmail.com>
References: <001201c8ac83$a6c85820$f4590860$@com> <481B6BF0.7040003@gmail.com>
Message-ID: <3329cbb40805022345m55ee5c9fjc7f8181453521bf9@mail.gmail.com>

Hi,

raa at opusnet.com wrote:
> > Second part to this question is anyone recommend a Netflow
> > analyzer? Either application or appliance (price is important.) I'd like
> > to get one where I can assign clients access where they only have access to
> > the ports I assign them. I'm currently using the free version of
> > Scrutinizer.

This seems to be a FAQ. I guess there are a bunch of good products out there, so it's hard for anyone to give definitive, unbiased opinions. The best you can probably hope for is advice _against_ using a particular product, due to some real or perceived limitation/deficiency.

While we're on the topic, does anyone have anything particularly positive or negative to say about Cisco NetFlow Collector, or Compuware's NetFlow product?

cheers,
Dale

From bouaziz at nerim.net Sat May 3 08:43:33 2008
From: bouaziz at nerim.net (Raphael Bouaziz)
Date: Sat, 3 May 2008 14:43:33 +0200
Subject: [c-nsp] trunks, vlans and a metroLAN
Message-ID: <20080503124333.GA96667@nerim.net>

Hi,

On Fri, May 02, 2008, Gert Doering wrote:
> In IPv6, the ::0 host address is perfectly valid.

Used to believe that too, but today I'm not so sure.
RC3-1(config)#int g1/17
RC3-1(config-if)#ipv6 add 2001:7a8:1:1500::/64
% 2001:7A8:1:1500::/64 should not be configured on GigabitEthernet1/17, a subnet router anycast
RC3-1(config-if)#ipv6 add 2001:7a8:1:1500::1/64
RC3-1(config-if)#

Also:

RC3-1(config-if)#ipv6 add 2001:7a8:1:1500:ffff:ffff:ffff:ffff/64
% 2001:7A8:1:1500:FFFF:FFFF:FFFF:FFFF/64 should not be configured on GigabitEthernet1/17, a reserved anycast

(7600 w/ 12.2(18)SXF10).

--
Raphael Bouaziz.

From maillist at webjogger.net Sat May 3 09:39:19 2008
From: maillist at webjogger.net (Adam Greene)
Date: Sat, 3 May 2008 09:39:19 -0400
Subject: [c-nsp] sonicwall / PIX VPN woes
References: <01f301c8aad4$a27cdda0$12140a0a@GINKGO> <003301c8aafe$1bb6d080$12140a0a@GINKGO>
Message-ID: <020f01c8ad23$16c6d850$12140a0a@GINKGO>

Just wanted to post resolution on this issue. Thanks for the replies I received off-list, which suggested making sure PFS was off, and enabling nat-traversal if necessary.

The issue turned out to be that the following lines were present in the crypto map configuration:

crypto map mapname client configuration address initiate
crypto map mapname client configuration address respond

but the corresponding "no-config-mode" argument was not appended to the "isakmp key" command for the VPN:

isakmp key xxxxxxxxxxxx address z.z.z.z netmask 255.255.255.255 no-config-mode

Live and learn ...

Thanks,
Adam

----- Original Message -----
From: "Adam Greene"
To:
Sent: Wednesday, April 30, 2008 4:09 PM
Subject: Re: [c-nsp] sonicwall / PIX VPN woes

> Hmmm .... packet capture on Sonicwall reports that some of the ISAKMP
> packets received from the PIX are "malformed".
>
> I can create a site-to-site VPN between the Sonicwall TZ 170 and a
> Sonicwall
> Pro 4100 but not to the PIX!
>
> Argh!
>
>
> ----- Original Message -----
> From: "Adam Greene"
> To:
> Sent: Wednesday, April 30, 2008 11:12 AM
> Subject: [c-nsp] sonicwall / PIX VPN woes
>
>
>> Hi,
>>
>> Trying to set up a site-to-site VPN between PIX 515E 6.3(3) and Sonicwall
>> TZ 170 SonicOS Enhanced 3.2.3.0-6e.
>>
>> I followed all the instructions both on CCO
>> (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008052c9d4.shtml)
>> and the Sonicwall site
>> (http://www.sonicwall.com/downloads/vpn_interoperability_between_sonicos30e_and_cisco_pix_firewall.pdf).
>>
>> It seems to be hanging on Phase II negotiation.
>>
>> The sonicwall reports:
>>
>> 04/30/2008 10:02:06.080 - Info - VPN IKE - IKE Initiator: Start Main Mode negotiation (Phase 1)
>> 04/30/2008 10:02:06.400 - Info - VPN IKE - IKE Initiator: Main Mode complete (Phase 1) ;3DES; SHA1; DH Group 2; lifetime=28800 secs
>> 04/30/2008 10:02:06.400 - Info - VPN IKE - IKE Initiator: Start Quick Mode (Phase 2).
>> 04/30/2008 10:02:06.448 - Info - VPN IKE - IKE Responder: Received Quick Mode Request (Phase 2)
>> 04/30/2008 10:02:21.448 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet
>> 04/30/2008 10:02:36.448 - Warning - VPN IKE - Received packet retransmission. Drop duplicate packet
>>
>> The pix reports:
>>
>> PIX# sh crypto isa sa
>> Total : 1
>> Embryonic : 0
>> dst src state pending created
>> x.x.x.x y.y.y.y OAK_CONF_ADDR 0 0
>>
>> And a pix debug shows:
>>
>> ISAKMP (0): processing SA payload. message ID = 0
>>
>> ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
>> ISAKMP: encryption 3DES-CBC
>> ISAKMP: hash SHA
>> ISAKMP: default group 2
>> ISAKMP: auth pre-share
>> ISAKMP: life type in seconds
>> ISAKMP: life duration (basic) of 28800
>> ISAKMP (0): atts are acceptable. Next payload is 0
>> ISAKMP (0): processing vendor id payload
>>
>> ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
>> return status is IKMP_NO_ERROR
>> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
>> OAK_MM exchange
>> ISAKMP (0): processing KE payload. message ID = 0
>>
>> ISAKMP (0): processing NONCE payload. message ID = 0
>>
>> ISAKMP (0): processing vendor id payload
>>
>> ISAKMP (0): processing vendor id payload
>>
>> ISAKMP (0): received xauth v6 vendor id
>>
>> ISAKMP (0): processing vendor id payload
>>
>> ISAKMP (0): processing vendor id payload
>>
>> ISAKMP (0): remote peer supports dead peer detection
>>
>> return status is IKMP_NO_ERROR
>> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
>> OAK_MM exchange
>> ISAKMP (0): processing ID payload. message ID = 0
>> ISAKMP (0): processing HASH payload. message ID = 0
>> ISAKMP (0): SA has been authenticated
>>
>> ISAKMP (0): ID payload
>> next-payload : 8
>> type : 1
>> protocol : 17
>> port : 500
>> length : 8
>> ISAKMP (0): Total payload length: 12
>> return status is IKMP_NO_ERROR
>> ISAKMP (0): sending INITIAL_CONTACT notify
>> ISAKMP (0): sending NOTIFY message 24578 protocol 1
>> VPN Peer: ISAKMP: Added new peer: ip:x.x.x.x/500 Total VPN Peers:1
>> VPN Peer: ISAKMP: Peer ip:x.x.x.x/500 Ref cnt incremented to:1 Total VPN Peers:1
>> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
>> OAK_QM exchange
>> ISAKMP (0:0): Need config/address
>> ISAKMP (0:0): initiating peer config to x.x.x.x. ID = zzzzzzz (1xda111cf8)
>> return status is IKMP_NO_ERROR
>> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
>> ISAKMP: phase 2 packet is a duplicate of a previous packet
>> ISAKMP: resending last response
>> crypto_isakmp_process_block:src:x.x.x.x, dest:y.y.y.y spt:500 dpt:500
>> ISAKMP: phase 2 packet is a duplicate of a previous packet
>> ISAKMP: resending last response
>> ISAKMP (0): retransmitting Config Mode Request...
>>
>>
>> Any ideas what might be failing?
>>
>> I'm not sure why OAK messages would be showing up at all.
>>
>> Thanks,
>> Adam
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Sat May 3 11:36:19 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sat, 03 May 2008 16:36:19 +0100
Subject: [c-nsp] snmp access list
In-Reply-To:
References:
Message-ID: <481C8673.8040103@imperial.ac.uk>

Jeff Fitzwater wrote:
> Does anybody know how a numbered standard ACL that is applied to snmp
> traffic via commands shown below, actually works?
> Does the SNMP process still get touched when a DENY is hit?

Yes. If you think about it, it has to - the combination that's permitted is:

(community AND ACL)

...so the SNMP process has to run at least as far as parsing the first bits of the SNMP packet to extract the community string.
This means that actual IP ACLs (or CoPP, on supporting platforms) should also be used to drop SNMP (and other management traffic) in hardware/CEF before the process is invoked, for complete security.

>
> snmp-server community xxxx RO 99
> snmp-server community xxxx RW 99
>
> Thanks for any info.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From achatz at forthnet.gr Sat May 3 12:59:54 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 03 May 2008 19:59:54 +0300
Subject: [c-nsp] snmp access list
In-Reply-To: <481C8673.8040103@imperial.ac.uk>
References: <481C8673.8040103@imperial.ac.uk>
Message-ID: <481C9A0A.6040602@forthnet.gr>

The debug shows that the snmp packet is received by the SNMP process, although it's dropped afterwards:

May 3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on FastEthernet0
May 3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet

I believe the acl check could be done first, before it even touches the snmp process.
After that, snmp packet data could be checked.

What's the meaning of checking inside the snmp data, if the packet is to be dropped eventually?

--
Tassos

Phil Mayers wrote on 3/5/2008 6:36 μμ:
> Jeff Fitzwater wrote:
>> Does anybody know how a numbered standard ACL that is applied to snmp
>> traffic via commands shown below, actually works?
>> Does the SNMP process still get touched when a DENY is hit?
>
> Yes. If you think about it, it has to - the combination that's permitted is:
>
> (community AND ACL)
>
> ...so the SNMP process has to run at least as far as parsing the first
> bits of the SNMP packet to extract the community string.
>
> This means that actual IP ACLs (or CoPP, on supporting platforms) should
> also be used to drop SNMP (and other management traffic) in hardware/CEF
> before the process is invoked, for complete security
>
>>
>> snmp-server community xxxx RO 99
>> snmp-server community xxxx RW 99
>>
>> Thanks for any info.
>>
>> Jeff Fitzwater
>> OIT Network Systems
>> Princeton University
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From achatz at forthnet.gr Sat May 3 13:25:34 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 03 May 2008 20:25:34 +0300
Subject: [c-nsp] snmp access list
In-Reply-To: <377801c8acd2$00d56172$3309bd0a@kc.umkc.edu>
References: <377801c8acd2$00d56172$3309bd0a@kc.umkc.edu>
Message-ID: <481CA00E.6040901@forthnet.gr>

George,

I guess you're referring to snmp traps (not syslog entries).
If yes, try "no snmp-server trap authentication acl-failure".
Otherwise, I would be interested to see these syslog entries.

--
Tassos

Koffler, George A. wrote on 3/5/2008 6:58 πμ:
> Jeff,
>
> I've noticed that, unlike other ACLs, I receive syslog entries for denied *SNMP queries* even when an SNMP ACL is the reason for the failure. It looks just like a failure due to an incorrect community string. The ACL isn't set to log.
>
> I hadn't really thought about it until I saw your question, but now I'm intrigued...
>
> George Koffler
> UMKC IS Networking & Telecommunications
>
>>
>>
> Date: Fri, 2 May 2008 17:05:50 -0400
> From: Jeff Fitzwater
> Subject: [c-nsp] snmp access list
> To: cisco-nsp at puck.nether.net
>
> Does anybody know how a numbered standard ACL that is applied to snmp
> traffic via commands shown below, actually works?
> Does the SNMP process still get touched when a DENY is hit?
>
> snmp-server community xxxx RO 99
> snmp-server community xxxx RW 99
>
> Thanks for any info.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From philxor at gmail.com Sat May 3 14:19:54 2008
From: philxor at gmail.com (Phil Bedard)
Date: Sat, 3 May 2008 14:19:54 -0400
Subject: [c-nsp] snmp access list
In-Reply-To: <481C9A0A.6040602@forthnet.gr>
References: <481C8673.8040103@imperial.ac.uk> <481C9A0A.6040602@forthnet.gr>
Message-ID: <4C7DFBDA-DFF1-499D-82AF-6D615BD7948C@gmail.com>

That's what ingress packet ACLs or CoPP is for. Having the SNMP process ACL there as a last resort is probably a good idea in case someone screws up the first layer of security, but I wouldn't rely on it alone.

Phil

On May 3, 2008, at 12:59 PM, Tassos Chatzithomaoglou wrote:

>
> The debug shows that the snmp packet is received by the SNMP
> process, although it's dropped afterwards:
>
> May 3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on
> FastEthernet0
> May 3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet
>
>
> I believe the acl check could be done first, before it even touches
> the snmp process.
> After that, snmp packet data could be checked.
>
> What's the meaning of checking inside the snmp data, if the packet
> is to be dropped eventually?
>
> --
> Tassos
>
>
> Phil Mayers wrote on 3/5/2008 6:36 μμ:
>> Jeff Fitzwater wrote:
>>> Does anybody know how a numbered standard ACL that is applied to
>>> snmp
>>> traffic via commands shown below, actually works?
>>> Does the SNMP process still get touched when a DENY is hit?
>>
>> Yes. If you think about it, it has to - the combination that's
>> permitted is:
>>
>> (community AND ACL)
>>
>> ...so the SNMP process has to run at least as far as parsing the
>> first
>> bits of the SNMP packet to extract the community string.
>>
>> This means that actual IP ACLs (or CoPP, on supporting platforms)
>> should
>> also be used to drop SNMP (and other management traffic) in
>> hardware/CEF
>> before the process is invoked, for complete security
>>
>>>
>>> snmp-server community xxxx RO 99
>>> snmp-server community xxxx RW 99
>>>
>>> Thanks for any info.
>>>
>>> Jeff Fitzwater
>>> OIT Network Systems
>>> Princeton University
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dwcarder at wisc.edu Sat May 3 19:40:56 2008
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Sat, 03 May 2008 18:40:56 -0500
Subject: [c-nsp] snmp access list
In-Reply-To:
References:
Message-ID: <7451-SnapperMsg2EED2966C442A896@[75.205.245.230]>

...... Original Message .......
On Fri, 02 May 2008 17:05:50 -0400 "Jeff Fitzwater" wrote:
>Does anybody know how a numbered standard ACL that is applied to snmp
>traffic via commands shown below, actually works?
>Does the SNMP process still get touched when a DENY is hit?

Yes. You probably want to use CoPP to have the effect I think you want.

We had a host mistakenly pounding the snmp process on one of our 6500's. While the ACL "stopped" the traffic, the cpu was pegged. SNMP is a lower priority process and this didn't have much or any impact on production traffic, but impeded our ability to manage the box.

We turned on CoPP to block snmp from all but our NMS systems and to also police it to a low rate.

Dale

From danletkeman at gmail.com Sun May 4 01:36:01 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 4 May 2008 00:36:01 -0500
Subject: [c-nsp] 2801 - can it handle this?
Message-ID:

Hello,

I have a 2801 router with the firewall IOS. I have a 10mbit connection to the internet. There will be anywhere from 100-300 users using this router for browsing the internet at one time.

I will be running ips and some security acl's. No voip, maybe one or two video connections.

Will this router be able to handle this amount of connections?

Thanks,
Dan.

From danletkeman at gmail.com Sun May 4 02:04:45 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 4 May 2008 01:04:45 -0500
Subject: [c-nsp] 2801 - can it handle this?
In-Reply-To:
References:
Message-ID:

It's almost all web traffic. I think the ACL's are very straightforward, basically the ones that the security audit recommended.

Is there a good way to monitor the firewall/ips system?

Thanks,
Dan.

On Sun, May 4, 2008 at 12:56 AM, Richard Golodner wrote:
> Dan should not be a problem at all. What kind of traffic are you pushing
> now? As long as your security ACL's are straightforward and not complex you
> should be fine. Also max out the memory so you can keep multiple images in
> the box in case you need to change on the fly.
> By the way I really like the
> FW feature set in 12.4.
>
> most sincerely, Richard
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
> Sent: Sunday, May 04, 2008 12:36 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 2801 - can it handle this?
>
> Hello,
>
> I have a 2801 router with the firewall IOS. I have a 10mbit
> connection to the internet. There will be anywhere from 100-300 users
> using this router for browsing the internet at one time.
>
> I will be running ips and some security acl's. No voip, maybe one or
> two video connections.
>
> Will this router be able to handle this amount of connections?
>
> Thanks,
> Dan.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From arla at rn.dk Sun May 4 03:53:09 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Sun, 4 May 2008 09:53:09 +0200
Subject: [c-nsp] Downloadale acl for ASA-pix to VPN-clients
Message-ID: <8D68760F464FFD40A01BF2FB374E4A286465C625BC@SRVEXC02.aas.its.nja.dk>

Hi All.
Is it possible via RADIUS to download access-list to a vpn client that is connecting to an ASA-firewall, so that the clients are restricted separately. And how is it done.
Any links or example would be appreciated.
/Arne

From zivl at gilat.net Sun May 4 03:55:12 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 4 May 2008 10:55:12 +0300
Subject: [c-nsp] %BCM-4-ECC_MEMORY: Corrected ECC from memory - 7206vxr/npe-g1
In-Reply-To: <481A5C16.2090302@gmail.com>
References: <481A5C16.2090302@gmail.com>
Message-ID:

I've had the same problem a couple of months ago and asked here a question about it, I'll save you the time searching the archives, nobody could give me a certain answer about this, but they all pointed to the dram, so I finally decided to replace the whole bank (they were a fresh purchased dimms so I've got RMA on them) and that solved the problem.
So my suggestion is to first go and replace the whole bank, and put the device back to work, then, if you want to know for sure which dimm is the bad one, test it later on a lab environment, on another offline router, if you have such possibility.

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of virendra rode //
Sent: Friday, May 02, 2008 3:11 AM
To: 'cisco-nsp'
Subject: [c-nsp] %BCM-4-ECC_MEMORY: Corrected ECC from memory - 7206vxr/npe-g1

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I'm seeing sustained occurrence of this message "%BCM-4-ECC_MEMORY: Corrected ECC from memory" on 7206vxr/npe-g1.

Is there a test that I can run to figure out which memory (dimm) is gone bad before I go about and swap entire memory bank.
tia,

regards,
/virendra
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFIGlwWpbZvCIJx1bcRAmWwAKDYVmNH6wC8gL4hRG6IaUVqJoa2XgCfVQ8Q
+1RGcS93US1hO4ZU2kfUbsk=
=CInb
-----END PGP SIGNATURE-----
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From slastenov at corbina.net Sun May 4 06:24:41 2008
From: slastenov at corbina.net (Андрей Сластенов)
Date: Sun, 4 May 2008 14:24:41 +0400
Subject: [c-nsp] snmp access list
In-Reply-To: <7451-SnapperMsg2EED2966C442A896@[75.205.245.230]>
References: <7451-SnapperMsg2EED2966C442A896@[75.205.245.230]>
Message-ID: <001601c8add1$10a97410$31fc5c30$@net>

SNMP uses UDP. So, someone (if they know the community, of course) may spoof the IP source address of an SNMP request.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale W. Carder
Sent: Sunday, May 04, 2008 3:41 AM
To: Jeff Fitzwater
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] snmp access list

...... Original Message .......
On Fri, 02 May 2008 17:05:50 -0400 "Jeff Fitzwater" wrote:
>Does anybody know how a numbered standard ACL that is applied to snmp
>traffic via commands shown below, actually works?
>Does the SNMP process still get touched when a DENY is hit?

Yes. You probably want to use CoPP to have the effect I think you want.

We had a host mistakenly pounding the snmp process on one of our 6500's. While the ACL "stopped" the traffic, the cpu was pegged. SNMP is a lower priority process and this didn't have much or any impact on production traffic, but impeded our ability to manage the box.

We turned on CoPP to block snmp from all but our NMS systems and to also police it to a low rate.

Dale
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From p.mayers at imperial.ac.uk Sun May 4 07:23:59 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 04 May 2008 12:23:59 +0100
Subject: [c-nsp] snmp access list
In-Reply-To: <481C9A0A.6040602@forthnet.gr>
References: <481C8673.8040103@imperial.ac.uk> <481C9A0A.6040602@forthnet.gr>
Message-ID: <481D9CCF.1050003@imperial.ac.uk>

Tassos Chatzithomaoglou wrote:
>
> The debug shows that the snmp packet is received by the SNMP process,
> although it's dropped afterwards:
>
> May 3 19:53:45.341: SNMP: Packet received via UDP from x.x.x.x on
> FastEthernet0
> May 3 19:55:29: %SEC-6-IPACCESSLOGS: list 99 denied x.x.x.x 1 packet
>
>
> I believe the acl check could be done first, before it even touches the
> snmp process.

I think that could be quite complicated in the fully general case. The SNMP server would have to merge the ACLs for *all* the community strings, and those ACLs could have conflicting permit/deny statements so you'd have to merge e.g. all the permits and append a "deny any" and *then* re-apply the original ACL after you'd decoded the community string.
Much simpler is to use CoPP or ACLs for router interface addresses at the border. This is best practice anyway.

From p.mayers at imperial.ac.uk Sun May 4 08:01:10 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 04 May 2008 13:01:10 +0100
Subject: [c-nsp] snmp access list
In-Reply-To: <001601c8add1$10a97410$31fc5c30$@net>
References: <7451-SnapperMsg2EED2966C442A896@[75.205.245.230]> <001601c8add1$10a97410$31fc5c30$@net>
Message-ID: <481DA586.3060202@imperial.ac.uk>

Андрей Сластенов wrote:
>
> SNMP uses UDP. So, someone (if they know the community, of course) may spoof the IP source
> address of an SNMP request.

Lots of networks can (should) have spoofing be impossible. That attack would not work on our network for example. It's a problem for the DFZ though.

It's worth pointing out that SNMP can run over TCP. IOS doesn't support it of course, because Cisco seem happy to let management fester. I guess the rationale is "everyone copies IOS, it must be good".

The IOS CLI is a hacked-up copy of "ex":

http://connection.netcordia.com/blogs/terrys_blog/archive/2007/10/28/the-history-of-the-cisco-cli.aspx

...and here we are >15 years later, with no real improvements beyond aliases and TCL. Bah. I want my junoscript (and no, I don't rate netconf)

From freimer at ctiusa.com Sun May 4 09:42:25 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Sun, 4 May 2008 09:42:25 -0400
Subject: [c-nsp] Downloadale acl for ASA-pix to VPN-clients
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A286465C625BC@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A286465C625BC@SRVEXC02.aas.its.nja.dk>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950269CEB6@EXCHANGE.ctiusa.com>

Yes and no. The ACL isn't downloaded to the VPN client itself, it is downloaded to the ASA and enforced at that point. It's pretty simple, and here are the references.
http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1043588 And: http://www.cisco.com/en/US/partner/docs/security/asa/asa80/configuration/guide/vpngrp.html#wp1133080 Sorry for the partner links, but you can do your own search. It's all in the configuration guides. I know it sounds simple, but just download the command line configuration guide, and read it. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland > Sent: Sunday, May 04, 2008 3:53 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Downloadale acl for ASA-pix to VPN-clients > > Hi All. > Is it possible via RADIUS to download access-list to a vpn client that > is connecting to an ASA-firewall, so that the clients are restricted > separately. And how is it done. > Any links or example would be appreciated. > > /Arne > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
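The SNMP ACL thread above (Dale's reply and Phil Mayers' follow-up) makes one point that is easier to see in configuration form: a community ACL such as `access-list 99` is consulted by the SNMP process itself, so a flood from a denied host still burns RP CPU and gets logged only after the packet has been punted, whereas a CoPP policy on a Sup720 is evaluated on the PFC before the packet reaches the route processor. The block below is an added example written for this page; it is not configuration posted by anyone in the thread. The NMS addresses 192.0.2.10 and 192.0.2.11, the community string, the policer rates, the interface and all object names are assumptions. The final stanza applies Phil's anti-spoofing remark from his second message with uRPF on an edge port.

```ios
! Added example, not from the thread. NMS addresses, community string,
! policer rates, interface and names are assumptions.
!
! 1. Keep the community ACL. It still rejects unknown sources, but only
!    after the SNMP process has already been scheduled for the packet.
access-list 99 permit 192.0.2.10
access-list 99 permit 192.0.2.11
snmp-server community s0meStr1ng RO 99
!
! 2. Classify SNMP destined to the box. With hardware CoPP on the PFC3
!    these ACLs are matched before anything is punted to the RP.
!    Do not use the "log" keyword here: logged ACEs are processed in
!    software, which puts the flood straight back on the RP.
ip access-list extended COPP-SNMP-NMS
 permit udp host 192.0.2.10 any eq snmp
 permit udp host 192.0.2.11 any eq snmp
ip access-list extended COPP-SNMP-OTHER
 permit udp any any eq snmp
!
class-map match-all COPP-SNMP-NMS
 match access-group name COPP-SNMP-NMS
class-map match-all COPP-SNMP-OTHER
 match access-group name COPP-SNMP-OTHER
!
! 3. Police the NMS to a low rate and drop everyone else outright.
!    Classes are evaluated in order, so the NMS class must come first,
!    otherwise the catch-all class would swallow the NMS too.
!    "conform-action drop" is how a CoPP class blocks rather than limits.
policy-map COPP
 class COPP-SNMP-NMS
  police 128000 8000 conform-action transmit exceed-action drop
 class COPP-SNMP-OTHER
  police 8000 1500 conform-action drop exceed-action drop
!
! 4. Apply to the control plane. On the 6500 the hardware policer is
!    only programmed when QoS is enabled globally.
mls qos
control-plane
 service-policy input COPP
!
! 5. Phil's point about spoofed SNMP sources: on customer/edge ports
!    strict uRPF discards packets whose source is not routed back out
!    that interface, so a forged "NMS" source never reaches the NMS class.
interface GigabitEthernet1/1
 ip verify unicast source reachable-via rx
```

Verify with `show policy-map control-plane`: during a flood the COPP-SNMP-OTHER class should show its conform counter climbing while `show processes cpu sorted | include SNMP` stays flat. That is the observable difference from the community ACL alone, where `%SEC-6-IPACCESSLOGS` lines appear but the SNMP process has already done the work of receiving and parsing each packet. Traffic not matched by any class falls into `class-default`, which passes it unchanged unless you police that class as well.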
From virendra.rode at gmail.com Sun May 4 10:20:50 2008 From: virendra.rode at gmail.com (virendra rode) Date: Sun, 4 May 2008 07:20:50 -0700 Subject: [c-nsp] %BCM-4-ECC_MEMORY: Corrected ECC from memory - 7206vxr/npe-g1 In-Reply-To: References: <481A5C16.2090302@gmail.com> Message-ID: <889fd8b20805040720h484ca949n5da1c7eee3b80299@mail.gmail.com> On Sun, May 4, 2008 at 12:55 AM, Ziv Leyes wrote: > I've had the same problem a couple of months ago and asked here a question > about it, I'll save you the time searching the archives, nobody could give > me a certain answer about this, but they all pointed to the dram, so I > finally decided to replace the whole bank (they were a fresh purchased dimms > so I've got RMA on them) and that solved the problem. > So my suggestion is to first go and replace the whole bank, and put the > device back to work, then, if you want to know for sure which dimm is the > bad one, test it later on a lab environment, on another offline router, if > you have such possibility. > > > Ziv ------------------------------- I went ahead and replaced npe-g1 and memory to resolve this issue. regards, /virendra > > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto: > cisco-nsp-bounces at puck.nether.net] On Behalf Of virendra rode // > Sent: Friday, May 02, 2008 3:11 AM > To: 'cisco-nsp' > Subject: [c-nsp] %BCM-4-ECC_MEMORY: Corrected ECC from memory - > 7206vxr/npe-g1 > > Hi, > > I'm seeing sustained occurrence of this message "%BCM-4-ECC_MEMORY: > Corrected ECC from memory" on 7206vxr/npe-g1. > > Is there a test that I can run to figure out which memory (dimm) is gone > bad before I go about and swap entire memory bank.
> > tia, > > > regards, > /virendra > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > ************************************************************************************ > This footnote confirms that this email message has been scanned by > PineApp Mail-SeCure for the presence of malicious code, vandals & computer > viruses. > > ************************************************************************************ > > From dale.shaw+cisco-nsp at gmail.com Sun May 4 22:04:36 2008 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Mon, 5 May 2008 12:04:36 +1000 Subject: [c-nsp] OT: IT recruiters in Canada Message-ID: <3329cbb40805041904i61c62923t364861f4b6da8250@mail.gmail.com> Hi all, Can anyone recommend (for or against) a recruitment outfit in Canada? -- Vancouver, specifically. I'm moving from Australia at the end of the month and it would be great to get in touch with a reputable soul-seller (oxymoron? :-)) Any Canadians on list willing to share info, please get in touch!
cheers, Dale From skeeve at skeeve.org Mon May 5 03:31:57 2008 From: skeeve at skeeve.org (Skeeve Stevens) Date: Mon, 5 May 2008 17:31:57 +1000 Subject: [c-nsp] Cisco support for ASNv4 (4 byte ASN) Message-ID: <026101c8ae82$198e8050$4cab80f0$@org> Hey all, Can someone let me know if/when Cisco supports 4byte AS Numbers in BGP in the current IOS stream (not XR or XE). .Skeeve -- Skeeve Stevens, RHCE skeeve at skeeve.org / www.skeeve.org Cell +61 (0)414 753 383 / skype://skeeve eintellego - skeeve at eintellego.net - www.eintellego.net -- I'm a groove licked love child king of the verse Si vis pacem, para bellum From marco at by-night.ch Mon May 5 03:46:52 2008 From: marco at by-night.ch (Marco Huggenberger) Date: Mon, 5 May 2008 09:46:52 +0200 Subject: [c-nsp] Cisco support for ASNv4 (4 byte ASN) In-Reply-To: <026101c8ae82$198e8050$4cab80f0$@org> References: <026101c8ae82$198e8050$4cab80f0$@org> Message-ID: Hi Skeeve 2008/5/5 Skeeve Stevens : > Can someone let me know if/when Cisco supports 4byte AS Numbers in > BGP in the current IOS stream (not XR or XE). 12.5T late 2008; in the meantime use AS23456 ;) Cheers Marco PS: Good starting point for ASN32 compatibility is my micro-site at: http://www.swissix.ch/asn32/doku.php From mack at exchange.alphared.com Mon May 5 04:03:01 2008 From: mack at exchange.alphared.com (mack) Date: Mon, 5 May 2008 03:03:01 -0500 Subject: [c-nsp] Input queue drops due to backplane congestion Message-ID: <859D2283FD04CA44986CC058E06598F894A09F7972@exchange4.exchange.alphared.local> We have a 6509 with sup720 3bxl running SXF11. We have a number of 6704-10GE line cards and a number of 6748-GE-TX line cards all with PFC3BXLs. When one (only one) of the 6704 fabric channels peaks at about 80% utilization coming from the fabric we start to see packet loss on the GigE ports. Even if the traffic is confined to one GigE blade. We have run a large number of troubleshooting exercises including replacing Sup units and line cards.
The problem is definitely fabric congestion. Our current solution is simply to add another line card and move one of the lines on that fabric channel. This is somewhat different from the expected behavior which would be drops occurring on the fabric channel counters. Has anyone else run into this problem? Is this unique to SXF11? (we are planning an upgrade) Would a 7609 chassis perform better with the same line cards? Would changing the 'fabric buffer-reserve' to something other than the default queueing setting help? I have only seen one other case of something similar on the list back in January. Has anyone else run into this barrier? -- LR Mack McBride Network Administrator Alpha Red, Inc. From mtinka at globaltransit.net Mon May 5 04:09:37 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Mon, 5 May 2008 16:09:37 +0800 Subject: [c-nsp] Cisco support for ASNv4 (4 byte ASN) In-Reply-To: <026101c8ae82$198e8050$4cab80f0$@org> References: <026101c8ae82$198e8050$4cab80f0$@org> Message-ID: <200805051609.42115.mtinka@globaltransit.net> On Monday 05 May 2008, Skeeve Stevens wrote: > Hey all, > > Can someone let me know if/when Cisco supports 4byte AS > Numbers in BGP in the current IOS stream (not XR or XE). According to http://www.swissix.ch/asn32/doku.php, it's meant to be mid this year for 12.5T - you might want to check with your SE. For SR*, there will be future support, but it's under NDA, so you want to check with your SE on this. Cheers, Mark.
From wyatt.eliasson at gmail.com Mon May 5 08:48:52 2008 From: wyatt.eliasson at gmail.com (Wyatt Mattias Ishmael Jovial Gyllenvarg) Date: Mon, 5 May 2008 14:48:52 +0200 Subject: [c-nsp] Policing with DFCs Message-ID: <994752fe0805050548s23f37c1bue5ee3019c8960226@mail.gmail.com> Hi We are trying to police in a 7600 on the output on a Te interface. After some fiddling I must ask, is there a workaround for the cir * DFCs problem. There is no need for high precision, just a rough working solution. Best regards Mattias Gyllenvarg Skycom AB From lee.e.rian at census.gov Mon May 5 09:43:14 2008 From: lee.e.rian at census.gov (lee.e.rian at census.gov) Date: Mon, 5 May 2008 09:43:14 -0400 Subject: [c-nsp] Input queue drops due to backplane congestion In-Reply-To: <859D2283FD04CA44986CC058E06598F894A09F7972@exchange4.exchange.alphared.local> References: <859D2283FD04CA44986CC058E06598F894A09F7972@exchange4.exchange.alphared.local> Message-ID: -----mack wrote: ----- >Date: 05/05/2008 04:03AM >Subject: [c-nsp] Input queue drops due to backplane congestion > >We have a 6509 with sup720 3bxl running SXF11. >We have a number of 6704-10GE line cards and >a number of 6748-GE-TX line cards all with PFC3BXLs. > >When one (only one) of the 6704 fabric channels peaks at about >80% utilization coming from the fabric we start to >see packet loss on the GigE ports. Even if the traffic >is confined to one GigE blade. > >We have run a large number of troubleshooting exercises >including replacing Sup units and line cards. The problem >is definitely fabric congestion. Our current solution is >simply to add another line card and move one of the lines >on that fabric channel. > >This is somewhat different from the expected behavior >which would be drops occurring on the fabric channel counters. > >Has anyone else run into this problem? Maybe.
Another person in the office has a TAC case open for input queue drops on a 6500/sup720 and the TAC engineer came back with this: "With the WS-X6704-10GE blades, ports 1 & 2 belong to one fabric channel and 3 & 4 to another. When traffic is switched between two ports leading to the same asic, you are limited to about 8 Gig per port. If you are pushing this limit, it is possible the flow-control mechanism could induce packet drops. This is a hardware limitation." Regards, Lee From donato.dungui at gmail.com Mon May 5 12:11:49 2008 From: donato.dungui at gmail.com (Donato Dunguihual Morales) Date: Mon, 05 May 2008 12:11:49 -0400 Subject: [c-nsp] cisco slb ace and snmp OID Message-ID: <481F31C5.7070107@gmail.com> Hi, I need to graph with mrtg or rrdtool, real servers and server farm info for cisco application control engine module. Anyone have information about the most popular oid that can be measured and polled through snmp?. I've been looking in the web for specifc oid without results. For example for cisco CSS the oid for current connections per service is like that 1.3.6.1.4.1.2467.1.15.2.1.20.5.104.116.116.112.52. Thanks Donato From malitsky at netabn.com Mon May 5 13:28:49 2008 From: malitsky at netabn.com (Michael Malitsky) Date: Mon, 5 May 2008 12:28:49 -0500 Subject: [c-nsp] 2801 - can it handle this? In-Reply-To: References: Message-ID: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> > Date: Sun, 4 May 2008 00:36:01 -0500 > From: "Dan Letkeman" > Subject: [c-nsp] 2801 - can it handle this? > To: cisco-nsp at puck.nether.net > Message-ID: > > Content-Type: text/plain; charset=ISO-8859-1 > > Hello, > > I have a 2801 router with the firewall IOS. I have a 10mbit > connection to the internet. There will be anywhere from 100-300 users > using this router for browsing the internet at one time. > > I will be running ips and some security acl's. No voip, maybe one or > two video connections. 
> > Will this router be able to handle this amount of connections? > > Thanks, > Dan. > The specs from Cisco say no problem, but I've run into a number of issues trying to use ISRs (2800 and 1800 series) for multiple purposes simultaneously (router, firewall, etc). The closest case I had to your scenario was trying to use 2 2811s as a failover/redundant firewall with NAT and IPS. We hardly had traffic reaching 10Mb, but the setup kept crashing - the reason was never fully tracked down, TAC was taking too long. Replaced with a pair of ASAs, not a single hiccup since. Similar experiences elsewhere - I don't see these platforms as viable for firewall/IPS purposes unless the traffic levels are very low. I don't know if this is due to bugs or performance limitations. For similar money, the PIX or ASA appliances are far more stable and can handle much higher loads. Michael From r.engehausen at gmail.com Mon May 5 14:05:31 2008 From: r.engehausen at gmail.com (Roy) Date: Mon, 05 May 2008 11:05:31 -0700 Subject: [c-nsp] 2801 - can it handle this? In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> Message-ID: <481F4C6B.2070501@gmail.com> Michael Malitsky wrote: >> Date: Sun, 4 May 2008 00:36:01 -0500 >> From: "Dan Letkeman" >> Subject: [c-nsp] 2801 - can it handle this? >> To: cisco-nsp at puck.nether.net >> Message-ID: >> >> Content-Type: text/plain; charset=ISO-8859-1 >> >> Hello, >> >> I have a 2801 router with the firewall IOS. I have a 10mbit >> connection to the internet. There will be anywhere from 100-300 users >> using this router for browsing the internet at one time. >> >> I will be running ips and some security acl's. No voip, maybe one or >> two video connections. >> >> Will this router be able to handle this amount of connections? >> >> Thanks, >> Dan. 
> > > The specs from Cisco say no problem, but I've run into a number of > issues trying to use ISRs (2800 and 1800 series) for multiple purposes > simultaneously (router, firewall, etc). The closest case I had to your > scenario was trying to use 2 2811s as a failover/redundant firewall with > NAT and IPS. We hardly had traffic reaching 10Mb, but the setup kept > crashing - the reason was never fully tracked down, TAC was taking too > long. Replaced with a pair of ASAs, not a single hiccup since. > Similar experiences elsewhere - I don't see these platforms as viable > for firewall/IPS purposes unless the traffic levels are very low. I > don't know if this is due to bugs or performance limitations. > For similar money, the PIX or ASA appliances are far more stable and can > handle much higher loads. > > Michael > > I too would be a little cautious on selecting the 2801. The Cisco router performance guide shows the 2801 rated at 90 kpps and 46 Mbps but only in the CEF mode. Process switch shows only 2 kpps and 1.5 Mbps. The connection starts and stops will be process switched so an active user population could stress the 2801. Roy From diogo.montagner at gmail.com Mon May 5 15:18:46 2008 From: diogo.montagner at gmail.com (Diogo Montagner) Date: Mon, 5 May 2008 16:18:46 -0300 Subject: [c-nsp] Getting BGP peer route information using SNMP Message-ID: <84eb7a820805051218t4a53bab5qdfe15d2e89d3f57d@mail.gmail.com> Hi All, I was asking me if is there a way to get routes information from a BGP peer using SNMP ? In other words, I would like to get the output of command: show ip bgp neighbor x.y.z.w advertised-routes using a snmpwalk. I checked the BGP MIBv1 and MIBv2 of Cisco but I couldn't find the information about routes that are being advertised by the BGP peer. The only information that I can get is the information about the peer state, local and remote port or remote AS and others. The IOS version is 12.0.32S8 and the router is a Cisco 12k. 
My first choice to do this was a perl script to execute this command and save the output into a file. But if is possible, I prefer to do this using SNMP. If there is no way to do this using SNMP, I will use the perl script. Thanks in advance, ./diogo -montagner From paul at paulstewart.org Mon May 5 16:06:50 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 5 May 2008 16:06:50 -0400 Subject: [c-nsp] MPLS - 6500's Message-ID: <002101c8aeeb$8f5e5210$ae1af630$@org> This is a topic that has come up on the mailing list several times including from myself..;) Hopefully a simple question (been reading the archives for a couple of hours now). With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT do with MPLS on these chassis? Is it "just" VPLS that requires an OSM card or a FlexWAN card for example? We are working on a project where MPLS may come into play .. VPLS would be a nice option to throw in but not 100% necessary. Today, these are 6500's with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS oriented.... Thanks, Paul From streiner at cluebyfour.org Mon May 5 16:39:59 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 5 May 2008 16:39:59 -0400 (EDT) Subject: [c-nsp] MPLS - 6500's In-Reply-To: <002101c8aeeb$8f5e5210$ae1af630$@org> References: <002101c8aeeb$8f5e5210$ae1af630$@org> Message-ID: On Mon, 5 May 2008, Paul Stewart wrote: > With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT > do with MPLS on these chassis? Is it "just" VPLS that requires an OSM card > or a FlexWAN card for example? > > We are working on a project where MPLS may come into play .. VPLS would be a > nice option to throw in but not 100% necessary. Today, these are 6500's > with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS > oriented.... 
I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't surprise me if they're pretty major since those engines are much more software driven and have substantially lower forwarding capabilities than the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running it in a 'true' service provider environment. We run MPLS using LDP to distribute labels to some non-Cisco gear and terminate Martini tunnels and that seems to work pretty cleanly, although the hair-pinning needed to land a Martini tunnel is somewhat strange... jms From paul at paulstewart.org Mon May 5 16:52:49 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 5 May 2008 16:52:49 -0400 Subject: [c-nsp] MPLS - 6500's In-Reply-To: References: <002101c8aeeb$8f5e5210$ae1af630$@org> Message-ID: <002601c8aef1$fc2406f0$f46c14d0$@org> Thanks... So if someone wanted to build a low traffic volume, "bare bones" MPLS network could they not use: Cisco 7206VXR-NPE-G1 for P router Cisco 3825 or 2821 for PE router This would give you every MPLS feature but VPLS specifically or am I way off? Why I bring this up is that in this particular case there is still the Sup2/MSFC2 6500's in the middle but they could remain in the middle just as layer2 devices connecting the above devices together at layer3 as MPLS devices right? This particular project *could* use some of the TE and QOS features in MPLS but total traffic might be 10Mb/s on a peak hence why upgrading the 6500's would not make sense but adding some gear "around" them might work just fine...?? Thanks, Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner Sent: Monday, May 05, 2008 4:40 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] MPLS - 6500's On Mon, 5 May 2008, Paul Stewart wrote: > With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT > do with MPLS on these chassis? 
Is it "just" VPLS that requires an OSM card > or a FlexWAN card for example? > > We are working on a project where MPLS may come into play .. VPLS would be a > nice option to throw in but not 100% necessary. Today, these are 6500's > with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS > oriented.... I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't surprise me if they're pretty major since those engines are much more software driven and have substantially lower forwarding capabilities than the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running it in a 'true' service provider environment. We run MPLS using LDP to distribute labels to some non-Cisco gear and terminate Martini tunnels and that seems to work pretty cleanly, although the hair-pinning needed to land a Martini tunnel is somewhat strange... jms _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From philxor at gmail.com Mon May 5 16:54:34 2008 From: philxor at gmail.com (Phil Bedard) Date: Mon, 5 May 2008 16:54:34 -0400 Subject: [c-nsp] MPLS - 6500's In-Reply-To: <002101c8aeeb$8f5e5210$ae1af630$@org> References: <002101c8aeeb$8f5e5210$ae1af630$@org> Message-ID: <14B29640-A260-4204-86C1-2C25F380088F@gmail.com> What exactly are you trying to do with MPLS? PFC3 will support most things without additional modules (OSM,SIP) with the most notable exception being local switching. You can get around that by looping in and out of the box if you need to. No VPLS as well, but I'm not too keen on running VPLS anyways. :) There are some restrictions with regards to when MPLS packets are recirculated that you may want to look into. 
Phil On May 5, 2008, at 4:06 PM, Paul Stewart wrote: > This is a topic that has come up on the mailing list several times > including > from myself..;) > > Hopefully a simple question (been reading the archives for a couple > of hours > now). > > With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can > you NOT > do with MPLS on these chassis? Is it "just" VPLS that requires an > OSM card > or a FlexWAN card for example? > > We are working on a project where MPLS may come into play .. VPLS > would be a > nice option to throw in but not 100% necessary. Today, these are > 6500's > with Sup2/MSFC2 which I'm told are pretty much useless for anything > MPLS > oriented.... > > Thanks, > > Paul > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From philxor at gmail.com Mon May 5 16:55:44 2008 From: philxor at gmail.com (Phil Bedard) Date: Mon, 5 May 2008 16:55:44 -0400 Subject: [c-nsp] MPLS - 6500's In-Reply-To: References: <002101c8aeeb$8f5e5210$ae1af630$@org> Message-ID: <58C8EF27-D59E-49B0-B5D5-D8A57C474DCB@gmail.com> There are no restrictions for MPLS on the SUP2/MSFC2 since it's completely unsupported. :) You need an OSM to do MPLS on those platforms. Phil On May 5, 2008, at 4:39 PM, Justin M. Streiner wrote: > On Mon, 5 May 2008, Paul Stewart wrote: > >> With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what >> can you NOT >> do with MPLS on these chassis? Is it "just" VPLS that requires an >> OSM card >> or a FlexWAN card for example? >> >> We are working on a project where MPLS may come into play .. VPLS >> would be a >> nice option to throw in but not 100% necessary. Today, these are >> 6500's >> with Sup2/MSFC2 which I'm told are pretty much useless for anything >> MPLS >> oriented.... 
> > I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't > surprise me if they're pretty major since those engines are much more > software driven and have substantially lower forwarding capabilities > than > the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running > it in > a 'true' service provider environment. We run MPLS using LDP to > distribute labels to some non-Cisco gear and terminate Martini > tunnels and > that seems to work pretty cleanly, although the hair-pinning needed to > land a Martini tunnel is somewhat strange... > > jms > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From jcdarby at usgs.gov Mon May 5 17:31:53 2008 From: jcdarby at usgs.gov (Justin C. Darby) Date: Mon, 05 May 2008 16:31:53 -0500 Subject: [c-nsp] Nexus 7000 Message-ID: <481F7CC9.8060903@usgs.gov> Anyone on this list using the N7K platform in production anywhere? We've got a pretty good size 10GbE SAN solution in place and we're looking to consolidate our overall switching environment. I'm just checking up to see if anyone has gotten a hold of one, and if they've had any problems so far, though I realize it might not be considered generally available yet. Thanks, Justin C. Darby Note: The contents of this message are mine and do not reflect the views of the United States Federal Government. From streiner at cluebyfour.org Mon May 5 17:45:39 2008 From: streiner at cluebyfour.org (Justin M. 
Streiner) Date: Mon, 5 May 2008 17:45:39 -0400 (EDT) Subject: [c-nsp] MPLS - 6500's In-Reply-To: <002601c8aef1$fc2406f0$f46c14d0$@org> References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> Message-ID: On Mon, 5 May 2008, Paul Stewart wrote: > So if someone wanted to build a low traffic volume, "bare bones" MPLS > network could they not use: > > Cisco 7206VXR-NPE-G1 for P router > Cisco 3825 or 2821 for PE router I do have a tunnel landing on a 3845, but at the time I had very few options for code to run on it. I needed something that supported both MPLS (and related features) and IOS firewall. It would stand to reason that it should be doable on the 3825, but I don't have one handy to test... Never tried running MPLS on a 7206VXR. jms From freimer at ctiusa.com Mon May 5 17:56:23 2008 From: freimer at ctiusa.com (Fred Reimer) Date: Mon, 5 May 2008 17:56:23 -0400 Subject: [c-nsp] 2801 - can it handle this? In-Reply-To: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> References: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> Message-ID: <98B7739FB65BF04F9B3233AB842EEC950269D2E5@EXCHANGE.ctiusa.com> What version of code was the router running. There was a major rewrite of the IPS code in 12.3(11)T. If you were running anything prior to that performance was lacking. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Michael Malitsky > Sent: Monday, May 05, 2008 1:29 PM > To: danletkeman at gmail.com > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] 2801 - can it handle this? > > > Date: Sun, 4 May 2008 00:36:01 -0500 > > From: "Dan Letkeman" > > Subject: [c-nsp] 2801 - can it handle this? 
> > To: cisco-nsp at puck.nether.net > > Message-ID: > > > > Content-Type: text/plain; charset=ISO-8859-1 > > > > Hello, > > > > I have a 2801 router with the firewall IOS. I have a 10mbit > > connection to the internet. There will be anywhere from 100-300 > users > > using this router for browsing the internet at one time. > > > > I will be running ips and some security acl's. No voip, maybe one or > > two video connections. > > > > Will this router be able to handle this amount of connections? > > > > Thanks, > > Dan. > > > > > The specs from Cisco say no problem, but I've run into a number of > issues trying to use ISRs (2800 and 1800 series) for multiple purposes > simultaneously (router, firewall, etc). The closest case I had to your > scenario was trying to use 2 2811s as a failover/redundant firewall > with > NAT and IPS. We hardly had traffic reaching 10Mb, but the setup kept > crashing - the reason was never fully tracked down, TAC was taking too > long. Replaced with a pair of ASAs, not a single hiccup since. > Similar experiences elsewhere - I don't see these platforms as viable > for firewall/IPS purposes unless the traffic levels are very low. I > don't know if this is due to bugs or performance limitations. > For similar money, the PIX or ASA appliances are far more stable and > can > handle much higher loads. > > Michael > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
From philxor at gmail.com Mon May 5 19:15:51 2008 From: philxor at gmail.com (Phil Bedard) Date: Mon, 5 May 2008 19:15:51 -0400 Subject: [c-nsp] MPLS - 6500's In-Reply-To: <002601c8aef1$fc2406f0$f46c14d0$@org> References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> Message-ID: You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases. Phil On May 5, 2008, at 4:52 PM, Paul Stewart wrote: > Thanks... > > So if someone wanted to build a low traffic volume, "bare bones" MPLS > network could they not use: > > Cisco 7206VXR-NPE-G1 for P router > Cisco 3825 or 2821 for PE router > > This would give you every MPLS feature but VPLS specifically or am I > way > off? Why I bring this up is that in this particular case there is > still the > Sup2/MSFC2 6500's in the middle but they could remain in the middle > just as > layer2 devices connecting the above devices together at layer3 as MPLS > devices right? > > This particular project *could* use some of the TE and QOS features > in MPLS > but total traffic might be 10Mb/s on a peak hence why upgrading the > 6500's > would not make sense but adding some gear "around" them might work > just > fine...?? > > Thanks, > > Paul > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. > Streiner > Sent: Monday, May 05, 2008 4:40 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] MPLS - 6500's > > On Mon, 5 May 2008, Paul Stewart wrote: > >> With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what >> can you > NOT >> do with MPLS on these chassis? Is it "just" VPLS that requires an >> OSM > card >> or a FlexWAN card for example?
>> >> We are working on a project where MPLS may come into play .. VPLS >> would be > a >> nice option to throw in but not 100% necessary. Today, these are >> 6500's >> with Sup2/MSFC2 which I'm told are pretty much useless for anything >> MPLS >> oriented.... > > I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't > surprise me if they're pretty major since those engines are much more > software driven and have substantially lower forwarding capabilities > than > the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running > it in > a 'true' service provider environment. We run MPLS using LDP to > distribute labels to some non-Cisco gear and terminate Martini > tunnels and > that seems to work pretty cleanly, although the hair-pinning needed to > land a Martini tunnel is somewhat strange... > > jms > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From aaron.glenn at gmail.com Mon May 5 21:05:48 2008 From: aaron.glenn at gmail.com (Aaron Glenn) Date: Mon, 5 May 2008 18:05:48 -0700 Subject: [c-nsp] Getting BGP peer route information using SNMP In-Reply-To: <84eb7a820805051218t4a53bab5qdfe15d2e89d3f57d@mail.gmail.com> References: <84eb7a820805051218t4a53bab5qdfe15d2e89d3f57d@mail.gmail.com> Message-ID: <18f601940805051805t1204350al10c79836aed0e3e@mail.gmail.com> On Mon, May 5, 2008 at 12:18 PM, Diogo Montagner wrote: > Hi All, > > I was asking me if is there a way to get routes information from a BGP > peer using SNMP ? It's been a while but I believe 1.3.6.1.4.1.9.9.187.1.2.1.1.4 will do the trick for you. 
*should* be supported on your IOS version but very well may not be.

aaron.glenn

From paul at paulstewart.org Mon May 5 21:52:40 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 5 May 2008 21:52:40 -0400
Subject: [c-nsp] MPLS - 6500's
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org>
Message-ID: <000001c8af1b$e09220f0$a1b662d0$@org>

Thanks, yeah looking at that too..... ;)

Does anyone know the lowest hardware support for l2tpv3 as what I've found on Cisco's website references pretty large gear so far...

Paul

-----Original Message-----
From: Phil Bedard [mailto:philxor at gmail.com]
Sent: Monday, May 05, 2008 7:16 PM
To: Paul Stewart
Cc: 'Justin M. Streiner'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS - 6500's

You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases.

Phil

From mtinka at globaltransit.net Mon May 5 22:05:33 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 6 May 2008 10:05:33 +0800
Subject: [c-nsp] Cisco support for ASNv4 (4 byte ASN)
References: <026101c8ae82$198e8050$4cab80f0$@org>
Message-ID: <200805061005.36923.mtinka@globaltransit.net>

On Monday 05 May 2008, Marco Huggenberger wrote:
> 12.5T late 2008 in the meantime use AS23456 ;)

From the other side of the pond, J recently released 9.1, which now introduces support for 4-byte ASN's to their mainstream platforms.

Cheers,

Mark.
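The AS23456 interim Marco refers to above is AS_TRANS from RFC 4893: the 2-byte placeholder a 4-byte-ASN speaker substitutes into AS_PATH when talking to a peer that only understands 2-byte ASNs, with the true path carried in AS4_PATH. The following is an added Python example, not code from the thread or from any vendor, showing asplain/asdot conversion and the substitution and reconstruction on both sides of such a session; the AS numbers are constructed from the documentation ranges, and AS_SET segments are not modelled.

```python
"""AS_TRANS (AS23456) handling for 4-byte ASNs, following RFC 4893.

Added example, not from the mailing-list thread.  AS numbers used below
are constructed from the documentation ranges (64496-64511, 65536-65551).
"""

AS_TRANS = 23456          # 2-byte placeholder for a non-mappable 4-byte ASN
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF


def asplain_to_asdot(asn: int) -> str:
    """Render an ASN in asdot notation: plain below 65536, 'high.low' above."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {asn}")
    if asn <= MAX_2BYTE:
        return str(asn)
    return f"{asn >> 16}.{asn & MAX_2BYTE}"


def asdot_to_asplain(text: str) -> int:
    """Parse asplain ('196612') or asdot ('3.4') into a plain integer."""
    if "." in text:
        high, low = text.split(".", 1)
        hi, lo = int(high), int(low)
        if not (0 <= hi <= MAX_2BYTE and 0 <= lo <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return (hi << 16) | lo
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {text}")
    return asn


def is_mappable(asn: int) -> bool:
    """True when the ASN fits in the 2-byte AS_PATH an OLD speaker reads."""
    return 0 <= asn <= MAX_2BYTE


def paths_for_old_speaker(as_path):
    """What a NEW (4-byte capable) speaker sends to an OLD (2-byte only) peer.

    Every non-mappable ASN in AS_PATH is replaced with AS_TRANS.  AS4_PATH
    carries the true sequence only when at least one substitution happened
    (single AS_SEQUENCE segment assumed; AS_SET handling is omitted).
    Returns (as_path_2byte, as4_path_or_None)."""
    two_byte = [asn if is_mappable(asn) else AS_TRANS for asn in as_path]
    as4_path = list(as_path) if two_byte != list(as_path) else None
    return two_byte, as4_path


def old_speaker_prepend(as_path, own_asn):
    """An OLD speaker prepending itself; it can only carry a 2-byte ASN.

    It passes AS4_PATH through untouched as an optional transitive attribute."""
    if not is_mappable(own_asn):
        raise ValueError("an OLD speaker cannot have a 4-byte ASN")
    return [own_asn] + list(as_path)


def reconstruct_path(as_path, as4_path):
    """What a NEW speaker does with a route received via OLD speakers.

    OLD speakers prepend to AS_PATH but not to AS4_PATH, so AS_PATH may be
    longer.  RFC 4893 keeps the leading len(AS_PATH) - len(AS4_PATH) entries
    of AS_PATH (the OLD speakers' own ASNs) and replaces the remainder with
    AS4_PATH.  An AS4_PATH longer than AS_PATH is malformed and is ignored."""
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)


if __name__ == "__main__":
    # Constructed path: a site in AS65536 (asdot 1.0) seen through two 2-byte ASes.
    original = [64496, 65536, 64497]
    sent, as4 = paths_for_old_speaker(original)
    print("sent to OLD speaker :", sent, "AS4_PATH:", as4)
    relayed = old_speaker_prepend(sent, 64500)
    print("after OLD speaker   :", relayed)
    print("NEW speaker rebuilds:", reconstruct_path(relayed, as4))
    print("asdot of 65536      :", asplain_to_asdot(65536))
```

Note that an OLD speaker sees only AS_TRANS in the path, so AS-path based policy or loop detection on that router cannot distinguish one 4-byte neighbour from another.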
From paul at paulstewart.org Mon May 5 22:11:05 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 5 May 2008 22:11:05 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org>
Message-ID: <000201c8af1e$73231da0$596958e0$@org>

Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's...

So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?

Here's a scenario on where the MPLS thoughts came from:

Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.

Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.

The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also. I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize. Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times.

In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers. To do this properly I keep coming back to an MPLS solution that we don't have today... our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...

Open to ideas... thanks folks..

Paul

-----Original Message-----
From: Phil Bedard [mailto:philxor at gmail.com]
Sent: Monday, May 05, 2008 7:16 PM
To: Paul Stewart
Cc: 'Justin M. Streiner'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] MPLS - 6500's

You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases.

Phil

On May 5, 2008, at 4:52 PM, Paul Stewart wrote:

> Thanks...
>
> So if someone wanted to build a low traffic volume, "bare bones" MPLS network could they not use:
>
> Cisco 7206VXR-NPE-G1 for P router
> Cisco 3825 or 2821 for PE router
>
> This would give you every MPLS feature but VPLS specifically or am I way off? Why I bring this up is that in this particular case there is still the Sup2/MSFC2 6500's in the middle but they could remain in the middle just as layer2 devices connecting the above devices together at layer3 as MPLS devices right?
>
> This particular project *could* use some of the TE and QOS features in MPLS but total traffic might be 10Mb/s on a peak hence why upgrading the 6500's would not make sense but adding some gear "around" them might work just fine...??
>
> Thanks,
>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Monday, May 05, 2008 4:40 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS - 6500's
>
> On Mon, 5 May 2008, Paul Stewart wrote:
>
>> With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT do with MPLS on these chassis? Is it "just" VPLS that requires an OSM card or a FlexWAN card for example?
>>
>> We are working on a project where MPLS may come into play .. VPLS would be a nice option to throw in but not 100% necessary. Today, these are 6500's with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS oriented....
>
> I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't surprise me if they're pretty major since those engines are much more software driven and have substantially lower forwarding capabilities than the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running it in a 'true' service provider environment. We run MPLS using LDP to distribute labels to some non-Cisco gear and terminate Martini tunnels and that seems to work pretty cleanly, although the hair-pinning needed to land a Martini tunnel is somewhat strange...
>
> jms

From malitsky at netabn.com Mon May 5 22:46:34 2008
From: malitsky at netabn.com (Michael Malitsky)
Date: Mon, 5 May 2008 21:46:34 -0500
Subject: [c-nsp] 2801 - can it handle this?
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950269D2E5@EXCHANGE.ctiusa.com>
References: <79AF0C3901752A49881FE4CB31F7AA40C333AA@abn-borg2.NETABN.LOCAL> <98B7739FB65BF04F9B3233AB842EEC950269D2E5@EXCHANGE.ctiusa.com>
Message-ID: <79AF0C3901752A49881FE4CB31F7AA40C333C0@abn-borg2.NETABN.LOCAL>

The specific example I referenced was 12.4. I no longer have the records available to show the exact train/revision. Most recently I had problems on an 1800 with 12.4.18a (also tried 12.4.3 and 12.4.19; 12.4.18a was TAC's recommendation).
Michael

> -----Original Message-----
> From: Fred Reimer [mailto:freimer at ctiusa.com]
> Sent: Monday, May 05, 2008 4:56 PM
> To: Michael Malitsky; danletkeman at gmail.com
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] 2801 - can it handle this?
>
> What version of code was the router running? There was a major rewrite of the IPS code in 12.3(11)T. If you were running anything prior to that performance was lacking.
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Michael Malitsky
> > Sent: Monday, May 05, 2008 1:29 PM
> > To: danletkeman at gmail.com
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] 2801 - can it handle this?
> >
> > > Date: Sun, 4 May 2008 00:36:01 -0500
> > > From: "Dan Letkeman"
> > > Subject: [c-nsp] 2801 - can it handle this?
> > > To: cisco-nsp at puck.nether.net
> > > Content-Type: text/plain; charset=ISO-8859-1
> > >
> > > Hello,
> > >
> > > I have a 2801 router with the firewall IOS. I have a 10mbit connection to the internet. There will be anywhere from 100-300 users using this router for browsing the internet at one time.
> > >
> > > I will be running ips and some security acl's. No voip, maybe one or two video connections.
> > >
> > > Will this router be able to handle this amount of connections?
> > >
> > > Thanks,
> > > Dan.
> >
> > The specs from Cisco say no problem, but I've run into a number of issues trying to use ISRs (2800 and 1800 series) for multiple purposes simultaneously (router, firewall, etc). The closest case I had to your scenario was trying to use 2 2811s as a failover/redundant firewall with NAT and IPS.
> > We hardly had traffic reaching 10Mb, but the setup kept crashing - the reason was never fully tracked down, TAC was taking too long. Replaced with a pair of ASAs, not a single hiccup since. Similar experiences elsewhere - I don't see these platforms as viable for firewall/IPS purposes unless the traffic levels are very low. I don't know if this is due to bugs or performance limitations. For similar money, the PIX or ASA appliances are far more stable and can handle much higher loads.
> >
> > Michael

From freimer at ctiusa.com Tue May 6 00:32:18 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Tue, 6 May 2008 00:32:18 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
In-Reply-To: <000201c8af1e$73231da0$596958e0$@org>
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> <000201c8af1e$73231da0$596958e0$@org>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950269D371@EXCHANGE.ctiusa.com>

The VoIP packets should be marked normally at the ingress port to the network. This is most likely the port on the switch that the phone is plugged into, or on the switch the router is plugged into. You may find it difficult to classify and mark traffic on the (sub)interfaces on which you configure the xconnects for L2TPv3 because the router treats them as layer-2 interfaces (i.e., you can't assign an IP address to them, etc). With the VoIP properly marked before they get to the router, as they should be, you can use the tos reflect feature to copy the TOS bytes of the packets coming into the router (even though they are treated as "layer-2" packets) to the L2TPv3 header that is sent out the router. The resulting L2TPv3 encapsulated traffic can be queued just like any other traffic.
One note, you say you need to create VPN's. The P in VPN is Private; L2TPv3 provides no encryption of the packets. If you need a private network you should use IPsec. You can use qos preclassify in order to classify the packets before they are encapsulated; providing a similar feature as tos reflect does with L2TPv3.

It sounds to me like you just want to setup IPsec VPN's. You can put the voice and data into the same tunnel, and with qos preclassify have the marking on the IPsec header reflect the QoS you want the packet treated with. I don't see the need for MPLS here. At 5Mbps max rate there are a ton of options as far as what hardware to select.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Monday, May 05, 2008 10:11 PM
> To: 'Phil Bedard'
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
>
> Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's...
>
> So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?
>
> Here's a scenario on where the MPLS thoughts came from:
>
> Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also. I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize.
> Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times.
>
> In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers. To do this properly I keep coming back to an MPLS solution that we don't have today... our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...
>
> Open to ideas... thanks folks..
>
> Paul
>
>
> -----Original Message-----
> From: Phil Bedard [mailto:philxor at gmail.com]
> Sent: Monday, May 05, 2008 7:16 PM
> To: Paul Stewart
> Cc: 'Justin M. Streiner'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS - 6500's
>
> You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases.
>
> Phil
>
>
> On May 5, 2008, at 4:52 PM, Paul Stewart wrote:
>
> > Thanks...
> >
> > So if someone wanted to build a low traffic volume, "bare bones" MPLS network could they not use:
> >
> > Cisco 7206VXR-NPE-G1 for P router
> > Cisco 3825 or 2821 for PE router
> >
> > This would give you every MPLS feature but VPLS specifically or am I way off? Why I bring this up is that in this particular case there is still the Sup2/MSFC2 6500's in the middle but they could remain in the middle just as layer2 devices connecting the above devices together at layer3 as MPLS devices right?
> >
> > This particular project *could* use some of the TE and QOS features in MPLS but total traffic might be 10Mb/s on a peak hence why upgrading the 6500's would not make sense but adding some gear "around" them might work just fine...??
> >
> > Thanks,
> >
> > Paul
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M.
> > Streiner
> > Sent: Monday, May 05, 2008 4:40 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] MPLS - 6500's
> >
> > On Mon, 5 May 2008, Paul Stewart wrote:
> >
> >> With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT do with MPLS on these chassis? Is it "just" VPLS that requires an OSM card or a FlexWAN card for example?
> >>
> >> We are working on a project where MPLS may come into play .. VPLS would be a nice option to throw in but not 100% necessary. Today, these are 6500's with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS oriented....
> >
> > I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't surprise me if they're pretty major since those engines are much more software driven and have substantially lower forwarding capabilities than the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running it in a 'true' service provider environment. We run MPLS using LDP to distribute labels to some non-Cisco gear and terminate Martini tunnels and that seems to work pretty cleanly, although the hair-pinning needed to land a Martini tunnel is somewhat strange...
> >
> > jms
From tseveendorj at gmail.com Tue May 6 02:56:29 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Tue, 6 May 2008 15:56:29 +0900
Subject: [c-nsp] SYS-3-MGDTIMER
Message-ID: <62c908120805052356k19eae08ft3c9e30ef04f17018@mail.gmail.com>

Hi,

I found this error message in the log file of an AS5350.

May 6 03:56:25.476: %SYS-3-MGDTIMER: Uninitialized timer, timer stop, timer = 6879AB1C. -Process= "ISDN", ipl= 0, pid= 66, -Traceback= 0x60494E20 0x605D0098 0x600AF2F4 0x600A1FD8 0x600FB3A8

What is it? bug or error?

Regards,
Tseveen.

From tojo.raonisoa at gmail.com Tue May 6 03:52:32 2008
From: tojo.raonisoa at gmail.com (Tojonirina RAONISOAFIANINANA)
Date: Tue, 6 May 2008 10:52:32 +0300
Subject: [c-nsp] My Cisco 3825 doesn't support HWIC 2CE1T1-PRI ?
Message-ID: <5427eee90805060052q1aa00aebg16da20fa489227b2@mail.gmail.com>

Hi all !

I want to configure a HWIC 2CE1T1-PRI with a Cisco 3825 (IOS "c3825-adventerprisek9-mz.124-12.bin"), but when I try to configure it, I always get an error message.

Here is the config and the error message:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#network-clock-participate wic 0
WIC slot is empty or does not support clock participate
Router(config)#
Router(config)#

Please, could someone give me a solution for this problem ?
Best Regards

Tojo

From dean at eatworms.org.uk Tue May 6 04:00:28 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Tue, 6 May 2008 09:00:28 +0100
Subject: [c-nsp] My Cisco 3825 doesn't support HWIC 2CE1T1-PRI ?
References: <5427eee90805060052q1aa00aebg16da20fa489227b2@mail.gmail.com>
Message-ID: <001d01c8af4f$42d4ab10$0b03010a@DEANPC>

CCO clearly shows the minimum IOS required.

http://www.cisco.com/en/US/prod/collateral/modules/ps2797/product_data_sheet0900aecd80710c88.html

Table 2. Minimum Cisco IOS Software Requirements

Minimum Cisco IOS Software Feature Set | Minimum Cisco IOS Software Release
---------------------------------------|--------------------------------------
IP BASE                                | 12.4(11)XW4; 12.5T first release (TBD)

----- Original Message -----
From: "Tojonirina RAONISOAFIANINANA"
Sent: Tuesday, May 06, 2008 8:52 AM
Subject: [c-nsp] My Cisco 3825 doesn't support HWIC 2CE1T1-PRI ?

> Hi all !
>
> I want to configure a HWIC 2CE1T1-PRI with a Cisco 3825 (IOS "c3825-adventerprisek9-mz.124-12.bin"), but when I try to configure it, I always get an error message.
>
> Here is the config and the error message:
>
> Router#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> Router(config)#network-clock-participate wic 0
> WIC slot is empty or does not support clock participate
> Router(config)#
> Router(config)#
>
> Please, could someone give me a solution for this problem ?
>
> Best Regards
>
> Tojo

From techconfig at yahoo.com Tue May 6 05:08:22 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Tue, 6 May 2008 02:08:22 -0700 (PDT)
Subject: [c-nsp] Internet vrf, pros and cons
Message-ID: <664106.17320.qm@web44815.mail.sp1.yahoo.com>

Hi

We are going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers.
I understand that there are two options with running these networks:

1. Run the internet natively across all boxes and secure them down against DoS attacks etc
2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS

My question is whether anyone has other pros and cons from real life experience, associated with the two options previously stated.

I would like to add that the platforms will be provisionally Cisco 6500s with SUP720s (edge) and Cisco XR 12406's (core)

Regards
Mark

From p.mayers at imperial.ac.uk Tue May 6 06:37:30 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 06 May 2008 11:37:30 +0100
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
Message-ID: <482034EA.7080606@imperial.ac.uk>

Mark Tech wrote:
> Hi
> We are going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers. I understand that there are two options with running these networks:
> 1. Run the internet natively across all boxes and secure them down against DoS attacks etc
> 2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS

I'm not aware of any particularly compelling security factors for the router control plane by putting the internet in a VRF. What are you thinking of?
There are some benefits to reserving the "default" VRF for management; specifically at least on 6500/12.2SXF various bits and pieces of IOS are not VRF aware, such as the DNS and syslog servers, SNMP trap addresses and so forth - these all come from the "default" VRF. Support for some of these is trickling in SXH/SR trains, but it's still a bit weak. Similarly, using scp/ftp/tftp from the box is difficult/impossible if you're not using the default VRF for management.

For router security I would not rely on "vrfs being secure". I would look to CoPP.

From tomas at soitron.com Tue May 6 07:10:22 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Tue, 6 May 2008 13:10:22 +0200
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3013ED4EE@kenya.tronet.as>

>
> Hi
> We are going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers. I understand that there are two options with running these networks:
> 1. Run the internet natively across all boxes and secure them down against DoS attacks etc
> 2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS
> My question is whether anyone has other pros and cons from real life experience, associated with the two options previously stated.
> I would like to add that the platforms will be provisionally Cisco 6500s with SUP720s (edge) and Cisco XR 12406's (core)
> Regards
> Mark
>

You can do that, I did it for one customer on a 12k/7k6 network and it works. You did not mention whether you want to do default routing or full BGP in the VPN.
Having the latter on 6k5/7k6 (although supported by -XL hardware) brings some serious limitations to the network, as BGP/prefix/TCAM/whatever else processing on the platform is far from optimal. Consider this especially if anything like fast convergence is your goal. But then - yes, there's so many nice thingies on having inet in VPN... And then - the folks still have some issues when the full-BGP VRF on the 7k6 occasionally stops forwarding anything, but that probably is a different story.

--
deejay

From achatz at forthnet.gr Tue May 6 07:49:44 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 06 May 2008 14:49:44 +0300
Subject: [c-nsp] max mac-addresses on a 3CXL/3BXL chassis
Message-ID: <482045D8.6080808@forthnet.gr>

Although the operating mode of a 7606/RSP720-3CXL (12.2(33)SRB2) is PFC3BXL (due to a 3BXL card), I can see 96k as the maximum number of mac-addresses on the SUP, which means I'm not losing one of the advantages of 3CXL mode. Am I missing something here?

7606#sh mod
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1    48 48-port 100FX SFP Ethernet Module      WS-X6148-FE-SFP    xxx
  4    24 CEF720 24 port 1000mb SFP              WS-X6724-SFP       xxx
  6     2 Route Switch Processor 720 (Active)    RSP720-3CXL-GE     xxx

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  4  Distributed Forwarding Card WS-F6700-DFC3BXL   xxxxxxxxxxx 5.3     Ok
  6  Policy Feature Card 3       7600-PFC3CXL       xxxxxxxxxxx 1.0     Ok
  6  C7600 MSFC4 Daughterboard   7600-MSFC4         xxxxxxxxxxx 1.1     Ok

7606#sh platform hardware pfc mode
PFC operating mode : PFC3BXL

7606#sh platform hardware capacity forwarding
L2 Forwarding Resources
  MAC Table usage:   Module   Collisions  Total       Used       %Used
                     4        0           65536       139        1%
                     6        0           98304       82         1%

--
Tassos

From jeje at jeje.org Tue May 6 09:07:37 2008
From: jeje at jeje.org (Jérôme Fleury)
Date: Tue, 6 May 2008 15:07:37 +0200
Subject: [c-nsp] Exporting VRF routes to global routing table
Message-ID: <80b7d9f60805060607r37ed423eo1f2d43bd25763ebf@mail.gmail.com>

Hi all,

I'm looking for a way to *dynamically* export routes from a VRF to the global routing table.

It should be the reverse of that feature:

BGP Support for IP Prefix Import from Global Table into a VRF Table
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
(import ipv4 unicast map route-map)

There's no "export" equivalent as far as I know. By dynamically I mean something that would use route-maps.

Does that exist ? (it does in JunOS and JunOSe, unfortunately)

Thanks for your help!

From jeje at jeje.org Tue May 6 08:46:22 2008
From: jeje at jeje.org (Jérôme Fleury)
Date: Tue, 6 May 2008 14:46:22 +0200
Subject: [c-nsp] Exporting VRf routes to global routing table
Message-ID: <80b7d9f60805060546j403a25a2nd33e36164678497a@mail.gmail.com>

Hi all,

I'm looking for a way to *dynamically* export routes from a VRF to the global routing table.
It should be the reverse of that feature:

BGP Support for IP Prefix Import from Global Table into a VRF Table
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
(import ipv4 unicast map route-map)

There's no "export" equivalent as far as I know. By dynamically I mean something that would use route-maps.

Does that exist ? (it does in JunOS and JunOSe, unfortunately)

Thanks for your help!

From philxor at gmail.com Tue May 6 11:11:55 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 6 May 2008 11:11:55 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
In-Reply-To: <000201c8af1e$73231da0$596958e0$@org>
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> <000201c8af1e$73231da0$596958e0$@org>
Message-ID: <93867D09-D42B-4FE2-8072-9093D0F48506@gmail.com>

Cisco has some mechanisms for setting the DSCP on the L2TPv3 frames based on the incoming CoS bits. I'm not sure about widespread model support but I imagine it's supported on the VXR. More info here:

http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/tnl_mrkg_l2tpv3_tnls.html

Phil

On May 5, 2008, at 10:11 PM, Paul Stewart wrote:

> Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's...
>
> So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?
>
> Here's a scenario on where the MPLS thoughts came from:
>
> Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also.
> I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize. Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times.
>
> In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers. To do this properly I keep coming back to an MPLS solution that we don't have today... our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...
>
> Open to ideas... thanks folks..
>
> Paul
>
>
> -----Original Message-----
> From: Phil Bedard [mailto:philxor at gmail.com]
> Sent: Monday, May 05, 2008 7:16 PM
> To: Paul Stewart
> Cc: 'Justin M. Streiner'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] MPLS - 6500's
>
> You may want to look at L2TPv3 unless you really need TE features. It's supported on more platforms and supported in non 'T' train releases.
>
> Phil
>
>
> On May 5, 2008, at 4:52 PM, Paul Stewart wrote:
>
>> Thanks...
>>
>> So if someone wanted to build a low traffic volume, "bare bones" MPLS network could they not use:
>>
>> Cisco 7206VXR-NPE-G1 for P router
>> Cisco 3825 or 2821 for PE router
>>
>> This would give you every MPLS feature but VPLS specifically or am I way off? Why I bring this up is that in this particular case there is still the Sup2/MSFC2 6500's in the middle but they could remain in the middle just as layer2 devices connecting the above devices together at layer3 as MPLS devices right?
>>
>> This particular project *could* use some of the TE and QOS features in MPLS but total traffic might be 10Mb/s on a peak hence why upgrading the 6500's would not make sense but adding some gear "around" them might work just fine...??
>>
>> Thanks,
>>
>> Paul
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
>> Sent: Monday, May 05, 2008 4:40 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] MPLS - 6500's
>>
>> On Mon, 5 May 2008, Paul Stewart wrote:
>>
>>> With a 6500 Catalyst, regular line cards, and Sup720-3BXL - what can you NOT do with MPLS on these chassis? Is it "just" VPLS that requires an OSM card or a FlexWAN card for example?
>>>
>>> We are working on a project where MPLS may come into play .. VPLS would be a nice option to throw in but not 100% necessary. Today, these are 6500's with Sup2/MSFC2 which I'm told are pretty much useless for anything MPLS oriented....
>>
>> I'm not sure about MPLS limitations in the Sup2/MSFC2, but it wouldn't surprise me if they're pretty major since those engines are much more software driven and have substantially lower forwarding capabilities than the Sup720/3BXL. The 3BXL does MPLS just fine, but I'm not running it in a 'true' service provider environment. We run MPLS using LDP to distribute labels to some non-Cisco gear and terminate Martini tunnels and that seems to work pretty cleanly, although the hair-pinning needed to land a Martini tunnel is somewhat strange...
>>
>> jms
From tvarriale at comcast.net Tue May 6 11:18:19 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 6 May 2008 10:18:19 -0500
Subject: [c-nsp] 2801 - can it handle this?
References:
Message-ID: <002101c8af8c$6c866b50$f211a8c0@flamwsugsmul5v>

2801 will be able to handle that situation. As others may have said...finding an IOS that works for you may be a challenge.

tv

----- Original Message -----
From: "Dan Letkeman"
To:
Sent: Sunday, May 04, 2008 12:36 AM
Subject: [c-nsp] 2801 - can it handle this?

> Hello,
>
> I have a 2801 router with the firewall IOS. I have a 10mbit connection to the internet. There will be anywhere from 100-300 users using this router for browsing the internet at one time.
>
> I will be running ips and some security acl's. No voip, maybe one or two video connections.
>
> Will this router be able to handle this amount of connections?
>
> Thanks,
> Dan.

From paul at paulstewart.org Tue May 6 11:40:36 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 6 May 2008 11:40:36 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950269D371@EXCHANGE.ctiusa.com>
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> <000201c8af1e$73231da0$596958e0$@org> <98B7739FB65BF04F9B3233AB842EEC950269D371@EXCHANGE.ctiusa.com>
Message-ID: <000501c8af8f$89ff6760$9dfe3620$@org>

Thanks very much - I find this interesting for sure.
There are already GRE/IPSec tunnels up between these locations - it's the added element of voice that has driven me in several different directions ;)

So if I read this correctly, it's possible to classify the voice packets inside of the existing VPN in place and maintain QOS so when it hits congestion we can give voice a high precedence? Does it matter that this is currently GRE based?

If this is correct, I just need to do some digging up on cisco.com

Thanks,

Paul

-----Original Message-----
From: Fred Reimer [mailto:freimer at ctiusa.com]
Sent: Tuesday, May 06, 2008 12:32 AM
To: Paul Stewart; Phil Bedard
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] VPN/QOS Questions Was MPLS - 6500's

The VoIP packets should be marked normally at the ingress port to the network. This is most likely the port on the switch that the phone is plugged into, or on the switch the router is plugged into. You may find it difficult to classify and mark traffic on the (sub) interfaces on which you configure the xconnects for L2TPv3 because the router treats them as layer-2 interfaces (i.e., you can't assign an IP address to them, etc). With the VoIP properly marked before they get to the router, as they should be, you can use the tos reflect feature to copy the TOS bytes of the packets coming into the router (even though they are treated as "layer-2" packets) to the L2TPv3 header that is sent out the router. The resulting L2TPv3 encapsulated traffic can be queued just like any other traffic.

One note, you say you need to create VPN's. The P in VPN is Private; L2TPv3 provides no encryption of the packets. If you need a private network you should use IPsec. You can use qos preclassify in order to classify the packets before they are encapsulated; providing a similar feature as tos reflect does with L2TPv3.

It sounds to me like you just want to setup IPsec VPN's.
You can put the voice and data into the same tunnel, and with qos preclassify have the marking on the IPsec header reflect the QoS you want the packet treated with. I don't see the need for MPLS here. At 5Mbps max rate there are a ton of options as far as what hardware to select.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Monday, May 05, 2008 10:11 PM
> To: 'Phil Bedard'
> Cc: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
>
> Oops.. overlooked it in the software advisor. According to Cisco.com l2tpv3 is supported even in the 1811's...
>
> So, what QOS levels can I invoke with l2tpv3 if the packets are tunneled? In other words, is there a way to mark voice packets inside of l2tpv3 tunnels across a core network to another location?
>
> Here's a scenario on where the MPLS thoughts came from:
>
> Location A - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> Location B - Cisco 1811, two subnets inbound to the router internally - one voice and one data.
>
> The data portions need to be joined via VPN (currently using GRE/IpSec). Each site has public Internet access via NAT. The voice portions need to be joined on a VPN basis also. I want the voice portions to have dscp bits set (could mark via NBAR?) so that on the transport side we can prioritize. Each site has 5 Mb/s of layer3 connectivity so congestion will definitely occur at times.
>
> In between each site is some 6500's (hence my questions on MPLS with 6500's) running Sup2/MSFC2 functioning as distribution routers. To do this properly I keep coming back to an MPLS solution that we don't have today...
> our other option is to convert a bunch of gear and make each site a trunked layer2 connection but rather avoid that if possible...
>
> Open to ideas... thanks folks..
>
> Paul
From david at davidcoulson.net Tue May 6 12:37:53 2008
From: david at davidcoulson.net (David Coulson)
Date: Tue, 06 May 2008 12:37:53 -0400
Subject: [c-nsp] Exporting VRf routes to global routing table
In-Reply-To: <80b7d9f60805060546j403a25a2nd33e36164678497a@mail.gmail.com>
References: <80b7d9f60805060546j403a25a2nd33e36164678497a@mail.gmail.com>
Message-ID: <48208961.3050904@davidcoulson.net>

Any particular reason you don't want to use a BGP session for this?

Jérôme Fleury wrote:
> Hi all,
>
> I'm looking for a way to *dynamically* export routes from a VRF to the global routing table.
>
> It should be the reverse of that feature:
>
> BGP Support for IP Prefix Import from Global Table into a VRF Table
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
>
> (import ipv4 unicast map route-map)
>
> There's no "export" equivalent as far as I know.
>
> By dynamically I mean something that would use route-maps.
>
> Does that exist ? (it does in JunOS and JunOSe, unfortunately)
>
> Thanks for your help!
From freimer at ctiusa.com Tue May 6 12:47:15 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Tue, 6 May 2008 12:47:15 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
In-Reply-To: <000501c8af8f$89ff6760$9dfe3620$@org>
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> <000201c8af1e$73231da0$596958e0$@org> <98B7739FB65BF04F9B3233AB842EEC950269D371@EXCHANGE.ctiusa.com> <000501c8af8f$89ff6760$9dfe3620$@org>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950273D067@EXCHANGE.ctiusa.com>

Yes, no.

Quality of Service Options on GRE Tunnel Interfaces:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

Quality of Service - qos pre-classify command:
http://www.cisco.com/en/US/docs/routers/access/3200/software/configuration/guide/M032qos.html#wp1077010

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: Paul Stewart [mailto:paul at paulstewart.org]
> Sent: Tuesday, May 06, 2008 11:41 AM
> To: Fred Reimer; 'Phil Bedard'
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
>
> Thanks very much - I find this interesting for sure.
>
> There are already GRE/IPSec tunnels up between these locations - it's the added element of voice that has driven me in several different directions ;)
>
> So if I read this correctly, it's possible to classify the voice packets inside of the existing VPN in place and maintain QOS so when it hits congestion we can give voice a high precedence? Does it matter that this is currently GRE based?
>
> If this is correct, I just need to do some digging up on cisco.com
>
> Thanks,
>
> Paul
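A worked configuration for the GRE-over-IPsec case Paul describes, added here as an illustration and not taken from the thread or from the Cisco documents Fred links: voice is marked DSCP EF at LAN ingress, qos pre-classify on the tunnel and the crypto map lets the output policy on the physical interface see the pre-encapsulation headers, and a 5 Mb/s shaper with a priority queue carries the voice class. Interface names, addresses, ACL, transform-set and policy names are placeholders; the ISAKMP policy and keys of the existing tunnel are assumed to be already configured.

```cisco
! Added example (not from the thread). Interface names, addresses and
! object names are placeholders; the voice subnet 10.1.10.0/24 is constructed.
!
! 1. Mark at the ingress closest to the phones, as Fred recommends. Remarking
!    class-default to DSCP 0 also stops a data host from marking its own
!    traffic EF and stealing the priority queue on the WAN.
ip access-list extended VOICE-SUBNET
 permit ip 10.1.10.0 0.0.0.255 any
!
class-map match-all VOICE-IN
 match access-group name VOICE-SUBNET
!
policy-map MARK-INGRESS
 class VOICE-IN
  set dscp ef
 class class-default
  set dscp default
!
interface Vlan10
 description voice LAN (placeholder)
 service-policy input MARK-INGRESS
!
! 2. Outbound policy on the physical uplink: shape to the 5 Mb/s the site
!    really has so queuing engages here rather than in the provider's drop
!    policy, then give EF a strict-priority queue inside the shaper.
class-map match-all VOICE
 match dscp ef
!
policy-map WAN-QUEUE
 class VOICE
  priority percent 30
 class class-default
  fair-queue
!
policy-map WAN-SHAPE
 class class-default
  shape average 5000000
  service-policy WAN-QUEUE
!
! 3. qos pre-classify on the tunnel and on the crypto map keeps a copy of the
!    original header for classification after GRE and ESP wrap the packet.
!    DSCP is copied into the outer GRE and ESP headers by default, so the
!    "match dscp ef" above would work without it; pre-classify is what makes
!    matching on inner addresses or ports possible on the outbound policy.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
ip access-list extended GRE-TO-SITE-B
 permit gre host 198.51.100.1 host 198.51.100.2
!
crypto map SITE-VPN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set ESP-AES-SHA
 match address GRE-TO-SITE-B
 qos pre-classify
!
interface Tunnel0
 description GRE to site B (placeholder)
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 198.51.100.2
 qos pre-classify
!
interface FastEthernet0
 description 5 Mb/s Internet uplink (placeholder)
 ip address 198.51.100.1 255.255.255.252
 crypto map SITE-VPN
 service-policy output WAN-SHAPE
```

Verify with "show policy-map interface FastEthernet0" during a call: the VOICE class counters on the physical interface should increment, which confirms classification survived encapsulation.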
From razor at meganet.net Tue May 6 12:06:12 2008
From: razor at meganet.net (Paul A)
Date: Tue, 6 May 2008 12:06:12 -0400
Subject: [c-nsp] RBE and PPPOE on the same router
Message-ID: <044601c8af93$1afde7c0$2e40d5d1@nocpamaral>

Hi, folks hope someone here can clue me in on what I need to do.

I currently have a cisco 7200 that I setup a while back for RBE DSL and it's been working great with no issues. We also have a redback terminating DSL/PPPOE that we want to shutdown. What we are going to do is move the PPPOE customers from the redback to the same cisco as the RBE DSL customers. The PPPOE customers will be on different VPI/VCI's so I'm assuming I can have RBE and PPPOE coexist without issues.

The telco needs to know my mac address for the cisco to add to their bridge table. Looking at my config I noticed I have a mac-address on the ATM, mac-address 0000.0cca.22dc. Should this mac-address be the fast0 interface's mac address that's connected to the gateway? I'm trying to figure out what mac-address they are looking for.

I would appreciate it if someone could point me in the direction for getting RBE/PPPOE working together on the same router.

interface ATM5/0
 description VZ CIRTUIT ID 95HFGJ6XXXX
 mac-address 0000.0cca.22dc
 no ip address
 no ip redirects
 no ip unreachables
 ip route-cache policy
 ip route-cache flow
 load-interval 30
 no atm oversubscribe
 atm scrambling cell-payload
 atm uni-version 3.1
 atm ilmi-keepalive
 arp arpa
 arp timeout 0
!
interface ATM5/0.100201 point-to-point
 ip unnumbered Loopback1
 ip access-group dsl-inbound in
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 no ip mroute-cache
 ip policy route-map FA20RM
 no snmp trap link-status
 atm route-bridged ip
 pvc 1/201
  encapsulation aal5snap
  service-policy output fbwfq

Thanks,

----------------------------------------------------
Paulo Amaral
MegaNet Communications
P: 508 646 0030
-----------------------------------------------------

From paul at paulstewart.org Tue May 6 13:17:15 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 6 May 2008 13:17:15 -0400
Subject: [c-nsp] VPN/QOS Questions Was MPLS - 6500's
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950273D067@EXCHANGE.ctiusa.com>
References: <002101c8aeeb$8f5e5210$ae1af630$@org> <002601c8aef1$fc2406f0$f46c14d0$@org> <000201c8af1e$73231da0$596958e0$@org> <98B7739FB65BF04F9B3233AB842EEC950269D371@EXCHANGE.ctiusa.com> <000501c8af8f$89ff6760$9dfe3620$@org> <98B7739FB65BF04F9B3233AB842EEC950273D067@EXCHANGE.ctiusa.com>
Message-ID: <003401c8af9d$09fdbf90$1df93eb0$@org>

That's awesome!! Thanks so much... I had this conversation last year at Networkers and nobody found a solution - quite possibly I didn't explain it well I guess....

Best Regards,

Paul

-----Original Message-----
From: Fred Reimer [mailto:freimer at ctiusa.com]
Sent: Tuesday, May 06, 2008 12:47 PM
To: Paul Stewart; Phil Bedard
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] VPN/QOS Questions Was MPLS - 6500's

Yes, no.

Quality of Service Options on GRE Tunnel Interfaces:
http://www.cisco.com/en/US/tech/tk543/tk545/technologies_tech_note09186a008017405e.shtml

Quality of Service - qos pre-classify command:
http://www.cisco.com/en/US/docs/routers/access/3200/software/configuration/guide/M032qos.html#wp1077010

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

From paul at gtcomm.net Tue May 6 12:40:25 2008
From: paul at gtcomm.net (Paul)
Date: Tue, 06 May 2008 12:40:25 -0400
Subject: [c-nsp] 3750 etherchannel only using 1 port
Message-ID: <482089F9.2020608@gtcomm.net>

C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE SOFTWARE (fc1)

Running two etherchannels with two gig ports not cross stack. Here's an example of one of them. What's happening is that only one port is being used for outgoing traffic, no matter what I set the port-channel load-balance to. Is etherchannel broken in 12.2.44SE1? This is a new setup.

!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11
 switchport mode trunk
 load-interval 30
 channel-group 1 mode active
end

interface GigabitEthernet1/0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11
 switchport mode trunk
 load-interval 30
 channel-group 1 mode active
end

interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 5,11
 switchport mode trunk
 load-interval 30
end

                Group state = L2
                Ports: 2   Maxports = 16
                Port-channels: 1 Max Port-channels = 16
                Protocol:   LACP
                Minimum Links: 0
                Ports in the group:
                -------------------
Port: Gi1/0/1
------------

Port state    = Up Mstr Assoc In-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.
Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/1   SA      bndl      32768         0x1       0x1     0x1         0x3D

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi1/0/1   SA      32768     0015.175d.1800  2s     0x0    0x1D0  0x2     0x3D

Age of the port in the current state: 11d:12h:50m:38s

Port: Gi1/0/2
------------

Port state    = Up Mstr Assoc In-Bndl
Channel group = 1           Mode = Active          Gcchange = -
Port-channel  = Po1         GC   = -               Pseudo port-channel = Po1
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi1/0/2   SA      bndl      32768         0x1       0x1     0x2         0x3D

Partner's information:

                  LACP port                        Admin  Oper   Port    Port
Port      Flags   Priority  Dev ID          Age    key    Key    Number  State
Gi1/0/2   SA      32768     0015.175d.1800  2s     0x0    0x1D0  0x3     0x3D

Age of the port in the current state: 11d:12h:50m:36s

                Port-channels in the group:
                ---------------------------

Port-channel: Po1    (Primary Aggregator)

------------

Age of the Port-channel   = 11d:12h:51m:07s
Logical slot/port   = 10/1          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP
Port security       = Disabled

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi1/0/1  Active             0
  0     00     Gi1/0/2  Active             0

Time since last port bundled:    11d:12h:50m:44s    Gi1/0/2

From jeje at jeje.org Tue May 6 13:24:49 2008
From: jeje at jeje.org (Jérôme Fleury)
Date: Tue, 6 May 2008 19:24:49 +0200
Subject: [c-nsp] Exporting VRf routes to global routing table
In-Reply-To: <48208961.3050904@davidcoulson.net>
References: <80b7d9f60805060546j403a25a2nd33e36164678497a@mail.gmail.com> <48208961.3050904@davidcoulson.net>
Message-ID: <80b7d9f60805061024w67c5bf32y7f8eedc6014802db@mail.gmail.com>

Hi David,

I did not think about using a BGP session actually! I will try that right now. Thanks for the clue.

On Tue, May 6, 2008 at 6:37 PM, David Coulson wrote:
> Any particular reason you don't want to use a BGP session for this?
>
> Jérôme Fleury wrote:
> > Hi all,
> >
> > I'm looking for a way to *dynamically* export routes from a VRF to the global routing table.
> >
> > It should be the reverse of that feature:
> >
> > BGP Support for IP Prefix Import from Global Table into a VRF Table
> > http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_bgivt.html
> >
> > (import ipv4 unicast map route-map)
> >
> > There's no "export" equivalent as far as I know.
> >
> > By dynamically I mean something that would use route-maps.
> >
> > Does that exist ? (it does in JunOS and JunOSe, unfortunately)
> >
> > Thanks for your help!

From der.mikus at gmail.com Tue May 6 13:27:36 2008
From: der.mikus at gmail.com (Mike Butash)
Date: Tue, 06 May 2008 10:27:36 -0700
Subject: [c-nsp] Netflow Question
In-Reply-To: <3329cbb40805022345m55ee5c9fjc7f8181453521bf9@mail.gmail.com>
References: <001201c8ac83$a6c85820$f4590860$@com> <481B6BF0.7040003@gmail.com> <3329cbb40805022345m55ee5c9fjc7f8181453521bf9@mail.gmail.com>
Message-ID: <48209508.1000205@gmail.com>

Hi Dale,

Haven't used Cisco netflow collector software, but I can only assume like most of their typical (java) software it's probably an overpriced abortion waiting to happen. Cisco makes great hardware, though their software leaves much to be desired...

For a big shop with multiple large flow sources, Arbor Peakflow products are _very_ nice, but price puts them out of the reach of small to medium business.
They are an enterprise/service provider product though; I've seen them scale in very large environments and provide a wealth of information that is priceless, especially when you're prone to DDoS and other forms of abuse.

On a smaller scale, I always use and install for customers open-source Ntop on Linux when it's a temporary or a small shop, but have seen it scale pretty decently, at least over 100mb on something like a dell 1850 server. Good reporting app with a web interface, provides lots of nice detail and features of your traffic. There are lots of open-source netflow apps out there, just google for linux and netflow.

In 12.4T there is also the topN talker function in IOS to give you a list of top talkers currently that is nice when available, but only if you have a smaller platform that uses 12.4T on cutting-edge code.

All depends what your platforms and budgets look like.

-mb

Dale Shaw wrote:
> Hi,
>
> raa at opusnet.com wrote:
>> Second part to this question is anyone recommend a Netflow analyzer? Either application or appliance (price is important.) I'd like to get one where I can assign clients access where they only have access to the ports I assign them. I'm currently using the free version of Scrutinizer.
>
> This seems to be a FAQ.
>
> I guess there are a bunch of good products out there, so it's hard for anyone to give definitive, unbiased opinions. The best you can probably hope for is advice _against_ using a particular product, due to some real or perceived limitation/deficiency.
>
> While we're on the topic, does anyone have anything particularly positive or negative to say about Cisco NetFlow Collector, or Compuware's NetFlow product?
>
> cheers,
> Dale

From ross at kallisti.us Tue May 6 14:39:52 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 6 May 2008 14:39:52 -0400
Subject: [c-nsp] cisco slb ace and snmp OID
In-Reply-To: <481F31C5.7070107@gmail.com>
References: <481F31C5.7070107@gmail.com>
Message-ID: <20080506183952.GA10539@kallisti.us>

On Mon, May 05, 2008 at 12:11:49PM -0400, Donato Dunguihual Morales wrote:
> Hi,
>
> I need to graph with mrtg or rrdtool, real servers and server farm info for cisco application control engine module. Anyone have information about the most popular oid that can be measured and polled through snmp? I've been looking in the web for specific oid without results.
>
> For example for cisco CSS the oid for current connections per service is like that 1.3.6.1.4.1.2467.1.15.2.1.20.5.104.116.116.112.52.

You want to be looking at CISCO-SLB-MIB and CISCO-SLB-EXT-MIB.

BE VERY CAREFUL - there is an IOS crash that is triggered by polling a real/vserver at the same time it is being deleted. I don't have the bug ID handy, and I'm not sure if it affects ACE (or just CSM), but I would tread lightly.

--
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From jmaimon at ttec.com Tue May 6 16:47:54 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Tue, 06 May 2008 16:47:54 -0400
Subject: [c-nsp] RBE and PPPOE on the same router
In-Reply-To: <04e501c8afb5$8e1150e0$2e40d5d1@nocpamaral>
References: <044601c8af93$1afde7c0$2e40d5d1@nocpamaral> <4820B651.8040603@ttec.com> <04e501c8afb5$8e1150e0$2e40d5d1@nocpamaral>
Message-ID: <4820C3FA.1090003@ttec.com>

Use the mac address, what's the big deal? They use it for security filtering.

You can also specify in bba-group.

Here is a configlet distilled from a working system.

aaa group server radius radiusgroup
 server xx.yy.132.7 auth-port 1812 acct-port 1813
 server xx.yy.32.37 auth-port 1812 acct-port 1813
 deadtime 1
!
vc-class atm vzdsl
  no ilmi manage
  oam-pvc manage
  encapsulation aal5autoppp Virtual-Template1
!
ip local pool DSL-POOL xxx.yyy.146.192 xxx.yyy.146.223
!
aaa authentication ppp default local group radiusgroup
aaa authentication ppp radiusgroup group radiusgroup
aaa authorization network default local group radiusgroup
aaa authorization network radiusgroup group radiusgroup
aaa accounting delay-start
aaa accounting update periodic 5
aaa accounting network default start-stop group radiusgroup
aaa accounting system default start-stop group radiusgroup
!
interface Loopback0
 ip address xx.yy.15.248 255.255.255.255
!
bba-group pppoe global
 virtual-template 1
 sessions max limit 500
 sessions per-mac limit 4
 sessions per-vc throttle 30 10 10
 sessions per-mac throttle 10 30 30
 sessions auto cleanup
!
interface Virtual-Template1 ip unnumbered Loopback0 ip verify unicast source reachable-via rx ip route-cache policy ip route-cache flow ip tcp adjust-mss 1452 peer default ip address pool DSL-POOL ppp authentication pap radiusgroup ppp authorization radiusgroup ppp ipcp address required interface ATM2/1/0.20032 point-to-point ip address xx.xx.xx.49 255.255.255.248 class-int vzdsl atm route-bridged ip pvc 2/32 interface ATM2/1/0.500 multipoint description ADSL NY LATA 132 SPID xxxx class-int vzdsl range PPPOE-01 pvc 1/500 1/599 create on-demand radius-server attribute 218 mandatory radius-server attribute nas-port format d radius-server host xx.yyy.32.37 auth-port 1812 acct-port 1813 key THEKEY radius-server host xx.yyy.132.7 auth-port 1812 acct-port 1813 key THEKEY radius-server vsa send authentication Paul A wrote: > Joe, cisco recommends that I use a bba-group if im going to have RBE and > PPPOE on the same interface. > > Currently all of my RBE DSL's use the mac-address below. > > I forgot how I configured that mac-address under the atm interface and how I > can go about configuring another mac address for the bba-group. > > Let me know if you have any ideas and I appreciate the response. > > > > Thanks, > > ---------------------------------------------------- > Paulo Amaral > MegaNet Communications > P: 508 646 0030 > ----------------------------------------------------- > > P.A > -----Original Message----- > P.A > From: Joe Maimon [mailto:jmaimon at ttec.com] > P.A > Sent: Tuesday, May 06, 2008 3:50 PM > P.A > To: Paul A > P.A > Subject: Re: [c-nsp] RBE and PPPOE on the same router > P.A > > P.A > You can put a mac-address on the atm interface with the mac-address > P.A > command. It need have nothing to do with any ethernet interfaces. > P.A > > P.A > Paul A wrote: > P.A > > Hi, folks hope someone here can clue me in on what I need to do. 
> P.A > > > P.A > > I currently have a cisco 7200 that I setup a while back for RBE DSL > P.A > and it's > P.A > > been working great with no issues. We also have a redback > P.A > terminating > P.A > > DSL/PPPOE that we want to shutdown. What we are going to do is move > P.A > the > P.A > > PPPOE customers from the redback to the same cisco as the RBE DSL > P.A > customers. > P.A > > > P.A > > The PPPOE customers will be on different VPI/VCI's so I'm assuming I > P.A > can > P.A > > have RBE and PPPOE coexist without issues. The telco needs to know > P.A > my mac > P.A > > address for the cisco to add to their bridge table. Looking at my > P.A > config I > P.A > > noticed I have a mac-address on the ATM, mac-address 0000.0cca.22dc. > P.A > > > P.A > > Should this mac-address be the fast0 interface's mac address thats > P.A > connected > P.A > > to the gateway? I'm trying to figure out what mac-address they are > P.A > looking > P.A > > for. > P.A > > > P.A > > I would apriciate if someone could point me in the direction for > P.A > getting > P.A > > RBE/PPPOE working together on the same router. > P.A > > > P.A > > > P.A > > interface ATM5/0 > P.A > > description VZ CIRTUIT ID 95HFGJ6XXXX > P.A > > mac-address 0000.0cca.22dc > P.A > > no ip address > P.A > > no ip redirects > P.A > > no ip unreachables > P.A > > ip route-cache policy > P.A > > ip route-cache flow > P.A > > load-interval 30 > P.A > > no atm oversubscribe > P.A > > atm scrambling cell-payload > P.A > > atm uni-version 3.1 > P.A > > atm ilmi-keepalive > P.A > > arp arpa > P.A > > arp timeout 0 > P.A > > ! 
> P.A > > interface ATM5/0.100201 point-to-point > P.A > > ip unnumbered Loopback1 > P.A > > ip access-group dsl-inbound in > P.A > > no ip redirects > P.A > > no ip unreachables > P.A > > ip nat inside > P.A > > ip virtual-reassembly > P.A > > ip route-cache same-interface > P.A > > no ip mroute-cache > P.A > > ip policy route-map FA20RM > P.A > > no snmp trap link-status > P.A > > atm route-bridged ip > P.A > > pvc 1/201 > P.A > > encapsulation aal5snap > P.A > > service-policy output fbwfq > P.A > > > P.A > > Thanks, > P.A > > > P.A > > ---------------------------------------------------- > P.A > > Paulo Amaral > P.A > > MegaNet Communications > P.A > > P: 508 646 0030 > P.A > > ----------------------------------------------------- > P.A > > > P.A > > _______________________________________________ > P.A > > cisco-nsp mailing list cisco-nsp at puck.nether.net > P.A > > https://puck.nether.net/mailman/listinfo/cisco-nsp > P.A > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > P.A > > > P.A > > > > From p.mayers at imperial.ac.uk Tue May 6 17:19:19 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 06 May 2008 22:19:19 +0100 Subject: [c-nsp] Internet vrf, pros and cons In-Reply-To: <4EF7C23B9231A14E99C9016F65B13B8C04C475C6@PDXEX01.webtrends.corp> References: <664106.17320.qm@web44815.mail.sp1.yahoo.com> <482034EA.7080606@imperial.ac.uk> <4EF7C23B9231A14E99C9016F65B13B8C04C475C6@PDXEX01.webtrends.corp> Message-ID: <4820CB57.9090803@imperial.ac.uk> Ryan Otis wrote: > Does this mean that even if you have a 6500 with a VIF inside a VRF, and > you have a management station on the same VLAN as the VIF; you would be > unable to send SNMP traps to the management station? I haven't specifically tested SNMP traps, but that is my understanding. It's certainly the case for other stuff. 
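For the CSS OID quoted in Donato's question and Ross's answer above (the per-service current-connections OID), an added Python example that builds and decodes such instance OIDs for MRTG/rrdtool polling. It is not code from the thread: it assumes the sub-identifiers after the column OID are a length-prefixed ASCII service name, which is an interpretation of the single OID on the page (5 octets, "http4"), and the host, community and sample walk rows are constructed.

```python
"""Build and decode CSS per-service SNMP instance OIDs.

Added example, not code from the thread.  It reads the OID quoted in the
question, 1.3.6.1.4.1.2467.1.15.2.1.20.5.104.116.116.112.52, as a column OID
(1.3.6.1.4.1.2467.1.15.2.1.20, current connections per service) followed by
a length-prefixed ASCII index: sub-identifier 5, then the five octets
'h' 't' 't' 'p' '4', i.e. the service named "http4".  That the CSS indexes
the table this way is an assumption drawn from that one OID; confirm it with
an snmpwalk of the column before relying on it.
"""
from typing import Dict, Iterable, List, Tuple

# Column OID for current connections per service, as quoted in the question.
CSS_SERVICE_CUR_CONNS = "1.3.6.1.4.1.2467.1.15.2.1.20"


def encode_index(name: str) -> str:
    """Encode a service name as a length-prefixed ASCII index,
    e.g. "http4" -> "5.104.116.116.112.52"."""
    if not name or not name.isascii():
        raise ValueError("service name must be non-empty ASCII")
    return ".".join([str(len(name))] + [str(ord(ch)) for ch in name])


def service_oid(name: str, column: str = CSS_SERVICE_CUR_CONNS) -> str:
    """Full instance OID to poll for one named service."""
    return f"{column}.{encode_index(name)}"


def decode_index(index: str) -> str:
    """Inverse of encode_index.  Rejects an index whose length prefix does
    not match the number of octets that follow, or that carries non-ASCII
    octets, so a malformed row from a walk fails loudly instead of being
    mis-attributed to some other service."""
    subids = [int(s) for s in index.split(".")]
    if not subids or len(subids) != subids[0] + 1:
        raise ValueError(f"bad length-prefixed index: {index}")
    octets = subids[1:]
    if any(not 0 <= o < 128 for o in octets):
        raise ValueError(f"non-ASCII octet in index: {index}")
    return "".join(chr(o) for o in octets)


def decode_walk(rows: Iterable[Tuple[str, int]],
                column: str = CSS_SERVICE_CUR_CONNS) -> Dict[str, int]:
    """Turn (instance OID, value) pairs from a walk of `column` into a
    {service name: value} map, skipping rows that belong to other columns."""
    out: Dict[str, int] = {}
    prefix = column + "."
    for oid, value in rows:
        if not oid.startswith(prefix):
            continue
        out[decode_index(oid[len(prefix):])] = value
    return out


def mrtg_target(label: str, name: str, host: str, community: str) -> str:
    """MRTG Target line (OID_in&OID_out:community@host) polling the same
    instance twice, so the graph shows one service's current connections."""
    oid = service_oid(name)
    return f"Target[{label}]: {oid}&{oid}:{community}@{host}"


# Constructed sample of what a walk of the column might return (not real data).
SAMPLE_WALK: List[Tuple[str, int]] = [
    ("1.3.6.1.4.1.2467.1.15.2.1.20.5.104.116.116.112.52", 37),  # http4
    ("1.3.6.1.4.1.2467.1.15.2.1.20.5.104.116.116.112.53", 12),  # http5
    ("1.3.6.1.4.1.2467.1.15.2.1.20.3.100.110.115", 4),          # dns
    ("1.3.6.1.4.1.2467.1.15.2.1.21.5.104.116.116.112.52", 99),  # other column, skipped
]

if __name__ == "__main__":
    print(service_oid("http4"))
    print(decode_walk(SAMPLE_WALK))
    # css.example.net / "public" are placeholders, not values from the thread.
    print(mrtg_target("css-http4", "http4", "css.example.net", "public"))
```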
From skeeve at skeeve.org Tue May 6 18:41:49 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Wed, 7 May 2008 08:41:49 +1000
Subject: [c-nsp] Any 3xxx Switches support MPLS?
Message-ID: <046501c8afca$5f5d8c40$1e18a4c0$@org>

Any 3xxx Switches support MPLS?

i.e. 3550, 3560, 3750, and so on?

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve

eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From peter at rathlev.dk Tue May 6 19:07:15 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 07 May 2008 01:07:15 +0200
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <046501c8afca$5f5d8c40$1e18a4c0$@org>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org>
Message-ID: <1210115235.8710.2.camel@dusken.sys.mjna.net>

On Wed, 2008-05-07 at 08:41 +1000, Skeeve Stevens wrote:
> Any 3xxx Switches support MPLS?
>
> i.e. 3550, 3560, 3750, and so on?

The 3750 Metro does on the ES ports, otherwise no.

Regards,
Peter

From philxor at gmail.com Tue May 6 20:11:39 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 6 May 2008 20:11:39 -0400
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <046501c8afca$5f5d8c40$1e18a4c0$@org>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org>
Message-ID: <1E77FB93-7B39-43CB-808D-3189935A7849@gmail.com>

ME3750, but I haven't heard very good things about its MPLS support. You would need to go up to something like the ME6524.

Phil

On May 6, 2008, at 6:41 PM, Skeeve Stevens wrote:
> Any 3xxx Switches support MPLS?
>
> i.e. 3550, 3560, 3750, and so on?

From Colin at 2cups.com Tue May 6 19:42:00 2008
From: Colin at 2cups.com (Colin McNamara)
Date: Tue, 06 May 2008 16:42:00 -0700
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <046501c8afca$5f5d8c40$1e18a4c0$@org>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org>
Message-ID: <4820ECC8.5010504@2cups.com>

ME-C3750-24TE-M supports MPLS.

".. The Cisco Catalyst 3750 Metro Series switches are a new line of premier multilayer switches that bring greater intelligence to the metro Ethernet edge, enabling the delivery of more differentiated metro Ethernet services. Featuring hierarchical quality of service (QoS) and traffic shaping, intelligent 802.1Q tunneling, VLAN mapping, Multi-protocol Label Switching (MPLS) and Ethernet over MPLS (EoMPLS) support, and redundant AC or DC power, these switches are ideal for service providers seeking to deliver profitable business services, such as Layer 2, Layer 3, and MPLS VPNs, in a variety of bandwidths and with different service-level agreements (SLAs). With flexible software options, the Cisco Catalyst 3750 Metro Series offers a cost-effective path for meeting current and future service requirements from service providers serving enterprises and commercial businesses. .."

http://www.cisco.com/en/US/products/hw/switches/ps5532/

Skeeve Stevens wrote:
> Any 3xxx Switches support MPLS?
>
> i.e. 3550, 3560, 3750, and so on?

--
Colin McNamara
(858)208-8105
CCIE #18233,RHCE,GCIH
http://www.colinmcnamara.com
http://www.linkedin.com/in/colinmcnamara

"The difficult we do immediately, the impossible just takes a little longer"

From rubensk at gmail.com Tue May 6 21:05:39 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 6 May 2008 22:05:39 -0300
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
Message-ID: <6bb5f5b10805061805o79bcb90bof824b84414ac7d99@mail.gmail.com>

The issue with VRFs is that they can't do policy routing, because it's already a routing table selection... I agree that box security should be taken care of with CoPP. Put Internet customers on the main VRF, but carefully design ACL, policy-routing and CoPP to reach your security goals. VRFs are great with overlapping IP spaces, but on the Internet, where everybody in the world agrees on an addressing plan, just use plain routing.

Rubens

On Tue, May 6, 2008 at 6:08 AM, Mark Tech wrote:
> Hi
> We are going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers. I understand that there are two options with running these networks:
> 1. Run the internet natively across all boxes and secure them down against DoS attacks etc
> 2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS
> My question is whether anyone has other pros and cons from real life experience, associated with the two options previously stated.
> I would like to add that the platforms will be provisionally Cisco 6500s with SUP720s (edge) and Cisco XR 12406's (core)
> Regards
> Mark

From dan at beanfield.com Tue May 6 20:23:44 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Tue, 06 May 2008 20:23:44 -0400
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <1E77FB93-7B39-43CB-808D-3189935A7849@gmail.com>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <1E77FB93-7B39-43CB-808D-3189935A7849@gmail.com>
Message-ID: <4820F690.8000002@beanfield.com>

I've said it before, I'll say it again - I would give my first born for MPLS support on the ME3400s. :-)

We need an inexpensive, small, L3 switch platform that does MPLS!

Foundry has one although I've not looked at pricing, Juniper has the J series routers which don't quite have the backplane....

The 6524 is hardly inexpensive....

Phil Bedard wrote:
> ME3750, but I haven't heard very good things about its MPLS support. You would need to go up to something like the ME6524.
>
> Phil
>
> On May 6, 2008, at 6:41 PM, Skeeve Stevens wrote:
>> Any 3xxx Switches support MPLS?
>>
>> i.e. 3550, 3560, 3750, and so on?
From ed at edgeoc.net Tue May 6 21:25:24 2008
From: ed at edgeoc.net (ed at edgeoc.net)
Date: Wed, 7 May 2008 01:25:24 +0000
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <4820F690.8000002@beanfield.com>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <1E77FB93-7B39-43CB-808D-3189935A7849@gmail.com> <4820F690.8000002@beanfield.com>
Message-ID: <1032606725-1210123513-cardhu_decombobulator_blackberry.rim.net-1196104617-@bxe133.bisx.prod.on.blackberry>

I am almost positive the me3400 will do mpls vpn from PE--CE with the metroipaccess image.

-Ed

-----Original Message-----
From: Dan Armstrong
Date: Tue, 06 May 2008 20:23:44
To: Phil Bedard
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Any 3xxx Switches support MPLS?

I've said it before, I'll say it again - I would give my first born for MPLS support on the ME3400s. :-)

We need an inexpensive, small, L3 switch platform that does MPLS!

Foundry has one although I've not looked at pricing, Juniper has the J series routers which don't quite have the backplane....

The 6524 is hardly inexpensive....

Phil Bedard wrote:
> ME3750, but I haven't heard very good things about its MPLS support. You would need to go up to something like the ME6524.
>
> Phil
>
> On May 6, 2008, at 6:41 PM, Skeeve Stevens wrote:
>> Any 3xxx Switches support MPLS?
>>
>> i.e. 3550, 3560, 3750, and so on?

From philxor at gmail.com Tue May 6 21:47:16 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 6 May 2008 21:47:16 -0400
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <1032606725-1210123513-cardhu_decombobulator_blackberry.rim.net-1196104617-@bxe133.bisx.prod.on.blackberry>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <1E77FB93-7B39-43CB-808D-3189935A7849@gmail.com> <4820F690.8000002@beanfield.com> <1032606725-1210123513-cardhu_decombobulator_blackberry.rim.net-1196104617-@bxe133.bisx.prod.on.blackberry>

The ME3400 only supports VRF-Lite, not MPLS. It works well as a metro access device you can trunk into a 7600 which does the MPLS VPN service, but cannot natively deal with MPLS packets.

Phil

On May 6, 2008, at 9:25 PM, ed at edgeoc.net wrote:
> I am almost positive the me3400 will do mpls vpn from PE--CE with the metroipaccess image.
>
> -Ed

From rubensk at gmail.com Tue May 6 21:51:55 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 6 May 2008 22:51:55 -0300
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <046501c8afca$5f5d8c40$1e18a4c0$@org>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org>
Message-ID: <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com>

Only 3750 Metro supports MPLS, badly. Filling in the annual customer satisfaction survey section about the 3750 Metro always inspires me a death-wish that I would rather not have.

Maybe the Juniper EX boxes will have MPLS in a year or two, but for the meantime, you can consider
1) Using Multi-VRF instead of MPLS to provide IPVPN services, and then use something like the 3400ME with METROIPACCESS image
2) Buy ME6524, which is a very good box
3) Combine Juniper EX with Juniper J routers so you can have density, L2 backplane, L3 routing on the EX box, but enough MPLS routing capacity on the J box to provide services to a growing POP

Option 2 is what we do today, considering whether to use option 1 or 3 to grow the network.

Rubens

On Tue, May 6, 2008 at 7:41 PM, Skeeve Stevens wrote:
> Any 3xxx Switches support MPLS?
>
> i.e. 3550, 3560, 3750, and so on?
From mtinka at globaltransit.net Tue May 6 22:59:27 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 7 May 2008 10:59:27 +0800
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <6bb5f5b10805061805o79bcb90bof824b84414ac7d99@mail.gmail.com>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com> <6bb5f5b10805061805o79bcb90bof824b84414ac7d99@mail.gmail.com>
Message-ID: <200805071059.32022.mtinka@globaltransit.net>

On Wednesday 07 May 2008, Rubens Kuhl Jr. wrote:
> The issue with VRFs is that they can't do policy routing, because it's already a routing table selection... I agree that box security should be taken care of with CoPP. Put Internet customers on the main VRF, but carefully design ACL, policy-routing and CoPP to reach your security goals. VRFs are great with overlapping IP spaces, but on the Internet, where everybody in the world agrees on an addressing plan, just use plain routing.

I agree with this - having global (Internet) routes in a VRF, I think, adds complexity.

One situation where we have considered doing this is when we want a specific PE router to have access to only a specific set of routes on a public border router. Other than that, we keep it quite simple :-).

Cheers,
Mark.

From dan at beanfield.com Tue May 6 23:11:56 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Tue, 06 May 2008 23:11:56 -0400
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com>
Message-ID: <48211DFC.6060007@beanfield.com>

As long as I'm inventing features - you know what would really help? The ability to "re-stack" QinQ VLANs on one of these inexpensive devices, then it wouldn't be such a problem to use cheaper switches on the edge, and do MPLS VPNs on your aggregators.

If I could take VLANs X, Y, and Z from outer VLAN N, then make a new outer VLAN L from VLANs X & Y only and put VLAN Z into outer VLAN M.

Or at the very least if I could make an access port from one of the inner Q's in a QinQ VLAN.... that'd even help!

Rubens Kuhl Jr. wrote:
> Only 3750 Metro supports MPLS, badly. Filling in the annual customer satisfaction survey section about the 3750 Metro always inspires me a death-wish that I would rather not have.
>
> Maybe the Juniper EX boxes will have MPLS in a year or two, but for the meantime, you can consider
> 1) Using Multi-VRF instead of MPLS to provide IPVPN services, and then use something like the 3400ME with METROIPACCESS image
> 2) Buy ME6524, which is a very good box
> 3) Combine Juniper EX with Juniper J routers so you can have density, L2 backplane, L3 routing on the EX box, but enough MPLS routing capacity on the J box to provide services to a growing POP
>
> Option 2 is what we do today, considering whether to use option 1 or 3 to grow the network.
>
> Rubens
>
> On Tue, May 6, 2008 at 7:41 PM, Skeeve Stevens wrote:
>> Any 3xxx Switches support MPLS?
>>
>> i.e. 3550, 3560, 3750, and so on?

From dhooper at emerge.net.au Wed May 7 00:35:13 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Wed, 7 May 2008 12:35:13 +0800
Subject: [c-nsp] 3550-12T rack ears

I'm attempting to install rack ears onto a collection of 12T's I have. For some reason the screw holes on the ears only line up on the right hand side of the switch; on the other side the holes are slightly out and it's not possible to fit the ear onto it. It doesn't matter if I'm mounting them on the front, back or center of the switch, the left side of the switch holes are all slightly out.

Have I just got the wrong rack mount kit? I've mounted these in the past with no hassles, with the same batch of ears that I have for them today.

Thanks,
-Dan

From cisco-nsp-list at createx.de Wed May 7 02:19:10 2008
From: cisco-nsp-list at createx.de (Arne Boettger)
Date: Wed, 7 May 2008 08:19:10 +0200
Subject: [c-nsp] BVI not passing some broadcast traffic from WLC users
In-Reply-To: <4804EB49.2090100@velvet.org>
References: <4804DEA9.6010007@velvet.org> <4804EB49.2090100@velvet.org>
Message-ID: <0FF1D8F3-95CD-41B9-BCDD-77E6DF60E252@createx.de>

Hi Matt,

it seems you never got a response.

iTunes uses IPv6, and Cisco IRB does not bridge IPv6. The only possible way would be configuring IPv6 on the WLAN interfaces and maybe forwarding the multicasts used between the subnets. Sadly, the only release I could find so far which supported IPv6 on WLAN on my 878W was 12.4(15)XY, which worked for a few hours before crashing repeatedly.

On 15.04.2008, at 19:52, matthew zeier wrote:
> Relevant config @ http://mrz.pastebin.mozilla.org/404065
>
> Mario Spinthiras wrote:
>> can you please post your configuration?
>>
>> --
>> Warm Regards,
>> Mario A. Spinthiras
>> Nicosia , Cyprus
>> Blog: http://www.spinthiras.net
>> Mail: mspinthiras at gmail.com
>> Skype: smario125

From tima at transtelecom.net Wed May 7 04:39:01 2008
From: tima at transtelecom.net (Tima Maryin)
Date: Wed, 07 May 2008 12:39:01 +0400
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com>
Message-ID: <48216AA5.6050901@transtelecom.net>

But keep in mind that it has oversubscription on non-uplink ports.

Rubens Kuhl Jr. wrote:
> 2) Buy ME6524, which is a very good box

From tima at transtelecom.net Wed May 7 04:25:31 2008
From: tima at transtelecom.net (Tima Maryin)
Date: Wed, 07 May 2008 12:25:31 +0400
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com>
Message-ID: <4821677B.2050007@transtelecom.net>

Hi!

Pros:
Security. You can make device management based on private addresses like 10./172. So no one ever can get remote access to your routers from the internet.

Cons:
Memory consumption on routers. Each full view will consume more router RAM than usual.
A bit more annoying troubleshoot - you need to type ping vrf, trace vrf and so on Works well on NPE-G1, IOS bases GSR's Mark Tech wrote: > Hi > We area going to deploy a new MPLS network which will be used for Internet customers and IP/VPN customers. I understand that there are two options with running these networks: > 1. Run the internet natively across all boxes and secure them down against DoS attacks etc > 2. Create an Internet VRF whereby all internet traffic is simply seen as a large IPVPN network, thereby utilising some of the inherent security factors associated with IPVPNS > My question is whether anyone has other pros and cons from real life experience, associated with the two options previously stated. > I would like to add that the platforms will be provisionally Cisco 6500s with SUP720s (edge) and Cisco XR 12406's (core) > Regards > Mark > From cisco-nsp at ibh.net Wed May 7 07:05:21 2008 From: cisco-nsp at ibh.net (Andre Beck) Date: Wed, 7 May 2008 13:05:21 +0200 Subject: [c-nsp] 3750 etherchannel only using 1 port In-Reply-To: <482089F9.2020608@gtcomm.net> References: <482089F9.2020608@gtcomm.net> Message-ID: <20080507110521.GB24477@ibh.de> Hi Paul, On Tue, May 06, 2008 at 12:40:25PM -0400, Paul wrote: > C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE > SOFTWARE (fc1) > > Running two etherchannels with two gig ports not cross stack. Here's an > example of one of them. > What's happening is that only one port is being used for outgoing > traffic, no matter what I set the port-channel load-balance to. Is > etherchannel broken in 12.2.44SE1? This is a new setup. I'm running 12.2(44)SE1 on a bunch of 3560E chassis which are similar enough to the 3750E, but maybe not the 3750. They're running multiple port-channels that look quite similar to yours (LACP) and I see egress traffic on both group members. 
> Ports in the Port-channel: > > Index Load Port EC state No of bits > ------+------+------+------------------+----------- > 0 00 Gi1/0/1 Active 0 > 0 00 Gi1/0/2 Active 0 Looks the same here, but doesn't seem to indicate a problem. Of course you will see a certain flow always taking just one member egress path, any load balancing is purely statistical. I was running the default (source MAC only) load balancing method. Thanks you triggered me to revise this, which was forgotten after the replacements. I've changed it to src-dst-ip. I'm just not sure if that will really make a difference on an L2 port-channel or if that incarnation will always take the "Non-IP" branch. Using just Source MAC (or even Src XOR Dst MAC) is often bad when routers are talking to each other, as most traffic is going from/to a single MAC, so having this work even on L2 port-channels would be a win. I'll see whether my Torrus graphs show significantly better distribution after the change. But it still might be due to just the Non-IP: Source XOR Destination MAC address balancing still better than the default. HTH, Andre. -- Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work. -> Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden <- From petelists at templin.org Wed May 7 08:26:52 2008 From: petelists at templin.org (Pete Templin) Date: Wed, 07 May 2008 07:26:52 -0500 Subject: [c-nsp] Internet vrf, pros and cons In-Reply-To: <200805071059.32022.mtinka@globaltransit.net> References: <664106.17320.qm@web44815.mail.sp1.yahoo.com> <6bb5f5b10805061805o79bcb90bof824b84414ac7d99@mail.gmail.com> <200805071059.32022.mtinka@globaltransit.net> Message-ID: <4821A00C.5010302@templin.org> Mark Tinka wrote: > One situation where we have considered doing this is when we > want a specific PE router to have access to only a specific > set of routes on a public border router. Other than that, > we keep it quite simple :-). 
What software and hardware are you using? If it's "the right stuff", there was a neat presentation at NANOG42 that showed a cool way to enforce peering policy on an interface, without having to dedicate a router to the task. See http://www.nanog.org/mtg-0802/norton.html and view David Smith's presentation. Admittedly, it's only on 12000 E3/E5, XR 12000, CRS-1, and "other IOS routers also"...which translates to "not in 6500/7600" unfortunately.

The concepts in the presentation are a little complex. Just read it slowly, and read it again...it wasn't much easier with a narrator. ;)

pt

From jcartier at acs.on.ca Wed May 7 09:15:43 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 7 May 2008 09:15:43 -0400
Subject: [c-nsp] VPN Backup Link
Message-ID:

Hey Everyone,

I'm throwing this question out in attempts to get more detail than what I've currently been able to dig up.

My objective is to have a backup VPN connection in the event that our primary WAN link fails. The routing protocol currently used is EIGRP. We would need a router that could handle an est. 40Mbps of VPN traffic.

Any suggestions on where to look for sample configurations regarding VPN failover with EIGRP? And which Cisco router would be ideal for this situation? (ie. Ability to handle 40Mbps VPN traffic).

From mtinka at globaltransit.net Wed May 7 09:31:32 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 7 May 2008 21:31:32 +0800
Subject: [c-nsp] Internet vrf, pros and cons
In-Reply-To: <4821A00C.5010302@templin.org>
References: <664106.17320.qm@web44815.mail.sp1.yahoo.com> <200805071059.32022.mtinka@globaltransit.net> <4821A00C.5010302@templin.org>
Message-ID: <200805072131.40971.mtinka@globaltransit.net>

On Wednesday 07 May 2008, Pete Templin wrote:

> What software and hardware are you using?

JunOS (M-series) and IOS (7200-VXR).
> If it's "the
> right stuff", there was a neat presentation at NANOG42
> that showed a cool way to enforce peering policy on an
> interface, without having to dedicate a router to the
> task. See http://www.nanog.org/mtg-0802/norton.html and
> view David Smith's presentation.

Yes, we are familiar with QPPB. We use it quite extensively for one of the products we sell; and yes, it is very neat. Offers far more scalability and manageability for providing restricted access (and services, thereof) to specific routes in the network.

However, for the particular situation I described earlier, we feel a VRF would be a simpler solution, especially on a software router.

Juniper's DCU feature also accomplishes the same task as QPPB.

> Admittedly, it's only
> on 12000 E3/E5, XR 12000, CRS-1, and "other IOS routers
> also"...

It's supported on the 7200-VXR.

> which translates to "not in 6500/7600"
> unfortunately.

This is due to a hardware limitation on these particular platforms. Have a word with your SE for details.

Cheers,

Mark.

From jay at west.net Wed May 7 10:15:50 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 07 May 2008 07:15:50 -0700
Subject: [c-nsp] 3550-12T rack ears
In-Reply-To:
References:
Message-ID: <4821B996.3000400@west.net>

Daniel Hooper wrote:
> I'm attempting to install rack ears onto a collection of 12T's I have, for some reason the screw holes on the ears only line up on the right hand side of the switch, on the other side the holes are slightly out and it's not possible to fit the ear onto it, it doesn't matter if I'm mounting them on the front, back or center of the switch, the left side of the switch holes are all slightly out.
>
> Have I just got the wrong rack mount kit? I've mounted these in the past with no hassles, with the same batch of ears that I have for them today.

If the serial number ends in a 7, you need a different rack mount kit, unless it's also prime.

Seriously, Cisco's need to produce a different hole pattern for rack ears every time they introduce a different 1U box never ceases to amaze. There are at least nine different incompatible Cisco 1U rack ear patterns. When you finally get ears with the right pattern, expect the screws to be some odd-sized thread pattern unavailable anywhere. (28xx routers are a mild example).

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From cisco-nsp at ibh.net Wed May 7 10:28:25 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Wed, 7 May 2008 16:28:25 +0200
Subject: [c-nsp] Netflow Question
In-Reply-To: <001201c8ac83$a6c85820$f4590860$@com>
References: <001201c8ac83$a6c85820$f4590860$@com>
Message-ID: <20080507142824.GC24477@ibh.de>

Hi,

[I rearranged the order of lines in the following for historic reasons]

On Fri, May 02, 2008 at 11:38:00AM -0700, raa at opusnet.com wrote:
>
> Can anyone tell me the difference between the interface command:
>
> Router(config-if)# ip route-cache flow

When NetFlow Data Export was introduced, it was a "byproduct" of a new route cache implementation called "flow". The route cache would operate on individual flows and would allow you to inspect that cache as well as to export information on entries that just time out from the cache. As a route cache implementation, it had a number of implicit attributes that were not optimal in the wider field of accounting:

* It would be implicitly operating on ingress packets only. This required you to design your network properly in order to avoid accounting for a flow more than exactly once.
  It would also not allow schemes like "account only what goes to or comes from my BGP upstreams".

* Several interfaces would inherit their setting of route-cache flow from a parent, e.g. in the case of Ethernet subinterfaces. This would require even more design workarounds including the addition of hardware. You could not mix accounted and not accounted interfaces on a single interface in a router-on-a-stick setup.

> And
>
> Router(config-if)# ip flow ingress

This replaces "ip route-cache flow" on parent interfaces and it is entirely new that you can switch it on and off individually on every subinterface. When you upgrade IOS to a version that has it, an "ip route-cache flow" statement on a parent will be converted to an "ip flow ingress" on the parent as well as *every* subinterface below that parent. From then on, you can switch it individually, but of course setting "ip route-cache flow" will again fan out an "ingress" to all subinterfaces. Thus, avoid using the old command as soon as you have migrated, and never look back. Please note that using NetFlow as a route cache is history, it is now a pure accounting and monitoring tool.

BTW, there's a minor glitch in the conversion that can lead to an interface losing route caching (which you normally want to have set to CEF these days) altogether. So after an IOS upgrade that does this conversion, check your interfaces e.g. using "sh cef interface brief".

> Router(config-if)# ip flow egress

That's finally the counterpart to "ip flow ingress" that allows you to track interface egress traffic. That was simply impossible with the old implementation (being implicitly ingress-only). Today you should be able to set ingress+egress flow tracking on your upstreams to get just the external traffic. But you could also stay with the old way of just tracking ingress on upstreams + downstreams (but never within the network itself to prevent multiple records).

> Thanks.
> Second part to this question is can anyone recommend a Netflow
> analyzer? Either application or appliance (price is important.) I'd like
> to get one where I can assign clients access where they only have access to
> the ports I assign them. I'm currently using the free version of
> Scrutinizer.

There's a plethora of free (as in Free and Open Source Software) solutions available. Depends on the exact needs you have. I'm using it just for accounting, not as an analyzer, so I can't name products here. SWITCH has a nice list, maybe for a starter see:

http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

HTH,
Andre.
--
Real men don't make backups of their mail. They just send it out
on the Internet and let the secret services do the hard work.

-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From freimer at ctiusa.com Wed May 7 10:29:21 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Wed, 7 May 2008 10:29:21 -0400
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To: <20080507110521.GB24477@ibh.de>
References: <482089F9.2020608@gtcomm.net> <20080507110521.GB24477@ibh.de>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950273D391@EXCHANGE.ctiusa.com>

I'm not sure what you meant by the term "purely statistical" when referring to EtherChannel load balancing, but I think it may give a false impression. If you meant that the results of the load balancing would be "by chance" and statistically average out over time then that's incorrect. EtherChannel load balancing is very deterministic. You can tell exactly what port will be selected based on the load-balancing protocol and the number of ports. There's even a SP command to tell you what would be selected on the 6500 platform (test etherchannel load-balance interface pox ip y.y.y.y z.z.z.z in a remote login switch session).
If you have a relatively low number of very high throughput streams you can use the actual protocols to map out what ports would be selected, and choose the appropriate protocol for your specific needs.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andre Beck
> Sent: Wednesday, May 07, 2008 7:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3750 etherchannel only using 1 port
>
> Hi Paul,
>
> On Tue, May 06, 2008 at 12:40:25PM -0400, Paul wrote:
> > C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(44)SE1, RELEASE
> > SOFTWARE (fc1)
> >
> > Running two etherchannels with two gig ports not cross stack. Here's an
> > example of one of them.
> > What's happening is that only one port is being used for outgoing
> > traffic, no matter what I set the port-channel load-balance to. Is
> > etherchannel broken in 12.2.44SE1? This is a new setup.
>
> I'm running 12.2(44)SE1 on a bunch of 3560E chassis which are similar
> enough to the 3750E, but maybe not the 3750. They're running multiple
> port-channels that look quite similar to yours (LACP) and I see egress
> traffic on both group members.
>
> > Ports in the Port-channel:
> >
> > Index   Load   Port      EC state          No of bits
> > ------+------+------+------------------+-----------
> >   0     00     Gi1/0/1   Active             0
> >   0     00     Gi1/0/2   Active             0
>
> Looks the same here, but doesn't seem to indicate a problem.
>
> Of course you will see a certain flow always taking just one member
> egress path, any load balancing is purely statistical. I was running
> the default (source MAC only) load balancing method. Thanks, you triggered
> me to revise this, which was forgotten after the replacements. I've
> changed it to src-dst-ip.
> I'm just not sure if that will really make
> a difference on an L2 port-channel or if that incarnation will always
> take the "Non-IP" branch. Using just Source MAC (or even Src XOR Dst MAC)
> is often bad when routers are talking to each other, as most traffic is
> going from/to a single MAC, so having this work even on L2 port-channels
> would be a win. I'll see whether my Torrus graphs show significantly
> better distribution after the change. But it still might be due to just
> the
>
>   Non-IP: Source XOR Destination MAC address
>
> balancing still better than the default.
>
> HTH,
> Andre.
> --
> Real men don't make backups of their mail. They just send it out
> on the Internet and let the secret services do the hard work.
>
> -> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From razor at meganet.net Wed May 7 10:35:36 2008
From: razor at meganet.net (Paul A)
Date: Wed, 7 May 2008 10:35:36 -0400
Subject: [c-nsp] mac address question
Message-ID: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral>

Hi, we have an ATM circuit that will be terminating some DSL circuits. The Telco is asking me for the terminating router's mac address.

I'm confused as to what mac address I should give them. I know I'm supposed to add the mac-address statement under the ATM interface according to the documents I read on the cisco site but how do I figure out which mac address to use?
TIA, P

From jmaimon at ttec.com Wed May 7 10:49:54 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 07 May 2008 10:49:54 -0400
Subject: [c-nsp] mac address question
In-Reply-To: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral>
References: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral>
Message-ID: <4821C192.1050201@ttec.com>

Take an old ethernet card, copy its mac address and throw the ethernet card out.

Use that mac address.

Realistically, the TELCO is actually asking for what to put in a layer 2 access list.

You want to be able to connect multiple routers, for example with an ATM switch, so tell them a mac address with the last two hex digits masked to FF.

That way you can connect a couple hundred routers without involving them again.

So long as the MACs aren't going to conflict with any of your customers, you shouldn't ever have a problem.

Paul A wrote:
> Hi, we have an ATM circuit that will be terminating some DSL circuits. The
> Telco is asking me for the terminating router's mac address
> I'm confused as to what mac address I should give them. I know I'm supposed
> to add the mac-address statement under the ATM interface according to the
> documents I read on the cisco site but how do I figure out which mac address
> to use?
>
> TIA, P
>

From paul at gtcomm.net Wed May 7 10:55:47 2008
From: paul at gtcomm.net (Paul)
Date: Wed, 07 May 2008 10:55:47 -0400
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To:
References:
Message-ID: <4821C2F3.3070509@gtcomm.net>

The src-dst-ip works on any switch at any level. I use it on 2960 switches, 3550, 3750, 6509, etc. It works on everything but my 3750 and I'm not even doing cross stack etherchannel on the 3750 so I don't know what is up with it.
I can't play around with it too much since it's in operation and I wasn't expecting it to break in 12.2.44SE1 :/

gi1/0/1
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 25329000 bits/sec, 9503 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec
     2714579689 packets input, 1139748310253 bytes, 0 no buffer
     Received 34498 broadcasts (34498 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

gi1/0/2
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 14640000 bits/sec, 3969 packets/sec
  30 second output rate 23801000 bits/sec, 5139 packets/sec
     1568433448 packets input, 904763903192 bytes, 0 no buffer
     Received 145644 broadcasts (145644 multicasts)
     0 runts, 0 giants, 0 throttles

See what I mean?? It's router to router so MAC won't work and there are thousands and thousands of ip addresses going through this so the src-dst-ip should work no problem, but it doesn't. :/

I don't get it.. I've tried changing it to dst-ip, src-ip, even mac and still no luck.
I've never seen etherchannel not work before like this. A 2960 switch plugged into the same device works with src-dst-ip no problem.

Paul

From razor at meganet.net Wed May 7 10:58:32 2008
From: razor at meganet.net (Paul A)
Date: Wed, 7 May 2008 10:58:32 -0400
Subject: [c-nsp] mac address question
In-Reply-To: <4821C192.1050201@ttec.com>
References: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral> <4821C192.1050201@ttec.com>
Message-ID: <013201c8b052$d193f280$2e40d5d1@nocpamaral>

Joe, so basically I'm going to make up a mac-address and pass that along to the Telco, correct?

Also currently I'm using a mac address on this router with RBE dsl connections and the new DSL's getting cut over to this ATM are PPPOE, I read somewhere on cisco that I should use a different mac-address for the PPPOE under a bba-group.

So I should just be able to make one up and pass that along to them?
Thanks,

Paul

P.A > -----Original Message-----
P.A > From: Joe Maimon [mailto:jmaimon at ttec.com]
P.A > Sent: Wednesday, May 07, 2008 10:50 AM
P.A > To: Paul A
P.A > Cc: cisco-nsp at puck.nether.net
P.A > Subject: Re: [c-nsp] mac address question
P.A >
P.A > Take an old ethernet card, copy its mac address and throw the ethernet
P.A > card out.
P.A >
P.A > Use that mac address.
P.A >
P.A > Realistically, the TELCO is actually asking for what to put in a layer 2
P.A > access list.
P.A >
P.A > You want to be able to connect multiple routers, for example with an ATM
P.A > switch, so tell them a mac address with the last two hex digits masked
P.A > to FF
P.A >
P.A > That way you can connect a couple hundred routers without involving them
P.A > again.
P.A >
P.A > So long as the MACs aren't going to conflict with any of your customers,
P.A > you shouldn't ever have a problem.
P.A >
P.A >
P.A > Paul A wrote:
P.A > > Hi, we have an ATM circuit that will be terminating some DSL circuits. The
P.A > > Telco is asking me for the terminating router's mac address
P.A > > I'm confused as to what mac address I should give them. I know I'm supposed
P.A > > to add the mac-address statement under the ATM interface according to the
P.A > > documents I read on the cisco site but how do I figure out which mac address
P.A > > to use?
P.A > >
P.A > > TIA, P
P.A > >
P.A > >

From cisco-nsp at ibh.net Wed May 7 11:09:26 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Wed, 7 May 2008 17:09:26 +0200
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950273D391@EXCHANGE.ctiusa.com>
References: <482089F9.2020608@gtcomm.net> <20080507110521.GB24477@ibh.de> <98B7739FB65BF04F9B3233AB842EEC950273D391@EXCHANGE.ctiusa.com>
Message-ID: <20080507150926.GD24477@ibh.de>

Hi Fred,

On Wed, May 07, 2008 at 10:29:21AM -0400, Fred Reimer wrote:
> I'm not sure what you meant by the term "purely statistical" when referring
> to EtherChannel load balancing, but I think it may give a false impression.

I'm used to this term meaning "there is no load balancing unless a large number of source and/or destination systems are involved, so that every single deterministic decision will lead to a statistical distribution". Maybe it's not the correct term or does mean something different in English (which isn't my native language), so if you have a better term that states this in a single word, I'm all ears ;)

> If you meant that the results of the load balancing would be "by chance" and
> statistically average out over time then that's incorrect.

Not over time. Over sources/destinations. Lots of them.

> EtherChannel
> load balancing is very deterministic. You can tell exactly what port will
> be selected based on the load-balancing protocol and the number of ports.

Yep, I know. In my statement

>> Of course you will see a certain flow always taking just one member
>> egress path, any load balancing is purely statistical.

I hoped that the first part of that sentence makes this clear.
Of course it all depends on your definition of "flow", which here is essentially the load-balance algorithm, like "Src XOR Dst IP" (somehow hashed to the number of members). I should have pointed out that the most relevant thing to know here is that on L2, there is *never* per-frame load balancing, at least not in a typical switch. People coding operating systems sometimes don't see all the potential problems that are involved and simply provide such means anyway (and they often even work).

> There's even a SP command to tell you what would be selected on the 6500
> platform (test etherchannel load-balance interface pox ip y.y.y.y z.z.z.z in
> a remote login switch session).

Cool, this works well on my 3560Es too. It even tells me that indeed, a changing source IP address leads to changing egress members on my L2 port-channels with src-dst-ip load-balancing. So it does work as expected. Shouldn't have been so doubtful here ;)

> If you have a relatively low number of very high throughput streams you can
> use the actual protocols to map out what ports would be selected, and choose
> the appropriate protocol for your specific needs.

As long as your hardware supports such balancing algorithms (up to transport layer port numbers etc). This is no option with the hardware in question:

sw-ibh-xg1(config)#port-channel load-balance ?
  dst-ip       Dst IP Addr
  dst-mac      Dst Mac Addr
  src-dst-ip   Src XOR Dst IP Addr
  src-dst-mac  Src XOR Dst Mac Addr
  src-ip       Src IP Addr
  src-mac      Src Mac Addr

So the best you can do in an IP shop is src-dst-ip so at least you balance on more than the router MACs (which in the worst case leads to no balancing at all).

Andre.
--
Real men don't make backups of their mail. They just send it out
on the Internet and let the secret services do the hard work.

-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From rubensk at gmail.com Wed May 7 11:17:18 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 7 May 2008 12:17:18 -0300
Subject: [c-nsp] Any 3xxx Switches support MPLS?
In-Reply-To: <48216AA5.6050901@transtelecom.net>
References: <046501c8afca$5f5d8c40$1e18a4c0$@org> <6bb5f5b10805061851k66940026ofeef592a902258ef@mail.gmail.com> <48216AA5.6050901@transtelecom.net>
Message-ID: <6bb5f5b10805070817k7b3774e3o71a9869df03ade91@mail.gmail.com>

It has port-group based oversubscription, each group has 1 ASIC serving 3 ports (and it's not 1-3, they are L-shaped port groups looking at the physical ports). A good port assignment strategy can make management ports and slow customers grouped with a single high speed customer, or leaving it alone in a port group altogether. The backbone ports, on the other hand, are not oversubscribed.

So you can call it a 16-port Gigabit switch or an 8GE+8GE+16FE switch...

Rubens

On Wed, May 7, 2008 at 5:39 AM, Tima Maryin wrote:
> But keep in mind that it has oversubscription on non uplink ports
>
> Rubens Kuhl Jr. wrote:
> >
> > 2) Buy ME6524, which is a very good box
> >

From cisco-nsp at ibh.net Wed May 7 11:32:29 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Wed, 7 May 2008 17:32:29 +0200
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To: <4821C2F3.3070509@gtcomm.net>
References: <4821C2F3.3070509@gtcomm.net>
Message-ID: <20080507153229.GE24477@ibh.de>

Re Paul,

On Wed, May 07, 2008 at 10:55:47AM -0400, Paul wrote:
> The src-dst-ip works on any switch at any level. I use it on 2960

Yep, I trust it now ;)

> switches 3550, 3750, 6509, etc. It works on everything but my 3750 and
> I'm not even doing cross stack etherchannel on the 3750 so I don't know
> what is up with it.

Even though the channel is not X-stack, is this a single 3750 or is it stacked?
I've seen 3750 stacks do strange things before (though that was in the L3 department), and it has added complexity (the Etherchannel implementation must have provisions for X-stack operation on this platform, and if the bug is in that code, I'll not see it on the similar-but-not-quite-unlike boxes with the ripped out stacking ASICs).

> I can't play around with it too much since it's in
> operation and I wasn't expecting it to break in 12.2.44SE1 :/

At least it's not generally broken in 12.2(44)SE1, but I have no 3750 to verify whether it is generic to that *exact* hardware.

> gi1/0/1
>   30 second input rate 25329000 bits/sec, 9503 packets/sec
>   30 second output rate 0 bits/sec, 0 packets/sec
>
> gi1/0/2
>   30 second input rate 14640000 bits/sec, 3969 packets/sec
>   30 second output rate 23801000 bits/sec, 5139 packets/sec
>
> See what I mean??

Clearly. Something is hosed. Does "test etherchannel load-balance" always resolve to Gi1/0/2 or is it actually computing a distribution? And is there really no traffic (verified at the other end) or maybe just the "good" old Cisco Counter Fun in action?

> It's router to router so MAC won't work and there are
> thousands and thousands of ip addresses going through this so the
> src-dst-ip should work no problem, but it doesn't. :/

Indeed.

> I don't get it.. I've tried changing it to dst-ip, src-ip, even mac and
> still no luck.
> I've never seen etherchannel not work before like this. A 2960 switch
> plugged into the same device works with src-dst-ip no problem.

Did you try to reload the box if at all possible? Wouldn't be the first time I see something like this clear up by a power cycle, especially in a stacking setup. Sad but true.

BTW, if it *is* a stack, have you tried actually *making* the channel X-stack? Maybe that triggers something...

Andre.
--
Real men don't make backups of their mail. They just send it out
on the Internet and let the secret services do the hard work.
-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From lucyf at cv.net Wed May 7 11:36:47 2008
From: lucyf at cv.net (Lucy Favaloro)
Date: Wed, 07 May 2008 11:36:47 -0400
Subject: [c-nsp] Univercd
Message-ID: <012901c8b058$28fba450$54fafe0a@cablevisd0b9d4>

Anyone have any info on the following?

Cisco IOS Release 12.4 Configuration Guides

The Cisco Connection Online (CCO) website, also known as UniverCD, is being discontinued. Please access the Cisco IOS Release 12.4 configuration guides from the following

Thanks,

From jfitz at Princeton.EDU Wed May 7 11:37:44 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 7 May 2008 11:37:44 -0400
Subject: [c-nsp] FWSM going away rumor
Message-ID: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>

We currently have two FWSM running 3.2 and are awaiting new code to fix some transparent mode issues.

The rumor I heard is that CISCO will only have one more release of FWSM code and that's it; No more FWSM, the future will only be the ASA.

The FWSM isn't that old, maybe 2-3 years. I thought the FWSM was the latest and greatest and came from the ASA.

Anybody heard anything like this?
Jeff Fitzwater
OIT Network Systems
Princeton University

From dhooper at emerge.net.au Wed May 7 11:44:01 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Wed, 7 May 2008 23:44:01 +0800
Subject: [c-nsp] 3550-12T rack ears
References: <4821B996.3000400@west.net>
Message-ID:

-----Original Message-----
From: Jay Hennigan [mailto:jay at west.net]
Sent: Wed 5/7/2008 10:15 PM
To: Daniel Hooper
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 3550-12T rack ears

Daniel Hooper wrote:
> I'm attempting to install rack ears onto a collection of 12T's I have, for some reason the screw holes on the ears only line up on the right hand side of the switch, on the other side the holes are slightly out and it's not possible to fit the ear onto it, it doesn't matter if I'm mounting them on the front, back or center of the switch, the left side of the switch holes are all slightly out.
>
> Have I just got the wrong rack mount kit? I've mounted these in the past with no hassles, with the same batch of ears that I have for them today.

>>If the serial number ends in a 7, you need a different rack mount kit,
>>unless it's also prime.

>>Seriously, Cisco's need to produce a different hole pattern for rack
>>ears every time they introduce a different 1U box never ceases to amaze.
>> There are at least nine different incompatible Cisco 1U rack ear
>>patterns. When you finally get ears with the right pattern, expect the
>>screws to be some odd-sized thread pattern unavailable anywhere. (28xx
>>routers are a mild example).
>>--
>>Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
>>Impulse Internet Service - http://www.impulse.net/
>>Your local telephone and internet company - 805 884-6323 - WB6RDV

It's totally odd that the holes are a different pattern on each side of the switch, I'll check tomorrow on the serial number but I needed it to go into the rack today so unfortunately it got made to fit with a cordless drill and removing the shell of the switch and adding some extra screw holes.

`sif cisco could maintain any type of consistency across product lines.

-Dan

From jmaimon at ttec.com Wed May 7 11:51:51 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 07 May 2008 11:51:51 -0400
Subject: [c-nsp] mac address question
In-Reply-To: <013201c8b052$d193f280$2e40d5d1@nocpamaral>
References: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral> <4821C192.1050201@ttec.com> <013201c8b052$d193f280$2e40d5d1@nocpamaral>
Message-ID: <4821D017.4030200@ttec.com>

To be correct they should be mac-addresses that can be guaranteed unique (such as off old ethernet NICs), but that's hard to do in a range.

I don't see any reason to use different MACs for bridging and pppoe.

Paul A wrote:
> Joe, so basically I'm going to make up a mac-address and pass that along to
> the Telco, correct?
>
> Also currently I'm using a mac address on this router with RBE dsl
> connections and the new DSL's getting cut over to this ATM are PPPOE, I read
> somewhere on cisco that I should use a different mac-address for the PPPOE
> under a bba-group.
>
> So I should just be able to make one up and pass that along to them?
>
> Thanks,
>
> Paul
>
> P.A > -----Original Message-----
> P.A > From: Joe Maimon [mailto:jmaimon at ttec.com]
> P.A > Sent: Wednesday, May 07, 2008 10:50 AM
> P.A > To: Paul A
> P.A > Cc: cisco-nsp at puck.nether.net
> P.A > Subject: Re: [c-nsp] mac address question
> P.A >
> P.A > Take an old ethernet card, copy its mac address and throw the ethernet
> P.A > card out.
> P.A >
> P.A > Use that mac address.
> P.A >
> P.A > Realistically, the TELCO is actually asking for what to put in a layer 2
> P.A > access list.
> P.A >
> P.A > You want to be able to connect multiple routers, for example with an ATM
> P.A > switch, so tell them a mac address with the last two hex digits masked
> P.A > to FF
> P.A >
> P.A > That way you can connect a couple hundred routers without involving them
> P.A > again.
> P.A >
> P.A > So long as the MACs aren't going to conflict with any of your customers,
> P.A > you shouldn't ever have a problem.
> P.A >
> P.A >
> P.A > Paul A wrote:
> P.A > > Hi, we have an ATM circuit that will be terminating some DSL circuits. The
> P.A > > Telco is asking me for the terminating router's mac address
> P.A > > I'm confused as to what mac address I should give them. I know I'm supposed
> P.A > > to add the mac-address statement under the ATM interface according to the
> P.A > > documents I read on the cisco site but how do I figure out which mac address
> P.A > > to use?
> P.A > >
> P.A > > TIA, P
> P.A > >
> P.A > >
>

From streiner at cluebyfour.org Wed May 7 12:05:33 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 7 May 2008 12:05:33 -0400 (EDT)
Subject: [c-nsp] FWSM going away rumor
In-Reply-To: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>
References: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>
Message-ID:

On Wed, 7 May 2008, Jeff Fitzwater wrote:

> We currently have two FWSM running 3.2 and are awaiting new code to
> fix some transparent mode issues.

What transparent mode issues are you seeing?
We run many FWSMs in transparent mode on 3.2(4) code and it's pretty stable. The only nagging issue that's causing us grief is related to global service policies. > The rumor I heard is that CISCO will only have one more release of > FWSM code and thats it; No more FWSM, the future will only be the ASA. I don't know where that rumor came from but AFAIK it's totally untrue. I've be working closely with our account team on requests for feature enhancements in future versions of the code. There are nice new features on their way in the 4.0 release train and beyond, but I can't go into details because much of it is still under NDA. > The FWSM isn't that old, maybe 2-3 years. I thought the FWSM was the > latest and greatest and came from the ASA. The ASA 5580 is the newest beast, but I see the FWSM continuing to fill a role for a long time. I only wish it directly supported landing IPSEC tunnels... jms From paul at gtcomm.net Wed May 7 12:07:49 2008 From: paul at gtcomm.net (Paul) Date: Wed, 07 May 2008 12:07:49 -0400 Subject: [c-nsp] 3750 etherchannel only using 1 port In-Reply-To: <4821C2F3.3070509@gtcomm.net> References: <4821C2F3.3070509@gtcomm.net> Message-ID: <4821D3D5.6090604@gtcomm.net> Oh ho! This gives me an idea.. I'm doing CEF load balancing with multipath over two etherchannels and I think what is happening is that the multipath load balancing is using the exact same algorithm as the etherchannel so that it's only sending ips out one port channel that the etherchannel load balancing algorithm picks only one port to use. This is a bad side effect if that is the case. I wonder if there is a way to change the algorithm around a bit for either the cef or the etherchannel load balancing in order for this to work properly.. 
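To make the two-stage hashing Paul describes visible, here is an added Python simulation (mine, not Paul's and not Cisco's code): a simplified src-dst XOR hash stands in for both the CEF choice between the two port-channels and the member choice inside each EtherChannel, and a source-only hash shows what happens when the second stage is given a different input. The hash functions and the flow set are constructed assumptions, not Cisco's actual load-balancing algorithm.

```python
"""Constructed simulation of CEF ECMP + EtherChannel hash polarization.

The hash functions here are simplified stand-ins (assumption), not Cisco's
actual load-balancing algorithms; the flow set is generated locally.
"""
import ipaddress
import random
from collections import Counter


def _fold32(v):
    """Fold a 32-bit value into 8 bits by XORing its four octets."""
    return (v ^ (v >> 8) ^ (v >> 16) ^ (v >> 24)) & 0xFF


def xor_hash(src, dst):
    """Stand-in for a src-dst XOR hash (the default at both stages)."""
    return _fold32(int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst)))


def src_hash(src, dst):
    """Stand-in for a source-only hash (a different input for the second stage)."""
    return _fold32(int(ipaddress.IPv4Address(src)))


def make_flows(n, seed=1):
    """Constructed sample of n (src, dst) flows; deterministic for a given seed."""
    rng = random.Random(seed)
    return [
        (f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
         f"203.0.113.{rng.randrange(256)}")
        for _ in range(n)
    ]


def forward(flows, cef_hash, pc_hash, n_channels=2, n_members=2):
    """Two-stage forwarding: CEF picks a port-channel, the channel picks a member.

    Returns a Counter keyed by (channel, member) with the number of flows
    that ended up on that physical link.
    """
    counts = Counter()
    for src, dst in flows:
        channel = cef_hash(src, dst) % n_channels   # stage 1: ECMP over port-channels
        member = pc_hash(src, dst) % n_members      # stage 2: EtherChannel member
        counts[(channel, member)] += 1
    return counts


def idle_links(counts, n_channels=2, n_members=2):
    """Physical links that carried no flows at all."""
    return [(c, m) for c in range(n_channels) for m in range(n_members)
            if counts[(c, m)] == 0]


if __name__ == "__main__":
    flows = make_flows(1000)
    # Same hash at both stages: the member index always equals the channel
    # index, so Po1 only ever uses member 0 and Po2 only ever uses member 1.
    same = forward(flows, xor_hash, xor_hash)
    print("same hash at both stages:", dict(same), "idle:", idle_links(same))
    # Source-only hash on the channel: all four physical links carry traffic.
    mixed = forward(flows, xor_hash, src_hash)
    print("source-only hash on the channel:", dict(mixed), "idle:", idle_links(mixed))
```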
From jay at west.net Wed May 7 12:12:54 2008
From: jay at west.net (Jay Hennigan)
Date: Wed, 07 May 2008 09:12:54 -0700
Subject: [c-nsp] 3550-12T rack ears
In-Reply-To:
References: <4821B996.3000400@west.net>
Message-ID: <4821D506.3090700@west.net>

Daniel Hooper wrote:
> It's totally odd that the holes are a different pattern on each side of
> the switch, I'll check tomorrow on the serial number but I needed it to
> go into the rack today so unfortunately it got made to fit with a
> cordless drill and removing the shell of the switch and adding some
> extra screw holes.

The comment about the serial number was a joke/sarcasm.

Yikes, I would have modified the rack ear, not the switch!

> 'sif cisco could maintain any type of consistency across product lines.

Indeed!

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From razor at meganet.net Wed May 7 12:16:14 2008
From: razor at meganet.net (Paul A)
Date: Wed, 7 May 2008 12:16:14 -0400
Subject: [c-nsp] mac address question
In-Reply-To: <4821D017.4030200@ttec.com>
References: <012001c8b04f$9ceef4b0$2e40d5d1@nocpamaral> <4821C192.1050201@ttec.com> <013201c8b052$d193f280$2e40d5d1@nocpamaral> <4821D017.4030200@ttec.com>
Message-ID: <015e01c8b05d$ac267df0$2e40d5d1@nocpamaral>

Ok Joe, thanks for all your help.

Thanks,
paul

From streiner at cluebyfour.org Wed May 7 12:23:38 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 7 May 2008 12:23:38 -0400 (EDT)
Subject: [c-nsp] 3550-12T rack ears
In-Reply-To: <4821D506.3090700@west.net>
References: <4821B996.3000400@west.net> <4821D506.3090700@west.net>
Message-ID:

On Wed, 7 May 2008, Jay Hennigan wrote:

>> 'sif cisco could maintain any type of consistency across product lines.
>
> Indeed!

Seconded. We've had just about every 1U box that Cisco made at one point or another, and most of the ears are not compatible with each other, short of getting creative with a drill and a bench grinder. As a result, I have a veritable petting zoo full of rack ears for boxes that have long since come and gone... Maybe I'll make sculptures out of them or something...

jms

From paul at paulstewart.org Wed May 7 12:24:33 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 7 May 2008 12:24:33 -0400
Subject: [c-nsp] IpSEC VPN Default Gateway
Message-ID: <001701c8b05e$d65de030$8319a090$@org>

Hi there... Hoping someone on here has an answer to this... been searching and not finding the right solution.
I have an IpSEC VPN setup into a 2821 router. Works fine, can access internal resources. Also, have split tunneling setup so as a client I can continue to surf the Internet at the same time.

If I remove the ACL for split tunneling then (as predicted) I can only access internal resources once the VPN session is connected.

My question is basically - can I connect with no split tunneling and surf from *within* the remote network? I want the user experience to be *identical* to as if they were at their desk. We want to use this 'feature' so that any devices we have can be locked down to only permitting access from the firewall IP address.

Someone indicated on a few postings that there is a way to do this via a default gateway setting?

Config looks like:

aaa authentication login vpn_xauth1 local
aaa authorization network vpn_group1 local
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key XXXXXXXXXXXXXXXXXXXXXXXXX
 dns xxxxxxxxxxxxxxxxxxx
 domain xxxxxxxxxxxxxxxxx
 pool VPNPool1
 acl 100
 save-password
 netmask 255.255.255.0
crypto isakmp profile VPN-Profile
 match identity group RemoteAccess
 client authentication list vpn_xauth1
 isakmp authorization list vpn_group1
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile
 set transform-set ESP-3DES-SHA
 set isakmp-profile VPN-Profile

interface Virtual-Template2 type tunnel
 ip unnumbered Loopback1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile
!
ip local pool VPNPool1 192.168.250.2 192.168.250.254

Thanks in advance,

Paul

From dwcarder at wisc.edu Wed May 7 13:42:42 2008
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Wed, 07 May 2008 12:42:42 -0500
Subject: [c-nsp] FWSM going away rumor
In-Reply-To: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>
References: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>
Message-ID:

On May 7, 2008, at 10:37 AM, Jeff Fitzwater wrote:
> We currently have two FWSM running 3.2 and are awaiting new code to
> fix some transparent mode issues.

I would like to know what you're seeing.

> The rumor I heard is that CISCO will only have one more release of
> FWSM code and that's it; No more FWSM, the future will only be the
> ASA.

Your account team would likely know more, but in my opinion, 5 years without a hardware refresh sure seems awful damning about the platform's future.

Sure there might be another software release to attempt to breathe life-support into those network processors, but there is going to be a finite limit as to what they can and can not do (example: ginormous ACLs, IPv6, handling huge flows without significant hackery).

I would expect there will be a strong motivation to develop software for and sell you shiny new ASA 5580-40's instead of fwsm.

> The FWSM isn't that old, maybe 2-3 years.

We got our 1st one in early 2003.

> I thought the FWSM was the latest and greatest and came from
> the ASA.

The FWSM is sort of its own beast, with hardware assist from network processors. The ASA is truly a next-gen PIX.

Dale

From jeje at jeje.org Wed May 7 13:53:21 2008
From: jeje at jeje.org (Jérôme Fleury)
Date: Wed, 7 May 2008 19:53:21 +0200
Subject: [c-nsp] BGP with yourself...
In-Reply-To: <48112D50.1000106@wi.rr.com>
References: <1209034054.29429.9.camel@dusken.sys.mjna.net> <002901c8a650$eaff1800$e80a0a0a@hojmark.net> <19cdad00804241716q5a21f0fse3d88fb703e24d3c@mail.gmail.com> <48112D50.1000106@wi.rr.com>
Message-ID: <80b7d9f60805071053s59ad8345pf075cc5918c6e5e4@mail.gmail.com>

Yes, but you probably can't do it between global and VRF, since the peering works because peer addresses are exchanged with route-target. This cannot be accomplished with the global routing table, I guess (actually I didn't manage to do it).

On Fri, Apr 25, 2008 at 3:01 AM, Wink wrote:
> Er..
>
> There is a feature in IOS to accomplish inter-VRF routing on the same
> router. It is accomplished by spoofing the router-id within a VRF.
>
> http://www.cisco.com/en/US/docs/ios/12_2sr/12_2sra/feature/guide/srbgprid.html
>
>
> Luan Nguyen wrote:
>> Very interesting. I have a problem with having an ethernet in global doing
>> NAT over a VRF, and the vrf doesn't know how to get to the ethernet LAN
>> segment in the global.
>> I was thinking of just doing: "ip route vrf whatever 1.1.1.0 255.255.255.0
>> 3.3.3.3 global", where 3.3.3.3 is just some bogus nonexistent address (just
>> to dump the packets destined for 1.1.1.0 out into the global, since you can't
>> put ethernet0 global because you can't do VPN route to a non-point-to-point
>> interface).
>> I can imagine us using this "dynamic route exchanger" way when needing to
>> move lots of routes.
>>
>> -lmn
>>
>> On Thu, Apr 24, 2008 at 5:19 PM, Asbjorn Hojmark - Lists wrote:
>>
>>>> Now it's trying to have an iBGP-session with itself,
>>>
>>> How strange. Normally it'll complain that it can't peer with
>>> itself.
>>>
>>>> a thing I normally can't configure. :-)
>>>
>>> That actually is possible: Set up two loopbacks, create a tunnel
>>> between the loopbacks, and peer over that tunnel with one end of
>>> the BGP session in a VRF (vpnv4).
>>>
>>> (I did that recently to get routes from the global table into a
>>> VRF. It's annoying there's no good way to do that on a single
>>> router).
>>>
>>> -A

From Michael.Balasko at cityofhenderson.com Wed May 7 14:02:23 2008
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Wed, 7 May 2008 11:02:23 -0700
Subject: [c-nsp] VTP Version 3
In-Reply-To: <012901c8b058$28fba450$54fafe0a@cablevisd0b9d4>
References: <012901c8b058$28fba450$54fafe0a@cablevisd0b9d4>
Message-ID: <9AF22D15085E7D409ED5710CBC779E9305DD88D8@COHNTCS09.ci.henderson.nv.us>

Has anyone had any success deploying VTP v3? We are strongly considering moving in that direction. We have been very happy with v2, but our team is growing and we are starting to get nervous about all the advantages VTP brings to the table :)

The major hiccup appears to be that only CatOS and SRC code appear to support it. According to docs we can run this in a mixed mode (v2/v3) as our VTP Primary would be a CatOS box; however, this leaves our 3/4/6K IOS platforms in the stone age.

There aren't a ton of docs on the Cisco site about v3, which just makes me feel even more warm and fuzzy about it.

I'd prefer not to have the "Why are you doing VTP?" argument, just helpful info please.
TIA,

Michael Balasko CCSP, MCSE, MCNE, SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, NV 89015

From jfitz at Princeton.EDU Wed May 7 14:38:29 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 7 May 2008 14:38:29 -0400
Subject: [c-nsp] FWSM going away rumor
In-Reply-To:
References: <5CB2A5BA-557A-4FCF-AA69-C78F8995BBB8@princeton.edu>
Message-ID: <7223F1D3-E67F-4135-BCD4-D553E5922C33@Princeton.EDU>

On May 7, 2008, at 1:42 PM, Dale W. Carder wrote:
>
> On May 7, 2008, at 10:37 AM, Jeff Fitzwater wrote:
>> We currently have two FWSM running 3.2 and are awaiting new code to
>> fix some transparent mode issues.
>
> I would like to know what you're seeing.

Our FWSM is in a 6509 with a Sup 720-3CXL and logically sits between our 3 ISPs as a transparent FW configured with 3 BVIs, one for each ISP.

Our first major issue was that each BVI required a separate IP, not just for management but so it could ARP for a host if it was not in the bridge table. That forced us to change all our ISPs from /30 to /29 in order to allocate an IP on that net for the FWSM BVI.

We initially did not want to block anything so we could control all functions of the FWSM, so we disabled STATE checking, Random Sequence Number generation and all Inspection functions. What was left, but not clearly documented, was DNS-GUARD, which only allows the first response thru then closes the connection. This made many DNS (things) fail on campus. It turned out that there is no way to disable it. We are in the process of testing BETA code.

So we have had our FWSM for about a year of just sitting in the chassis.

Jeff Fitzwater
OIT Network Systems
Princeton University

From A.L.M.Buxey at lboro.ac.uk Wed May 7 14:39:41 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 7 May 2008 19:39:41 +0100
Subject: [c-nsp] 3550-12T rack ears
In-Reply-To:
References: <4821B996.3000400@west.net> <4821D506.3090700@west.net>
Message-ID: <20080507183941.GB24102@lboro.ac.uk>

hi,

not just the hole locations but also how 'deep' or 'protruded' each switch ends up being..... every couple of years a cabinet racking has to be shifted so a front or back door can be closed....

alan

From dcurran at nuvox.com Wed May 7 14:58:43 2008
From: dcurran at nuvox.com (David Curran)
Date: Wed, 07 May 2008 14:58:43 -0400
Subject: [c-nsp] VPLS
Message-ID:

This is sort of a blanket question, but does anyone have experiences they could relate about VPLS with 7200s as the uPE and 7600s as the nPE in H-VPLS? Specifically I'm interested in the 7200 on the SB code train and the 7600 with 3BXL on the SRC train.

Feel free to email me directly and I'll summarize for the list.

-d

From paul at gtcomm.net Wed May 7 15:57:48 2008
From: paul at gtcomm.net (Paul)
Date: Wed, 07 May 2008 15:57:48 -0400
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To: <4821D3D5.6090604@gtcomm.net>
References: <4821C2F3.3070509@gtcomm.net> <4821D3D5.6090604@gtcomm.net>
Message-ID: <482209BC.70308@gtcomm.net>

I did the test etherchannel of course and it's working properly, but since I am using the CEF load balancing (two 0.0.0.0 routes with the same cost) and it's going out two port channels, the algorithm for that must be exactly the same as the one for the etherchannel, which explains why on etherchannel #1 the packets are going out port #1, and on etherchannel #2 the packets are going out port #2.. This is a very interesting phenomenon :)

Now I just have to figure out what to do about it..... I completely would not have thought that it would operate like this, but I suppose it makes sense.. Grr :>

Any ideas?

From jhigham at epri.com Wed May 7 16:18:23 2008
From: jhigham at epri.com (Higham, Josh)
Date: Wed, 7 May 2008 13:18:23 -0700
Subject: [c-nsp] 3750 etherchannel only using 1 port
In-Reply-To: <482209BC.70308@gtcomm.net>
References: <4821C2F3.3070509@gtcomm.net> <4821D3D5.6090604@gtcomm.net> <482209BC.70308@gtcomm.net>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273E4234B@uspalex02.epri.com>

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul
>
> I did the test etherchannel of course and it's working properly, but
> since I am using the cef load balancing (two 0.0.0.0 routes with the
> same cost) and it's going out two port channels the algorithm for that
> must be exactly the same as the one for the etherchannel, which explains
> why on etherchannel #1 the packets are going out port #1, and on
> etherchannel #2 the packets are going out port #2.. This is a very
> interesting phenomenon :)

Painful.

Can you do per-packet routing rather than per-flow in your environment? Alternatively drop etherchannel altogether and just make them all L3 links, with 4 way equal cost routes.

If you are stuck on etherchannel you might be able to change the algorithm so that it's less effective but different (src IP rather than src dst XOR or whatever).

Hope that's of some use.

Thanks,
Josh

From lists at hojmark.org Wed May 7 17:55:42 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 7 May 2008 23:55:42 +0200
Subject: [c-nsp] Univercd
In-Reply-To: <012901c8b058$28fba450$54fafe0a@cablevisd0b9d4>
References: <012901c8b058$28fba450$54fafe0a@cablevisd0b9d4>
Message-ID: <000101c8b08d$18c28e20$280a0a0a@hojmark.net>

> Cisco IOS Release 12.4 Configuration Guides
> The Cisco Connection Online (CCO) website, also known as
> UniverCD, is being discontinued.
> Please access the Cisco IOS
> Release 12.4 configuration guides from the following

www.cisco.com/univercd (which was fast and relatively easy to navigate) is going away for the marketing-fluff of the rest of www.cisco.com.

What, specifically, are you looking for?

-A

From eric.m.andrews at gmail.com Wed May 7 18:47:52 2008
From: eric.m.andrews at gmail.com (Eric Andrews)
Date: Wed, 7 May 2008 15:47:52 -0700
Subject: [c-nsp] MPLS over Ethernet?
Message-ID: <7a4707ef0805071547q5390cb18y7d5c72ff484c3499@mail.gmail.com>

I'm a bit confused if this is possible: I have a number of CPE devices that speak MPLS natively. I'd like to aggregate them all using a basic layer 2 switch (like a 2960) to my PE. Am I correct in assuming that ethernet is ethernet is ethernet, and thusly if the switch doesn't understand MPLS, it can still switch/trunk the traffic?

thanks,
Eric

From peter at rathlev.dk Wed May 7 19:13:35 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 08 May 2008 01:13:35 +0200
Subject: [c-nsp] MPLS over Ethernet?
In-Reply-To: <7a4707ef0805071547q5390cb18y7d5c72ff484c3499@mail.gmail.com>
References: <7a4707ef0805071547q5390cb18y7d5c72ff484c3499@mail.gmail.com>
Message-ID: <1210202015.20094.2.camel@dusken.sys.mjna.net>

On Wed, 2008-05-07 at 15:47 -0700, Eric Andrews wrote:
> I'm a bit confused if this is possible: I have a number of CPE devices
> that speak MPLS natively. I'd like to aggregate them all using a basic
> layer 2 switch (like a 2960) to my PE. Am I correct in assuming that
> ethernet is ethernet is ethernet and thusly if the switch doesn't
> understand MPLS, it can still switch/trunk the traffic?

If you're asking whether you can switch MPLS traffic, then yes, that's no problem. And the switch doesn't need to understand MPLS to switch Ethernet-encapsulated MPLS packets. We have a few places where P-to-P MPLS connections are switched VLANs running through some C3560s.

Keep an eye out for MTU related problems though.
Regards,
Peter

From brandon at sterling.net Wed May 7 19:53:14 2008
From: brandon at sterling.net (Brandon Price)
Date: Wed, 7 May 2008 16:53:14 -0700
Subject: [c-nsp] Client/server bandwidth tester
Message-ID:

Hey guys, I'm looking for a good bandwidth tester.

I would like to have something that has a server piece on one side and a client on the other. So for example, I just setup a point to point wireless link for a customer and it would be nice to throw a laptop on the far end and slam the link and see what I get..

Anything like that out there?

Thanks,
Brandon

From pkranz at unwiredltd.com Wed May 7 19:59:13 2008
From: pkranz at unwiredltd.com (Peter Kranz)
Date: Wed, 7 May 2008 16:59:13 -0700
Subject: [c-nsp] Client/server bandwidth tester
In-Reply-To:
References:
Message-ID: <014401c8b09e$5996de40$0cc49ac0$@com>

Iperf

http://dast.nlanr.net/Projects/Iperf/

Peter Kranz
Founder/CEO - Unwired Ltd
www.UnwiredLtd.com
Desk: 510-868-1614 x100
Mobile: 510-207-0000
pkranz at unwiredltd.com

From raa at opusnet.com Wed May 7 20:08:30 2008
From: raa at opusnet.com (Ruben Alvarez)
Date: Wed, 7 May 2008 17:08:30 -0700
Subject: [c-nsp] Netflow Question
In-Reply-To: <20080507142824.GC24477@ibh.de>
References: <001201c8ac83$a6c85820$f4590860$@com> <20080507142824.GC24477@ibh.de>
Message-ID: <000001c8b09f$a6e25ac0$f4a71040$@com>

Thanks. Great information.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andre Beck
Sent: Wednesday, May 07, 2008 7:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Netflow Question

Hi,

[I rearranged the order of lines in the following for historic reasons]

On Fri, May 02, 2008 at 11:38:00AM -0700, raa at opusnet.com wrote:
>
> Can anyone tell me the difference between the interface command:
>
> Router(config-if)# ip route-cache flow

When NetFlow Data Export was introduced, it was a "byproduct" of a new route cache implementation called "flow". The route cache would operate on individual flows and would allow you to inspect that cache as well as to export information on entries that just time out from the cache. As a route cache implementation, it had a number of implicit attributes that were not optimal in the wider field of accounting:

* It would be implicitly operating on ingress packets only. This required you to design your network properly in order to avoid accounting for a flow more than exactly once. It would also not allow you schemes like "account only what goes to or comes from my BGP upstreams".

* Several interfaces would inherit their setting of route-cache flow from a parent, e.g. in the case of Ethernet subinterfaces. This would require even more design workarounds including the addition of hardware.
You could not mix accounted and not accounted interfaces on a single interface in a router-on-a-stick setup.

> And
>
> Router(config-if)# ip flow ingress

This replaces "ip route-cache flow" on parent interfaces, and it is entirely new that you can switch it on and off individually on every subinterface. When you upgrade IOS to a version that has it, an "ip route-cache flow" statement on a parent will be converted to an "ip flow ingress" on the parent as well as *every* subinterface below that parent. From then on, you can switch it individually, but of course setting "ip route-cache flow" will again fan out an "ingress" to all subinterfaces. Thus, avoid using the old command as soon as you have migrated, and never look back. Please note that using NetFlow as a route cache is history; it is now a pure accounting and monitoring tool.

BTW, there's a minor glitch in the conversion that can lead to an interface losing route caching (which you normally want to have set to CEF these days) altogether. So after an IOS upgrade that does this conversion, check your interfaces, e.g. using "sh cef interface brief".

> Router(config-if)# ip flow egress

That's finally the counterpart to "ip flow ingress" that allows you to track interface egress traffic. That was simply impossible with the old implementation (being implicitly ingress-only). Today you should be able to set ingress+egress flow tracking on your upstreams to get just the external traffic. But you could also stay with the old way of just tracking ingress on upstreams + downstreams (but never within the network itself, to prevent multiple records).

> Thanks. Second part to this question: can anyone recommend a Netflow
> analyzer? Either application or appliance (price is important.) I'd like
> to get one where I can assign clients access where they only have access to
> the ports I assign them. I'm currently using the free version of
> Scrutinizer.

There's a plethora of free (as in Free and Open Source Software) solutions available. Depends on the exact needs you have. I'm using it just for accounting, not as an analyzer, so I can't name products here. SWITCH has a nice list, maybe for a starter see:

http://www.switch.ch/network/projects/completed/TF-NGN/floma/software.html

HTH,
Andre.

--
Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
-> Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden <-

From azher at hep.caltech.edu Wed May 7 19:59:17 2008
From: azher at hep.caltech.edu (Azher Mughal)
Date: Wed, 07 May 2008 16:59:17 -0700
Subject: [c-nsp] Client/server bandwidth tester
In-Reply-To:
References:
Message-ID: <48224255.7050602@hep.caltech.edu>

Iperf and netperf are good tools for bandwidth measurements (both UDP and TCP, uni- and bidirectional). You can find more from CAIDA.

http://www.caida.org/tools/taxonomy/performance.xml

-Azher

From cisco at ibctech.ca Wed May 7 21:07:41 2008
From: cisco at ibctech.ca (Steve Bertrand)
Date: Wed, 07 May 2008 21:07:41 -0400
Subject: [c-nsp] Client/server bandwidth tester
In-Reply-To:
References:
Message-ID: <4822525D.6090008@ibctech.ca>

Brandon Price wrote:
> Hey guys, I'm looking for a good bandwidth tester.
>
> I would like to have something that has a server piece on one side and a
> client on the other,
> So for example I just setup a point to point wireless link for a
> customer and it would be nice to throw a laptop on the far end and slam
> the link and see what I get..
>
>
> Anything like that out there?

ttcp or IPerf.

Regards,
Steve

From dhooper at emerge.net.au Wed May 7 23:33:18 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Thu, 8 May 2008 11:33:18 +0800
Subject: [c-nsp] Client/server bandwidth tester
In-Reply-To: <014401c8b09e$5996de40$0cc49ac0$@com>
References: <014401c8b09e$5996de40$0cc49ac0$@com>
Message-ID:

I find Jperf to be a handy front end to iperf.
http://dast.nlanr.net/Projects/Jperf/ and someone's gone to the effort to create a .exe installer for windows bundled with the cygwin dll: http://www.macalester.edu/crash/software/pc/iperf/ -Dan > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Peter Kranz > Sent: Thursday, 8 May 2008 7:59 AM > To: 'Brandon Price'; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Client/server bandwidth tester > > Iperf > > http://dast.nlanr.net/Projects/Iperf/ > > Peter Kranz > Founder/CEO - Unwired Ltd > www.UnwiredLtd.com > Desk: 510-868-1614 x100 > Mobile: 510-207-0000 > pkranz at unwiredltd.com > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brandon Price > Sent: Wednesday, May 07, 2008 4:53 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Client/server bandwidth tester > > Hey guys, I'm looking for a good bandwidth tester. > > I would like to have something that has a server piece on one side and > a > client on the other, > So for example I just setup a point to point wireless link for a > customer and it would be nice to throw a laptop on the far end and slam > the link and see what I get.. > > > Anything like that out there?
> > > > Thanks, > Brandon
From criling at gmail.com Thu May 8 00:11:36 2008 From: criling at gmail.com (Chris Riling) Date: Thu, 8 May 2008 00:11:36 -0400 Subject: [c-nsp] Client/server bandwidth tester In-Reply-To: References: <014401c8b09e$5996de40$0cc49ac0$@com> Message-ID: <8c829ec10805072111o3effbf22r503e9f97143d7b79@mail.gmail.com> I apologize for not adding too much meat to the thread, but I'd like to throw in my vote for iperf, I've used on many occasions and it's also helped me solved some fun TCP window sizing issues :) Chris On Wed, May 7, 2008 at 11:33 PM, Daniel Hooper wrote: > I find Jperf to be a handy front end to iperf. > > http://dast.nlanr.net/Projects/Jperf/
From criling at gmail.com Thu May 8 00:12:06 2008 From: criling at gmail.com (Chris Riling) Date: Thu, 8 May 2008 00:12:06 -0400 Subject: [c-nsp] Client/server bandwidth tester In-Reply-To: <8c829ec10805072111o3effbf22r503e9f97143d7b79@mail.gmail.com> References: <014401c8b09e$5996de40$0cc49ac0$@com> <8c829ec10805072111o3effbf22r503e9f97143d7b79@mail.gmail.com> Message-ID: <8c829ec10805072112n66e44906mb1bb38d5c6c0a665@mail.gmail.com> err... *solve On Thu, May 8, 2008 at 12:11 AM, Chris Riling wrote: > I apologize for not adding too much meat to the thread, but I'd like to > throw in my vote for iperf, I've used on many occasions and it's also helped > me solved some fun TCP window sizing issues :) > > Chris
From maillist at webjogger.net Thu May 8 09:09:38 2008 From: maillist at webjogger.net (Adam Greene) Date: Thu, 8 May 2008 09:09:38 -0400 Subject: [c-nsp] is RPF strict mode common? Message-ID: <003301c8b10c$c53c81e0$12140a0a@GINKGO> Hi, Trying to control bandwidth between my (2) upstream Internet providers, Global Crossing (20Mbps) and Savvis (50Mbps). I currently receive full routes from both, and the smaller Global Crossing link is maxed out, inbound. The obvious solution to me will be to prepend my route announcements to Global Crossing. However, one question: there is a good chance that some of my traffic will flow out through Savvis and in through Global Crossing (in fact, that's almost certainly happening right now). Will this kind of asymmetrical traffic run into issues with other ISPs that deploy RPF in strict mode? Are there many ISPs out there that do this? It seems that so much traffic on the Internet must be asymmetrical, any ISPs running RPF in strict mode must be doing so in a way that will not break traffic that's asymmetrical because of other ISPs' standard routing policies. IF they do, then they would be causing dead spots for their own customers ... do you think that's a valid assumption? Thanks for your advice.
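The question above is about what strict-mode unicast RPF does to asymmetric traffic. The Python model below is an added example for this archive, not part of Adam's message and not any IOS implementation: it does a longest-prefix lookup on the source address and applies the two uRPF modes the way IOS documents `ip verify unicast source reachable-via rx` (strict: the best route back to the source must point out the ingress interface) and `reachable-via any` (loose: any route back to the source is enough), ignoring the default route unless `allow-default` is set. The FIB, the interface names and the prefixes (documentation ranges) are constructed for the demo. It shows the drop Adam is worried about, and also why strict mode is still the right tool on a single-homed customer port: loose mode passes a spoofed source as long as the address is routable.

```python
import ipaddress

# Constructed FIB for a transit router with two upstream-facing interfaces
# ("gx" and "savvis", named after the two providers in the thread) and one
# single-homed customer port ("cust0"). Prefixes are from the documentation ranges.
TRANSIT_FIB = [
    ("203.0.113.0/24", ["gx"]),        # the multihomed site; best path currently via gx
    ("198.51.100.0/24", ["cust0"]),    # single-homed customer behind cust0
    ("0.0.0.0/0", ["gx", "savvis"]),   # default route, equal cost over both upstreams
]


class Fib:
    """Minimal longest-prefix-match table: prefix -> set of next-hop interfaces
    (more than one when equal-cost paths exist)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), frozenset(ifs)) for p, ifs in routes]

    def lookup(self, addr, allow_default=False):
        a = ipaddress.ip_address(addr)
        best = None
        for net, ifs in self.routes:
            if net.prefixlen == 0 and not allow_default:
                continue  # like IOS, ignore 0.0.0.0/0 unless allow-default is configured
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifs)
        return best[1] if best else frozenset()


def urpf_permits(fib, src, ingress, mode, allow_default=False):
    """True if a packet with source `src` arriving on `ingress` passes the uRPF check."""
    reverse_ifs = fib.lookup(src, allow_default)
    if mode == "strict":
        # reachable-via rx: the route back to the source must use the ingress interface
        return ingress in reverse_ifs
    if mode == "loose":
        # reachable-via any: any route back to the source is enough
        return bool(reverse_ifs)
    raise ValueError(f"unknown uRPF mode {mode!r}")


# Constructed packets: (description, source address, ingress interface)
PACKETS = [
    ("multihomed site, symmetric path", "203.0.113.10", "gx"),
    ("multihomed site, asymmetric path", "203.0.113.10", "savvis"),
    ("cust0 spoofing the multihomed site's address", "203.0.113.10", "cust0"),
    ("cust0 using its own address", "198.51.100.7", "cust0"),
    ("cust0 spoofing an unrouted address", "192.0.2.5", "cust0"),
]


def evaluate(fib, packets=PACKETS, allow_default=False):
    """Run every packet through both modes; returns {description: (strict, loose)}."""
    return {
        desc: (urpf_permits(fib, src, ifn, "strict", allow_default),
               urpf_permits(fib, src, ifn, "loose", allow_default))
        for desc, src, ifn in packets
    }


if __name__ == "__main__":
    fib = Fib(TRANSIT_FIB)
    print(f"{'packet':48s} strict  loose")
    for desc, (strict_ok, loose_ok) in evaluate(fib).items():
        print(f"{desc:48s} {'pass' if strict_ok else 'DROP':6s}  {'pass' if loose_ok else 'DROP'}")
```

Run as a script it prints the table: the asymmetric packet is dropped only under strict mode, which is the failure Adam asks about; the spoofed-but-routable packet on cust0 is dropped only under strict mode, which is why strict belongs on single-homed customer ports and loose (or plain ingress filtering) on multihomed and transit links, as Justin's reply says. Note the allow-default caveat: with the default route admitted, loose mode passes every source, so on a router carrying a default route `reachable-via any` without further filtering checks nothing.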
Adam From streiner at cluebyfour.org Thu May 8 09:42:13 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 8 May 2008 09:42:13 -0400 (EDT) Subject: [c-nsp] is RPF strict mode common? In-Reply-To: <003301c8b10c$c53c81e0$12140a0a@GINKGO> References: <003301c8b10c$c53c81e0$12140a0a@GINKGO> Message-ID: On Thu, 8 May 2008, Adam Greene wrote: > The obvious solution to me will be to prepend my route announcements to > Global Crossing. However, one question: there is a good chance that some > of my traffic will flow out through Savvis and in through Global > Crossing (in fact, that's almost certainly happening right now). Will > this kind of asymmetrical traffic run into issues with other ISPs that > deploy RPF in strict mode? Are there many ISPs out there that do this? While it's certainly a plausible scenario, an ISP that runs strict RPF on multihomed customer links is begging for trouble for exactly the reasons you described. They might run loose RPF, or straight ingress/egress filtering, which should be OK. Strict RPF is meant for singlehomed sites. Bottom line, you should be able to alter your edge routing policies in the ways you described to make better utilization of your transit links without too much fear of breaking things in interesting ways... jms From kgraham at industrial-marshmallow.com Thu May 8 11:26:00 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 8 May 2008 08:26:00 -0700 (PDT) Subject: [c-nsp] Univercd Message-ID: <540346.9221.qm@web905.biz.mail.mud.yahoo.com> As much as I'm disappointed to see /univercd become deprecated, the new documentation site at least looks OK once you can find the right navigation links to it. What's far worse is what was just done to the old release navigator pages. Now, instead of searching by release, we get to search first by product category, then by chassis, then by release.
Ignoring how cumbersome this is to begin with for scanning for recent rebuilds of current trains (which has been cited here before as a _useful_ expenditure of development time), please proceed to search for a 7600/Sup22 image. Once you've decided whether it's a 'Router Software' or 'Switch Software', you then get to select from a list of chassis, and only then sort through Supervisor and MSFC permutations. Still no solution to the ambiguity of the prior solution, but you get to go through an additional three levels first. ----- Original Message ---- > From: Asbjorn Hojmark - Lists > To: Lucy Favaloro ; cisco-nsp at puck.nether.net > Sent: Wednesday, May 7, 2008 2:55:42 PM > Subject: Re: [c-nsp] Univercd > > Cisco IOS Release 12.4 Configuration Guides > > The Cisco Connection Online (CCO) website, also known as > > UniverCD, is being discontinued. Please access the Cisco IOS > > Release 12.4 configuration guides from the following > > www.cisco.com/univercd (which was fast and relatively easy to > navigate) is going away for the marketing-fluff of the rest of > www.cisco.com. > > What, specifically, are you looking for?
> > -A
From criling at gmail.com Thu May 8 11:33:15 2008 From: criling at gmail.com (Chris Riling) Date: Thu, 8 May 2008 11:33:15 -0400 Subject: [c-nsp] 3550 Policing Message-ID: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> Hi All, I'm having an issue with policing on the 3550;
mls qos
class-map match-any Match-Any-Rate-Limit
 match any
policy-map 10Mbps-Rate-Limit
 class Match-Any-Rate-Limit
  police 10000000 2000000 exceed-action drop
interface FastEthernet0/11
 description XXXX
 switchport access vlan XXX
 switchport mode access
 no ip address
 service-policy input 10Mbps-Rate-Limit
 service-policy output 10Mbps-Rate-Limit
end
FastEthernet0/11
Ingress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 4109200271 3363237923 745962348 0 0
Egress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 1755089285 n/a n/a 0 0
Any ideas? It seems to be working to some extent, although the "policed" counter is 0 and they're bursting a bit higher than they should be. I have similar policers on some 4948's and it works fine, is there something on the 3550 I should know about? Thanks!
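Chris's observation that the traffic is "bursting a bit higher than they should be" is what a policer with a 2,000,000-byte burst does by design, independently of the match-any problem discussed further down. The Python below is an added example for this archive, not Chris's or Cisco's code: a single-rate, two-colour token-bucket model of `police 10000000 2000000 exceed-action drop`, driven by back-to-back 1500-byte frames at FastEthernet line rate. The 100 Mbps line rate and the frame size are assumptions for the demo, and the 3550 hardware policer's token granularity is not modelled. It shows that over a one-second window the conforming stream can legitimately average about 26 Mbps, because the whole bucket is spent in the first fraction of a second before the stream settles at the CIR, while over a five-minute MRTG window the same burst moves the average by barely 0.05 Mbps.

```python
LINE_RATE_BPS = 100_000_000   # FastEthernet line rate (assumption for the demo)
CIR_BPS = 10_000_000          # "police 10000000 ..."  committed rate, bits/s
BURST_BYTES = 2_000_000       # "... 2000000 ..."      burst (bucket depth), bytes
FRAME_BYTES = 1500            # assumed frame size


class TokenBucketPolicer:
    """Single-rate, two-colour policer: a frame conforms if the bucket holds enough
    tokens for it, otherwise it exceeds (dropped here, as with exceed-action drop)."""

    def __init__(self, cir_bps, burst_bytes):
        self.fill_rate = cir_bps / 8.0        # tokens (bytes) added per second
        self.depth = float(burst_bytes)       # bucket depth = configured burst
        self.tokens = float(burst_bytes)      # bucket starts full
        self.last = 0.0

    def offer(self, now, size):
        # Refill for the elapsed time, capped at the bucket depth, then try to spend.
        self.tokens = min(self.depth, self.tokens + (now - self.last) * self.fill_rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


def saturate(policer, line_rate_bps, frame_bytes, seconds):
    """Offer back-to-back frames at line rate for `seconds`.
    Returns (conforming_bytes, dropped_bytes)."""
    gap = frame_bytes * 8.0 / line_rate_bps   # inter-frame time at line rate
    conform = drop = 0
    for i in range(int(seconds / gap)):
        if policer.offer(i * gap, frame_bytes):
            conform += frame_bytes
        else:
            drop += frame_bytes
    return conform, drop


def max_average_bps(cir_bps, burst_bytes, window_s):
    """Analytic upper bound on the average rate a conforming stream can show over a
    measurement window: the whole bucket plus CIR for the duration of the window."""
    return (burst_bytes + cir_bps * window_s / 8.0) * 8.0 / window_s


def demo(window_s=1.0):
    """Simulate one saturated window and compare with the analytic bounds."""
    policer = TokenBucketPolicer(CIR_BPS, BURST_BYTES)
    conform, drop = saturate(policer, LINE_RATE_BPS, FRAME_BYTES, window_s)
    return {
        "conform_bytes": conform,
        "dropped_bytes": drop,
        "measured_bps": conform * 8.0 / window_s,
        "bound_bps": max_average_bps(CIR_BPS, BURST_BYTES, window_s),
        "bound_bps_5min": max_average_bps(CIR_BPS, BURST_BYTES, 300.0),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16s} {value:,.0f}")
```

With the thread's parameters the first 1,481 frames all conform (the bucket drains by 1,350 bytes per frame), after which one frame in ten conforms, which is exactly 10 Mbps; the one-second average lands just under the 26 Mbps bound. A counter that samples every five minutes will show roughly 10.05 Mbps and hide the burst entirely, so a "policed" column that reads zero while short-term graphs overshoot is consistent with a working policer as well as with the counter bug Jeff mentions below.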
Chris From cisco-nsp at ibh.net Thu May 8 11:38:41 2008 From: cisco-nsp at ibh.net (Andre Beck) Date: Thu, 8 May 2008 17:38:41 +0200 Subject: [c-nsp] 3750 etherchannel only using 1 port In-Reply-To: <482209BC.70308@gtcomm.net> References: <4821C2F3.3070509@gtcomm.net> <4821D3D5.6090604@gtcomm.net> <482209BC.70308@gtcomm.net> Message-ID: <20080508153841.GD16053@ibh.de> Re Paul, On Wed, May 07, 2008 at 03:57:48PM -0400, Paul wrote: > I did the test etherchannel of course and it's working properly, but > since I am using the cef load balancing (two 0.0.0.0 routes with the > same cost) and it's going out two port channels the algorithm for that > must be exactly the same as the one for the etherchannel, which explains > why on etherchannel #1 the packets are going out port #1, and on > etherchannel #2 the packets are going out port #2.. This is a very > interesting phenomenon :) Argh. The crux of simple, hardwired hashing algorithms... > Now I just have to figure out what to do about it..... I completely > would not have thought that it would operate like this but I suppose it > makes sense.. Grr :> > Any ideas? Hmm. Dunno exactly what the topology big picture is here, but maybe just eliminate the Etherchannels and instead have four equal distance routes point via the four interfaces? HTH, Andre. -- Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work.
-> Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden <-
From lowen at pari.edu Thu May 8 11:45:00 2008 From: lowen at pari.edu (Lamar Owen) Date: Thu, 8 May 2008 11:45:00 -0400 Subject: [c-nsp] Univercd In-Reply-To: <540346.9221.qm@web905.biz.mail.mud.yahoo.com> References: <540346.9221.qm@web905.biz.mail.mud.yahoo.com> Message-ID: <200805081145.00440.lowen@pari.edu> On Thursday 08 May 2008, Kevin Graham wrote: > As much as I'm disappointed to see /univercd become deprecated, the new > documentation site at least looks OK once you can find the right navigation > links to it. The bigger problem is that, at least on the documentation DVD I have, not everything is on the DVD, and it pulls in stuff from the deprecated univercd area. Of course, it's a couple of years old and may have been fixed by now. But there are a lot of documentation CD's and DVD's out there that will be broken when this change occurs. -- Lamar Owen www.pari.edu
From maillist at webjogger.net Thu May 8 11:50:47 2008 From: maillist at webjogger.net (Adam Greene) Date: Thu, 8 May 2008 11:50:47 -0400 Subject: [c-nsp] is RPF strict mode common? References: <003301c8b10c$c53c81e0$12140a0a@GINKGO> Message-ID: <00b401c8b123$482d28f0$12140a0a@GINKGO> Thanks much for the replies on and off list. It does seem like strict RPF should *not* be an issue in the way I had been imagining. Thanks guys! ----- Original Message ----- From: "Justin M. Streiner" To: "Adam Greene" Cc: Sent: Thursday, May 08, 2008 9:42 AM Subject: Re: [c-nsp] is RPF strict mode common? > While it's certainly a plausible scenario, an ISP that runs strict RPF on > multihomed customer links is begging for trouble for exactly the reasons > you described. They might run loose RPF, or straight ingress/egress > filtering, which should be OK. Strict RPF is meant for singlehomed sites. > > Bottom line, you should be able to alter your edge routing policies in the > ways you described to make better utilization of your transit links > without too much fear of breaking things in interesting ways... > > jms
From cisco-nsp at ibh.net Thu May 8 11:57:35 2008 From: cisco-nsp at ibh.net (Andre Beck) Date: Thu, 8 May 2008 17:57:35 +0200 Subject: [c-nsp] Ethernet Freezeup In-Reply-To: <20080408101345.GB923@ibh.de> References: <20060715212320.GA12801@panix.com> <20080407132812.GA12719@ibh.de> <20080407141038.GC25032@panix.com> <20080407160428.GB12719@ibh.de> <20080407161837.GA11148@panix.com> <20080408101345.GB923@ibh.de> Message-ID: <20080508155735.GE16053@ibh.de> Hi, just to give a status followup: On Tue, Apr 08, 2008 at 12:13:45PM +0200, Andre Beck wrote: > > nexus#sh track > Track 1 > Response Time Reporter 1 reachability > Reachability is Up > 1 change, last change 18:11:20 > Latest operation return code: OK > Latest RTT (millisecs) 1 > Tracked by: > applet duck-reachable > > Looks like it would work - but only time will tell. Given the Heisenbug > nature of the thing, maybe just running the monitor prevents it from > ever occurring again ;) I should apply for the JREF Million Dollar Challenge with this level of correct prediction of the future:
nexus#sh track
Track 1
  Response Time Reporter 1 reachability
  Reachability is Up
    1 change, last change 4w3d
  Latest operation return code: OK
  Latest RTT (millisecs) 1
  Tracked by:
    applet duck-reachable
Since I hacked in the EEM applet, it never triggered.
In a way this is good (I finally can sleep through again), but then again, what's wrong now for the bug to no longer trigger? 1) It's a real Heisenbug that vanishes as soon as someone watches closely; 2) It actually *was* a problem with the replaced power supply; 3) It was an issue with a BRI interface that had a bad BRI connected which was constantly triggering PHY errors. To give (1) a chance, I'm posting here, maybe it tickles Murphy just like it did for Ed ;) But seriously I'd rather focus on (2). HTH, Andre. -- Real men don't make backups of their mail. They just send it out on the Internet and let the secret services do the hard work. -> Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden <- From everton at lab.ipaccess.diveo.net.br Thu May 8 12:36:40 2008 From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques) Date: Thu, 8 May 2008 13:36:40 -0300 Subject: [c-nsp] Client/server bandwidth tester In-Reply-To: References: Message-ID: <20080508163640.GA8194@diveo.net.br> On Wed, May 07, 2008 at 04:53:14PM -0700, Brandon Price wrote: > Hey guys, I'm looking for a good bandwidth tester. > > I would like to have something that has a server piece on one side and a > client on the other, > So for example I just setup a point to point wireless link for a > customer and it would be nice to throw a laptop on the far end and slam > the link and see what I get.. 
iperf: http://dast.nlanr.net/Projects/Iperf/ nuttcp: http://www.wcisd.hpc.mil/nuttcp/ nepim: http://www.nongnu.org/nepim/ Cheers, Everton
From dhooper at emerge.net.au Thu May 8 13:08:55 2008 From: dhooper at emerge.net.au (Daniel Hooper) Date: Fri, 9 May 2008 01:08:55 +0800 Subject: [c-nsp] 3550 Policing In-Reply-To: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> References: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> Message-ID: > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Chris Riling > Sent: Thursday, 8 May 2008 11:33 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] 3550 Policing > > I'm having an issue with policing on the 3550; > > Any ideas? It seems to be working to some extent, although the "policed" > counter is 0 and they're bursting a bit higher than they should be. Here's what I'm using on a 3550 which is working:
class-map match-all 2MBIT
 match ip dscp default
policy-map 2MBIT
 class 2MBIT
  police 2000000 512000 exceed-action drop
!
interface FastEthernet0/1
 switchport access vlan 606
 switchport mode access
 service-policy input 2MBIT
 speed 100
 duplex full
 no cdp enable
 spanning-tree bpdufilter enable
switch#sh mls qos interface FastEthernet 0/1 statistics
FastEthernet0/1
Ingress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 1859986733 1854120139 5866594 0 18280295
Egress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 1461309424 n/a n/a 0 0
From jcartier at acs.on.ca Thu May 8 13:15:56 2008 From: jcartier at acs.on.ca (Jeff Cartier) Date: Thu, 8 May 2008 13:15:56 -0400 Subject: [c-nsp] 3550 Policing References: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> Message-ID: I've come into issues before where the counters don't actually 'count' per se... It's working, but from looking at show commands... you wouldn't guess it. IOS bug.
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net on behalf of Daniel Hooper Sent: Thu 5/8/2008 1:08 PM To: Chris Riling; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 3550 Policing
From achatz at forthnet.gr Thu May 8 13:21:44 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 08 May 2008 20:21:44 +0300 Subject: [c-nsp] strange open sockets on a switch Message-ID: <482336A8.7080408@forthnet.gr> Any idea why the switch listens to all these ports?
3400#sh ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 x.x.x.x 1967 0 0 211 0 (sla control)
17 y.y.y.y 162 x.x.x.x 61570 0 0 0 0 (send snmp-trap to server)
17 0.0.0.0 0 x.x.x.x 2228 0 0 211 0 (?)
17 y.y.y.y 54482 x.x.x.x 161 0 0 1 0 (accept snmp from server)
17 --listen-- x.x.x.x 162 0 0 11 0 (accept snmp-trap from ?)
17 --listen-- x.x.x.x 62897 0 0 1 0 (?)
17 --listen-- --any-- 161 0 0 20001 0 (accept snmp from server)
17 --listen-- --any-- 162 0 0 20011 0 (accept snmp-trap from ?)
17 --listen-- --any-- 60312 0 0 20001 0 (?)
17 --listen-- x.x.x.x 123 0 0 1 0 (ntp)
17 y.y.y.y 514 x.x.x.x 64690 0 0 400211 0 (send syslog)
17 y.y.y.y 53936 x.x.x.x 5060 0 0 51 0 (sla data)
Also, is there a command to list the ports every active process is using (like a port to process mapping tool)?
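The thread leaves Tassos's question open, and nothing here identifies the ports he marks with "(?)". What a practitioner can do with `show ip sockets` output is audit it mechanically: parse each row, keep the UDP sockets that have no peer (a `--listen--` remote, or a wildcard remote of 0.0.0.0 port 0) and compare their local ports against the services the box is supposed to run, so that unexplained listeners get reviewed rather than noticed by accident. The Python below is an added example for this archive, not a Cisco tool. The sample text is Tassos's output as posted above, with his parenthetical notes left in and stripped by the parser; the allow-list of expected listeners is an assumption built from his own labels (SNMP 161/162, NTP 123, IP SLA control 1967) and would be replaced by what a given switch is actually meant to run.

```python
import re

# Sample input: the `show ip sockets` output posted above, with the poster's
# x.x.x.x / y.y.y.y placeholders and parenthetical notes left in place.
SHOW_IP_SOCKETS = """\
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 x.x.x.x 1967 0 0 211 0 (sla control)
17 y.y.y.y 162 x.x.x.x 61570 0 0 0 0 (send snmp-trap to server)
17 0.0.0.0 0 x.x.x.x 2228 0 0 211 0 (?)
17 y.y.y.y 54482 x.x.x.x 161 0 0 1 0 (accept snmp from server)
17 --listen-- x.x.x.x 162 0 0 11 0 (accept snmp-trap from ?)
17 --listen-- x.x.x.x 62897 0 0 1 0 (?)
17 --listen-- --any-- 161 0 0 20001 0 (accept snmp from server)
17 --listen-- --any-- 162 0 0 20011 0 (accept snmp-trap from ?)
17 --listen-- --any-- 60312 0 0 20001 0 (?)
17 --listen-- x.x.x.x 123 0 0 1 0 (ntp)
17 y.y.y.y 514 x.x.x.x 64690 0 0 400211 0 (send syslog)
17 y.y.y.y 53936 x.x.x.x 5060 0 0 51 0 (sla data)
"""

# Assumed allow-list: UDP ports this switch is expected to listen on, taken from
# the labels in the posted output. Anything else is reported for follow-up.
EXPECTED_UDP_LISTENERS = {161: "snmp", 162: "snmp-trap", 123: "ntp", 1967: "ip sla control"}

UDP = 17


def parse_sockets(text):
    """Turn `show ip sockets` rows into dicts. A `--listen--` row has no remote
    address/port columns, so the remaining fields shift left by one."""
    rows = []
    for line in text.splitlines():
        line = re.sub(r"\(.*?\)", "", line).strip()  # drop annotations like "(ntp)"
        if not line or line.startswith("Proto"):
            continue
        tok = line.split()
        if tok[1] == "--listen--":
            remote, rport, local, lport = None, None, tok[2], int(tok[3])
        else:
            remote, rport, local, lport = tok[1], int(tok[2]), tok[3], int(tok[4])
        rows.append({"proto": int(tok[0]), "remote": remote, "rport": rport,
                     "local": local, "lport": lport})
    return rows


def is_listener(row):
    """Unconnected socket: an explicit --listen--, or a wildcard 0.0.0.0:0 remote."""
    return row["remote"] is None or (row["remote"] == "0.0.0.0" and row["rport"] == 0)


def audit_listeners(text, expected=EXPECTED_UDP_LISTENERS):
    """Split UDP listeners into (expected, unexpected), keyed by local port, with
    the local addresses each port is bound to."""
    known, unknown = {}, {}
    for row in parse_sockets(text):
        if row["proto"] != UDP or not is_listener(row):
            continue
        bucket = known if row["lport"] in expected else unknown
        bucket.setdefault(row["lport"], []).append(row["local"])
    return known, unknown


if __name__ == "__main__":
    known, unknown = audit_listeners(SHOW_IP_SOCKETS)
    for port, addrs in sorted(known.items()):
        print(f"ok      udp/{port:<5} {EXPECTED_UDP_LISTENERS[port]:14s} bound to {', '.join(addrs)}")
    for port, addrs in sorted(unknown.items()):
        print(f"REVIEW  udp/{port:<5} {'not in allow-list':14s} bound to {', '.join(addrs)}")
```

On the posted output this reports 161, 162, 123 and 1967 as expected and flags 2228, 62897 and 60312 for review, which are exactly the three rows Tassos marked "(?)". The rows with a y.y.y.y peer (the syslog, SNMP trap and SLA data sessions) are connected sockets, not listeners, and are not flagged. The check does not answer his second question; mapping a port back to the process that opened it still needs the platform's own tooling.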
-- Tassos
From criling at gmail.com Thu May 8 13:23:20 2008 From: criling at gmail.com (Chris Riling) Date: Thu, 8 May 2008 13:23:20 -0400 Subject: [c-nsp] 3550 Policing In-Reply-To: References: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> Message-ID: <8c829ec10805081023g35ba9011x8b75b317b0d20821@mail.gmail.com> I had heard of that before as well, but now that I changed the class map to match-all on dscp 0 it *seems* to work. hmrph. I guess I'll just keep an eye on the MRTG graphs...:
FastEthernet0/11
Ingress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 3537826000 2791863566 745962434 0 2467793
Egress
 dscp: incoming no_change classified policed dropped (in bytes)
 Others: 676669051 n/a n/a 0 1975855
Thanks! Chris On 5/8/08, Jeff Cartier wrote: > I've come into issues before where the counters don't actually 'count' > per se... It's working, but from looking at show commands... you wouldn't > guess it. IOS bug.
From achatz at forthnet.gr Thu May 8 14:01:02 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 08 May 2008 21:01:02 +0300 Subject: [c-nsp] 3550 Policing In-Reply-To: <8c829ec10805081023g35ba9011x8b75b317b0d20821@mail.gmail.com> References: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com>
<8c829ec10805081023g35ba9011x8b75b317b0d20821@mail.gmail.com> Message-ID: <48233FDE.7050709@forthnet.gr> I guess the "match any" under your class is like the class-default which cannot be used for policing on the 3550. On the other hand, "dscp 0" refers to all traffic on untrusted ports, which might be ok for you. -- Tassos Chris Riling wrote on 8/5/2008 8:23 PM: > I had heard of that before as well, but now that I changed the class map to > match-all on dscp 0 it *seems* to work. hmrph. I guess I'll just keep an eye > on the MRTG graphs...
From criling at gmail.com Thu May 8 14:16:28 2008 From: criling at gmail.com (Chris Riling) Date: Thu, 8 May 2008 14:16:28 -0400 Subject: [c-nsp] 3550 Policing In-Reply-To: <48233FDE.7050709@forthnet.gr> References: <8c829ec10805080833o11332d7doe0054edd20b1634@mail.gmail.com> <8c829ec10805081023g35ba9011x8b75b317b0d20821@mail.gmail.com> <48233FDE.7050709@forthnet.gr> Message-ID: <8c829ec10805081116y5dece491l43f7ac6564cc7251@mail.gmail.com> Ah, if that's the case that makes sense... Thanks! Chris On 5/8/08, Tassos Chatzithomaoglou wrote: > I guess the "match any" under your class is like the class-default which > cannot be used for policing on the 3550. > > On the other hand, "dscp 0" refers to all traffic on untrusted ports, which > might be ok for you. > > -- > Tassos
I >>>> have >>>> similar policers on some 4948's and it works fine, is there something >>>> on the >>>> 3550 I should know about? >>>> >>>> Thanks! >>>> Chris >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> Here's what I'm using on a 3550 which is working: >>> >>> class-map match-all 2MBIT >>> match ip dscp default >>> >>> policy-map 2MBIT >>> class 2MBIT >>> police 2000000 512000 exceed-action drop >>> >>> ! >>> interface FastEthernet0/1 >>> switchport access vlan 606 >>> switchport mode access >>> service-policy input 2MBIT >>> speed 100 >>> duplex full >>> no cdp enable >>> spanning-tree bpdufilter enable >>> >>> switch#sh mls qos interface FastEthernet 0/1 statistics >>> FastEthernet0/1 >>> Ingress >>> dscp: incoming no_change classified policed dropped (in bytes) >>> Others: 1859986733 1854120139 5866594 0 18280295 >>> Egress >>> dscp: incoming no_change classified policed dropped (in bytes) >>> Others: 1461309424 n/a n/a 0 0 >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> >>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> From dudepron at gmail.com Thu May 8 14:47:38 2008 From: dudepron at gmail.com (Aaron) Date: Thu, 8 May 2008 14:47:38 -0400 Subject: [c-nsp] Univercd In-Reply-To: <200805081145.00440.lowen@pari.edu> References: <540346.9221.qm@web905.biz.mail.mud.yahoo.com> <200805081145.00440.lowen@pari.edu> Message-ID: <480dad640805081147s5b9e4d86g308daf5ca39a1a17@mail.gmail.com> Provide feedback on the website. 
I always do. On Thu, May 8, 2008 at 11:45 AM, Lamar Owen wrote: > On Thursday 08 May 2008, Kevin Graham wrote: > > As much as I'm disappointed to see /univercd become deprecated, the new > > documentation site at least looks OK once you can find the right > navigation > > links to it. > > The bigger problem is that, at least on the documentation DVD I have, not > everything is on the DVD, and it pulls in stuff from the deprecated > univercd > area. Of course, it's a couple of years old and may have been fixed by > now. > But there are a lot of documentation CD's and DVD's out there that will be > broken when this change occurs. > -- > Lamar Owen > www.pari.edu

From peter at rathlev.dk Thu May 8 16:54:36 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 08 May 2008 22:54:36 +0200 Subject: [c-nsp] strange open sockets on a switch In-Reply-To: <482336A8.7080408@forthnet.gr> References: <482336A8.7080408@forthnet.gr> Message-ID: <1210280076.27289.8.camel@dusken.sys.mjna.net> On Thu, 2008-05-08 at 20:21 +0300, Tassos Chatzithomaoglou wrote: > Any idea why the switch listens to all these ports?
>
> 3400#sh ip sockets
> Proto Remote Port Local Port In Out Stat TTY OutputIF
> 17 0.0.0.0 0 x.x.x.x 1967 0 0 211 0 (sla control)
> 17 y.y.y.y 162 x.x.x.x 61570 0 0 0 0 (send snmp-trap to server)
> 17 0.0.0.0 0 x.x.x.x 2228 0 0 211 0 (?)
> 17 y.y.y.y 54482 x.x.x.x 161 0 0 1 0 (accept snmp from server)
> 17 --listen-- x.x.x.x 162 0 0 11 0 (accept snmp-trap from ?)
> 17 --listen-- x.x.x.x 62897 0 0 1 0 (?)
> 17 --listen-- --any-- 161 0 0 20001 0 (accept snmp from server)
> 17 --listen-- --any-- 162 0 0 20011 0 (accept snmp-trap from ?)
> 17 --listen-- --any-- 60312 0 0 20001 0 (?)
> 17 --listen-- x.x.x.x 123 0 0 1 0 (ntp)
> 17 y.y.y.y 514 x.x.x.x 64690 0 0 400211 0 (send syslog)
> 17 y.y.y.y 53936 x.x.x.x 5060 0 0 51 0 (sla data)
I have a C6k with port 2228/udp listening too, and then 59008/udp. The 2228 is "ehome-ms" according to IANA, but I don't see what a service like that would be doing on a switch. Strange indeed. > Also, is there a command to list the ports every active process is > using (like a port to process mapping tool)? IOS 12.4(4)T has the "show control-plane host open-ports", but that's no use on a ME3400, which I presume the above is from. It would be very sweet to have on the L3 switches. Regards, Peter

From lists at hojmark.org Thu May 8 17:02:13 2008 From: lists at hojmark.org (Asbjorn Hojmark - Lists) Date: Thu, 8 May 2008 23:02:13 +0200 Subject: [c-nsp] Univercd In-Reply-To: <480dad640805081147s5b9e4d86g308daf5ca39a1a17@mail.gmail.com> References: <540346.9221.qm@web905.biz.mail.mud.yahoo.com><200805081145.00440.lowen@pari.edu> <480dad640805081147s5b9e4d86g308daf5ca39a1a17@mail.gmail.com> Message-ID: <000601c8b14e$ca81aa80$280a0a0a@hojmark.net> > Provide feedback on the website. I always do. I gave up on that when someone replied that they fully agreed that the site was becoming less user-friendly, but they couldn't do anything about it because the marketing people ruled... Feedback about cisco.com makes absolutely no difference. It's becoming worse all the time. -A

From paul at gtcomm.net Thu May 8 19:42:07 2008 From: paul at gtcomm.net (Paul) Date: Thu, 08 May 2008 19:42:07 -0400 Subject: [c-nsp] 3750 etherchannel only using 1 port In-Reply-To: <482209BC.70308@gtcomm.net> References: <4821C2F3.3070509@gtcomm.net> <4821D3D5.6090604@gtcomm.net> <482209BC.70308@gtcomm.net> Message-ID: <48238FCF.3030408@gtcomm.net> Well it seems all the hashing algos for cef and for etherchannel are exactly the same.
I tried cef universal with various hashes, I tried cef original, I tried etherchannel src ip, dst ip, and src-dst-ip :/ Everything has the same result.. Packets only output on one of the gig links on the port channel. Grumble.. What's so hard about slightly changing up the algos or letting us pick some sort of hash key that will change it up a bit, or even have a etherchannel setting for cef where instead of the normal algorithm it makes it into bigger blocks where normally it would alternate between one or the other it sends say x number of flows that way, and x number of flows the other way instead of a 1-1 ratio, then the etherchannel would have a chance. Paul From ecables at gmail.com Thu May 8 20:00:55 2008 From: ecables at gmail.com (Eric Cables) Date: Thu, 8 May 2008 17:00:55 -0700 Subject: [c-nsp] %CONTROLLER-2-FIRMWARE errors Message-ID: Has anyone seen these errors before? May 8 14:31:27.827 PDT: %CONTROLLER-2-FIRMWARE: Controller E1 0/0, firmware is not running May 8 14:31:37.915 PDT: %CONTROLLER-2-FIRMWARE: Controller E1 0/0, firmware is not running I found a couple of posts, but didn't see much in the way of what fixed the problem. Hardware? Software? I've reloaded without success. -- Eric From mtinka at globaltransit.net Thu May 8 10:18:53 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Thu, 8 May 2008 22:18:53 +0800 Subject: [c-nsp] is RPF strict mode common? In-Reply-To: <003301c8b10c$c53c81e0$12140a0a@GINKGO> References: <003301c8b10c$c53c81e0$12140a0a@GINKGO> Message-ID: <200805082219.02149.mtinka@globaltransit.net> On Thursday 08 May 2008, Adam Greene wrote: > Trying to control bandwidth between my (2) upstream > Internet providers, Global Crossing (20Mbps) and Savvis > (50Mbps). I currently receive full routes from both, and > the smaller Global Crossing link is maxed out, inbound. > > The obvious solution to me will be to prepend my route > announcements to Global Crossing. 
However, one question: > there is a good chance that some of my traffic will flow > out through Savvis and in through Global Crossing (in > fact, that's almost certainly happening right now). Will > this kind of asymmetrical traffic run into issues with > other ISPs that deploy RPF in strict mode? Are there many > ISPs out there that do this? It seems that so much > traffic on the Internet must be asymmetrical, any ISPs > running RPF in strict mode must be doing so in a way that > will not break traffic that's asymmetrical because of > other ISPs' standard routing policies. IF they do, then > they would be causing dead spots for their own customers > ... do you think that's a valid assumption? We use strict mode for customer connections - specifically, customers that do not multihome, either to ourselves or another provider. We "generally" use loose mode for peering (upstreams, public peering, private peering, etc.). We don't use uRPF in our core (BGP-free core and all that...). Cheers, Mark.

From James.Baker at chelmer.co.nz Thu May 8 23:13:23 2008 From: James.Baker at chelmer.co.nz (James Baker) Date: Fri, 9 May 2008 15:13:23 +1200 Subject: [c-nsp] AVPairs + Dynamic ACLs Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD5417AD@chmaexch.chelmer.co.nz> Anyone know if it's possible to use AVpairs with Dynamic ACLs? Thanks -- James
From manoj_koshti at yahoo.com Fri May 9 00:27:36 2008 From: manoj_koshti at yahoo.com (Manoj koshti) Date: Thu, 8 May 2008 21:27:36 -0700 (PDT) Subject: [c-nsp] engineer opening Message-ID: <855686.64571.qm@web51401.mail.re2.yahoo.com> Hi All, I am looking for a Network and Security Engineer with 3 years of networking experience in cisco networking for the graveyard shift. Manoj

From dale.shaw+cisco-nsp at gmail.com Fri May 9 01:26:49 2008 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Fri, 9 May 2008 15:26:49 +1000 Subject: [c-nsp] engineer opening In-Reply-To: <855686.64571.qm@web51401.mail.re2.yahoo.com> References: <855686.64571.qm@web51401.mail.re2.yahoo.com> Message-ID: <3329cbb40805082226q19d26452m1fd6b569e0710008@mail.gmail.com> Hi, On Fri, May 9, 2008 at 2:27 PM, Manoj koshti wrote: > > I am looking for a Network and Security Engineer with 3 years of networking experience in cisco networking for the graveyard shift Do you realise this is a mailing list with global membership? You haven't specified where the position is based.
cheers, Dale

From rudal at online.rudal.com Fri May 9 03:04:50 2008 From: rudal at online.rudal.com (Rudy Setiawan) Date: Fri, 9 May 2008 00:04:50 -0700 Subject: [c-nsp] PIX questions Message-ID: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> Hi all, I have a question about PIX translation.
An outside interface has IP address: 192.168.1.2 255.255.255.0
A DMZ interface has IP address: 10.1.1.2 255.255.255.0
Current translation:
10.1.1.3 -> 192.168.1.3
10.1.1.4 -> 192.168.1.4
How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"? How can I make it so that anyone behind the 10.1.1.0/24 network is able to ping the IP "192.168.1.4"? Consider that ICMP is allowed any any. I tried to configure it but the ASDM log says "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside" Thank you for your help in advance. Regards, Rudy

From tedm at toybox.placo.com Fri May 9 03:50:15 2008 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Fri, 9 May 2008 00:50:15 -0700 Subject: [c-nsp] PIX questions In-Reply-To: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> Message-ID: please post the entire pix config Ted > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Rudy Setiawan > Sent: Friday, May 09, 2008 12:05 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] PIX questions > > > Hi all, > > I have a question about PIX translation > > An outside interface has IP address: > 192.168.1.2 255.255.255.0 > > A DMZ interface has IP address: > 10.1.1.2 255.255.255.0 > > > Current translation: > 10.1.1.3 -> 192.168.1.3 > 10.1.1.4 -> 192.168.1.4 > > > How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"? > How can I make it so that anyone behind the 10.1.1.0/24 network is able to > ping the IP "192.168.1.4"? > > Consider that ICMP is allowed any any.
> > I tried to configure it but the ASDM log says > "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside" > > Thank you for your help in advance. > > Regards, > Rudy

From K.J.Barrass at leeds.ac.uk Fri May 9 05:31:05 2008 From: K.J.Barrass at leeds.ac.uk (Kevin Barrass) Date: Fri, 9 May 2008 10:31:05 +0100 Subject: [c-nsp] Turning on no ip unreachables and the effects Message-ID: Hi, I've been following a thread on NANOG about PMTUD black holing and as a result am reviewing our setup here with regard to this. I've seen in the below link that enabling "no ip unreachables" on an interface can break PMTUD across your network if the outgoing interface is then on a link with an MTU too small, as the interface with "no ip unreachables" will not send a packet-too-big type message. Does anyone have a link to a definitive list of the effects of turning on this command? I thought that turning on this command didn't prevent the interface sending TTL expired and hence didn't break traceroute, but now I'm unsure. Any feedback appreciated. Cheers Kev

From eric at atlantech.net Fri May 9 06:16:03 2008 From: eric at atlantech.net (Eric Van Tol) Date: Fri, 9 May 2008 06:16:03 -0400 Subject: [c-nsp] is RPF strict mode common? In-Reply-To: <200805082219.02149.mtinka@globaltransit.net> References: <003301c8b10c$c53c81e0$12140a0a@GINKGO> <200805082219.02149.mtinka@globaltransit.net> Message-ID: <2C05E949E19A9146AF7BDF9D44085B863500B0E668@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mark Tinka > Sent: Thursday, May 08, 2008 10:19 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] is RPF strict mode common?
> > On Thursday 08 May 2008, Adam Greene wrote: > > > Trying to control bandwidth between my (2) upstream > > Internet providers, Global Crossing (20Mbps) and Savvis > > (50Mbps). I currently receive full routes from both, and > > the smaller Global Crossing link is maxed out, inbound. > > > > The obvious solution to me will be to prepend my route > > announcements to Global Crossing. However, one question: > > there is a good chance that some of my traffic will flow > > out through Savvis and in through Global Crossing (in > > fact, that's almost certainly happening right now). Will > > this kind of asymmetrical traffic run into issues with > > other ISPs that deploy RPF in strict mode? Are there many > > ISPs out there that do this? It seems that so much > > traffic on the Internet must be asymmetrical, any ISPs > > running RPF in strict mode must be doing so in a way that > > will not break traffic that's asymmetrical because of > > other ISPs' standard routing policies. IF they do, then > > they would be causing dead spots for their own customers > > ... do you think that's a valid assumption? I would suggest that either instead of or in addition to prepending, you utilize the GBLX community string definitions to better control how your traffic flows: http://www.onesc.net/communities/as3549/ Try setting the community to lower the localpref in their network so your route is less preferred. You can also prepend to specific networks using their communities. We use uRPF on non-multihomed customer connections. The only "large" provider we've ever worked with that uses uRPF on multihomed customer connections is Qwest, which is not a wise idea IMO. 
-evt From mcgrath at fas.harvard.edu Fri May 9 09:02:01 2008 From: mcgrath at fas.harvard.edu (Scott McGrath) Date: Fri, 09 May 2008 09:02:01 -0400 Subject: [c-nsp] PIX questions In-Reply-To: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> Message-ID: <48244B49.9010701@fas.harvard.edu> You do realize that ICMP handling needs to be enabled on the PIX independently of ACL Rudy Setiawan wrote: > Hi all, > > I have a question about PIX translation > > An outside interface has IP address: > 192.168.1.2 255.255.255.0 > > An DMZ interface has IP address: > 10.1.1.2 255.255.255.0 > > > Current translation: > 10.1.1.3 -> 192.168.1.3 > 10.1.1.4 -> 192.168.1.4 > > > How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"? > How can I make it so that anyone behind 10.1.1.0/24 network is able to > ping the IP "192.168.1.4"? > > Consider the ICMP is allowed any any. > > I tried to configure it but the ASDM log say > "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside" > > Thank you for your help in advance. > > Regards, > Rudy > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rblayzor.bulk at inoc.net Fri May 9 10:26:48 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Fri, 9 May 2008 10:26:48 -0400 Subject: [c-nsp] is RPF strict mode common? In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863500B0E668@exchange.aoihq.local> References: <003301c8b10c$c53c81e0$12140a0a@GINKGO> <200805082219.02149.mtinka@globaltransit.net> <2C05E949E19A9146AF7BDF9D44085B863500B0E668@exchange.aoihq.local> Message-ID: RFC3704, Section 5 seems to have the best information on the use of ingress/edge filtering and the use of loose/strict RPF. 
-- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ Mac OS X. Because making Unix user-friendly is easier than debugging Windows. From criling at gmail.com Fri May 9 10:51:20 2008 From: criling at gmail.com (Chris Riling) Date: Fri, 9 May 2008 10:51:20 -0400 Subject: [c-nsp] SSH Authoized Keys? Message-ID: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> Hey Guys, I've done some research on SSH in IOS and I've only been able to find "the usual" information on how to implement SSH; (generate keys, change transport, etc.) but I'm more interested in seeing if I can use key files for authentication without a password. I've read that you can do it on the IDS boxes, but I haven't found anything on routers/switches... Any ideas? Thanks, From p.mayers at imperial.ac.uk Fri May 9 11:59:52 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 09 May 2008 16:59:52 +0100 Subject: [c-nsp] SSH Authoized Keys? In-Reply-To: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> Message-ID: <482474F8.4040206@imperial.ac.uk> Chris Riling wrote: > Hey Guys, > > I've done some research on SSH in IOS and I've only been able to find > "the usual" information on how to implement SSH; (generate keys, change > transport, etc.) but I'm more interested in seeing if I can use key files > for authentication without a password. I've read that you can do it on the > IDS boxes, but I haven't found anything on routers/switches... Any ideas? It's not supported :o( I've never heard a good justification from Cisco as to why. Does anyone know if a bug/feature request was ever opened? From dr at cluenet.de Fri May 9 12:02:08 2008 From: dr at cluenet.de (Daniel Roesen) Date: Fri, 9 May 2008 18:02:08 +0200 Subject: [c-nsp] SSH Authoized Keys? 
In-Reply-To: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> Message-ID: <20080509160208.GA12439@srv01.cluenet.de> On Fri, May 09, 2008 at 10:51:20AM -0400, Chris Riling wrote: > I've done some research on SSH in IOS and I've only been able to find > "the usual" information on how to implement SSH; (generate keys, change > transport, etc.) but I'm more interested in seeing if I can use key files > for authentication without a password. I've read that you can do it on the > IDS boxes, but I haven't found anything on routers/switches... Any ideas? No, Cisco persistently doesn't understand this requirement of the user base. I'm sure there is "no customer demand" as usual. Best regards, Daniel -- CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0 From mtinka at globaltransit.net Fri May 9 12:34:37 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Sat, 10 May 2008 00:34:37 +0800 Subject: [c-nsp] SSH Authoized Keys? In-Reply-To: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> Message-ID: <200805100034.45748.mtinka@globaltransit.net> On Friday 09 May 2008, Chris Riling wrote: > I've done some research on SSH in IOS and I've only > been able to find "the usual" information on how to > implement SSH; (generate keys, change transport, etc.) > but I'm more interested in seeing if I can use key files > for authentication without a password. I've read that you > can do it on the IDS boxes, but I haven't found anything > on routers/switches... Any ideas? AFAIK, IOS routers will not store SSH keys for private/public-based authentication. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 832 bytes Desc: This is a digitally signed message part. 
From jeff-kell at utc.edu Fri May 9 13:22:51 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Fri, 09 May 2008 13:22:51 -0400 Subject: [c-nsp] ASIC distribution in 3550-12? Message-ID: <4824886B.30809@utc.edu> Anyone know offhand the ASIC count and port distribution for this switch? It doesn't have the 'show asic' or 'show platform asic' options. I'm setting up etherchannels and wondering if the port distribution is worthy of any concerns (as it is on some oversubscribed blades/asics). Jeff

From colin at netech.ie Fri May 9 13:41:05 2008 From: colin at netech.ie (Colin Whittaker) Date: Fri, 9 May 2008 18:41:05 +0100 Subject: [c-nsp] SSH Authoized Keys? In-Reply-To: <482474F8.4040206@imperial.ac.uk> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> <482474F8.4040206@imperial.ac.uk> Message-ID: <20080509174105.GC19800@infiltrator.gizzard.com> On Fri, May 09, 2008 at 04:59:52PM +0100, Phil Mayers wrote: > I've never heard a good justification from Cisco as to why. Does anyone > know if a bug/feature request was ever opened? The answer I have heard from Cisco is that doing so would place a runtime dependency on the storage. It is reasonably safe to erase the nvram and format the flash on a running box. If your authorised keys file was on the flash or nvram then it failing would lock you out of the device. You could put the keys into the config but the config could get messy. Colin -- Colin Whittaker +353 (0)86 8211 965 http://colin.netech.ie colin at netech.ie

From A.L.M.Buxey at lboro.ac.uk Fri May 9 14:02:25 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Fri, 9 May 2008 19:02:25 +0100 Subject: [c-nsp] SSH Authoized Keys?
In-Reply-To: <20080509174105.GC19800@infiltrator.gizzard.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> <482474F8.4040206@imperial.ac.uk> <20080509174105.GC19800@infiltrator.gizzard.com> Message-ID: <20080509180225.GB8290@lboro.ac.uk> Hi, > You could put the keys into the config but the config could get messy. Messy? Have you SEEN the IOS config after you've enabled SSH, QoS and .1X? ;-) Having a few lines of ssh-key username blah h98rygfj4r98iqgh890qy94ytq8v94qyt89cyn48ty3vq98tyv89y3tv8y438tv9y f4n3uihrgu8iwa7fiy6o43q98ht89q-hcn8f43qyfh48q9p8gfvy3qtr98vcy4q8t fj483v9qphfc80943qyf094y3qtv709y4qp98htr9qytb0qyt8rqugfirhgw754u7 vc9rqgfvc749vqc dss etc etc (PS that's random typing on the keyboard... so sorry if I've just given away your private key! ;-) ) wouldn't be an issue. alan

From ddunkin at netos.net Fri May 9 14:33:16 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Fri, 9 May 2008 11:33:16 -0700 Subject: [c-nsp] SSH Authoized Keys? References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com><482474F8.4040206@imperial.ac.uk> <20080509174105.GC19800@infiltrator.gizzard.com> Message-ID: <56F5BC5F404CF84896C447397A1AAF20337CA1@MAIL.nosi.netos.com> This is what local backup logins are for, you can revert to passwords in the rare case it is needed (while having the convenience the other 99.9% of the time). Same deal with TACACS, if your servers are unreachable, you can still login using a local login/password from the NVRAM. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Colin Whittaker Sent: Friday, May 09, 2008 10:41 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] SSH Authoized Keys? On Fri, May 09, 2008 at 04:59:52PM +0100, Phil Mayers wrote: > I've never heard a good justification from Cisco as to why. Does anyone > know if a bug/feature request was ever opened?
The answer I have heard from Cisco is that doing so would place a runtime dependency on the storage. It is reasonably safe to erase the nvram and format the flash on a running box. If your authorised keys file was on the flash or nvram then it failing would lock you out of the device. You could put the keys into the config but the config could get messy. Colin -- Colin Whittaker +353 (0)86 8211 965 http://colin.netech.ie colin at netech.ie

From criling at gmail.com Fri May 9 14:46:59 2008 From: criling at gmail.com (Chris Riling) Date: Fri, 9 May 2008 14:46:59 -0400 Subject: [c-nsp] SSH Authoized Keys? In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20337CA1@MAIL.nosi.netos.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> <482474F8.4040206@imperial.ac.uk> <20080509174105.GC19800@infiltrator.gizzard.com> <56F5BC5F404CF84896C447397A1AAF20337CA1@MAIL.nosi.netos.com> Message-ID: <8c829ec10805091146l12659a09x7816ff94656c705@mail.gmail.com> Thanks for the info! We should get someone to open a feature request... Chris On 5/9/08, Darryl Dunkin wrote: > > This is what local backup logins are for, you can revert to passwords in > the rare case it is needed (while having the convenience the other 99.9% > of the time). Same deal with TACACS, if your servers are unreachable, > you can still login using a local login/password from the NVRAM. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Colin Whittaker > Sent: Friday, May 09, 2008 10:41 > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SSH Authoized Keys? > > On Fri, May 09, 2008 at 04:59:52PM +0100, Phil Mayers wrote: > > I've never heard a good justification from Cisco as to why.
Does > anyone > > know if a bug/feature request was ever opened? > > The answer I have heard from Cisco is that doing so would place a > runtime dependency on the storage. > It is reasonably safe to erase the nvram and format the flash on a > running box. If your authorised keys file was on the flash or nvram then > it failing would lock you out of the device. > > You could put the keys into the config but the config could get messy. > > Colin > -- > Colin Whittaker +353 (0)86 8211 965 > http://colin.netech.ie colin at netech.ie > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Colin at 2cups.com Fri May 9 13:50:46 2008 From: Colin at 2cups.com (Colin McNamara) Date: Fri, 09 May 2008 10:50:46 -0700 Subject: [c-nsp] SSH Authoized Keys? In-Reply-To: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> Message-ID: <48248EF6.9050504@2cups.com> The general workaround is to use an expect script for your authentication to the device. -- Colin McNamara (858)208-8105 CCIE #18233,RHCE,GCIH http://www.colinmcnamara.com http://www.linkedin.com/in/colinmcnamara "The difficult we do immediately, the impossible just takes a little longer" Chris Riling wrote: > Hey Guys, > > I've done some research on SSH in IOS and I've only been able to find > "the usual" information on how to implement SSH; (generate keys, change > transport, etc.) but I'm more interested in seeing if I can use key files > for authentication without a password.
I've read that you can do it on the > IDS boxes, but I haven't found anything on routers/switches... Any ideas? > > Thanks, > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From felixnkansah at gmail.com Fri May 9 15:49:39 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 9 May 2008 19:49:39 +0000 Subject: [c-nsp] Simulating high Latency on LAN Message-ID: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> Hi, I am trying to simulate a latency of 128kbps of bandwidth and 50ms+ latency in a lab. Anyone got an idea of how to do so. Limiting the bandwidth isn't a problem, but the latency still remains at 1ms. Please give me an idea. I am trying to test a Cisco WAAS setup and obtaining such latency between the appliances in my mock offices would be more apt for this demo. Regards, Felix From egirard at focustsi.com Fri May 9 16:05:54 2008 From: egirard at focustsi.com (Eric Girard) Date: Fri, 9 May 2008 16:05:54 -0400 Subject: [c-nsp] Simulating high Latency on LAN In-Reply-To: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> References: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> Message-ID: Felix, There is an ISO image available on CCO that has a prepackaged install of NISTnet with a nice little wrapper script. If memory serves me correctly, it is in the WAAS download area, and there is a link to industry tools or something similar. I have used that successfully on a number of occasions in our WAAS practice. 
Eric -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah Sent: Friday, May 09, 2008 3:50 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Simulating high Latency on LAN Hi, I am trying to simulate a latency of 128kbps of bandwidth and 50ms+ latency in a lab. Anyone got an idea of how to do so. Limiting the bandwidth isn't a problem, but the latency still remains at 1ms. Please give me an idea. I am trying to test a Cisco WAAS setup and obtaining such latency between the appliances in my mock offices would be more apt for this demo. Regards, Felix _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jasongurtz at npumail.com Fri May 9 16:09:45 2008 From: jasongurtz at npumail.com (Jason Gurtz) Date: Fri, 9 May 2008 16:09:45 -0400 Subject: [c-nsp] Simulating high Latency on LAN In-Reply-To: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> References: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> Message-ID: > I am trying to simulate a latency of 128kbps of bandwidth and 50ms+ > latency in a lab. This came up on nanog just the other day. See the thread, "Introducing latency for testing," in the archives: <http://nanog.markmail.org/message/okvf2ugvuclachhw?q=introducing+latency+for+testing> ~JasonG -- From felixnkansah at gmail.com Fri May 9 16:10:28 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 9 May 2008 20:10:28 +0000 Subject: [c-nsp] Simulating high Latency on LAN In-Reply-To: References: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> Message-ID: <18dba4e50805091310q2de1ada2ibfccd66122897ea4@mail.gmail.com> Thanks Grenier and Eric.
Would take a look at the NISTnet package. Felix From alaerte.vidali at nsn.com Fri May 9 20:11:08 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Fri, 9 May 2008 19:11:08 -0500 Subject: [c-nsp] ICMP Packet too big attack In-Reply-To: References: Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> Hi, Have you heard about attacks trying to explore generation of packet too big ICMP messages? Tks, Alaerte From mehmet.suzen at physics.org Fri May 9 20:45:20 2008 From: mehmet.suzen at physics.org (Mehmet Suzen) Date: Sat, 10 May 2008 02:45:20 +0200 Subject: [c-nsp] ICMP Packet too big attack In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> Message-ID: <8c4169d00805091745o8552235x2fedefc1d377db58@mail.gmail.com> hi, kind of smurf maybe? http://www.phrack.org/issues.html?issue=55&id=10&mode=txt Mehmet Suzen On Sat, May 10, 2008 at 2:11 AM, wrote: > > Hi, > > Have you heard about attacks trying to explore generation of packet too > big ICMP messages? > > Tks, > Alaerte > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From kgraham at industrial-marshmallow.com Sat May 10 05:03:12 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Sat, 10 May 2008 02:03:12 -0700 (PDT) Subject: [c-nsp] SSH Authoized Keys? Message-ID: <423954.59306.qm@web904.biz.mail.mud.yahoo.com> > The answer I have heard from Cisco is that doing so would place a > runtime dependency on the storage. [...] > You could put the keys into the config but the config could get messy. RSA crypto keyrings are a little noisy, but well organized, hardly anything new, nor any different failure mode than IPSec PSK or local AAA auth.
For huge chains, obviously there are more appropriate solutions (k5, x509 ssh when it becomes more prevalent, etc), but one size need not fit all. This seems perfectly reasonable:

username autotool access-class 50 keyring TOOLS priv 15
access-list 50 permit host 192.0.2.5
crypto keyring TOOLS
 ssh-dsa-pubkey name rancid
  key-string
   30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
   00CBEE5F F1A0C22C 4676CB80 A544722D 8819D3CC 5B3CC25C 27729F36 E2F98831
   9CDD59DD BDE67C87 8913C9B0 C67B8612 94EABF60 E0527290 0AB6DDD5 EECF94D0
   16137838 49CA5FA9 8D62A8FC 61CBE600 7714F617 ADCEDCFF D6C62E07 8222D75D
   6910F3A2 27C5405A ED97EC81 9873FF3B CDC92B13 5D118E0E 08D2D78F 53F78901
   167CCB1B C7FED675 B54CA739 AC79EB6F 45C77406 13503DB7 B468BBFF 4E4FD339
   792D645F A545521F 730AE2AC D34BA82A 9986722A 42EA5CF7 00403909 4E906932
   7FFC93DF 972F3A34 CA972B47 7C59EB48 E58E81BE E5365D70 669653A4 031CB8C3
   31288E26 47AC7190 FE8FAE7B 160DF077 13050132 F25D5A35 E4C2F976 6F9FDD2A
   75020301 0001

Per-user administration of keys for local authentication is ugly, but that's the case today with password auth as well (i.e. no way to allow a user to change their password and only their password). Presently, my gripe with SSH on IOS is the lack of being able to determine whether it's enabled from inspecting the config. Without this or a means to nondestructively 'crypto key generate rsa general modulus 1024', enabling ssh is entirely manual. I can accept that RANCID-style login-in-and-screenscrape approaches already require enough expect (or similar) interaction that there's little need, but with NETCONFoSSH, it's becoming less acceptable. [...obcomplaint that with the increasing fragmentation of operating systems that any requests like this become a shot in the dark with regards to consistent implementation or timing, as compared to very nice and very much appreciated job keeping 12.2SE and 12.2SG frequently resyncing to 12.2S to bring over non-core CLI and management functionality...]
From paul.cosgrove at heanet.ie Sat May 10 08:19:54 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Sat, 10 May 2008 13:19:54 +0100 Subject: [c-nsp] ICMP Packet too big attack In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> Message-ID: <482592EA.3080200@heanet.ie> Hi Alaerte, The attack is intended to force PMTUD to lower the outgoing packet size. This increases fragmentation of outgoing packets and thus load on the processor. Cisco IOS was modified to mitigate against, but not prevent, such attacks. I think the change was just to delay the response to such packets. I forget in which versions this was first implemented, but I think it was about 18 months ago. Paul. alaerte.vidali at nsn.com wrote: > > Hi, > > Have you heard about attacks trying to explore generation of packet too > big ICMP messages? > > Tks, > Alaerte > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > -- HEAnet Limited Ireland's Education & Research Network 5 George's Dock, IFSC, Dublin 1, Ireland Tel: +353.1.6609040 Web: http://www.heanet.ie Company registered in Ireland: 275301 Please consider the environment before printing this e-mail. From maillist at webjogger.net Sat May 10 08:53:31 2008 From: maillist at webjogger.net (Adam Greene) Date: Sat, 10 May 2008 08:53:31 -0400 Subject: [c-nsp] is RPF strict mode common? References: <003301c8b10c$c53c81e0$12140a0a@GINKGO><200805082219.02149.mtinka@globaltransit.net><2C05E949E19A9146AF7BDF9D44085B863500B0E668@exchange.aoihq.local> Message-ID: <004501c8b29c$d96cfd20$12140a0a@GINKGO> Thanks, Eric, Robert, for the additional info ... The GBLX communities list is very handy ... we'll probably make use of these as well. Thanks again.
----- Original Message ----- From: "Robert Blayzor" To: Sent: Friday, May 09, 2008 10:26 AM Subject: Re: [c-nsp] is RPF strict mode common? > RFC3704, Section 5 seems to have the best information on the use of > ingress/edge filtering and the use of loose/strict RPF. > > -- > Robert Blayzor, BOFH > INOC, LLC > rblayzor at inoc.net > http://www.inoc.net/~rblayzor/ > > Mac OS X. Because making Unix user-friendly is easier than debugging > Windows. > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > From eugeniu.patrascu at gmail.com Sat May 10 11:11:31 2008 From: eugeniu.patrascu at gmail.com (Eugeniu Patrascu) Date: Sat, 10 May 2008 18:11:31 +0300 Subject: [c-nsp] Simulating high Latency on LAN In-Reply-To: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> References: <18dba4e50805091249o3d819b79j6f3784503d362836@mail.gmail.com> Message-ID: <4825BB23.4050006@gmail.com> Felix Nkansah wrote: > Hi, > > I am trying to simulate a latency of 128kbps of bandwidth and 50ms+ latency > in a lab. > > Anyone got an idea of how to do so. Limiting the bandwidth isn't a problem, > but the latency still remains at 1ms. > > Please give me an idea. > > I am trying to test a Cisco WAAS setup and obtaining such latency between > the appliances in my mock offices would be more apt for this demo. > > You can use a Linux box with netsim kernel module and with tc from iproute2 you can simulate link speed and delays to whatever you need for testing. From tdurack at gmail.com Sat May 10 12:09:09 2008 From: tdurack at gmail.com (Tim Durack) Date: Sat, 10 May 2008 12:09:09 -0400 Subject: [c-nsp] Microsoft NLB vs Cisco Message-ID: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> Anyone using Microsoft NLB Multicast mode for a cluster? 
It requires a static arp entry on Cisco, as the cluster ip resolves to a multicast mac, which can't/shouldn't be learned via arp. So we do something like: "arp a.b.c.d 0100.5e7f.xxyy arpa" Apparently this results in software switching the adjacency on a Sup720, which is painful to say the least. Any suggestions? Tim:> From alaerte.vidali at nsn.com Sat May 10 13:57:19 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Sat, 10 May 2008 12:57:19 -0500 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <482592EA.3080200@heanet.ie> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> Hi, Any document about how is the processing of a packet received on interface A toward interface B, where interface B has lower MTU than received packet and DF bit is set? (like description of the process) (considering CPU impact and if default limitation of ICMP generation enough when the number of packets is very high) Thanks, Alaerte From paul.cosgrove at heanet.ie Sat May 10 14:53:26 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Sat, 10 May 2008 19:53:26 +0100 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> Message-ID: <4825EF26.7090000@heanet.ie> Hi Alaerte, This will be dependent on the hardware, traffic types, throughput and software version/configuration. You may need to explain a little more in order to get an adequate answer to your question. Large numbers of packets from a handful of hosts running PMTUD may require a smaller number of ICMP notifications than would be necessary for a larger number of hosts sending less traffic. 
The difference in the MTUs, and the sizes of the incoming packets will also affect the proportion of traffic which triggers notifications. Similarly protocols running on the router itself may require their packets to be fragmented. Paul. alaerte.vidali at nsn.com wrote: > Hi, > > Any document about how is the processing of a packet received on > interface A toward interface B, where interface B has lower MTU than > received packet and DF bit is set? > > (like description of the process) > > (considering CPU impact and if default limitation of ICMP generation > enough when the number of packets is very high) > > Thanks, > Alaerte > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From alaerte.vidali at nsn.com Sat May 10 16:39:23 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Sat, 10 May 2008 15:39:23 -0500 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <4825EF26.7090000@heanet.ie> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> Thanks Paul, I would like to find information about processing on the 7609 under this situation, for traffic coming from the Internet, normally users downloading files or watching videos. Because of internal network design requirements, it is necessary to decrease the internal MTU to slightly lower than 1500 bytes, so I would like to know how the 7609 will handle a high number (in the worst case, or attacks) of packets with a high MTU and the DF bit set.
Br, Alaerte -----Original Message----- From: ext Paul Cosgrove [mailto:paul.cosgrove at heanet.ie] Sent: Saturday, May 10, 2008 9:53 PM To: Vidali Alaerte (NSN - BR/Rio de Janeiro) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco Processing Regarding ICMP Hi Alaerte, This will be dependent on the hardware, traffic types, throughput and software version/configuration. You may need to explain a little more in order to get an adequate answer to your question. Large numbers of packets from a handful of hosts running PMTUD may require a smaller number of ICMP notifications than would be necessary for a larger number of hosts sending less traffic. The difference in the MTUs, and the sizes of the incoming packets will also affect the proportion of traffic which triggers notifications. Similarly protocols running on the router itself may require their packets to be fragmented. Paul. alaerte.vidali at nsn.com wrote: > Hi, > > Any document about how is the processing of a packet received on > interface A toward interface B, where interface B has lower MTU than > received packet and DF bit is set? 
> > (like description of the process) > > (considering CPU impact and if default limitation of ICMP generation > enough when the number of packets is very high) > > Thanks, > Alaerte > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From peter at rathlev.dk Sat May 10 16:48:23 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Sat, 10 May 2008 22:48:23 +0200 Subject: [c-nsp] Microsoft NLB vs Cisco In-Reply-To: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> References: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> Message-ID: <1210452503.6939.6.camel@dusken.sys.mjna.net> On Sat, 2008-05-10 at 12:09 -0400, Tim Durack wrote: > Anyone using Microsoft NLB Multicast mode for a cluster? > > It requires a static arp entry on Cisco, as the cluster ip resolves to > a multicast mac, which can't/shouldn't be learned via arp. I find that a very irritating requirement of the MS NLB. :-) > So we do something like: "arp a.b.c.d 0100.5e7f.xxyy arpa" > Apparently this results in software switching the adjacency on a > Sup720, which is painful to say the least. > > Any suggestions? I guess you're referring to CSCee49121 "static ARPs dont create adjs when used with routes pointing at intf". I thought this was only a problem if you used it like this: ip route 10.11.12.13 255.255.255.255 Gi1/1 arp 10.11.12.13 030b.adc0.ffee Gi1/1 Is the problem also there without the route statement? We use it against two MS NLBs, and we don't see any problems. The traffic doesn't seem to be software switched, but apart from consulting Feature Manager and looking at the CPU interrupt usage, I'm not completely sure how to check it. How do you do it? 
Regards, Peter From have.an.email at gmail.com Sat May 10 16:55:41 2008 From: have.an.email at gmail.com (Nathan) Date: Sat, 10 May 2008 22:55:41 +0200 Subject: [c-nsp] L2TP arriving inside a VRF? Message-ID: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> Hi, I have PPP over L2TP arriving on a router on a dedicated interface, and radius tells the router in which VRF to place the PPP connection; so far so good. I would like to have the network on which the L2TP connections arrive placed into a VRF. The IP address that the L2TP sessions are established with would be in a VRF. Of course the PPP connections must still arrive in the same VRF as before. Radius requests could be made using the global table or in the L2TP vrf, it doesn't matter to me. The reason for this is that the L2TP tunnels are coming from a network that should not be accessed by my clients, and by very few of my routers, I'd prefer to keep it apart. On a hunch I tried setting a "vpn vrf XXXX" in the vpdn group, but it doesn't seem to be that simple. Is this easily done / well tested / well supported enough to be used in production? Thanks, -- Nathan From dwinkworth at wi.rr.com Sat May 10 17:29:20 2008 From: dwinkworth at wi.rr.com (Wink) Date: Sat, 10 May 2008 16:29:20 -0500 Subject: [c-nsp] L2TP arriving inside a VRF? In-Reply-To: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> References: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> Message-ID: <482613B0.4050403@wi.rr.com> http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftvpdnmh.html This seems to be what you are looking for, except it looks like you already did this. hmm.... Nathan wrote: > Hi, > > I have PPP over L2TP arriving on a router on a dedicated interface, > and radius tells the router in which VRF to place the PPP connection; > so far so good. > > I would like to have the network on which the L2TP connections arrive > placed into a VRF. 
The IP address that the L2TP sessions are > established with would be in a VRF. Of course the PPP connections must > still arrive in the same VRF as before. Radius requests could be made > using the global table or in the L2TP vrf, it doesn't matter to me. > > The reason for this is that the L2TP tunnels are coming from a network > that should not be accessed by my clients, and by very few of my > routers, I'd prefer to keep it apart. > > On a hunch I tried setting a "vpn vrf XXXX" in the vpdn group, but it > doesn't seem to be that simple. > > Is this easily done / well tested / well supported enough to be used > in production? > > Thanks, > From pshem.k at gmail.com Sat May 10 17:34:45 2008 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Sun, 11 May 2008 09:34:45 +1200 Subject: [c-nsp] L2TP arriving inside a VRF? In-Reply-To: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> References: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> Message-ID: <20fe625b0805101434t64d5662al3678c8ebbfabd6a7@mail.gmail.com> HI, 2008/5/11 Nathan : > Hi, > > I have PPP over L2TP arriving on a router on a dedicated interface, > and radius tells the router in which VRF to place the PPP connection; > so far so good. > > I would like to have the network on which the L2TP connections arrive > placed into a VRF. The IP address that the L2TP sessions are > established with would be in a VRF. Of course the PPP connections must > still arrive in the same VRF as before. Radius requests could be made > using the global table or in the L2TP vrf, it doesn't matter to me. > > The reason for this is that the L2TP tunnels are coming from a network > that should not be accessed by my clients, and by very few of my > routers, I'd prefer to keep it apart. > > On a hunch I tried setting a "vpn vrf XXXX" in the vpdn group, but it > doesn't seem to be that simple. > > Is this easily done / well tested / well supported enough to be used > in production? 
We have a slightly different setup, but it might be of some help to you. Our L2TP arrives in a vrf and then another L2TP tunnel is established with another device on our network (also into a vrf). I believe you can decapsulate the PPP the same way, just by changing the radius response to simply accept the user (without specifying the tunnel parameters). We use 7301 for that, IOS 12.4(16). Radius sits in a vrf.

aaa authorization network default group radiusProxy
aaa group server radius radiusProxy
 server-private 10.173.15.7 auth-port 1812 acct-port 1813 key 7 xxx
 server-private 10.173.15.8 auth-port 1812 acct-port 1813 key 7 xxx
 ip vrf forwarding ExternalL2TP
 ip radius source-interface Loopback2
vpdn enable
vpdn multihop
vpdn search-order multihop-hostname
!
vpdn-group TCNZ
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
 vpn vrf ExternalL2TP
 local-name akl-mdr-lts1
 lcp renegotiation always
 l2tp tunnel hello 300
 l2tp tunnel password 0 xxx
 l2tp tunnel timeout no-session 1800
 l2tp tunnel retransmit retries 7
 l2tp tunnel retransmit timeout min 2
 l2tp tunnel retransmit timeout max 5

and our standard radius response (freeradius syntax):

DEFAULT Service-Type == Outbound-User, User-Name =~ "^host:", NAS-Identifier =~ "^akl-mdr-lts1", Auth-Type := Accept
        Cisco-AVPair += "vpdn:ip-addresses=10.173.255.93/10.173.255.92",
        Cisco-AVPair += "vpdn:tunnel-type=l2tp",
        Cisco-AVPair += "vpdn:vpn-vrf=InternalL2TP",
        Cisco-AVPair += "vpdn:l2tp-tunnel-password=xxxx"

kind regards Pshem From tdurack at gmail.com Sat May 10 17:38:44 2008 From: tdurack at gmail.com (Tim Durack) Date: Sat, 10 May 2008 17:38:44 -0400 Subject: [c-nsp] Microsoft NLB vs Cisco In-Reply-To: <1210452503.6939.6.camel@dusken.sys.mjna.net> References: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> <1210452503.6939.6.camel@dusken.sys.mjna.net> Message-ID: <9e246b4d0805101438w75f14328n7d2816708bfba8ee@mail.gmail.com> On Sat, May 10, 2008 at 4:48 PM, Peter Rathlev wrote: > On Sat, 2008-05-10 at 12:09 -0400,
Tim Durack wrote: >> Anyone using Microsoft NLB Multicast mode for a cluster? >> >> It requires a static arp entry on Cisco, as the cluster ip resolves to >> a multicast mac, which can't/shouldn't be learned via arp. > > I find that a very irritating requirement of the MS NLB. :-) > >> So we do something like: "arp a.b.c.d 0100.5e7f.xxyy arpa" >> Apparently this results in software switching the adjacency on a >> Sup720, which is painful to say the least. >> >> Any suggestions? > > I guess you're referring to CSCee49121 "static ARPs dont create adjs > when used with routes pointing at intf". I thought this was only a > problem if you used it like this: > > ip route 10.11.12.13 255.255.255.255 Gi1/1 > arp 10.11.12.13 030b.adc0.ffee Gi1/1 > > Is the problem also there without the route statement? We use it against > two MS NLBs, and we don't see any problems. The traffic doesn't seem to > be software switched, but apart from consulting Feature Manager and > looking at the CPU interrupt usage, I'm not completely sure how to check > it. How do you do it? No static route - maybe that's the difference. Educated guess work. CPU is running >90%. Install a CoPP policy dropping the traffic, and CPU drops back to a more normal ~30%. Monday I plan to try a SPAN against the rp, and see what is hitting it. I need this to tune CoPP anyway. > Regards, > Peter > > > From ariev at vayner.net Sun May 11 00:35:38 2008 From: ariev at vayner.net (Arie Vayner) Date: Sun, 11 May 2008 07:35:38 +0300 Subject: [c-nsp] Microsoft NLB vs Cisco In-Reply-To: <9e246b4d0805101438w75f14328n7d2816708bfba8ee@mail.gmail.com> References: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> <1210452503.6939.6.camel@dusken.sys.mjna.net> <9e246b4d0805101438w75f14328n7d2816708bfba8ee@mail.gmail.com> Message-ID: <20b13c6b0805102135j71d3d6e5x95bbd3f34d853d19@mail.gmail.com> Tim, May I offer another approach? Maybe you could just drop NLB, and use the IP SLB feature you have inside your Sup720? 
Arie On Sun, May 11, 2008 at 12:38 AM, Tim Durack wrote: > On Sat, May 10, 2008 at 4:48 PM, Peter Rathlev wrote: > > On Sat, 2008-05-10 at 12:09 -0400, Tim Durack wrote: > >> Anyone using Microsoft NLB Multicast mode for a cluster? > >> > >> It requires a static arp entry on Cisco, as the cluster ip resolves to > >> a multicast mac, which can't/shouldn't be learned via arp. > > > > I find that a very irritating requirement of the MS NLB. :-) > > > >> So we do something like: "arp a.b.c.d 0100.5e7f.xxyy arpa" > >> Apparently this results in software switching the adjacency on a > >> Sup720, which is painful to say the least. > >> > >> Any suggestions? > > > > I guess you're referring to CSCee49121 "static ARPs dont create adjs > > when used with routes pointing at intf". I thought this was only a > > problem if you used it like this: > > > > ip route 10.11.12.13 255.255.255.255 Gi1/1 > > arp 10.11.12.13 030b.adc0.ffee Gi1/1 > > > > Is the problem also there without the route statement? We use it against > > two MS NLBs, and we don't see any problems. The traffic doesn't seem to > > be software switched, but apart from consulting Feature Manager and > > looking at the CPU interrupt usage, I'm not completely sure how to check > > it. How do you do it? > > No static route - maybe that's the difference. > > Educated guess work. CPU is running >90%. Install a CoPP policy > dropping the traffic, and CPU drops back to a more normal ~30%. > > Monday I plan to try a SPAN against the rp, and see what is hitting > it. I need this to tune CoPP anyway. 
> > > Regards, > > Peter > > > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pshem.k at gmail.com Sun May 11 04:22:46 2008 From: pshem.k at gmail.com (Pshem Kowalczyk) Date: Sun, 11 May 2008 20:22:46 +1200 Subject: [c-nsp] Huge number of input queue drops on 6500 Message-ID: <20fe625b0805110122s6aa02304n5180f3bb48fb2b0a@mail.gmail.com> Hi All, We just discovered a very weird problem, we're not sure what to attribute it to. We run a port-channel between a cisco (6509E, WS-X6548-GE-TX) and a Huawei NE40E. Port channel consists of 2 copper links and runs at about 1.2G. We've noticed huge number of input queue drops and overruns: akl-grafton-bdr1#sh int gi2/8 controller GigabitEthernet2/8 is up, line protocol is up (connected) Hardware is C6k 1000Mb 802.3, address is 0009.1259.50ab (bia 0009.1259.50ab) Description: akl-grafton-edge2 (gi1/0/1) MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, reliability 255/255, txload 2/255, rxload 134/255 Encapsulation ARPA, loopback not set Full-duplex, 1000Mb/s input flow-control is off, output flow-control is desired Clock mode is auto ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:16, output hang never Last clearing of "show interface" counters 00:08:10 Input queue: 0/2000/2456215/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 5 minute input rate 527858000 bits/sec, 84768 packets/sec 5 minute output rate 8797000 bits/sec, 4316 packets/sec 37730092 packets input, 29406534349 bytes, 0 no buffer Received 2546 broadcasts (864 multicast) 0 runts, 0 giants, 0 throttles 0 input errors, 0 CRC, 0 frame, 2456196 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 1923154 packets output, 495893834 bytes, 0 underruns 0 output errors, 0 
collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out the port-channel status: Channel-group listing: ----------------------- Group: 1 ---------- Port-channels in the group: ---------------------- Port-channel: Po1 ------------ Age of the Port-channel = 227d:06h:23m:31s Logical slot/port = 14/1 Number of ports = 2 GC = 0x00000000 HotStandBy port = null Port state = Port-channel Ag-Inuse Protocol = - Ports in the Port-channel: Index Load Port EC state No of bits ------+------+------+------------------+----------- 1 55 Gi2/5 On/FEC 4 0 AA Gi2/8 On/FEC 4 Time since last port bundled: 31d:19h:44m:47s Gi2/5 Time since last port Un-bundled: 123d:16h:48m:20s Gi2/8 the overruns and input queue drops show on both interfaces. I suspect it might have something to do with the port-channel, since none of the native links between our Cisco and Huawei seems to suffer from the same problem. I cannot easily replace the port channel, and after reading some documentation the only thing I found that could potentially help is to change the hold-queue on the 6500. The other end doesn't show any issues and packets are only getting dropped from the NE40E to the 6500. I know that the issue might not be caused by cisco, but perhaps any of you encountered something similar kind regards Pshem From skeeve at skeeve.org Sun May 11 04:36:57 2008 From: skeeve at skeeve.org (Skeeve Stevens) Date: Sun, 11 May 2008 18:36:57 +1000 Subject: [c-nsp] Static route based on name Message-ID: Hey all, I have a customer who has an 1841 with 2 ADSL2 connections which works well for the most part. Occasionally a website is stressed by the load balanced connections coming from two source ip's and generally we just put a static rule in for that site to go out one or the other connections. But. 
he is having issues with YouTube which isn't liking the load balancing and they use a lot of different IP addresses.

Is there a way to use an outbound route-map which matches based on a URL regex? i.e. *.youtube.com

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From pshem.k at gmail.com Sun May 11 04:50:52 2008
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Sun, 11 May 2008 20:50:52 +1200
Subject: [c-nsp] Static route based on name
In-Reply-To:
References:
Message-ID: <20fe625b0805110150j2c3ccbe9o2ac871954c5c133@mail.gmail.com>

2008/5/11 Skeeve Stevens :
>
> Hey all,
{cut}
>
> Is there a way to use an outbound route-map which matches based on a url
> regex? i.e. *.youtube.com

I don't know if you can match a string within an http request, but definitely you can match a youtube address range - 208.65.152.0/22.

kind regards
Pshem

From James.Baker at chelmer.co.nz Sun May 11 05:45:58 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Sun, 11 May 2008 21:45:58 +1200
Subject: [c-nsp] Static route based on name
In-Reply-To: <20fe625b0805110150j2c3ccbe9o2ac871954c5c133@mail.gmail.com>
References: <20fe625b0805110150j2c3ccbe9o2ac871954c5c133@mail.gmail.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD5417C9@chmaexch.chelmer.co.nz>

>>2008/5/11 Skeeve Stevens :
>>
>> Hey all,
>{cut}
>>
>> Is there a way to use an outbound route-map which matches based on a url
>> regex? i.e. *.youtube.com
>
>don't know if you can match a string within an http request, but
>definitely you can match a youtube address range - 208.65.152.0/22.

class-map match-all MATCH-HTTP
 match protocol http host *youtube.com*
From sthaug at nethelp.no Sun May 11 05:49:01 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sun, 11 May 2008 11:49:01 +0200 (CEST)
Subject: [c-nsp] Huge number of input queue drops on 6500
In-Reply-To: <20fe625b0805110122s6aa02304n5180f3bb48fb2b0a@mail.gmail.com>
References: <20fe625b0805110122s6aa02304n5180f3bb48fb2b0a@mail.gmail.com>
Message-ID: <20080511.114901.74716308.sthaug@nethelp.no>

> We just discovered a very weird problem, we're not sure what to
> attribute it to. We run a port-channel between a cisco (6509E,
> WS-X6548-GE-TX) and a Huawei NE40E. Port channel consists of 2 copper
> links and runs at about 1.2G. We've noticed huge number of input queue
> drops and overruns:

Entirely expected (we've seen similar). The 6548 is overbooked 8:1, each ASIC handling 8 ports with 1 Gig towards the backplane bus. 2/5 and 2/8 are on the same ASIC and drops are expected if you run above 1 Gbps.

You may have better luck if you spread the channels on two different ASICs. For high bandwidth applications a card with small or no overbooking is better (e.g. the 6724 / 6748 family).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From techconfig at yahoo.com Sun May 11 06:19:20 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Sun, 11 May 2008 03:19:20 -0700 (PDT)
Subject: [c-nsp] Internet vrf, pros and cons
Message-ID: <843374.39055.qm@web44814.mail.sp1.yahoo.com>

Thanks for all the replies.
Looks like I'll stick to running the ISP routes natively.

----- Original Message ----
From: Phil Mayers
To: Ryan Otis
Cc: Cisco-nsp
Sent: Tuesday, May 6, 2008 10:19:19 PM
Subject: Re: [c-nsp] Internet vrf, pros and cons

Ryan Otis wrote:
> Does this mean that even if you have a 6500 with a VIF inside a VRF, and
> you have a management station on the same VLAN as the VIF; you would be
> unable to send SNMP traps to the management station?

I haven't specifically tested SNMP traps, but that is my understanding. It's certainly the case for other stuff.

From avayner at cisco.com Sun May 11 07:24:28 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 11 May 2008 13:24:28 +0200
Subject: [c-nsp] Static route based on name
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501539B75@xmb-ams-331.emea.cisco.com>

Skeeve,

Not sure if this answers your question directly, but take a look at IOS Optimized Edge Routing:
http://www.cisco.com/en/US/docs/ios/12_4/oer/configuration/guide/hoer_c.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
Sent: Sunday, May 11, 2008 11:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Static route based on name

Hey all,

I have a customer who has an 1841 with 2 ADSL2 connections which works well for the most part.
Occasionally a website is stressed by the load balanced connections coming from two source IPs and generally we just put a static rule in for that site to go out one or the other connection. But. he is having issues with YouTube which isn't liking the load balancing and they use a lot of different IP addresses.

Is there a way to use an outbound route-map which matches based on a URL regex? i.e. *.youtube.com

.Skeeve

--
Skeeve Stevens, RHCE
skeeve at skeeve.org / www.skeeve.org
Cell +61 (0)414 753 383 / skype://skeeve
eintellego - skeeve at eintellego.net - www.eintellego.net
--
I'm a groove licked love child king of the verse
Si vis pacem, para bellum

From paul.cosgrove at heanet.ie Sun May 11 08:14:14 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Sun, 11 May 2008 13:14:14 +0100
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
Message-ID: <4826E316.7080906@heanet.ie>

Hi Alaerte,

Well the packets with DF set will be dropped, but I don't know what rate restrictions (if any) exist about the generation of ICMP notifications when this occurs. Perhaps someone else can provide that information.

Normally, PMTUD on the end devices should reduce the number of large packets you receive (in response to the ICMP notifications your router sends).
If PMTUD is broken or not used by those devices, for TCP traffic you have the option of having the router modify the segment size sent in transit SYN packets, to keep the packet size down. See:
http://www.cisco.com/en/US/docs/ios/ipapp/command/reference/iap_i2.html#wp1012558

Haven't used this with high rates of traffic though and am not sure of the impact the command itself will impose on the router's performance.

You may need to be more concerned about the effect of large IPv4 packets which do not have DF set, as I would imagine that they will put more of a load on the router as it fragments them. Keep in mind that certain multicast packets can greatly increase this effect.

Paul.

alaerte.vidali at nsn.com wrote:
> Thanks Paul,
>
> I would like to find information about processing on 7609 under this
> situation, from traffic coming from Internet, normally users downloading
> files or watching videos.
> Because internal network design requirements, it is necessary decrease
> internal MTU to slight lower than 1500 bytes, so I would like to know
> how 7609 will handle high number (in the worst case, or attacks) of
> packets with high MTU and DF bit set.
>
> Br,
> Alaerte
>
> -----Original Message-----
> From: ext Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
> Sent: Saturday, May 10, 2008 9:53 PM
> To: Vidali Alaerte (NSN - BR/Rio de Janeiro)
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco Processing Regarding ICMP
>
> Hi Alaerte,
>
> This will be dependent on the hardware, traffic types, throughput and
> software version/configuration. You may need to explain a little more
> in order to get an adequate answer to your question.
>
> Large numbers of packets from a handful of hosts running PMTUD may
> require a smaller number of ICMP notifications than would be necessary
> for a larger number of hosts sending less traffic.
> The difference in
> the MTUs, and the sizes of the incoming packets will also affect the
> proportion of traffic which triggers notifications. Similarly protocols
> running on the router itself may require their packets to be fragmented.
>
> Paul.
>
> alaerte.vidali at nsn.com wrote:
>
>> Hi,
>>
>> Any document about how is the processing of a packet received on
>> interface A toward interface B, where interface B has lower MTU than
>> received packet and DF bit is set?
>>
>> (like description of the process)
>>
>> (considering CPU impact and if default limitation of ICMP generation
>> enough when the number of packets is very high)
>>
>> Thanks,
>> Alaerte

From snar at paranoia.ru Sun May 11 08:32:10 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Sun, 11 May 2008 16:32:10 +0400
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <4826E316.7080906@heanet.ie>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <4826E316.7080906@heanet.ie>
Message-ID: <20080511123210.GA17379@paranoia.ru>

On Sun, May 11, 2008 at 01:14:14PM +0100, Paul Cosgrove wrote:
> Hi Alaerte,
>
> Well the packets with DF set will be dropped, but I don't know what rate
> restrictions (if any) exist about the generation of ICMP notifications
> when this occurs. Perhaps someone else can provide that information.

You can rate-limit ICMP generation due to MTU failures:

Router(config)#mls rate-limit all mtu-failure ?
  <10-1000000>  packets per second

but, by default it is not configured to any rate:

Router#show mls rate-limit
 Sharing Codes: S - static, D - dynamic
 Codes dynamic sharing: H - owner (head) of the group, g - guest of the group

   Rate Limiter Type        Status     Packets/s   Burst  Sharing
 ---------------------    ----------  ---------   -----  -------
[...]
           MTU FAILURE        Off          -          -      -

so, it's possible that a high rate of MTU failures will overload your 65xx/76xx..

From gert at greenie.muc.de Sun May 11 09:13:42 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 May 2008 15:13:42 +0200
Subject: [c-nsp] SSH Authoized Keys?
In-Reply-To: <20080509174105.GC19800@infiltrator.gizzard.com>
References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> <482474F8.4040206@imperial.ac.uk> <20080509174105.GC19800@infiltrator.gizzard.com>
Message-ID: <20080511131342.GR3278@greenie.muc.de>

Hi,

On Fri, May 09, 2008 at 06:41:05PM +0100, Colin Whittaker wrote:
> The answer I have heard from Cisco is that doing so would place a
> runtime dependency on the storage.
> It is reasonably safe to erase the nvram and format the flash on a
> running box. If your authorised keys file was on the flash or nvram then
> it failing would lock you out of the device.
>
> You could put the keys into the config but the config could get messy.

They seem to be able to handle that for things like IPSEC key material just fine (or with the system's RSA host keys).

Sounds like major "we don't want to think about it, so we come back with valid-sounding bullshit" to me.

Not like the SSH implementation in IOS is an example for well-behaving code otherwise... (I have a TAC case open since over a year on a SSH client bug - the case is "release pending" and everybody plays dead).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From philxor at gmail.com Sun May 11 09:23:28 2008
From: philxor at gmail.com (Phil Bedard)
Date: Sun, 11 May 2008 09:23:28 -0400
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
Message-ID: <709A29CE-2B9A-4C92-BBC8-64699B84BA5D@gmail.com>

There is a limiter in place on how many destination unreachable ICMP messages the MSFC will generate, I believe the default is 1 per 500ms. You can set a specific limiter on the DU, Code 4 ICMP messages (Fragmentation needed, DF bit set) the router generates. There are also limits on how many packets are sent to the MSFC that require DU messages be generated, but I don't remember that number off hand.

The packets that need to have an ICMP unreachable sent are punted to the MSFC so it can generate those messages. On some of the distributed systems, the line cards can generate those messages, but I don't know about the 7600/DFC and if that's the case.

In my tests, it does a good job by default of protecting the router from that type of situation. If it needs to legitimately generate thousands of ICMP messages per second, then the design needs to be changed.
:)

Phil

On May 10, 2008, at 4:39 PM, wrote:

> Thanks Paul,
>
> I would like to find information about processing on 7609 under this
> situation, from traffic coming from Internet, normally users downloading
> files or watching videos.
> Because internal network design requirements, it is necessary decrease
> internal MTU to slight lower than 1500 bytes, so I would like to know
> how 7609 will handle high number (in the worst case, or attacks) of
> packets with high MTU and DF bit set.
>
> Br,
> Alaerte
>
> -----Original Message-----
> From: ext Paul Cosgrove [mailto:paul.cosgrove at heanet.ie]
> Sent: Saturday, May 10, 2008 9:53 PM
> To: Vidali Alaerte (NSN - BR/Rio de Janeiro)
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco Processing Regarding ICMP
>
> Hi Alaerte,
>
> This will be dependent on the hardware, traffic types, throughput and
> software version/configuration. You may need to explain a little more
> in order to get an adequate answer to your question.
>
> Large numbers of packets from a handful of hosts running PMTUD may
> require a smaller number of ICMP notifications than would be necessary
> for a larger number of hosts sending less traffic. The difference in
> the MTUs, and the sizes of the incoming packets will also affect the
> proportion of traffic which triggers notifications. Similarly protocols
> running on the router itself may require their packets to be fragmented.
>
> Paul.
>
> alaerte.vidali at nsn.com wrote:
>> Hi,
>>
>> Any document about how is the processing of a packet received on
>> interface A toward interface B, where interface B has lower MTU than
>> received packet and DF bit is set?
>>
>> (like description of the process)
>>
>> (considering CPU impact and if default limitation of ICMP generation
>> enough when the number of packets is very high)
>>
>> Thanks,
>> Alaerte

From zivl at gilat.net Sun May 11 09:34:29 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 11 May 2008 16:34:29 +0300
Subject: [c-nsp] engineer opening
In-Reply-To: <3329cbb40805082226q19d26452m1fd6b569e0710008@mail.gmail.com>
References: <855686.64571.qm@web51401.mail.re2.yahoo.com> <3329cbb40805082226q19d26452m1fd6b569e0710008@mail.gmail.com>
Message-ID:

Pardon me, but this sounds like a lead for a joke... It's like too hard to contain yourself from making funny comments out of it. I'm so sorry, but am I the only one here that thinks like this?

Anyway, I agree with Dale that this might not be the right place to post such a message, though I think he knows that here there are a lot of guys that can meet the requirements and even more.

Based on his location and occupation (Manager Network & Security at Verisign, Inc. - San Francisco Bay area) I guess that answers the whereabouts of the job, right Manoj?
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale Shaw
Sent: Friday, May 09, 2008 8:27 AM
To: Manoj koshti
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] engineer opening

Hi,

On Fri, May 9, 2008 at 2:27 PM, Manoj koshti wrote:
>
> I am looking for Network and Security Engineer with 3 year of networking experience in cisco networking for graveyard shift

Do you realise this is a mailing list with global membership? You haven't specified where the position is based.

cheers,
Dale

From tik at lufttransport.no Sun May 11 09:51:38 2008
From: tik at lufttransport.no (Tor-Ivar Kristoffersen)
Date: Sun, 11 May 2008 15:51:38 +0200
Subject: [c-nsp] Router / Switch in front of Firewall
Message-ID: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no>

Hi all

This is my first post here, so I hope this gets in the right way :)

We have a 100mbit Internet Connection that we are building (this is a new line). We are setting in new eq. and we plan to move over 1 and 1 service.
We have a Fortigate 500A Firewall in front here, but we need to setup a router or switch or some other nice box in front of the firewall.

The reason for this is that we have a /21 net routed to this fw, but our supplier runs their eq. on 10.x.x.x IPs and they will not let their eq. be exposed by real IPs. So the issue for us comes when the FG500A is to communicate with the world: it sees that the default gw is on a 10.x.x.x net and therefore uses its own 10.x.x.x assigned IP address for transmitting this. This naturally gets dropped by the ISP.

Solution is to set a Cisco switch / router in front with 2 IFs. One with our legal IP and one with the 10.x address. This way this unit will become the default gw for our FG500A and will transmit with its real IP address.

But that leaves the question as to which unit to use in front. We have a couple of 2801 in stock, but they can't handle the traffic. We need something that can withstand an attack and at the same time deliver enough performance for the 100mb link.

All suggestions are welcomed, also if anyone has a similar setup and therefore has any hands-on experience with such a front end that would also be great.
Thanks

Best regards
Tor-Ivar Kristoffersen
IT Consultant
Lufttransport AS

"Horsepower is how hard you hit the wall, torque is how long you take the wall with you"

From gert at greenie.muc.de Sun May 11 11:58:01 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 May 2008 17:58:01 +0200
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com>
Message-ID: <20080511155800.GS3278@greenie.muc.de>

Hi,

On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com wrote:
> Because internal network design requirements, it is necessary decrease
> internal MTU to slight lower than 1500 bytes,

Ugh.

This is *really* unusual. Many networks increase their MTU to well above 1500, so that even tunneled connections still are able to carry full-MTU packets - but running a network below 1500 sounds like a Really Bad Plan to me.

Expect fun with all the sites out there that have Issues with PMTUD. Lots.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Sun May 11 12:38:55 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 11 May 2008 18:38:55 +0200
Subject: [c-nsp] Router / Switch in front of Firewall
In-Reply-To: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no>
References: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no>
Message-ID: <20080511163854.GT3278@greenie.muc.de>

Hi,

On Sun, May 11, 2008 at 03:51:38PM +0200, Tor-Ivar Kristoffersen wrote:
> Solution is to set a Cisco switch / router in front with 2 IF's.

Get a reasonable supplier. Forcing RFC1918 addresses on customer transit links is no way to run an Internet service.

(Regarding your original question, something like a 2851 should do).

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From philxor at gmail.com Sun May 11 12:41:27 2008
From: philxor at gmail.com (Phil Bedard)
Date: Sun, 11 May 2008 12:41:27 -0400
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <20080511155800.GS3278@greenie.muc.de>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de>
Message-ID:

Yeah, a better solution to me is to use the tcp-adjust-mss value, assuming this is TCP traffic and not something else. I don't know the CPU limitations of that on the 7600 but it will probably end up being less processing power than generating an ICMP message that may never get to its destination.

Phil

On May 11, 2008, at 11:58 AM, Gert Doering wrote:

> Hi,
>
> On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com wrote:
>> Because internal network design requirements, it is necessary decrease
>> internal MTU to slight lower than 1500 bytes,
>
> Ugh.
>
> This is *really* unusual. Many networks increase their MTU to well
> above 1500, so that even tunneled connections still are able to carry
> full-MTU packets - but running a network below 1500 sounds like a
> Really Bad Plan to me.
>
> Expect fun with all the sites out there that have Issues with
> PMTUD. Lots.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From snar at paranoia.ru Sun May 11 12:45:12 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Sun, 11 May 2008 20:45:12 +0400
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <20080511155800.GS3278@greenie.muc.de>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de>
Message-ID: <20080511164512.GA21829@paranoia.ru>

On Sun, May 11, 2008 at 05:58:01PM +0200, Gert Doering wrote:
> On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com wrote:
> > Because internal network design requirements, it is necessary decrease
> > internal MTU to slight lower than 1500 bytes,
>
> Ugh.
>
> This is *really* unusual. Many networks increase their MTU to well
> above 1500, so that even tunneled connections still are able to carry
> full-MTU packets - but running a network below 1500 sounds like a
> Really Bad Plan to me.

It's not so *really* unusual. Some parts of the access layer in our network are PPPoE over some 'really cheap' switches, which have no option to support an MTU of 1504 (1500 + PPPoE overhead).

> Expect fun with all the sites out there that have Issues with PMTUD. Lots.

'ip tcp adjust-mss' helps. Really helps. I never heard about MTU issues for the years we have been running PPPoE...
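What 'ip tcp adjust-mss' actually does to a transit SYN, as an added example that is not code from the list or from Cisco: a constructed IPv4/TCP SYN carrying MSS 1460 is rewritten to 1452 (1492-byte PPPoE IP MTU minus 20-byte IP and 20-byte TCP headers) and its TCP checksum is recomputed over the pseudo-header, which is the extra work the router picks up. Addresses, ports and function names are this example's own.

```python
import struct
from typing import Iterator, Optional, Tuple

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; an odd trailing byte is zero padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (src, dst, 0, proto, TCP length) and segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return ones_complement_sum(pseudo + tcp)


def mss_for_mtu(ip_mtu: int) -> int:
    """Largest MSS that fits an IP MTU with plain 20-byte IPv4 and TCP headers."""
    return ip_mtu - 40


def _tcp_options(tcp: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) for each option in the TCP header; stop on malformed data."""
    data_off = (tcp[12] >> 4) * 4
    i = 20
    while i < data_off:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield i, kind, 1
            i += 1
            continue
        if i + 1 >= data_off:
            return
        length = tcp[i + 1]
        if length < 2 or i + length > data_off:
            return
        yield i, kind, length
        i += length


def mss_of(packet: bytes) -> Optional[int]:
    """MSS option value of an IPv4/TCP packet, or None if there is none."""
    ihl = (packet[0] & 0x0F) * 4
    tcp = packet[ihl:]
    for off, kind, length in _tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return int.from_bytes(tcp[off + 2:off + 4], "big")
    return None


def tcp_checksum_ok(packet: bytes) -> bool:
    """True when the TCP checksum verifies (the sum including the field folds to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    return tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def clamp_mss(packet: bytes, max_mss: int) -> bytes:
    """Rewrite the MSS option of a transit TCP SYN down to max_mss.

    Only SYN segments are touched (MSS is only meaningful there), a smaller
    MSS is left alone, non-TCP packets pass through unchanged, and the TCP
    checksum is recomputed whenever the option is rewritten.
    """
    if packet[9] != IPPROTO_TCP:
        return packet
    ihl = (packet[0] & 0x0F) * 4
    tcp = bytearray(packet[ihl:])
    if not tcp[13] & 0x02:              # SYN flag clear
        return packet
    for off, kind, length in _tcp_options(bytes(tcp)):
        if kind == TCP_OPT_MSS and length == 4:
            if int.from_bytes(tcp[off + 2:off + 4], "big") <= max_mss:
                return packet
            tcp[off + 2:off + 4] = max_mss.to_bytes(2, "big")
            tcp[16:18] = b"\x00\x00"    # zero the checksum field before recomputing
            csum = tcp_checksum(packet[12:16], packet[16:20], bytes(tcp))
            tcp[16:18] = csum.to_bytes(2, "big")
            return packet[:ihl] + bytes(tcp)
    return packet


def build_syn(src: str, dst: str, mss: int, syn: bool = True) -> bytes:
    """Constructed IPv4 packet (DF set) carrying a TCP segment with an MSS option."""
    s = bytes(int(o) for o in src.split("."))
    d = bytes(int(o) for o in dst.split("."))
    flags = 0x02 if syn else 0x10       # SYN, or a plain ACK for the untouched case
    tcp = bytearray(struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 6 << 4, flags, 8192, 0, 0))
    tcp += struct.pack("!BBH", TCP_OPT_MSS, 4, mss)
    tcp[16:18] = tcp_checksum(s, d, bytes(tcp)).to_bytes(2, "big")
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, IPPROTO_TCP, 0, s, d))
    ip[10:12] = ones_complement_sum(bytes(ip)).to_bytes(2, "big")
    return bytes(ip) + bytes(tcp)


if __name__ == "__main__":
    pkt = build_syn("192.0.2.10", "198.51.100.20", 1460)     # constructed sample host
    out = clamp_mss(pkt, mss_for_mtu(1492))
    print("MSS", mss_of(pkt), "->", mss_of(out), "checksum ok:", tcp_checksum_ok(out))
```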
From jmaimon at ttec.com Sun May 11 13:01:08 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Sun, 11 May 2008 13:01:08 -0400
Subject: [c-nsp] Router / Switch in front of Firewall
In-Reply-To: <20080511163854.GT3278@greenie.muc.de>
References: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no> <20080511163854.GT3278@greenie.muc.de>
Message-ID: <48272654.9000600@ttec.com>

Gert Doering wrote:
> Hi,
>
> On Sun, May 11, 2008 at 03:51:38PM +0200, Tor-Ivar Kristoffersen wrote:
>> Solution is to set a Cisco switch / router in front with 2 IF's.

A 3550 will do as well.

> Get a reasonable supplier. Forcing RFC1918 addresses on customer
> transit links is no way to run an Internet service.

Reasonable equipment will allow itself to be configured to source traffic correctly, regardless of transit addressing.

> (Regarding your original question, something like a 2851 should do).
>
> gert

From alaerte.vidali at nsn.com Sun May 11 13:57:28 2008
From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com)
Date: Sun, 11 May 2008 12:57:28 -0500
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <20080511155800.GS3278@greenie.muc.de>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de>
Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639927@daebe103.NOE.Nokia.com>

Totally agree. Do you know those times you receive a request that you just would like to forget?
:)

-----Original Message-----
From: ext Gert Doering [mailto:gert at greenie.muc.de]
Sent: Sunday, May 11, 2008 6:58 PM
To: Vidali Alaerte (NSN - BR/Rio de Janeiro)
Cc: paul.cosgrove at heanet.ie; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco Processing Regarding ICMP

Hi,

On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com wrote:
> Because internal network design requirements, it is necessary decrease
> internal MTU to slight lower than 1500 bytes,

Ugh.

This is *really* unusual. Many networks increase their MTU to well above 1500, so that even tunneled connections still are able to carry full-MTU packets - but running a network below 1500 sounds like a Really Bad Plan to me.

Expect fun with all the sites out there that have Issues with PMTUD. Lots.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From alaerte.vidali at nsn.com Sun May 11 13:59:06 2008
From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com)
Date: Sun, 11 May 2008 12:59:06 -0500
Subject: [c-nsp] Cisco Processing Regarding ICMP
In-Reply-To: <20080511123210.GA17379@paranoia.ru>
References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <4826E316.7080906@heanet.ie> <20080511123210.GA17379@paranoia.ru>
Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639928@daebe103.NOE.Nokia.com>

Are you sure that by default it is not configured to any rate? It seems it defaults to two per second.
-----Original Message-----
From: ext Alexandre Snarskii [mailto:snar at paranoia.ru]
Sent: Sunday, May 11, 2008 3:32 PM
To: Paul Cosgrove
Cc: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco Processing Regarding ICMP

On Sun, May 11, 2008 at 01:14:14PM +0100, Paul Cosgrove wrote:
> Hi Alaerte,
>
> Well the packets with DF set will be dropped, but I don't know what
> rate restrictions (if any) exist about the generation of ICMP
> notifications when this occurs. Perhaps someone else can provide that information.

You can rate-limit ICMP generation due to MTU failures:

Router(config)#mls rate-limit all mtu-failure ?
  <10-1000000>  packets per second

but, by default it is not configured to any rate:

Router#show mls rate-limit
 Sharing Codes: S - static, D - dynamic
 Codes dynamic sharing: H - owner (head) of the group, g - guest of the group

   Rate Limiter Type        Status     Packets/s   Burst  Sharing
 ---------------------    ----------  ---------   -----  -------
[...]
           MTU FAILURE        Off          -          -      -

so, it's possible that a high rate of MTU failures will overload your 65xx/76xx..
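A check for the limiter status the two messages above disagree about, as an added example that is not code from the list or from Cisco: it parses the 'show mls rate-limit' table, reports whether the MTU FAILURE limiter is on, and works out how many oversize DF packets per second would be punted to the MSFC versus dropped by the hardware limiter. The MTU FAILURE row is as quoted in the thread; the ICMP UNREAC. NO-ROUTE row is constructed to show an enabled limiter, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample output (header and MTU FAILURE row as quoted on the list,
# the enabled ICMP UNREAC. NO-ROUTE row made up for contrast).
SAMPLE_OUTPUT = """\
Router#show mls rate-limit
 Sharing Codes: S - static, D - dynamic
 Codes dynamic sharing: H - owner (head) of the group, g - guest of the group

   Rate Limiter Type        Status     Packets/s   Burst  Sharing
 ---------------------    ----------  ---------   -----  -------
  ICMP UNREAC. NO-ROUTE      On          100        10    Group:0 S
          MTU FAILURE        Off          -          -      -
"""

# One table row: upper-case limiter name, On/Off, pps, burst, optional sharing.
ROW = re.compile(
    r"^\s*(?P<name>[A-Z][A-Z0-9 ./-]*?)\s+(?P<status>On|Off)\s+"
    r"(?P<pps>\S+)\s+(?P<burst>\S+)\s*(?P<sharing>.*?)\s*$"
)


@dataclass
class Limiter:
    name: str
    enabled: bool
    pps: Optional[int]      # None when the column shows '-'
    burst: Optional[int]
    sharing: str


def _num(field: str) -> Optional[int]:
    return int(field) if field.isdigit() else None


def parse_mls_rate_limit(text: str) -> Dict[str, Limiter]:
    """Parse 'show mls rate-limit' output into limiters keyed by name."""
    limiters: Dict[str, Limiter] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            limiters[m["name"]] = Limiter(m["name"], m["status"] == "On",
                                          _num(m["pps"]), _num(m["burst"]),
                                          m["sharing"])
    return limiters


def punt_budget(offered_pps: int, limiter: Optional[Limiter]) -> Dict[str, int]:
    """Split an offered rate of limiter-matching packets into those punted to the
    MSFC (which can get an ICMP reply) and those the hardware limiter drops."""
    if limiter is None or not limiter.enabled or limiter.pps is None:
        return {"punted": offered_pps, "dropped_in_hw": 0}
    punted = min(offered_pps, limiter.pps)
    return {"punted": punted, "dropped_in_hw": offered_pps - punted}


def audit_mtu_failure(limiters: Dict[str, Limiter], offered_pps: int) -> str:
    """One-line finding for the MTU FAILURE limiter at a given offered rate of
    DF-set packets that exceed the egress MTU."""
    lim = limiters.get("MTU FAILURE")
    if lim is None or not lim.enabled or lim.pps is None:
        return (f"MTU FAILURE limiter is off: all {offered_pps} pps of oversize DF "
                f"packets are punted to the MSFC for ICMP generation")
    budget = punt_budget(offered_pps, lim)
    return (f"MTU FAILURE limited to {lim.pps} pps (burst {lim.burst}): "
            f"{budget['punted']} pps punted, {budget['dropped_in_hw']} pps "
            f"dropped in hardware with no ICMP sent")


if __name__ == "__main__":
    lims = parse_mls_rate_limit(SAMPLE_OUTPUT)
    print(audit_mtu_failure(lims, 5000))    # 5000 pps is a constructed offered rate
```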
From gert at greenie.muc.de Sun May 11 14:02:18 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 11 May 2008 20:02:18 +0200 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <20080511164512.GA21829@paranoia.ru> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de> <20080511164512.GA21829@paranoia.ru> Message-ID: <20080511180218.GU3278@greenie.muc.de> Hi, On Sun, May 11, 2008 at 08:45:12PM +0400, Alexandre Snarskii wrote: > On Sun, May 11, 2008 at 05:58:01PM +0200, Gert Doering wrote: > > On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com wrote: > > > Because internal network design requirements, it is necessary decrease > > > internal MTU to slight lower than 1500 bytes, > > It's not so *really* unusual. Some parts of access layer in our > network is PPPoE over some 'really cheap' switches, which have no > option to support MTU of 1504 (1500 + PPPoE overhead). Well, sure. As soon as end-user access comes into play and you have PPPoE, you usually end up with 1492 byte IP MTU. Which is annoying, but can normally be handled fairly well by the aggregation layer. The specific thread mentioned a 7600 being at the boundary between "1500 MTU" and "less-than 1500", which is very untypical for PPPoE environments, as the 7600 can't (reasonably) do PPPoE. > > Expect fun with all the sites out there that have Issues with PMTUD. Lots. > > 'ip tcp adjust-mss' helps. Really helps. I never heard about MTU issue > for years we running PPPoE... I've run into lots of unnecessary trouble with smaller-than-1500 MTU - and "ip tcp adjust-mss" won't fix your customer's IPSEC VPNs, for example. 
*Usually* it's just a misconfiguration somewhere (filtering fragments, filtering ICMP [because it's evil!], ...) but having a reasonable MTU would be *so* much easier in the long run... Actually I'm pretty amazed that folks seem to accept that "it must be this way" - all DSL gear that's built today is built in the knowledge that PPPoE exists, and ethernet chips that can handle 1508 just fine *do* exist. So having 1500 byte IP MTU even with PPPoE would be possible if people just *wanted* it... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From alaerte.vidali at nsn.com Sun May 11 14:01:48 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Sun, 11 May 2008 13:01:48 -0500 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de> Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639929@daebe103.NOE.Nokia.com>

Hi Phil, I have seen a description saying that initial SYN is punted to RP, so there is impact under SYN attack for example. Also, RP needs to calculate new checksum. I agree it seems a better solution, I am only worried about CPU impact in 7609. Also, only helps UDP.
Tks, Alaerte -----Original Message----- From: ext Phil Bedard [mailto:philxor at gmail.com] Sent: Sunday, May 11, 2008 7:41 PM To: Gert Doering Cc: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco Processing Regarding ICMP Yeah, a better solution to me is to use the tcp-adjust-mss value, assuming this is TCP traffic and not something else. I don't know the CPU limitations of that on the 7600 but it will probably end up being less processing power than generating an ICMP message that may never get to its destination. Phil On May 11, 2008, at 11:58 AM, Gert Doering wrote: > Hi, > > On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com > wrote: >> Because internal network design requirements, it is necessary >> decrease internal MTU to slight lower than 1500 bytes, > > Ugh. > > This is *really* unusual. Many networks increase their MTU to well > above 1500, so that even tunneled connections still are able to carry > full-MTU packets - but running a network below 1500 sounds like a > Really Bad Plan to me. > > Expect fun with all the sites out there that have Issues with PMTUD. > Lots. > > gert > -- > USENET is *not* the non-clickable part of WWW! 
> //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From alaerte.vidali at nsn.com Sun May 11 14:02:11 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Sun, 11 May 2008 13:02:11 -0500 Subject: [c-nsp] Cisco Processing Regarding ICMP References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de> Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC290163992A@daebe103.NOE.Nokia.com> I mean, only helps TCP :) -----Original Message----- From: Vidali Alaerte (NSN - BR/Rio de Janeiro) Sent: Sunday, May 11, 2008 9:02 PM To: 'ext Phil Bedard'; Gert Doering Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Cisco Processing Regarding ICMP Hi Phil, I have seem description saying that initial SYN is punted to RP, so there is impact under SYN attack for example. Also, RP needs to calculate new checksum. I agree it seems better solution, I am only worried with CPU impact in 7609. Also, only helps UDP. Tks, Alaerte -----Original Message----- From: ext Phil Bedard [mailto:philxor at gmail.com] Sent: Sunday, May 11, 2008 7:41 PM To: Gert Doering Cc: Vidali Alaerte (NSN - BR/Rio de Janeiro); cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco Processing Regarding ICMP Yeah, a better solution to me is to use the tcp-adjust-mss value, assuming this is TCP traffic and not something else. 
I don't know the CPU limitations of that on the 7600 but it will probably end up being less processing power than generating an ICMP message that may never get to its destination. Phil On May 11, 2008, at 11:58 AM, Gert Doering wrote: > Hi, > > On Sat, May 10, 2008 at 03:39:23PM -0500, alaerte.vidali at nsn.com > wrote: >> Because internal network design requirements, it is necessary >> decrease internal MTU to slight lower than 1500 bytes, > > Ugh. > > This is *really* unusual. Many networks increase their MTU to well > above 1500, so that even tunneled connections still are able to carry > full-MTU packets - but running a network below 1500 sounds like a > Really Bad Plan to me. > > Expect fun with all the sites out there that have Issues with PMTUD. > Lots. > > gert > -- > USENET is *not* the non-clickable part of WWW! > //www.muc.de/~gert/ > Gert Doering - Munich, Germany gert at greenie.muc.de > fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Sun May 11 14:05:40 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 11 May 2008 20:05:40 +0200 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639927@daebe103.NOE.Nokia.com> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639927@daebe103.NOE.Nokia.com> Message-ID: <20080511180540.GV3278@greenie.muc.de> Hi, On Sun, May 11, 2008 at 12:57:28PM -0500, alaerte.vidali at nsn.com wrote: > Totally agree. 
Do you know that times you receive request that you just > would like to forget? :) Well... sometimes I can refuse to do things, and sometimes workarounds can be found. And given the number of "it must be do everything, sing and dance, and at the same time must not cost anything" things I've had to build *and later on support* in the past, my tolerance for crappy designs is not overly good these days... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From alaerte.vidali at nsn.com Sun May 11 14:09:15 2008 From: alaerte.vidali at nsn.com (alaerte.vidali at nsn.com) Date: Sun, 11 May 2008 13:09:15 -0500 Subject: [c-nsp] Cisco Processing Regarding ICMP In-Reply-To: <20080511180540.GV3278@greenie.muc.de> References: <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398A6@daebe103.NOE.Nokia.com> <482592EA.3080200@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC29016398F1@daebe103.NOE.Nokia.com> <4825EF26.7090000@heanet.ie> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639903@daebe103.NOE.Nokia.com> <20080511155800.GS3278@greenie.muc.de> <1A629FEA23F9F14CAF0B8B3A5AA2FC2901639927@daebe103.NOE.Nokia.com> <20080511180540.GV3278@greenie.muc.de> Message-ID: <1A629FEA23F9F14CAF0B8B3A5AA2FC290163992C@daebe103.NOE.Nokia.com>

I am almost there concerning tolerance :) Hope this one is just provisory, until IP backbone devices are changed to support the necessary Jumbo frame on this customer. Anyway I documented all risks involved, PMTU black hole, Cisco CPU increase and bla-bla-bla.
Tks, Alaerte -----Original Message----- From: ext Gert Doering [mailto:gert at greenie.muc.de] Sent: Sunday, May 11, 2008 9:06 PM To: Vidali Alaerte (NSN - BR/Rio de Janeiro) Cc: gert at greenie.muc.de; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Cisco Processing Regarding ICMP Hi, On Sun, May 11, 2008 at 12:57:28PM -0500, alaerte.vidali at nsn.com wrote: > Totally agree. Do you know that times you receive request that you > just would like to forget? :) Well... sometimes I can refuse to do things, and sometimes workarounds can be found. And given the number of "it must be do everything, sing and dance, and at the same time must not cost anything" things I've had to build *and later on support* in the past, my tolerance for crappy designs is not overly good these days... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From have.an.email at gmail.com Sun May 11 17:56:15 2008 From: have.an.email at gmail.com (Nathan) Date: Sun, 11 May 2008 23:56:15 +0200 Subject: [c-nsp] L2TP arriving inside a VRF? In-Reply-To: <482613B0.4050403@wi.rr.com> References: <9f785d120805101355s287de12ao3e17944e07ab97f8@mail.gmail.com> <482613B0.4050403@wi.rr.com> Message-ID: <9f785d120805111456p6aba50d5vdfbdc33ead350508@mail.gmail.com> On Sat, May 10, 2008 at 11:29 PM, Wink wrote: > http://www.cisco.com/en/US/docs/ios/12_2t/12_2t15/feature/guide/ftvpdnmh.html > > This seems to be what you are looking for, except it looks like you > already did this. > > hmm.... Hmm indeed. Since you both said it works I went back to the beginning. 
I was testing this on a new router, and it turns out the problem I had was with the place the new router had in the network and not with the L2TP-incoming-on-VRF config (a problem with the selection of the source address on radius requests and me having multiple Radius servers, some of which were accessed through a "good" IP and some not... After a lot of debugging to understand where the problem was, ip radius source-interface took care of it). Works a charm :-) Thanks a lot ! From paul at gtcomm.net Sun May 11 18:26:24 2008 From: paul at gtcomm.net (Paul) Date: Sun, 11 May 2008 18:26:24 -0400 Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness Message-ID: <48277290.9050805@gtcomm.net> Anyone out there have 3750 running 12.2(44)SE1 ? Strange issue with the CPU sitting at 5% no matter what is going on, zero traffic or lots of traffic. Simple config, very few routes, 2 etherchannels, nothing major. Just curious.. It's not affecting anything except the ping time when you ping the switch directly. From stig.johansen at ementor.no Sun May 11 19:10:47 2008 From: stig.johansen at ementor.no (Stig Johansen) Date: Mon, 12 May 2008 01:10:47 +0200 Subject: [c-nsp] Huge number of input queue drops on 6500 In-Reply-To: <20080511.114901.74716308.sthaug@nethelp.no> References: <20fe625b0805110122s6aa02304n5180f3bb48fb2b0a@mail.gmail.com> <20080511.114901.74716308.sthaug@nethelp.no> Message-ID: <13A13E9CF0F76342A79031B9E558C0C50308120B@100NOOSLMSG004.common.alpharoot.net> >> We just discovered a very weird problem, we're not sure what to >> attribute it to. We run a port-channel between a cisco (6509E, >> WS-X6548-GE-TX) and a Huawei NE40E. Port channel consists of 2 copper >> links and runs at about 1.2G. We've noticed huge number of input queue >> drops and overruns: > Entirely expected (we've seen similar). The 6548 is overbooked 8:1, each > ASIC handling 8 ports with 1 Gig towards the backplane bus. 
> 2/5 and 2/8 are on the same ASIC and drops are expected if you run above 1 Gbps. You
> may have better luck if you spread the channels on two different ASICs.
> For high bandwidth applications a card with small or no overbooking is
> better (e.g. the 6724 / 6748 family).

You should look at this URL: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC as it has all the information about this problem and other etherchannel-related restrictions using this card.

Best regards, Stig Meireles Johansen

From dwinkworth at wi.rr.com Sun May 11 19:11:49 2008 From: dwinkworth at wi.rr.com (Wink) Date: Sun, 11 May 2008 18:11:49 -0500 Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness In-Reply-To: <48277290.9050805@gtcomm.net> References: <48277290.9050805@gtcomm.net> Message-ID: <48277D35.8030603@wi.rr.com>

"show proc cpu" please? Is it really affecting the ping times? Doesn't seem like it would affect ping times at all.

Paul wrote:
> Anyone out there have 3750 running 12.2(44)SE1 ?
> Strange issue with the CPU sitting at 5% no matter what is going on,
> zero traffic or lots of traffic.
> Simple config, very few routes, 2 etherchannels, nothing major.
>
> Just curious.. It's not affecting anything except the ping time when you
> ping the switch directly.

From brad.henshaw at qcn.com.au Sun May 11 19:23:42 2008 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Mon, 12 May 2008 09:23:42 +1000 Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness In-Reply-To: <48277290.9050805@gtcomm.net> Message-ID: <3B0B088532A4A44C97875AA89AEF971B203412@qcnexc01.corp.qcn>

Paul wrote:
> Anyone out there have 3750 running 12.2(44)SE1 ?
> Strange issue with the CPU sitting at 5% no matter what is going on,
> zero traffic or lots of traffic.
> Simple config, very few routes, 2 etherchannels, nothing major.

Doesn't seem weird to me. That's pretty much what we see on our 3750's and 3750ME's, running BGP, OSPF and a few other things. Usage went from 4% to 5% when we upgraded to 12.2(44)SE.

> Just curious.. It's not affecting anything except the ping time when you
> ping the switch directly.

I haven't noticed this affecting switch response time except that the IP SLA probe results now seem to report latency 1ms higher than they used to. Latency through the switches is unaffected.

Regards, Brad

From paul at gtcomm.net Sun May 11 19:31:15 2008 From: paul at gtcomm.net (Paul) Date: Sun, 11 May 2008 19:31:15 -0400 Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness In-Reply-To: <48277D35.8030603@wi.rr.com> References: <48277290.9050805@gtcomm.net> <48277D35.8030603@wi.rr.com> Message-ID: <482781C3.1080805@gtcomm.net>

CPU utilization for five seconds: 6%/0%; one minute: 6%; five minutes: 5%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
 362        2609      1734   1504  0.95%  0.18%  0.04%   1 Virtual Exec
   9     5221403  25084858    208  0.63%  0.27%  0.24%   0 ARP Input
 184      958738   3069313    312  0.15%  0.10%  0.06%   0 IP Input

It's always at 5%, even with no traffic at all, maybe it's just the way it's supposed to be with the new software, which is fine with me I just want to know about it :>

3750 with 12.2.44SE1
PING 10.9.0.1 (10.9.0.1): 56 data bytes
64 bytes from 10.9.0.1: icmp_seq=0 ttl=255 time=1.482 ms
64 bytes from 10.9.0.1: icmp_seq=1 ttl=255 time=1.434 ms
64 bytes from 10.9.0.1: icmp_seq=2 ttl=255 time=0.660 ms
64 bytes from 10.9.0.1: icmp_seq=3 ttl=255 time=1.744 ms
64 bytes from 10.9.0.1: icmp_seq=4 ttl=255 time=2.071 ms
64 bytes from 10.9.0.1: icmp_seq=5 ttl=255 time=0.588 ms
64 bytes from 10.9.0.1: icmp_seq=6 ttl=255 time=2.019 ms
64 bytes from 10.9.0.1: icmp_seq=7 ttl=255 time=2.264 ms
64 bytes from 10.9.0.1: icmp_seq=8 ttl=255 time=2.389 ms

3750 with 12.2.25
PING 10.3.100.1 (10.3.100.1): 56 data bytes
64 bytes from 10.3.100.1: icmp_seq=0 ttl=255 time=0.923 ms
64 bytes from 10.3.100.1: icmp_seq=1 ttl=255 time=0.982 ms
64 bytes from 10.3.100.1: icmp_seq=2 ttl=255 time=0.895 ms
64 bytes from 10.3.100.1: icmp_seq=3 ttl=255 time=0.958 ms
64 bytes from 10.3.100.1: icmp_seq=4 ttl=255 time=0.961 ms
64 bytes from 10.3.100.1: icmp_seq=5 ttl=255 time=0.927 ms
64 bytes from 10.3.100.1: icmp_seq=6 ttl=255 time=3.469 ms
64 bytes from 10.3.100.1: icmp_seq=7 ttl=255 time=0.946 ms
64 bytes from 10.3.100.1: icmp_seq=8 ttl=255 time=0.936 ms
64 bytes from 10.3.100.1: icmp_seq=9 ttl=255 time=0.974 ms
64 bytes from 10.3.100.1: icmp_seq=10 ttl=255 time=0.941 ms
64 bytes from 10.3.100.1: icmp_seq=11 ttl=255 time=1.214 ms
64 bytes from 10.3.100.1: icmp_seq=12 ttl=255 time=0.902 ms

Kind of weird.. I guess the only issue to me is that the traceroute-through times look weird.. You see a traceroute like this:

traceroute to cnn.com (64.236.29.120), 30 hops max, 38 byte packets
 1  router1 (x.x.x.x)  0.231 ms  0.202 ms  0.164 ms
 2  3750with12244SE1 (x.x.x.x)  2.328 ms  1.190 ms  2.047 ms
 3  edge-router (x.x.x.x)  0.284 ms  0.282 ms  0.405 ms

looks a bit odd that way :) the previous software was usually at least under 1ms. I'm not complaining because the forwarding obviously works at much lower latency or the edge router wouldn't be so low, but customers will undoubtedly complain over 1.5ms because they don't understand what is happening.

Paul

Wink wrote:
> "show proc cpu" please?
>
> Is it really affecting the ping times? Doesn't seem like it would
> affect ping times at all.
>
> Paul wrote:
>> Anyone out there have 3750 running 12.2(44)SE1 ?
>> Strange issue with the CPU sitting at 5% no matter what is going on,
>> zero traffic or lots of traffic.
>> Simple config, very few routes, 2 etherchannels, nothing major.
>>
>> Just curious.. It's not affecting anything except the ping time when
>> you ping the switch directly.
From paul at gtcomm.net Sun May 11 19:33:00 2008 From: paul at gtcomm.net (Paul) Date: Sun, 11 May 2008 19:33:00 -0400 Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness In-Reply-To: <3B0B088532A4A44C97875AA89AEF971B203412@qcnexc01.corp.qcn> References: <3B0B088532A4A44C97875AA89AEF971B203412@qcnexc01.corp.qcn> Message-ID: <4827822C.3020108@gtcomm.net>

Yes that's pretty much what I'm seeing. My main concern is customers tracerouting and seeing 1ms higher on the routers and most likely will say something about it because they don't understand the difference between forwarding performance and cpu punts for icmp.

Paul

Brad Henshaw wrote:
> Paul wrote:
>
>> Anyone out there have 3750 running 12.2(44)SE1 ?
>> Strange issue with the CPU sitting at 5% no matter what is going on,
>> zero traffic or lots of traffic.
>> Simple config, very few routes, 2 etherchannels, nothing major.
>
> Doesn't seem weird to me.
> That's pretty much what we see on our 3750's and 3750ME's, running
> BGP, OSPF and a few other things. Usage went from 4% to 5% when we
> upgraded to 12.2(44)SE.
>
>> Just curious.. It's not affecting anything except the ping time when you
>> ping the switch directly.
>
> I haven't noticed this affecting switch response time except that the IP
> SLA probe results now seem to report latency 1ms higher than they used
> to.
> Latency through the switches is unaffected.
>
> Regards,
> Brad
>

From paul at gtcomm.net Sun May 11 19:39:14 2008 From: paul at gtcomm.net (Paul) Date: Sun, 11 May 2008 19:39:14 -0400 Subject: [c-nsp] CEF Load balancing over Etherchannel (3750) Message-ID: <482783A2.4020601@gtcomm.net>

Does anyone know how to make CEF load balancing work over etherchannels and actually load balance on the etherchannel? I have two GEC interfaces with 2 ports in each, and then I have two routes multipath, one to each GEC interface. The problem is that the CEF algorithm is the same as the etherchannel algorithm and each one of the etherchannels ends up only sending out one of the two ports so it is not load balancing. I have tried changing the port-channel load-balance setting to various things (I can not use MAC because it's from one router to another) and I have tried changing the cef load sharing algorithm. Maybe this is a limitation of the 3750 platform? I have not tried this on any of the other equipment.

Paul

From tdurack at gmail.com Sun May 11 20:19:55 2008 From: tdurack at gmail.com (Tim Durack) Date: Sun, 11 May 2008 20:19:55 -0400 Subject: [c-nsp] Microsoft NLB vs Cisco In-Reply-To: <20b13c6b0805102135j71d3d6e5x95bbd3f34d853d19@mail.gmail.com> References: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> <1210452503.6939.6.camel@dusken.sys.mjna.net> <9e246b4d0805101438w75f14328n7d2816708bfba8ee@mail.gmail.com> <20b13c6b0805102135j71d3d6e5x95bbd3f34d853d19@mail.gmail.com> Message-ID: <9e246b4d0805111719r6facc0cfjfe925f96f7be4830@mail.gmail.com>

Amazing, think I found a fix: http://www.skendric.com/packet/msnlb-catalyst-configuration.pdf

MS NLB requires not just a static ARP entry, but a static MAC too, something like:

arp a.b.c.d 0100.5e7f.ccdd
mac-address-table static 0100.5e7f.ccdd vlan x interface G1/45 G1/46 disable-snooping

The cluster still works and CPU is back to normal (I've also proved 12.2(33)SXH2 can run at 90-100% without dropping routing sessions or crashing :-)

(Big thanks to Stuart
Kendrick who wrote the above link!) Tim:> On Sun, May 11, 2008 at 12:35 AM, Arie Vayner wrote: > Tim, > > May I offer another approach? Maybe you could just drop NLB, and use the IP > SLB feature you have inside your Sup720? > > Arie > > On Sun, May 11, 2008 at 12:38 AM, Tim Durack wrote: >> >> On Sat, May 10, 2008 at 4:48 PM, Peter Rathlev wrote: >> > On Sat, 2008-05-10 at 12:09 -0400, Tim Durack wrote: >> >> Anyone using Microsoft NLB Multicast mode for a cluster? >> >> >> >> It requires a static arp entry on Cisco, as the cluster ip resolves to >> >> a multicast mac, which can't/shouldn't be learned via arp. >> > >> > I find that a very irritating requirement of the MS NLB. :-) >> > >> >> So we do something like: "arp a.b.c.d 0100.5e7f.xxyy arpa" >> >> Apparently this results in software switching the adjacency on a >> >> Sup720, which is painful to say the least. >> >> >> >> Any suggestions? >> > >> > I guess you're referring to CSCee49121 "static ARPs dont create adjs >> > when used with routes pointing at intf". I thought this was only a >> > problem if you used it like this: >> > >> > ip route 10.11.12.13 255.255.255.255 Gi1/1 >> > arp 10.11.12.13 030b.adc0.ffee Gi1/1 >> > >> > Is the problem also there without the route statement? We use it against >> > two MS NLBs, and we don't see any problems. The traffic doesn't seem to >> > be software switched, but apart from consulting Feature Manager and >> > looking at the CPU interrupt usage, I'm not completely sure how to check >> > it. How do you do it? >> >> No static route - maybe that's the difference. >> >> Educated guess work. CPU is running >90%. Install a CoPP policy >> dropping the traffic, and CPU drops back to a more normal ~30%. >> >> Monday I plan to try a SPAN against the rp, and see what is hitting >> it. I need this to tune CoPP anyway. 
>> >> > Regards, >> > Peter >> > >> > >> > >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From sidney.boumendil at gmail.com Sun May 11 20:40:25 2008 From: sidney.boumendil at gmail.com (Sidney Boumendil) Date: Mon, 12 May 2008 02:40:25 +0200 Subject: [c-nsp] Microsoft NLB vs Cisco In-Reply-To: <9e246b4d0805111719r6facc0cfjfe925f96f7be4830@mail.gmail.com> References: <9e246b4d0805100909y72abfb14s1ef25c000b58836f@mail.gmail.com> <1210452503.6939.6.camel@dusken.sys.mjna.net> <9e246b4d0805101438w75f14328n7d2816708bfba8ee@mail.gmail.com> <20b13c6b0805102135j71d3d6e5x95bbd3f34d853d19@mail.gmail.com> <9e246b4d0805111719r6facc0cfjfe925f96f7be4830@mail.gmail.com> Message-ID: <41522e900805111740q24b5251fv7f391c156643aead@mail.gmail.com> On Mon, May 12, 2008 at 2:19 AM, Tim Durack wrote: > Amazing, think I found a fix: > http://www.skendric.com/packet/msnlb-catalyst-configuration.pdf > > MS NLB requires not just a static ARP entry, but a static MAC too, > something like: > > arp a.b.c.d 0100.5e7f.ccdd > mac-address-table static 0100.5e7f.ccdd vlan x interface G1/45 G1/46 > disable-snooping > > The cluster still works and CPU is back to normal (I've also proved > 12.2(33)SXH2 can run at 90-100% without dropping routing sessions or > crashing :-) > > (Big thanks to Stuart Kendrick who wrote the above link!) > > Tim:> Hi, There is a document on Cisco's site explaining precisely this problem. It also happens with Nokia/Checkpoint VRRP and Bluecoat clusters. http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008059a9df.shtml Sidney From dhooper at emerge.net.au Mon May 12 00:55:43 2008 From: dhooper at emerge.net.au (Daniel Hooper) Date: Mon, 12 May 2008 12:55:43 +0800 Subject: [c-nsp] 3550 learning state Message-ID: Hi, I have a 3550-48-EMI running 2 MST spanning tree instances. 
What's happening is that when an ethernet interface is connected or disconnected 5 of the ports on the switch move back to a learning state. The ports that are changing to a learning state are both trunk & access ports. I'm not too familiar with spanning-tree and this is my first attempt to get it going, I don't believe this is normal though.

This is the config I am running on this particular switch that is doing weird things:

!
spanning-tree mode mst
no spanning-tree optimize bpdu transmission
spanning-tree extend system-id
!
spanning-tree mst configuration
 instance 10 vlan 50, 69-70, 92-96, 98-99, 291, 350, 498-509, 550, 603
 instance 10 vlan 605-606, 701, 703, 750, 761, 800-802
 instance 15 vlan 1-49, 51-68, 71-91, 97, 100-290, 292-349, 351-497, 510-549
 instance 15 vlan 551-602, 604, 607-700, 702, 704-749, 751-760, 762-799
 instance 15 vlan 803-4094
!
spanning-tree mst hello-time 4
spanning-tree mst 10 priority 61440
spanning-tree mst 15 priority 61440
!
!
interface FastEthernet0/12
 description Uplink to Somewhere
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 shutdown
 no cdp enable
 spanning-tree mst 10 port-priority 32
 spanning-tree mst 15 port-priority 64
end
!
!
interface FastEthernet0/48
 description Uplink to Somewhere
 switchport trunk encapsulation dot1q
 switchport mode trunk
 speed 100
 duplex full
 spanning-tree mst 10 port-priority 64
 spanning-tree mst 15 port-priority 32
end
!

Any help appreciated!
-Dan

From tim at pelican.org Mon May 12 05:11:37 2008 From: tim at pelican.org (Tim Franklin) Date: Mon, 12 May 2008 10:11:37 +0100 (BST) Subject: [c-nsp] Policing with DFCs In-Reply-To: <994752fe0805050548s23f37c1bue5ee3019c8960226@mail.gmail.com> References: <994752fe0805050548s23f37c1bue5ee3019c8960226@mail.gmail.com> Message-ID: <1278.87.84.237.95.1210583497.squirrel@webmail.pelican.org>

On Mon, May 5, 2008 1:48 pm, Wyatt Mattias Ishmael Jovial Gyllenvarg wrote:
> We are trying to police in a 7600 on the output on a Te interface.
>
> After some fiddling I must ask, is there a workaround for the cir *
> DFCs problem.
>
> There is no need for high precision, just a rough working solution.

Sorry for the late reply, doesn't look like anyone has answered this in the meantime... Doesn't a hierarchical policy get around this, something similar to:

policy-map outside
 class class-default
  shape average blah
  service-policy inside
policy-map inside
 class class-default
  police blah

My understanding is that HTS forces the policy to actually be applied on the egress line-card rather than at every ingress point.

Regards, Tim.

From emre.turkmenler at doruk.net.tr Mon May 12 06:36:31 2008 From: emre.turkmenler at doruk.net.tr (Emre Türkmenler) Date: Mon, 12 May 2008 13:36:31 +0300 Subject: [c-nsp] cisco 828 "WARNING: Cookie information is corrupt" Message-ID: <00f901c8b41c$0aefa2a0$170d3ad4@emre>

Hi, I have a Cisco 828 Router and I'm receiving a "WARNING: Cookie information is corrupt" message and the router can't boot, I can only reach the Rommon mode. How can I solve this problem? Thanks

From wim.holemans at ua.ac.be Mon May 12 07:00:50 2008 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Mon, 12 May 2008 13:00:50 +0200 Subject: [c-nsp] Cisco vulnerabilities Message-ID: <2F7B70885960AA42BE820036B3A8CDA02AB495@xmail06.ad.ua.ac.be>

I got this via Qualys but haven't seen it on this list (hope I didn't miss it).
So to be sure:

The following vulnerabilities were added to the Vulnerability KnowledgeBase of the QualysGuard Web service between May 05, 2008 and May 11, 2008.

QID    Sev.  Title
...
43134  P 3   Cisco IOS OSPF, MPLS VPN, and Supervisor 32, ... (CVE-2008-0537)
43135  P 3   Cisco IOS Multicast Virtual Private Network (... (CVE-2008-1156)

Legend: V: Vulnerability P: Potential Vulnerability

To view the Vulnerability KnowledgeBase, use the following URL: https://qualysguard.qualys.de/fo/tools/kbase.php

From sidney.boumendil at gmail.com Mon May 12 07:27:50 2008 From: sidney.boumendil at gmail.com (Sidney Boumendil) Date: Mon, 12 May 2008 13:27:50 +0200 Subject: [c-nsp] cisco 828 "WARNING: Cookie information is corrupt" In-Reply-To: <00f901c8b41c$0aefa2a0$170d3ad4@emre> References: <00f901c8b41c$0aefa2a0$170d3ad4@emre> Message-ID: <41522e900805120427j1ca9a6dcn52e7b3fcf7ffd1a8@mail.gmail.com>

On Mon, May 12, 2008 at 12:36 PM, Emre Türkmenler wrote:
> Hi,
>
> I have a Cisco 828 Router and I'm receiving a "WARNING: Cookie information is corrupt" message and the router can't boot, I can only reach the Rommon mode.
>
> How can I solve this problem?
>
> Thanks

Hi, Below one of the answers from google: http://www.bitshift.ch/eng/support/kbase/000001.asp

Sidney

From zivl at gilat.net Mon May 12 07:34:22 2008 From: zivl at gilat.net (Ziv Leyes) Date: Mon, 12 May 2008 14:34:22 +0300 Subject: [c-nsp] cisco 828 "WARNING: Cookie information is corrupt" In-Reply-To: <00f901c8b41c$0aefa2a0$170d3ad4@emre> References: <00f901c8b41c$0aefa2a0$170d3ad4@emre> Message-ID:

Oh yes, those corrupted cookies!
You're lucky today, I've found the way to fix a corrupted cookie just by googling, but sometimes what you find may look hard to understand, so I can make it simpler for you. I've written a vbs script that can be used from within SecureCRT to recover that corrupted cookie. Just copy/paste the text below and save it as whatever.vbs; you need to first connect to the router with console, reach the rommon> and only then run this script. When the script finishes, just type "reset" at the router's command prompt. Et voila!

If you want a plain text list of the commands you need to enter, one by one, just scroll down after the script.

==== CUT BELOW HERE =====
#$language = "VBScript"
#$interface = "1.0"

Sub Main()
    ' Synchronous mode so WaitForString does not miss output that
    ' arrives before the call is made.
    crt.Screen.Synchronous = True
    Dim nAnswer, szMessage

    szMessage = vbTab & "Please be sure to run this script " & vbcr & _
                vbTab & "ONLY after you've got into rommon> " & vbcr & _
                vbTab & "prompt and ONLY on a router " & vbcr & _
                vbTab & "with a missing or corrupted cookie ! ! ! " & vbcr & _
                vbTab & "Are you sure you want to continue? "
    nAnswer = MsgBox(szMessage, vbYesNo, "Run Commands Prompt")

    If nAnswer = vbYes Then
        ' Enter rommon privileged mode, then start the interactive
        ' cookie editor and answer each of its prompts in turn.
        Crt.Screen.Send "priv" & vbcr
        Crt.Screen.WaitForString "assword:"
        Crt.Screen.Send "0000" & vbcr
        Crt.Screen.WaitForString ">"
        Crt.Screen.Send "cookie" & vbcr
        Crt.Screen.WaitForString "ersion:"
        Crt.Screen.Send "01" & vbcr
        Crt.Screen.WaitForString "0x01):"
        Crt.Screen.Send "01" & vbcr
        Crt.Screen.WaitForString "ddress:"
        Crt.Screen.Send "00 04 27 fe 00 ea" & vbcr
        Crt.Screen.WaitForString "0x3e):"
        Crt.Screen.Send "3e" & vbcr
        Crt.Screen.WaitForString "0x00):"
        Crt.Screen.Send "00" & vbcr
        Crt.Screen.WaitForString "0x01):"
        Crt.Screen.Send "01" & vbcr
        Crt.Screen.WaitForString "nused:"
        Crt.Screen.Send "ff" & vbcr
        Crt.Screen.WaitForString "ID:"
        Crt.Screen.Send "01 ff" & vbcr
        Crt.Screen.WaitForString "llocated:"
        Crt.Screen.Send "00 00" & vbcr
        Crt.Screen.WaitForString "0x17:"
        Crt.Screen.Send "00 00 00 00 00 00 00 00" & vbcr
        Crt.Screen.WaitForString "0x22:"
        Crt.Screen.Send "4a 41 44 05 42 30 39 ff ff 03 01" & vbcr
        Crt.Screen.WaitForString "eviation:"
        Crt.Screen.Send "6f e6" & vbcr
        Crt.Screen.WaitForString "0x2c:"
        Crt.Screen.Send "00 00 00 00 ff ff ff 50" & vbcr
        Crt.Screen.WaitForString "onfig:"
        Crt.Screen.Send "04" & vbcr
        Crt.Screen.WaitForString "0x31:"
        Crt.Screen.Send "49 11 ec 03" & vbcr
        Crt.Screen.WaitForString "ddress:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        ' Remaining cookie bytes are unused and filled with ff.
        Crt.Screen.WaitForString "0x3f:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x47:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x4f:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x57:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x5f:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x67:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x6f:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x77:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        Crt.Screen.WaitForString "0x7f:"
        Crt.Screen.Send "ff ff ff ff ff ff ff ff" & vbcr
        MsgBox "The script has finished", vbOKOnly
    Else
        MsgBox "The script was cancelled", vbOKOnly
    End If

    ' Reached on both paths, so the session is left in its normal mode.
    crt.Screen.Synchronous = False
End Sub
==== END CUT =====

Here's the plain text list of commands:

rommon 1>cookie
! If all 0 then:
rommon 2>priv
Password:0000
rommon 3>cookie

And then answer each question with these lines, one by one respectively:

01 01 00 04 27 fd 7c 0c 3e 00 01 ff 01 ff 00 00 00 00 00 00 00 00 00 00 4a 41 44 05 31 30 35 4e 310801 00 00 00 00 00 00 ff ff ff 50 06 49 11 ec 06 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

rommon 4>reset

Hope this helps!
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Emre Türkmenler
Sent: Monday, May 12, 2008 1:37 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] cisco 828 "WARNING: Cookie information is corrupt"

Hi,

I have a Cisco 828 Router and I'm receiving a "WARNING: Cookie information is corrupt" message and the router can't boot, I can only reach the Rommon mode.

How can I solve this problem?

Thanks

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From squid at oranged.to Mon May 12 08:55:26 2008
From: squid at oranged.to (Jimmy Stewpot)
Date: Mon, 12 May 2008 13:55:26 +0100
Subject: [c-nsp] Router / Switch in front of Firewall
In-Reply-To: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no>
References: <441C449160381D49A93241C6EE5B80160BBD873892@ltexchange.lufttransport.no>
Message-ID: <48283E3E.8010308@oranged.to>

Hi,

I believe you can get the Fortinet device to query the Fortiguard distribution network with a different source address (e.g. an internal interface rather than the default route external interface). Check the options under

config system fortiguard

In version 3.0 build 660 you should have the following:

*hostname                 hostname or IP of the FortiGuard server
srv-ovrd                  enable or disable the server override list.
port                      port used to communicate with the FortiGuard servers
client-override-status    enable or disable the client override IP.
service-account-id        service account id
central-mgmt-status       enable/disable central management
antispam-status           enable/disable the service
antispam-cache            enable/disable the cache
antispam-cache-ttl        The time-to-live for cache entries in seconds (300-86400)
antispam-cache-mpercent   The maximum percent of memory the cache is allowed to use (1-15%)
*antispam-timeout         query time out (1-30 seconds)
avquery-status            enable/disable the service
avquery-cache             enable/disable the cache
avquery-cache-ttl         The time-to-live for cache entries in seconds (300-86400)
avquery-cache-mpercent    The maximum percent of memory the cache is allowed to use (1-15%)
*avquery-timeout          query time out (1-30 seconds)
webfilter-status          enable/disable the service
webfilter-cache           enable/disable the cache
webfilter-cache-ttl       The time-to-live for cache entries in seconds (300-86400)
*webfilter-timeout        query time out (1-30 seconds)

I've just played around with it in our lab with a 500A and it works well. If you're using features like antispam or NAT it may not work so well with a non-public address on the "external" interface.

Regards,
Jimmy.

p.s. sorry for posting non Cisco related stuff on the cisco list :()

Tor-Ivar Kristoffersen wrote:
> Hi all
>
> This is my first post here, so I hope this gets in the right way :)
>
> We have a 100mbit Internet Connection that we are building (this is a new line). We are setting in new eq. and we plan to move over 1 and 1 service.
> We have a Fortigate 500A Firewall in front here, but we need to setup a router or switch or some other nice box in front of the firewall.
> The reason for this is that we have a /21 net routed to this fw, but our supplier runs their eq. on 10.x.x.x IP's and they will not let their eq. be exposed by real ip's. So the issue for us comes when the FG500A is to communicate with the world, it sees that the default gw is on a 10.x.x.x. net and therefore uses its own 10.x.x.x. assigned IP address for transmitting this. This naturally gets dropped by the isp.
>
> Solution is to set a Cisco switch / router in front with 2 IF's. One with our legal IP and one with the 10.x address. This way this unit will become the default gw for our fg500a and will transmit with its real ip address.
>
> But that leaves the question as to which unit to use in front.
>
> We have a couple of 2801 in stock, but they can't handle the traffic. We need something that can withstand an attack and at the same time deliver enough performance for the 100mb link.
>
> All suggestions are welcomed, also if anyone has a similar setup and therefore has any hands on experience with such a front end that would also be great.
>
> Thanks
>
> Best regards
> Tor-Ivar Kristoffersen
> IT Consultant
> Lufttransport AS
>
> "Horsepower is how hard you hit the wall, torque is how long you take the wall with you"

From ross at kallisti.us Mon May 12 09:50:19 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 12 May 2008 09:50:19 -0400
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <48277290.9050805@gtcomm.net>
References: <48277290.9050805@gtcomm.net>
Message-ID: <20080512135019.GA4385@kallisti.us>

On Sun, May 11, 2008 at 06:26:24PM -0400, Paul wrote:
> Anyone out there have 3750 running 12.2(44)SE1 ?
> Strange issue with the CPU sitting at 5% no matter what is going on,
> zero traffic or lots of traffic.
> Simple config, very few routes, 2 etherchannels, nothing major.
>
> Just curious.. It's not affecting anything except the ping time when you
> ping the switch directly.

We have a few stacks of 3750s running 12.2(25)SEE and see the same thing. They are running pure L2 stuff other than management. 5% is pretty much the idle baseline. Never seen them higher.
--
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From jeekay at gmail.com Mon May 12 10:05:47 2008
From: jeekay at gmail.com (Ras)
Date: Mon, 12 May 2008 15:05:47 +0100
Subject: [c-nsp] Cat4500/Sup5 not forwarding local multicast
Message-ID:

I currently have a problem where a Cat4500/Sup5 is not forwarding multicast where both the source and destination networks are locally attached. A 'show ip mroute count' gives this:

cat4500-sup5#sh ip mro mcast-group src-ip count
IP Multicast Statistics
685 routes using 631462 bytes of memory
154 groups, 3.44 average sources per group
Forwarding Counts: Pkt Count/Pkts per second/Avg Pkt Size/Kilobits per second
Other counts: Total/RPF failed/Other drops(OIF-null, rate-limit etc)

Group: mcast-group, Source count: 44, Packets forwarded: 901267197, Packets received: 944510033
  Source: src-ip/32, Forwarding: NC/NC/NC/NC, Other: NC/NC/NC

A 'show ip mroute' for this source gives:

cat4500-sup5#sh ip mro mcast-group src-ip
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, B - Bidir Group, s - SSM Group, C - Connected,
       L - Local, P - Pruned, R - RP-bit set, F - Register flag,
       T - SPT-bit set, J - Join SPT, M - MSDP created entry,
       X - Proxy Join Timer Running, A - Candidate for MSDP Advertisement,
       U - URD, I - Received Source Specific Host Report,
       Z - Multicast Tunnel, z - MDT-data group sender,
       Y - Joined MDT-data group, y - Sending to MDT-data group
Outgoing interface flags: H - Hardware switched, A - Assert winner
 Timers: Uptime/Expires
 Interface state: Interface, Next-Hop or VCD, State/Mode

(src-ip, mcast-group), 00:01:31/00:02:13, flags: T
  Incoming interface: Vlan251, RPF nbr 0.0.0.0
  Outgoing interface list:
    Vlan665, Forward/Sparse-Dense, 00:01:31/00:02:59, H
    Vlan250, Forward/Sparse, 00:01:31/00:02:56, H

For some reason these (S,G) entries are very young - they should have been active for at least a week. It seems like the entry is cycling roughly once every 180 seconds but I can find no obvious cause.

Anyone have any ideas on what NC/NC/NC might mean or why this would be happening?

Thanks,
Ras

From ploopster at gmail.com Mon May 12 10:53:37 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Mon, 12 May 2008 10:53:37 -0400
Subject: [c-nsp] SSH Authoized Keys?
In-Reply-To: <200805100034.45748.mtinka@globaltransit.net>
References: <8c829ec10805090751yb645c6na28371b3b94d8543@mail.gmail.com> <200805100034.45748.mtinka@globaltransit.net>
Message-ID: <482859F1.7070601@gmail.com>

Mark Tinka wrote:
> On Friday 09 May 2008, Chris Riling wrote:
>
>> I've done some research on SSH in IOS and I've only
>> been able to find "the usual" information on how to
>> implement SSH; (generate keys, change transport, etc.)
>> but I'm more interested in seeing if I can use key files
>> for authentication without a password. I've read that you
>> can do it on the IDS boxes, but I haven't found anything
>> on routers/switches... Any ideas?
>
> AFAIK, IOS routers will not store SSH keys for
> private/public-based authentication.

No, but they should.

Peace... Sridhar

From rblayzor.bulk at inoc.net Mon May 12 11:08:06 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Mon, 12 May 2008 11:08:06 -0400
Subject: [c-nsp] SSH Authoized Keys?
In-Reply-To: <423954.59306.qm@web904.biz.mail.mud.yahoo.com> References: <423954.59306.qm@web904.biz.mail.mud.yahoo.com> Message-ID: <8AE15DE5-997B-46B9-9159-8210C899CC6D@inoc.net> On May 10, 2008, at 5:03 AM, Kevin Graham wrote: > username autotool access-class 50 keyring TOOLS priv 15 > access-list 50 permit host 192.0.2.5 > crypto keyring TOOLS > ssh-dsa-pubkey name rancid Well as an alternative to putting the keys in a config, how about the ability to return public keys as part of a attribute returned from a RADIUS server. I know there may be an issue with packet size, but I think most 512-1024 bit keys should be able to fit in a standard authentication based response. -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ Mac OS X. Because making Unix user-friendly is easier than debugging Windows. From tim at pelican.org Mon May 12 11:09:57 2008 From: tim at pelican.org (Tim Franklin) Date: Mon, 12 May 2008 16:09:57 +0100 (BST) Subject: [c-nsp] Policing with DFCs In-Reply-To: <1F810BAE-80B6-4338-93CD-C57F927E578B@gmail.com> References: <994752fe0805050548s23f37c1bue5ee3019c8960226@mail.gmail.com> <1278.87.84.237.95.1210583497.squirrel@webmail.pelican.org> <1F810BAE-80B6-4338-93CD-C57F927E578B@gmail.com> Message-ID: <2017.87.84.237.95.1210604997.squirrel@webmail.pelican.org> On Mon, May 12, 2008 2:18 pm, Phil Bedard wrote: > The 7600 doesn't allow traffic shaping unless you are using an OSM or > SIP module, which isn't the case here if he is using DFCs on line > cards. I think what you posted may be pertinent to the GSRs which had > some odd functionality as well when it came to ingress/egress shaping > with the distributed architecture. I've never seen a good workaround > for the 7600. Oops, sorry, yes - it's largely been OSMs where I've used the hierarchical workaround. Definitely on the 7600 though. Regards, Tim. 
From jcartier at acs.on.ca Mon May 12 11:50:15 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Mon, 12 May 2008 11:50:15 -0400
Subject: [c-nsp] EAP-TLS
Message-ID:

I'm attempting to run EAP-TLS on a 1130 AP with 12.3(11)JA code, but I'm getting the following error messages in the debug. I'm running into a wall in terms of finding any information regarding a fix.

*Aug 1 20:17:57.839: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOLpkt on Authenticator Q
*Aug 1 20:17:57.839: dot1x-registry:registry:dot1x_ether_macaddr called
*Aug 1 20:18:27.839: %DOT11-7-AUTH_FAILED: Station 0016.6f79.8bf8 Authentication failed
*Aug 1 20:18:27.882: AAA/BIND(00000661): Bind i/f
*Aug 1 20:18:27.883: dot1x-registry:registry:dot1x_ether_macaddr called
*Aug 1 20:18:27.904: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
*Aug 1 20:18:27.904: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOLpkt on Authenticator Q
*Aug 1 20:18:27.904: dot1x-registry:registry:dot1x_ether_macaddr called
*Aug 1 20:18:56.406: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:56.480: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:56.953: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.079: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.098: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.295: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.374: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.437: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.722: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.904: %DOT11-7-AUTH_FAILED: Station 0016.6f79.8bf8 Authentication failed
*Aug 1 20:18:57.914: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.943: AAA/BIND(00000662): Bind i/f
*Aug 1 20:18:57.944: dot1x-registry:registry:dot1x_ether_macaddr called
*Aug 1 20:18:57.972: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:57.973: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on Dot11Radio0.1.
*Aug 1 20:18:57.973: dot1x-packet:dot1x_mgr_process_eapol_pak: queuing an EAPOLpkt on Authenticator Q
*Aug 1 20:18:57.973: dot1x-registry:registry:dot1x_ether_macaddr called
*Aug 1 20:18:57.991: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.123: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.277: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.380: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.451: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.525: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.715: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.727: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.831: AAA/BIND(00000663): Bind i/f
*Aug 1 20:18:58.831: AAA/AUTHEN/LOGIN (00000663): Pick method list 'default'
*Aug 1 20:18:58.845: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.914: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:58.988: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:59.002: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:59.275: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:59.290: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:59.490: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'
*Aug 1 20:18:59.595: AAA/AUTHEN/LOGIN (00000000): Pick method list 'default'

From skeeve at skeeve.org Mon May 12 12:30:16 2008
From: skeeve at skeeve.org (Skeeve Stevens)
Date: Tue, 13 May 2008 02:30:16 +1000
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
Message-ID:
<08f401c8b44d$76587810$63096830$@org> This is an article which should be VERY interesting to ALL ISP's and businesses using Cisco equipment. Main Article: http://www.news.com.au/technology/story/0,25642,23683235-5014239,00.html Source: http://www.abovetopsecret.com/forum/thread350381/pg1 I've grabbed a copy of the original PPT and hosted it locally - it's free from Virus/Worms. FBI PowerPoint Document (unclassified): http://www.eintellego.net/OMB_briefing-2008.01.11a.ppt (under 1MB) -- Skeeve Stevens, Managing Director eintellego Pty Ltd - The ISP Specialists skeeve at eintellego.net / www.eintellego.net Phone: (+612) 8197 2760, Fax: (+612) 8572 9954 Cell +61 (0)414 753 383 / skype://skeeve -- NOC, NOC, who's there? From gsgranados at comcast.net Mon May 12 13:17:21 2008 From: gsgranados at comcast.net (Scott Granados) Date: Mon, 12 May 2008 10:17:21 -0700 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? Message-ID: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> Am I correct in assuming there is no way to seat a WIC1ADSL or something similar on a 72xx or 75xx? I'm interested in using some DSL loops to back up a few of these but there doesn't seem to be an obvious way with out using another router. Am I correct here? Thank you Scott From blackberry at davidcoulson.net Mon May 12 13:23:25 2008 From: blackberry at davidcoulson.net (=?utf-8?B?RGF2aWQgQ291bHNvbg==?=) Date: Mon, 12 May 2008 17:23:25 +0000 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? In-Reply-To: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> Message-ID: <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> You have to use an fast ethernet port with a external dsl modem... Run pppoe client on cisco with modem in bridge mode passing ppp to router. 
-- David Coulson Sent from my BlackBerry -----Original Message----- From: "Scott Granados" Date: Mon, 12 May 2008 10:17:21 To: Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? Am I correct in assuming there is no way to seat a WIC1ADSL or something similar on a 72xx or 75xx? I'm interested in using some DSL loops to back up a few of these but there doesn't seem to be an obvious way with out using another router. Am I correct here? Thank you Scott _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ploopster at gmail.com Mon May 12 13:28:59 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Mon, 12 May 2008 13:28:59 -0400 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? In-Reply-To: <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> Message-ID: <48287E5B.5030700@gmail.com> David Coulson wrote: > You have to use an fast ethernet port with a external dsl modem... Run pppoe client on cisco with modem in bridge mode passing ppp to router. Which DSL modems support fast ethernet (and full-duplex)? Peace... Sridhar From blackberry at davidcoulson.net Mon May 12 13:30:12 2008 From: blackberry at davidcoulson.net (=?utf-8?B?RGF2aWQgQ291bHNvbg==?=) Date: Mon, 12 May 2008 17:30:12 +0000 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? 
In-Reply-To: <48287E5B.5030700@gmail.com> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry><48287E5B.5030700@gmail.com> Message-ID: <1962405074-1210613416-cardhu_decombobulator_blackberry.rim.net-791455231-@bxe122.bisx.prod.on.blackberry> Speedstreams do. 5200 or something -- David Coulson Sent from my BlackBerry -----Original Message----- From: Sridhar Ayengar Date: Mon, 12 May 2008 13:28:59 To:david at davidcoulson.net Cc:Scott Granados , cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? David Coulson wrote: > You have to use an fast ethernet port with a external dsl modem... Run pppoe client on cisco with modem in bridge mode passing ppp to router. Which DSL modems support fast ethernet (and full-duplex)? Peace... Sridhar From joe at netbyjoe.com Mon May 12 13:34:17 2008 From: joe at netbyjoe.com (Joe Freeman) Date: Mon, 12 May 2008 12:34:17 -0500 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? In-Reply-To: <48287E5B.5030700@gmail.com> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> <48287E5B.5030700@gmail.com> Message-ID: <5da6cd9f0805121034h39cf4143pf2f85bc93bdd0f49@mail.gmail.com> Most of the ones I've worked with in the last couple of years will. This includes Westell and Zyxel (try the 650 or 660 units). Joe On Mon, May 12, 2008 at 12:28 PM, Sridhar Ayengar wrote: > David Coulson wrote: > > You have to use an fast ethernet port with a external dsl modem... Run > pppoe client on cisco with modem in bridge mode passing ppp to router. > > Which DSL modems support fast ethernet (and full-duplex)? > > Peace... 
Sridhar > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From swmike at swm.pp.se Mon May 12 13:35:19 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 12 May 2008 19:35:19 +0200 (CEST) Subject: [c-nsp] CEF Load balancing over Etherchannel (3750) In-Reply-To: <482783A2.4020601@gtcomm.net> References: <482783A2.4020601@gtcomm.net> Message-ID: On Sun, 11 May 2008, Paul wrote: > Maybe this is a limitation of the 3750 platform? I have not tried this > on any of the other equipment. If it's any help, I have a case open for the same problem on a 7206. I cannot get it to load-share at all egress, I have tried both multiple destination IP addresses and concurrent TCP flows (not real traffic though). I've been trying to find somewhere how etherchannel egress loadsharing is supposed to work on the CPU based platforms, but to no avail, and the TAC engineer didn't seem to find it anywhere either. Considering the speed of the progress on this case, there must be very few people doing etherchannel on these platforms. -- Mikael Abrahamsson email: swmike at swm.pp.se From cmadams at hiwaay.net Mon May 12 13:42:26 2008 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 12 May 2008 12:42:26 -0500 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? In-Reply-To: <48287E5B.5030700@gmail.com> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> <48287E5B.5030700@gmail.com> Message-ID: <20080512174226.GF1139409@hiwaay.net> Once upon a time, Sridhar Ayengar said: > David Coulson wrote: > > You have to use an fast ethernet port with a external dsl modem... Run pppoe client on cisco with modem in bridge mode passing ppp to router. 
> > Which DSL modems support fast ethernet (and full-duplex)?

I picked up an Efficient Networks Speedstream 5260 from eBay that is running 100/full and passing PPPoE to a firewall.

--
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From Gregori.Parker at theplatform.com Mon May 12 13:34:41 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Mon, 12 May 2008 10:34:41 -0700
Subject: [c-nsp] PIX questions
In-Reply-To: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com>
Message-ID: <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>

I was hoping to see an answer to this, as I ran into what I believe to be a similar situation a while back.

We had an ASA at an edge, with several static identity NATs, e.g.:

static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
...

Where x.x.x.* are public addresses, and an access-list allows specific services from anywhere to each public NAT. All outgoing traffic is PATed to the interface address, say x.x.x.80, and I'm not clear on how to enable a host on the inside to communicate with an identity NAT on the outside...essentially the ASA would be doubling up on translations, one outgoing, to one inbound...looping back to itself so-to-speak. It doesn't work, and I understand why, but I've wondered if there's a way to enable this (other than having the hosts communicate directly). I've looked at things like permitting same-security-traffic inter/intra-interface to no avail.

Thanks in advance (and sorry if I woke a dead thread)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
Sent: Friday, May 09, 2008 12:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX questions

Hi all,

I have a question about PIX translation

An outside interface has IP address: 192.168.1.2 255.255.255.0
A DMZ interface has IP address: 10.1.1.2 255.255.255.0

Current translation:
10.1.1.3 -> 192.168.1.3
10.1.1.4 -> 192.168.1.4

How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
How can I make it so that anyone behind 10.1.1.0/24 network is able to ping the IP "192.168.1.4"?

Consider the ICMP is allowed any any.

I tried to configure it but the ASDM log say "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"

Thank you for your help in advance.

Regards,
Rudy

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From criling at gmail.com Mon May 12 14:17:58 2008
From: criling at gmail.com (Chris Riling)
Date: Mon, 12 May 2008 14:17:58 -0400
Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx?
In-Reply-To: <20080512174226.GF1139409@hiwaay.net>
References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> <48287E5B.5030700@gmail.com> <20080512174226.GF1139409@hiwaay.net>
Message-ID: <8c829ec10805121117r2404beecsf3d59650968701b2@mail.gmail.com>

We use a lot of the Zoom modems, X3, X5, X6, etc... I *think* all of them do 100/full...

Chris

On 5/12/08, Chris Adams wrote:
>
> Once upon a time, Sridhar Ayengar said:
> > David Coulson wrote:
> > > You have to use an fast ethernet port with a external dsl modem...
Run > pppoe client on cisco with modem in bridge mode passing ppp to router. > > > > Which DSL modems support fast ethernet (and full-duplex)? > > I picked up an Efficient Networks Speedstream 5260 from eBay that is > running 100/full and passing PPPoE to a firewall. > > -- > Chris Adams > Systems and Network Administrator - HiWAAY Internet Services > I don't speak for anybody but myself - that's enough trouble. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From r.nevot at gmail.com Mon May 12 14:19:28 2008 From: r.nevot at gmail.com (Raul Lopez Nevot) Date: Mon, 12 May 2008 20:19:28 +0200 Subject: [c-nsp] PIX questions In-Reply-To: <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> Message-ID: Hi On Mon, May 12, 2008 at 7:34 PM, Gregori Parker wrote: > to enable a host on the inside to communicate with an identity NAT on > the outside...essentially the ASA would be doubling up on translations, In the past, with pix 6.3 and earlier, you achieved it with alias command. From cmadams at hiwaay.net Mon May 12 14:26:55 2008 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 12 May 2008 13:26:55 -0500 Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx? 
In-Reply-To: <8c829ec10805121117r2404beecsf3d59650968701b2@mail.gmail.com> References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com> <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry> <48287E5B.5030700@gmail.com> <20080512174226.GF1139409@hiwaay.net> <8c829ec10805121117r2404beecsf3d59650968701b2@mail.gmail.com> Message-ID: <20080512182655.GG1139409@hiwaay.net> Once upon a time, Chris Riling said: > We use a lot of the Zoom modems, X3, X5, X6, etc... I *think* all of them do > 100/full... IIRC the X5 and X6 are routers only (so they can't pass the PPPoE through to another device). I don't know about the X3. -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From Gregori.Parker at theplatform.com Mon May 12 15:31:39 2008 From: Gregori.Parker at theplatform.com (Gregori Parker) Date: Mon, 12 May 2008 12:31:39 -0700 Subject: [c-nsp] PIX questions In-Reply-To: References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com><1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> Message-ID: <1A9866F953006D45AEE0166066114E090F701C3E@TPMAIL02.corp.theplatform.com> The alias command still seems usable in 7.2, but I tried this in my scenario and it didn't affect anything (also tried the 'dns doctoring' and 'hairpinning' solutions) -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Raul Lopez Nevot Sent: Monday, May 12, 2008 11:19 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] PIX questions Hi On Mon, May 12, 2008 at 7:34 PM, Gregori Parker wrote: > to enable a host on the inside to communicate with an identity NAT on > the outside...essentially the ASA would be doubling up on translations, In the past, with pix 6.3 and earlier, you achieved it with alias command. 
From paul at gtcomm.net Mon May 12 18:08:03 2008
From: paul at gtcomm.net (Paul)
Date: Mon, 12 May 2008 18:08:03 -0400
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
Message-ID: <4828BFC3.3030407@gtcomm.net>

It doesn't really have anything to do with etherchannel, that works just fine by itself. It has to do with the CEF load balancing algorithm being exactly the same as the etherchannel one. This even propagates through to multiple switches, for instance I have tested it like:

3750 with 2 etherchannels, to two 2960s with an etherchannel link in between the 2960's
CEF load balance to router on a single port on 2960 #2 (two /30's, two vlans)

What happens is 3750 sends out both port channel interfaces to each 2960, and on port channel 1 it uses the 2nd port only for the traffic, and on port channel 2 it only uses the 1st port. Which means each 2960 only receives packets on 1 of the etherchannels, effectively making it 1gbps instead of two. Further, this propagates to the link between the 2960's because the traffic is only going out 2960 #2, so what I see on the 2gbps port channel link between the 2960s is also that it is only using 1 port of the etherchannel.

If I take this a step further and put a router in between:

3750 to router 1 to 2960
3750 to router 2 to 2960

for example, it STILL has the same effect because it's only based on the source/destination ip or source or dst ip which the CEF load balancing is creating. A simple change to the etherchannel load balancing algorithm or the CEF one would clearly fix the problem.

From mksmith at adhost.com Mon May 12 19:39:07 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Mon, 12 May 2008 16:39:07 -0700
Subject: [c-nsp] PIX questions
In-Reply-To: <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031603F351F2@ad-exh01.adhost.lan>

Hello Gregori:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 10:35 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
>
> I was hoping to see an answer to this, as I ran into what I believe to be a similar situation a while back.
>
> We had an ASA at an edge, with several static identity NATs, e.g.:
>
> static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
> static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
> ...
>
> Where x.x.x.* are public addresses, and an access-list allows specific services from anywhere to each public NAT. All outgoing traffic is PATed to the interface address, say x.x.x.80, and I'm not clear on how to enable a host on the inside to communicate with an identity NAT on the outside...essentially the ASA would be doubling up on translations, one outgoing, to one inbound...looping back to itself so-to-speak. It doesn't work, and I understand why, but I've wondered if there's a way to enable this (other than having the hosts communicate directly). I've looked at things like permitting same-security-traffic inter/intra-interface to no avail.
>
> Thanks in advance (and sorry if I woke a dead thread)
>

The only way I've seen it work is to give both the source and destination a static NAT. The PAT'd to static doesn't work while the static to static does.

Regards,

Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 475 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20080512/4e1c6091/attachment.bin

From liuxiaofengqd at hotmail.com Mon May 12 20:43:48 2008
From: liuxiaofengqd at hotmail.com (刘Tom)
Date: Tue, 13 May 2008 08:43:48 +0800
Subject: [c-nsp] Old Aironet Gear Issues
Message-ID:

Hi ivor,

I have an old CISCO AIR-AP1230B, but its firmware is very old. I want to update the firmware. Can you give me a new firmware for the CISCO AIR-AP1230B, please? Thank you very much.

Tom

From pshem.k at gmail.com Mon May 12 22:02:53 2008
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Tue, 13 May 2008 14:02:53 +1200
Subject: [c-nsp] Huge number of input queue drops on 6500
In-Reply-To: <13A13E9CF0F76342A79031B9E558C0C50308120B@100NOOSLMSG004.common.alpharoot.net>
References: <20fe625b0805110122s6aa02304n5180f3bb48fb2b0a@mail.gmail.com> <20080511.114901.74716308.sthaug@nethelp.no> <13A13E9CF0F76342A79031B9E558C0C50308120B@100NOOSLMSG004.common.alpharoot.net>
Message-ID: <20fe625b0805121902k474d7adev935828dd476f1f54@mail.gmail.com>

Hi,

We moved those interfaces to 6724 modules and all the problems went away. Thank you for your help.

kind regards
Pshem

From stig.johansen at ementor.no Mon May 12 22:18:22 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Tue, 13 May 2008 04:18:22 +0200
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
In-Reply-To: <482783A2.4020601@gtcomm.net>
References: <482783A2.4020601@gtcomm.net>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C503081215@100NOOSLMSG004.common.alpharoot.net>

> Does anyone know how to make CEF load balancing work over etherchannels and actually load balance on the etherchannel?
> I have two GEC interfaces with 2 ports in each, and then I have two routes multipath, one to each GEC interface
> The problem is that the CEF algorithm is the same as the etherchannel algorithm and each one of the etherchannels ends up only sending out one of the two ports so it is not load balancing. I have tried changing the port-channel load-balance setting to various things (I can not use MAC because it's from one router to another) and I have tried changing the cef load sharing algorithm.
> Maybe this is a limitation of the 3750 platform? I have not tried this on any of the other equipment.

Hi there,

I guess you have tried it, but here goes anyway..

Do you have several different source AND destination IP addresses using these links? If so, setting the following should be of some help:

! Set etherchannel load-balancing to use a XOR hash
port-channel load-balance src-dst-ip
! Set CEF algorithm load-balancing to use a different seed for the hashing
ip cef load-sharing algorithm universal 1

If you have only one source-IP, this could mess up the hashing somewhat and result in only one (or possibly a very skewed distribution) link in each of the portchannels to be used.
If this is/has been tried and proven wrong, it was at least worth a try :)

best regards,
Stig Meireles Johansen

From tedm at toybox.placo.com Tue May 13 02:08:11 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 12 May 2008 23:08:11 -0700
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <08f401c8b44d$76587810$63096830$@org>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Skeeve Stevens
> Sent: Monday, May 12, 2008 9:30 AM
> To: isp-australia at isp-australia.com
> Cc: ausnog at ausnog.net; aussie-isp at taz.net.au; cisco-nsp at puck.nether.net; 2600-list at wiretapped.net
> Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
>
> This is an article which should be VERY interesting to ALL ISP's and businesses using Cisco equipment.
>

After the initial reaction of laughing, I have this to say about it.

It is clearly ridiculous that Chinese crackers are going to steal national security secrets by using counterfeit WIC-1DSU-T1 cards. I think the majority of counterfeit gear they picked up was probably along those lines.

It is a bit more of a national security concern when the counterfeit gear is firewalls.

I also am somewhat neutral on the issue of the government buying Cisco routers for $250 that normally sold for $2500, which was also mentioned in the article. On one hand I don't like to see my tax dollars enriching some Chinese criminal's pocket, on the other hand I would rather not have my taxes go up 90% to pay full price.

I am mostly concerned with the following, however:

1) Purchase of networking equipment on credit cards rather than through the authorized government purchasing system.

2) Counterfeit gear getting into the government offices through the regular distributors.

In case #1, that is clearly the case of network admins getting denied approval for a project and saying "fuck you" and going ahead with it anyway. While I'm sure lots of people can relate stories of dumb government decisions that required people to make end-runs around them (ie: the $500 hammer, $2000 toilet seat, etc.), the fact is that we know about those stories precisely because the people in the government who were forced to go through some overcharging scamming vendor complained to the press about it, rather than secretly slipping some hammer purchases through on a personal expense report. I don't want my civil servants making an end run around some bureaucrat that has his head up his ass, with a credit card and eBay. I want them going to the press so the resultant citizen outrage gets the anally-inserted bureaucrat fired, or promoted into a harmless little office where he supervises staplers (which is how the government usually deals with embarrassingly incompetent civil servants).

In case #2, the middlemen/distributors/etc. that the government normally is buying from are selling Chinese counterfeit stuff for full price. Thus, they are buying the counterfeit gear for pennies and selling it for millions, and making a killing doing so. Well, the FBI discovered it, where are the stories of such distributors getting arrested for fraud?

All in all, a very disturbing article. Not about the counterfeiting - we all know it happens. But the fact that the stuff got into the government networks in the first place.
Ted

From zivl at gilat.net Tue May 13 02:14:03 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 13 May 2008 09:14:03 +0300
Subject: [c-nsp] PIX questions
In-Reply-To: <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID:

You must understand that the NAT is being performed on a "from-->to" basis, that is why the command is "static (inside,outside)", so if the NAT is between inside and outside you can't hit it when coming from the dmz. For this to be achieved you should use a "static (inside,dmz)" command, but then you won't have the needed translation towards the outside. I think you can't enjoy both worlds...

Besides, what's the problem having the outside hosts use the public IP address and the dmz hosts use the inside IP address for accessing the servers?

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
Sent: Monday, May 12, 2008 8:35 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX questions

I was hoping to see an answer to this, as I ran into what I believe to be a similar situation a while back.

We had an ASA at an edge, with several static identity NATs, e.g.:

static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
...

Where x.x.x.* are public addresses, and an access-list allows specific services from anywhere to each public NAT. All outgoing traffic is PATed to the interface address, say x.x.x.80, and I'm not clear on how to enable a host on the inside to communicate with an identity NAT on the outside...essentially the ASA would be doubling up on translations, one outgoing, to one inbound...looping back to itself so-to-speak. It doesn't work, and I understand why, but I've wondered if there's a way to enable this (other than having the hosts communicate directly). I've looked at things like permitting same-security-traffic inter/intra-interface to no avail.

Thanks in advance (and sorry if I woke a dead thread)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
Sent: Friday, May 09, 2008 12:05 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PIX questions

Hi all,

I have a question about PIX translation.

An outside interface has IP address:
192.168.1.2 255.255.255.0

A DMZ interface has IP address:
10.1.1.2 255.255.255.0

Current translation:
10.1.1.3 -> 192.168.1.3
10.1.1.4 -> 192.168.1.4

How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
How can I make it so that anyone behind the 10.1.1.0/24 network is able to ping the IP "192.168.1.4"?

Consider that ICMP is allowed any any.

I tried to configure it but the ASDM log says
"Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"

Thank you for your help in advance.

Regards,
Rudy

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From jay at west.net Tue May 13 02:51:20 2008
From: jay at west.net (Jay Hennigan)
Date: Mon, 12 May 2008 23:51:20 -0700
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To:
References:
Message-ID: <48293A68.9080808@west.net>

Ted Mittelstaedt wrote:
> After the initial reaction of laughing, I have this to say about it.
>
> It is clearly ridiculous that Chinese crackers are going to steal national security secrets by using counterfeit WIC-1DSU-T1 cards. I think the majority of counterfeit gear they picked up was probably along those lines.
>
> It is a bit more of a national security concern when the counterfeit gear is firewalls.

I think that the intent of the counterfeiters is purely financial gain, not espionage. The only reason we aren't seeing counterfeit firewalls is that the volume of ASAs vs. WICs and 17xx routers is too low to make it profitable.

> I am mostly concerned with the following, however:
>
> 1) Purchase of networking equipment on credit cards rather than through the authorized government purchasing system.
>
> 2) Counterfeit gear getting into the government offices through the regular distributors.
>
> In case #1, that is clearly the case of network admins getting denied approval for a project and saying "fuck you" and going ahead with it anyway.

Not necessarily. Quite often there is a need for government agencies to use official credit cards for such purchases outside of the normal procurement channels.
USDA Forest Service procuring gear for deployment at a fire camp, FEMA in a disaster area, even such things as WH Communications agency needing a setup for a Presidential trip to a small town often don't allow for the standard GSA procurements with the red tape involved, etc. After the fire or emergency, the equipment winds up in the agency's inventory.

> In case #2, the middlemen/distributors/etc. that the government normally is buying from are selling Chinese counterfeit stuff for full price. Thus, they are buying the counterfeit gear for pennies and selling it for millions, and making a killing doing so. Well, the FBI discovered it, where are the stories of such distributors getting arrested for fraud?
>
> All in all, a very disturbing article. Not about the counterfeiting - we all know it happens. But the fact that the stuff got into the government networks in the first place.

The distributors may be victims as well, it could be a crooked delivery driver or stock clerk. We have been burned with counterfeit WICs shipped direct from a very large nationwide official Cisco distributor (initials I.M.) ordered from Cisco. Or the switch could have happened in China, where the real Cisco gear is also manufactured, perhaps in the same factory during the day shift.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From A.L.M.Buxey at lboro.ac.uk Tue May 13 04:07:55 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Tue, 13 May 2008 09:07:55 +0100
Subject: [c-nsp] Old Aironet Gear Issues
In-Reply-To:
References:
Message-ID: <20080513080755.GA16679@lboro.ac.uk>

Hi,

> Hi ivor, I have an old CISCO AIR-AP1230B, but its firmware is very old. I want to update the firmware. Can you give me a new firmware for the CISCO AIR-AP1230B, please? Thank you very much. Tom

those devices have been EOL/EOS for quite some time. but this isn't the forum to ask for firmware files. go to cisco.com and if you don't have CCO, see what access a registered guest will give you. if there's been a particular vulnerability etc then usually the fixed firmware is publicly available anyway.

alan

From peter at rathlev.dk Tue May 13 04:28:55 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 May 2008 10:28:55 +0200
Subject: [c-nsp] Interruptions when enabling "mls qos"
Message-ID: <1210667335.20768.5.camel@dusken.sys.mjna.net>

Hi,

How much of an interruption can we expect when enabling the "mls qos" command on 3750s and 6500/Sup720s? As far as I can see on our test equipment, it either causes no interruption at all or a very short one (<500ms). I can't seem to find any documentation about it.

We're preparing a service window and need to enable this on a few edge and distribution units, but we're unable to say exactly how much disturbance the network can expect, e.g. if this would down eBGP sessions.

Does anybody have any experience in this area?

Thanks,
Peter

From paul at gtcomm.net Tue May 13 04:34:48 2008
From: paul at gtcomm.net (Paul)
Date: Tue, 13 May 2008 04:34:48 -0400
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
In-Reply-To: <4829458C.6010009@tbm.ro>
References: <482783A2.4020601@gtcomm.net> <4829458C.6010009@tbm.ro>
Message-ID: <482952A8.7050904@gtcomm.net>

This doesn't work on 3750. I tried. Also tried changing cef algorithm to universal 1 and also universal with some random hex... Apparently even the src-ip follows the same rule as the CEF load balancing.
Too bad we can't change per port channel balancing :P

Dan Sabau wrote:
> Had the same problem, I've changed the way etherchannel load balances the link to:
> port-channel load-balance src-ip
> and everything was ok after.
>
> Paul wrote:
>> Does anyone know how to make CEF load balancing work over etherchannels and actually load balance on the etherchannel?
>> I have two GEC interfaces with 2 ports in each, and then I have two routes multipath, one to each GEC interface
>> The problem is that the CEF algorithm is the same as the etherchannel algorithm and each one of the etherchannels ends up only sending out one of the two ports so it is not load balancing. I have tried changing the port-channel load-balance setting to various things (I can not use MAC because it's from one router to another) and I have tried changing the cef load sharing algorithm.
>> Maybe this is a limitation of the 3750 platform? I have not tried this on any of the other equipment.
>>
>> Paul
>

From dan.sabau at tbm.ro Tue May 13 03:38:52 2008
From: dan.sabau at tbm.ro (Dan Sabau)
Date: Tue, 13 May 2008 10:38:52 +0300
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
In-Reply-To: <482783A2.4020601@gtcomm.net>
References: <482783A2.4020601@gtcomm.net>
Message-ID: <4829458C.6010009@tbm.ro>

Had the same problem, I've changed the way etherchannel load balances the link to:

port-channel load-balance src-ip

and everything was ok after.

Paul wrote:
> Does anyone know how to make CEF load balancing work over etherchannels and actually load balance on the etherchannel?
> I have two GEC interfaces with 2 ports in each, and then I have two routes multipath, one to each GEC interface
> The problem is that the CEF algorithm is the same as the etherchannel algorithm and each one of the etherchannels ends up only sending out one of the two ports so it is not load balancing. I have tried changing the port-channel load-balance setting to various things (I can not use MAC because it's from one router to another) and I have tried changing the cef load sharing algorithm.
> Maybe this is a limitation of the 3750 platform? I have not tried this on any of the other equipment.
>
> Paul

--
Dan Sabau
Manager NOC Cluj
New Com Telecomunicatii SA,
Telefon: +40-740078983
Email: dan.sabau at newcom.ro

From dan.sabau at tbm.ro Tue May 13 04:56:20 2008
From: dan.sabau at tbm.ro (Dan Sabau)
Date: Tue, 13 May 2008 11:56:20 +0300
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
In-Reply-To: <482952A8.7050904@gtcomm.net>
References: <482783A2.4020601@gtcomm.net> <4829458C.6010009@tbm.ro> <482952A8.7050904@gtcomm.net>
Message-ID: <482957B4.1030908@tbm.ro>

Did you try on both ends of the portchannel? I'm running:

Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(35)SE2, RELEASE SOFTWARE (fc1)

Paul wrote:
> This doesn't work on 3750. I tried. Also tried changing cef algorithm to universal 1 and also universal with some random hex... Apparently even the src-ip follows the same rule as the CEF load balancing.
> Too bad we can't change per port channel balancing :P
>
> Dan Sabau wrote:
>> Had the same problem, I've changed the way etherchannel load balances the link to:
>> port-channel load-balance src-ip
>> and everything was ok after.
>>
>> Paul wrote:
>>> Does anyone know how to make CEF load balancing work over etherchannels and actually load balance on the etherchannel?
>>> I have two GEC interfaces with 2 ports in each, and then I have two routes multipath, one to each GEC interface
>>> The problem is that the CEF algorithm is the same as the etherchannel algorithm and each one of the etherchannels ends up only sending out one of the two ports so it is not load balancing. I have tried changing the port-channel load-balance setting to various things (I can not use MAC because it's from one router to another) and I have tried changing the cef load sharing algorithm.
>>> Maybe this is a limitation of the 3750 platform? I have not tried this on any of the other equipment.
>>>
>>> Paul

--
Dan Sabau
Manager NOC Cluj
New Com Telecomunicatii SA,
Telefon: +40-740078983
Email: dan.sabau at newcom.ro

From wyatt.eliasson at gmail.com Tue May 13 05:10:07 2008
From: wyatt.eliasson at gmail.com (Wyatt Mattias Ishmael Jovial Gyllenvarg)
Date: Tue, 13 May 2008 11:10:07 +0200
Subject: [c-nsp] Shaping/policing in 7600
Message-ID: <994752fe0805130210x12adea22va794b6ac439ac2d6@mail.gmail.com>

> The 7600 doesn't allow traffic shaping unless you are using an OSM or SIP module, which isn't the case here if he is using DFCs on line cards. I think what you posted may be pertinent to the GSRs which had some odd functionality as well when it came to ingress/egress shaping with the distributed architecture. I've never seen a good workaround for the 7600.

So, I could shape/police outbound traffic on a Te interface if it's a SIP card with the appropriate interface module?
//Mattias Gyllevarg
Skycom AB

From pao_rivi at hotmail.com Tue May 13 05:33:04 2008
From: pao_rivi at hotmail.com (P@0l0)
Date: Tue, 13 May 2008 11:33:04 +0200
Subject: [c-nsp] PIX questions
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID:

Dear ALL,

I don't understand why you want to do something like that... Maybe I misunderstood, but I don't recognize your needs. What I mean is:

If you need to make some communication between internal addresses, then you need to use real IPs.
If you need to make communication between different interfaces you can (if needed) use NATed IPs.

Now I'm thinking about it, and I think that you should need it due to a DNS resolution issue. In other words, an internal address NATed on the outside that is resolved to a public (NAT) address that needs to be reached from the internal server/client; then you need to use the "alias command" to define DNS doctoring inspection. Take a look at the manual for DNS doctoring (alias command).

Hope this helps you guys out

Cheers

Paolo Riviello
Home: http://www.paoloriviello.com
Msn: pao_rivi at hotmail.com
Skype: pao_rivi
--
I'm a rebel, soul rebel
I'm a capturer, soul adventurer
See the morning sun, On the hillside
if not living good, travel wide.
B.M.

> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Tue, 13 May 2008 09:14:03 +0300
> Subject: Re: [c-nsp] PIX questions
>
> You must understand that the NAT is being performed on a "from-->to" basis, that is why the command is "static (inside,outside)", so if the NAT is between inside and outside you can't hit it when coming from the dmz. For this to be achieved you should use a "static (inside,dmz)" command, but then you won't have the needed translation towards the outside. I think you can't enjoy both worlds...
>
> Besides, what's the problem having the outside hosts use the public IP address and the dmz hosts use the inside IP address for accessing the servers?
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 8:35 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
>
> I was hoping to see an answer to this, as I ran into what I believe to be a similar situation a while back.
>
> We had an ASA at an edge, with several static identity NATs, e.g.:
>
> static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
> static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
> ...
>
> Where x.x.x.* are public addresses, and an access-list allows specific services from anywhere to each public NAT. All outgoing traffic is PATed to the interface address, say x.x.x.80, and I'm not clear on how to enable a host on the inside to communicate with an identity NAT on the outside...essentially the ASA would be doubling up on translations, one outgoing, to one inbound...looping back to itself so-to-speak. It doesn't work, and I understand why, but I've wondered if there's a way to enable this (other than having the hosts communicate directly). I've looked at things like permitting same-security-traffic inter/intra-interface to no avail.
>
> Thanks in advance (and sorry if I woke a dead thread)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
> Sent: Friday, May 09, 2008 12:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX questions
>
> Hi all,
>
> I have a question about PIX translation.
>
> An outside interface has IP address:
> 192.168.1.2 255.255.255.0
>
> A DMZ interface has IP address:
> 10.1.1.2 255.255.255.0
>
> Current translation:
> 10.1.1.3 -> 192.168.1.3
> 10.1.1.4 -> 192.168.1.4
>
> How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
> How can I make it so that anyone behind the 10.1.1.0/24 network is able to ping the IP "192.168.1.4"?
>
> Consider that ICMP is allowed any any.
>
> I tried to configure it but the ASDM log says
> "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"
>
> Thank you for your help in advance.
>
> Regards,
> Rudy

From perc69+cnsp at gmail.com Tue May 13 05:46:45 2008
From: perc69+cnsp at gmail.com (Pelle)
Date: Tue, 13 May 2008 11:46:45 +0200
Subject: [c-nsp] 3550 learning state
In-Reply-To:
References:
Message-ID: <746ca6da0805130246o40aa1e25of07d61e83c207231@mail.gmail.com>

Hi.

> What's happening is that when an ethernet interface is connected or disconnected 5 of the ports on the switch move back to a learning state.
>
> The ports that are changing to a learning state are both trunk & access ports.

Are you running MST on the uplink ports, i.e. is there an MST listener upstream? If not, this is the expected result. All ports "external" to an MST-region will go through the port state transitions whenever a topology change occurs. It looks like your upstream ports are indeed "external". You can check this with the command "show spanning-tree mst".
Here is one example:

3550-24T#sh spanning-tree mst

##### MST0    vlans mapped:   none
Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Fa0/15           Desg FWD 200000    128.15   P2p Bound(PVST)
Gi0/1            Desg FWD 20000     128.25   P2p
Gi0/2            Root FWD 20000     128.26   P2p

Gi0/1 and Gi0/2 are the upstream ports running MST and Fa0/15 is connected to a switch outside the MST-region (an "external" port).

> spanning-tree mst configuration
> instance 10 vlan 50, 69-70, 92-96, 98-99, 291, 350, 498-509, 550, 603
> instance 10 vlan 605-606, 701, 703, 750, 761, 800-802
> instance 15 vlan 1-49, 51-68, 71-91, 97, 100-290, 292-349, 351-497, 510-549
> instance 15 vlan 551-602, 604, 607-700, 702, 704-749, 751-760, 762-799
> instance 15 vlan 803-4094

I would not recommend having this very complex MST instance mapping (if possible). Keep it simple is the mantra (here too).

--
Pelle

From Ruben.Montes at eu.didata.com Tue May 13 06:17:53 2008
From: Ruben.Montes at eu.didata.com (Ruben Montes (Europe))
Date: Tue, 13 May 2008 12:17:53 +0200
Subject: [c-nsp] Interruptions when enabling "mls qos"
In-Reply-To:
References:
Message-ID:

Hello,

I enabled this command in the core of a live network (4x 6500) during working hours and there wasn't any impact on the network, or it was negligible.

Regards,

Ruben

From diogo.montagner at gmail.com Tue May 13 06:33:25 2008
From: diogo.montagner at gmail.com (Diogo Montagner)
Date: Tue, 13 May 2008 07:33:25 -0300
Subject: [c-nsp] Interruptions when enabling "mls qos"
In-Reply-To:
References:
Message-ID: <84eb7a820805130333q5c1f9345y9cdc77bec3ed20cb@mail.gmail.com>

Hi Peter,

just like Ruben, I never saw interruption in service during the activation of the 'mls qos' command.
Regards,
Diogo

On Tue, May 13, 2008 at 7:17 AM, Ruben Montes (Europe) <
Ruben.Montes at eu.didata.com> wrote:

> Hello,
>
> I enabled this command in the core of a living network (4x 6500) during
> working hours and there wasn't any impact in the network, or it was
> negligible.
>
> Regards,
>
> Ruben
>

-- 
./diogo -montagner

From peter at rathlev.dk  Tue May 13 06:51:10 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 May 2008 12:51:10 +0200
Subject: [c-nsp] Interruptions when enabling "mls qos"
In-Reply-To: <84eb7a820805130333q5c1f9345y9cdc77bec3ed20cb@mail.gmail.com>
References: <84eb7a820805130333q5c1f9345y9cdc77bec3ed20cb@mail.gmail.com>
Message-ID: <1210675870.22557.1.camel@dusken.sys.mjna.net>

Thank you for the feedback. Seems we'll announce "small chance of
disturbance", then nobody should be surprised. :-)

Regards,
Peter

On Tue, 2008-05-13 at 07:33 -0300, Diogo Montagner wrote:
> Hi Peter,
>
> just like Ruben, I never saw interruption in service during the activation
> of 'mls qos' command.
>
> Regards,
> Diogo
>
> On Tue, May 13, 2008 at 7:17 AM, Ruben Montes (Europe) <
> Ruben.Montes at eu.didata.com> wrote:
>
> > Hello,
> >
> > I enabled this command in the core of a living network (4x 6500) during
> > working hours and there wasn't any impact in the network, or it was
> > negligible.
> >
> > Regards,
> >
> > Ruben
> >

From DTODD at PARTNERS.ORG  Tue May 13 06:38:55 2008
From: DTODD at PARTNERS.ORG (Todd, Douglas M.)
Date: Tue, 13 May 2008 06:38:55 -0400
Subject: [c-nsp] Interruptions when enabling "mls qos"
References: <84eb7a820805130333q5c1f9345y9cdc77bec3ed20cb@mail.gmail.com>
Message-ID: <1F1F2AF9CD74144CAB1F5702D4F74A4EE9365C@PHSXMB24.partners.org>

The only problem I have seen is with COPP enabled. Enabling the qos feature
on the 6500 enables the hardware policing function of COPP (otherwise it's
just software policing COPP). This causes traffic to hit the default queue
more (still truly unsure why this is).

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net on behalf of Diogo Montagner
Sent: Tue 5/13/2008 6:33 AM
To: Ruben Montes (Europe)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Interruptions when enabling "mls qos"

Hi Peter,

just like Ruben, I never saw interruption in service during the activation
of 'mls qos' command.

Regards,
Diogo

On Tue, May 13, 2008 at 7:17 AM, Ruben Montes (Europe) <
Ruben.Montes at eu.didata.com> wrote:

> Hello,
>
> I enabled this command in the core of a living network (4x 6500) during
> working hours and there wasn't any impact in the network, or it was
> negligible.
>
> Regards,
>
> Ruben
>

-- 
./diogo -montagner

From mcgrath at fas.harvard.edu  Tue May 13 08:34:19 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Tue, 13 May 2008 08:34:19 -0400
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To:
References:
Message-ID: <48298ACB.3040405@fas.harvard.edu>

I have some experience with the counterfeit stuff as well.

Purchased CWDM SFPs from a Cisco platinum partner - they failed the
validity check. They looked good, came in Cisco packaging with all the
seals, documentation etc. It's just they were fake. Turns out
distributors use the 'spot' market to get product they don't have in
stock and that is not available from Cisco at that moment in time, and
that's how fake stuff enters the distribution channel. Purchasing agents
only care about getting X units for Y dollars landed on the dock and the
receivers just have time for a cursory check: 'Hey, it has Cisco logos on
the box'.

Also the counterfeiters are moving up the food chain: there is now
counterfeit Catalyst 4500 stuff out there, and that is much more of a
threat than a WIC or SFP, as well as counterfeit 26xx and 36xx routers
which are used EVERYWHERE by everyone including the Feds.

But this is one of the risks which occur when you outsource your supply
chain, and the Chinese are not necessarily our friends: they agreed to do
manufacturing in exchange for the production technology. Just ask
Schwinn, Chrysler and Audi how well that worked out for them. Cisco at
some point will be competing against its own technology without the
'Cisco Tax'. Recall the 26xx clones from Huawei: they even ran the
current IOS!
Ted Mittelstaedt wrote:
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Skeeve Stevens
>> Sent: Monday, May 12, 2008 9:30 AM
>> To: isp-australia at isp-australia.com
>> Cc: ausnog at ausnog.net; aussie-isp at taz.net.au; cisco-nsp at puck.nether.net;
>> 2600-list at wiretapped.net
>> Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
>>
>>
>> This is an article which should be VERY interesting to ALL ISPs and
>> businesses using Cisco equipment.
>>
>>
>
> After the initial reaction of laughing, I have this to say about it.
>
> It is clearly ridiculous that Chinese crackers are going to steal
> national security secrets by using counterfeit WIC-1DSU-T1 cards.
> I think the majority of counterfeit gear they picked up was probably
> along those lines.
>
> It is a bit more of a national security concern when the counterfeit
> gear is firewalls.
>
> I also am somewhat neutral on the issue of the government buying
> Cisco routers for $250 that normally sold for $2500, which was also
> mentioned in the article. On one hand I don't like to see my tax dollars
> enriching some Chinese criminal's pocket, on the other hand I would
> rather not have my taxes go up 90% to pay full price.
>
> I am mostly concerned with the following, however:
>
> 1) Purchase of networking equipment on credit cards rather than through
> the authorized government purchasing system.
>
> 2) Counterfeit gear getting into the government offices through the
> regular distributors.
>
> In case #1, that is clearly the case of network admins getting denied
> approval for a project and saying "fuck you" and going ahead with it
> anyway. While I'm sure lots of people can relate stories of dumb
> government decisions that required people to make end-runs around them
> (i.e. the $500 hammer, $2000 toilet seat, etc.), the fact is that we
> know about those stories precisely because the people in the government
> who were forced to go through some overcharging scamming vendor
> complained to the press about it, rather than secretly slipping some
> hammer purchases through on a personal expense report. I don't want
> my civil servants making an end run around some bureaucrat that has
> his head up his ass, with a credit card and eBay. I want them going
> to the press so the resultant citizen outrage gets the anally-inserted
> bureaucrat fired, or promoted into a harmless little office where
> he supervises staplers (which is how the government usually deals with
> embarrassingly incompetent civil servants).
>
> In case #2, the middlemen/distributors/etc. that the government normally
> is buying from are selling Chinese counterfeit stuff for full price.
> Thus, they are buying the counterfeit gear for pennies and selling it
> for millions, and making a killing doing so. Well, the FBI discovered it;
> where are the stories of such distributors getting arrested for fraud?
>
> All in all, a very disturbing article. Not about the counterfeiting -
> we all know it happens. But the fact that the stuff got into the
> government networks in the first place.
>
> Ted
>

From peter at rathlev.dk  Tue May 13 08:56:32 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 May 2008 14:56:32 +0200
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <48298ACB.3040405@fas.harvard.edu>
References: <48298ACB.3040405@fas.harvard.edu>
Message-ID: <1210683392.24063.1.camel@dusken.sys.mjna.net>

This thread probably covers an interesting subject, but in my eyes it's
too political to be on topic.
Am I wrong to think that the discussion should move to somewhere else?

Regards,
Peter

On Tue, 2008-05-13 at 08:34 -0400, Scott McGrath wrote:
> I have some experience with the counterfeit stuff as well.
>
> Purchased CWDM SFPs from a Cisco platinum partner - they failed the
> validity check. They looked good, came in Cisco packaging with all the
> seals, documentation etc. It's just they were fake. Turns out
> distributors use the 'spot' market to get product they don't have in
> stock and that is not available from Cisco at that moment in time, and
> that's how fake stuff enters the distribution channel. Purchasing agents
> only care about getting X units for Y dollars landed on the dock and the
> receivers just have time for a cursory check: 'Hey, it has Cisco logos on
> the box'.
>
> Also the counterfeiters are moving up the food chain: there is now
> counterfeit Catalyst 4500 stuff out there, and that is much more of a
> threat than a WIC or SFP, as well as counterfeit 26xx and 36xx routers
> which are used EVERYWHERE by everyone including the Feds.
>
> But this is one of the risks which occur when you outsource your supply
> chain, and the Chinese are not necessarily our friends: they agreed to do
> manufacturing in exchange for the production technology. Just ask
> Schwinn, Chrysler and Audi how well that worked out for them. Cisco at
> some point will be competing against its own technology without the
> 'Cisco Tax'. Recall the 26xx clones from Huawei: they even ran the
> current IOS!
>
>
>
> Ted Mittelstaedt wrote:
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net
> >> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Skeeve Stevens
> >> Sent: Monday, May 12, 2008 9:30 AM
> >> To: isp-australia at isp-australia.com
> >> Cc: ausnog at ausnog.net; aussie-isp at taz.net.au; cisco-nsp at puck.nether.net;
> >> 2600-list at wiretapped.net
> >> Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
> >>
> >>
> >> This is an article which should be VERY interesting to ALL ISPs and
> >> businesses using Cisco equipment.
> >>
> >>
> >
> > After the initial reaction of laughing, I have this to say about it.
> >
> > It is clearly ridiculous that Chinese crackers are going to steal
> > national security secrets by using counterfeit WIC-1DSU-T1 cards.
> > I think the majority of counterfeit gear they picked up was probably
> > along those lines.
> >
> > It is a bit more of a national security concern when the counterfeit
> > gear is firewalls.
> >
> > I also am somewhat neutral on the issue of the government buying
> > Cisco routers for $250 that normally sold for $2500, which was also
> > mentioned in the article. On one hand I don't like to see my tax dollars
> > enriching some Chinese criminal's pocket, on the other hand I would
> > rather not have my taxes go up 90% to pay full price.
> >
> > I am mostly concerned with the following, however:
> >
> > 1) Purchase of networking equipment on credit cards rather than through
> > the authorized government purchasing system.
> >
> > 2) Counterfeit gear getting into the government offices through the
> > regular distributors.
> >
> > In case #1, that is clearly the case of network admins getting denied
> > approval for a project and saying "fuck you" and going ahead with it
> > anyway. While I'm sure lots of people can relate stories of dumb
> > government decisions that required people to make end-runs around them
> > (i.e. the $500 hammer, $2000 toilet seat, etc.), the fact is that we
> > know about those stories precisely because the people in the government
> > who were forced to go through some overcharging scamming vendor
> > complained to the press about it, rather than secretly slipping some
> > hammer purchases through on a personal expense report. I don't want
> > my civil servants making an end run around some bureaucrat that has
> > his head up his ass, with a credit card and eBay. I want them going
> > to the press so the resultant citizen outrage gets the anally-inserted
> > bureaucrat fired, or promoted into a harmless little office where
> > he supervises staplers (which is how the government usually deals with
> > embarrassingly incompetent civil servants).
> >
> > In case #2, the middlemen/distributors/etc. that the government normally
> > is buying from are selling Chinese counterfeit stuff for full price.
> > Thus, they are buying the counterfeit gear for pennies and selling it
> > for millions, and making a killing doing so. Well, the FBI discovered it;
> > where are the stories of such distributors getting arrested for fraud?
> >
> > All in all, a very disturbing article. Not about the counterfeiting -
> > we all know it happens. But the fact that the stuff got into the
> > government networks in the first place.
> >
> > Ted
> >

From hank at efes.iucc.ac.il  Tue May 13 09:30:37 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Tue, 13 May 2008 16:30:37 +0300 (IDT)
Subject: [c-nsp] SPAN for POS?
Message-ID:

We recently upgraded our connectivity from GigaE to an STM-16 POS. We now
find that SPAN doesn't cover POS links:

petach-tikva-gp(config)#monitor session 1 source interface ?
  GigabitEthernet     GigabitEthernet IEEE 802.3z
  Port-channel        Ethernet Channel of interfaces
  TenGigabitEthernet  Ten Gigabit Ethernet

Any clever workarounds for 12.2(18)SXF11? Ugh!

Thanks,
-Hank

From mksmith at adhost.com  Tue May 13 09:50:35 2008
From: mksmith at adhost.com (Michael Smith)
Date: Tue, 13 May 2008 06:50:35 -0700
Subject: [c-nsp] SPAN for POS?
In-Reply-To:
References:
Message-ID: <9895BA85-AC40-4871-B801-43478CAAE40C@adhost.com>

Hello Hank:

On May 13, 2008, at 6:30 AM, Hank Nussbacher wrote:

> We recently upgraded our connectivity from GigaE to an STM-16 POS.
> We now
> find that SPAN doesn't cover POS links:
> petach-tikva-gp(config)#monitor session 1 source interface ?
>   GigabitEthernet     GigabitEthernet IEEE 802.3z
>   Port-channel        Ethernet Channel of interfaces
>   TenGigabitEthernet  Ten Gigabit Ethernet
>
> Any clever workarounds for 12.2(18)SXF11?
>

I don't think there is a workaround because SPAN doesn't do POS
interfaces. Can you SPAN from a different ethernet port on the back
end (distribution instead of aggregate)? Also, what type of
information are you trying to get from the POS interface? Perhaps
there is something similar you can poll via SNMP.
Regards,

Mike

From jason.plank at comcast.net  Tue May 13 10:00:23 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Tue, 13 May 2008 14:00:23 +0000
Subject: [c-nsp] SPAN for POS?
Message-ID: <051320081400.19725.48299EF7000B4B3500004D0D220730079305020E049FD202019C0E06@comcast.net>

Or:

http://datacomsystemsinc.com/products/details.asp?prod=32&itm=1&cat=5

Forget about the vendor, but the idea of "taps" is that you sit inline and
observe traffic on your link.

Jason

-- 
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: Michael Smith
> Hello Hank:
>
> On May 13, 2008, at 6:30 AM, Hank Nussbacher wrote:
>
> > We recently upgraded our connectivity from GigaE to an STM-16 POS.
> > We now
> > find that SPAN doesn't cover POS links:
> > petach-tikva-gp(config)#monitor session 1 source interface ?
> >   GigabitEthernet     GigabitEthernet IEEE 802.3z
> >   Port-channel        Ethernet Channel of interfaces
> >   TenGigabitEthernet  Ten Gigabit Ethernet
> >
> > Any clever workarounds for 12.2(18)SXF11?
> >
> I don't think there is a workaround because SPAN doesn't do POS
> interfaces. Can you SPAN from a different ethernet port on the back
> end (distribution instead of aggregate)? Also, what type of
> information are you trying to get from the POS interface? Perhaps
> there is something similar you can poll via SNMP.
>
> Regards,
>
> Mike

From K.J.Barrass at leeds.ac.uk  Tue May 13 10:06:39 2008
From: K.J.Barrass at leeds.ac.uk (Kevin Barrass)
Date: Tue, 13 May 2008 15:06:39 +0100
Subject: [c-nsp] IPv6 load testing
In-Reply-To: <9895BA85-AC40-4871-B801-43478CAAE40C@adhost.com>
References: <9895BA85-AC40-4871-B801-43478CAAE40C@adhost.com>
Message-ID:

Hi

We are looking to push IPv6 support on our network onto some Cisco 4500s,
but as the supervisor we currently have doesn't support IPv6 in hardware
I want to load one of our test 4500s up with realistic IPv6 unicast
traffic to see what impact it has on the switch.

Does anyone know of any free software I can get to do this?

Regards

Kev

From david.freedman at uk.clara.net  Tue May 13 10:32:04 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 13 May 2008 15:32:04 +0100
Subject: [c-nsp] CSCek62005
Message-ID:

Does anybody from Cisco here know what exact conditions trigger this and
why there appears to be no "first-fixed-in" candidate for 12.0SY?

Thanks,

Dave.

From mcgrath at fas.harvard.edu  Tue May 13 10:49:41 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Tue, 13 May 2008 10:49:41 -0400
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <48298ACB.3040405@fas.harvard.edu>
References: <48298ACB.3040405@fas.harvard.edu>
Message-ID: <4829AA85.5090502@fas.harvard.edu>

All,

Sorry if I was not clear; I was speaking in a purely commercial sense, as
IP in Asia historically is not respected: there is a millennia-old
tradition of sharing designs and producing identical products, unlike the
West, where designs and production are proprietary to the original owner,
as originally exemplified by the medieval guilds and now by patent and IP
laws.
As an example, I recently bought a small Chinese milling machine and there
are at least 5 companies which make an identical product with
interchangeable components, the primary difference being the color and the
fitting of the spindle.

The political dimension I agree is outside the scope of the c-nsp list and
should not be discussed here.

Scott McGrath wrote:
> I have some experience with the counterfeit stuff as well.
>
> Purchased CWDM SFPs from a Cisco platinum partner - they failed the
> validity check. They looked good, came in Cisco packaging with all the
> seals, documentation etc. It's just they were fake. Turns out
> distributors use the 'spot' market to get product they don't have in
> stock and that is not available from Cisco at that moment in time, and
> that's how fake stuff enters the distribution channel. Purchasing agents
> only care about getting X units for Y dollars landed on the dock and the
> receivers just have time for a cursory check: 'Hey, it has Cisco logos on
> the box'.
>
> Also the counterfeiters are moving up the food chain: there is now
> counterfeit Catalyst 4500 stuff out there, and that is much more of a
> threat than a WIC or SFP, as well as counterfeit 26xx and 36xx routers
> which are used EVERYWHERE by everyone including the Feds.
>
> But this is one of the risks which occur when you outsource your supply
> chain, and the Chinese are not necessarily our friends: they agreed to do
> manufacturing in exchange for the production technology. Just ask
> Schwinn, Chrysler and Audi how well that worked out for them. Cisco at
> some point will be competing against its own technology without the
> 'Cisco Tax'. Recall the 26xx clones from Huawei: they even ran the
> current IOS!
>
>
>
> Ted Mittelstaedt wrote:
>
>>
>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Skeeve Stevens
>>> Sent: Monday, May 12, 2008 9:30 AM
>>> To: isp-australia at isp-australia.com
>>> Cc: ausnog at ausnog.net; aussie-isp at taz.net.au; cisco-nsp at puck.nether.net;
>>> 2600-list at wiretapped.net
>>> Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
>>>
>>>
>>> This is an article which should be VERY interesting to ALL ISPs and
>>> businesses using Cisco equipment.
>>>
>>>
>>>
>> After the initial reaction of laughing, I have this to say about it.
>>
>> It is clearly ridiculous that Chinese crackers are going to steal
>> national security secrets by using counterfeit WIC-1DSU-T1 cards.
>> I think the majority of counterfeit gear they picked up was probably
>> along those lines.
>>
>> It is a bit more of a national security concern when the counterfeit
>> gear is firewalls.
>>
>> I also am somewhat neutral on the issue of the government buying
>> Cisco routers for $250 that normally sold for $2500, which was also
>> mentioned in the article. On one hand I don't like to see my tax dollars
>> enriching some Chinese criminal's pocket, on the other hand I would
>> rather not have my taxes go up 90% to pay full price.
>>
>> I am mostly concerned with the following, however:
>>
>> 1) Purchase of networking equipment on credit cards rather than through
>> the authorized government purchasing system.
>>
>> 2) Counterfeit gear getting into the government offices through the
>> regular distributors.
>>
>> In case #1, that is clearly the case of network admins getting denied
>> approval for a project and saying "fuck you" and going ahead with it
>> anyway. While I'm sure lots of people can relate stories of dumb
>> government decisions that required people to make end-runs around them
>> (i.e. the $500 hammer, $2000 toilet seat, etc.), the fact is that we
>> know about those stories precisely because the people in the government
>> who were forced to go through some overcharging scamming vendor
>> complained to the press about it, rather than secretly slipping some
>> hammer purchases through on a personal expense report. I don't want
>> my civil servants making an end run around some bureaucrat that has
>> his head up his ass, with a credit card and eBay. I want them going
>> to the press so the resultant citizen outrage gets the anally-inserted
>> bureaucrat fired, or promoted into a harmless little office where
>> he supervises staplers (which is how the government usually deals with
>> embarrassingly incompetent civil servants).
>>
>> In case #2, the middlemen/distributors/etc. that the government normally
>> is buying from are selling Chinese counterfeit stuff for full price.
>> Thus, they are buying the counterfeit gear for pennies and selling it
>> for millions, and making a killing doing so. Well, the FBI discovered it;
>> where are the stories of such distributors getting arrested for fraud?
>>
>> All in all, a very disturbing article. Not about the counterfeiting -
>> we all know it happens. But the fact that the stuff got into the
>> government networks in the first place.
>>
>> Ted
>>
>>
>

From hank at efes.iucc.ac.il  Tue May 13 11:09:37 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Tue, 13 May 2008 18:09:37 +0300 (IDT)
Subject: [c-nsp] SPAN for POS?
In-Reply-To: <051320081400.19725.48299EF7000B4B3500004D0D220730079305020E049FD202019C0E06@comcast.net>
References: <051320081400.19725.48299EF7000B4B3500004D0D220730079305020E049FD202019C0E06@comcast.net>
Message-ID:

On Tue, 13 May 2008, jason.plank at comcast.net wrote:

> Or:
>
> http://datacomsystemsinc.com/products/details.asp?prod=32&itm=1&cat=5
>
> Forget about the vendor, but the idea of "taps" is that you sit inline and observe traffic on your link.

Been there. Done that. Didn't like it since any changes in the "tap"
(port move, additional mirror added) just caused too much down time.

-Hank

>
> Jason
>
> --
> Regards,
>
> Jason Plank
> CCIE #16560
> e: jason.plank at comcast.net
>
> -------------- Original message ----------------------
> From: Michael Smith
>> Hello Hank:
>>
>> On May 13, 2008, at 6:30 AM, Hank Nussbacher wrote:
>>
>>> We recently upgraded our connectivity from GigaE to an STM-16 POS.
>>> We now
>>> find that SPAN doesn't cover POS links:
>>> petach-tikva-gp(config)#monitor session 1 source interface ?
>>>   GigabitEthernet     GigabitEthernet IEEE 802.3z
>>>   Port-channel        Ethernet Channel of interfaces
>>>   TenGigabitEthernet  Ten Gigabit Ethernet
>>>
>>> Any clever workarounds for 12.2(18)SXF11?
>>>
>> I don't think there is a workaround because SPAN doesn't do POS
>> interfaces. Can you SPAN from a different ethernet port on the back
>> end (distribution instead of aggregate)? Also, what type of
>> information are you trying to get from the POS interface? Perhaps
>> there is something similar you can poll via SNMP.
>>
>> Regards,
>>
>> Mike
>

From rick.martin at arkansas.gov  Tue May 13 11:15:32 2008
From: rick.martin at arkansas.gov (Rick Martin)
Date: Tue, 13 May 2008 10:15:32 -0500
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com><1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID:

I know this is not really a Cisco-specific question but it is
definitely in support of Cisco hardware.

How do most of you folks prove that "the problem" is not the network?
We utilize CA Spectrum and eHealth for availability and statistical
analysis but in some instances that does not cut it. We don't typically
have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
Customers complain that their access is slow, we show that they are
using all available bandwidth and eventually sell them more bandwidth
and the problem is resolved.

The more difficult effort is when there is plenty of available
bandwidth and a particular application is slow (Outlook in the case I am
involved in now). This is a very high level political official and we
must come to a resolution. All tools we have available to us today
indicate that there is not a problem with the network. Typical
utilization on the T1 is about 500 to 600K peak during the day. Certain
management continues to point the finger at the network. We have used
Internet based speed tests that at times show less than 1.5Meg download
speeds; I explain the variables in the Internet and the particular tool
in use as well as local contention for the bandwidth etc. to no avail;
once they see less than 1.5 meg speed the finger points to the network.
I still must somehow "prove" that the network is not the issue.

I am interested in an Internet speed test like tool to install at the
core of our network that would provide a sustained upload or download
test that would run for longer periods of time than a regular speed
test. I would like to fill the pipe while graphing in eHealth or as part
of the selected tool to prove that the contracted bandwidth is available
in both directions.

Any recommendations for products would be appreciated. We are currently
looking at SolarWinds WAN Killer and a traffic generator from Omnicore
LanTraffic V2. I am also open to different "types" of solutions to point
to where the problem is actually located.

Thanks in advance for any suggestions

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems

From eric at roxanne.org  Tue May 13 11:25:03 2008
From: eric at roxanne.org (Eric Gauthier)
Date: Tue, 13 May 2008 11:25:03 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References:
Message-ID: <20080513152503.GA29014@roxanne.org>

Rick,

This type of problem is one of the most difficult to diagnose.
If you've exhausted all of your other avenues, then you might
want to consider capturing the network traffic for this
person's session during a time when it's "slow". This is a very
labor intensive process, but it may be the only way to focus
in on the "real" problem. You will need to grab traffic from
the end-user's network port so that you can go through the
entire session - DNS lookup, TCP setup, the Outlook/Exchange
login, the request for information, the response time of the
server, and the download rates, etc. - and build a timeline
for the transaction.

This won't, in itself, tell you what's wrong but it will tell
you how long each sub-component is taking. From there, you
should be able to figure out which one is causing the worst
delay and then research it - be it the network or application.

Eric Gauthier
.....................................
. Boston University
. Network Systems Engineering Group
. 111 Cummington St. Boston, MA 02215
. 617-353-8218 ~^~ elg at bu.edu
. http://www.bu.edu/nsg/
.....................................

On Tue, May 13, 2008 at 10:15:32AM -0500, Rick Martin wrote:
>
> I know this is not really a Cisco-specific question but it is
> definitely in support of Cisco hardware.
>
> How do most of you folks prove that "the problem" is not the network?
> We utilize CA Spectrum and eHealth for availability and statistical > analysis but in some instances that does not cut it. We don't typically > have much trouble proving that a T1 is serving up 1.5 meg of bandwidth. > Customers complain that their access is slow, we show that they are > using all available bandwidth and eventually sell them more bandwidth > and the problem is resolved. > > The more difficult effort is when there is plenty of available > bandwidth and a particular application is slow (Outlook in the case I am > involved in now). This is a very high level political official and we > must come to a resolution. All tools we have available to us today > indicate that there is not a problem with the network. Typical > utilization on the T1 is about 500 to 600K peak during the day. Certain > management continues to point the finger at the network. We have used > Internet based speed tests that at times show less than 1.5Meg download > speeds, I explain the variables in the Internet and the particular tool > in use as well as local contention for the bandwidth etc to no avail, > once they see less than 1.5 meg speed the finger points to the network. > I still must somehow "prove" that the network is not the issue. > > I am interested in an Internet speed test like tool to install at the > core of our network that would provide a sustained upload or download > test that would run for longer periods of time than a regular speed > test. I would like to fill the pipe while graphing in Ehealth or as part > of the selected tool to prove that the contracted bandwidth is available > in both directions. > > Any recommendations for products would be appreciated. We are currently > looking at SolarWinds WAN Killer and a traffic generator from Omnicore > LanTraffic V2. I am also open to different "types" of solutions to point > to where the problem is actually located. 
>
> Thanks in advance for any suggestions
>
> Rick Martin
> Network Engineer
> State of Arkansas, Department of Information Systems
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jason at pins.net Tue May 13 11:34:39 2008
From: jason at pins.net (Jason Berenson)
Date: Tue, 13 May 2008 11:34:39 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <20080513152503.GA29014@roxanne.org>
References: <20080513152503.GA29014@roxanne.org>
Message-ID: <4829B50F.5060509@pins.net>

Eric,

As for the speed testing issue, you could tell them to disconnect everything from the LAN side of the router and connect a laptop only. Have them run a speed test like that. The idea that when no one else is using the connection the speed is a steady 1.5M might hit home at that point.

-Jason

Eric Gauthier wrote:
> Rick,
>
> This type of problem is one of the most difficult to diagnose.
> If you've exhausted all of your other avenues, then you might
> want to consider capturing the network traffic for this
> person's session during a time when it's "slow". This is a very
> labor intensive process, but it may be the only way to focus
> in on the "real" problem. You will need to grab traffic from
> the end-user's network port so that you can go through the
> entire session - DNS lookup, TCP setup, the Outlook/Exchange
> login, the request for information, the response time of the
> server, and the download rates, etc. - and build a timeline
> for the transaction.
>
> This won't, in itself, tell you what's wrong but it will tell
> you how long each sub-component is taking. From there, you
> should be able to figure out which one is causing the worst
> delay and then research it - be it the network or application.
>
> Eric Gauthier
> .....................................
> . Boston University
> .
Network Systems Engineering Group > . 111 Cummington St. Boston, MA 02215 > . 617-353-8218 ~^~ elg at bu.edu > . http://www.bu.edu/nsg/ > ..................................... > > > > On Tue, May 13, 2008 at 10:15:32AM -0500, Rick Martin wrote: > >> I know this is not really a Cisco specific question but it is >> definitely in support of Cisco hardware. >> >> How do most of you folks prove that "the problem" is not the network? >> We utilize CA Spectrum and eHealth for availability and statistical >> analysis but in some instances that does not cut it. We don't typically >> have much trouble proving that a T1 is serving up 1.5 meg of bandwidth. >> Customers complain that their access is slow, we show that they are >> using all available bandwidth and eventually sell them more bandwidth >> and the problem is resolved. >> >> The more difficult effort is when there is plenty of available >> bandwidth and a particular application is slow (Outlook in the case I am >> involved in now). This is a very high level political official and we >> must come to a resolution. All tools we have available to us today >> indicate that there is not a problem with the network. Typical >> utilization on the T1 is about 500 to 600K peak during the day. Certain >> management continues to point the finger at the network. We have used >> Internet based speed tests that at times show less than 1.5Meg download >> speeds, I explain the variables in the Internet and the particular tool >> in use as well as local contention for the bandwidth etc to no avail, >> once they see less than 1.5 meg speed the finger points to the network. >> I still must somehow "prove" that the network is not the issue. >> >> I am interested in an Internet speed test like tool to install at the >> core of our network that would provide a sustained upload or download >> test that would run for longer periods of time than a regular speed >> test. 
>> I would like to fill the pipe while graphing in Ehealth or as part
>> of the selected tool to prove that the contracted bandwidth is available
>> in both directions.
>>
>> Any recommendations for products would be appreciated. We are currently
>> looking at SolarWinds WAN Killer and a traffic generator from Omnicore
>> LanTraffic V2. I am also open to different "types" of solutions to point
>> to where the problem is actually located.
>>
>> Thanks in advance for any suggestions
>>
>> Rick Martin
>> Network Engineer
>> State of Arkansas, Department of Information Systems
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From jfitz at Princeton.EDU Tue May 13 11:52:00 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Tue, 13 May 2008 11:52:00 -0400
Subject: [c-nsp] Prove it's not the network!
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <73BB20A2-FED6-45DE-9405-F03807423F60@princeton.edu>

Well this is an interesting question and not always easy to resolve, but some basic tests and a good understanding of how the customer's net is configured helps. I would assume that the T1 terminates in some switch, router or firewall, so....

First, is it just mail?

1 Does the load on the T1 reflect the load on the host port?
2 Does pinging the host have any long RTT and or loss?
3 Does pinging the mail server have any long RTT or loss?
4 Could the issue be its DNS being overloaded or not local to their net? Does the name take too long to resolve?
5 There could be a local switch issue that you can't see.
6 Is this the only host on the T1? If not, a T1 is kind of slow for multiple users.
7 Is the host connected via wifi and if so are other users on that net?
8 It could be as simple as a mismatch in duplex on his local connection if hardwired.
9 Last but not least, don't worry, we will have a new President soon.

Good luck

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 13, 2008, at 11:15 AM, Rick Martin wrote:
>
> I know this is not really a Cisco specific question but it is
> definitely in support of Cisco hardware.
>
> How do most of you folks prove that "the problem" is not the network?
> We utilize CA Spectrum and eHealth for availability and statistical
> analysis but in some instances that does not cut it. We don't typically
> have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
> Customers complain that their access is slow, we show that they are
> using all available bandwidth and eventually sell them more bandwidth
> and the problem is resolved.
>
> The more difficult effort is when there is plenty of available
> bandwidth and a particular application is slow (Outlook in the case I am
> involved in now). This is a very high level political official and we
> must come to a resolution. All tools we have available to us today
> indicate that there is not a problem with the network. Typical
> utilization on the T1 is about 500 to 600K peak during the day. Certain
> management continues to point the finger at the network. We have used
> Internet based speed tests that at times show less than 1.5Meg download
> speeds, I explain the variables in the Internet and the particular tool
> in use as well as local contention for the bandwidth etc to no avail,
> once they see less than 1.5 meg speed the finger points to the network.
> I still must somehow "prove" that the network is not the issue.
>
> I am interested in an Internet speed test like tool to install at the
> core of our network that would provide a sustained upload or download
> test that would run for longer periods of time than a regular speed
> test. I would like to fill the pipe while graphing in Ehealth or as part
> of the selected tool to prove that the contracted bandwidth is available
> in both directions.
>
> Any recommendations for products would be appreciated. We are currently
> looking at SolarWinds WAN Killer and a traffic generator from Omnicore
> LanTraffic V2. I am also open to different "types" of solutions to point
> to where the problem is actually located.
>
> Thanks in advance for any suggestions
>
> Rick Martin
> Network Engineer
> State of Arkansas, Department of Information Systems
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jloiacon at csc.com Tue May 13 11:56:09 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Tue, 13 May 2008 11:56:09 -0400
Subject: [c-nsp] Prove it's not the network!

Two things might help.

1) Active performance monitoring

Set up iperf on both ends of your link. Periodically (e.g., for 30 seconds every hour) burst as high as you can (large windows, etc.). Graph this continually. That will show the actual capacity achievable. You can even set up multiple client-server iperf pairs and use comparisons between them to isolate problems to different network segments. See, for example: http:ensight.eos.nasa.gov (this is custom, so you'd have to develop your own :-)

2) Application performance monitoring

NetQoS has a sharp tool called SuperAgent (SA). SA installs in your data center and can track performance from all clients to any specified application (e.g., Outlook). What is neat about it is you don't have to instrument the clients to be able to understand their performance - it is all determined by examining the TCP traffic flow traversing the single point where SA is installed. The reports break the performance down into several segments, one of which is the network. This can eliminate the network as a source of performance problems (if that is the case.)

I don't work for NetQoS, and there are other similar products.

Joe

"Rick Martin"
Sent by: cisco-nsp-bounces at puck.nether.net
05/13/2008 11:15 AM
Subject [c-nsp] Prove it's not the network!

I know this is not really a Cisco specific question but it is definitely in support of Cisco hardware.

How do most of you folks prove that "the problem" is not the network? We utilize CA Spectrum and eHealth for availability and statistical analysis but in some instances that does not cut it. We don't typically have much trouble proving that a T1 is serving up 1.5 meg of bandwidth. Customers complain that their access is slow, we show that they are using all available bandwidth and eventually sell them more bandwidth and the problem is resolved.

The more difficult effort is when there is plenty of available bandwidth and a particular application is slow (Outlook in the case I am involved in now). This is a very high level political official and we must come to a resolution. All tools we have available to us today indicate that there is not a problem with the network. Typical utilization on the T1 is about 500 to 600K peak during the day. Certain management continues to point the finger at the network. We have used Internet based speed tests that at times show less than 1.5Meg download speeds, I explain the variables in the Internet and the particular tool in use as well as local contention for the bandwidth etc to no avail, once they see less than 1.5 meg speed the finger points to the network. I still must somehow "prove" that the network is not the issue.
I am interested in an Internet speed test like tool to install at the core of our network that would provide a sustained upload or download test that would run for longer periods of time than a regular speed test. I would like to fill the pipe while graphing in Ehealth or as part of the selected tool to prove that the contracted bandwidth is available in both directions.

Any recommendations for products would be appreciated. We are currently looking at SolarWinds WAN Killer and a traffic generator from Omnicore LanTraffic V2. I am also open to different "types" of solutions to point to where the problem is actually located.

Thanks in advance for any suggestions

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From hulbertj at comcast.net Tue May 13 11:57:56 2008
From: hulbertj at comcast.net (hulbertj at comcast.net)
Date: Tue, 13 May 2008 15:57:56 +0000
Subject: [c-nsp] SPAN for POS?
Message-ID: <051320081557.13475.4829BA840001BEA1000034A32200750744069B9D0A0D049A08@comcast.net>

Yes, use the switchport capture feature.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/sx_swcg.pdf

Create the VACL first and then set a switchport as "capture". You can apply the VACL to a WAN interface.

Thanks,
Jerry

From eric at spaethco.com Tue May 13 11:58:09 2008
From: eric at spaethco.com (Eric Spaeth)
Date: Tue, 13 May 2008 10:58:09 -0500
Subject: [c-nsp] Prove it's not the network!
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <4829BA91.7040901@spaethco.com>

Rick Martin wrote:
> How do most of you folks prove that "the problem" is not the network?
We leverage OPNET ( http://www.opnet.com/ ) tools quite a bit for charting out application performance issues. It can do some measurements with raw packet captures, but the real magic comes when you use the installable agents on the client & server which will break down a transaction into "network" and "server wait" components so you can see what percentage of the wait time is actually network related.

-Eric

From peter at rathlev.dk Tue May 13 11:57:44 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 May 2008 17:57:44 +0200
Subject: [c-nsp] Prove it's not the network!
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <1210694264.24063.25.camel@dusken.sys.mjna.net>

Hi Rick,

Often the only way to prove that the network is not to blame is by finding what *IS* to blame. We spend countless hours working through solutions that are totally not within our area of expertise, simply because nobody else wants to.

The sniffer (SPAN port and a laptop) is a good way to start trying to find out what goes wrong, but you have to dig into some very nasty details about the specific protocols, and these are often not very well documented. Mastering that discipline is what puts the "expert" in "networking expert". ;-)

If all searches for a culprit fail, our only option is to turn the tables, telling the concerned party exactly what kind of service we deliver (bandwidth/latency/jitter/drops) and then let them figure out if that's good enough. We usually use some ad hoc IP SLA measurements to back this up, and are in the middle of implementing end-to-end IP SLA measurements all over the network for everyone to look into. It usually helps a LOT if you can give them the impression that you know exactly what is going on in your network.

Bandwidth testing, although seldom any good indication of perceived performance, is easily done with tools like IPerf and ttcp. Traceroutes, maybe "mtr" (MyTraceroute), can be helpful in determining the source of some problems, but we've had quite a few incidents where it was proven that end users DO NOT know how to read them. Sometimes a traceroute can do more harm than good.

We run a medium-ish enterprise MAN network by the way (government health), so we have very few problems with external customers. It's usually internal "customers" or external suppliers, both of which place us in an easier political situation than external customers, if not for anything else then because of the direction of the money flow. :-)

Regards,
Peter

On Tue, 2008-05-13 at 10:15 -0500, Rick Martin wrote:
> I know this is not really a Cisco specific question but it is
> definitely in support of Cisco hardware.
>
> How do most of you folks prove that "the problem" is not the network?
> We utilize CA Spectrum and eHealth for availability and statistical
> analysis but in some instances that does not cut it. We don't typically
> have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
> Customers complain that their access is slow, we show that they are
> using all available bandwidth and eventually sell them more bandwidth
> and the problem is resolved.
>
> The more difficult effort is when there is plenty of available
> bandwidth and a particular application is slow (Outlook in the case I am
> involved in now). This is a very high level political official and we
> must come to a resolution. All tools we have available to us today
> indicate that there is not a problem with the network. Typical
> utilization on the T1 is about 500 to 600K peak during the day. Certain
> management continues to point the finger at the network.
> We have used
> Internet based speed tests that at times show less than 1.5Meg download
> speeds, I explain the variables in the Internet and the particular tool
> in use as well as local contention for the bandwidth etc to no avail,
> once they see less than 1.5 meg speed the finger points to the network.
> I still must somehow "prove" that the network is not the issue.
>
> I am interested in an Internet speed test like tool to install at the
> core of our network that would provide a sustained upload or download
> test that would run for longer periods of time than a regular speed
> test. I would like to fill the pipe while graphing in Ehealth or as part
> of the selected tool to prove that the contracted bandwidth is available
> in both directions.
>
> Any recommendations for products would be appreciated. We are currently
> looking at SolarWinds WAN Killer and a traffic generator from Omnicore
> LanTraffic V2. I am also open to different "types" of solutions to point
> to where the problem is actually located.
>
> Thanks in advance for any suggestions
>
> Rick Martin
> Network Engineer
> State of Arkansas, Department of Information Systems
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Tue May 13 12:07:23 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 13 May 2008 12:07:23 -0400
Subject: [c-nsp] CSCek62005
Message-ID: <20080513160723.GM21196@rtp-cse-489.cisco.com>

I've never seen it.

It appears to be part of the new local label prefix filter feature of some sort.

ie:

76k-123-3#config t
Enter configuration commands, one per line. End with CNTL/Z.
76k-123-3(config)#ip prefix
76k-123-3(config)#ip prefix-list p0 permit 1.1.1.1/32
76k-123-3(config)#ip prefix-list p0 permit 1.1.1.2/32
76k-123-3(config)#end
76k-123-3#config t
76k-123-3(config)#mpls ldp label
76k-123-3(config-ldp-lbl)#allocate ?
  global  Specify global Routing/Forwarding instance

76k-123-3(config-ldp-lbl)#allocate global ?
  host-routes  allocate local label for host routes only
  prefix-list  Specify a prefix list for local label filtering

76k-123-3(config-ldp-lbl)#allocate global prefix-list p0
76k-123-3(config-ldp-lbl)#end

76k-123-3#
76k-123-3#sh ip prefix
ip prefix-list p0: 2 entries
   seq 5 permit 1.1.1.1/32
   seq 10 permit 1.1.1.2/32

76k-123-3#config t
Enter configuration commands, one per line. End with CNTL/Z.
76k-123-3(config)#no mpls ldp label
76k-123-3(config)#end
76k-123-3#sh ip prefix
ip prefix-list p0: 2 entries
   seq 5 permit 1.1.1.1/32
   seq 10 permit 1.1.1.2/32
ip prefix-list p2: 1 entries
   seq 5 permit 18.18.18.18/32
ip prefix-list p4: 1 entries
   seq 5 deny 0.0.0.0/0
ip prefix-list p9: 1 entries
   seq 5 deny 0.0.0.0/0 le 1
76k-123-3#config t
Enter configuration commands, one per line. End with CNTL/Z.
76k-123-3(config)#no ip prefix-list p0
76k-123-3(config)#end
76k-123-3#sh ip prefix-list
.....

crash

It's fixed in 12.0S branch but hasn't been picked up anywhere later.

Rodney

On Tue, May 13, 2008 at 03:32:04PM +0100, David Freedman wrote:
> Does anybody from cisco here know what exact conditions trigger this and
> why there appears to be no "first-fixed-in" candidate for 12.0SY ?
>
> Thanks,
>
> Dave.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From paul at gtcomm.net Tue May 13 12:17:20 2008
From: paul at gtcomm.net (Paul)
Date: Tue, 13 May 2008 12:17:20 -0400
Subject: [c-nsp] CEF Load balancing over Etherchannel (3750)
In-Reply-To: <482957B4.1030908@tbm.ro>
References: <482783A2.4020601@gtcomm.net> <4829458C.6010009@tbm.ro> <482952A8.7050904@gtcomm.net> <482957B4.1030908@tbm.ro>
Message-ID: <4829BF10.6050801@gtcomm.net>

Other end doesn't matter, the load balance is only for outgoing packets.

#show etherchannel load-balance
EtherChannel Load-Balancing Configuration:
        src-ip
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source MAC address
  IPv4: Source IP address
  IPv6: Source IP address

show int gi1/0/1 | i rate
  Queueing strategy: fifo
  30 second input rate 16054000 bits/sec, 4330 packets/sec
  30 second output rate 0 bits/sec, 0 packets/sec

show int gi1/0/2 | i rate
  Queueing strategy: fifo
  30 second input rate 14813000 bits/sec, 3410 packets/sec
  30 second output rate 46097000 bits/sec, 7962 packets/sec

Grumble..

Dan Sabau wrote:
> Did you try on both ends of the portchannel?
> i'm running: Cisco IOS Software, C3750 Software
> (C3750-ADVIPSERVICESK9-M), Version 12.2(35)SE2, RELEASE SOFTWARE (fc1)
>
>
> Paul wrote:
>> This doesn't work on 3750. I tried. Also tried changing cef algorithm
>> to universal 1 and also universal with some random hex... Apparently
>> even the src-ip follows the same rule as the CEF load balancing.
>> Too bad we can't change per port channel balancing :P
>>
>> Dan Sabau wrote:
>>> Had the same problem, I've changed the way etherchannel load balances
>>> the link to:
>>> port-channel load-balance src-ip
>>> and everything was ok after.
>>>
>>> Paul wrote:
>>>> Does anyone know how to make CEF load balancing work over
>>>> etherchannels and actually load balance on the etherchannel?
>>>> I have two GEC interfaces with 2 ports in each, and then I have two
>>>> routes multipath, one to each GEC interface
>>>> The problem is that the CEF algorithm is the same as the
>>>> etherchannel algorithm and each one of the etherchannels ends up
>>>> only sending out one of the two ports so it is not load
>>>> balancing. I have tried changing the port-channel load-balance
>>>> setting to various things (I can not use MAC because it's from one
>>>> router to another) and I have tried changing the cef load sharing
>>>> algorithm.
>>>> Maybe this is a limitation of the 3750 platform? I have not tried
>>>> this on any of the other equipment.
>>>>
>>>> Paul
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>>
>>
>>
>

From david.freedman at uk.clara.net Tue May 13 12:26:54 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 13 May 2008 17:26:54 +0100
Subject: [c-nsp] CSCek62005
In-Reply-To: <20080513160723.GM21196@rtp-cse-489.cisco.com>
References: <20080513160723.GM21196@rtp-cse-489.cisco.com>
Message-ID: <4829C14E.6010601@uk.clara.net>

Oh, that's strange, this bug was implicated for a crash caused by removing an active prefix list that was not used for the label allocation feature (just for normal BGP), this was 12.2(31)SB10 on 7206VXR NPE-G1

#sh ver | in ROM
router uptime is 4 days, 17 minutes
System returned to ROM by bus error at PC 0x61FA34DC, address 0xB0D0B0D at 16:53:13 BST Fri May 9 2008

#show region | in 0xA|0xB
0xA0000000 0xADFFFFFF 234881024 Local R/W main:(main_k1)

#sh stack | begin Traceb
-Traceback= 61FA34DC 610A1A64 60D43AA4 6089EDF0 608BA068 609C16F4 609C16E0
$0 : 00000000, AT : 630D0000, v0 : 00000000, v1 : 00000044
a0 : 0B0D0B0D, a1 : 0B0D0B0D, a2 : 651FE6FC, a3 : 00000248
t0 : 00000018, t1 : 3400FF01, t2 : 3400E100, t3 : FFFF00FF
t4 : 60A0CC40, t5 : 6323ED68, t6 : 6323ED64, t7 : 6323ED60
s0 : 662E01D4, s1 : 662C83C0, s2 : 662C2674, s3 : 00000000
s4 : 662C84C0, s5 : 62ED0000, s6 : 00000001, s7 : 62E30000
t8 : 6323EDC0, t9 : 00000000, k0 : 72136AAC, k1 : 609F6640
gp : 630DB964, sp : 72754148, s8 : 63619BC0, ra : 610A1A64
EPC : 61FA34DC, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000002, MDHI : 00000000, BadVaddr : 0B0D0B0D
DATA_START : 0x61FC70C0
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception

Dave.

Rodney Dunn wrote:
> I've never seen it.
>
> It appears to be part of the new local label prefix filter feature of
> some sort.
>
> ie:
>
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#ip prefix
> 76k-123-3(config)#ip prefix-list p0 permit 1.1.1.1/32
> 76k-123-3(config)#ip prefix-list p0 permit 1.1.1.2/32
> 76k-123-3(config)#end
> 76k-123-3#config t
> 76k-123-3(config)#mpls ldp label
> 76k-123-3(config-ldp-lbl)#allocate ?
>   global  Specify global Routing/Forwarding instance
>
> 76k-123-3(config-ldp-lbl)#allocate global ?
>   host-routes  allocate local label for host routes only
>   prefix-list  Specify a prefix list for local label filtering
>
>
> 76k-123-3(config-ldp-lbl)#allocate global prefix-list p0
> 76k-123-3(config-ldp-lbl)#end
>
> 76k-123-3#
> 76k-123-3#sh ip prefix
> ip prefix-list p0: 2 entries
>    seq 5 permit 1.1.1.1/32
>    seq 10 permit 1.1.1.2/32
>
>
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#no mpls ldp label
> 76k-123-3(config)#end
> 76k-123-3#sh ip prefix
> ip prefix-list p0: 2 entries
>    seq 5 permit 1.1.1.1/32
>    seq 10 permit 1.1.1.2/32
> ip prefix-list p2: 1 entries
>    seq 5 permit 18.18.18.18/32
> ip prefix-list p4: 1 entries
>    seq 5 deny 0.0.0.0/0
> ip prefix-list p9: 1 entries
>    seq 5 deny 0.0.0.0/0 le 1
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#no ip prefix-list p0
> 76k-123-3(config)#end
> 76k-123-3#sh ip prefix-list
> .....
>
> crash
>
>
> It's fixed in 12.0S branch but hasn't been picked up anywhere later.
>
> Rodney
>
> On Tue, May 13, 2008 at 03:32:04PM +0100, David Freedman wrote:
>> Does anybody from cisco here know what exact conditions trigger this and
>> why there appears to be no "first-fixed-in" candidate for 12.0SY ?
>>
>> Thanks,
>>
>> Dave.
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From lobo at allstream.net Tue May 13 12:16:58 2008
From: lobo at allstream.net (Jose)
Date: Tue, 13 May 2008 12:16:58 -0400
Subject: [c-nsp] Label swapping on 7600 ethernet line cards
Message-ID: <4829BEFA.4000809@allstream.net>

It was recently brought to my attention by a colleague that certain Ethernet line cards for the 7600 platform do not support label swapping. We currently have WS-X6148-GE-TX line cards and we are planning on upgrading them due to their lack of jumbo frame support. We were looking at the WS-X6148A-GE-TX since it has jumbo frame support but now the concern is whether this card will be able to swap labels. Can't find any mention of this on CCO.

Our 7600 will be a "P" router and along with the ports on the SUP32, we will have PE connections on the 6148A's ports as well. Hence if two PEs need to communicate with each other and they are on the 6148A will this fail? We would never use the 6148A for P to P connections, only for P to PE.

Thanks for any tips.

Jose

From rodunn at cisco.com Tue May 13 12:18:46 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 13 May 2008 12:18:46 -0400
Subject: [c-nsp] CSCek62005
In-Reply-To: <4829C14E.6010601@uk.clara.net>
References: <20080513160723.GM21196@rtp-cse-489.cisco.com> <4829C14E.6010601@uk.clara.net>
Message-ID: <20080513161846.GQ21196@rtp-cse-489.cisco.com>

Looking at the code changes to fix it I think that may be a good possibility.

Ask the TAC engineer to fill out a request to have it put in that particular throttle.

Rodney

On Tue, May 13, 2008 at 05:26:54PM +0100, David Freedman wrote:
> Oh, that's strange, this bug was implicated for a crash caused by
> removing an active prefix list that was not used for the label
> allocation feature (just for normal BGP), this was
> 12.2(31)SB10 on 7206VXR NPE-G1
>
> #sh ver | in ROM
> router uptime is 4 days, 17 minutes
> System returned to ROM by bus error at PC 0x61FA34DC, address 0xB0D0B0D
> at 16:53:13 BST Fri May 9 2008
>
> #show region | in 0xA|0xB
> 0xA0000000 0xADFFFFFF 234881024 Local R/W main:(main_k1)
>
> #sh stack | begin Traceb
> -Traceback= 61FA34DC 610A1A64 60D43AA4 6089EDF0 608BA068 609C16F4 609C16E0
> $0 : 00000000, AT : 630D0000, v0 : 00000000, v1 : 00000044
> a0 : 0B0D0B0D, a1 : 0B0D0B0D, a2 : 651FE6FC, a3 : 00000248
> t0 : 00000018, t1 : 3400FF01, t2 : 3400E100, t3 : FFFF00FF
> t4 : 60A0CC40, t5 : 6323ED68, t6 : 6323ED64, t7 : 6323ED60
> s0 : 662E01D4, s1 : 662C83C0, s2 : 662C2674, s3 : 00000000
> s4 : 662C84C0, s5 : 62ED0000, s6 : 00000001, s7 : 62E30000
> t8 : 6323EDC0, t9 : 00000000, k0 : 72136AAC, k1 : 609F6640
> gp : 630DB964, sp : 72754148, s8 : 63619BC0, ra : 610A1A64
> EPC : 61FA34DC, ErrorEPC : BFC018D4, SREG : 3400FF03
> MDLO : 00000002, MDHI : 00000000, BadVaddr : 0B0D0B0D
> DATA_START : 0x61FC70C0
> Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception
>
> Dave.
>
>
>
> Rodney Dunn wrote:
> >I've never seen it.
> >
> >It appears to be part of the new local label prefix filter feature of
> >some sort.
> >
> >ie:
> >
> >76k-123-3#config t
> >Enter configuration commands, one per line. End with CNTL/Z.
> >76k-123-3(config)#ip prefix
> >76k-123-3(config)#ip prefix-list p0 permit 1.1.1.1/32
> >76k-123-3(config)#ip prefix-list p0 permit 1.1.1.2/32
> >76k-123-3(config)#end
> >76k-123-3#config t
> >76k-123-3(config)#mpls ldp label
> >76k-123-3(config-ldp-lbl)#allocate ?
> >  global  Specify global Routing/Forwarding instance
> >
> >76k-123-3(config-ldp-lbl)#allocate global ?
> >  host-routes  allocate local label for host routes only
> >  prefix-list  Specify a prefix list for local label filtering
> >
> >
> >76k-123-3(config-ldp-lbl)#allocate global prefix-list p0
> >76k-123-3(config-ldp-lbl)#end
> >
> >76k-123-3#
> >76k-123-3#sh ip prefix
> >ip prefix-list p0: 2 entries
> >   seq 5 permit 1.1.1.1/32
> >   seq 10 permit 1.1.1.2/32
> >
> >
> >76k-123-3#config t
> >Enter configuration commands, one per line. End with CNTL/Z.
> >76k-123-3(config)#no mpls ldp label
> >76k-123-3(config)#end
> >76k-123-3#sh ip prefix
> >ip prefix-list p0: 2 entries
> >   seq 5 permit 1.1.1.1/32
> >   seq 10 permit 1.1.1.2/32
> >ip prefix-list p2: 1 entries
> >   seq 5 permit 18.18.18.18/32
> >ip prefix-list p4: 1 entries
> >   seq 5 deny 0.0.0.0/0
> >ip prefix-list p9: 1 entries
> >   seq 5 deny 0.0.0.0/0 le 1
> >76k-123-3#config t
> >Enter configuration commands, one per line. End with CNTL/Z.
> >76k-123-3(config)#no ip prefix-list p0
> >76k-123-3(config)#end
> >76k-123-3#sh ip prefix-list
> >.....
> >
> >crash
> >
> >
> >It's fixed in 12.0S branch but hasn't been picked up anywhere later.
> >
> >Rodney
> >
> >On Tue, May 13, 2008 at 03:32:04PM +0100, David Freedman wrote:
> >>Does anybody from cisco here know what exact conditions trigger this and
> >>why there appears to be no "first-fixed-in" candidate for 12.0SY ?
> >>
> >>Thanks,
> >>
> >>Dave.
> >>
> >>_______________________________________________
> >>cisco-nsp mailing list cisco-nsp at puck.nether.net
> >>https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gwendel at gmail.com Tue May 13 12:29:41 2008
From: gwendel at gmail.com (Greg Wendel)
Date: Tue, 13 May 2008 12:29:41 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <1210694264.24063.25.camel@dusken.sys.mjna.net>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> <1210694264.24063.25.camel@dusken.sys.mjna.net>
Message-ID: <8dfae3430805130929ica7d2b4v4b2f17090d8e3572@mail.gmail.com>

Rick,

In this situation we would use our Opnet product. We put an Opnet Ace agent on each side and it is great at pinpointing problems. It is expensive, but it gives very good information.

Greg,

On Tue, May 13, 2008 at 11:57 AM, Peter Rathlev wrote:
> Hi Rick,
>
> Often the only way to prove that the network is not to blame is by
> finding what *IS* to blame. We spend countless hours working through
> solutions that are totally not within our area of expertise, simply
> because nobody else wants to.
>
> The sniffer (SPAN port and a laptop) is a good way to start trying to
> find out what goes wrong, but you have to dig into some very nasty
> details about the specific protocols, and these are often not very well
> documented.
> Mastering that discipline is what puts the "expert" in
> "networking expert". ;-)
>
> If all searches for a culprit fail, our only option is to turn the
> tables, telling the concerned party exactly what kind of service we
> deliver (bandwidth/latency/jitter/drops) and then let them figure out if
> that's good enough. We usually use some ad hoc IP SLA measurements to back
> this up, and are in the middle of implementing end-to-end IP SLA
> measurements all over the network for everyone to look into. It usually
> helps a LOT if you can give them the impression that you know exactly
> what is going on in your network.
>
> Bandwidth testing, although seldom any good indication of perceived
> performance, is easily done with tools like IPerf or ttcp. Traceroutes,
> maybe "mtr" (MyTraceroute) can be helpful in determining the source of
> some problems, but we've had quite a few incidents where it was proven
> that end users DO NOT know how to read them. Sometimes a traceroute can
> do more harm than good.
>
> We run a medium-ish enterprise MAN network by the way (government
> health), so we have very few problems with external customers. It's
> usually internal "customers" or external suppliers, both of which place
> us in an easier political situation than external customers, if not for
> anything else then because of the direction of the money flow. :-)
>
> Regards,
> Peter
>
> On Tue, 2008-05-13 at 10:15 -0500, Rick Martin wrote:
> > I know this is not really a Cisco specific question but it is
> > definitely in support of Cisco hardware.
> >
> > How do most of you folks prove that "the problem" is not the network?
> > We utilize CA Spectrum and eHealth for availability and statistical
> > analysis but in some instances that does not cut it. We don't typically
> > have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
> > Customers complain that their access is slow, we show that they are
> > using all available bandwidth and eventually sell them more bandwidth
> > and the problem is resolved.
> >
> > The more difficult effort is when there is plenty of available
> > bandwidth and a particular application is slow (Outlook in the case I am
> > involved in now). This is a very high level political official and we
> > must come to a resolution. All tools we have available to us today
> > indicate that there is not a problem with the network. Typical
> > utilization on the T1 is about 500 to 600K peak during the day. Certain
> > management continues to point the finger at the network. We have used
> > Internet based speed tests that at times show less than 1.5Meg download
> > speeds, I explain the variables in the Internet and the particular tool
> > in use as well as local contention for the bandwidth etc to no avail,
> > once they see less than 1.5 meg speed the finger points to the network.
> > I still must somehow "prove" that the network is not the issue.
> >
> > I am interested in an Internet speed test like tool to install at the
> > core of our network that would provide a sustained upload or download
> > test that would run for longer periods of time than a regular speed
> > test. I would like to fill the pipe while graphing in Ehealth or as part
> > of the selected tool to prove that the contracted bandwidth is available
> > in both directions.
> >
> > Any recommendations for products would be appreciated. We are currently
> > looking at SolarWinds WAN Killer and a traffic generator from Omnicore
> > LanTraffic V2. I am also open to different "types" of solutions to point
> > to where the problem is actually located.
> >
> > Thanks in advance for any suggestions
> >
> > Rick Martin
> > Network Engineer
> > State of Arkansas, Department of Information Systems
>

--
Gregory Wendel
Springfield VA, 22153

From eric at atlantech.net Tue May 13 12:32:43 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Tue, 13 May 2008 12:32:43 -0400
Subject: [c-nsp] IPv6 load testing
In-Reply-To:
References: <9895BA85-AC40-4871-B801-43478CAAE40C@adhost.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863504C7220C@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Kevin Barrass
> Sent: Tuesday, May 13, 2008 10:07 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPv6 load testing
>
> Hi
>
> We are looking to push IPv6 support on our network onto some Cisco
> 4500's but as the supervisor we currently have doesn't support IPv6 in
> hardware I want to load one of our test 4500s up with realistic IPv6
> Unicast traffic to see what impact it has on the switch.
>
> Does anyone know of any free software I can get to do this.
>
> Regards
>
> Kev

iperf should do the job: http://dast.nlanr.net/Projects/Iperf/

-evt

From arla at rn.dk Tue May 13 12:46:36 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Tue, 13 May 2008 18:46:36 +0200
Subject: [c-nsp] Cisco ACS tacacs console login fails.
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28762190BDB7@SRVEXC02.aas.its.nja.dk>

Hi Folks.

Is there someone that can point me in the right direction.
We are using tacacs on Cisco ACS v 4.1. This works fine when we are accessing the boxes via telnet. It authenticates us and lets us directly into privilege mode on the switches and routers. But when we are using the console port it just authenticates, and doesn't let us in at all, even if we try to enable with the enable password.

Here is a test from the log file that lets us in via telnet:

05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221

The next line just authenticates us but doesn't let us directly into the box from the console port.

05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221

When we do enable and type the enable password the tacacs rejects us:

05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221

What could I have missed enabling among the check-boxes in the ACS tacacs setup?

The config of the cisco boxes looks like this
----------------------------------------------------------------------
aaa new-model
aaa authentication login CONSOLE group tacacs+ local
aaa authentication login TELNET group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 password 7 1446400509107E32
 login authentication CONSOLE
line vty 0 4
 access-class 133 in
 exec-timeout 60 0
 password 7 15435902013E7F3D
 login authentication TELNET

/Arne

From david.freedman at uk.clara.net Tue May 13 12:26:54 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Tue, 13 May 2008 17:26:54 +0100
Subject: [c-nsp] CSCek62005
In-Reply-To: <20080513160723.GM21196@rtp-cse-489.cisco.com>
References:
<20080513160723.GM21196@rtp-cse-489.cisco.com>
Message-ID: <4829C14E.6010601@uk.clara.net>

Oh, that's strange, this bug was implicated for a crash caused by removing an active prefix list that was not used for the label allocation feature (just for normal BGP), this was 12.2(31)SB10 on 7206VXR NPE-G1

#sh ver | in ROM
router uptime is 4 days, 17 minutes
System returned to ROM by bus error at PC 0x61FA34DC, address 0xB0D0B0D at 16:53:13 BST Fri May 9 2008

#show region | in 0xA|0xB
0xA0000000 0xADFFFFFF 234881024 Local R/W main:(main_k1)

#sh stack | begin Traceb
-Traceback= 61FA34DC 610A1A64 60D43AA4 6089EDF0 608BA068 609C16F4 609C16E0
$0 : 00000000, AT : 630D0000, v0 : 00000000, v1 : 00000044
a0 : 0B0D0B0D, a1 : 0B0D0B0D, a2 : 651FE6FC, a3 : 00000248
t0 : 00000018, t1 : 3400FF01, t2 : 3400E100, t3 : FFFF00FF
t4 : 60A0CC40, t5 : 6323ED68, t6 : 6323ED64, t7 : 6323ED60
s0 : 662E01D4, s1 : 662C83C0, s2 : 662C2674, s3 : 00000000
s4 : 662C84C0, s5 : 62ED0000, s6 : 00000001, s7 : 62E30000
t8 : 6323EDC0, t9 : 00000000, k0 : 72136AAC, k1 : 609F6640
gp : 630DB964, sp : 72754148, s8 : 63619BC0, ra : 610A1A64
EPC : 61FA34DC, ErrorEPC : BFC018D4, SREG : 3400FF03
MDLO : 00000002, MDHI : 00000000, BadVaddr : 0B0D0B0D
DATA_START : 0x61FC70C0
Cause 00000008 (Code 0x2): TLB (load or instruction fetch) exception

Dave.

Rodney Dunn wrote:
> I've never seen it.
>
> It appears to be part of the new local label prefix filter feature of
> some sort.
>
> ie:
>
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#ip prefix
> 76k-123-3(config)#ip prefix-list p0 permit 1.1.1.1/32
> 76k-123-3(config)#ip prefix-list p0 permit 1.1.1.2/32
> 76k-123-3(config)#end
> 76k-123-3#config t
> 76k-123-3(config)#mpls ldp label
> 76k-123-3(config-ldp-lbl)#allocate ?
> global Specify global Routing/Forwarding instance
>
> 76k-123-3(config-ldp-lbl)#allocate global ?
> host-routes allocate local label for host routes only
> prefix-list Specify a prefix list for local label filtering
>
> 76k-123-3(config-ldp-lbl)#allocate global prefix-list p0
> 76k-123-3(config-ldp-lbl)#end
>
> 76k-123-3#
> 76k-123-3#sh ip prefix
> ip prefix-list p0: 2 entries
> seq 5 permit 1.1.1.1/32
> seq 10 permit 1.1.1.2/32
>
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#no mpls ldp label
> 76k-123-3(config)#end
> 76k-123-3#sh ip prefix
> ip prefix-list p0: 2 entries
> seq 5 permit 1.1.1.1/32
> seq 10 permit 1.1.1.2/32
> ip prefix-list p2: 1 entries
> seq 5 permit 18.18.18.18/32
> ip prefix-list p4: 1 entries
> seq 5 deny 0.0.0.0/0
> ip prefix-list p9: 1 entries
> seq 5 deny 0.0.0.0/0 le 1
> 76k-123-3#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> 76k-123-3(config)#no ip prefix-list p0
> 76k-123-3(config)#end
> 76k-123-3#sh ip prefix-list
> .....
>
> crash
>
> It's fixed in 12.0S branch but hasn't been picked up anywhere later.
>
> Rodney
>
> On Tue, May 13, 2008 at 03:32:04PM +0100, David Freedman wrote:
>> Does anybody from cisco here know what exact conditions trigger this and
>> why there appears to be no "first-fixed-in" candidate for 12.0SY ?
>>
>> Thanks,
>>
>> Dave.
>>
>

From Gregori.Parker at theplatform.com Tue May 13 13:05:22 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Tue, 13 May 2008 10:05:22 -0700
Subject: [c-nsp] PIX questions
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <1A9866F953006D45AEE0166066114E090F702078@TPMAIL02.corp.theplatform.com>

Tried the DNS doctoring, but since the resolvers are internal to the edge, it has no effect on the situation.

Why would someone want to do something like this? The obvious example: you would like to extend the protection your firewall provides a resource from external clients, to internal clients as well.
Granted, some re-design in terms of adding a DMZ would make sense in that case...but this sort of thing works on Netscreen firewalls, so I just imagined there was something I was missing when it came to Cisco gear -- they are called Adaptive Security Appliances after all :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of P at 0l0
Sent: Tuesday, May 13, 2008 2:33 AM
To: Ziv Leyes; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] PIX questions

Dear ALL,

I don't understand why you want to do something like that..., maybe I misunderstood but I don't recognize your needs.

What I mean is:

If you need to make some communication between internal addresses, then you need to use real IP.

If you need to make communication between different interfaces you can (if needed) use NATed IP.

Now I'm thinking about it, and I think that you should need it, due to a DNS resolution issue. In other words, an internal address NATed on the outside that is resolved with a public (nat) address that needs to be reached from the internal server/client, then you need to use the "alias command" to define DNS doctoring inspection.

Take a look at the manual for DNS doctoring (alias command).

Hope this helps you guys out

Cheers

Paolo Riviello
Home: http://www.paoloriviello.com
Msn: pao_rivi at hotmail.com
Skype: pao_rivi
--
I'm a rebel, soul rebel
I'm a capturer, soul adventurer
See the morning sun, On the hillside
if not living good, travel wide.
B.M.
> From: zivl at gilat.net
> To: cisco-nsp at puck.nether.net
> Date: Tue, 13 May 2008 09:14:03 +0300
> Subject: Re: [c-nsp] PIX questions
>
> You must understand that the NAT is being performed on a "from-->to" basis, that is why the command is "static (inside,outside)" so if the NAT is between inside and outside you can't hit it when coming from the dmz, for this to be achieved you should use a "static (inside,dmz)" command, but then, you won't have the needed translation towards the outside, I think you can't enjoy both worlds... Besides, what's the problem having the outside hosts use the public IP address and the dmz hosts use the inside IP address for accessing the servers?
>
> Ziv
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gregori Parker
> Sent: Monday, May 12, 2008 8:35 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] PIX questions
>
> I was hoping to see an answer to this, as I ran into what I believe to
> be a similar situation a while back.
>
> We had an ASA at an edge, with several static identity NATs, e.g.:
>
> static (inside,outside) x.x.x.78 172.16.8.44 netmask 255.255.255.255
> static (inside,outside) x.x.x.79 172.16.8.45 netmask 255.255.255.255
> ...
>
> Where x.x.x.* are public addresses, and an access-list allows specific
> services from anywhere to each public NAT. All outgoing traffic is
> PATed to the interface address, say x.x.x.80, and I'm not clear on how
> to enable a host on the inside to communicate with an identity NAT on
> the outside...essentially the ASA would be doubling up on translations,
> one outgoing, to one inbound...looping back to itself so-to-speak. It
> doesn't work, and I understand why, but I've wondered if there's a way
> to enable this (other than having the hosts communicate directly). I've
> looked at things like permitting same-security-traffic
> inter/intra-interface to no avail.
>
> Thanks in advance (and sorry if I woke a dead thread)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan
> Sent: Friday, May 09, 2008 12:05 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PIX questions
>
> Hi all,
>
> I have a question about PIX translation
>
> An outside interface has IP address:
> 192.168.1.2 255.255.255.0
>
> A DMZ interface has IP address:
> 10.1.1.2 255.255.255.0
>
> Current translation:
> 10.1.1.3 -> 192.168.1.3
> 10.1.1.4 -> 192.168.1.4
>
> How can I make it so that 10.1.1.3 is able to ping the IP "192.168.1.4"?
> How can I make it so that anyone behind 10.1.1.0/24 network is able to
> ping the IP "192.168.1.4"?
>
> Consider the ICMP is allowed any any.
>
> I tried to configure it but the ASDM log say
> "Deny IP Spoof From 192.168.1.2 to 192.168.1.4 on interface outside"
>
> Thank you for your help in advance.
>
> Regards,
> Rudy
>

From peter at rathlev.dk Tue May 13 13:04:17 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 13 May 2008 19:04:17 +0200
Subject: [c-nsp] Label swapping on 7600 ethernet line cards
In-Reply-To: <4829BEFA.4000809@allstream.net>
References: <4829BEFA.4000809@allstream.net>
Message-ID: <1210698257.28239.3.camel@dusken.sys.mjna.net>

Hi Jose,

On Tue, 2008-05-13 at 12:16 -0400, Jose wrote:
> It was recently brought to my attention from a colleague that certain
> Ethernet line cards for the 7600 platform do not support label
> swapping. We currently have WS-X6148-GE-TX line cards and we are
> planning on upgrading them due to their lack of jumbo frame support. We
> were looking at the WS-X6148A-GE-TX since it has jumbo frame support but
> now the concern is whether this card will be able to swap labels. Can't
> find any mention of this on CCO.

It does MPLS fine, both imposition/deposition and swapping. When using PFC MPLS any LAN card can be used.
Be aware though that PFC MPLS is limited in some (many?) ways, so you can't do anything REALLY fancy. :-)

We had four WS-X6148A-GE-TX in production until recently. They may have jumbo frame support, but they are oversubscribed and not really useful for core links. (They're sold as "wiring closet" cards.)

Regards,
Peter

From have.an.email at gmail.com Tue May 13 13:40:41 2008
From: have.an.email at gmail.com (Nathan)
Date: Tue, 13 May 2008 19:40:41 +0200
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com>

On Tue, May 13, 2008 at 5:15 PM, Rick Martin wrote:
>
> How do most of you folks prove that "the problem" is not the network?
...
> a particular application is slow (Outlook in the case I am
> involved in now).

Hi,

Proceed by elimination. If there is someone else in the office (I suppose the T1 is not just for one person) whose Outlook is *not* slow, and especially if "someone else" can be extended to "everybody else" then the problem is not the network.

Outlook can have severe speed/response problems when not kept healthy; most notably there's something called PST files that have to be kept at a reasonable size, or re-indexed or something, and people who like to keep all their mail tend to run into that.

HTH
--
Nathan

From oboehmer at cisco.com Tue May 13 13:55:41 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 13 May 2008 19:55:41 +0200
Subject: [c-nsp] Cisco ACS tacacs console login fails.
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28762190BDB7@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28762190BDB7@SRVEXC02.aas.its.nja.dk>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78405668569@xmb-ams-333.emea.cisco.com>

Arne Larsen / Region Nordjylland <> wrote on Tuesday, May 13, 2008 6:47 PM:

> Hi Folks.
>
> Is there someone that can point me in the right direction.
> We are using tacacs on Cisco ACS v 4.1. This works fine when we are
> accessing the boxes via telnet. It authenticates us and lets us
> directly into privilege mode on the switches and routers. But when we
> are using the console port it just authenticates, and doesn't let us
> in at all, even if we try to enable with the enable password.

privilege level assignment is part of authorization, and authorization is disabled by default on console ports (in an attempt to prevent mis-configured authorization to lock you out). You need to enable it via "aaa authorization console". Make sure you test AAA failover before doing so, in your case, I would add "if-authenticated" or "none" as a fallback method for all "aaa authorization .." statements (incl. cmd author.)

oli

From mailinglists at unix-scripts.com Tue May 13 15:51:18 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Tue, 13 May 2008 12:51:18 -0700
Subject: [c-nsp] Route Optimization/Control Options?
Message-ID:

Looking for recommendations on route optimization software/appliances that are out there. Currently I have two upstream connections and I'm just using a basic bgp setup to route traffic out. I would like something that does realtime monitoring and manipulates traffic based on network performance down each provider. Anybody recommend anything that's a decent price.

~Shaun

From dcp at dcptech.com Tue May 13 16:16:16 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 13 May 2008 16:16:16 -0400
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To:
References:
Message-ID: <004f01c8b536$37800f60$03e8520a@cisco.com>

Have you looked at PfR

http://www.cisco.com/go/pfr

There is no cost except the configuration. So it would be somewhere good to start.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun R.
> Sent: Tuesday, May 13, 2008 3:51 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Route Optimization/Control Options?
>
> Looking for recommendations on route optimization software/appliances that
> are out there. Currently I have two upstream connections and I'm just using
> a basic bgp setup to route traffic out. I would like something that does
> realtime monitoring and manipulates traffic based on network performance
> down each provider. Anybody recommend anything that's a decent price.
>
> ~Shaun
>

From jzp-cnsp at rsuc.gweep.net Tue May 13 17:10:32 2008
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Tue, 13 May 2008 17:10:32 -0400
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To: <004f01c8b536$37800f60$03e8520a@cisco.com>
References: <004f01c8b536$37800f60$03e8520a@cisco.com>
Message-ID: <20080513211032.GA77310@gweep.net>

On Tue, May 13, 2008 at 04:16:16PM -0400, David Prall wrote:
[snip]
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun R.
> > Sent: Tuesday, May 13, 2008 3:51 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Route Optimization/Control Options?
> >
> > Looking for recommendations on route optimization software/appliances that
> > are out there. Currently I have two upstream connections and I'm just using
> > a basic bgp setup to route traffic out. I would like something that does
> > realtime monitoring and manipulates traffic based on network performance
> > down each provider. Anybody recommend anything that's a decent price.

Recall that only your outbound traffic is under your control.
The only control regarding inbound traffic is the presence or absence of your prefixes. Prepends won't override a remote autonomous system's decisions at their cost, performance, or other metrics. Your directly-neighboring providers may support communities to influence the traffic on their network & their borders, but expect your guaranteed influence to flow only as far as your dollars.

Cheers,

Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From feldman at twincreeks.net Tue May 13 17:15:30 2008
From: feldman at twincreeks.net (Steve Feldman)
Date: Tue, 13 May 2008 14:15:30 -0700
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To: <004f01c8b536$37800f60$03e8520a@cisco.com>
References: <004f01c8b536$37800f60$03e8520a@cisco.com>
Message-ID: <1AA9626B-8A75-4F68-A1C3-9127CEDC0A0E@twincreeks.net>

On May 13, 2008, at 1:16 PM, David Prall wrote:
> Have you looked at PfR
>
> http://www.cisco.com/go/pfr
>
> There is no cost except the configuration. So it would be somewhere
> good to
> start.
>

Has anyone out there successfully deployed PfR using 6500-series equipment?

We're considering it, but haven't started lab testing yet.

And a related question: Ignoring PfR, is 12.2(33)SXH stable enough for production use? (Nothing fancy, full BGP from ~5 neighbors.)

Thanks,
Steve

From dcp at dcptech.com Tue May 13 17:23:45 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 13 May 2008 17:23:45 -0400
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To: <1AA9626B-8A75-4F68-A1C3-9127CEDC0A0E@twincreeks.net>
References: <004f01c8b536$37800f60$03e8520a@cisco.com> <1AA9626B-8A75-4F68-A1C3-9127CEDC0A0E@twincreeks.net>
Message-ID: <005301c8b53f$a444d280$03e8520a@cisco.com>

Since the 6500/7600 doesn't support TCP Flags, it can't do passive monitoring. So active monitoring must be done, IP SLA probes.
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: Steve Feldman [mailto:feldman at twincreeks.net]
> Sent: Tuesday, May 13, 2008 5:16 PM
> To: David Prall; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Route Optimization/Control Options?
>
> On May 13, 2008, at 1:16 PM, David Prall wrote:
> > Have you looked at PfR
> >
> > http://www.cisco.com/go/pfr
> >
> > There is no cost except the configuration. So it would be somewhere
> > good to
> > start.
> >
>
> Has anyone out there successfully deployed PfR using 6500-series
> equipment?
>
> We're considering it, but haven't started lab testing yet.
>
> And a related question: Ignoring PfR, is 12.2(33)SXH stable enough
> for production use? (Nothing fancy, full BGP from ~5 neighbors.)
>
> Thanks,
> Steve

From howie at thingy.com Tue May 13 17:23:45 2008
From: howie at thingy.com (Howard Jones)
Date: Tue, 13 May 2008 22:23:45 +0100
Subject: [c-nsp] PIX questions
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <482A06E1.9020108@thingy.com>

Ziv Leyes wrote:
> You must understand that the NAT is being performed on a "from-->to" basis, that is why the command is "static (inside,outside)" so if the NAT is between inside and outside you can't hit it when coming from the dmz, for this to be achieved you should use a "static (inside,dmz)" command, but then, you won't have the needed translation towards the outside, I think you can't enjoy both worlds... Besides, what's the problem having the outside hosts use the public IP address and the dmz hosts use the inside IP address for accessing the servers?
>

I have almost exactly this problem today with the following history:

* customer installs a wireless aggregation box in a DMZ for internet access. No problem.
* next they install a web application in a different DMZ on the same ASA for access from the internet.
No problem from the rest of the world.
* now that this application is "on the internet", wireless users (who don't know how they are actually connected) complain that they can't access it by its URL (which resolves to the public IP).

So it's not *that* hard to get into this situation.

Since it's only one IP, and I don't think there's going to be another, my current (untested) plan is to add another static NAT for the internet-facing address in DMZ 1 to DMZ 2. Split-horizon DNS would probably be a better solution, but I don't think they have the necessary control.

Am I right in thinking that the involved interfaces form part of the 'key' for looking up NAT rules? I mean, can I use the same addresses in multiple rules between different interfaces?

Howie

From jared at puck.nether.net Tue May 13 17:32:07 2008
From: jared at puck.nether.net (jared mauch)
Date: Tue, 13 May 2008 17:32:07 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <44BF97F8-FC18-4168-8280-509A8F1B4AC2@puck.nether.net>

Collection of data like interface errors including drops, etc. should be standard practice and help you isolate what or when there is a problem. Tracking this data may mean more complex polling than using mrtg/cfgmaker in the default settings but will prove its value over time.

Jared Mauch

On May 13, 2008, at 11:15 AM, "Rick Martin" wrote:
>
> I know this is not really a Cisco specific question but it is
> definitely in support of Cisco hardware.
>
> How do most of you folks prove that "the problem" is not the network?
> We utilize CA Spectrum and eHealth for availability and statistical
> analysis but in some instances that does not cut it. We don't
> typically
> have much trouble proving that a T1 is serving up 1.5 meg of
> bandwidth.
> Customers complain that their access is slow, we show that they are > using all available bandwidth and eventually sell them more bandwidth > and the problem is resolved. > > The more difficult effort is when there is plenty of available > bandwidth and a particular application is slow (Outlook in the case > I am > involved in now). This is a very high level political official and we > must come to a resolution. All tools we have available to us today > indicate that there is not a problem with the network. Typical > utilization on the T1 is about 500 to 600K peak during the day. > Certain > management continues to point the finger at the network. We have used > Internet based speed tests that at times show less than 1.5Meg > download > speeds, I explain the variables in the Internet and the particular > tool > in use as well as local contention for the bandwidth etc to no avail, > once they see less than 1.5 meg speed the finger points to the > network. > I still must somehow "prove" that the network is not the issue. > > I am interested in an Internet speed test like tool to install at the > core of our network that would provide a sustained upload or download > test that would run for longer periods of time than a regular speed > test. I would like to fill the pipe while graphing in Ehealth or as > part > of the selected tool to prove that the contracted bandwidth is > available > in both directions. > > Any recommendations for products would be appreciated. We are > currently > looking at SolarWinds WAN Killer and a traffic generator from Omnicore > LanTraffic V2. I am also open to different "types" of solutions to > point > to where the problem is actually located. 
> > Thanks in advance for any suggestions > > Rick Martin > Network Engineer > State of Arkansas, Department of Information Systems > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From William.Murphy at uth.tmc.edu Tue May 13 19:02:36 2008 From: William.Murphy at uth.tmc.edu (Murphy, William ) Date: Tue, 13 May 2008 18:02:36 -0500 Subject: [c-nsp] Prove it's not the network! In-Reply-To: References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> Message-ID: <164030B85F3A8B40B960817918CB0210013423C6@UTHEVS4.mail.uthouston.edu> Our environment is probably very different than yours, but we use Netscout nGenius... If the user does not believe the pretty graphs we show them then we bring out the big guns... We use Network Performance Toolkit available through I2. They have a nice bootable Knoppix version you can boot on any PC using CD and thumb drive. You can have the user run test against the diagnostic tool from their web browser or you can run your own tests... Bill Murphy Senior Network Analyst University of Texas Health Science Center - Houston -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rick Martin Sent: Tuesday, May 13, 2008 10:16 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Prove it's not the network! I know this is not really a Cisco specific question but it is definitely in support of Cisco hardware. How do most of you folks prove that "the problem" is not the network? We utilize CA Spectrum and eHealth for availability and statistical analysis but in some instances that does not cut it. We don't typically have much trouble proving that a T1 is serving up 1.5 meg of bandwidth. 
Customers complain that their access is slow, we show that they are using all available bandwidth and eventually sell them more bandwidth and the problem is resolved. The more difficult effort is when there is plenty of available bandwidth and a particular application is slow (Outlook in the case I am involved in now). This is a very high level political official and we must come to a resolution. All tools we have available to us today indicate that there is not a problem with the network. Typical utilization on the T1 is about 500 to 600K peak during the day. Certain management continues to point the finger at the network. We have used Internet based speed tests that at times show less than 1.5Meg download speeds, I explain the variables in the Internet and the particular tool in use as well as local contention for the bandwidth etc to no avail, once they see less than 1.5 meg speed the finger points to the network. I still must somehow "prove" that the network is not the issue. I am interested in an Internet speed test like tool to install at the core of our network that would provide a sustained upload or download test that would run for longer periods of time than a regular speed test. I would like to fill the pipe while graphing in Ehealth or as part of the selected tool to prove that the contracted bandwidth is available in both directions. Any recommendations for products would be appreciated. We are currently looking at SolarWinds WAN Killer and a traffic generator from Omnicore LanTraffic V2. I am also open to different "types" of solutions to point to where the problem is actually located. 
Thanks in advance for any suggestions

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems

From mksmith at adhost.com Tue May 13 19:06:27 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Tue, 13 May 2008 16:06:27 -0700
Subject: [c-nsp] SPAN for POS?
In-Reply-To: <051320081557.13475.4829BA840001BEA1000034A32200750744069B9D0A0D049A08@comcast.net>
References: <051320081557.13475.4829BA840001BEA1000034A32200750744069B9D0A0D049A08@comcast.net>
Message-ID: <17838240D9A5544AAA5FF95F8D52031603F35347@ad-exh01.adhost.lan>

Hello Jerry:

-------------------------------------------------------
From: hulbertj at comcast.net [mailto:hulbertj at comcast.net]
Sent: Tuesday, May 13, 2008 8:58 AM
To: Michael K. Smith - Adhost
Cc: cisco-nsp at puck.nether.net
Subject: Re:[c-nsp] SPAN for POS?

Yes, use the switchport capture feature.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/sx_swcg.pdf

create the VACL first and then set a switchport as "capture".

You can apply the VACL to a WAN interface.

Thanks,
Jerry
----------------------------------------------------------------------

If you're pushing a full OC-48 worth of bandwidth would you have to have a 10 Gig switchport or could you use an etherchannel of 3 ports? The way I read Hank's message he needs to capture the full 2.5 Gbps. Nice workaround though.

Regards,

Mike
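What Jerry's "create the VACL first and then set a switchport as capture" looks like as a Catalyst 6500 (12.2SX-style) configuration. This is an added example written for this archive, not a snippet from any poster or from the Cisco guide linked above. VLAN 100, the 192.0.2.0/24 server block, the access-list and map names, the sniffer port Gi9/16 and the POS 4/1 interface are all assumed for illustration, and the `vlan filter ... interface` form for the WAN interface is my reading of that guide and should be checked against it before use.

```cisco
! Added example: VACL-based capture on a Catalyst 6500 (12.2SX syntax).
! Same intent as the SPAN session
!   monitor session 1 source vlan 100 both
!   monitor session 1 destination interface Gi9/16
! except that only packets the VACL tags with "capture" are copied.
!
! 1. Classify.  Names, VLAN 100 and 192.0.2.0/24 are assumed.
ip access-list extended CAP-WEB
 permit tcp any 192.0.2.0 0.0.0.255 eq 80
 permit tcp 192.0.2.0 0.0.0.255 eq 80 any
!
ip access-list extended CAP-REST
 permit ip any any
!
! 2. Build the VACL.  Sequence 10 forwards AND copies matching frames to the
!    capture port(s); sequence 20 forwards everything else untouched.
!    Without the catch-all entry the map's implicit deny drops every other
!    packet in the VLAN, which is the classic way to black-hole a VLAN with
!    this feature.
vlan access-map CAP-MAP 10
 match ip address CAP-WEB
 action forward capture
vlan access-map CAP-MAP 20
 match ip address CAP-REST
 action forward
!
! 3. Apply the map to the VLAN(s) whose traffic you want to see.
vlan filter CAP-MAP vlan-list 100
!
! 4. Make the sniffer port a capture port.  A capture port receives a copy
!    of every "capture" hit from every VLAN the map is applied to, so limit
!    it with "capture allowed vlan" when more than one VLAN carries the map.
!    (Check the allowed-vlan keyword form on your release.)
interface GigabitEthernet9/16
 description Sniffer - VACL capture destination
 switchport
 switchport mode access
 switchport capture allowed vlan 100
 switchport capture
!
! 5. Assumed syntax, verify against the linked 12.2SX guide: the same map
!    applied to the WAN interface, which is what the SPAN-for-POS question
!    actually needs.
vlan filter CAP-MAP interface POS 4/1
!
! Checks:
!   show vlan access-map CAP-MAP
!   show vlan filter
!   show ip access-lists CAP-WEB
!   show interfaces GigabitEthernet9/16 | include output drops
```

Two things to keep in mind that the thread only touches on. First, capture is not directional the way `monitor session ... rx` and `... tx` are: every capture port gets every copy, so you cannot send rx to one sniffer port and tx to another; you can only narrow what is copied with the access-lists (for example source-network vs. destination-network entries). Second, the capture port has to drain the copies at line rate. If the VACL matches most of an OC-48's traffic, a gigabit capture port will silently discard what it cannot transmit, which is why a 10GE capture port (and then an etherchannel split on another box, as David describes) is the usual answer for 2.5 Gbps; watch the output drop counter on the capture port to see whether the copy is complete.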
From tahir.uddin at alliancebernstein.com Tue May 13 19:09:31 2008
From: tahir.uddin at alliancebernstein.com (Uddin, Tahir)
Date: Tue, 13 May 2008 19:09:31 -0400
Subject: [c-nsp] Switch processing delay
Message-ID: <1E79A7919A9B16468E407A8DEAB65A4303C97E7B@METROEVS3.ac.lp.acml.com>

Hi All

Does anyone know the switching delay for a 1500 byte packet (or any size packet) through a 6509E with a Sup720 10G supervisor? Packet coming in one 10gig port and out another 10Gig.

Thanks

From abalashov at evaristesys.com Tue May 13 18:32:35 2008
From: abalashov at evaristesys.com (Alex Balashov)
Date: Tue, 13 May 2008 18:32:35 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <4829B50F.5060509@pins.net> References: <20080513152503.GA29014@roxanne.org> <4829B50F.5060509@pins.net> Message-ID: <482A1703.7000908@evaristesys.com> Jason Berenson wrote: > As for the speed testing issue. You could tell them to disconnect > everything from the LAN side of the router and connect a laptop only. > Have them run a speed test like that. The idea that when no one else is > using the connection the speed is a steady 1.5M might hit home at that > point. This is generally the approach I take, and has consistently proven to be the most effective. -- Alex Balashov Evariste Systems Web : http://www.evaristesys.com/ Tel : (+1) (678) 954-0670 Direct : (+1) (678) 954-0671 Mobile : (+1) (706) 338-8599 From dcp at dcptech.com Tue May 13 19:30:43 2008 From: dcp at dcptech.com (David Prall) Date: Tue, 13 May 2008 19:30:43 -0400 Subject: [c-nsp] SPAN for POS? In-Reply-To: <17838240D9A5544AAA5FF95F8D52031603F35347@ad-exh01.adhost.lan> References: <051320081557.13475.4829BA840001BEA1000034A32200750744069B9D0A0D049A08@comcast.net> <17838240D9A5544AAA5FF95F8D52031603F35347@ad-exh01.adhost.lan> Message-ID: <005e01c8b551$611b0bc0$03e8520a@cisco.com> Last time I did this, you had to use a 10GE port with the POS interface. You can then put the 10GE into another box and do a redirect to an etherchannel. You can even loop the 10GE back into the same router/switch if you so desire, but it gets a little more complicated. David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Michael K. Smith - Adhost > Sent: Tuesday, May 13, 2008 7:06 PM > To: hulbertj at comcast.net > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] SPAN for POS? > > Hello Jerry: > > ------------------------------------------------------- > From: hulbertj at comcast.net [mailto:hulbertj at comcast.net] > Sent: Tuesday, May 13, 2008 8:58 AM > To: Michael K. 
Smith - Adhost > Cc: cisco-nsp at puck.nether.net > Subject: Re:[c-nsp] SPAN for POS? > > Yes, use the switchport capture feature. > ? > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/ > 12.2SX/configuration/guide/sx_swcg.pdf > create the VACL first and then set a switchport as "capture". > ? > You can apply the VACL to a WAN interface. > ? > Thanks, > Jerry > ---------------------------------------------------------------------- > > If you're pushing a full OC-48 worth of bandwidth would you > have to have a 10 Gig switchport or could you use an > etherchannel of 3 ports? The way I read Hank's message he > needs to capture the full 2.5 Gbps. Nice workaround though. > > Regards, > > Mike > From hulbertj at comcast.net Tue May 13 19:57:57 2008 From: hulbertj at comcast.net (hulbertj at comcast.net) Date: Tue, 13 May 2008 23:57:57 +0000 Subject: [c-nsp] Route Optimization/Control Options? Message-ID: <051320082357.13110.482A2B050001F4C6000033362205889116069B9D0A0D049A08@comcast.net> The 6500 can only perform the BR functions and can't perform the functions of the MC. You'll need another IOS router to do that (1800/2800/3800/7200/etc). Like David stated, PfR is free, so you could enable it without route control (observe mode) just to get an overall assessment of your outgoing traffic classes and their performance measurements. Then you can decide whether or not to actually let the MC control your routing. PfR can also try(if configured) to affect your incoming traffic, but this like anything else will depend on what your ISP decides. Message: 7 Date: Tue, 13 May 2008 17:23:45 -0400 From: "David Prall" Subject: Re: [c-nsp] Route Optimization/Control Options? To: "'Steve Feldman'" , Message-ID: <005301c8b53f$a444d280$03e8520a at cisco.com> Content-Type: text/plain; charset="us-ascii" Since the 6500/7600 doesn't support TCP Flags, it can't do passive monitoring. So active monitoring must be done, IP SLA probes. 
David -- http://dcp.dcptech.com

From rdobbins at cisco.com Tue May 13 22:33:18 2008
From: rdobbins at cisco.com (Roland Dobbins)
Date: Wed, 14 May 2008 09:33:18 +0700
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
Message-ID: <70D74E2F-BD4D-48EE-9064-CBFD803FB5AE@cisco.com>

On May 13, 2008, at 10:15 PM, Rick Martin wrote:
> Thanks in advance for any suggestions

NetFlow plus IP SLA?

-----------------------------------------------------------------------
Roland Dobbins // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.
-- John Robb

From christian at visr.org Tue May 13 22:42:49 2008
From: christian at visr.org (Christian)
Date: Tue, 13 May 2008 22:42:49 -0400
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To:
References:
Message-ID: <9b62cf2f0805131942s204400e6ra3aab23402e580a7@mail.gmail.com>

Might want to take a look at Internap's FCP or the Route Science box; Avaya bought them and I can't remember what they renamed the product to, if they even still have it around.

On Tue, May 13, 2008 at 3:51 PM, Shaun R. wrote:
> Looking for recommendations on route optimization software/appliances that are out there. Currently I have two upstream connections and I'm just using a basic BGP setup to route traffic out. I would like something that does realtime monitoring and manipulates traffic based on network performance down each provider. Anybody recommend anything that's a decent price.
>
> ~Shaun

From cisco-nsp at jacobsson.nu Tue May 13 22:45:25 2008
From: cisco-nsp at jacobsson.nu (Fredrik Jacobsson)
Date: Wed, 14 May 2008 04:45:25 +0200
Subject: [c-nsp] WDM equipment
Message-ID: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>

Greetings.

I'm looking into WDM equipment to save fiber costs. Using Ethernet and Fibre Channel, mainly Cisco and Brocade. Is there anyone here with experience with equipment from Adva or MRV? Happy?

Thanks
/Fredrik

From mailinglists at unix-scripts.com Tue May 13 23:42:41 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Tue, 13 May 2008 20:42:41 -0700
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To: <9b62cf2f0805131942s204400e6ra3aab23402e580a7@mail.gmail.com>
References: <9b62cf2f0805131942s204400e6ra3aab23402e580a7@mail.gmail.com>
Message-ID:

Internap wants 50K for a model that's rated for 300-400 Mbit... that's a ridiculous price IMO.

~Shaun

"Christian" wrote in message news:9b62cf2f0805131942s204400e6ra3aab23402e580a7 at mail.gmail.com...
> Might want to take a look at Internap's FCP or the Route Science box; Avaya bought them and I can't remember what they renamed the product to, if they even still have it around.
>
> On Tue, May 13, 2008 at 3:51 PM, Shaun R. wrote:
>
>> Looking for recommendations on route optimization software/appliances that are out there. Currently I have two upstream connections and I'm just using a basic BGP setup to route traffic out. I would like something that does realtime monitoring and manipulates traffic based on network performance down each provider. Anybody recommend anything that's a decent price.
>>
>> ~Shaun

From ml at t-b-o-h.net Wed May 14 00:09:02 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Wed, 14 May 2008 00:09:02 -0400 (EDT)
Subject: [c-nsp] Route Optimization/Control Options?
In-Reply-To:
Message-ID: <200805140409.m4E492MF085808@himinbjorg.tucs-beachin-obx-house.com>

Sigh... Makes me yearn to have my Sockeye Global Routing Appliance back. Loved that little box. Should have backed it up to a server that DIDN'T die before returning it. Wouldn't have been cheaper (it was a monthly service, not a one-time box charge) but it was W-E-L-L worth it. They were bought along with another company by Internap, and then phased out I think in favor of the "FC" boxes.

Tuc

>
> Internap wants 50K for a model that's rated for 300-400 Mbit... that's a ridiculous price IMO.
>
> ~Shaun
>
>
> "Christian" wrote in message news:9b62cf2f0805131942s204400e6ra3aab23402e580a7 at mail.gmail.com...
> > Might want to take a look at Internap's FCP or the Route Science box; Avaya bought them and I can't remember what they renamed the product to, if they even still have it around.
> >
> > On Tue, May 13, 2008 at 3:51 PM, Shaun R. wrote:
> >
> >> Looking for recommendations on route optimization software/appliances that are out there. Currently I have two upstream connections and I'm just using a basic BGP setup to route traffic out. I would like something that does realtime monitoring and manipulates traffic based on network performance down each provider.
> >> Anybody recommend anything that's a decent price.
> >>
> >> ~Shaun

From tedm at toybox.placo.com Wed May 14 01:43:58 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Tue, 13 May 2008 22:43:58 -0700
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <1210683392.24063.1.camel@dusken.sys.mjna.net>
Message-ID:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
> Sent: Tuesday, May 13, 2008 5:57 AM
> To: cisco-nsp
> Subject: Re: [c-nsp] Fake Cisco Equipment News Articles - very interesting
>
> This thread probably covers an interesting subject, but in my eyes it's too political to be on topic. Am I wrong to think that the discussion should move to somewhere else?
>

I don't think discussion of how the stuff gets into the supply chain is too political. As for the issue with the Chinese, yes that is political. Too political? Well, look at it this way.

Cisco has spent a LOT of verbiage and money planting articles against counterfeiters, as well as a lot of time and verbiage in their own Cisco sales literature talking about the evils of counterfeiters. Their PRIMARY line is that counterfeiters are bad because they turn out inferior product.
It is NOT that counterfeiters are bad because they lose Cisco money. In short, Cisco is tossing this issue into the technical realm.

If Cisco wants us techs to believe that counterfeit product is inferior, then we are not going to believe that unless they EXPLAIN why. And I do NOT mean the type of baloney explanation that would be appropriate for a CEO that couldn't tell the difference between a packet and a pocket.

I would like to know this: How in the HELL is this stuff getting into distribution? The ONLY explanation to me that makes ANY sense at all is that it's being injected into distribution AT THE SOURCE, IN CHINA. We KNOW that the non-counterfeit stuff is being manufactured in China, I mean I see that the country of origin on the parts is China, don't you guys see the same? Well, we pretty damn well guess that the counterfeit stuff is ALSO being manufactured in China. So it seems that the simplest explanation is that the source is being tampered with. Why would the people in China bend over backwards to keep the non-counterfeit stuff and the counterfeit stuff separated in the supply chain until the shipments reached the US, and THEN inject the counterfeit stuff into the supply chain? It seems senseless. It makes a lot more sense that it would be injected at the source.

And if it is being injected at the source, where is it being made, and by whom? Is it being made in the same factories that make the non-counterfeit stuff? Using the same machinery, same dies, same tools, same people? If so, then why would it be inferior?

So, yes, I do believe that as long as Cisco is claiming that counterfeit stuff is bad because it is inferior, then Cisco has an obligation to back that kind of statement up, and answer these questions, as well as answer the question of why Cisco is outsourcing manufacturing of a $30K device to China, when there are fabs in the US that could make it?
And, I cannot see how Cisco can answer this WITHOUT making some answers that YOU would regard as "political".

There are Cisco employees that monitor this list. Perhaps they can let their supervisors know that they have some explaining to do.

People post on this list every day of problems they are having with Cisco equipment, then proceed to lambast various Cisco IOS revisions for breaking things. Well, how do I know that when someone reports X.Y.Z version of IOS is bad because it's making my router reboot all the time, that their router's not rebooting all the time because it's counterfeit? I don't. So, am I going to then base my decisions on whether to deploy X.Y.Z based on bad data? Are you? Are you happy doing this?

If not, then shut up about the so-called "political counterfeiting" discussion. This is most definitely on topic.

Ted

From frnkblk at iname.com Wed May 14 01:56:28 2008
From: frnkblk at iname.com (Frank Bulk - iNAME)
Date: Wed, 14 May 2008 00:56:28 -0500
Subject: [c-nsp] WDM equipment
In-Reply-To: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
Message-ID:

You've hit the main two vendors; you might also want to look at gear from Transmode, Nortel, or XKL, too.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik Jacobsson
Sent: Tuesday, May 13, 2008 9:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WDM equipment

Greetings.

I'm looking into WDM equipment to save fiber costs. Using Ethernet and Fibre Channel, mainly Cisco and Brocade. Is there anyone here with experience with equipment from Adva or MRV? Happy?
Thanks /Fredrik _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rudal at online.rudal.com Wed May 14 02:36:03 2008 From: rudal at online.rudal.com (Rudy Setiawan) Date: Tue, 13 May 2008 23:36:03 -0700 Subject: [c-nsp] Using same AS number Message-ID: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> Hi all, As per BGP rule, that if a router sees its own AS in the path, it will filter them out of the prefixes. So if I have two locations with different providers and no direct connection to each other, what's the best way to be able to use the same AS and yet still sees the prefixes/routes? Thank you all in advance for the help. Regards, Rudy From hank at efes.iucc.ac.il Wed May 14 03:10:15 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Wed, 14 May 2008 10:10:15 +0300 Subject: [c-nsp] SPAN for POS? In-Reply-To: <051320081557.13475.4829BA840001BEA1000034A32200750744069B9 D0A0D049A08@comcast.net> Message-ID: <5.1.0.14.2.20080514100703.00b25f50@efes.iucc.ac.il> At 03:57 PM 13-05-08 +0000, hulbertj at comcast.net wrote: >Yes, use the switchport capture feature. > >http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/sx_swcg.pdf >create the VACL first and then set a switchport as "capture". > >You can apply the VACL to a WAN interface. Thanks. I found: but would like to see an IOS config of this in action. Something that would take: monitor session 1 source interface Gi7/1 tx monitor session 1 destination interface Gi9/16 monitor session 2 source interface Gi7/1 rx monitor session 2 destination interface Gi9/17 and do the same via VACLs. If you can send actual IOS snippets that would be great! 
Thanks, Hank From jj at powerset.com Wed May 14 03:34:42 2008 From: jj at powerset.com (Jonathan Crawford) Date: Wed, 14 May 2008 00:34:42 -0700 Subject: [c-nsp] WDM equipment In-Reply-To: References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com> Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net> There is also bti photonics... never used any of their active gear, but I'm very happy with their passive stuff. Jonathan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iNAME Sent: Tuesday, May 13, 2008 10:56 PM To: 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WDM equipment You've hit the main two vendors, you might also want to look at gear from Transmode, Nortel, or XKL, too. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik Jacobsson Sent: Tuesday, May 13, 2008 9:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] WDM equipment Greetings. I'm looking into WDM-equipment to save fiber costs. Using ethernet and fibrechannel, mainly Cisco and Brocade. Are there anyone here with experience with equipment from Adva or Mrv? Happy? 
Thanks /Fredrik _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From tom at snnap.net Wed May 14 04:33:13 2008 From: tom at snnap.net (Tom Storey) Date: Wed, 14 May 2008 18:03:13 +0930 Subject: [c-nsp] Using same AS number In-Reply-To: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> References: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> Message-ID: <36B27748-1A45-4B4A-83E2-72C585DA181C@snnap.net> On 14/05/2008, at 4:06 PM, Rudy Setiawan wrote: > Hi all, > > As per BGP rule, that if a router sees its own AS in the path, it will > filter them out of the prefixes. > > So if I have two locations with different providers and no direct > connection to each other, what's the best way to be able to use the > same AS and yet still sees the prefixes/routes? > > Thank you all in advance for the help. > > Regards, > Rudy You could setup a tunnel between them and run iBGP over the tunnel. Otherwise, let the default route tackle it? From peter at rathlev.dk Wed May 14 04:34:58 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 14 May 2008 10:34:58 +0200 Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting In-Reply-To: References: Message-ID: <1210754098.872.11.camel@dusken.sys.mjna.net> On Tue, 2008-05-13 at 22:43 -0700, Ted Mittelstaedt wrote: > People post on this list every day of problems they are having with Cisco > equipment, then proceed to lambast various Cisco IOS revisions for breaking > things. 
> Well, how do I know that when someone reports X.Y.Z version of IOS is bad because it's making my router reboot all the time, that their router's not rebooting all the time because it's counterfeit? I don't. So, am I going to then base my decisions on whether to deploy X.Y.Z based on bad data? Are you? Are you happy doing this?
>
> If not, then shut up about the so-called "political counterfeiting" discussion. This is most definitely on topic.

Easy there, I was just asking whether people thought it was on topic. I didn't say that I disagree about what you explain, just that it tends towards politics, and that I personally think that politics shouldn't be a part of C-NSP. There are other forums for that.

I really can't see why you have to ask me to "shut up", but since you insist, I will find another place to hang out.

As a footnote: I agree about the fact that Cisco has some explaining to do about this issue. We have had customers who had to stop using some functioning GBICs, simply because Cisco decided that these *3Com* GBICs were "counterfeit". I know the "service unsupported-transceiver" can get around this, but that's a little like wearing a T-shirt saying "I'm a criminal". If a box explodes and there's a 3Com GBIC in it, then that's to blame according to Cisco TAC.

I'll leave it to you guys from here. It was nice while it lasted.
:-) Regards, Peter From K.J.Barrass at leeds.ac.uk Wed May 14 04:44:53 2008 From: K.J.Barrass at leeds.ac.uk (Kevin Barrass) Date: Wed, 14 May 2008 09:44:53 +0100 Subject: [c-nsp] IPv6 load testing In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B863504C7220C@exchange.aoihq.local> References: <9895BA85-AC40-4871-B801-43478CAAE40C@adhost.com> <2C05E949E19A9146AF7BDF9D44085B863504C7220C@exchange.aoihq.local> Message-ID: Cheers will try iperf out, just building 2 Linux PCs now as I type :0) Regards Kev -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Eric Van Tol Sent: 13 May 2008 17:33 To: Kevin Barrass; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] IPv6 load testing > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Kevin Barrass > Sent: Tuesday, May 13, 2008 10:07 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] IPv6 load testing > > > Hi > > We are looking to push IPv6 support on our network onto some Cisco > 4500's but as the supervisor we currently have doesn't support IPv6 in > hardware I want to load one of our test 4500s up with realistic IPv6 > Unicast traffic to see what impact it has on the switch. > > Does anyone know of any free software I can get to do this. 
> > Regards > > Kev iperf should do the job: http://dast.nlanr.net/Projects/Iperf/ -evt _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jj at powerset.com Wed May 14 05:04:00 2008 From: jj at powerset.com (Jonathan Crawford) Date: Wed, 14 May 2008 02:04:00 -0700 Subject: [c-nsp] Using same AS number In-Reply-To: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> References: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A21@EXVMBX015-1.exch015.msoutlookonline.net> You can specify "neighbor allowas-in" to bypass this check. I'd proceed carefully if using it... as you are defeating one of the loop detection mechanisms, filter well. -Jonathan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan Sent: Tuesday, May 13, 2008 11:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Using same AS number Hi all, As per BGP rule, that if a router sees its own AS in the path, it will filter them out of the prefixes. So if I have two locations with different providers and no direct connection to each other, what's the best way to be able to use the same AS and yet still sees the prefixes/routes? Thank you all in advance for the help. 
Regards,
Rudy

From p.mayers at imperial.ac.uk Wed May 14 05:05:41 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 14 May 2008 10:05:41 +0100
Subject: [c-nsp] Using same AS number
In-Reply-To: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com>
References: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com>
Message-ID: <482AAB65.6090205@imperial.ac.uk>

Rudy Setiawan wrote:
> Hi all,
>
> As per the BGP rule, if a router sees its own AS in the path, it will
> filter those prefixes out.
>
> So if I have two locations with different providers and no direct
> connection to each other, what's the best way to be able to use the
> same AS and yet still see the prefixes/routes?

use "allowas-in" i.e.:

router bgp xxxx
 neighbor a.b.c.d allowas-in 1

Beware; I've seen different behaviour on the Ciscos (where the command
*seems* to only be needed on eBGP peering - other iBGP peers just take
the routes) and Junipers (where the equivalent command[1] needs to be
present on all routers in your AS)

[1] On Juniper, you need:

protocols {
    bgp {
        local-as xxxx loops 3;
    }
}

>
> Thank you all in advance for the help.
>
> Regards,
> Rudy

From cisco-nsp at ibh.net Wed May 14 05:13:58 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Wed, 14 May 2008 11:13:58 +0200
Subject: [c-nsp] Interruptions when enabling "mls qos"
In-Reply-To: <1210667335.20768.5.camel@dusken.sys.mjna.net>
References: <1210667335.20768.5.camel@dusken.sys.mjna.net>
Message-ID: <20080514091358.GA11265@ibh.de>

Hi Peter,

On Tue, May 13, 2008 at 10:28:55AM +0200, Peter Rathlev wrote:
>
> We're preparing a service window and need to enable this on a few edge
> and distribution units, but we're unable to say exactly how much
> disturbance the network can expect, e.g. if this would down
> eBGP-sessions. Does anybody have any experience in this area?

Another possible source of disturbance might be that enabling just
"mls qos" (without pushing more QoS-related commands) will have the
switches default to TOS *nulling* while they were just transparently
passing the TOS bits before. This can lead to QoS problems on seemingly
unrelated paths that are congested and have proper QoS, but all of a
sudden don't get to see the correct DSCPs any longer. So push all the
relevant "mls qos trust dscp" or whatever commands you plan to roll out
before enabling "mls qos" globally (just in case you weren't aware of
this potential issue).

HTH,
Andre.
--
Real men don't make backups of their mail. They just send it out on the
Internet and let the secret services do the hard work.
-> Andre Beck +++ ABP-RIPE +++ IBH IT-Service GmbH, Dresden <-

From aaronis at people.net.au Wed May 14 07:04:34 2008
From: aaronis at people.net.au (Aaron R)
Date: Wed, 14 May 2008 19:04:34 +0800
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
Message-ID: <200805141105.m4EB5GhG076046@puck.nether.net>

I have heard of NetQoS.
Is this an appliance or a piece of software? Where does it run? The site
does not give much away.

Cheers,

Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
Sent: Tuesday, May 13, 2008 11:56 PM
To: Rick Martin
Cc: cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Prove it's not the network!

Two things might help.

1) Active performance monitoring

Set up iperf on both ends of your link. Periodically (e.g., for 30 seconds
every hour) burst as high as you can (large windows, etc.). Graph this
continually. That will show the actual capacity achievable. You can even
set up multiple client-server iperf pairs and use comparisons between them
to isolate problems to different network segments. See, for example:
http:ensight.eos.nasa.gov (this is custom, so you'd have to develop your
own :-)

2) Application performance monitoring

NetQoS has a sharp tool called SuperAgent (SA). SA installs in your data
center and can track performance from all clients to any specified
application (e.g., Outlook). What is neat about it is you don't have to
instrument the clients to be able to understand their performance - it is
all determined by examining the TCP traffic flow traversing the single
point where SA is installed. The reports break the performance down into
several segments, one of which is the network. This can eliminate the
network as a source of performance problems (if that is the case.)

I don't work for NetQoS, and there are other similar products.

Joe

"Rick Martin"
Sent by: cisco-nsp-bounces at puck.nether.net
05/13/2008 11:15 AM

To

cc

Subject
[c-nsp] Prove it's not the network!

I know this is not really a Cisco specific question but it is
definitely in support of Cisco hardware.

How do most of you folks prove that "the problem" is not the network?
We utilize CA Spectrum and eHealth for availability and statistical
analysis but in some instances that does not cut it. We don't typically
have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
Customers complain that their access is slow, we show that they are
using all available bandwidth and eventually sell them more bandwidth
and the problem is resolved.

The more difficult effort is when there is plenty of available
bandwidth and a particular application is slow (Outlook in the case I am
involved in now). This is a very high level political official and we
must come to a resolution. All tools we have available to us today
indicate that there is not a problem with the network. Typical
utilization on the T1 is about 500 to 600K peak during the day. Certain
management continues to point the finger at the network. We have used
Internet based speed tests that at times show less than 1.5Meg download
speeds, I explain the variables in the Internet and the particular tool
in use as well as local contention for the bandwidth etc to no avail,
once they see less than 1.5 meg speed the finger points to the network.
I still must somehow "prove" that the network is not the issue.

I am interested in an Internet speed test like tool to install at the
core of our network that would provide a sustained upload or download
test that would run for longer periods of time than a regular speed
test. I would like to fill the pipe while graphing in Ehealth or as part
of the selected tool to prove that the contracted bandwidth is available
in both directions.

Any recommendations for products would be appreciated. We are currently
looking at SolarWinds WAN Killer and a traffic generator from Omnicore
LanTraffic V2. I am also open to different "types" of solutions to point
to where the problem is actually located.
Thanks in advance for any suggestions

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems

From jcovini at free.fr Wed May 14 07:56:20 2008
From: jcovini at free.fr (jcovini at free.fr)
Date: Wed, 14 May 2008 13:56:20 +0200
Subject: [c-nsp] CVR-X2-SFP
Message-ID: <1210766180.482ad364a92cf@imp.free.fr>

Who can tell me whether the Twingig CVR-X2-SFP are supported in 6500
module WS-X6708-10G-3C ?

cheerios
Jerome Covini

From simon at slimey.org Wed May 14 08:13:17 2008
From: simon at slimey.org (Simon Lockhart)
Date: Wed, 14 May 2008 13:13:17 +0100
Subject: [c-nsp] CVR-X2-SFP
In-Reply-To: <1210766180.482ad364a92cf@imp.free.fr>
References: <1210766180.482ad364a92cf@imp.free.fr>
Message-ID: <20080514121317.GW10920@virtual.bogons.net>

On Wed May 14, 2008 at 01:56:20PM +0200, jcovini at free.fr wrote:
> Who can tell me whether the Twingig CVR-X2-SFP are supported in 6500 module
> WS-X6708-10G-3C ?

No - they depend on an additional connector at the back of the slot which
is only in the 3750E etc boxes.
Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From lobo at allstream.net Wed May 14 08:26:00 2008
From: lobo at allstream.net (Jose)
Date: Wed, 14 May 2008 08:26:00 -0400
Subject: [c-nsp] Label swapping on 7600 ethernet line cards
In-Reply-To: <1210698257.28239.3.camel@dusken.sys.mjna.net>
References: <4829BEFA.4000809@allstream.net> <1210698257.28239.3.camel@dusken.sys.mjna.net>
Message-ID: <482ADA58.1080901@allstream.net>

Peter Rathlev wrote:
> Hi Jose,
>
> On Tue, 2008-05-13 at 12:16 -0400, Jose wrote:
>
>> It was recently brought to my attention from a colleague that certain
>> Ethernet line cards for the 7600 platform do not support label
>> swapping. We currently have WS-X6148-GE-TX line cards and we are
>> planning on upgrading them due to their lack of jumbo frame support. We
>> were looking at the WS-X6148A-GE-TX since it has jumbo frame support but
>> now the concern is whether this card will be able to swap labels. Can't
>> find any mention of this on CCO.
>>
>
> It does MPLS fine, both imposition/deposition and swapping. When using
> PFC MPLS any LAN card can be used. Be aware though that PFC MPLS is
> limited in some (many?) ways, so you can't do anything REALLY fancy. :-)
>
> We had four WS-X6148A-GE-TX in production until recently. They may have
> jumbo frame support, but they are oversubscribed and not really useful
> for core links. (They're sold as "wiring closet" cards.)
>
> Regards,
> Peter
>
> __________ NOD32 3096 (20080513) Information __________
>
> This message was checked by NOD32 antivirus system.
> http://www.eset.com

Thanks everyone for the information.
Jose

From cwhitten at metronetsys.com Wed May 14 08:43:53 2008
From: cwhitten at metronetsys.com (Chad Whitten)
Date: Wed, 14 May 2008 07:43:53 -0500
Subject: [c-nsp] vlan tagging question
Message-ID: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com>

I have a non-cisco access device connecting to a cisco 3750 via gigE.
The 3750 interface is set for 802.1q trunking with two vlans - 100 and
201. Vlan 201 is the native vlan on the cisco interface. Should the
access device be tagging packets on vlan 201 or leaving them untagged?

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From jcartier at acs.on.ca Wed May 14 08:50:21 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 14 May 2008 08:50:21 -0400
Subject: [c-nsp] vlan tagging question
In-Reply-To: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com>
Message-ID:

If the device is incapable of understanding IEEE 802.1Q then it will not
be able to recognize and interpret the tagged frames, and will only
understand the native/untagged vlans. It should only be communicating
on the native vlan.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chad Whitten
Sent: Wednesday, May 14, 2008 8:44 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vlan tagging question

I have a non-cisco access device connecting to a cisco 3750 via gigE.
The 3750 interface is set for 802.1q trunking with two vlans - 100 and
201. Vlan 201 is the native vlan on the cisco interface. Should the
access device be tagging packets on vlan 201 or leaving them untagged?
--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From r.nevot at gmail.com Wed May 14 08:58:55 2008
From: r.nevot at gmail.com (Raul Lopez Nevot)
Date: Wed, 14 May 2008 14:58:55 +0200
Subject: [c-nsp] PIX questions
In-Reply-To: <1A9866F953006D45AEE0166066114E090F701C3E@TPMAIL02.corp.theplatform.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> <1A9866F953006D45AEE0166066114E090F701C3E@TPMAIL02.corp.theplatform.com>
Message-ID:

I'm sure you can have identity nat for two machines and PAT for others.
You must combine static commands with alias commands:

static (dmz,outside) publicip privateip netmask 255.255.255.255
alias (outside) privateip publicip 255.255.255.255

and then you can do PAT for other addresses with nat and access-list
commands:

access-list rest-of-machines permit ip host privateip2 any
nat (dmz) 10 access-list rest-of-machines
global (outside) 10 (ip for PAT or interface)

It's always a good practice to control nat commands with access-lists
and avoid the nat (interface) group IP mask, because you can have more
granularity on how to NAT/PAT connections

On Mon, May 12, 2008 at 9:31 PM, Gregori Parker wrote:
> The alias command still seems usable in 7.2, but I tried this in my
> scenario and it didn't affect anything (also tried the 'dns doctoring'
> and 'hairpinning' solutions)
>

From cwhitten at metronetsys.com Wed May 14 09:10:22 2008
From: cwhitten at metronetsys.com (Chad Whitten)
Date: Wed, 14 May 2008 08:10:22 -0500
Subject: [c-nsp] vlan tagging question
In-Reply-To:
References: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com>
Message-ID:
<13bf195a0805140610l6efb7186oba708923d3341684@mail.gmail.com>

Thanks for the reply.

The device can understand 802.1q and can tag/untag frames. The cisco
is outside my control and I have very little experience with the
native vlan setting. My thinking is that the cisco config should be
something like

switchport mode trunk
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 100,201
(some of that syntax may not be correct)

and that if I am doing tagging on the access device, the native vlan
part of the config is not needed

On Wed, May 14, 2008 at 7:50 AM, Jeff Cartier wrote:
> If the device is incapable of understanding IEEE 802.1Q then it will not
> be able to recognize and interpret the tagged frames, and will only
> understand the native/untagged vlans. It should only be communicating
> on the native vlan.
>
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chad Whitten
> Sent: Wednesday, May 14, 2008 8:44 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] vlan tagging question
>
> I have a non-cisco access device connecting to a cisco 3750 via gigE.
> The 3750 interface is set for 802.1q trunking with two vlans - 100 and
> 201. Vlan 201 is the native vlan on the cisco interface. Should the
> access device be tagging packets on vlan 201 or leaving them untagged?
>
> --
> Chad Whitten
> Metro Network Solutions
> (601) 366-6630 Phone
> (601) 366-6066 Fax
> (601) 842-6804 Cellular
> cwhitten at metronetsys.com
>

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From eric at atlantech.net Wed May 14 09:28:46 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Wed, 14 May 2008 09:28:46 -0400
Subject: [c-nsp] vlan tagging question
In-Reply-To: <13bf195a0805140610l6efb7186oba708923d3341684@mail.gmail.com>
References: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com> <13bf195a0805140610l6efb7186oba708923d3341684@mail.gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B863504C7221B@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Chad Whitten
> Sent: Wednesday, May 14, 2008 9:10 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] vlan tagging question
>
> Thanks for the reply.
>
> The device can understand 802.1q and can tag/untag frames. The cisco
> is outside my control and I have very little experience with the
> native vlan setting. My thinking is that the cisco config should be
> something like
>
> switchport mode trunk
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 100,201
> (some of that syntax may not be correct)
>
> and that if I am doing tagging on the access device, the native vlan
> part of the config is not needed
>

Only seeing this part of the config, the switch will tag both 100 and
201 and allow these over the trunk.
Whether or not 201 is *actually* tagged, I believe, depends on if the
"vlan dot1q tag native" setting is configured on the Cisco *and* if
"switchport trunk native vlan 201" is configured.

-evt

From jared at puck.nether.net Wed May 14 10:10:20 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 14 May 2008 10:10:20 -0400
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <482AEF47.90802@hiddenone.net>
References: <482AEF47.90802@hiddenone.net>
Message-ID:

On May 14, 2008, at 9:55 AM, Chris Burwel wrote:

> Ted Mittelstaedt wrote:
>>>
>>> And if it is being injected at the source, where is it being made, and by
>>> whom? Is it being made in the same factories that make the non-counterfeit
>>> stuff? Using the same machinery, same dies, same tools, same people? If
>>> so, then why would it be inferior?
>>>
> Unfortunately, I think this is the case. With the backing of the Chinese
> government, I think it's very possible that the same factories, people,
> and equipment are being used to create the counterfeit Cisco equipment.
>
> I agree with you on getting solid proof from Cisco. The few articles I
> have read on this issue seem to provide very little evidence as to what
> negative effects the counterfeit equipment might have. There are reports
> claiming that malware can be embedded into the equipment at the factory
> to snoop on your network. With no evidence to back that, this seems like
> little more than a scare tactic.

I think this is something that is hard to prove. Unless you have some
personalized loss eg: theft of your own data, or company secrets, how do
you determine that the 55% savings you got from the used, NIB, or surplus
equipment is authentic. Perhaps there is nothing nefarious other than
concerns about protecting their brand name should the parts become sub-par.
There may be other users that are happy to pay a premium to know their
equipment is authentic, for example those in the defense or intelligence
community. There will always be someone who wants the price advantage, be
it in hardware acquisition costs or elsewhere. I recall when some local
ISPs would utilize the ISA and PCI T1 cards because it was cheaper than
one of those "expensive" 2500 routers. Over time they came to the
realization that while the PC setup would work, it also required more
care and feeding over a longer time.

If you know the risk(s) you are taking, go ahead and get the equipment.
If folks are improperly labeling it and marketing it to you, even if it
comes from reputable places, go back to them or go to law enforcement.

I just wish it was a bit easier to sort out the heritage of some of the
equipment. If I buy a discontinued IP Phone from eBay for my home, I
want to know it wasn't stolen. This process isn't easy. It's also hard
to validate a "sticker" when I could print 5000 of them myself with the
exact same S/N and slap them on some cheap clone.

I do wish the silliness with stuff like the CF, memory and optics (gbic,
sfp, etc..) could be better dealt with.

- Jared

From tahir.uddin at alliancebernstein.com Wed May 14 10:16:37 2008
From: tahir.uddin at alliancebernstein.com (Uddin, Tahir)
Date: Wed, 14 May 2008 10:16:37 -0400
Subject: [c-nsp] WDM equipment
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net>
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID: <1E79A7919A9B16468E407A8DEAB65A43047759AE@METROEVS3.ac.lp.acml.com>

Adva WDM equipment has worked well for us in the past.
Also take a look at Ciena 4500, low cost, lots of flexibility on their
modules.
Tahir

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonathan Crawford
Sent: Wednesday, May 14, 2008 3:35 AM
To: frnkblk at iname.com; 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WDM equipment

There is also bti photonics... never used any of their active gear, but
I'm very happy with their passive stuff.

Jonathan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iNAME
Sent: Tuesday, May 13, 2008 10:56 PM
To: 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] WDM equipment

You've hit the main two vendors, you might also want to look at gear from
Transmode, Nortel, or XKL, too.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik Jacobsson
Sent: Tuesday, May 13, 2008 9:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WDM equipment

Greetings.

I'm looking into WDM-equipment to save fiber costs. Using ethernet and
fibrechannel, mainly Cisco and Brocade.

Is there anyone here with experience with equipment from Adva or Mrv?

Happy?
Thanks
/Fredrik

-----------------------------------------
The information contained in this transmission may be privileged and
confidential and is intended only for the use of the person(s) named
above. If you are not the intended recipient, or an employee or agent
responsible for delivering this message to the intended recipient, any
review, dissemination, distribution or duplication of this communication
is strictly prohibited. If you are not the intended recipient, please
contact the sender immediately by reply e-mail and destroy all copies of
the original message. Please note that we do not accept account orders
and/or instructions by e-mail, and therefore will not be responsible for
carrying out such orders and/or instructions. If you, as the intended
recipient of this message, the purpose of which is to inform and update
our clients, prospects and consultants of developments relating to our
services and products, would not like to receive further e-mail
correspondence from the sender, please "reply" to the sender indicating
your wishes. In the U.S.: 1345 Avenue of the Americas, New York, NY 10105.

From jloiacon at csc.com Wed May 14 10:51:49 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Wed, 14 May 2008 10:51:49 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <200805141102.m4EB2r1X024270@amer-mta101.csc.com>
Message-ID:

NetQoS SA is an appliance. It can be placed anywhere but typically
connects to a data center switch and aggregate ports are SPAN'd to it.

Among other graphs which are also valuable, the key ones for exonerating
the network fall into the Server Response Time group. Here you will get
four individual graphs and one composite of the four. The transactions
are broken down into four components:

Network RTT
Retransmission time
Data Transfer time
Server Response time

In a particular problem we were looking at, the Data Transfer and Server
Response times radically dominated the composite graph. From this
information, the problem was isolated to the internal client-server
interaction of a web-portal load balancing application. The network was
exonerated :-)

Might be a similar situation for the Outlook configuration as an earlier
post mentioned.

Joe

"Aaron R" wrote on 05/14/2008 07:04:34 AM:

> I have heard of NetQoS. Is this an appliance or a piece of software? Where
> does it run? The site does not give much away.
>
> Cheers,
>
> Aaron.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> Sent: Tuesday, May 13, 2008 11:56 PM
> To: Rick Martin
> Cc: cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Prove it's not the network!
>
> Two things might help.
>
> 1) Active performance monitoring
>
> Set up iperf on both ends of your link. Periodically (e.g., for 30 seconds
> every hour) burst as high as you can (large windows, etc.). Graph this
> continually. That will show the actual capacity achievable. You can even
> set up multiple client-server iperf pairs and use comparisons between them
> to isolate problems to different network segments.
> See, for example:
> http:ensight.eos.nasa.gov (this is custom, so you'd have to develop your
> own :-)
>
> 2) Application performance monitoring
>
> NetQoS has a sharp tool called SuperAgent (SA). SA installs in your data
> center and can track performance from all clients to any specified
> application (e.g., Outlook). What is neat about it is you don't have to
> instrument the clients to be able to understand their performance - it is
> all determined by examining the TCP traffic flow traversing the single point
> where SA is installed. The reports break the performance down into several
> segments, one of which is the network. This can eliminate the network as a
> source of performance problems (if that is the case.)
>
> I don't work for NetQoS, and there are other similar products.
>
> Joe
>
> "Rick Martin"
> Sent by: cisco-nsp-bounces at puck.nether.net
> 05/13/2008 11:15 AM
>
> To
>
> cc
>
> Subject
> [c-nsp] Prove it's not the network!
>
> I know this is not really a Cisco specific question but it is
> definitely in support of Cisco hardware.
>
> How do most of you folks prove that "the problem" is not the network?
> We utilize CA Spectrum and eHealth for availability and statistical
> analysis but in some instances that does not cut it. We don't typically
> have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
> Customers complain that their access is slow, we show that they are
> using all available bandwidth and eventually sell them more bandwidth
> and the problem is resolved.
>
> The more difficult effort is when there is plenty of available
> bandwidth and a particular application is slow (Outlook in the case I am
> involved in now). This is a very high level political official and we
> must come to a resolution. All tools we have available to us today
> indicate that there is not a problem with the network. Typical
> utilization on the T1 is about 500 to 600K peak during the day.
> Certain
> management continues to point the finger at the network. We have used
> Internet based speed tests that at times show less than 1.5Meg download
> speeds, I explain the variables in the Internet and the particular tool
> in use as well as local contention for the bandwidth etc to no avail,
> once they see less than 1.5 meg speed the finger points to the network.
> I still must somehow "prove" that the network is not the issue.
>
> I am interested in an Internet speed test like tool to install at the
> core of our network that would provide a sustained upload or download
> test that would run for longer periods of time than a regular speed
> test. I would like to fill the pipe while graphing in Ehealth or as part
> of the selected tool to prove that the contracted bandwidth is available
> in both directions.
>
> Any recommendations for products would be appreciated. We are currently
> looking at SolarWinds WAN Killer and a traffic generator from Omnicore
> LanTraffic V2. I am also open to different "types" of solutions to point
> to where the problem is actually located.
>
> Thanks in advance for any suggestions
>
> Rick Martin
> Network Engineer
> State of Arkansas, Department of Information Systems
>

From marcelo_veriato at sicredi.com.br Wed May 14 11:17:35 2008
From: marcelo_veriato at sicredi.com.br (Marcelo Veriato Lima)
Date: Wed, 14 May 2008 12:17:35 -0300
Subject: [c-nsp] WDM equipment
In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A43047759AE@METROEVS3.ac.lp.acml.com>
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net> <1E79A7919A9B16468E407A8DEAB65A43047759AE@METROEVS3.ac.lp.acml.com>
Message-ID: <482B028F.6050807@sicredi.com.br>

Padtec, www.padtec.com.br
low cost, very secure, optical route protection, transceiver protection
and more.

Uddin, Tahir wrote:
> Adva WDM equipment has worked well for us in the past.
> Also take a look at Ciena 4500, low cost, lots of flexibility on their
> modules.
>
> Tahir
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jonathan
> Crawford
> Sent: Wednesday, May 14, 2008 3:35 AM
> To: frnkblk at iname.com; 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] WDM equipment
>
> There is also bti photonics... never used any of their active gear, but
> I'm very happy with their passive stuff.
> > Jonathan > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - > iNAME > Sent: Tuesday, May 13, 2008 10:56 PM > To: 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] WDM equipment > > You've hit the main two vendors, you might also want to look at gear > from > Transmode, Nortel, or XKL, too. > > Frank > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik > Jacobsson > Sent: Tuesday, May 13, 2008 9:45 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] WDM equipment > > Greetings. > > I'm looking into WDM-equipment to save fiber costs. Using ethernet and > fibrechannel, mainly Cisco and Brocade. > > Are there anyone here with experience with equipment from Adva or Mrv? > > Happy? > > Thanks > /Fredrik > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > ----------------------------------------- > The information contained in this transmission may be privileged and > confidential and is intended only for the use of the person(s) named > above. 
If you are not the intended recipient, or an employee or agent responsible > for delivering this message to the intended recipient, any review, dissemination, > distribution or duplication of this communication is strictly prohibited. If you are > not the intended recipient, please contact the sender immediately by reply e-mail > and destroy all copies of the original message. Please note that we do not accept > account orders and/or instructions by e-mail, and therefore will not be responsible > for carrying out such orders and/or instructions. If you, as the intended recipient > of this message, the purpose of which is to inform and update our clients, prospects > and consultants of developments relating to our services and products, would not > like to receive further e-mail correspondence from the sender, please "reply" to the > sender indicating your wishes. In the U.S.: 1345 Avenue of the Americas, New York, > NY 10105. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > -- Marcelo Veriato Lima Network and Telecommunications Analyst Network and Telecommunications Infrastructure Telematics - Confederação SICREDI +55 (51) 3358-8355 http://www.sicredi.com.br The information contained in this e-mail and in the attached files may be confidential or privileged. If you are not the intended recipient, delete the contents of this message and notify the sender immediately. From bbuchana at nexicomgroup.net Wed May 14 10:48:23 2008 From: bbuchana at nexicomgroup.net (Bruce Buchanan) Date: Wed, 14 May 2008 10:48:23 -0400 Subject: [c-nsp] WDM equipment In-Reply-To: References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com> Message-ID: <89D27DE3375BB6428DDCC2927489826A0148FA38@nexus.nexicomgroup.net> I use some Transmode gear and have been quite happy with it.
Bruce Bruce Buchanan Senior Network Technician Nexicom 5 King St. E., Millbrook, ON, LOA 1GO Phone: 705-932-4147 Cell: 705-750-7705 Web: http://www.nexicom.net Nexicom - Connected. Naturally. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Frank Bulk - iNAME Sent: May-14-08 1:56 AM To: 'Fredrik Jacobsson'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] WDM equipment You've hit the main two vendors, you might also want to look at gear from Transmode, Nortel, or XKL, too. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik Jacobsson Sent: Tuesday, May 13, 2008 9:45 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] WDM equipment Greetings. I'm looking into WDM-equipment to save fiber costs. Using ethernet and fibrechannel, mainly Cisco and Brocade. Are there anyone here with experience with equipment from Adva or Mrv? Happy? 
Thanks /Fredrik _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From psirt at cisco.com Wed May 14 10:56:24 2008 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 14 May 2008 10:56:24 -0400 Subject: [c-nsp] Cisco Security Advisory: Cisco Content Switching Module Memory Leak Vulnerability Message-ID: <200805141056.csm@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Content Switching Module Memory Leak Vulnerability Advisory ID: cisco-sa-20080514-csm http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml Revision 1.0 For Public Release 2008 May 14 1600 UTC (GMT) Summary ======= The Cisco Content Switching Module (CSM) and Cisco Content Switching Module with SSL (CSM-S) contain a memory leak vulnerability that can result in a denial of service condition. The vulnerability exists when the CSM or CSM-S is configured for layer 7 load balancing. An attacker can trigger this vulnerability when the CSM or CSM-S processes TCP segments with a specific combination of TCP flags while servers behind the CSM/CSM-S are overloaded and/or fail to accept a TCP connection. Cisco has released free software updates that address this vulnerability. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. Affected Products ================= Vulnerable Products +------------------ The Cisco CSM and Cisco CSM-S are affected by the vulnerability described in this document if they are running an affected software version and are configured for layer 7 load balancing. 
The following versions of the Cisco CSM software are affected by this vulnerability: 4.2(3), 4.2(3a), 4.2(4), 4.2(5), 4.2(6), 4.2(7), and 4.2(8). The following versions of the Cisco CSM-S software are also affected by this vulnerability: 2.1(2), 2.1(3), 2.1(4), 2.1(5), 2.1(6), and 2.1(7). To determine the software version in use by the CSM or CSM-S, log into the supervisor of the chassis that hosts the CSM or CSM-S modules and issue the command "show module version" (Cisco IOS) or "show version" (Cisco CatOS). CSM modules will display as model "WS-X6066-SLB-APC", CSM-S modules will display as model "WS-X6066-SLB-S-K9", and the software version will be indicated next to the "Sw:" label. Note that the output from "show module version" (for Cisco IOS) is slightly different from the output from "show version" (for Cisco CatOS). However, in both cases the model names will read as previously described, and the software version will be easily identified by looking for the "Sw:" label. The following example shows a CSM in slot number 4 running software version 4.2(3):

switch>show module version
Mod Port Model              Serial #    Versions
--- ---- ------------------ ----------- -------------------------------------
  1    3 WS-SVC-AGM-1-K9    SAD092601W5 Hw : 1.0
                                        Fw : 7.2(1)
                                        Sw : 5.0(3)
  2    6 WS-SVC-FWM-1       SAD093200X8 Hw : 3.0
                                        Fw : 7.2(1)
                                        Sw : 3.2(3)1
  3    8 WS-SVC-IDSM-2      SAD0932089Z Hw : 5.0
                                        Fw : 7.2(1)
                                        Sw : 5.1(6)E1
  4    4 WS-X6066-SLB-APC   SAD093004BD Hw : 1.7
                                        Fw :
                                        Sw : 4.2(3)
  5    2 WS-SUP720-3B       SAL0934888E Hw : 4.4
                                        Fw : 8.1(3)
                                        Sw : 12.2(18)SXF11
                                        Sw1: 8.6(0.306)R3V15
       WS-SUP720            SAL09348488 Hw : 2.3
                                        Fw : 12.2(17r)S2
                                        Sw : 12.2(18)SXF11
       WS-F6K-PFC3B         SAL0934882R Hw : 2.1

A Cisco CSM or CSM-S is configured for layer 7 load balancing if one or more layer 7 Server Load Balancing (SLB) policies are referenced in the configuration of a virtual server. There are six possible types of SLB policies: "client-group", "cookie-map", "header-map", "reverse-sticky", "sticky-group", and "url-map".
Of these, the "client-group" policy type is always a layer 4 policy. The remaining policy types are layer 7 policies and, if used, would render a device affected by the vulnerability described in this document. The following example shows a CSM module that is configured for layer 7 load balancing. Note the SLB policy "TEST-SPORTS-50", which uses "url-map" and "header-map" layer 7 policies, and that is applied to the virtual server named "WEB":

module ContentSwitchingModule 5
[...]
!
 policy TEST-SPORTS-50
  url-map SPORTS
  header-map TEST
  client-group 50
  serverfarm WEBFARM2
!
 vserver WEB
  virtual 10.20.221.100 tcp www
  serverfarm WEBFARM
  persistent rebalance
  slb-policy TEST-SPORTS-50
  inservice

Products Confirmed Not Vulnerable
+--------------------------------

Only Cisco CSM modules running indicated 4.2 versions are affected by this vulnerability. CSM software versions 4.1, 3.2 and 3.1 are not affected by this vulnerability. Cisco CSM-S modules running indicated 2.1 versions are the only vulnerable versions of software for that product. Cisco CSM and CSM-S modules that are not configured for layer 7 load balancing are not affected by this vulnerability. The Cisco IOS SLB feature is not affected by this vulnerability. No other Cisco products are currently known to be affected by this vulnerability. The Cisco Secure Content Accelerator is not affected by this vulnerability.

Details
=======

The Cisco CSM is an integrated SLB line card for the Catalyst 6500 and 7600 Series that is designed to enhance the response time for client traffic to end points including servers, caches, firewalls, Secure Sockets Layer (SSL) devices, and VPN termination devices. The Cisco CSM-S combines high-performance SLB with SSL offload. The CSM-S is similar to the CSM; however, unlike the CSM, the CSM-S can terminate and initiate SSL-encrypted traffic. This ability allows the CSM-S to perform intelligent load balancing while ensuring secure end-to-end encryption.
A memory leak vulnerability exists in some versions of the software for the Cisco CSM and Cisco CSM-S when the CSM or CSM-S is configured for layer 7 load balancing (see the "Vulnerable Products" section for configuration details). The memory leak is triggered when the CSM or CSM-S processes TCP segments with a specific combination of TCP flags and fails to make a load balancing decision because servers behind the CSM/CSM-S are overloaded and/or fail to accept a TCP connection. The memory leak can be detected by issuing the command "show module ContentSwitchingModule tech-support all | include Outstanding" on the supervisor and checking the command output for a high number of outstanding buffers as seen in the following example:

switch#show module ContentSwitchingModule 10 tech-support all | include Outstanding
Outstanding slowpath(low pri) buffers              0          0
Outstanding slowpath(high pri) buffers             0          0
Outstanding blocks                                 0          0
Outstanding small buffers                          0          0
Outstanding medium buffers                       823          0
Outstanding large buffers                          0          0
Outstanding sessions                               0          0
Outstanding Closes                                 0          0
Close Relinquish Outstanding                       0

Because small, medium, and large buffers can be affected by the memory leak, administrators are advised to check the number of these buffers in the output from the preceding command to accurately detect a memory leak condition. This vulnerability is documented in Cisco Bug ID CSCsl40722 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-1749.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score.
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html. Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* CSM: Potential buffer loss with irregular client streams (CSCsl40722)

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of this vulnerability against a system running a vulnerable version of the Cisco CSM or the Cisco CSM-S software may cause the CSM or CSM-S to stop passing traffic. Repeated attacks may result in a prolonged DoS condition, which could affect the services that are offered by the end point devices behind the CSM or CSM-S. Note that the supervisor or any other non-CSM or non-CSM-S service module in the same chassis of the Catalyst 6500 switch or 7600 Series router that hosts the CSM or CSM-S will not be affected by this vulnerability.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.
This vulnerability is fixed in version 4.2.9 of the Cisco CSM software, and in version 2.1.8 of the Cisco CSM-S software. CSM software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csm?psrtdcat20e2. Information on how to upgrade the CSM software is available at http://www.cisco.com/en/US/products/hw/modules/ps2706/products_tech_note09186a0080094526.shtml. CSM-S software can be downloaded from http://www.cisco.com/pcgi-bin/tablebuild.pl/cat6000-csms?psrtdcat20e2. Information on how to upgrade the CSM-S software is available at http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/csms/2.1.1/configuration/guide/getstart.html#wp1041858. Workarounds =========== There are no workarounds for this vulnerability. When the Cisco CSM or Cisco CSM-S has run out of memory it will simply stop passing traffic and it will have to be reloaded. The CSM and CSM-S can be reloaded via the command "hw-module module reset" (Cisco IOS) or via the command "reset " (Cisco CatOS) from the privileged EXEC prompt of the supervisor. There is no need to reload the supervisor. Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. 
Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. 
Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. This vulnerability was discovered during the investigation of customer support cases. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20080514-csm.shtml. In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. 
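The two checks the advisory above describes in prose, as an added example that is not Cisco's code and not part of the advisory: parse "show module version" for a CSM or CSM-S running an affected release, and parse the "tech-support all | include Outstanding" output for a buffer pool that is climbing. The sample outputs are constructed from the advisory's own examples; the 500-buffer threshold is an assumption, since the advisory only says "a high number", and the right reference is a baseline taken from a healthy module.

```python
"""Checks for cisco-sa-20080514-csm (CSCsl40722 / CVE-2008-1749).
Added example, not Cisco's code: (1) find CSM / CSM-S modules on an affected
software version in `show module version` output; (2) read the
"Outstanding ... buffers" counters from the tech-support output and flag a
small/medium/large pool that looks like it is leaking."""
import re

# Affected and first fixed versions, as listed in the advisory.
AFFECTED = {
    "WS-X6066-SLB-APC": {"4.2(3)", "4.2(3a)", "4.2(4)", "4.2(5)",     # CSM
                         "4.2(6)", "4.2(7)", "4.2(8)"},
    "WS-X6066-SLB-S-K9": {"2.1(2)", "2.1(3)", "2.1(4)", "2.1(5)",     # CSM-S
                          "2.1(6)", "2.1(7)"},
}
FIXED = {"WS-X6066-SLB-APC": "4.2(9)", "WS-X6066-SLB-S-K9": "2.1(8)"}

# Module row: optional "slot port" columns, model, serial, then "Hw :".
# Sub-rows under a slot (e.g. WS-SUP720, WS-F6K-PFC3B) have no slot/port columns.
MODULE_RE = re.compile(r"^\s*(?:(\d+)\s+\d+\s+)?(WS-\S+)\s+(\S+)\s+Hw\s*:")
SW_RE = re.compile(r"^\s*Sw\s*:\s*(\S+)")   # does not match "Sw1:"


def parse_module_version(text):
    """Return [(slot, model, sw)] from IOS `show module version` output.
    Hw/Fw/Sw follow each module row on their own lines; the first "Sw :"
    after a row is that module's version. A sub-row inherits the slot of
    the row above it; a row with no "Sw :" line gets sw=None."""
    modules, slot = [], None
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            if m.group(1):
                slot = int(m.group(1))
            modules.append([slot, m.group(2), None])
            continue
        s = SW_RE.match(line)
        if s and modules and modules[-1][2] is None:
            modules[-1][2] = s.group(1)
    return [tuple(m) for m in modules]


def affected_modules(text):
    """Return [(slot, model, sw, fixed)] for CSM/CSM-S rows on an affected version."""
    return [(slot, model, sw, FIXED[model])
            for slot, model, sw in parse_module_version(text)
            if model in AFFECTED and sw in AFFECTED[model]]


OUTSTANDING_RE = re.compile(
    r"^\s*Outstanding\s+(small|medium|large)\s+buffers\s+(\d+)\s+(\d+)")


def leaking_pools(text, threshold=500):
    """Return {pool: count} for small/medium/large pools whose outstanding
    count (either column) is at or above `threshold`. The advisory only
    says "a high number", so the default is an assumption for this example;
    tune it against a baseline from a healthy module."""
    pools = {}
    for line in text.splitlines():
        m = OUTSTANDING_RE.match(line)
        if m:
            count = max(int(m.group(2)), int(m.group(3)))
            if count >= threshold:
                pools[m.group(1)] = count
    return pools


# Sample outputs, constructed from the examples in the advisory.
SAMPLE_SHOW_MODULE_VERSION = """\
Mod Port Model              Serial #    Versions
--- ---- ------------------ ----------- -------------------------------------
  4    4 WS-X6066-SLB-APC   SAD093004BD Hw : 1.7
                                        Fw :
                                        Sw : 4.2(3)
  5    2 WS-SUP720-3B       SAL0934888E Hw : 4.4
                                        Fw : 8.1(3)
                                        Sw : 12.2(18)SXF11
                                        Sw1: 8.6(0.306)R3V15
       WS-SUP720            SAL09348488 Hw : 2.3
                                        Fw : 12.2(17r)S2
                                        Sw : 12.2(18)SXF11
       WS-F6K-PFC3B         SAL0934882R Hw : 2.1
"""
SAMPLE_TECH_SUPPORT = """\
Outstanding slowpath(low pri) buffers     0     0
Outstanding slowpath(high pri) buffers    0     0
Outstanding blocks                        0     0
Outstanding small buffers                 0     0
Outstanding medium buffers              823     0
Outstanding large buffers                 0     0
Outstanding sessions                      0     0
Close Relinquish Outstanding              0
"""

if __name__ == "__main__":
    for slot, model, sw, fixed in affected_modules(SAMPLE_SHOW_MODULE_VERSION):
        print(f"slot {slot}: {model} {sw} affected by CSCsl40722, upgrade to {fixed}")
    for pool, n in leaking_pools(SAMPLE_TECH_SUPPORT).items():
        print(f"{n} outstanding {pool} buffers: possible leak, schedule a reset")
```

Run it against saved output of the two commands from each chassis. Because the advisory offers no workaround other than resetting the module once it has stopped forwarding, the buffer check is worth polling on a schedule so the reset can be planned rather than forced.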
Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2008-May-14 | Initial public release        |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
All contents are Copyright (C) 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: May 14, 2008 Document ID: 105450

+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFIKvyq86n/Gc8U/uARAknKAJ4h3Cv1kvEwebcrqEaYQ8J+AWcfvACggljK
o0g1JsSfpI6hXBtkEYmWJj4=
=B29t
-----END PGP SIGNATURE-----

From rudal at online.rudal.com Wed May 14 12:26:20 2008 From: rudal at online.rudal.com (Rudy Setiawan) Date: Wed, 14 May 2008 09:26:20 -0700 Subject: [c-nsp] Using same AS number In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A21@EXVMBX015-1.exch015.msoutlookonline.net> References: <79b6f8780805132336m7b661b6amb4e989f7cf9d7a9@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A21@EXVMBX015-1.exch015.msoutlookonline.net> Message-ID: <79b6f8780805140926m1639796dg421dbca6ff2aab51@mail.gmail.com> Thank you guys. I think I am going to try the allowas-in and see how it goes. :) Regards, Rudy On Wed, May 14, 2008 at 2:04 AM, Jonathan Crawford wrote: > You can specify "neighbor allowas-in" to bypass this check.
I'd proceed carefully if using it... as you are defeating one of the loop detection mechanisms, filter well. > > -Jonathan > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rudy Setiawan > > Sent: Tuesday, May 13, 2008 11:36 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Using same AS number > > > > Hi all, > > As per BGP rule, that if a router sees its own AS in the path, it will > filter them out of the prefixes. > > So if I have two locations with different providers and no direct > connection to each other, what's the best way to be able to use the > same AS and yet still sees the prefixes/routes? > > Thank you all in advance for the help. > > Regards, > Rudy > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From psirt at cisco.com Wed May 14 12:15:00 2008 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wednesday, 14 May 2008 11:15:00 -0500 Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities Message-ID: <200805141115.cucmdos@psirt.cisco.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities Advisory ID: cisco-sa-20080514-cucmdos Revision 1.0 +--------------------------------------------------------------------- Summary ======= Cisco Unified Communications Manager, formerly Cisco CallManager, contains multiple denial of service (DoS) vulnerabilities that may cause an interruption in voice services, if exploited. These vulnerabilities were discovered internally by Cisco. 
The following Cisco Unified Communications Manager services are affected: * Certificate Trust List (CTL) Provider * Certificate Authority Proxy Function (CAPF) * Session Initiation Protocol (SIP) * Simple Network Management Protocol (SNMP) Trap Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available. This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml. Affected Products ================= Vulnerable Products +------------------ These products are vulnerable: * Cisco Unified CallManager 4.1 versions prior to 4.1.3SR7 * Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4 * Cisco Unified Communications Manager 4.3 versions prior to 4.3(2) * Cisco Unified Communications Manager 5.x versions prior to 5.1(3) * Cisco Unified Communications Manager 6.x versions prior to 6.1(1) Administrators of systems running Cisco Unified Communications Manager version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager Administration interface. Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI). Products Confirmed Not Vulnerable +-------------------------------- Cisco Unified Communications Manager Express is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. 
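The "versions prior to" rule in the Vulnerable Products list above, as an added example that is not Cisco's code and not part of the advisory: a parser for CUCM version strings in both notations the advisory uses, "4.1.3SR7" and "4.1(3)SR7", and a comparison against the first fixed release of each train. The trains and fixed versions are taken from the advisory; the ordering rule (major, minor, maintenance, then SR, with a missing field treated as 0) is an assumption about how these releases are ordered.

```python
"""Version check for cisco-sa-20080514-cucmdos.
Added example, not Cisco's code. Parses Cisco Unified Communications
Manager version strings in either notation the advisory uses ("4.1.3SR7"
or "4.1(3)SR7") and compares them against the first fixed release of each
train listed under Vulnerable Products."""
import re

# (train prefix, first release carrying fixes for every bug in the advisory)
FIXED_BY_TRAIN = [
    ((4, 1), "4.1(3)SR7"),
    ((4, 2), "4.2(3)SR4"),
    ((4, 3), "4.3(2)"),
    ((5,), "5.1(3)"),
    ((6,), "6.1(1)"),
]

# major.minor, then the maintenance number as ".3" or "(3)", then optional SRn.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:[.(](\d+)\)?)?(?:SR(\d+))?$")


def parse_version(text):
    """'4.1(3)SR7' -> (4, 1, 3, 7). A missing maintenance or SR field counts
    as 0, so '4.1(3)' sorts before '4.1(3)SR1' (ordering is an assumption)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised CUCM version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def first_fixed(version):
    """First fixed release for the train `version` belongs to, or None when
    the advisory does not list that train."""
    v = parse_version(version)
    for prefix, fixed in FIXED_BY_TRAIN:
        if v[:len(prefix)] == prefix:
            return fixed
    return None


def is_vulnerable(version):
    """True if `version` is earlier than its train's first fixed release,
    False if it is at or past that release, None if the train is not
    covered by the advisory (which is not the same as 'safe')."""
    fixed = first_fixed(version)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    labels = {True: "vulnerable", False: "fixed", None: "not covered by advisory"}
    for v in ("4.1.3SR6", "4.1(3)SR7", "4.2(3)SR3", "5.0(4)", "6.1(1)", "7.0(1)"):
        print(f"{v:<10} -> {labels[is_vulnerable(v)]}")
```

Feed it the string from Help > About (4.x) or "show version active" (5.x/6.x). Note that a None result means the advisory does not cover that train, not that the system is clean.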
Details ======= Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications. Certificate Trust List Provider Related Vulnerabilities The Certificate Trust List (CTL) Provider service of Cisco Unified Communications Manager version 5.x contains a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager version 5.1(3). The vulnerability is documented in Cisco Bug ID CSCsj80609 and has been assigned the CVE identifier CVE-2008-1742. The CTL Provider service of Cisco Unified Communications Manager versions 5.x and 6.x contain a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsi98433 and has been assigned the CVE identifier CVE-2008-1743. Certificate Authority Proxy Function Related Vulnerability The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contain a vulnerability when handling malformed input that may result in a DoS condition. 
The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR7, 4.2(3)SR4 and 4.3(2). This vulnerability is documented in Cisco Bug ID CSCsk46770 and has been assigned the CVE identifier CVE-2008-1744. SIP-Related Vulnerabilities Cisco Unified Communications Manager versions 5.x and 6.x contain a vulnerability in the handling of malformed SIP JOIN messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(2) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsi48115 and has been assigned the CVE identifier CVE-2008-1745. Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability in the handling of SIP INVITE messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsk46944 and has been assigned the CVE identifier CVE-2008-1747. Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability in the handling of SIP INVITE messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR7, 4.2(3)SR4, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsl22355 and has been assigned the CVE identifier CVE-2008-1748. 
SNMP Trap-Related Vulnerability The SNMP Trap Agent service of Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability that occurs when a series of malformed UDP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsj24113 and has been assigned the CVE identifier CVE-2008-1746. Vulnerability Scoring Details ============================= Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at: http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsi98433 - CTLProvider leaks memory in certain scenarios

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsk46770 - CAPF crash with network traffic

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsl22355 - CCM does not validate SIP URL input properly

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441

CVSS Base Score - 7.8
  Access Vector - Network
  Access Complexity - Low
  Authentication - None
  Confidentiality Impact - None
  Integrity Impact - None
  Availability Impact - Complete

CVSS Temporal Score - 6.4
  Exploitability - Functional
  Remediation Level - Official-Fix
  Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution. In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance. Cisco Unified CallManager version 4.1(3)SR7 contains fixes for all vulnerabilities affecting Cisco Unified CallManager version 4.1 listed in this advisory.
It can be downloaded at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2

Cisco Unified Communications Manager version 4.2(3)SR4 contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 4.2 listed in this advisory and is scheduled to be released in early June, 2008. It will be available for download at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2

Cisco Unified Communications Manager version 4.3(2) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 4.2 listed in this advisory. It can be downloaded at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2

Cisco Unified Communications Manager version 5.1(3) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 5.x listed in this advisory. It can be downloaded at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2

Cisco Unified Communications Manager version 6.1(1) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 6.x listed in this advisory. It can be downloaded at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2

Workarounds
===========

CTL Provider Related Vulnerabilities

To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. Access to the CTL Provider Service is usually only required during the initial configuration of Cisco Unified Communications Manager authentication and encryption features. The CTL Provider service is controlled via the Cisco CTL Provider menu selection.

It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices.
If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow.

Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. The values of the ports can be viewed in Cisco Unified Communications Manager Administration interface by following the System > Service Parameters menu and selecting the appropriate service.

CAPF Related Vulnerability

To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. Access to the CAPF service is only required if Cisco Unified Communications Manager systems and IP phone devices are configured to use certificates for a secure deployment. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection.

It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service.

SIP-Related Vulnerabilities

It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. Permit TCP/UDP access to ports 5060 and 5061 from only networks that need SIP access to Cisco Unified Communications Manager servers.

SNMP Trap-Related Vulnerability

To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. For Cisco Unified Communications Manager 4.x systems, the SNMP Trap service is controlled by the embedded Windows SNMP service.
To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service.

Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability and disabling it does not provide any benefit as a workaround for this vulnerability.

For Cisco Unified Communications Manager 5.x and 6.x systems, the SNMP Trap service is controlled via the Cisco CallManager SNMP Service selection on the Control Center Feature Services screen.

It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service.

For Cisco Unified Communications Manager 4.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html

For Cisco Unified Communications Manager 5.x and 6.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services:

http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008037ced2.html#wp1048220

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:

http://www.cisco.com/warp/public/707/cisco-amb-20080514-cucmdos.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory. These vulnerabilities were discovered internally by Cisco.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
|   1.0    | 2008-May-14 |   public     |
|          |             |   release    |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.
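The Workarounds section of this advisory recommends restricting which sources can reach the CTL Provider (TCP 2444), CAPF (TCP 3804), SIP (TCP/UDP 5060 and 5061) and SNMP Trap Agent (UDP 61441) services. The script below is an added example, not part of the advisory and not Cisco's code: it reads constructed flow-log lines and flags every flow that reaches a CUCM server on one of those ports from a source the recommended filtering would not permit, which is a quick way to measure existing exposure before the upgrade window. The network ranges, hosts and log lines are assumptions made up for the example, and the key=value log format is hypothetical rather than any vendor's.

```python
"""Audit flow logs against the port filtering recommended in
cisco-sa-20080514-cucmdos.  Added example, not Cisco's code.
Python 3 standard library only; every network, host and log line
below is a constructed assumption, not data from the advisory."""
import ipaddress
import re

# Constructed topology (assumptions): where the CUCM servers, the CTL
# Client workstation, the IP phone ranges, SIP peers and SNMP managers
# live in this hypothetical network.
CUCM_SERVERS = [ipaddress.ip_network("10.10.1.0/24")]
CTL_CLIENT = [ipaddress.ip_network("10.10.9.10/32")]
PHONE_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.21.0.0/16")]
SIP_PEERS = [ipaddress.ip_network("10.30.5.0/24")]
SNMP_MANAGERS = [ipaddress.ip_network("10.40.1.0/24")]

# Services the advisory names, keyed by (protocol, default port), with the
# sources its Workarounds section says may reach each one.  The CTL Provider
# and CAPF ports are user configurable; a deployment that changed them must
# change this table to match.
POLICY = {
    ("tcp", 2444): ("CTL Provider", CUCM_SERVERS + CTL_CLIENT),
    ("tcp", 3804): ("CAPF", PHONE_NETS),
    ("tcp", 5060): ("SIP", SIP_PEERS + PHONE_NETS),
    ("udp", 5060): ("SIP", SIP_PEERS + PHONE_NETS),
    ("tcp", 5061): ("SIP (TLS)", SIP_PEERS + PHONE_NETS),
    ("udp", 5061): ("SIP (TLS)", SIP_PEERS + PHONE_NETS),
    ("udp", 61441): ("SNMP Trap Agent", SNMP_MANAGERS),
}

# Hypothetical key=value flow-log format (assumption, not a vendor format).
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)")


def parse_flow(line):
    """Return (src, dst, proto, dport) or None for a line that does not parse."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:  # e.g. an octet above 255
        return None
    return src, dst, m["proto"].lower(), int(m["dport"])


def in_any(addr, nets):
    return any(addr in net for net in nets)


def audit(lines):
    """Flows that reach a CUCM server on an advisory port from a source the
    recommended filtering would not allow.  Each finding is
    (service, src, dst, proto, dport)."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        if not in_any(dst, CUCM_SERVERS):
            continue  # not aimed at a CUCM server
        rule = POLICY.get((proto, dport))
        if rule is None:
            continue  # port not covered by the advisory
        service, allowed = rule
        if not in_any(src, allowed):
            findings.append((service, str(src), str(dst), proto, dport))
    return findings


# Constructed sample log (assumption): a mix of permitted and unexpected flows.
SAMPLE_LOG = [
    "2008-05-14T11:15:01 src=10.10.9.10 dst=10.10.1.5 proto=tcp dport=2444",    # CTL Client, fine
    "2008-05-14T11:15:02 src=192.0.2.77 dst=10.10.1.5 proto=tcp dport=2444",    # outside host to CTL Provider
    "2008-05-14T11:15:03 src=10.20.3.44 dst=10.10.1.5 proto=tcp dport=3804",    # phone to CAPF, fine
    "2008-05-14T11:15:04 src=10.40.1.9 dst=10.10.1.5 proto=tcp dport=3804",     # SNMP manager to CAPF
    "2008-05-14T11:15:05 src=10.30.5.2 dst=10.10.1.6 proto=udp dport=5060",     # SIP peer, fine
    "2008-05-14T11:15:06 src=198.51.100.5 dst=10.10.1.6 proto=udp dport=5060",  # unknown SIP source
    "2008-05-14T11:15:07 src=10.40.1.9 dst=10.10.1.5 proto=udp dport=61441",    # SNMP manager, fine
    "2008-05-14T11:15:08 src=10.20.3.44 dst=10.10.1.5 proto=udp dport=61441",   # phone to SNMP Trap Agent
    "2008-05-14T11:15:09 src=192.0.2.77 dst=10.10.1.5 proto=tcp dport=8443",    # port not in advisory
    "2008-05-14T11:15:10 src=192.0.2.77 dst=10.99.0.1 proto=tcp dport=2444",    # not a CUCM server
    "2008-05-14T11:15:11 malformed line with no fields",
]

if __name__ == "__main__":
    for service, src, dst, proto, dport in audit(SAMPLE_LOG):
        print(f"{service}: {src} -> {dst} {proto}/{dport} not permitted by recommended filtering")
```

Run on the sample, the audit reports four flows (to CTL Provider, CAPF, SIP and the SNMP Trap Agent); the same four would be the ones an access list built from the Workarounds section denies, so the list doubles as a pre-check of what that access list will break.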
-----BEGIN PGP SIGNATURE-----

iD8DBQFIKw3c86n/Gc8U/uARAo4iAJ461QSdwp9yXivfv/yWe4Xlj2wNaACcD/nW
GpnghuWFfH2gIjp6Yk6857c=
=L6xn
-----END PGP SIGNATURE-----

From psirt at cisco.com  Wed May 14 12:15:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 14 May 2008 11:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities
Message-ID: <200805141115.cup@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Presence Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080514-cup

Revision 1.0

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Presence contains three denial of service (DoS) vulnerabilities that may cause an interruption in presence services. These vulnerabilities were discovered internally by Cisco, and there are no workarounds.

Cisco has released free software updates that address these vulnerabilities.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml.

Affected Products
=================

Vulnerable Products
+------------------

Cisco Unified Presence versions prior to 6.0(3) are affected by the vulnerabilities described in this advisory.

Administrators of systems running all Cisco Unified Presence versions can determine the software version by viewing the main page of the Cisco Unified Presence Administration interface. The software version can be determined by running the command show version active via the Command Line Interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco Unified Presence collects information about a user's availability status and communications capabilities.
Using information captured by Cisco Unified Presence, applications such as Cisco Unified Personal Communicator and Cisco Unified Communications Manager can improve productivity by helping users connect with colleagues more efficiently by determining the most effective means for collaborative communication.

The Presence Engine service of Cisco Unified Presence version 1.0 contains two vulnerabilities that occur when a series of malformed IP packets are received by a vulnerable Cisco Unified Presence system and may result in a DoS condition. There are no workarounds for these vulnerabilities. These vulnerabilities are fixed in Cisco Unified Presence version 6.0(1). Cisco Unified Presence version 6.0(1) is the upgrade path for Cisco Unified Presence version 1.0.

The first vulnerability is documented in CVE-2008-1158 and Cisco Bug ID CSCsh50164. The second vulnerability is documented in CVE-2008-1740 and Cisco Bug ID CSCsh20972.

The SIP Proxy service of Cisco Unified Presence versions 6.0(1) and 6.0(2) contains a vulnerability that occurs when a TCP port scan is received by a vulnerable Cisco Unified Presence system and may result in a DoS condition. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Presence version 6.0(3). This vulnerability is documented in CVE-2008-1741 and Cisco Bug ID CSCsj64533.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsh50164 - PE Service core dumps when it receives malformed packets

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsh20972 - PE Service core dumps under stress test

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsj64533 - SIPD service core dumps during TCP port scan

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

Impact
======

Successful exploitation of any of the vulnerabilities may result in the interruption of presence services.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release.
If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Fixes for all the vulnerabilities listed in this advisory are included in Cisco Unified Presence version 6.0(3) that is available at the following link:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cup-60?psrtdcat20e2

Workarounds
===========

There are no workarounds for these vulnerabilities.

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory. These vulnerabilities were internally discovered by Cisco.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080514-cup.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
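Every bug ID in the Vulnerability Scoring Details of this advisory and of the Unified Communications Manager advisory carries the same CVSS v2.0 metrics: Access Vector Network, Access Complexity Low, Authentication None, no confidentiality or integrity impact, Availability Complete, with Exploitability Functional, Remediation Level Official-Fix and Report Confidence Confirmed. The block below is an added example, not Cisco's code and not the Cisco CVSS calculator the advisory links to. It implements the CVSS v2.0 base, temporal and environmental equations, reproduces the listed 7.8 base and 6.4 temporal scores from those metrics, and then carries the same vector through the environmental equation for one hypothetical network whose requirement, damage-potential and target-distribution values are constructed assumptions.

```python
"""CVSS v2.0 scoring for the metric values listed in the advisories.

Added example, not Cisco's code and not the Cisco CVSS calculator the
advisory links to.  Weights and equations follow the CVSS v2.0 guide;
Decimal arithmetic keeps round_to_1_decimal exact (x.x5 rounds up)."""
from decimal import Decimal as D, ROUND_HALF_UP

# Base metric weights.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}       # Access Vector
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}        # Access Complexity
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}       # Authentication
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}        # C, I and A impact
# Temporal metric weights.
E = {"U": D("0.85"), "POC": D("0.9"), "F": D("0.95"), "H": D("1.0"), "ND": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0"), "ND": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0"), "ND": D("1.0")}
# Environmental metric weights.
CDP = {"N": D("0"), "L": D("0.1"), "LM": D("0.3"), "MH": D("0.4"), "H": D("0.5"), "ND": D("0")}
TD = {"N": D("0"), "L": D("0.25"), "M": D("0.75"), "H": D("1.0"), "ND": D("1.0")}
REQ = {"L": D("0.5"), "M": D("1.0"), "H": D("1.51"), "ND": D("1.0")}   # CR, IR, AR


def round1(x):
    """CVSS round_to_1_decimal: one decimal place, ties rounded up."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def impact(c, i, a, cr="ND", ir="ND", ar="ND", adjusted=False):
    """Impact sub-score; with adjusted=True it is AdjustedImpact, capped at 10."""
    raw = D("10.41") * (1 - (1 - CIA[c] * REQ[cr]) * (1 - CIA[i] * REQ[ir]) * (1 - CIA[a] * REQ[ar]))
    return min(D("10"), raw) if adjusted else raw


def exploitability(av, ac, au):
    return 20 * AV[av] * AC[ac] * AU[au]


def _base_from_impact(av, ac, au, imp):
    f = D("0") if imp == 0 else D("1.176")   # f(Impact) from the v2.0 equation
    return round1((D("0.6") * imp + D("0.4") * exploitability(av, ac, au) - D("1.5")) * f)


def base_score(av, ac, au, c, i, a):
    return float(_base_from_impact(av, ac, au, impact(c, i, a)))


def temporal_score(base, e, rl, rc):
    return float(round1(D(str(base)) * E[e] * RL[rl] * RC[rc]))


def environmental_score(av, ac, au, c, i, a, e, rl, rc, cdp, td, cr, ir, ar):
    adj_impact = impact(c, i, a, cr, ir, ar, adjusted=True)
    adj_base = _base_from_impact(av, ac, au, adj_impact)
    adj_temporal = round1(adj_base * E[e] * RL[rl] * RC[rc])
    return float(round1((adj_temporal + (10 - adj_temporal) * CDP[cdp]) * TD[td]))


# Vector shared by every bug ID in the advisories:
# AV:N/AC:L/Au:N/C:N/I:N/A:C with E:F/RL:OF/RC:C.
ADVISORY = dict(av="N", ac="L", au="N", c="N", i="N", a="C")
ADVISORY_TEMPORAL = dict(e="F", rl="OF", rc="C")


def advisory_scores():
    """(base, temporal) for the advisory vector; expected 7.8 and 6.4."""
    base = base_score(**ADVISORY)
    return base, temporal_score(base, **ADVISORY_TEMPORAL)


def example_environmental():
    """Constructed assumption: a voice-critical site (AR:H, CR:L, IR:L) where
    an outage has medium-high collateral damage and every server is exposed."""
    return environmental_score(**ADVISORY, **ADVISORY_TEMPORAL,
                               cdp="MH", td="H", cr="L", ir="L", ar="H")


if __name__ == "__main__":
    base, temporal = advisory_scores()
    print(f"Base {base}  Temporal {temporal}  Environmental {example_environmental()}")
```

The environmental run shows why the advisory asks customers to compute their own score: an Availability Requirement of High pushes AdjustedImpact to the 10.0 cap, so the same bug that scores 6.4 after temporal adjustment scores 9.0 for a site that depends on its call processing, while a site whose voice servers are unreachable from the affected sources (Target Distribution None) scores 0.0.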
Revision History
================

+---------------------------------------+
| Revision |             | Initial      |
|   1.0    | 2008-May-14 |   public     |
|          |             |   release    |
+---------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----

iD8DBQFIKw1+86n/Gc8U/uARAlunAJ9UTjai8ZofKwUcH7B3CqyBetjIDwCdHgUI
91czchLkcIoB9pmUP9zWEI0=
=gkID
-----END PGP SIGNATURE-----

From psirt at cisco.com  Wed May 14 12:15:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 14 May 2008 11:15:00 -0500
Subject: [c-nsp] Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities
Message-ID: <200805141115.cucmdos@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Unified Communications Manager Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080514-cucmdos

Revision 1.0

+---------------------------------------------------------------------

Summary
=======

Cisco Unified Communications Manager, formerly Cisco CallManager, contains multiple denial of service (DoS) vulnerabilities that may cause an interruption in voice services, if exploited. These vulnerabilities were discovered internally by Cisco.
The following Cisco Unified Communications Manager services are affected:

* Certificate Trust List (CTL) Provider
* Certificate Authority Proxy Function (CAPF)
* Session Initiation Protocol (SIP)
* Simple Network Management Protocol (SNMP) Trap

Cisco has released free software updates that address these vulnerabilities. Workarounds that mitigate some of these vulnerabilities are available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml.

Affected Products
=================

Vulnerable Products
+------------------

These products are vulnerable:

* Cisco Unified CallManager 4.1 versions prior to 4.1.3SR7
* Cisco Unified Communications Manager 4.2 versions prior to 4.2(3)SR4
* Cisco Unified Communications Manager 4.3 versions prior to 4.3(2)
* Cisco Unified Communications Manager 5.x versions prior to 5.1(3)
* Cisco Unified Communications Manager 6.x versions prior to 6.1(1)

Administrators of systems running Cisco Unified Communications Manager version 4.x can determine the software version by navigating to Help > About Cisco Unified CallManager and selecting the Details button via the Cisco Unified Communications Manager Administration interface.

Administrators of systems that are running Cisco Unified Communications Manager versions 5.x and 6.x can determine the software version by viewing the main page of the Cisco Unified Communications Manager Administration interface. The software version can also be determined by running the command show version active via the command line interface (CLI).

Products Confirmed Not Vulnerable
+--------------------------------

Cisco Unified Communications Manager Express is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities.
Details
=======

Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices, such as IP phones, media processing devices, voice-over-IP (VoIP) gateways, and multimedia applications.

Certificate Trust List Provider Related Vulnerabilities

The Certificate Trust List (CTL) Provider service of Cisco Unified Communications Manager version 5.x contains a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. The CTL Provider service is enabled by default. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager version 5.1(3). The vulnerability is documented in Cisco Bug ID CSCsj80609 and has been assigned the CVE identifier CVE-2008-1742.

The CTL Provider service of Cisco Unified Communications Manager versions 5.x and 6.x contains a memory consumption vulnerability that occurs when a series of malformed TCP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The CTL Provider service listens by default on TCP port 2444 and is user configurable. There is a workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsi98433 and has been assigned the CVE identifier CVE-2008-1743.

Certificate Authority Proxy Function Related Vulnerability

The Certificate Authority Proxy Function (CAPF) service of Cisco Unified Communications Manager versions 4.1, 4.2 and 4.3 contains a vulnerability when handling malformed input that may result in a DoS condition.
The CAPF service listens by default on TCP port 3804 and is user configurable. The CAPF service is disabled by default. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR7, 4.2(3)SR4 and 4.3(2). This vulnerability is documented in Cisco Bug ID CSCsk46770 and has been assigned the CVE identifier CVE-2008-1744.

SIP-Related Vulnerabilities

Cisco Unified Communications Manager versions 5.x and 6.x contain a vulnerability in the handling of malformed SIP JOIN messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 5.1(2) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsi48115 and has been assigned the CVE identifier CVE-2008-1745.

Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability in the handling of SIP INVITE messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. The vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsk46944 and has been assigned the CVE identifier CVE-2008-1747.

Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contain a vulnerability in the handling of SIP INVITE messages that may result in a DoS condition. SIP processing cannot be disabled in Cisco Unified Communications Manager. There is no workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR7, 4.2(3)SR4, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsl22355 and has been assigned the CVE identifier CVE-2008-1748.
SNMP Trap-Related Vulnerability

The SNMP Trap Agent service of Cisco Unified Communications Manager versions 4.1, 4.2, 4.3, 5.x and 6.x contains a vulnerability that occurs when a series of malformed UDP packets are received by a vulnerable Cisco Unified Communications Manager system and may result in a DoS condition. The SNMP Trap Agent service listens by default on UDP port 61441. There is a workaround for this vulnerability. This vulnerability is fixed in Cisco Unified Communications Manager versions 4.1(3)SR6, 4.2(3)SR3, 4.3(2), 5.1(3) and 6.1(1). This vulnerability is documented in Cisco Bug ID CSCsj24113 and has been assigned the CVE identifier CVE-2008-1746.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsi98433 - CTLProvider leaks memory in certain scenarios

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsk46770 - CAPF crash with network traffic

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsi48115 - CM 6.1 stops providing service when receiving malformed Join sip-header

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete

CVSS Temporal Score - 6.4
    Exploitability -           Functional
    Remediation Level -        Official-Fix
    Report Confidence -        Confirmed

* CSCsk46944 - CCM service restarts on receiving a valid SIP Packet

CVSS Base Score - 7.8
    Access Vector -            Network
    Access Complexity -        Low
    Authentication -           None
    Confidentiality Impact -   None
    Integrity Impact -         None
    Availability Impact -      Complete
  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCsl22355 - CCM does not validate SIP URL input properly

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCsj24113 - CCM Process Coredump/Restart During ISIC Execution Against Port 61441

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete
  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerabilities in this advisory may result in the interruption of voice services.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Cisco Unified CallManager version 4.1(3)SR7 contains fixes for all vulnerabilities affecting Cisco Unified CallManager version 4.1 listed in this advisory.
It can be downloaded at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-41?psrtdcat20e2

Cisco Unified Communications Manager version 4.2(3)SR4 contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 4.2 listed in this advisory and is scheduled to be released in early June, 2008. It will be available for download at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-42?psrtdcat20e2

Cisco Unified Communications Manager version 4.3(2) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 4.2 listed in this advisory. It can be downloaded at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-43?psrtdcat20e2

Cisco Unified Communications Manager version 5.1(3) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 5.x listed in this advisory. It can be downloaded at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-51?psrtdcat20e2

Cisco Unified Communications Manager version 6.1(1) contains fixes for all vulnerabilities affecting Cisco Unified Communications Manager version 6.x listed in this advisory. It can be downloaded at the following link:
http://www.cisco.com/pcgi-bin/tablebuild.pl/callmgr-61?psrtdcat20e2

Workarounds
===========

CTL Provider Related Vulnerabilities

To mitigate against the CTL Provider service vulnerabilities (CSCsj80609 and CSCsi98433), system administrators can disable the CTL Provider service if it is not needed. Access to the CTL Provider Service is usually only required during the initial configuration of Cisco Unified Communications Manager authentication and encryption features. The CTL Provider service is controlled via the Cisco CTL Provider menu selection.

It is possible to mitigate the CTL Provider vulnerabilities by implementing filtering on screening devices.
If the CTL Provider service is enabled, permit access to TCP port 2444 only between the Cisco Unified Communications Manager systems where the CTL Provider service is active and the CTL Client, usually on the administrator's workstation, to mitigate the CTL Provider service overflow.

Note: It is possible to change the default port of the CTL Provider service (TCP port 2444). If changed, filtering should be based on the values used. The values of the ports can be viewed in the Cisco Unified Communications Manager Administration interface by following the System > Service Parameters menu and selecting the appropriate service.

CAPF Related Vulnerability

To mitigate against the CAPF service vulnerability (CSCsk46770), system administrators can disable the CAPF service if it is not needed. Access to the CAPF service is only required if Cisco Unified Communications Manager systems and IP phone devices are configured to use certificates for a secure deployment. If phones are not configured to use certificates, then the CAPF service can be disabled. The CAPF service is controlled by the Cisco Certificate Authority Proxy Function menu selection.

It is possible to mitigate the CAPF vulnerability by implementing filtering on screening devices. If the CAPF service is enabled, permit access to TCP port 3804 only from networks that contain IP phone devices needing to utilize the CAPF service.

SIP-Related Vulnerabilities

It is possible to mitigate the SIP vulnerabilities by implementing filtering on screening devices. Permit TCP/UDP access to ports 5060 and 5061 only from networks that need SIP access to Cisco Unified Communications Manager servers.

SNMP Trap-Related Vulnerability

To mitigate against the SNMP Trap service vulnerability (CSCsj24113), system administrators can disable the SNMP Trap service. For Cisco Unified Communications Manager 4.x systems, the SNMP Trap service is controlled by the embedded Windows SNMP service.
To disable the Windows SNMP service, navigate to Start > Programs > Administrative Tools > Services, and stop the SNMP Service.

Note: The SNMP Trap Service listed in the Windows Service configuration screen is not applicable to this vulnerability, and disabling it does not provide any benefit as a workaround for this vulnerability.

For Cisco Unified Communications Manager 5.x and 6.x systems, the SNMP Trap service is controlled via the Cisco CallManager SNMP Service selection on the Control Center Feature Services screen.

It is possible to mitigate the SNMP Trap service vulnerability by implementing filtering on screening devices. Permit access to UDP port 61441 only from management systems that need access to the SNMP Trap service.

For Cisco Unified Communications Manager 4.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008070ec49.html

For Cisco Unified Communications Manager 5.x and 6.x systems, please consult the following documentation for details on how to disable Cisco Unified Communications Manager services:
http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_administration_guide_chapter09186a008037ced2.html#wp1048220

Additional mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20080514-cucmdos.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased.
By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC).
TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered internally by Cisco.

Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080514-cucmdos.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.
  * cust-security-announce at cisco.com
  * first-teams at first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+----------+-------------+-------------------------+
| Revision | Date        | Description             |
+----------+-------------+-------------------------+
| 1.0      | 2008-May-14 | Initial public release  |
+----------+-------------+-------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

From criling at gmail.com Wed May 14 16:24:51 2008
From: criling at gmail.com (Chris Riling)
Date: Wed, 14 May 2008 16:24:51 -0400
Subject: [c-nsp] Any to terminate a DSL loop on a 72xx or 75xx?
In-Reply-To: <20080512182655.GG1139409@hiwaay.net>
References: <028e01c8b454$0eb0a7d0$290310ac@ccntd1.covad.com>
 <385308605-1210613005-cardhu_decombobulator_blackberry.rim.net-433203785-@bxe122.bisx.prod.on.blackberry>
 <48287E5B.5030700@gmail.com>
 <20080512174226.GF1139409@hiwaay.net>
 <8c829ec10805121117r2404beecsf3d59650968701b2@mail.gmail.com>
 <20080512182655.GG1139409@hiwaay.net>
Message-ID: <8c829ec10805141324i716a25bfid4b4413c7d49696a@mail.gmail.com>

You may be correct, I haven't personally had to set up a DSL modem in quite some time... I've configured the X3's, I know they can do bridge mode... According to the datasheets on Zoom's website, the X5's and X6's will do this as well, although I haven't had to do it on these models personally...

Chris

On 5/12/08, Chris Adams wrote:
>
> Once upon a time, Chris Riling said:
> > We use a lot of the Zoom modems, X3, X5, X6, etc... I *think* all of them do
> > 100/full...
>
> IIRC the X5 and X6 are routers only (so they can't pass the PPPoE
> through to another device). I don't know about the X3.
> --
> Chris Adams
> Systems and Network Administrator - HiWAAY Internet Services
> I don't speak for anybody but myself - that's enough trouble.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From criling at gmail.com Wed May 14 16:32:23 2008
From: criling at gmail.com (Chris Riling)
Date: Wed, 14 May 2008 16:32:23 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To:
References: <200805141102.m4EB2r1X024270@amer-mta101.csc.com>
Message-ID: <8c829ec10805141332p4542a3eeu8d2b3191aee92d55@mail.gmail.com>

Last time I had to solve a similar problem, it ended up being related to one application not honoring the TCP window size in the OS. Turns out the application would only use X K regardless of what you set the window to in the OS.
It took many webex school bus sessions demonstrating the differences in iperf before they understood... Essentially it was proving that the network itself was capable of pushing the data, and that the problem must lie at an upper layer... Still had to go way above and beyond normal duties; I'm not even remotely a systems admin... :)

Chris

On 5/14/08, Joe Loiacono wrote:
>
> NetQoS SA is an appliance. It can be placed anywhere but typically
> connects to a data center switch and aggregate ports are SPAN'd to it.
> Among other graphs which are also valuable, the key ones for exonerating
> the network fall into the Server Response Time group. Here you will get
> four individual graphs and one composite of the four. The transactions
> being broken down into four components:
>
> Network RTT
> Retransmission time
> Data Transfer time
> Server Response time
>
> In a particular problem we were looking at, the Data Transfer and Server
> Response times radically dominated the composite graph. From this
> information, the problem was isolated to the internal client-server
> interaction of a web-portal load balancing application. The network was
> exonerated :-)
>
> Might be a similar situation for the Outlook configuration as an earlier
> post mentioned.
>
> Joe
>
> "Aaron R" wrote on 05/14/2008 07:04:34 AM:
>
> > I have heard of NetQoS. Is this an appliance or a piece of software? Where
> > does it run? The site does not give much away.
> >
> > Cheers,
> >
> > Aaron.
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono
> > Sent: Tuesday, May 13, 2008 11:56 PM
> > To: Rick Martin
> > Cc: cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Prove it's not the network!
> >
> > Two things might help.
> >
> > 1) Active performance monitoring
> >
> > Set up iperf on both ends of your link.
> > Periodically (e.g., for 30 seconds
> > every hour) burst as high as you can (large windows, etc.). Graph this
> > continually. That will show the actual capacity achievable. You can even
> > set up multiple client-server iperf pairs and use comparisons between them
> > to isolate problems to different network segments. See, for example:
> > http://ensight.eos.nasa.gov (this is custom, so you'd have to develop your
> > own :-)
> >
> > 2) Application performance monitoring
> >
> > NetQoS has a sharp tool called SuperAgent (SA). SA installs in your data
> > center and can track performance from all clients to any specified
> > application (e.g., Outlook). What is neat about it is you don't have to
> > instrument the clients to be able to understand their performance - it is
> > all determined by examining the TCP traffic flow traversing the single point
> > where SA is installed. The reports break the performance down into several
> > segments, one of which is the network. This can eliminate the network as a
> > source of performance problems (if that is the case.)
> >
> > I don't work for NetQoS, and there are other similar products.
> >
> > Joe
> >
> > "Rick Martin"
> > Sent by: cisco-nsp-bounces at puck.nether.net
> > 05/13/2008 11:15 AM
> >
> > To:
> > cc:
> > Subject: [c-nsp] Prove it's not the network!
> >
> > I know this is not really a Cisco specific question but it is
> > definitely in support of Cisco hardware.
> >
> > How do most of you folks prove that "the problem" is not the network?
> > We utilize CA Spectrum and eHealth for availability and statistical
> > analysis but in some instances that does not cut it. We don't typically
> > have much trouble proving that a T1 is serving up 1.5 meg of bandwidth.
> > Customers complain that their access is slow, we show that they are
> > using all available bandwidth and eventually sell them more bandwidth
> > and the problem is resolved.
> >
> > The more difficult effort is when there is plenty of available
> > bandwidth and a particular application is slow (Outlook in the case I am
> > involved in now). This is a very high level political official and we
> > must come to a resolution. All tools we have available to us today
> > indicate that there is not a problem with the network. Typical
> > utilization on the T1 is about 500 to 600K peak during the day. Certain
> > management continues to point the finger at the network. We have used
> > Internet based speed tests that at times show less than 1.5Meg download
> > speeds; I explain the variables in the Internet and the particular tool
> > in use as well as local contention for the bandwidth etc. to no avail,
> > once they see less than 1.5 meg speed the finger points to the network.
> > I still must somehow "prove" that the network is not the issue.
> >
> > I am interested in an Internet speed test like tool to install at the
> > core of our network that would provide a sustained upload or download
> > test that would run for longer periods of time than a regular speed
> > test. I would like to fill the pipe while graphing in eHealth or as part
> > of the selected tool to prove that the contracted bandwidth is available
> > in both directions.
> >
> > Any recommendations for products would be appreciated. We are currently
> > looking at SolarWinds WAN Killer and a traffic generator from Omnicore
> > LanTraffic V2. I am also open to different "types" of solutions to point
> > to where the problem is actually located.
> >
> > Thanks in advance for any suggestions
> >
> > Rick Martin
> > Network Engineer
> > State of Arkansas, Department of Information Systems

From lists at hojmark.org Wed May 14 16:56:54 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Wed, 14 May 2008 22:56:54 +0200
Subject: [c-nsp] Old Aironet Gear Issus
In-Reply-To:
References:
Message-ID: <000f01c8b605$0ad8a100$280a0a0a@hojmark.net>

> Hi ivor, I have an old CISCO AIR-AP1230B, but its firmware is very
> old. I want to update the firmware. Can you give me a new firmware
> for CISCO AIR-AP1230B, please? Thank you very much. Tom

http://www.cisco.com/go/software > Wireless Software > Wireless Software > Access Points > Cisco Aironet 1230 AG Series > Cisco Aironet 1230 AG Access Point > IOS Software > pick your version > choose your file > Download > *read* and click Accept if you do.

HTH,
-A

From Doug.Olson at pcsbanking.com Wed May 14 12:03:31 2008
From: Doug.Olson at pcsbanking.com (Olson, Douglas)
Date: Wed, 14 May 2008 11:03:31 -0500
Subject: [c-nsp] WDM equipment
In-Reply-To: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
Message-ID:

I've used all but the Brocade in past lives. It really depends on your requirements.
Cisco has a nice platform that supports a lot of topologies and features, but you will pay for it.

Adva will be quite a bit cheaper, and they were always pretty aggressive on price to try to win the deals. Not as broad of a platform and not as fancy as Cisco, but functional.

MRV's offering was more of a low-cost down-and-dirty solution. Worked fine in a set it and forget it network, but in spans where we saw a lot of adds, changes, moves, etc., there tended to be a lot more service-affecting maintenances to change filters, attenuators, etc. This was quite a while ago, so they may have an updated line that does more of those things through software, though.

On our larger networks we usually stuck with Cisco for two reasons: It was easier to find engineers that knew the Cisco line than any of the others, and upper management had the (probably mistaken) idea in their heads that it gave us more negotiating leverage with Cisco when it came to other equipment on our network.

Again, really depends on your requirements: distances, number of locations/nodes, interface requirements, bandwidth requirements, budget, etc.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Fredrik Jacobsson
Sent: Tuesday, May 13, 2008 9:45 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] WDM equipment

Greetings.

I'm looking into WDM-equipment to save fiber costs. Using ethernet and fibrechannel, mainly Cisco and Brocade. Is there anyone here with experience with equipment from Adva or Mrv? Happy?
Thanks
/Fredrik

From vijay.ramcharan at verizonbusiness.com Wed May 14 17:44:28 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Wed, 14 May 2008 21:44:28 +0000
Subject: [c-nsp] Cisco ACS tacacs console login fails.
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28762190BDB7@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28762190BDB7@SRVEXC02.aas.its.nja.dk>
Message-ID: <509A5E22DDC70B4DA85EA7C06C8FDA8F030CC96F@ASHEVS011.mcilink.com>

Just a hunch, have you tried going into enable mode with your TACACS password?

I see you have specified this:

  aaa authentication enable default group tacacs+ enable

which probably indicates the device is looking to TAC+ for the enable password. Your log message also indicates "ACS password invalid" so it appears that may be the case.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: May 13, 2008 12:47
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco ACS tacacs console login fails.

Hi Folks.

Is there someone who can point me in the right direction?

We are using tacacs on Cisco ACS v 4.1. This works fine when we are accessing the boxes via telnet. It authenticates us and lets us directly into privilege mode on the switches and routers. But when we are using the console port it just authenticates, and doesn't let us in at all, even if we try to enable with the enable password.

Here is a test from the log file that let us in via telnet:

  05/13/2008,18:25:11,Authen OK,arla,Admin,10.2.28.45,tty1,10.2.9.221

The next line authenticates us but doesn't let us directly into the box from the console port.
  05/13/2008,18:20:43,Authen OK,arla,Admin,async,tty0,10.2.9.221

When we do enable and type the enable password the tacacs rejects us:

  05/13/2008,18:24:02,Authen failed,arla,Admin,async,ACS password invalid,,,tty0,10.2.9.221

What check-boxes can I have missed enabling in the ACS tacacs setup?

The config of the cisco boxes looks like this
----------------------------------------------------------------------
aaa new-model
aaa authentication login CONSOLE group tacacs+ local
aaa authentication login TELNET group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+
aaa authorization commands 1 default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

line con 0
 password 7 1446400509107E32
 login authentication CONSOLE
line vty 0 4
 access-class 133 in
 exec-timeout 60 0
 password 7 15435902013E7F3D
 login authentication TELNET

/Arne

From brad.henshaw at qcn.com.au Wed May 14 19:21:37 2008
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 15 May 2008 09:21:37 +1000
Subject: [c-nsp] vlan tagging question
In-Reply-To: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com>
Message-ID: <3B0B088532A4A44C97875AA89AEF971B23E17D@qcnexc01.corp.qcn>

Chad Whitten wrote:
> I have a non-cisco access device connecting to a cisco 3750 via gigE.
> The 3750 interface is set for 802.1q trunking with two vlans - 100 and
> 201. Vlan 201 is the native vlan on the cisco interface. Should the
> access device be tagging packets on vlan 201 or leaving them untagged?
It should be leaving VLAN 201 packets untagged unless you've set 'vlan dot1q tag native' on the 3750.

We avoid using the native VLAN for customer traffic and also tag everything, everywhere in order to avoid accidental propagation of BPDUs or other L2 control protocols to places they don't belong.

Regards,
Brad

From cwhitten at metronetsys.com Wed May 14 19:28:45 2008
From: cwhitten at metronetsys.com (Chad Whitten)
Date: Wed, 14 May 2008 18:28:45 -0500
Subject: [c-nsp] vlan tagging question
In-Reply-To: <3B0B088532A4A44C97875AA89AEF971B23E17D@qcnexc01.corp.qcn>
References: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com>
 <3B0B088532A4A44C97875AA89AEF971B23E17D@qcnexc01.corp.qcn>
Message-ID: <13bf195a0805141628l40d4a931j800ec5af73d0efe0@mail.gmail.com>

Thanks all. The vlan dot1q tag native was what we needed.

On Wed, May 14, 2008 at 6:21 PM, Brad Henshaw wrote:
> Chad Whitten wrote:
>
>> I have a non-cisco access device connecting to a cisco 3750 via gigE.
>> The 3750 interface is set for 802.1q trunking with two vlans - 100 and
>> 201. Vlan 201 is the native vlan on the cisco interface. Should the
>> access device be tagging packets on vlan 201 or leaving them untagged?
>
> It should be leaving VLAN 201 packets untagged unless you've set
> 'vlan dot1q tag native' on the 3750.
>
> We avoid using the native VLAN for customer traffic and also tag
> everything, everywhere in order to avoid accidental propagation of
> BPDUs or other L2 control protocols to places they don't belong.
>
> Regards,
> Brad
>

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From justin at justinshore.com Thu May 15 01:41:40 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 15 May 2008 00:41:40 -0500
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com>
 <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com>
 <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com>
Message-ID: <482BCD14.9040400@justinshore.com>

Nathan wrote:
> Proceed by elimination. If there is someone else in the office (I
> suppose the T1 is not just for one person) whose Outlook is *not*
> slow, and especially if "someone else" can be extended to "everybody
> else" then the problem is not the network.
>
> Outlook can have severe speed/response problems when not kept healthy;
> most notably there's something called PST files that have to be kept
> at a reasonable size, or re-indexed or something, and people who like
> to keep all their mail tend to run into that.

Here's a long account of a similar battle over PSTs that I fought.

I fought a 'blame-the-network' battle at a customer's site a couple years ago. We built a brand-new GigE greenfield network in a new building and helped the customer move into their new digs. Shortly thereafter a certain group of users started complaining that their computers were horribly slow, most especially Outlook. This reached upper management before it came back down to us contractors so it was a huge deal when it landed at our feet.

First thing we did was narrow down exactly who had the problem and who didn't. 95% of the complaints were "me too!" complaints and weren't legitimate. The remaining 5% were isolated to one group of users in one specific area of the new building. Their IT staff that was working on this problem with us immediately blamed us again because "it had to be the network's fault because all the users are in the same physical vicinity". I showed them graph after graph of the network I/O from the Exchange servers through the core and down through the uplinks to distribution.
In the end we ended up graphing every affected user's port. The graphs did not help; we were still to blame.

Finally one day I sat down with the squeakiest user and had her show me exactly what was slow and the steps she took to make that happen from minute 1 of her walking into her office. I had her shut down and start from a cold boot. She commented that the login process was faster than normal and asked what I'd done to fix it (grrr). She fired up Outlook and I noticed that it was very slow. She said that it was faster than normal. Finally Outlook came up and she started scrolling through her email. She selected a message and waited 10 seconds or so for the message to come up. Then she'd try to save the attachment to the desktop and it would take 4-5 minutes (for a 20MB attachment). She continued on with her daily routine and started scrolling down through her Outlook folders. I stopped her when I saw "Inbox, Sent, Drafts, etc" scroll by more than once. This was the sign I was looking for.

I took the wheel at this point and started counting. She had 8 (count them, EIGHT) sets of default Outlook folders because she had 8 PSTs mounted in Outlook. She explained that she hits the Exchange PST hard limit of 2GB every 8-10 months. The company's IT folks would export everything to a new PST to give her a fresh inbox. Then they'd mount it in Outlook so she could have access to it (it was tax stuff so Legal wouldn't let her delete anything, literally). I started hunting for the PSTs and found them on an old file server, one that we had no idea was related to the mail system. She was mounting 8 roughly 2GB PSTs across the network to Outlook on a PC running XP w/ 128MB of RAM. Wonderful.

But it gets better. I noticed that her inbox wasn't on the server but was instead in a PST on the same file server and her email was set to deliver to PST, not Exchange directly.
In this situation the way Exchange works, email is held on the server for PST users until they bring their Outlook online. OL then downloads the queued up email and stuffs it into the PST. Well, the PST was stored on the server so the client would have to manipulate the PST on the server. Oh, but it gets better still. A few days later one of sys admins was looking the newly discovered file server that was apparently critical to the function of the mail server. From across the room we here loud profanity and run over to see what happened. He discovered that the idiot IT staff set up Windows to compress the non-RAIDed drive that contains all the user PSTs and home directories because they ran low on drive space about a year earlier. Before a user's OL client can modify the PST the server has to decompress the entire PST, then write the changes for the client, and recompress the PST and then write it back to disk. The server was a low-end MS box with 256MB of RAM with no RAID and a backup that usually failed. Oh, and that sys admin also discovered shortly thereafter that all of the users created in the past year and a half were set to deliver to PST because of, you guessed it, another drive space issue. Isn't that nice. All the users that reported this problem turned out to be users that handled tax data and couldn't delete any email. That's why that group of users all experienced the problem. Every single one of these users were mounting 2-8 2GB PSTs across the network. Those that shutdown at night would come in at 8am and fire up their computers. A couple dozen different users would all try to pull down their PSTs from the compressed file system of the poor server. So it wasn't the network's fault. The network was running like a champ. The POS server put into mission critical service by incompetent IT staff was to blame. We spent weeks troubleshooting the problem and trying to convince management that the network was fine. 
In the end I had to sit down with a user, watch everything that they did and then analyze their steps to figure out what was causing the problem. Oh, and the reason it was faster the day I worked with her was because we did this mid-morning, not at 8am. Did anyone ever apologize (even figuratively) to the network folks? Nope. Of course not. As a network engineer I've found that the vast majority of my job is helping other people find their problems. The network seldom breaks and when it does it's not subtle; it's catastrophic. Even highly skilled technical people still blame the network when their stuff doesn't work right (after all my network is just a bunch of tubes, right?). Networking is like mysterious dark magic that no one seems to understand. It's the gremlins on the wire that causes Windows to crash, not poor programming and a lack of QA. Networking is simply not understood by most people and it's human nature to fear and loathe what they don't understand. To be able to do my job effectively I have to know my shit and everyone elses' well enough to know how something works when it inevitably breaks. Had I not come into networking with a systems background and were I not a quick study under fire I would not be good at what I do. Did something "suddenly" break that must have been caused by the network maintenance I did last week? No, it's the fact that it never worked to begin with and you never actually tested it when you deployed it a year ago. It wasn't until a user tested it for you that you became aware of the fact that it wasn't working. It just happened to come a week after I did maintenance on an unrelated device on an unrelated network. But I'm going to spend all morning sniffing and decoding traffic to help you realize that this device off to the side over here couldn't possibly be involved. *sigh* Story of my life. 
Justin From gert at greenie.muc.de Thu May 15 03:32:24 2008 From: gert at greenie.muc.de (Gert Doering) Date: Thu, 15 May 2008 09:32:24 +0200 Subject: [c-nsp] vlan tagging question In-Reply-To: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com> References: <13bf195a0805140543x7828eb42r1cda610851b05a1f@mail.gmail.com> Message-ID: <20080515073224.GY3278@greenie.muc.de> Hi, On Wed, May 14, 2008 at 07:43:53AM -0500, Chad Whitten wrote: > I have a non-cisco access device connecting to a cisco 3750 via gigE. > The 3750 interface is set for 802.1q trunking with two vlans - 100 and > 201. Vlan 201 is the native vlan on the cisco interface. Should the > access device be tagging packets on vlan 201 or leaving them untagged? "native VLAN" on Cisco usually means "non-tagged frames". So in your scenario: VLAN 100 needs to be tagged, VLAN 201 must not be tagged. (I seem to remember that *some* version of IOS for switches can also set the native VLAN to tagged - so if in doubt, check with the person administrating the Cisco switch how they want to receive the frames) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20080515/2d6994d3/attachment-0001.bin From whisper555 at gmail.com Thu May 15 03:56:29 2008 From: whisper555 at gmail.com (Whisper) Date: Thu, 15 May 2008 17:56:29 +1000 Subject: [c-nsp] Prove it's not the network! 
In-Reply-To: <482BCD14.9040400@justinshore.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com> <482BCD14.9040400@justinshore.com>
Message-ID: <5333e1040805150056y3ffe75e5l70f63e97c8cc79a9@mail.gmail.com>

Justin, I have always been under the impression that Network Engineers' primary role was going around constantly proving that the Network is not the problem. :)

Your rant, I suspect, is more or less repeated on a daily basis by Network Engineers all around the world.

On Thu, May 15, 2008 at 3:41 PM, Justin Shore wrote:
> [...]
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From alex at alsn.be Thu May 15 04:41:52 2008
From: alex at alsn.be (Alexandre Snoeck)
Date: Thu, 15 May 2008 10:41:52 +0200
Subject: [c-nsp] analyze BGP traffic with SNMP
Message-ID: <200805151041.52336.alex@alsn.be>

Hi all,

Is it possible to analyze where traffic is going with SNMP on a BGP router? If so, how? I checked most MIB files with BGP info in them but couldn't find anything. I have to check where the most traffic is going on the backbone BGP router. I have checked for sFlow and NetFlow to do this but I would prefer a system where it is possible to check every once in a while, not a system that has to run most of the time to have decent information. I have heard there was a previous post on this some time ago but couldn't find it back to check the answers; could you maybe point me to that post if there is an answer.
Regards
Alex

From rdobbins at cisco.com Thu May 15 04:53:06 2008
From: rdobbins at cisco.com (Roland Dobbins)
Date: Thu, 15 May 2008 15:53:06 +0700
Subject: [c-nsp] analyze BGP traffic with SNMP
In-Reply-To: <200805151041.52336.alex@alsn.be>
References: <200805151041.52336.alex@alsn.be>
Message-ID: <8ECF3F6A-5682-45BD-883D-3C0328CDDEF7@cisco.com>

On May 15, 2008, at 3:41 PM, Alexandre Snoeck wrote:

> not a system that has to run most of the time to have decent
> information.

This type of system is far more desirable from an operational standpoint, as it provides insight into behavior over time. Snapshots of this type of information aren't very useful at all, IMHO; what's useful is to understand trends, rates of change, et al.

If you're determined to use SNMP and snapshots, you may wish to take a look at the NetFlow MIB, which lets you get a snapshot of the NetFlow table. But I very strongly recommend you re-evaluate the utility of a NetFlow-based system for this type of application, perhaps starting with a freeware tool such as Stager.

-----------------------------------------------------------------------
Roland Dobbins // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.

-- John Robb

From gary.ciscomail at gmail.com Thu May 15 05:52:51 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 15 May 2008 10:52:51 +0100
Subject: [c-nsp] Multiple AS numbers
Message-ID:

Hello All

I run an AS number but also want to run a second AS to advertise specific networks to an external BGP peer, which I will do with a tunnel. However, can I run a second AS or do I specifically need to set up a stand-alone router running its own instance of BGP just to send updates?

Thanks

Gary

From paul.cosgrove at heanet.ie Thu May 15 06:31:22 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Thu, 15 May 2008 11:31:22 +0100
Subject: [c-nsp] Multiple AS numbers
In-Reply-To:
References:
Message-ID: <482C10FA.2050600@heanet.ie>

Hi Gary,

I'm not completely clear on what your requirements are, but you may want to have a look at the 'local-as' bgp neighbor option. It will let your router behave like another ASN on that single peering.

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp3.html#wp1014448

Paul

Gary Roberton wrote:
> [...]

--
HEAnet Limited
Ireland's Education & Research Network
5 George's Dock, IFSC, Dublin 1, Ireland
Tel: +353.1.6609040 Web: http://www.heanet.ie
Company registered in Ireland: 275301

Please consider the environment before printing this e-mail.

From ionut.pirva at gmail.com Thu May 15 06:37:47 2008
From: ionut.pirva at gmail.com (Ionut PIRVA)
Date: Thu, 15 May 2008 13:37:47 +0300
Subject: [c-nsp] Multiple AS numbers
In-Reply-To:
References:
Message-ID:

You should take a look at the local-as feature:

http://www.cisco.com/warp/public/459/39.html

On Thu, May 15, 2008 at 12:52 PM, Gary Roberton wrote:
> Hello All
>
> I run an AS number but also want to run a second AS to advertise specific
> networks to an external BGP peer which I will do with a tunnel.
> However,
> can I run a second AS or do I specifically need to set up a stand alone
> router running its own instance of BGP just to send updates.
>
> Thanks
>
> Gary

From alex at alsn.be Thu May 15 07:43:26 2008
From: alex at alsn.be (Alexandre Snoeck)
Date: Thu, 15 May 2008 13:43:26 +0200
Subject: [c-nsp] analyze BGP traffic with SNMP
In-Reply-To: <200805151340.30830.asnoeck@alsn.be>
References: <200805151041.52336.alex@alsn.be> <8ECF3F6A-5682-45BD-883D-3C0328CDDEF7@cisco.com> <200805151340.30830.asnoeck@alsn.be>
Message-ID: <200805151343.26280.alex@alsn.be>

Thanks for the advice

> If you're determined to use SNMP and snapshots, you may wish to take a
> look at the NetFlow MIB, which lets you get a snapshot of the NetFlow
> table.

Any idea if there is an equivalent in sFlow? I have been looking around the sFlow MIB but didn't find any useful information.

Alex

> On Thursday 15 May 2008 10:53:06 Roland Dobbins wrote:
> > [...]

From jfitz at Princeton.EDU Thu May 15 08:55:43 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 15 May 2008 08:55:43 -0400
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <5333e1040805150056y3ffe75e5l70f63e97c8cc79a9@mail.gmail.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com> <482BCD14.9040400@justinshore.com> <5333e1040805150056y3ffe75e5l70f63e97c8cc79a9@mail.gmail.com>
Message-ID:

I sure hope Justin lets us know what the problem really was, after all this..

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 15, 2008, at 3:56 AM, Whisper wrote:

> Justin, I have always been under the impression that Network Engineers'
> primary role was going around constantly proving that the Network is
> not the problem. :)
>
> Your rant, I suspect, is more or less repeated on a daily basis by
> Network Engineers all around the world.
>
> On Thu, May 15, 2008 at 3:41 PM, Justin Shore wrote:
>
>> [...]

From jlewis at lewis.org Thu May 15 10:23:44 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Thu, 15 May 2008 10:23:44 -0400 (EDT)
Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration?
Message-ID:

Having just gone past the end of software maintenance date for the 3550, and with the need to start at least looking at supporting IPv6 on our customer aggregation switches in the not so distant future, I suppose it's time to seriously consider the 3560-48TS as a replacement / upgrade path for our 3550-48's.

With the 3550-48's, we've been getting away with configuring generally all or nearly all the FE interfaces as routed ports using the default SDM template, and not run into any problems, even though this template is allegedly optimized for 8 routed interfaces. Can the 3560-48TS be used similarly without getting into software forwarding?

I'd love to hear from someone using the 3560-48TS in a mixed v4/v6 environment with 48 routed ports, since cisco's docs that I've found so far don't seem to suggest how likely this is to work.
---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From justin at justinshore.com Thu May 15 10:24:29 2008 From: justin at justinshore.com (Justin Shore) Date: Thu, 15 May 2008 09:24:29 -0500 Subject: [c-nsp] CVR-X2-SFP In-Reply-To: <20080514121317.GW10920@virtual.bogons.net> References: <1210766180.482ad364a92cf@imp.free.fr> <20080514121317.GW10920@virtual.bogons.net> Message-ID: <482C479D.5040709@justinshore.com> Simon Lockhart wrote: > On Wed May 14, 2008 at 01:56:20PM +0200, jcovini at free.fr wrote: >> Who can tell me whether the Twingig CVR-X2-SFP are supported in 6500 module >> WS-X6708-10G-3C ? > > No - they depend on an additional connector at the back of the slot which is > only in the 3750E etc boxes. There are a few more supported switches but the list is short and like you said it still doesn't the linecard that Jerome was asking about. https://puck.nether.net/pipermail/cisco-nsp/2008-March/048685.html Justin From ian.mackinnon at lumison.net Thu May 15 10:38:26 2008 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Thu, 15 May 2008 15:38:26 +0100 Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration? In-Reply-To: References: Message-ID: <482C4AE2.9000809@lumison.net> Jon Lewis wrote: > Having just gone past the end of software maintenance date for the 3550, > and with the need to start at least looking at supporting IPv6 on our > customer aggregation switches in the not so distant future, I suppose it's > time to seriously consider the 3560-48TS as a replacement / upgrade path > for our 3550-48's. B****r, you are right, 7May was end of software updated, 2011 for end of support (more money required for no imediate gain) One big issue I have with 3560 is outbound policing. I can't see how to limit traffic either on a SVI or to something less than 10% of actual port speed. 
>
> With the 3550-48's, we've been getting away with configuring generally all
> or nearly all the FE interfaces as routed ports using the default SDM
> template, and not run into any problems, even though this template is
> allegedly optimized for 8 routed interfaces. Can the 3560-48TS be used
> similarly without getting into software forwarding?
>
> I'd love to hear from someone using the 3560-48TS in a mixed v4/v6
> environment with 48 routed ports, since cisco's docs that I've found so
> far don't seem to suggest how likely this is to work.
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From avayner at cisco.com Thu May 15 12:00:33 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 15 May 2008 18:00:33 +0200
Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration?
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5015970BB@xmb-ams-331.emea.cisco.com>

Jon,

You might want to take a look at Catalyst 4948, which might present a better feature parity/richness and might be a better match for your requirements.

The normal 4948 would do IPv6 in software, so it really depends on how wide you expect your deployment to be, but you can take a look at the newer 4948M:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6021/product_data_sheet0900aecd8017a72e.html
http://www.cisco.com/en/US/products/ps6021/products_data_sheets_list.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Thursday, May 15, 2008 17:24 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration?

Having just gone past the end of software maintenance date for the 3550,
and with the need to start at least looking at supporting IPv6 on our
customer aggregation switches in the not so distant future, I suppose it's
time to seriously consider the 3560-48TS as a replacement / upgrade path
for our 3550-48's.

With the 3550-48's, we've been getting away with configuring generally all
or nearly all the FE interfaces as routed ports using the default SDM
template, and not run into any problems, even though this template is
allegedly optimized for 8 routed interfaces. Can the 3560-48TS be used
similarly without getting into software forwarding?

I'd love to hear from someone using the 3560-48TS in a mixed v4/v6
environment with 48 routed ports, since cisco's docs that I've found so
far don't seem to suggest how likely this is to work.
----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From masood at nexlinx.net.pk Thu May 15 12:04:11 2008
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Thu, 15 May 2008 21:04:11 +0500
Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration?
In-Reply-To:
References:
Message-ID: <03a501c8b6a5$50705fa0$f1511ee0$@net.pk>

The thing I'm missing is, it does not support Policy-Based Routing (PBR) when forwarding IPv6 traffic :( The software supports IPv4 PBR only when the dual-ipv4-and-ipv6 routing template is configured. Here is the link for more on dual-ipv4-ipv6:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swsdm.html#wp1077854

Regards,
Masood Ahmad Shah
BLOG: http://www.weblogs.com.pk/jahil/

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
Sent: Thursday, May 15, 2008 7:24 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 3550-48 -> 3560-48TS-E migration?

Having just gone past the end of software maintenance date for the 3550,
and with the need to start at least looking at supporting IPv6 on our
customer aggregation switches in the not so distant future, I suppose it's
time to seriously consider the 3560-48TS as a replacement / upgrade path
for our 3550-48's.

With the 3550-48's, we've been getting away with configuring generally all
or nearly all the FE interfaces as routed ports using the default SDM
template, and not run into any problems, even though this template is
allegedly optimized for 8 routed interfaces.
Can the 3560-48TS be used
similarly without getting into software forwarding?

I'd love to hear from someone using the 3560-48TS in a mixed v4/v6
environment with 48 routed ports, since cisco's docs that I've found so
far don't seem to suggest how likely this is to work.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From everton at lab.ipaccess.diveo.net.br Thu May 15 12:44:22 2008
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Thu, 15 May 2008 13:44:22 -0300
Subject: [c-nsp] Switch processing delay
In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A4303C97E7B@METROEVS3.ac.lp.acml.com>
References: <1E79A7919A9B16468E407A8DEAB65A4303C97E7B@METROEVS3.ac.lp.acml.com>
Message-ID: <20080515164422.GA27863@diveo.net.br>

On Tue, May 13, 2008 at 07:09:31PM -0400, Uddin, Tahir wrote:
>
> Does anyone know the switching delay for a 1500 byte packet
> (or any size packet) through a 6509E with a Sup720 10G
> supervisor. Packet coming in one 10gig port and out another
> 10Gig.

The following paper:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd800c958a.pdf

has been cited in this thread:

http://puck.nether.net/pipermail/cisco-nsp/2006-September/034533.html

Cheers,
Everton

From jcartier at acs.on.ca Thu May 15 14:13:38 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Thu, 15 May 2008 14:13:38 -0400
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
Message-ID:

We recently swapped out some non-PoE Cisco switches with Cisco 3750 48port PoE switches and have noticed the following issue.
When users reboot their PC they have troubles establishing their folder connections in Windows...the following error is seen in the event log.

Windows cannot obtain the domain controller name for your network. Group policy processing aborted. Event ID 1054

It seems that when users log onto the computers after a warm/cold start the network connection doesn't establish right away. We've found that disabling PoE on the access-port solves the issue.

Has anyone experienced anything similar?

From jfitz at Princeton.EDU Thu May 15 14:28:39 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 15 May 2008 14:28:39 -0400
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
In-Reply-To:
References:
Message-ID:

If you have Spanning tree enabled on the CISCO (which is default ) then you need to add "spanning-tree portfast " to all access ports. This will speed up initial boot of machine instead of going through the LISTENING LEARNING FORWARDING states.

Well this sounds like your problem.

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 15, 2008, at 2:13 PM, Jeff Cartier wrote:

> We recently swapped out some non-PoE Cisco switches with Cisco 3750
> 48port PoE switches and have noticed the following issue.
>
> When users reboot their PC they have troubles establishing their
> folder connections in Windows...the following error is seen in the
> event log.
>
> Windows cannot obtain the domain controller name for your network.
> Group policy processing aborted. Event ID 1054
>
> It seems that when users log onto the computers after a warm/cold
> start the network connection doesn't establish right away. We've
> found that disabling PoE on the access-port solves the issue.
>
> Has anyone experienced anything similar?
>

From jcartier at acs.on.ca Thu May 15 14:26:58 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Thu, 15 May 2008 14:26:58 -0400
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
In-Reply-To:
Message-ID:

Ports are already configured for port-fast. Like I said, it seems that after disabling PoE on the port everything works fine.

-----Original Message-----
From: Jeff Fitzwater [mailto:jfitz at Princeton.EDU]
Sent: Thursday, May 15, 2008 2:29 PM
To: Jeff Cartier
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Weird Issue with 3750-PoE Switches...

If you have Spanning tree enabled on the CISCO (which is default ) then you need to add "spanning-tree portfast " to all access ports. This will speed up initial boot of machine instead of going through the LISTENING LEARNING FORWARDING states.

Well this sounds like your problem.

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 15, 2008, at 2:13 PM, Jeff Cartier wrote:

> We recently swapped out some non-PoE Cisco switches with Cisco 3750
> 48port PoE switches and have noticed the following issue.
>
> When users reboot their PC they have troubles establishing their
> folder connections in Windows...the following error is seen in the
> event log.
>
> Windows cannot obtain the domain controller name for your network.
> Group policy processing aborted. Event ID 1054
>
> It seems that when users log onto the computers after a warm/cold
> start the network connection doesn't establish right away. We've
> found that disabling PoE on the access-port solves the issue.
>
> Has anyone experienced anything similar?
>

From jcartier at acs.on.ca Thu May 15 14:34:39 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Thu, 15 May 2008 14:34:39 -0400
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
In-Reply-To: <940dabcc0805151137j768184bi977fac5a1bab2e31@mail.gmail.com>
Message-ID:

No Phones are connected to the switchports which are having the issues. It is a straight connection to the PC.

________________________________
From: Fredrik Jacobsson [mailto:fred at jacobsson.nu]
Sent: Thursday, May 15, 2008 2:37 PM
To: Jeff Cartier
Cc: Jeff Fitzwater; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Weird Issue with 3750-PoE Switches...

Are phones connected to the switch, and PC to the phone?
(=trunk port?)

Do a "spanning-tree portfast trunk" on the interface.
Regular config doesn't come into action on trunks.

/Fredrik

2008/5/15 Jeff Cartier :

Ports are already configured for port-fast. Like I said, it seems that after disabling PoE on the port everything works fine.

-----Original Message-----
From: Jeff Fitzwater [mailto:jfitz at Princeton.EDU]
Sent: Thursday, May 15, 2008 2:29 PM
To: Jeff Cartier
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Weird Issue with 3750-PoE Switches...

If you have Spanning tree enabled on the CISCO (which is default ) then you need to add "spanning-tree portfast " to all access ports. This will speed up initial boot of machine instead of going through the LISTENING LEARNING FORWARDING states.

Well this sounds like your problem.

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 15, 2008, at 2:13 PM, Jeff Cartier wrote:

> We recently swapped out some non-PoE Cisco switches with Cisco 3750
> 48port PoE switches and have noticed the following issue.
>
> When users reboot their PC they have troubles establishing their
> folder connections in Windows...the following error is seen in the
> event log.
>
> Windows cannot obtain the domain controller name for your network.
> Group policy processing aborted. Event ID 1054
>
> It seems that when users log onto the computers after a warm/cold
> start the network connection doesn't establish right away. We've
> found that disabling PoE on the access-port solves the issue.
>
> Has anyone experienced anything similar?
>

From mailinglists at unix-scripts.com Thu May 15 14:56:33 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Thu, 15 May 2008 11:56:33 -0700
Subject: [c-nsp] Cisco PfR
Message-ID:

I'm looking to deploy PfR in my network. Right now the network is simple for the most part: two 7206VXR-NPE-G2's, each with an upstream connected; they are also linked to each other. Then both borders connect to my core/access layer, which is a stack of 3750G's. OSPF is run between core and borders.

With PfR, how large of a router do I need to use as the master? Right now the network only pushes around 200mbit but the network total capacity is capable of pushing 4GB.

~Shaun

From jason at pins.net Thu May 15 15:07:52 2008
From: jason at pins.net (Jason Berenson)
Date: Thu, 15 May 2008 15:07:52 -0400
Subject: [c-nsp] Cat 3560
Message-ID: <482C8A08.3000502@pins.net>

Greetings,

This is probably an obvious question but I seem to be overlooking something. I have a Catalyst 3560 running c3560-advipservicesk9-mz.122-25.SED1.bin.
I just changed out the SFP on gi0/2 to be a fiber SFP instead of copper. Here's what I see when it's not plugged in, is this normal? I tried looking for media type commands but there don't seem to be any present.

router>show int gi0/2
GigabitEthernet0/2 is down, line protocol is down (err-disabled)
  Hardware is Gigabit Ethernet, address is 0016.473c.0ae2 (bia 0016.473c.0ae2)
  Description: << TLS 1G primary >>
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, Auto-speed, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output never, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo

Here's the config for that port:

interface GigabitEthernet0/2
 description << TLS 1G primary >>
 no switchport
 no ip address
 speed nonegotiate
 no cdp enable

I also can't seem to make a sub interface:

frangelico(config)#int gi0/2.1 ?
% Unrecognized command

Any ideas would be greatly appreciated.

Thanks,
Jason

From achatz at forthnet.gr Thu May 15 15:44:12 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 15 May 2008 22:44:12 +0300
Subject: [c-nsp] Cat 3560
In-Reply-To: <482C8A08.3000502@pins.net>
References: <482C8A08.3000502@pins.net>
Message-ID: <482C928C.1090700@forthnet.gr>

You're probably using a "fake" SFP. What does "show errdisable recovery" show?

You can try a combination of the following, but I'm not sure if they'll help you.

service unsupported-transceiver
no errdisable detect cause gbic-invalid

Check the ios version too, below:

http://www.cisco.com/en/US/docs/interfaces_modules/transceiver_modules/compatibility/matrix/OL_6981.html#wp105929

Also, subinterfaces are not supported on these L2/L3 switches. You can probably use SVIs instead.
--
Tassos

Jason Berenson wrote on 15/5/2008 10:07:
> Greetings,
>
> This is probably an obvious question but I seem to be overlooking
> something. I have a Catalyst 3560 running
> c3560-advipservicesk9-mz.122-25.SED1.bin. I just changed out the SFP on
> gi0/2 to be a fiber SFP instead of copper. Here's what I see when it's
> not plugged in, is this normal? I tried looking for media type commands
> but there don't seem to be any present.
>
> router>show int gi0/2
> GigabitEthernet0/2 is down, line protocol is down (err-disabled)
>   Hardware is Gigabit Ethernet, address is 0016.473c.0ae2 (bia 0016.473c.0ae2)
>   Description: << TLS 1G primary >>
>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive not set
>   Full-duplex, Auto-speed, link type is auto, media type is unknown
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output never, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>
> Here's the config for that port:
>
> interface GigabitEthernet0/2
>  description << TLS 1G primary >>
>  no switchport
>  no ip address
>  speed nonegotiate
>  no cdp enable
>
> I also can't seem to make a sub interface:
>
> frangelico(config)#int gi0/2.1 ?
> % Unrecognized command
>
> Any ideas would be greatly appreciated.
> > Thanks, > Jason > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jason at pins.net Thu May 15 15:49:41 2008 From: jason at pins.net (Jason Berenson) Date: Thu, 15 May 2008 15:49:41 -0400 Subject: [c-nsp] Cat 3560 In-Reply-To: References: <482C8A08.3000502@pins.net> Message-ID: <482C93D5.4010904@pins.net> There doesn't seem to be a service unsupported-transciever command: router(config)#service uns? % Unrecognized command I tried a shut/no shut, on one of the routers it seemed to work but not on the other. It still doesn't show the media type though. Here's some output from the logs. I have a feeling the SFP is bad: May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC in port 65538 has bad crc May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error detected on Gi0/2, putting Gi0/2 in err-disable state Thanks, Jason Matt Addison wrote: > What do the logs say? I'm guessing it's not a Cisco SFP so you may have > to add "service unsupported-transciever" > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Berenson > Sent: Thursday, May 15, 2008 3:08 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Cat 3560 > > Greetings, > > This is probably an obvious question but I seem to be overlooking > something. I have a Catalyst 3560 running > c3560-advipservicesk9-mz.122-25.SED1.bin. I just changed out the SFP on > > gi0/2 to be a fiber SFP instead of copper. Here's what I see when it's > not plugged in, is this normal? I tried looking for media type commands > > but there don't seem to be any present. 
>
> router>show int gi0/2
> GigabitEthernet0/2 is down, line protocol is down (err-disabled)
>   Hardware is Gigabit Ethernet, address is 0016.473c.0ae2 (bia 0016.473c.0ae2)
>   Description: << TLS 1G primary >>
>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>      reliability 255/255, txload 1/255, rxload 1/255
>   Encapsulation ARPA, loopback not set
>   Keepalive not set
>   Full-duplex, Auto-speed, link type is auto, media type is unknown
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output never, output hang never
>   Last clearing of "show interface" counters never
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>
> Here's the config for that port:
>
> interface GigabitEthernet0/2
>  description << TLS 1G primary >>
>  no switchport
>  no ip address
>  speed nonegotiate
>  no cdp enable
>
> I also can't seem to make a sub interface:
>
> frangelico(config)#int gi0/2.1 ?
> % Unrecognized command
>
> Any ideas would be greatly appreciated.
>
> Thanks,
> Jason

From justin at justinshore.com Thu May 15 15:56:51 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 15 May 2008 14:56:51 -0500
Subject: [c-nsp] Cat 3560
In-Reply-To: <482C93D5.4010904@pins.net>
References: <482C8A08.3000502@pins.net> <482C93D5.4010904@pins.net>
Message-ID: <482C9583.1020609@justinshore.com>

It's a hidden command. Copy and paste it in anyway.

Justin

Jason Berenson wrote:
> There doesn't seem to be a service unsupported-transceiver command:
>
> router(config)#service uns?
> % Unrecognized command
>
> I tried a shut/no shut, on one of the routers it seemed to work but not
> on the other. It still doesn't show the media type though.
> Here's some
> output from the logs. I have a feeling the SFP is bad:
>
> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: GBIC
> in port 65538 has bad crc
> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error detected
> on Gi0/2, putting Gi0/2 in err-disable state
>
> Thanks,
> Jason
>
> Matt Addison wrote:
>> What do the logs say? I'm guessing it's not a Cisco SFP so you may have
>> to add "service unsupported-transceiver"
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Berenson
>> Sent: Thursday, May 15, 2008 3:08 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Cat 3560
>>
>> Greetings,
>>
>> This is probably an obvious question but I seem to be overlooking
>> something. I have a Catalyst 3560 running
>> c3560-advipservicesk9-mz.122-25.SED1.bin. I just changed out the SFP on
>> gi0/2 to be a fiber SFP instead of copper. Here's what I see when it's
>> not plugged in, is this normal? I tried looking for media type commands
>> but there don't seem to be any present.
>>
>> router>show int gi0/2
>> GigabitEthernet0/2 is down, line protocol is down (err-disabled)
>>   Hardware is Gigabit Ethernet, address is 0016.473c.0ae2 (bia 0016.473c.0ae2)
>>   Description: << TLS 1G primary >>
>>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>>      reliability 255/255, txload 1/255, rxload 1/255
>>   Encapsulation ARPA, loopback not set
>>   Keepalive not set
>>   Full-duplex, Auto-speed, link type is auto, media type is unknown
>>   input flow-control is off, output flow-control is unsupported
>>   ARP type: ARPA, ARP Timeout 04:00:00
>>   Last input never, output never, output hang never
>>   Last clearing of "show interface" counters never
>>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>>   Queueing strategy: fifo
>>
>> Here's the config for that port:
>>
>> interface GigabitEthernet0/2
>>  description << TLS 1G primary >>
>>  no switchport
>>  no ip address
>>  speed nonegotiate
>>  no cdp enable
>>
>> I also can't seem to make a sub interface:
>>
>> frangelico(config)#int gi0/2.1 ?
>> % Unrecognized command
>>
>> Any ideas would be greatly appreciated.
>>
>> Thanks,
>> Jason
>>
>

From jfitz at Princeton.EDU Thu May 15 16:05:14 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Thu, 15 May 2008 16:05:14 -0400
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
In-Reply-To:
References:
Message-ID: <32B52B74-4242-40E6-92D1-34FC09D67AB9@Princeton.EDU>

Take a look at this doc, some version of CISCO had POE PINOUT incorrect.
http://pinouts.ru/Net/poe_pinout.shtml

Jeff Fitzwater
OIT Network Systems
Princeton University

On May 15, 2008, at 2:34 PM, Jeff Cartier wrote:

> No Phones are connected to the switchports which are having the
> issues. It is a straight connection to the PC.
>
> From: Fredrik Jacobsson [mailto:fred at jacobsson.nu]
> Sent: Thursday, May 15, 2008 2:37 PM
> To: Jeff Cartier
> Cc: Jeff Fitzwater; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Weird Issue with 3750-PoE Switches...
>
> Are phones connected to the switch, and PC to the phone?
> (=trunk port?)
>
> Do a "spanning-tree portfast trunk" on the interface.
> Regular config doesn't come into action on trunks.
>
> /Fredrik
> 2008/5/15 Jeff Cartier :
> Ports are already configured for port-fast. Like I said, it seems
> that after disabling PoE on the port everything works fine.
>
> -----Original Message-----
> From: Jeff Fitzwater [mailto:jfitz at Princeton.EDU]
> Sent: Thursday, May 15, 2008 2:29 PM
> To: Jeff Cartier
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Weird Issue with 3750-PoE Switches...
>
> If you have Spanning tree enabled on the CISCO (which is default )
> then you need to add "spanning-tree portfast " to all access ports.
> This will speed up initial boot of machine instead of going through
> the LISTENING LEARNING FORWARDING states.
>
> Well this sounds like your problem.
>
> Jeff Fitzwater
> OIT Network Systems
> Princeton University
> On May 15, 2008, at 2:13 PM, Jeff Cartier wrote:
>
> > We recently swapped out some non-PoE Cisco switches with Cisco 3750
> > 48port PoE switches and have noticed the following issue.
> >
> > When users reboot their PC they have troubles establishing their
> > folder connections in Windows...the following error is seen in the
> > event log.
> >
> > Windows cannot obtain the domain controller name for your network.
> > Group policy processing aborted.
> > Event ID 1054
> >
> > It seems that when users log onto the computers after a warm/cold
> > start the network connection doesn't establish right away. We've
> > found that disabling PoE on the access-port solves the issue.
> >
> > Has anyone experienced anything similar?
> >
>

From jason at pins.net Thu May 15 16:23:38 2008
From: jason at pins.net (Jason Berenson)
Date: Thu, 15 May 2008 16:23:38 -0400
Subject: [c-nsp] Cat 3560
In-Reply-To: <482C9583.1020609@justinshore.com>
References: <482C8A08.3000502@pins.net> <482C93D5.4010904@pins.net> <482C9583.1020609@justinshore.com>
Message-ID: <482C9BCA.5050500@pins.net>

Now I get media type unknown on one router and media type not supported on the other.

Justin Shore wrote:
> It's a hidden command. Copy and paste it in anyway.
>
> Justin
>
> Jason Berenson wrote:
>> There doesn't seem to be a service unsupported-transceiver command:
>>
>> router(config)#service uns?
>> % Unrecognized command
>>
>> I tried a shut/no shut, on one of the routers it seemed to work but
>> not on the other. It still doesn't show the media type though.
>> Here's some output from the logs. I have a feeling the SFP is bad:
>>
>> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR:
>> GBIC in port 65538 has bad crc
>> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error
>> detected on Gi0/2, putting Gi0/2 in err-disable state
>>
>> Thanks,
>> Jason
>>
>> Matt Addison wrote:
>>> What do the logs say?
>>> I'm guessing it's not a Cisco SFP so you may have
>>> to add "service unsupported-transceiver"
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jason Berenson
>>> Sent: Thursday, May 15, 2008 3:08 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Cat 3560
>>>
>>> Greetings,
>>>
>>> This is probably an obvious question but I seem to be overlooking
>>> something. I have a Catalyst 3560 running
>>> c3560-advipservicesk9-mz.122-25.SED1.bin. I just changed out the SFP on
>>> gi0/2 to be a fiber SFP instead of copper. Here's what I see when it's
>>> not plugged in, is this normal? I tried looking for media type commands
>>> but there don't seem to be any present.
>>>
>>> router>show int gi0/2
>>> GigabitEthernet0/2 is down, line protocol is down (err-disabled)
>>>   Hardware is Gigabit Ethernet, address is 0016.473c.0ae2 (bia 0016.473c.0ae2)
>>>   Description: << TLS 1G primary >>
>>>   MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
>>>      reliability 255/255, txload 1/255, rxload 1/255
>>>   Encapsulation ARPA, loopback not set
>>>   Keepalive not set
>>>   Full-duplex, Auto-speed, link type is auto, media type is unknown
>>>   input flow-control is off, output flow-control is unsupported
>>>   ARP type: ARPA, ARP Timeout 04:00:00
>>>   Last input never, output never, output hang never
>>>   Last clearing of "show interface" counters never
>>>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
>>>   Queueing strategy: fifo
>>>
>>> Here's the config for that port:
>>>
>>> interface GigabitEthernet0/2
>>>  description << TLS 1G primary >>
>>>  no switchport
>>>  no ip address
>>>  speed nonegotiate
>>>  no cdp enable
>>>
>>> I also can't seem to make a sub interface:
>>>
>>> frangelico(config)#int gi0/2.1 ?
>>> % Unrecognized command
>>>
>>> Any ideas would be greatly appreciated.
>>>
>>> Thanks,
>>> Jason
>>>
>>

From justin at justinshore.com Thu May 15 17:21:36 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 15 May 2008 16:21:36 -0500
Subject: [c-nsp] Cat 3560
In-Reply-To: <482C9BCA.5050500@pins.net>
References: <482C8A08.3000502@pins.net> <482C93D5.4010904@pins.net> <482C9583.1020609@justinshore.com> <482C9BCA.5050500@pins.net>
Message-ID: <482CA960.7030100@justinshore.com>

I'd check the IOS version against the model of SFP to make sure that it's supported (though I imagine it will be). I'd agree with the other guys in saying that it's likely counterfeit. Do you get it from a reputable vendor?

Justin

Jason Berenson wrote:
> Now I get media type unknown on one router and media type not supported
> on the other.
> Justin Shore wrote:
>> It's a hidden command. Copy and paste it in anyway.
>>
>> Justin
>>
>> Jason Berenson wrote:
>>> There doesn't seem to be a service unsupported-transceiver command:
>>>
>>> router(config)#service uns?
>>> % Unrecognized command
>>>
>>> I tried a shut/no shut, on one of the routers it seemed to work but
>>> not on the other. It still doesn't show the media type though.
>>> Here's some output from the logs. I have a feeling the SFP is bad:
>>>
>>> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR:
>>> GBIC in port 65538 has bad crc
>>> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error
>>> detected on Gi0/2, putting Gi0/2 in err-disable state
>>>
>>> Thanks,
>>> Jason
>>>
>>> Matt Addison wrote:
>>>> What do the logs say?
>>>>
>>>> Thanks,
>>>> Jason

From justin at justinshore.com Thu May 15 17:31:43 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 15 May 2008 16:31:43 -0500
Subject: [c-nsp] iBGP not propagating route to 0/8
Message-ID: <482CABBF.3010009@justinshore.com>

I just noticed that my RTBH setup is not propagating one of my BOGON routes. Specifically it's not propagating 0.0.0.0/255.0.0.0 (0/8). The static is set up just like all my other RTBH routes complete with the appropriate tag:

ip route 0.0.0.0 255.0.0.0 Null0 tag 66 name BOGON
ip route 1.0.0.0 255.0.0.0 Null0 tag 66 name BOGON
etc...

A quick check of my advertised routes on my trigger router shows that I'm not advertising the prefix.

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0    500      32768 i
*> 2.0.0.0          0.0.0.0                  0    500      32768 i

The trigger router is in a full mesh with the border routers and core routers. The trigger also peers with each access edge router (which also have 2 iBGP peers with their local core routers). The route-map simply matches each static by its tag, sets the origin, local-pref and assigns a community.

route-map static-to-bgp permit 10
 description Tag 66 sends traffic to Null0
 match tag 66
 set local-preference 500
 set origin igp
 set community 65001:66 no-export

...plus a couple more for other tags.

I can't think of any reason why this prefix wouldn't be advertised. Any ideas? I noticed it today because I have customers trying to hit 0/8 IPs (0.4.24.200 for example) that my egress ACLs are catching.
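Added by the editor, not part of Justin Shore's post or of any reply in this thread: a small Python audit of the situation described in the post. It parses the `ip route ... tag 66` statics and the advertised-routes table in the form the post shows them, reports the tagged prefixes that are not being advertised, and separately notes which of those fall inside 0.0.0.0/8, the "this network" block reserved by RFC 1122 and RFC 5735, so that the one missing prefix can be checked against that condition first. The router config and 'show' output in the block are constructed to resemble what the post quotes (the tag, the BOGON statics and the 0/8 gap are the post's own; the 192.0.2.0/24 and tag-77 lines are added to exercise the parser). The classful-mask inference for BGP table rows that print without a prefix length is an assumption of this example, not something the post states.

```python
"""Audit which tagged Null0 statics a trigger router is actually
originating into BGP.  Editor-added example; the sample texts are
constructed to resemble the configuration and 'show' output quoted in
the post, they are not captured from a real router."""
import ipaddress
import re

# RFC 1122 / RFC 5735: the "this network" block, reserved and never routable.
RESERVED_THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")

# Constructed sample: the tagged statics from the post plus one with a
# different tag, to show that the tag filter works.
RUNNING_CONFIG = """\
ip route 0.0.0.0 255.0.0.0 Null0 tag 66 name BOGON
ip route 1.0.0.0 255.0.0.0 Null0 tag 66 name BOGON
ip route 2.0.0.0 255.0.0.0 Null0 tag 66 name BOGON
ip route 192.0.2.0 255.255.255.0 Null0 tag 66 name BOGON
ip route 10.0.0.0 255.0.0.0 Null0 tag 77 name RFC1918
"""

# Constructed sample of 'show ip bgp neighbors <peer> advertised-routes';
# the 0/8 row is absent, as in the post.
ADVERTISED_ROUTES = """\
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.0.0          0.0.0.0                  0    500      32768 i
*> 2.0.0.0          0.0.0.0                  0    500      32768 i
*> 192.0.2.0        0.0.0.0                  0    500      32768 i
"""

STATIC_RE = re.compile(
    r"^ip route (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) \S+"
    r"(?:\s+tag (\d+))?",
    re.MULTILINE,
)
# A BGP table row: status flags, then the network, which IOS prints with
# a prefix length only when the route is not on a classful boundary.
BGP_ROW_RE = re.compile(r"^\*[>i\s]*(\d+\.\d+\.\d+\.\d+(?:/\d+)?)", re.MULTILINE)


def classful(addr: str) -> ipaddress.IPv4Network:
    """Assumed classful mask for a BGP table entry printed without one."""
    first_octet = int(addr.split(".")[0])
    plen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def parse_tagged_statics(config: str, tag: str) -> set:
    """Prefixes of 'ip route ... tag <tag>' statements in the config."""
    nets = set()
    for prefix, mask, found_tag in STATIC_RE.findall(config):
        if found_tag == tag:
            nets.add(ipaddress.ip_network(f"{prefix}/{mask}", strict=False))
    return nets


def parse_advertised(output: str) -> set:
    """Prefixes present in advertised-routes output."""
    nets = set()
    for token in BGP_ROW_RE.findall(output):
        nets.add(ipaddress.ip_network(token, strict=False) if "/" in token
                 else classful(token))
    return nets


def audit(config: str, advertised: str, tag: str = "66") -> dict:
    """Compare what the tag selects with what is actually advertised."""
    expected = parse_tagged_statics(config, tag)
    seen = parse_advertised(advertised)
    missing = sorted(expected - seen)
    return {
        "expected": len(expected),
        "advertised": len(seen),
        "missing": [str(n) for n in missing],
        # A missing prefix inside 0.0.0.0/8 is the first thing to look at:
        # the block is reserved, so an implementation may decline to
        # originate it even though the static and tag are correct.
        "in_reserved_block": [str(n) for n in missing
                              if n.subnet_of(RESERVED_THIS_NETWORK)],
    }


if __name__ == "__main__":
    for key, value in audit(RUNNING_CONFIG, ADVERTISED_ROUTES, "66").items():
        print(f"{key}: {value}")
```

Run against the constructed input the report lists 0.0.0.0/8 as the only tag-66 prefix that is configured but not advertised, and flags it as the one sitting in the reserved block. Pointing the two parsers at a real `show running-config | include tag 66` and a real `advertised-routes` capture is the only change needed to use it on a trigger router.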
Thanks,
Justin

From mack at exchange.alphared.com Thu May 15 17:58:25 2008
From: mack at exchange.alphared.com (mack)
Date: Thu, 15 May 2008 16:58:25 -0500
Subject: [c-nsp] Cat 3560
Message-ID: <859D2283FD04CA44986CC058E06598F89627AD1366@exchange4.exchange.alphared.local>

>------------------------------
>
>Message: 6
>Date: Thu, 15 May 2008 16:21:36 -0500
>From: Justin Shore
>Subject: Re: [c-nsp] Cat 3560
>To: Jason Berenson
>Cc: "cisco-nsp at puck.nether.net"
>Message-ID: <482CA960.7030100 at justinshore.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>I'd check the IOS version against the model of SFP to make
>sure that it's supported (though I imagine it will be).
>I'd agree with the other guys in saying that it's likely
>counterfeit. Do you get it from a reputable vendor?
>
>Justin

Counterfeit assumes a Cisco label.
Third-party SFP modules are not counterfeit just unsupported.

It is entirely possible that the SFP isn't even programmed for Cisco equipment.
For example a Dlink SFP will not work in Cisco equipment.

The bad CRC would tend to indicate the programming is not correct for Cisco equipment.
This does not rule out counterfeit or bad hardware.

>
>
>Jason Berenson wrote:
>> Now I get media type unknown on one router and media type not
>> supported on the other.
>> Justin Shore wrote:
>>> It's a hidden command. Copy and paste it in anyway.
>>>
>>> Justin
>>>
>>> Jason Berenson wrote:
>>>> There doesn't seem to be a service unsupported-transceiver command:
>>>>
>>>> router(config)#service uns?
>>>> % Unrecognized command
>>>>
>>>> I tried a shut/no shut, on one of the routers it seemed to work but
>>>> not on the other. It still doesn't show the media type though.
>>>> Here's some output from the logs.
>>>> I have a feeling the SFP is bad:
>>>>
>>>> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR:
>>>> GBIC in port 65538 has bad crc
>>>> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error
>>>> detected on Gi0/2, putting Gi0/2 in err-disable state
>>>>
>>>> Thanks,
>>>> Jason
>>>>

--
LR Mack McBride
Network Administrator
Alpha Red, Inc.

From jason at pins.net Thu May 15 18:25:11 2008
From: jason at pins.net (Jason Berenson)
Date: Thu, 15 May 2008 18:25:11 -0400
Subject: [c-nsp] Cat 3560
In-Reply-To: <859D2283FD04CA44986CC058E06598F89627AD1366@exchange4.exchange.alphared.local>
References: <859D2283FD04CA44986CC058E06598F89627AD1366@exchange4.exchange.alphared.local>
Message-ID: <482CB847.80706@pins.net>

I just pulled the SFP and it turns out it's an HP. The vendor is shipping me two new ones. Can anyone give me a snippet of config with SVI being used?

mack wrote:
>> ------------------------------
>>
>> Message: 6
>> Date: Thu, 15 May 2008 16:21:36 -0500
>> From: Justin Shore
>> Subject: Re: [c-nsp] Cat 3560
>> To: Jason Berenson
>> Cc: "cisco-nsp at puck.nether.net"
>> Message-ID: <482CA960.7030100 at justinshore.com>
>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>>
>> I'd check the IOS version against the model of SFP to make
>> sure that it's supported (though I imagine it will be).
>> I'd agree with the other guys in saying that it's likely
>> counterfeit. Do you get it from a reputable vendor?
>>
>> Justin
>>
>
> Counterfeit assumes a Cisco label.
> Third-party SFP modules are not counterfeit just unsupported.
>
> It is entirely possible that the SFP isn't
> even programmed for Cisco equipment.
> For example a Dlink SFP will not work in Cisco equipment.
>
> The bad CRC would tend to indicate the programming is
> not correct for Cisco equipment.
> This does not rule out counterfeit or bad hardware.
> > >> Jason Berenson wrote: >> >>> Now I get media type unknown on one router and media type not >>> supported on the other. >>> Justin Shore wrote: >>> >>>> It's a hidden command. Copy and paste it in anyway. >>>> >>>> Justin >>>> >>>> Jason Berenson wrote: >>>> >>>>> There doesn't seem to be a service unsupported-transciever command: >>>>> >>>>> router(config)#service uns? >>>>> % Unrecognized command >>>>> >>>>> I tried a shut/no shut, on one of the routers it seemed to work but >>>>> not on the other. It still doesn't show the media type though. >>>>> Here's some output from the logs. I have a feeling the SFP is bad: >>>>> >>>>> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4-VN_DATA_CRC_ERROR: >>>>> GBIC in port 65538 has bad crc >>>>> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error >>>>> detected on Gi0/2, putting Gi0/2 in err-disable state >>>>> >>>>> Thanks, >>>>> Jason >>>>> >>>>> > > -- > LR Mack McBride > Network Administrator > Alpha Red, Inc. > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From Rafael.Rodriguez at msmc.com Thu May 15 19:34:25 2008 From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez) Date: Thu, 15 May 2008 19:34:25 -0400 Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode? Message-ID: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> Hello all, Here is the issue I am facing: We have a server that need to send lots of data to IP addresses not on its local subnet. Server will be directly connected to router interface via ethernet. The server SHOULD set ALL packets with a dst MAC Address of the router (its default gateway) so the packets get delivered to the remote subnets. The server DOES NOT do this... grr. 
Is there a way to have router interface process all packets that arrive on this interface (includes packets that don't have interface MAC Address as dst MAC Address)? All of these packets are destined for remote networks. Thanks. Cheers, RR From blackberry at davidcoulson.net Thu May 15 19:43:19 2008 From: blackberry at davidcoulson.net (=?utf-8?B?RGF2aWQgQ291bHNvbg==?=) Date: Thu, 15 May 2008 23:43:19 +0000 Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode? In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> References: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> Message-ID: <914636838-1210894998-cardhu_decombobulator_blackberry.rim.net-2045603515-@bxe122.bisx.prod.on.blackberry> What mac is it sending too? where does it get the arp entry from? -- David Coulson Sent from my BlackBerry -----Original Message----- From: "Rafael Rodriguez" Date: Thu, 15 May 2008 19:34:25 To: Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode? Hello all, Here is the issue I am facing: We have a server that need to send lots of data to IP addresses not on its local subnet. Server will be directly connected to router interface via ethernet. The server SHOULD set ALL packets with a dst MAC Address of the router (its default gateway) so the packets get delivered to the remote subnets. The server DOES NOT do this... grr. Is there a way to have router interface process all packets that arrive on this interface (includes packets that don't have interface MAC Address as dst MAC Address)? All of these packets are destined for remote networks. Thanks. 
Cheers, RR _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dcp at dcptech.com Thu May 15 19:57:21 2008 From: dcp at dcptech.com (David Prall) Date: Thu, 15 May 2008 19:57:21 -0400 Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode? In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> References: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> Message-ID: <000901c8b6e7$6ed0d6e0$6ed946ab@cisco.com> VACL Capture on OSM/SPA/LAN interfaces or even SPAN on LAN interfaces should work fine. What info does the server receive when it arps for a remote address. I'll assume that both ends have a /30 configured, and you aren't attempting to use Proxy-arp. -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Rafael Rodriguez > Sent: Thursday, May 15, 2008 7:34 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 > to 'promiscuous'mode? > > Hello all, > > Here is the issue I am facing: > > We have a server that need to send lots of data to IP addresses not on > its local subnet. Server will be directly connected to > router interface > via ethernet. > The server SHOULD set ALL packets with a dst MAC Address of the router > (its default gateway) so the packets get delivered to the remote > subnets. > The server DOES NOT do this... grr. > > Is there a way to have router interface process all packets > that arrive > on this interface (includes packets that don't have interface MAC > Address as dst MAC Address)? > > All of these packets are destined for remote networks. Thanks. 
>
> Cheers,
>
> RR

From carl at nerd.com Thu May 15 20:34:12 2008
From: carl at nerd.com (carl)
Date: Thu, 15 May 2008 17:34:12 -0700
Subject: [c-nsp] Cisco ACE Web Application Firewall
Message-ID: <006501c8b6ec$91456380$b3d02a80$@com>

Has anyone had a chance to get a hold of one of these devices, if so what are your thoughts? We currently use Foundry ServerIrons in a DSR setup for our load balancing method and was wondering if the ACE would work in that scenario.

From dhooper at emerge.net.au Thu May 15 21:32:41 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Fri, 16 May 2008 09:32:41 +0800
Subject: [c-nsp] Cat 3560
In-Reply-To: <482CB847.80706@pins.net>
References: <859D2283FD04CA44986CC058E06598F89627AD1366@exchange4.exchange.alphared.local> <482CB847.80706@pins.net>
Message-ID:

carnilya-sw#sh run interface Vlan 2
Building configuration...

Current configuration : 109 bytes
!
interface Vlan2
 description MANAGEMENT SVI
 ip address 10.10.10.105 255.255.255.0
 no ip route-cache
end

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Jason Berenson
> Sent: Friday, 16 May 2008 6:25 AM
> To: mack
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cat 3560
>
> I just pulled the SFP and it turns out it's an HP. The vendor is
> shipping me two new ones. Can anyone give me a snippet of config with
> SVI being used?
> > mack wrote: > >> ------------------------------ > >> > >> Message: 6 > >> Date: Thu, 15 May 2008 16:21:36 -0500 > >> From: Justin Shore > >> Subject: Re: [c-nsp] Cat 3560 > >> To: Jason Berenson > >> Cc: "cisco-nsp at puck.nether.net" > >> Message-ID: <482CA960.7030100 at justinshore.com> > >> Content-Type: text/plain; charset=ISO-8859-1; format=flowed > >> > >> I'd check the IOS version against the model of SFP to make > >> sure that it's supported (though I imagine it will be). > >> I'd agree with the other guys in >saying that it's likely > >> counterfeit. Do you get it from a reputable vendor? > >> > >> Justin > >> > > > > Counterfeit assumes a Cisco label. > > Third-party SFP modules are not counterfeit just unsupported. > > > > It is entirely possible that the SFP isn't > > even programmed for Cisco equipment. > > For example a Dlink SFP will not work in Cisco equipment. > > > > The bad CRC would tend to indicate the programming is > > not correct for Cisco equipment. > > This does not rule out counterfeit or bad hardware. > > > > > >> Jason Berenson wrote: > >> > >>> Now I get media type unknown on one router and media type not > >>> supported on the other. > >>> Justin Shore wrote: > >>> > >>>> It's a hidden command. Copy and paste it in anyway. > >>>> > >>>> Justin > >>>> > >>>> Jason Berenson wrote: > >>>> > >>>>> There doesn't seem to be a service unsupported-transciever > command: > >>>>> > >>>>> router(config)#service uns? > >>>>> % Unrecognized command > >>>>> > >>>>> I tried a shut/no shut, on one of the routers it seemed to work > but > >>>>> not on the other. It still doesn't show the media type though. > >>>>> Here's some output from the logs. 
I have a feeling the SFP is > bad: > >>>>> > >>>>> May 15 15:44:08.519 EST: %GBIC_SECURITY_CRYPT-4- > VN_DATA_CRC_ERROR: > >>>>> GBIC in port 65538 has bad crc > >>>>> May 15 15:44:08.519 EST: %PM-4-ERR_DISABLE: gbic-invalid error > >>>>> detected on Gi0/2, putting Gi0/2 in err-disable state > >>>>> > >>>>> Thanks, > >>>>> Jason > >>>>> > >>>>> > > > > -- > > LR Mack McBride > > Network Administrator > > Alpha Red, Inc. > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From brett at looney.id.au Thu May 15 21:06:09 2008 From: brett at looney.id.au (Brett Looney) Date: Fri, 16 May 2008 09:06:09 +0800 Subject: [c-nsp] Weird Issue with 3750-PoE Switches... In-Reply-To: References: <940dabcc0805151137j768184bi977fac5a1bab2e31@mail.gmail.com> Message-ID: <011401c8b6f1$0c9c42c0$25d4c840$@id.au> I had a similar issue many moons ago with Macs plugged into 3750 switches - they had intermittent issues reaching some network resources. The NIC driver was having a cow about the trunk negotiate packets coming from the switch. Try doing a "switchport nonegotiate" on the port and see if that fixes it. B. From laxplayer at earthlink.net Thu May 15 21:41:28 2008 From: laxplayer at earthlink.net (Jeremy Stinson) Date: Thu, 15 May 2008 21:41:28 -0400 Subject: [c-nsp] CME && 7970 question References: <006501c8b6ec$91456380$b3d02a80$@com> Message-ID: <00f401c8b6f5$f6176430$6b05a8c0@jstinson> Hello, We are having an issue with our 7970 phones and the redial button and I have not been able to find anything on Google. 
When the user hits the redial button it takes up to 20 seconds for the last number dialed to appear. Does anyone have any insight into this?

Thanks,
Jeremy

From Rafael.Rodriguez at msmc.com Thu May 15 22:57:08 2008
From: Rafael.Rodriguez at msmc.com (Rafael Rodriguez)
Date: Thu, 15 May 2008 22:57:08 -0400
Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode?
In-Reply-To: <914636838-1210894998-cardhu_decombobulator_blackberry.rim.net-2045603515-@bxe122.bisx.prod.on.blackberry>
References: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> <914636838-1210894998-cardhu_decombobulator_blackberry.rim.net-2045603515-@bxe122.bisx.prod.on.blackberry>
Message-ID: <13D27D9DCE0E0945A617043C88DD6194014C9E24@SVIPEXC1.msmc.com>

Thanks for the replies. Post below is a bit long but easy to read, please let me know if you guys have any advice.

>What mac is it sending to? where does it get the arp entry from?

Unfortunately this server does not attempt to 'arp' for the remote address, proxy-arp would be the solution in that case.

Let me give some more details on what this server does:

The server (just windows 2003 with software) is a content filter. It has two phy interfaces, one interface is the sniffer interface, the other/regular interface is where you manage the server and where the server sends its 'block' and tcp rst messages to end users.

The sniffer interface just listens for traffic, it does not TX on this interface at all. The sniffer interface is being fed by rspan.

The other/regular interface is where everything else happens. On this interface, any locally generated traffic from the server works as one would expect... Oh, I'm trying to get to a remote network, let me send a packet with the dst mac address of my default gateway, let my default gateway figure out the rest. The part of locally generated traffic works perfectly.

Now the problem.
When the content filter makes a decision of 'blocking' someone's web/http traffic based on traffic it sees on its sniffer interface, the server sends a 'block' message out the other/regular interface.

The server sets the src IP of the packet to the 'bad' website and sets the dst IP to that of the offending end user. The server also sends a tcp rst to the offending end user. ALL of that is perfectly fine.

Problem comes down to how the server sends the data-link address part.

Server is using the wrong dst MAC Address to send packets that reside on remote subnets. By wrong dst MAC Address I mean NOT the MAC Address of the server's default gateway. The server uses the src MAC Address of the 'offending' traffic from the sniffer interface as the dst MAC Address of the 'block' message. Why is this a problem? Well, dst MAC Address is not the MAC Address of the default gateway router - packet just gets dropped in hardware, never makes it up to L3 for processing. The information contained in this paragraph was confirmed/figured out with the help of wireshark.

I am looking for a way to have router interface process all data-link packets regardless if the dst MAC Address is for the router interface.

Thanks for reading, please reply with any info.

Cheers,

RR

-----Original Message-----
From: David Coulson [mailto:blackberry at davidcoulson.net]
Sent: Thursday, May 15, 2008 19:43
To: Rafael Rodriguez; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode?

What mac is it sending to? where does it get the arp entry from?

--
David Coulson
Sent from my BlackBerry

-----Original Message-----
From: "Rafael Rodriguez"
Date: Thu, 15 May 2008 19:34:25
To:
Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode?

Hello all,

Here is the issue I am facing:

We have a server that needs to send lots of data to IP addresses not on its local subnet. Server will be directly connected to router interface via ethernet.
The server SHOULD set ALL packets with a dst MAC Address of the router (its default gateway) so the packets get delivered to the remote subnets. The server DOES NOT do this... grr. Is there a way to have router interface process all packets that arrive on this interface (includes packets that don't have interface MAC Address as dst MAC Address)? All of these packets are destined for remote networks. Thanks. Cheers, RR _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From dcp at dcptech.com Thu May 15 23:13:28 2008 From: dcp at dcptech.com (David Prall) Date: Thu, 15 May 2008 23:13:28 -0400 Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous'mode? In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194014C9E24@SVIPEXC1.msmc.com> References: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> <914636838-1210894998-cardhu_decombobulator_blackberry.rim.net-2045603515-@bxe122.bisx.prod.on.blackberry> <13D27D9DCE0E0945A617043C88DD6194014C9E24@SVIPEXC1.msmc.com> Message-ID: <001001c8b702$d4bf8d00$6ed946ab@cisco.com> The only time I've seen products like this, they had to be on a layer 2 subnet. Typically a hub was placed between the Internet Router or Firewall Internal Interface, and the switch. Everything just magically happened there. The software appears to think they are on the same L2 subnet. It is spoofing both the L3 and L2 address, when it should only be spoofing L3. What happens when you change the interface it is on to be a switchport in the same vlan that traffic is being received from, and put the default gateway address as a secondary. 
David -- http://dcp.dcptech.com > -----Original Message----- > From: Rafael Rodriguez [mailto:Rafael.Rodriguez at msmc.com] > Sent: Thursday, May 15, 2008 10:57 PM > To: david at davidcoulson.net; Ryan.Otis at WebTrends.com; > jmaimon at ttec.com; dcp at dcptech.com; cisco-nsp at puck.nether.net > Subject: RE: [c-nsp] Set a L3 routed interface on a 6500 + > SUP2 to 'promiscuous'mode? > > Thanks for the replies. Post below is a bit long but easy to read, > please let me know if you guys have any advice. > > >What mac is it sending too? where does it get the arp entry from? > > Unfortunately this server does not attempt to 'arp' for the remote > address, proxy-arp would be the solution in that case. > > Let me give some more details on what this server does: > > The server (just windows 2003 with software) is a content filter. It > has two phy interfaces, one interface is the sniffer interface, the > other/regular interface is were you manage the server and were the > server sends its 'block' and tcp rst messages to end users. > > The sniffer interface just listens for traffic, it does not TX on this > interface at all. > The sniffer interface is being fed by rspan. > > The other/regular interface is were everything else happens. On this > interface, any locally traffic generated by server works as one would > expect... Oh, im trying to get to a remote network, let me send packet > with dst mac address of my default gateway, let my default gateway > figure out the rest. The part of locally generated traffic works > perfectly. > > Now the problem. > > When the content filter makes a decision of 'blocking' > someones web/http > traffic based on traffic it sees on its sniifer interface, the server > sends a 'block' message out the other/regular interface. > > The server sets the src IP of the packet to the 'bad' website and sets > the dst IP to that of the offending end user. The server also sends a > tcp rst to offending end user. > ALL of that is perfectly fine. 
> > Problem comes down to how the server sends the data-link address part. > > Server is using the wrong dst MAC Address to send packets > that reside on > remote subnets. By wrong dst MAC Address I mean NOT the MAC > Address of > the servers default gateway. > The server uses the src MAC Address of the 'offending' > traffic from the > sniffer interface as the dst MAC Address of the 'block' > message. Why is > this a problem? Well, dst MAC Address is not the MAC Address of the > default gateway router - packet just gets dropped in hardware, never > makes it up to L3 for processing. The information contained in this > paragraph was confirmed/figured out with the help of wireshark. > > I am looking for a way to have router interface process all data-link > packets regardless if the dst MAC Address is for the router interface. > > Thanks for reading, please reply with any info. > > > Cheers, > > RR > > -----Original Message----- > From: David Coulson [mailto:blackberry at davidcoulson.net] > Sent: Thursday, May 15, 2008 19:43 > To: Rafael Rodriguez; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to > 'promiscuous'mode? > > What mac is it sending too? where does it get the arp entry from? > > -- > David Coulson > Sent from my BlackBerry > > -----Original Message----- > From: "Rafael Rodriguez" > > Date: Thu, 15 May 2008 19:34:25 > To: > Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to > 'promiscuous' > mode? > > > Hello all, > > Here is the issue I am facing: > > We have a server that need to send lots of data to IP addresses not on > its local subnet. Server will be directly connected to > router interface > via ethernet. > The server SHOULD set ALL packets with a dst MAC Address of the router > (its default gateway) so the packets get delivered to the remote > subnets. > The server DOES NOT do this... grr. 
>
> Is there a way to have router interface process all packets
> that arrive
> on this interface (includes packets that don't have interface MAC
> Address as dst MAC Address)?
>
> All of these packets are destined for remote networks. Thanks.
>
> Cheers,
>
> RR

From stig.johansen at ementor.no Thu May 15 23:47:39 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Fri, 16 May 2008 05:47:39 +0200
Subject: [c-nsp] Cat 3560
In-Reply-To: <482CB847.80706@pins.net>
References: <859D2283FD04CA44986CC058E06598F89627AD1366@exchange4.exchange.alphared.local> <482CB847.80706@pins.net>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50308144A@100NOOSLMSG004.common.alpharoot.net>

Jason wrote:
>I just pulled the SFP and it turns out it's an HP. The vendor is
>shipping me two new ones. Can anyone give me a snippet of config with
>SVI being used?

Try this:

!
ip routing
!
vlan 100
 name whatever
!
interface GigabitEthernet0/2
 description << TLS 1G primary >>
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100
 switchport mode trunk
 speed nonegotiate
 no cdp enable
!
interface Vlan100
 description SVI interface
 ip address 192.0.2.1 255.255.255.0
!

best regards,
Stig Meireles Johansen

From stig.johansen at ementor.no Fri May 16 00:20:12 2008
From: stig.johansen at ementor.no (Stig Johansen)
Date: Fri, 16 May 2008 06:20:12 +0200
Subject: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to'promiscuous'mode?
In-Reply-To: <13D27D9DCE0E0945A617043C88DD6194014C9E24@SVIPEXC1.msmc.com>
References: <13D27D9DCE0E0945A617043C88DD6194014C9E23@SVIPEXC1.msmc.com> <914636838-1210894998-cardhu_decombobulator_blackberry.rim.net-2045603515-@bxe122.bisx.prod.on.blackberry> <13D27D9DCE0E0945A617043C88DD6194014C9E24@SVIPEXC1.msmc.com>
Message-ID: <13A13E9CF0F76342A79031B9E558C0C50308144B@100NOOSLMSG004.common.alpharoot.net>

Sorry, but this sounds like a "won't work". Your server is depending on
sending spoofed packets. If this was on a local VLAN, you could simply put
if2 in the same VLAN as the sniffer-if and let it work from there.

I see you mentioned the traffic is fed by RSPAN, so I guess the traffic isn't
local, and may even be from different VLANs. That's when it would be a
problem. Put your server in a central place where all traffic must pass and
do it from there, and if you have redundant paths you should also have
redundant servers.

Alternatively, you should look into building a "blackbox" to accept these
packets and forward into the network. The Cisco gear won't do this for you.

That said, if you want to experiment further, look into using RSPAN to send
these packets out on the network again... This may mean you'll need a third
if for management, but it could be worth a try.

Best regards,
Stig Meireles Johansen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rafael Rodriguez
Sent: 16. mai 2008 04:57
To: david at davidcoulson.net; Ryan.Otis at webtrends.com; jmaimon at ttec.com; dcp at dcptech.com; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Set a L3 routed interface on a 6500 + SUP2 to 'promiscuous' mode?

Thanks for the replies. Post below is a bit long but easy to read, please
let me know if you guys have any advice.

> What mac is it sending too? where does it get the arp entry from?

Unfortunately this server does not attempt to 'arp' for the remote address;
proxy-arp would be the solution in that case. Let me give some more details
on what this server does:

The server (just Windows 2003 with software) is a content filter. It has two
phy interfaces: one interface is the sniffer interface, the other/regular
interface is where you manage the server and where the server sends its
'block' and TCP RST messages to end users. The sniffer interface just listens
for traffic, it does not TX on this interface at all. The sniffer interface
is being fed by RSPAN. The other/regular interface is where everything else
happens. On this interface, any locally generated traffic from the server
works as one would expect... "Oh, I'm trying to get to a remote network, let
me send the packet with the dst MAC address of my default gateway, let my
default gateway figure out the rest." The part of locally generated traffic
works perfectly.

Now the problem. When the content filter makes a decision of 'blocking'
someone's web/http traffic based on traffic it sees on its sniffer interface,
the server sends a 'block' message out the other/regular interface. The
server sets the src IP of the packet to the 'bad' website and sets the dst
IP to that of the offending end user. The server also sends a TCP RST to the
offending end user. ALL of that is perfectly fine. The problem comes down to
how the server sends the data-link address part. The server is using the
wrong dst MAC address to send packets that reside on remote subnets. By
wrong dst MAC address I mean NOT the MAC address of the server's default
gateway. The server uses the src MAC address of the 'offending' traffic from
the sniffer interface as the dst MAC address of the 'block' message. Why is
this a problem? Well, the dst MAC address is not the MAC address of the
default gateway router - the packet just gets dropped in hardware, never
makes it up to L3 for processing.

The information contained in this paragraph was confirmed/figured out with
the help of Wireshark.

I am looking for a way to have the router interface process all data-link
packets regardless of whether the dst MAC address is for the router
interface.

Thanks for reading, please reply with any info.

Cheers,
RR

From tedm at toybox.placo.com Fri May 16 01:42:13 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Thu, 15 May 2008 22:42:13 -0700
Subject: [c-nsp] Fake Cisco Equipment News Articles - very interesting
In-Reply-To: <1210754098.872.11.camel@dusken.sys.mjna.net>
Message-ID: 

> -----Original Message-----
> From: Peter Rathlev [mailto:peter at rathlev.dk]
> Sent: Wednesday, May 14, 2008 1:35 AM
> To: Ted Mittelstaedt
> Cc: cisco-nsp
> Subject: RE: [c-nsp] Fake Cisco Equipment News Articles - very
> interesting
>
>
> On Tue, 2008-05-13 at 22:43 -0700, Ted Mittelstaedt wrote:
>
> > People post on this list every day of problems they are having
> > with Cisco equipment, then proceed to lambast various Cisco IOS
> > revisions for breaking things. Well, how do I know that when
> > someone reports X.Y.Z version of IOS is bad because it's making
> > my router reboot all the time, that their router's not rebooting
> > all the time because it's counterfeit? I don't. So, am I going
> > to then base my decisions on whether to deploy X.Y.Z based on bad
> > data? Are you? Are you happy doing this?
> >
> > If not, then shut up about the so-called "political counterfeiting"
> > discussion. This is most definitely on topic.
>
> Easy there, I was just asking whether people thought it was on topic. I
> didn't say that I disagree about what you explain, just that it tends
> towards politics, and that I personally think that politics shouldn't be
> a part of C-NSP. There are other forums for that. I really can't see why
> you have to ask me to "shut up",

I'm very sorry that you have decided to reinterpret a pretty clear statement
that you should shut up about labelling a specific discussion thread
political, into a blanket statement that you're being asked to completely
shut up. Perhaps you have a paranoid complex and should see a psychologist?

I'm just calling and raising in the silliness game here, Peter. ;-)

Seriously, I objected to your post simply because you're taking a neutral
word "politics" and immediately making an assumption that it's a "bad"
word. As in all the Right Thinking Folk believe that political discourse is
a bad thing, and should not be spoken of.

If you found Scott's rant about Chinese outsourcing out of place simply
because it was a political rant, and contributed nothing of value to the
technical discussion about counterfeit Cisco gear, well there is nothing
wrong with that. It could have been more respectful to simply say that you
didn't think his last paragraph on Chinese outsourcing was on the topic he
was discussing. Rather than what you did, which was to attempt to terminate
the entire thread using a neutral word as a negative label.

In other words, you're calling for the end of the thread claiming it's too
political, by doing one of the most common things that a politician does,
redefine words - in short, you're engaging in political activity to object
to political discussion. Classic, textbook, Politics 101.

> I agree about the fact that Cisco has some explaining to
> do about this issue.

So do I. And, the silence from the Cisco employee(s) that normally follow
this list, on this topic, speaks volumes.

Ted

From jcdarby at usgs.gov Fri May 16 02:41:46 2008
From: jcdarby at usgs.gov (Justin C. Darby)
Date: Fri, 16 May 2008 01:41:46 -0500
Subject: [c-nsp] Cisco ACE Web Application Firewall
In-Reply-To: <006501c8b6ec$91456380$b3d02a80$@com>
References: <006501c8b6ec$91456380$b3d02a80$@com>
Message-ID: <7C238F0B-6005-4F7F-AFB2-B715F36A1D78@usgs.gov>

The general specifications on the device indicate it can handle DSR (we
also use DSR at our site but not on ACE), but it does so by claiming it can
do everything IP-SLB does. I'd check with a sales rep to ensure it'll work
(all of the documentation related to IP-SLB and ACE functionality is pretty
hard to come by in our experience; they don't document DSR well at all,
dating all the way back to old CSS and CSM documentation, even though their
configuration documents referenced it).

The ACE has a lot of features you probably won't ever need and that you will
most certainly pay for related to layer 4-7 load balancing, though. You may
want to consider using the IP-SLB functionality (essentially, a software
Content Services Module) in another Cisco product that supports it, e.g.
the 7200 for stand-alone, or the IP-SLB features present on the 6500 series
switch supervisors. It requires enterprise IOS licensing, but in our
experience, it's a lot cheaper than the ACE -- and, if any of the things
we've heard about the ACE are true, a lot easier to configure.

Also to keep in mind: the 7201 for example only has about 4Gb of backplane
and only has four GbE links. It might not meet your performance requirements.

Because of the documentation problem, I'd also keep the device covered under
Smartnet, at least for your initial configuration, so you can work it out
with an engineer on the phone if you've got problems.

Justin

On May 15, 2008, at 7:34 PM, carl wrote:

> Has anyone had a chance to get a hold of one of these devices, if so
> what are your thoughts? We currently use Foundry ServerIrons in a DSR
> setup for our load balancing method and was wondering if the ACE would
> work in that scenario.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cisco-nsp at ibh.net Fri May 16 02:50:05 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Fri, 16 May 2008 08:50:05 +0200
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <48277290.9050805@gtcomm.net>
References: <48277290.9050805@gtcomm.net>
Message-ID: <20080516065005.GB32704@ibh.de>

Hi Paul,

On Sun, May 11, 2008 at 06:26:24PM -0400, Paul wrote:
> Anyone out there have 3750 running 12.2(44)SE1 ?
> Strange issue with the CPU sitting at 5% no matter what is going on,
> zero traffic or lots of traffic.
> Simple config, very few routes, 2 etherchannels, nothing major.

This is normal for those platforms which do almost all that is essential
in forwarding traffic using their ASICs, with only initial packets of
new flows being punted up to the CPU. What you see is mostly housekeeping
like STP, your IGP running etc. On the old XL series the load was very
high, and the offender was - hold your breath - the process that made the
front LEDs blink.

3560E-24   5.51%
3560E-48   7.47%
2970G-24   4.90%
3548XL    52.20%

Seems to still be count-of-LEDs dependent ;)

> Just curious.. It's not affecting anything except the ping time when you
> ping the switch directly.

Well, "Routers are no PING servers" and all that.

Andre.
-- 
Real men don't make backups of their mail. They just send it out on the
Internet and let the secret services do the hard work.
-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From dean at eatworms.org.uk Fri May 16 03:15:22 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Fri, 16 May 2008 08:15:22 +0100
Subject: [c-nsp] Cisco ACE Web Application Firewall
In-Reply-To: <7C238F0B-6005-4F7F-AFB2-B715F36A1D78@usgs.gov>
References: <006501c8b6ec$91456380$b3d02a80$@com> <7C238F0B-6005-4F7F-AFB2-B715F36A1D78@usgs.gov>
Message-ID: <00ea01c8b724$9b3ef800$d1bce800$@org.uk>

I'm not sure the ACE would work well in a DSR environment. Its default
behaviour is to terminate the client TCP session itself and then create a
new connection to the server. It's been a while since I went through the
docs but DSR isn't a natural fit.

(We do have some ACE deployed. Our next load balancing requirement will use
Foundry ServerIron.)

It does seem to take a while for the CCO docs to be updated with details for
newer ACE OS.

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin C. Darby
Sent: 16 May 2008 07:42
To: carl
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco ACE Web Application Firewall

The general specifications on the device indicate it can handle DSR (we
also use DSR at our site but not on ACE), but it does so by claiming it can
do everything IP-SLB does. I'd check with a sales rep to ensure it'll work
(all of the documentation related to IP-SLB and ACE functionality is pretty
hard to come by in our experience; they don't document DSR well at all,
dating all the way back to old CSS and CSM documentation, even though their
configuration documents referenced it).

The ACE has a lot of features you probably won't ever need and that you will
most certainly pay for related to layer 4-7 load balancing, though. You may
want to consider using the IP-SLB functionality (essentially, a software
Content Services Module) in another Cisco product that supports it, e.g.
the 7200 for stand-alone, or the IP-SLB features present on the 6500 series
switch supervisors. It requires enterprise IOS licensing, but in our
experience, it's a lot cheaper than the ACE -- and, if any of the things
we've heard about the ACE are true, a lot easier to configure.

Also to keep in mind: the 7201 for example only has about 4Gb of backplane
and only has four GbE links. It might not meet your performance requirements.

Because of the documentation problem, I'd also keep the device covered under
Smartnet, at least for your initial configuration, so you can work it out
with an engineer on the phone if you've got problems.

Justin

On May 15, 2008, at 7:34 PM, carl wrote:

> Has anyone had a chance to get a hold of one of these devices, if so
> what are your thoughts? We currently use Foundry ServerIrons in a DSR
> setup for our load balancing method and was wondering if the ACE would
> work in that scenario.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From A.L.M.Buxey at lboro.ac.uk Fri May 16 03:46:12 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 16 May 2008 08:46:12 +0100
Subject: [c-nsp] Weird Issue with 3750-PoE Switches...
In-Reply-To: <011401c8b6f1$0c9c42c0$25d4c840$@id.au>
References: <940dabcc0805151137j768184bi977fac5a1bab2e31@mail.gmail.com> <011401c8b6f1$0c9c42c0$25d4c840$@id.au>
Message-ID: <20080516074612.GA8549@lboro.ac.uk>

Hi,

> I had a similar issue many moons ago with Macs plugged into 3750 switches -
> they had intermittent issues reaching some network resources. The NIC driver
> was having a cow about the trunk negotiate packets coming from the switch.
> Try doing a "switchport nonegotiate" on the port and see if that fixes it.

yep - seen same issue with Macs attempting to do LLDP on their ports - a bit
of a pain, but handy if you do want them to channel bond :-)

nonegotiate should be standard on an edge port. globally for portfast.

alan

From CB at nianet.dk Fri May 16 03:52:06 2008
From: CB at nianet.dk (Christian Bering)
Date: Fri, 16 May 2008 09:52:06 +0200
Subject: [c-nsp] iBGP not propogating route to 0/8
References: <482CABBF.3010009@justinshore.com>
Message-ID: 

Hi Justin,

> I just noticed that my RTBH setup is not propagating one of my BOGON
> routes. Specifically it's not propagating 0.0.0.0/255.0.0.0
> (0/8).

IOS seems to treat anything starting with 0.0.0.0 as a default no matter the
mask so it won't be propagated internally unless you enable
'default-information originate'.

-- 
Regards
Christian Bering
IP engineer, nianet a/s
Phone: (+45) 7020 8730

From sthaug at nethelp.no Fri May 16 04:51:03 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 16 May 2008 10:51:03 +0200 (CEST)
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <20080516065005.GB32704@ibh.de>
References: <48277290.9050805@gtcomm.net> <20080516065005.GB32704@ibh.de>
Message-ID: <20080516.105103.74701746.sthaug@nethelp.no>

> This is normal for those platforms which do almost all that is essential
> in forwarding traffic using their ASICs, with only initial packets of
> new flows being punted up to the CPU.

No, the "initial packets of new flows being punted up to the CPU" is
*not* the case for this platform (or for any modern switch platform).
It was an issue for older 6500 boxes (Sup1a?).

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From david.freedman at uk.clara.net Fri May 16 08:46:19 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 16 May 2008 13:46:19 +0100
Subject: [c-nsp] WDM equipment
In-Reply-To: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com>
Message-ID: 

Ghip (http://www.ghipsystems.com). Nice, low-cost kit.

Dave.

Fredrik Jacobsson wrote:
> Greetings.
>
> I'm looking into WDM-equipment to save fiber costs. Using ethernet and
> fibrechannel, mainly Cisco and Brocade.
>
> Are there anyone here with experience with equipment from Adva or Mrv?
>
> Happy?
>
> Thanks
> /Fredrik
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From muluhya at yahoo.com Fri May 16 08:40:59 2008
From: muluhya at yahoo.com (peter mahuhu)
Date: Fri, 16 May 2008 05:40:59 -0700 (PDT)
Subject: [c-nsp] help:mail subject
Message-ID: <134157.60415.qm@web57402.mail.re1.yahoo.com>

Hi,

I have a problem with my mails since subscription in that the mails do not
indicate the subject, so for me to know what is in the mail from this group,
I have to open it. The mail appears in my mail box as below:

cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 26   Thu May 08, 2008   24k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 25   Thu May 08, 2008    9k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 24   Thu May 08, 2008   19k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 22   Wed May 07, 2008   19k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 21   Wed May 07, 2008   12k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 20   Wed May 07, 2008   18k   [input]
cisco-nsp-request@ puck.nether.net   cisco-nsp Digest, Vol 66, Issue 19   Wed May 07, 2008   19k

From tim at pelican.org Fri May 16 09:52:02 2008
From: tim at pelican.org (Tim Franklin)
Date: Fri, 16 May 2008 14:52:02 +0100 (BST)
Subject: [c-nsp] help:mail subject
In-Reply-To: <134157.60415.qm@web57402.mail.re1.yahoo.com>
References: <134157.60415.qm@web57402.mail.re1.yahoo.com>
Message-ID: <1194.87.84.237.95.1210945922.squirrel@webmail.pelican.org>

On Fri, May 16, 2008 1:40 pm, peter mahuhu wrote:
> I have a problem with my mails since subscription in that the mails
> do not indicate the subject, so for me to know what is in the mail from
> this group, I have to open it. The mail appears in my mail box as below
>
>
>
> cisco-nsp-request@ puck.nether.net cisco-nsp Digest, Vol 66, Issue 26
> Thu May 08, 2008 24k [input]

You've subscribed to the digest rather than the individual mails. You can
change your options at https://puck.nether.net/mailman/listinfo/cisco-nsp.

Regards,
Tim.

From achatz at forthnet.gr Fri May 16 10:58:15 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 16 May 2008 17:58:15 +0300
Subject: [c-nsp] 7609 OIR and chaos theory ;)
Message-ID: <482DA107.9060300@forthnet.gr>

You might want to give it a try... trying to explain why Gi1/1 became shut
when module 7 was removed!!!

May 16 17:12:55: %SNMP-5-MODULETRAP: Module 7 [Down] Trap
May 16 17:12:55: %OIR-SP-6-REMCARD: Card removed from slot 7, interfaces disabled
May 16 17:13:02: %EARL-DFC1-2-SWITCH_BUS_IDLE: Switching bus is idle for 5 seconds. The card grant is 0
May 16 17:13:02: %EARL_L2_ASIC-DFC1-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB0000EBD
May 16 17:13:10: %LINK-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:10: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
May 16 17:13:10: %LINK-SP-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:10: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet1/1, changed state to down
May 16 17:13:11: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:12: %LINK-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:11: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:12: %LINK-SP-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:13: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:13: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:13: %LINK-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:13: %LINK-SP-5-CHANGED: Interface GigabitEthernet1/1, changed state to administratively down
May 16 17:13:19: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:20: %LINK-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up
May 16 17:13:19: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/1, changed state to down
May 16 17:13:20: %LINK-SP-3-UPDOWN: Interface GigabitEthernet1/1, changed state to up

7609/SUP720/SXF10

I have already read
http://puck.nether.net/pipermail/cisco-nsp/2005-April/019343.html, so I
guess I must get "used" to the bus stall event. But I still cannot
understand: why Gi1/1?

-- 
Tassos

From Michael.Heimann at nscglobal.de Fri May 16 11:39:29 2008
From: Michael.Heimann at nscglobal.de (Michael Heimann)
Date: Fri, 16 May 2008 17:39:29 +0200
Subject: [c-nsp] 2811 and Etherchannel with onboard FE interfaces
References: 
Message-ID: <920404479412A34EAA2ADE3D8CA7C51A94C1@olcs-43.nsc-technology.com>

Hi,

I have a 2811 with IOS 12.4(15)T4 and can't get Etherchannel to work with
the onboard FE links. I've read conflicting statements from Cisco about
Etherchannel with onboard links on the 28xx platform:

It's not working:
http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80169bf0.html

It works since IOS 12.4(17.6): (Page 6)
http://www.cisco.com/en/US/prod/collateral/routers/ps5855/prod_white_paper0900aecd806f698a.pdf

I do need this feature and several 12.4T IOS features (e.g. current CME...).

Has anyone ever configured Etherchannel on a 28xx router with a 12.4T IOS?!?
Does anybody know when/if this will be possible?

Michael

From dsinn at dsinn.com Fri May 16 12:06:14 2008
From: dsinn at dsinn.com (David Sinn)
Date: Fri, 16 May 2008 09:06:14 -0700
Subject: [c-nsp] iBGP not propogating route to 0/8
In-Reply-To: <482CABBF.3010009@justinshore.com>
References: <482CABBF.3010009@justinshore.com>
Message-ID: 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On May 15, 2008, at 2:31 PM, Justin Shore wrote:

> I can't think of any reason why this prefix wouldn't be advertised.
> Any ideas? I noticed it today because I have customers trying to hit 0/8
> IPs (0.4.24.200 for example) that my egress ACLs are catching.

This is due to how Cisco treats martian networks per their interpretation
(or real meaning) of RFC 1812. Since the following are martians, to cover
the "Should not" route part of 5.3.7, they won't install them in the route
table.

0.0.0.0/8
127.0.0.0/8
128.0.0.0/16
181.255.0.0/16
192.0.0.0/24
233.255.255.0/24
240.0.0.0/4

I've only personally tested 240.0.0.0/4 and it will not install in the
route table.
I've also not tried to figure out what more or less specific routes you
could try and install to cover these blocks.

David

> Thanks
> Justin
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkgtsPYACgkQLa9jIE3ZamNprgCfUAoV0GXj0Ob1HNg8pyifER1a
6T8AoIWpvrB87i+VjRmp3avNPNRTJAV8
=1Klc
-----END PGP SIGNATURE-----

From cisco-nsp at ibh.net Fri May 16 12:17:04 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Fri, 16 May 2008 18:17:04 +0200
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <20080516.105103.74701746.sthaug@nethelp.no>
References: <48277290.9050805@gtcomm.net> <20080516065005.GB32704@ibh.de> <20080516.105103.74701746.sthaug@nethelp.no>
Message-ID: <20080516161704.GB32495@ibh.de>

On Fri, May 16, 2008 at 10:51:03AM +0200, sthaug at nethelp.no wrote:
> > This is normal for those platforms which do almost all that is essential
> > in forwarding traffic using their ASICs, with only initial packets of
> > new flows being punted up to the CPU.
>
> No, the "initial packets of new flows being punted up to the CPU" is
> *not* the case for this platform (or for any modern switch platform).
> It was an issue for older 6500 boxes (Sup1a?).

I stand corrected. I assumed that to be the case because on the first 3750
that hit my lab, I configured the (unsupported on that platform) NetFlow
data export and I seem to remember that I have seen *some* traffic, but it
was just a very small trickle, orders of magnitude below the actual flows
going through the box. I assumed that what I see are just the punts. Or was
this the broken counters on SVIs? Damn LRU brain cache line dropping...

Probably what I saw was just traffic hitting the control plane?

Thanks,
Andre.
-- 
Real men don't make backups of their mail. They just send it out on the
Internet and let the secret services do the hard work.
-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From sthaug at nethelp.no Fri May 16 12:42:25 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 16 May 2008 18:42:25 +0200 (CEST)
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <20080516161704.GB32495@ibh.de>
References: <20080516065005.GB32704@ibh.de> <20080516.105103.74701746.sthaug@nethelp.no> <20080516161704.GB32495@ibh.de>
Message-ID: <20080516.184225.74714521.sthaug@nethelp.no>

> I assumed that to be the case because on the first 3750 that hit my
> lab, I configured the (unsupported on that platform) NetFlow data
> export and I seem to remember that I have seen *some* traffic, but
> it was just a very small trickle, orders of magnitude below the
> actual flows going through the box. I assumed that what I see are
> just the punts.

You saw traffic being CPU switched for some reason.

> Or was this the broken counters on SVIs? Damn LRU brain cache line
> dropping...

None of the 3550/3560/3750 family have functioning SVI counters - the
hardware to do it just isn't there.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From cisco-nsp at ibh.net Fri May 16 13:03:34 2008
From: cisco-nsp at ibh.net (Andre Beck)
Date: Fri, 16 May 2008 19:03:34 +0200
Subject: [c-nsp] Turning on no ip unreachables and the effects
In-Reply-To: 
References: 
Message-ID: <20080516170334.GC32495@ibh.de>

Hi Kevin,

On Fri, May 09, 2008 at 10:31:05AM +0100, Kevin Barrass wrote:
>
> I've seen in the below link that enabling "no ip unreachables" on a
> interface can break PMTUD across your network if the outgoing interface
> is then on a link with an MTU too small as the interface with "no ip
> unreachables" will not send a packet too big type message.

It would be correct if the command had this effect, given that the ICMP
TYPE/CODE in question (3/4) is in fact an "unreachable". Other unreachable
types are "no route to network" (usually meaning there is no route to the
destination in the RIB/FIB of the reporting router), "no route to host"
(typically reported when ARP resolution failed for a destination IP on the
router that connects to the destination network, though Cisco IOS is known
to not generate this kind of error message for reasons beyond me) and
"administratively unreachable" as generated by a firewall.

The intention of plugging this silly command is probably to suppress the
latter meaning on a firewall style device. But it breaks a whole and
*essential* subclass of ICMP messages and obviously is just begging for
trouble. Almost like those people who fell to the ICMP persecution complex
("There once was the PING of DEATH, so all ICMP must be banned") and filter
it altogether, just more subtle.

There are way too many devices out there configured with this command
though, thanks to SDM. My procedure for new boxes that have SDM on them
before they go to customers as CPEs: delete everything from flash, install
the latest stable IOS for the platform, erase startup, configure it for the
customers' needs. Never let the remains of SDM survive in the poor nvram or
flash...

> Does anyone have a link to a definitive list as to the effect of turning
> on this command as I thought that turning on this command didn't prevent
> the interface sending TTL expired and hence not breaking trace route but
> now I'm unsure.

It could not break traceroute because "TTL exceeded" is NOT an unreachable.
It's a "Time exceeded" type, with code "time to live exceeded in transit"
(the other code of this type is "time exceeded in reassembly" which means a
fragment was lost).

I do not have a list that tells exactly what the command does, but I abhor
what it says it does according to RFC 792 just by name - it prevents the
generation of any ICMP message of type 3 (unreachable). And this is
unacceptable.

HTH,
Andre.
-- 
Real men don't make backups of their mail. They just send it out on the
Internet and let the secret services do the hard work.
-> Andre Beck    +++ ABP-RIPE +++    IBH IT-Service GmbH, Dresden <-

From rodunn at cisco.com Fri May 16 13:44:21 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 16 May 2008 13:44:21 -0400
Subject: [c-nsp] Anyone running RSP720's and flexwans in a 76xx with full routes?
Message-ID: <20080516174421.GH24001@rtp-cse-489.cisco.com>

If so, could you ping me offline. I'd like to get a little data on it.

Rodney

From gert at greenie.muc.de Fri May 16 14:45:04 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 16 May 2008 20:45:04 +0200
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <482BCD14.9040400@justinshore.com>
References: <79b6f8780805090004v6fcffd3du9c45b5e41375a65a@mail.gmail.com> <1A9866F953006D45AEE0166066114E090F701AF7@TPMAIL02.corp.theplatform.com> <9f785d120805131040v587e0ddfne0b33d1cd5a9a2c9@mail.gmail.com> <482BCD14.9040400@justinshore.com>
Message-ID: <20080516184503.GE3278@greenie.muc.de>

Hi,

On Thu, May 15, 2008 at 12:41:40AM -0500, Justin Shore wrote:
> As a network engineer I've found that the vast majority of my job is
> helping other people find their problems. The network seldom breaks and
> when it does it's not subtle; it's catastrophic. Even highly skilled
> technical people still blame the network when their stuff doesn't work
> right (after all my network is just a bunch of tubes, right?).
> Networking is like mysterious dark magic that no one seems to
> understand.

*applause* :-)

While this is getting very much off-topic on *cisco*-nsp, I can't help but
notice certain similarities in my day-to-day job... "things are not
working, it must be your stupid firewall filters" (client and server are in
the same L2 network, and no, there are no L2 ACLs anywhere...).

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20080516/f2447f15/attachment.bin

From achatz at forthnet.gr Fri May 16 17:33:55 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Sat, 17 May 2008 00:33:55 +0300
Subject: [c-nsp] iBGP not propogating route to 0/8
In-Reply-To: 
References: <482CABBF.3010009@justinshore.com>
Message-ID: <482DFDC3.1000406@forthnet.gr>

I think it has to do with the default route "confusion"...

1) You can use "default-information originate" under the bgp process and
trick bgp that this is the default route (I guess only the network part is
checked). The network is shown as "0.0.0.0/8" which means that the router
doesn't consider /8 to be the default length of 0.0.0.0, like in 3.0.0.0.

R1>sh ip bgp
BGP table version is 20, local router ID is 1.1.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i0.0.0.0/8        1.1.1.2                  0    500      0 i
*>i3.0.0.0          1.1.1.2                  0    500      0 i

2) You can use "network 0.0.0.0 mask 255.0.0.0 route-map static-to-bgp"
under bgp and force its advertisement.

Method 1 requires redistribution of the route, method 2 requires the route
to be present in IGP/static.

In your case, you have both ;)

-- 
Tassos

David Sinn wrote on 16/5/2008 7:06 μμ:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On May 15, 2008, at 2:31 PM, Justin Shore wrote:
>
>> I can't think of any reason why this prefix wouldn't be advertised.
>> Any ideas? I noticed it today because I have customers trying to hit 0/8
>> IPs (0.4.24.200 for example) that my egress ACLs are catching.
>
> This is due to how Cisco treats martian networks per their
> interpretation (or real meaning) of RFC 1812. Since the following are
> martians, to cover the "Should not" route part of 5.3.7, they won't
> install them in the route table.
>
> 0.0.0.0/8
> 127.0.0.0/8
> 128.0.0.0/16
> 181.255.0.0/16
> 192.0.0.0/24
> 233.255.255.0/24
> 240.0.0.0/4
>
> I've only personally tested 240.0.0.0/4 and it will not install in the
> route table. I've also not tried to figure out what more or less
> specific routes you could try and install to cover these blocks.
>
> David
>
>
>> Thanks
>> Justin
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Darwin)
>
> iEYEARECAAYFAkgtsPYACgkQLa9jIE3ZamNprgCfUAoV0GXj0Ob1HNg8pyifER1a
> 6T8AoIWpvrB87i+VjRmp3avNPNRTJAV8
> =1Klc
> -----END PGP SIGNATURE-----
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

-- 
***************************************
Tassos Chatzithomaoglou
Network Design & Development Department
FORTHnet S.A.
***************************************
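The martian handling David describes and the forced-advertisement workaround Tassos and Justin settled on, as an added example that is not code from the thread, from Cisco or from any of the posters: a small Python check to run over an RTBH prefix list before pushing it, so you know in advance which prefixes fall inside the blocks David listed (taken verbatim from his post above, not re-verified here against RFC 1812) or start at 0.0.0.0 (which, per Christian's earlier note, IOS treats as a default regardless of mask), and which therefore need the "network <addr> mask <mask> route-map ..." form rather than plain redistribution. The route-map name static-to-bgp is the one from Tassos's post; the AS number in the printed output and the sample prefix list are constructed placeholders.

```python
import ipaddress

# Blocks David Sinn listed in the thread above as ones IOS refuses to install;
# copied from his post as written, not re-verified against RFC 1812.
MARTIANS_FROM_THREAD = [
    "0.0.0.0/8",
    "127.0.0.0/8",
    "128.0.0.0/16",
    "181.255.0.0/16",
    "192.0.0.0/24",
    "233.255.255.0/24",
    "240.0.0.0/4",
]
MARTIANS = [ipaddress.IPv4Network(p) for p in MARTIANS_FROM_THREAD]


def overlapping_martians(prefix):
    """Martian blocks (as strings) that `prefix` overlaps.

    Overlap in either direction counts: an RTBH /24 inside 0.0.0.0/8 and a
    summary that contains 240.0.0.0/4 are both affected."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return [str(m) for m in MARTIANS if net.overlaps(m)]


def is_default_like(prefix):
    """True when the prefix starts at 0.0.0.0; per the thread, IOS treats such
    a prefix as a default route no matter the mask length."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return net.network_address == ipaddress.IPv4Address("0.0.0.0")


def network_statement(prefix, route_map=None):
    """Render the 'network <addr> mask <mask> [route-map <name>]' line the
    thread uses to force the advertisement (without the leading indentation
    IOS shows under 'router bgp')."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    line = f"network {net.network_address} mask {net.netmask}"
    if route_map:
        line += f" route-map {route_map}"
    return line


def audit_rtbh_prefixes(prefixes, route_map="static-to-bgp"):
    """Classify each candidate prefix and collect the config lines needed for
    the ones iBGP would otherwise not carry.

    Returns (report, config_lines); report maps prefix -> dict with keys
    'martian_overlap' (list), 'default_like' (bool), 'needs_network_statement'
    (bool)."""
    report = {}
    config = []
    for p in prefixes:
        hits = overlapping_martians(p)
        default_like = is_default_like(p)
        needs = bool(hits) or default_like
        report[p] = {
            "martian_overlap": hits,
            "default_like": default_like,
            "needs_network_statement": needs,
        }
        if needs:
            config.append(network_statement(p, route_map))
    return report, config


if __name__ == "__main__":
    # Constructed sample RTBH list: 0.4.24.0/24 covers the 0.4.24.200 example
    # from Justin's message; the other entries are placeholders.
    sample = ["0.0.0.0/8", "0.4.24.0/24", "240.0.0.0/4", "10.0.0.0/8", "192.0.2.0/24"]
    report, config = audit_rtbh_prefixes(sample)
    for prefix, info in report.items():
        print(f"{prefix:18} martian={info['martian_overlap'] or '-'} "
              f"default_like={info['default_like']} "
              f"force={info['needs_network_statement']}")
    print("router bgp <ASN>   ! ASN is a placeholder")
    for line in config:
        print(" " + line)
```

The check is deliberately conservative: anything that touches one of the listed blocks is flagged, because the router will drop the overlapping part whether the RTBH prefix is inside the martian block or contains it. Prefixes with no overlap (10.0.0.0/8, 192.0.2.0/24 in the sample) get no statement and can stay on the redistribution path.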
From blahu77 at gmail.com Fri May 16 18:00:46 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Fri, 16 May 2008 23:00:46 +0100
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <20080516.184225.74714521.sthaug@nethelp.no>
References: <20080516065005.GB32704@ibh.de> <20080516.105103.74701746.sthaug@nethelp.no> <20080516161704.GB32495@ibh.de> <20080516.184225.74714521.sthaug@nethelp.no>
Message-ID: <383357750805161500l33023bdeybadb130409127778@mail.gmail.com>

>
> None of the 3550/3560/3750 family have functioning SVI counters -
> the hardware to do it just isn't there.

If routed interfaces (no switchport interfaces) are using internal
VLANs... does it mean it applies to those interfaces as well?

-- 
-mat

From marco at linuxgoeroe.dhs.org Fri May 16 18:03:14 2008
From: marco at linuxgoeroe.dhs.org (Marco van den Bovenkamp)
Date: Sat, 17 May 2008 00:03:14 +0200
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <383357750805161500l33023bdeybadb130409127778@mail.gmail.com>
References: <20080516065005.GB32704@ibh.de> <20080516.105103.74701746.sthaug@nethelp.no> <20080516161704.GB32495@ibh.de> <20080516.184225.74714521.sthaug@nethelp.no> <383357750805161500l33023bdeybadb130409127778@mail.gmail.com>
Message-ID: <482E04A2.6040404@linuxgoeroe.dhs.org>

Mateusz Błaszczyk wrote:
>> None of the 3550/3560/3750 family have functioning SVI counters -
>> the hardware to do it just isn't there.
>
> If routed interfaces (no switchport interfaces) are using internal
> VLANs... does it mean it applies to those interfaces as well?

Yes.

Regards,

Marco.

From justin at justinshore.com Fri May 16 21:30:22 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 16 May 2008 20:30:22 -0500
Subject: [c-nsp] iBGP not propogating route to 0/8
In-Reply-To: <482DFDC3.1000406@forthnet.gr>
References: <482CABBF.3010009@justinshore.com> <482DFDC3.1000406@forthnet.gr>
Message-ID: <482E352E.5010209@justinshore.com>

The default-info originate solution makes me nervous without a lab to test
this in. Forcing the advertisement with the network statement though works
like a champ. I hadn't even considered that this was being caused by
Cisco's martian handling. But as David Sinn pointed out, there are more
prefixes than just 0/8 that are being suppressed. I'll use the network
command to force the advertisement for those networks too.

I need to put up a RTBH HOWTO on my website I think.

Thanks. TGIF!
Justin

Tassos Chatzithomaoglou wrote:
> I think it has to do with the default route "confusion"...
>
> 1) You can use "default-information originate" under the bgp process and
> trick bgp that this is the default route (I guess only the network part
> is checked). The network is shown as "0.0.0.0/8" which means that the
> router doesn't consider /8 to be the default length of 0.0.0.0, like in
> 3.0.0.0.
>
> R1>sh ip bgp
> BGP table version is 20, local router ID is 1.1.1.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *>i0.0.0.0/8        1.1.1.2                  0    500      0 i
> *>i3.0.0.0          1.1.1.2                  0    500      0 i
>
>
> 2) You can use "network 0.0.0.0 mask 255.0.0.0 route-map static-to-bgp"
> under bgp and force its advertisement.
>
> Method 1 requires redistribution of the route, method 2 requires the route
> to be present in IGP/static.
>
> In your case, you have both ;)
>
> --
> Tassos
>
>
> David Sinn wrote on 16/5/2008 7:06 μμ:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On May 15, 2008, at 2:31 PM, Justin Shore wrote:
>>
>>> I can't think of any reason why this prefix wouldn't be advertised.
>>> Any ideas? I noticed it today because I have customers trying to hit 0/8
>>> IPs (0.4.24.200 for example) that my egress ACLs are catching.
>>
>> This is due to how Cisco treats martian networks per their
>> interpretation (or real meaning) of RFC 1812. Since the following
>> are martians, to cover the "Should not" route part of 5.3.7, they
>> won't install them in the route table.
>>
>> 0.0.0.0/8
>> 127.0.0.0/8
>> 128.0.0.0/16
>> 181.255.0.0/16
>> 192.0.0.0/24
>> 233.255.255.0/24
>> 240.0.0.0/4
>>
>> I've only personally tested 240.0.0.0/4 and it will not install in
>> the route table. I've also not tried to figure out what more or
>> less specific routes you could try and install to cover these blocks.
>>
>> David
>>
>>
>>> Thanks
>>> Justin
>>>
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.9 (Darwin)
>>
>> iEYEARECAAYFAkgtsPYACgkQLa9jIE3ZamNprgCfUAoV0GXj0Ob1HNg8pyifER1a
>> 6T8AoIWpvrB87i+VjRmp3avNPNRTJAV8
>> =1Klc
>> -----END PGP SIGNATURE-----
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>

From sthaug at nethelp.no Sat May 17 02:33:59 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Sat, 17 May 2008 08:33:59 +0200 (CEST)
Subject: [c-nsp] 3750 12.2(44)SE1 CPU 5% weirdness
In-Reply-To: <482E04A2.6040404@linuxgoeroe.dhs.org>
References:
<20080516.184225.74714521.sthaug@nethelp.no> <383357750805161500l33023bdeybadb130409127778@mail.gmail.com> <482E04A2.6040404@linuxgoeroe.dhs.org>
Message-ID: <20080517.083359.74658414.sthaug@nethelp.no>

> >> None of the 3550/3560/3750 family have functioning SVI counters -
> >> the hardware to do it just isn't there.
> >
> > if routed interfaces (no switchport interfaces) are using internal
> > vlans .... does it mean it applies to those interfaces as well ?
>
> Yes.

Well, you have the counters for the *physical port*, which work just fine. You just don't have per-VLAN/per-SVI counters.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From simon.leinen at switch.ch Sat May 17 11:39:32 2008
From: simon.leinen at switch.ch (Simon Leinen)
Date: Sat, 17 May 2008 17:39:32 +0200
Subject: [c-nsp] WDM equipment
In-Reply-To: <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net> (Jonathan Crawford's message of "Wed, 14 May 2008 00:34:42 -0700")
References: <940dabcc0805131945o1100bf9cs96c9ec35df8df647@mail.gmail.com> <84E2AE771361E9419DD0EFBD31F09C4D4F5BF95A20@EXVMBX015-1.exch015.msoutlookonline.net>
Message-ID:

Jonathan Crawford writes:
> There is also bti photonics... never used any of their active gear,
> but I'm very happy with their passive stuff.

We have some optical amplifiers from them, and they work fine for us so far. But for management they use TL1, not SNMP, so we haven't been able to really integrate them into our monitoring systems.

--
Simon.

From streiner at cluebyfour.org Sat May 17 21:47:43 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Sat, 17 May 2008 21:47:43 -0400 (EDT)
Subject: [c-nsp] 10GE sanity check
Message-ID:

I'm just looking for a quick sanity check here on 10GE optics.

A 10GBASE-LX4 xenpak or X2 module will not talk to a 10GBASE-LR module, correct? I'd test this assertion in my lab, but I don't have a spare LR module at the moment.
From what I've read of the coding and transmission specs for both types of optics, they wouldn't seem to be compatible, but I could be wrong :) CCO doesn't seem to have much info on module-to-module compatibility, probably because they assume the optics will be the same at both ends, but vendor differences in this case make that impossible. Thanks in advance jms From azheramin at gmail.com Sat May 17 22:48:41 2008 From: azheramin at gmail.com (Azher Mughal) Date: Sat, 17 May 2008 19:48:41 -0700 Subject: [c-nsp] 10GE sanity check In-Reply-To: References: Message-ID: <482F9909.3090006@hep.caltech.edu> It should not work as both have different encoding and no of wavelengths. http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802a648b.html -Azher Justin M. Streiner wrote: > I'm just looking for a quick sanity check here on 10GE optics. > > A 10GBASE-LX4 xenpak or X2 module will not talk to a 10GBASE-LR module, > correct? I'd test this assertion in my lab, but I don't have a spare LR > module at the moment. From what I've read of the coding and transmission > specs for both types of optics, they wouldn't seem to be compatible, but I > could be wrong :) CCO doesn't seem to have much info on module-to-module > compatibility, probably because they assume the optics will be the same at > both ends, but vendor differences in this case make that impossible. > > Thanks in advance > jms > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ross at kallisti.us Sun May 18 01:56:56 2008 From: ross at kallisti.us (Ross Vandegrift) Date: Sun, 18 May 2008 01:56:56 -0400 Subject: [c-nsp] Strange message on the console Message-ID: <20080518055656.GA16726@kallisti.us> Hi everyone, I was messing around with rate-limiting ARP resolution on a 6500 SUP720-3bxl. 
After entering "mls rate-limit unicast cef glean 250 50", IOS printed this message on the console:

%Packets requiring ARP resolution will be subject to the output ACLs of the input VLAN

Uhhhh, duh? I would hope that traffic would always be subject to the input VLAN's output ACL, since that would be how one would expect ACLs to work - ie, that they actually do something.... I can't imagine that this means to imply that output ACLs only work when glean rate-limiting is enabled.

Google finds nothing on this message - anyone have any info on this curious bit?

--
Ross Vandegrift
ross at kallisti.us

"The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell."
--St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From avayner at cisco.com Sun May 18 02:25:49 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 18 May 2008 08:25:49 +0200
Subject: [c-nsp] Strange message on the console
In-Reply-To: <20080518055656.GA16726@kallisti.us>
References: <20080518055656.GA16726@kallisti.us>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5015E1FB9@xmb-ams-331.emea.cisco.com>

Ross,

This is a bug caused by some HW limitation. What the message says is the packets RECEIVED on a specific VLAN, and which are destined to the local router (like in your case), and in case rate-limiting for this traffic is enabled - then this traffic would hit the OUTPUT ACL configured on the same VLAN - which is basically wrong...

Hope you see the issue now.

The workaround would be simple - make the ACLs permit the traffic...

This issue is not there on the newer 3C/3CXL based SUPs.
Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ross Vandegrift Sent: Sunday, May 18, 2008 08:57 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Strange message on the console Hi everyone, I was messing around with rate-limiting ARP resolution on a 6500 SUP720-3bxl. After entering "mls rate-limit unicast cef glean 250 50", IOS printed this message on the console: %Packets requiring ARP resolution will be subject to the output ACLs of the input VLAN Uhhhh, duh? I would hope that traffic would always be subject to the input VLAN's output ACL, since that would be how one would expect ACLs to work - ie, that they actually do something.... I can't imagine that this means to imply that output ACLs only work when glean rate-limiting is enabled. Google finds nothing on this message - anyone have any info on this curious bit? -- Ross Vandegrift ross at kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37 _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From achatz at forthnet.gr Sun May 18 05:24:02 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Sun, 18 May 2008 12:24:02 +0300 Subject: [c-nsp] 10GE sanity check In-Reply-To: <482F9909.3090006@hep.caltech.edu> References: <482F9909.3090006@hep.caltech.edu> Message-ID: <482FF5B2.1080009@forthnet.gr> I had (accidentally) SFP 1000BaseLX/LH and 1000BaseZX talk to each other through SMF, regardless of their different wavelengths (!). 
Although everything worked fine (passing traffic through) for some minutes, i replaced one of the SFPs in order to be sure i won't meet any problems in the future. -- Tassos Azher Mughal wrote on 18/5/2008 5:48 ??: > It should not work as both have different encoding and no of wavelengths. > > http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802a648b.html > > -Azher > > Justin M. Streiner wrote: >> I'm just looking for a quick sanity check here on 10GE optics. >> >> A 10GBASE-LX4 xenpak or X2 module will not talk to a 10GBASE-LR module, >> correct? I'd test this assertion in my lab, but I don't have a spare LR >> module at the moment. From what I've read of the coding and transmission >> specs for both types of optics, they wouldn't seem to be compatible, but I >> could be wrong :) CCO doesn't seem to have much info on module-to-module >> compatibility, probably because they assume the optics will be the same at >> both ends, but vendor differences in this case make that impossible. >> >> Thanks in advance >> jms >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From frnkblk at iname.com Sun May 18 06:48:22 2008 From: frnkblk at iname.com (Frank Bulk) Date: Sun, 18 May 2008 05:48:22 -0500 Subject: [c-nsp] Vendor spam from BTI systems received Message-ID: I just received an unsolicited e-mail from BTI systems in regards to an answer I recently gave. Be forewarned. 
Frank From blahu77 at gmail.com Sun May 18 06:51:48 2008 From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=) Date: Sun, 18 May 2008 11:51:48 +0100 Subject: [c-nsp] 10GE sanity check In-Reply-To: <482FF5B2.1080009@forthnet.gr> References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr> Message-ID: <383357750805180351t4588e6d6ga109aab5c584c942@mail.gmail.com> 2008/5/18 Tassos Chatzithomaoglou : > I had (accidentally) SFP 1000BaseLX/LH and 1000BaseZX talk to each other through SMF, regardless of > their different wavelengths (!). the SFP receivers are wideband so they catch both 1300 and 1550 nm... and it is not accidental :) -- -mat From cisco-nsp at natecarlson.com Sun May 18 09:35:08 2008 From: cisco-nsp at natecarlson.com (Nate Carlson) Date: Sun, 18 May 2008 08:35:08 -0500 (CDT) Subject: [c-nsp] 2811 and Etherchannel with onboard FE interfaces In-Reply-To: <920404479412A34EAA2ADE3D8CA7C51A94C1@olcs-43.nsc-technology.com> References: <920404479412A34EAA2ADE3D8CA7C51A94C1@olcs-43.nsc-technology.com> Message-ID: On Fri, 16 May 2008, Michael Heimann wrote: > It works since IOS 12.4(17.6): (Page 6) > http://www.cisco.com/en/US/prod/collateral/routers/ps5855/prod_white_pap > er0900aecd806f698a.pdf Hey, cool - I also look forward to this feature being in the T-train. As a side note, that document has some of the worst Engrish I've ever seen from Cisco.. yikes. 
------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------

From swmike at swm.pp.se Sun May 18 09:47:10 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Sun, 18 May 2008 15:47:10 +0200 (CEST)
Subject: [c-nsp] 10GE sanity check
In-Reply-To: <482FF5B2.1080009@forthnet.gr>
References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr>
Message-ID:

On Sun, 18 May 2008, Tassos Chatzithomaoglou wrote:

> I had (accidentally) SFP 1000BaseLX/LH and 1000BaseZX talk to each other through SMF, regardless of
> their different wavelengths (!).

10GBASE-LX4 is 4 times ~2.5 gig in a CWDM format, built into a single package, that's very different from 10GBASE-SR or LR which is single channel.

The difference between LX and ZX is mostly in the transmitter (1310 and 1550nm respectively), even though the receiver is also more sensitive on the ZX, all receivers are wideband and will take most of the light from around 1200 or so, up to over 1600nm.

So if one wants to do ~20 km and LX doesn't work, one can usually do ZX at only one end, as 1550nm light only has half the attenuation of 1310nm light, which means more of the light gets to the receiver for it to be enough with the ~ -18dB sensitivity of LX, you don't really need the ~24dB of ZX. The -24dB receiver on the ZX can be sensitive enough to receive the LX on the other end correctly.

Gigabit ethernet is mostly a play with attenuation and only attenuation, whereas on 10G things like dispersion and other factors start to be important as well.
--
Mikael Abrahamsson    email: swmike at swm.pp.se

From danletkeman at gmail.com Sun May 18 11:45:06 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 18 May 2008 10:45:06 -0500
Subject: [c-nsp] 1131ag input and crc errors
Message-ID:

Hello,

I have an 1131ag that has a lot of input and crc errors on both the wlan interface and the ethernet interface. It seems to be an ongoing thing, it has the latest ios, and is connected to an edge switch which is connected to the core switch. All other traffic seems to be fine on that switch. Could it be a hardware problem?

Dan.

From ross at kallisti.us Sun May 18 11:54:33 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Sun, 18 May 2008 11:54:33 -0400
Subject: [c-nsp] Strange message on the console
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A5015E1FB9@xmb-ams-331.emea.cisco.com>
References: <20080518055656.GA16726@kallisti.us> <67F7C1FAF83A074AA3520D8F155782A5015E1FB9@xmb-ams-331.emea.cisco.com>
Message-ID: <20080518155433.GA20084@kallisti.us>

On Sun, May 18, 2008 at 08:25:49AM +0200, Arie Vayner (avayner) wrote:
> Ross,
>
> This is a bug caused by some HW limitation. What the message says is
> the packets RECEIVED on a specific VLAN, and which are destined to the
> local router (like in your case), and in case rate-limiting for this
> traffic is enabled - then this traffic would hit the OUTPUT ACL
> configured on the same VLAN - which is basically wrong...
>
> Hope you see the issue now.

Aha - yes, now I get it. I was misunderstanding the message.

> The workaround would be simple - make the ACLs permit the traffic...

Does this issue affect VLANs that have no output ACL?

Thanks Arie,
Ross

>
> This issue is not there on the newer 3C/3CXL based SUPs.
> > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ross Vandegrift > Sent: Sunday, May 18, 2008 08:57 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Strange message on the console > > Hi everyone, > > I was messing around with rate-limiting ARP resolution on a 6500 > SUP720-3bxl. After entering "mls rate-limit unicast cef glean 250 50", > IOS printed this message on the console: > > %Packets requiring ARP resolution will be subject to the output ACLs of > the input VLAN > > Uhhhh, duh? I would hope that traffic would always be subject to the > input VLAN's output ACL, since that would be how one would expect ACLs > to work - ie, that they actually do something.... I can't imagine that > this means to imply that output ACLs only work when glean rate-limiting > is enabled. > > Google finds nothing on this message - anyone have any info on this > curious bit? > > > -- > Ross Vandegrift > ross at kallisti.us > > "The good Christian should beware of mathematicians, and all those who > make empty prophecies. The danger already exists that the mathematicians > have made a covenant with the devil to darken the spirit and to confine > man in the bonds of Hell." > --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Ross Vandegrift ross at kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. 
Augustine, De Genesi ad Litteram, Book II, xviii, 37 From avayner at cisco.com Sun May 18 13:23:41 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 18 May 2008 19:23:41 +0200 Subject: [c-nsp] Strange message on the console In-Reply-To: <20080518155433.GA20084@kallisti.us> References: <20080518055656.GA16726@kallisti.us> <67F7C1FAF83A074AA3520D8F155782A5015E1FB9@xmb-ams-331.emea.cisco.com> <20080518155433.GA20084@kallisti.us> Message-ID: <67F7C1FAF83A074AA3520D8F155782A5015E207E@xmb-ams-331.emea.cisco.com> If the VLAN has no egress ACL, then it would permit any traffic, and there would be no issue... Arie -----Original Message----- From: Ross Vandegrift [mailto:ross at kallisti.us] Sent: Sunday, May 18, 2008 18:55 PM To: Arie Vayner (avayner) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Strange message on the console On Sun, May 18, 2008 at 08:25:49AM +0200, Arie Vayner (avayner) wrote: > Ross, > > This is a bug caused by a some HW limitation. What the message says is > the packets RECEIVED on a specific VLAN, and which are destined to the > local router (like in your case), and in case rate-limiting for this > traffic is enabled - then this traffic would hit the OUTPUT ACL > configured on the same VLAN - which is basically wrong... > > Hope you see the issue now. Aha - yes, now I get it. I was misunderstanding the message. > The workaround would be simple - make the ACLs permit the traffic... Does this issue affect VLANs that have no output ACL? Thanks Arie, Ross > > This issue is not there on the newer 3C/3CXL based SUPs. > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ross > Vandegrift > Sent: Sunday, May 18, 2008 08:57 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Strange message on the console > > Hi everyone, > > I was messing around with rate-limiting ARP resolution on a 6500 > SUP720-3bxl. 
After entering "mls rate-limit unicast cef glean 250 > 50", IOS printed this message on the console: > > %Packets requiring ARP resolution will be subject to the output ACLs > of the input VLAN > > Uhhhh, duh? I would hope that traffic would always be subject to the > input VLAN's output ACL, since that would be how one would expect ACLs > to work - ie, that they actually do something.... I can't imagine > that this means to imply that output ACLs only work when glean > rate-limiting is enabled. > > Google finds nothing on this message - anyone have any info on this > curious bit? > > > -- > Ross Vandegrift > ross at kallisti.us > > "The good Christian should beware of mathematicians, and all those who > make empty prophecies. The danger already exists that the > mathematicians have made a covenant with the devil to darken the > spirit and to confine man in the bonds of Hell." > --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37 > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Ross Vandegrift ross at kallisti.us "The good Christian should beware of mathematicians, and all those who make empty prophecies. The danger already exists that the mathematicians have made a covenant with the devil to darken the spirit and to confine man in the bonds of Hell." --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37 From streiner at cluebyfour.org Sun May 18 13:36:40 2008 From: streiner at cluebyfour.org (Justin M. 
Streiner) Date: Sun, 18 May 2008 13:36:40 -0400 (EDT) Subject: [c-nsp] 10GE sanity check In-Reply-To: <482FF5B2.1080009@forthnet.gr> References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr> Message-ID: On Sun, 18 May 2008, Tassos Chatzithomaoglou wrote: > I had (accidentally) SFP 1000BaseLX/LH and 1000BaseZX talk to each other through SMF, regardless of > their different wavelengths (!). > > Although everything worked fine (passing traffic through) for some minutes, i replaced one of the > SFPs in order to be sure i won't meet any problems in the future. In a case like that, you could see problems over time because the laser in the ZX SFP could overload the receiver in the LX one, depending on the cable distance between the two units. jms > Azher Mughal wrote on 18/5/2008 5:48 ??: >> It should not work as both have different encoding and no of wavelengths. >> >> http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd802a648b.html >> >> -Azher >> >> Justin M. Streiner wrote: >>> I'm just looking for a quick sanity check here on 10GE optics. >>> >>> A 10GBASE-LX4 xenpak or X2 module will not talk to a 10GBASE-LR module, >>> correct? I'd test this assertion in my lab, but I don't have a spare LR >>> module at the moment. From what I've read of the coding and transmission >>> specs for both types of optics, they wouldn't seem to be compatible, but I >>> could be wrong :) CCO doesn't seem to have much info on module-to-module >>> compatibility, probably because they assume the optics will be the same at >>> both ends, but vendor differences in this case make that impossible. 
>>>
>>> Thanks in advance
>>> jms
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ltd at cisco.com Sun May 18 18:13:24 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 19 May 2008 08:13:24 +1000
Subject: [c-nsp] 10GE sanity check
In-Reply-To:
References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr>
Message-ID: <4830AA04.7030908@cisco.com>

hi Mikael,

Mikael Abrahamsson wrote:
> So if one wants to do ~20 km and LX doesn't work, one can usually do ZX at
> only one end, as 1550nm light only has half the attenuation of 1310nm
> light, which means more of the light gets to the receiver for it to be
> enough with the ~ -18dB sensitivity of LX, you don't really need the ~24dB
> of ZX. The -24dB receiver on the ZX can be sensitive enough to receive the
> LX on the other end correctly.
>

are you operating any links like this in production today with real traffic?

i'd love to see what (if any) CRC/Framing errors you may be recording, some people think that running equipment in this manner significantly compromises the bit-error-rate of the link.

i don't have evidence either way, but "show int x/y" counters would be a great proof point of it not being an issue.

cheers,

lincoln.
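Lincoln's proof point above is the `show int x/y` counter set, and Dan's 1131ag question earlier in this digest is the same check from the other direction: is the CRC count on a link small enough, relative to what it has received, to be noise, or is it a sign of a marginal optical budget or a bad cable? As an added example that is not from any message in this thread, the Python below pulls the packets-input, input-errors, CRC and frame counters out of IOS `show interfaces` text and flags any interface whose CRC-per-packet ratio is above a threshold. The sample output is constructed (it is not from any device mentioned here, and the counters are made up), and the 1e-6 threshold is an assumed starting point, not a Cisco figure.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of Cisco IOS "show interfaces" output. It is not captured
# from any device on the thread; the counters are made up so that one link is
# clean and the other shows CRC and framing errors.
SAMPLE_SHOW_INTERFACES = """\
TenGigabitEthernet1/1 is up, line protocol is up (connected)
  Hardware is C6k 10000Mb 802.3, address is 0011.2233.4455 (bia 0011.2233.4455)
  MTU 1500 bytes, BW 10000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Last clearing of "show interface" counters 3d02h
     184563201 packets input, 20543621130 bytes, 0 no buffer
     Received 1201 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     90312117 packets output, 10321234567 bytes, 0 underruns
GigabitEthernet2/3 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0011.2233.4466 (bia 0011.2233.4466)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 254/255, txload 1/255, rxload 1/255
  Last clearing of "show interface" counters 3d02h
     123456789 packets input, 98765432100 bytes, 0 no buffer
     Received 980 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     4600 input errors, 4521 CRC, 79 frame, 0 overrun, 0 ignored
     65432100 packets output, 54321000000 bytes, 0 underruns
"""


class InputCounters(NamedTuple):
    packets_input: int
    input_errors: int
    crc: int
    frame: int


# Interface header lines start in column 0; the counter lines are indented,
# so the header pattern cannot accidentally match a counter line.
_IFACE_RE = re.compile(r"^(\S+) is (?:up|down|administratively down), line protocol is")
_PKTS_RE = re.compile(r"^\s+(\d+) packets input, (\d+) bytes")
_ERR_RE = re.compile(
    r"^\s+(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored"
)


def parse_show_interfaces(text: str) -> Dict[str, InputCounters]:
    """Return the input-side counters for every interface block in the text."""
    raw: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            raw[current] = {"packets_input": 0, "input_errors": 0, "crc": 0, "frame": 0}
            continue
        if current is None:
            continue  # text before the first interface header
        m = _PKTS_RE.match(line)
        if m:
            raw[current]["packets_input"] = int(m.group(1))
            continue
        m = _ERR_RE.match(line)
        if m:
            raw[current]["input_errors"] = int(m.group(1))
            raw[current]["crc"] = int(m.group(2))
            raw[current]["frame"] = int(m.group(3))
    return {name: InputCounters(**fields) for name, fields in raw.items()}


def crc_ratio(c: InputCounters) -> float:
    """CRC errors per received packet; 0.0 when nothing has been received."""
    return c.crc / c.packets_input if c.packets_input else 0.0


def flag_noisy_links(counters: Dict[str, InputCounters], max_ratio: float = 1e-6) -> List[str]:
    """Interfaces whose CRC ratio exceeds max_ratio (an assumed threshold)."""
    return sorted(name for name, c in counters.items() if crc_ratio(c) > max_ratio)


if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_SHOW_INTERFACES)
    for name, c in parsed.items():
        print(f"{name}: {c.packets_input} in, {c.crc} CRC, {c.frame} frame, "
              f"ratio {crc_ratio(c):.2e}")
    print("links to investigate:", flag_noisy_links(parsed))
```

The ratio is per packet, not per bit, so it is only a proxy for the bit error rate Lincoln is asking about; for a real comparison, clear the counters (or take two readings and diff them) so that a burst from an old cabling problem does not get averaged over months of clean traffic, and look at the `frame` and `input errors` fields alongside `CRC`, since a mismatched optic tends to move all three together.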
From hank at efes.iucc.ac.il Sun May 18 22:18:15 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Mon, 19 May 2008 05:18:15 +0300 (IDT) Subject: [c-nsp] Strangeness with eFlexwan POS ports on 7600 Message-ID: We are encountering some very strange behavior on POS interfaces seated inside eFlexwans on a 7613 with SUP720. On a 7613 running 12.2(18)SXE6b we do not see any of this strangeness. On a 7613 running 12.2(18)SXF11 - we do. The strangeness is hard to define. It appeared first when we tried to bring up a backup STM-1 circuit which hadn't been used in a year and would only pass about 700kbps. We blamed the carrier but now suspect a subtle bug in IOS. Other POS interfaces also show pkt loss, whereas one other POS interface - which happened to be the only live one with constant moving traffic does not show any strangeness. When doing ping from the router to the other side of the interface, we see deterministic pkt loss like this: POS3/0/1 Sending 10000, 100-byte ICMP Echos to xxx.139.237.2, timeout is 2 seconds: !!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!! !!!!!.!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!! !!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.! The drop on this link is periodic, it's not random, every 14th packet is dropped. We have no rate limiting enabled. Depending on packet size of ping - we get different deterministic results. After playing with the bad interface for a while (shut, no shut, sdh parms, moved to another free POS port, SDH tester equipment, loopbacks, etc.), it suddenly came alive and no longer lost any packets. Has anyone encountered anything similar to this? Otherwise, this is gonna be hell to debug with TAC. Thanks, Hank From mylists at battleop.com Sun May 18 22:56:46 2008 From: mylists at battleop.com (Richey) Date: Sun, 18 May 2008 22:56:46 -0400 Subject: [c-nsp] access-list speed limiting. 
Message-ID: <006c01c8b95b$faf8f000$f0ead000$@com>

I've got several users on our wireless network I need to limit to 3Mb. I've tried several ways to limit their speed but they are still getting 12Mbps to 15Mbps when I push an .iso across the link with an FTP session. For our average user I wouldn't care but these guys get home in the evening and hit it for all it's worth for hours on end.

I am coming out of a 3660 into a 3524 switch. I then take it into a point to point wireless link where the far end radio connects to an AP.

Right now I am doing the following:

interface FastEthernet0/1.103
 description DA1-SM2 Link
 encapsulation dot1Q 103
 ip address x.x.34.193 255.255.255.248
 ip access-group 102 out
 rate-limit input access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop

access-list 150 permit ip host x.x.10.71 any

I've also tried the following:

interface FastEthernet0/1.103
 description DA1-SM2 Link
 encapsulation dot1Q 103
 ip address x.x.34.193 255.255.255.248
 ip access-group 102 out
 traffic-shape group 155 3000000 75000 75000 1000

Richey

From cchurc05 at harris.com Sun May 18 23:25:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sun, 18 May 2008 22:25:22 -0500
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: <006c01c8b95b$faf8f000$f0ead000$@com>
References: <006c01c8b95b$faf8f000$f0ead000$@com>
Message-ID:

Richey,

I can't tell if your ethernet int you have a config for faces the customers or the upstream, but it seems that the direction is the issue. Your access list matches a particular host to any. But not the opposite. Add a second entry to the ACL matching any -> host, see if it now works correctly.
Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richey
Sent: Sunday, May 18, 2008 10:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] access-list speed limiting.

I've got several users on our wireless network I need to limit to 3Mb. I've tried several ways to limit their speed but they are still getting 12Mbps to 15Mbps when I push an .iso across the link with an FTP session. For our average user I wouldn't care but these guys get home in the evening and hit it for all it's worth for hours on end.

I am coming out of a 3660 into a 3524 switch. I then take it into a point to point wireless link where the far end radio connects to an AP.

Right now I am doing the following:

interface FastEthernet0/1.103
 description DA1-SM2 Link
 encapsulation dot1Q 103
 ip address x.x.34.193 255.255.255.248
 ip access-group 102 out
 rate-limit input access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop
 rate-limit output access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop

access-list 150 permit ip host x.x.10.71 any

I've also tried the following:

interface FastEthernet0/1.103
 description DA1-SM2 Link
 encapsulation dot1Q 103
 ip address x.x.34.193 255.255.255.248
 ip access-group 102 out
 traffic-shape group 155 3000000 75000 75000 1000

Richey

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From tedm at toybox.placo.com Mon May 19 00:47:51 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Sun, 18 May 2008 21:47:51 -0700
Subject: [c-nsp] access-list speed limiting.
In-Reply-To:
Message-ID:

rate limiting doesn't work on data coming into an interface. You have to rate limit on the data going out, on the interface that is facing the customer.
Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
> Sent: Sunday, May 18, 2008 8:25 PM
> To: Richey; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] access-list speed limiting.
>
> Richey,
>
> I can't tell if your ethernet int you have a config for faces
> the customers or the upstream, but it seems that the direction is the
> issue. Your access list matches a particular host to any. But not the
> opposite. Add a second entry to the ACL matching any -> host, see if it
> now works correctly.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richey
> Sent: Sunday, May 18, 2008 10:57 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] access-list speed limiting.
>
> I've got several users on our wireless network I need to limit to
> 3Mb.
> I've tried several ways to limit their speed but they are still getting
> 12Mbps to 15Mbps when I push an .iso across the link with an FTP
> session.
> For our average user I wouldn't care but these guys get home in the
> evening
> and hit it for all it's worth for hours on end.
>
> I am coming out of a 3660 into a 3524 switch. I then take it into a
> point
> to point wireless link where the far end radio connects to an AP.
>
> Right now I am doing the following:
>
> interface FastEthernet0/1.103
>  description DA1-SM2 Link
>  encapsulation dot1Q 103
>  ip address x.x.34.193 255.255.255.248
>  ip access-group 102 out
>  rate-limit input access-group 150 3000000 16000 24000 conform-action
> transmit exceed-action drop
>  rate-limit output access-group 150 3000000 16000 24000 conform-action
> transmit exceed-action drop
>
> access-list 150 permit ip host x.x.10.71 any
>
> I've also tried the following:
>
> interface FastEthernet0/1.103
>  description DA1-SM2 Link
>  encapsulation dot1Q 103
>  ip address x.x.34.193 255.255.255.248
>  ip access-group 102 out
>  traffic-shape group 155 3000000 75000 75000 1000
>
> Richey
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From swmike at swm.pp.se Mon May 19 02:31:09 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 19 May 2008 08:31:09 +0200 (CEST)
Subject: [c-nsp] 10GE sanity check
In-Reply-To: <4830AA04.7030908@cisco.com>
References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr> <4830AA04.7030908@cisco.com>
Message-ID: 

On Mon, 19 May 2008, Lincoln Dale wrote:

> are you operating any links like this in production today with real traffic?

I have.

> i'd love to see what (if any) CRC/Framing errors you may be recording, some
> people think that running equipment in this manner significantly compromises
> the bit-error-rate of the link.
> i don't have evidence either way, but "show int x/y" counters would be a
> great proof point of it not being an issue.
Let me give you concrete numbers that show that this is not a problem.

LX and ZX receivers are wideband (1265nm - 1600nm and 1270nm - 1600nm respectively). They do approx -3 to +5 dBm (ZX) and -10dBm to -3dBm (LX) transmitting and receivers are sensitive down to -22dBm (ZX, often this is -24dBm on other models I've seen) and -16 to -19 dBm (LX).

So let's say we have a 30km link, with 0.2dB attenuation per km at 1550, and 0.4dB per km at 1310.

This means the ZX transmits at -3dBm and with 30*0.2 sees 6dB loss and is received at -9 dBm. No problem for the LX receiver.

The LX is transmitting at -10dBm, sees 30*0.4 dB loss and is received at -22dBm. This is ok for the ZX receiver, but not for an LX receiver.

This works, there is no magic about it, it's just up to calculating the attenuation. Then again, operationally, handling this case might be complicated due to people having to understand the math, so I guess most organisations just go the easy route and get ZX at both ends as that might be easier as there is less understanding involved.

-- 
Mikael Abrahamsson email: swmike at swm.pp.se

From tomas at soitron.com Mon May 19 03:59:10 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Mon, 19 May 2008 09:59:10 +0200
Subject: [c-nsp] 10GE sanity check
In-Reply-To: <4830AA04.7030908@cisco.com>
References: <482F9909.3090006@hep.caltech.edu> <482FF5B2.1080009@forthnet.gr> <4830AA04.7030908@cisco.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3014840E1@kenya.tronet.as>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lincoln Dale
>
> Mikael Abrahamsson wrote:
> > So if one wants to do ~20 km and LX doesn't work, one can usually do ZX at
> > only one end, as 1550nm light only has half the attenuation of 1310nm
> > light, which means more of the light get to the receiver for it to be
> > enough with the ~ -18dB sensitivity of LX, you don't really need the ~24dB
> > of ZX.
> > The -24dB receiver on the ZX can be sensitive enough to receive the
> > LX on the other end correctly.
>
> are you operating any links like this in production today with real
> traffic?

A year ago we had to do a similar setup on a 60km dark fibre span for a 7600 to a 12k. The 7600 was ok as ZX xenpak (it was a 67xx card) was available but the 12k did not have ZR XFP yet so we went with something like ZX xenpak <-> ER XFP, worked like a charm.

> i'd love to see what (if any) CRC/Framing errors you may be recording,
> some people think that running equipment in this manner significantly
> compromises the bit-error-rate of the link.
> i don't have evidence either way, but "show int x/y" counters would be a
> great proof point of it not being an issue.

It's history for now so I don't have anything handy. No increased BER though

-- 
deejay

From rodunn at cisco.com Mon May 19 05:36:25 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 19 May 2008 05:36:25 -0400
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: 
References: 
Message-ID: <20080519093625.GC19880@rtp-cse-489.cisco.com>

On Sun, May 18, 2008 at 09:47:51PM -0700, Ted Mittelstaedt wrote:
> rate limiting doesn't work on data coming into an interface.

I think you are talking about shaping not CAR or MQC with police. They work on input.

Rodney

> You have to rate limit on the data going out, on the interface
> that is facing the customer.
>
> Ted
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
> > Sent: Sunday, May 18, 2008 8:25 PM
> > To: Richey; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] access-list speed limiting.
> >
> > Richey,
> >
> > I can't tell if your ethernet int you have a config for faces
> > the customers or the upstream, but it seems that the direction is the
> > issue. Your access list matches a particular host to any. But not the
> > opposite.
Add a second entry to the ACL matching any -> host, see if it > > now works correctly. > > > > Chuck > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richey > > Sent: Sunday, May 18, 2008 10:57 PM > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] access-list speed limiting. > > > > > > I've got a several users on our wireless network I need to limit to > > 3Mb. > > I've tried several ways to limit their speed but they are still getting > > 12Mbps to 15Mbps when I push an .iso across the link with an FTP > > session. > > For our average user I wouldn't care but these guys get home in the > > evening > > and hit it for all it's worth for hours on end. > > > > > > > > I am coming out of a 3660 into a 3524 switch. I then take it into a > > point > > to point wireless link where the far end radio connects to an AP. > > > > > > > > Right now I am doing the following: > > > > > > > > interface FastEthernet0/1.103 > > > > description DA1-SM2 Link > > > > encapsulation dot1Q 103 > > > > ip address x.x.34.193 255.255.255.248 > > > > ip access-group 102 out > > > > rate-limit input access-group 150 3000000 16000 24000 conform-action > > transmit exceed-action drop > > > > rate-limit output access-group 150 3000000 16000 24000 conform-action > > transmit exceed-action drop > > > > > > > > access-list 150 permit ip host x.x.10.71 any > > > > > > > > > > > > I've also tried the following: > > > > > > > > interface FastEthernet0/1.103 > > > > description DA1-SM2 Link > > > > encapsulation dot1Q 103 > > > > ip address x.x.34.193 255.255.255.248 > > > > ip access-group 102 out > > > > traffic-shape group 155 3000000 75000 75000 1000 > > > > > > > > > > > > Richey > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at 
http://puck.nether.net/pipermail/cisco-nsp/
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Mon May 19 05:37:51 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 19 May 2008 05:37:51 -0400
Subject: [c-nsp] Anyone doing MQC classification post encap with crytpo/dmvpn/ipsec?
Message-ID: <20080519093751.GD19880@rtp-cse-489.cisco.com>

What I mean is do you have a setup where you do QOS based on classification *after* crypto? ie: match on ipsec destination addresses for classification in a QOS policy to get per spoke QOS

Rodney

From mylists at battleop.com Mon May 19 07:15:54 2008
From: mylists at battleop.com (Richey)
Date: Mon, 19 May 2008 07:15:54 -0400
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: 
References: 
Message-ID: <00b501c8b9a1$b4dbdc40$1e9394c0$@com>

I am trying to limit them to 3Mb down 3Mb up. When I am testing I am seeing full speed both directions. I did have some success by changing my

access-list 150 permit ip host x.x.10.71 any

to

access-list 150 permit ip any host x.x.10.71

but I end up with about 1Mb of traffic instead of 3Mb.

Richey

-----Original Message-----
From: Mike Louis [mailto:MLouis at nwnit.com]
Sent: Sunday, May 18, 2008 11:52 PM
To: Richey
Subject: RE: [c-nsp] access-list speed limiting.

Looks like you are limiting in the upstream direction... are you trying to rate limit their downloads or uploads or both

-----Original Message-----
From: Richey
Sent: Sunday, May 18, 2008 10:59 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] access-list speed limiting.
I've got a several users on our wireless network I need to limit to 3Mb. I've tried several ways to limit their speed but they are still getting 12Mbps to 15Mbps when I push an .iso across the link with an FTP session. For our average user I wouldn't care but these guys get home in the evening and hit it for all it's worth for hours on end. I am coming out of a 3660 into a 3524 switch. I then take it into a point to point wireless link where the far end radio connects to an AP. Right now I am doing the following: interface FastEthernet0/1.103 description DA1-SM2 Link encapsulation dot1Q 103 ip address x.x.34.193 255.255.255.248 ip access-group 102 out rate-limit input access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop rate-limit output access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop access-list 150 permit ip host x.x.10.71 any I've also tried the following: interface FastEthernet0/1.103 description DA1-SM2 Link encapsulation dot1Q 103 ip address x.x.34.193 255.255.255.248 ip access-group 102 out traffic-shape group 155 3000000 75000 75000 1000 Richey _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. 
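Richey's rate-limit lines police 3 Mbps with a 16000-byte normal burst and a 24000-byte extended burst, and his follow-up reports about 1Mb once the ACL matched the right direction; Mike Louis's note later in the thread points at burst size as the lever. The Python below is an added example, not code from the thread: it sizes the bursts with the rule of thumb from the Cisco policing-versus-shaping document (normal burst = rate/8 x 1.5 s, extended burst = 2 x normal) and runs a simplified single-bucket policer over a constructed 12 Mbps stream of 1500-byte packets; CAR's extended-burst debt accounting is not modelled, so the policer is a model of the mechanism, not the IOS algorithm.

```python
"""Burst sizing and a simplified token-bucket policer for CAR-style rate limits.

Added example for this thread. The sizing rule (normal burst = rate/8 x 1.5 s,
extended burst = 2 x normal) is the one given in Cisco's policing-vs-shaping
document; the policer is a single bucket, and CAR's extended-burst "debt"
accounting is deliberately left out, so this is a model, not the IOS algorithm.
"""
from dataclasses import dataclass
from typing import List, Tuple


def recommended_bursts(rate_bps: int) -> Tuple[int, int]:
    """Return (normal_burst_bytes, extended_burst_bytes) for a policed rate."""
    normal = int(rate_bps / 8 * 1.5)   # 1.5 seconds of traffic, in bytes
    return normal, 2 * normal


def burst_window_seconds(rate_bps: int, normal_burst_bytes: int) -> float:
    """Seconds of traffic at the policed rate that the bucket can absorb.

    When this is shorter than the path RTT, every TCP window ramp-up overflows
    the bucket and is dropped, which is how a tiny burst caps TCP throughput
    well below the configured rate.
    """
    return normal_burst_bytes * 8 / rate_bps


@dataclass
class Packet:
    arrival_us: int   # arrival time in microseconds
    size_bytes: int


def police(rate_bps: int, normal_burst_bytes: int, packets: List[Packet]) -> List[bool]:
    """Classic single token bucket: True = conform (transmit), False = exceed (drop).

    Tokens are bytes; the bucket starts full and refills at rate_bps.
    Integer arithmetic keeps the model exact for the test vectors.
    """
    tokens = normal_burst_bytes
    last_us = packets[0].arrival_us if packets else 0
    verdicts = []
    for pkt in packets:
        elapsed_us = pkt.arrival_us - last_us
        last_us = pkt.arrival_us
        # bits credited = rate * seconds; convert to bytes with /8 (truncating)
        tokens = min(normal_burst_bytes, tokens + (rate_bps * elapsed_us) // 8_000_000)
        if tokens >= pkt.size_bytes:
            tokens -= pkt.size_bytes
            verdicts.append(True)
        else:
            verdicts.append(False)
    return verdicts


def constant_rate_stream(line_rate_bps: int, size_bytes: int, count: int) -> List[Packet]:
    """Constructed input: back-to-back packets of one size at a fixed line rate."""
    gap_us = size_bytes * 8 * 1_000_000 // line_rate_bps
    return [Packet(i * gap_us, size_bytes) for i in range(count)]


def conform_count(rate_bps: int, normal_burst_bytes: int,
                  line_rate_bps: int, size_bytes: int, count: int) -> int:
    """Number of packets of a constant-rate stream that the policer lets through."""
    stream = constant_rate_stream(line_rate_bps, size_bytes, count)
    return sum(police(rate_bps, normal_burst_bytes, stream))


if __name__ == "__main__":
    RATE = 3_000_000                      # the 3 Mbps limit from the thread
    print("recommended bursts (normal, extended):", recommended_bursts(RATE))
    print("16000-byte bucket covers %.1f ms at 3 Mbps"
          % (burst_window_seconds(RATE, 16000) * 1000))
    for burst in (16000, recommended_bursts(RATE)[0]):
        ok = conform_count(RATE, burst, 12_000_000, 1500, 100)
        print(f"burst {burst}: {ok}/100 packets of a 12 Mbps stream conform")
```

With the 16000-byte bucket only 35 of 100 packets in the 12 Mbps stream conform and the bucket holds about 43 ms of traffic, well under a typical WAN round trip; the 562500-byte bucket from the rule of thumb passes all 100.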
From ltd at cisco.com Mon May 19 07:22:59 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 19 May 2008 21:22:59 +1000
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: <00b501c8b9a1$b4dbdc40$1e9394c0$@com>
References: <00b501c8b9a1$b4dbdc40$1e9394c0$@com>
Message-ID: <48316313.30502@cisco.com>

Richey wrote:
> I am trying to limit them to 3Mb down 3Mb up. When I am testing I am
> seeing full speed both directions. I did have some success by changing my
> access-list 150 permit ip host x.x.10.71 any to access-list 150 permit ip
> any host x.x.10.71

you will need BOTH of the above if you want to enforce both directions.

> but I end up with about 1Mb of traffic instead of 3Mb.
>

that is about right. policing compared to shaping, see http://www.cisco.com/warp/public/105/policevsshape.html

cheers,

lincoln.

From david.freedman at uk.clara.net Mon May 19 08:13:54 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Mon, 19 May 2008 13:13:54 +0100
Subject: [c-nsp] Prove it's not the network!
In-Reply-To: <8c829ec10805141332p4542a3eeu8d2b3191aee92d55@mail.gmail.com>
References: <200805141102.m4EB2r1X024270@amer-mta101.csc.com> <8c829ec10805141332p4542a3eeu8d2b3191aee92d55@mail.gmail.com>
Message-ID: <48316F02.9090807@uk.clara.net>

With regards to TCP MSS, I've had to do this multiple times before, the problem is almost always down to Microsoft Windows (TM):

- Having a ridiculous MSS (larger than MTU)
- Not doing pMTUd by default
- not honouring registry set MSS despite repeated reboots

I've had to go out of my way a few times now to demonstrate this to customers who are baffled by the fact that a product they pay good money for could possibly perform in such a suboptimal way :)

A good way of demonstrating network capability I find is using iperf to send a stream of UDP packets across the network where the IP packet size is all the way up to the MTU (UDP+IP headers = 28, so UDP payload size of MTU-28 should suffice) and the DF bit set (providing nothing along the path interferes with DF like some DSL implementations like to these days)

Saturating links as well is generally a good idea to demonstrate that traffic can rise to such a level.

Dave.

Chris Riling wrote:
> Last time I had to solve a similar problem, it ended up being related to one
> application not honoring the TCP window size in the OS. Turns out the
> application would only use X K regardless of what you set the window to in
> the OS. It took many webex school bus sessions demonstrating the differences
> in iperf before they understood.. Essentially it was proving that the
> network itself was capable of pushing the data, and that the problem must
> lie at an upper layer... Still had to go way above and beyond normal duties;
> I'm not even remotely a systems admin... :)
>
> Chris
>
>
> On 5/14/08, Joe Loiacono wrote:
>>
>> NetQoS SA is an appliance. It can be placed anywhere but typically
>> connects to a data center switch and aggregate ports are SPAN'd to it.
>> Among other graphs which are also valuable, the keys one for exonerating >> the network fall into the Server Response Time group. Here you will get >> four individual graphs and one composite of the four. The transactions >> being broken down into four components: >> >> Network RTT >> Retransmission time >> Data Transfer time >> Server Response time >> >> In a particular problem we were looking at, the Data Transfer and Server >> Response times radically dominated the composite graph. From this >> information, the problem was isolated to the internal client-server >> interaction of a web-portal load balancing application. The network was >> exonerted :-) >> >> Might be a similar situation for the Outlook configuration as an earlier >> post mentioned. >> >> Joe >> >> "Aaron R" wrote on 05/14/2008 07:04:34 AM: >> >> > I have heard of NetQoS. Is this an appliance or a piece of software? >> Where >> > does it run? The site does not give much away. >> > >> > Cheers, >> > >> > Aaron. >> > >> > -----Original Message----- >> > From: cisco-nsp-bounces at puck.nether.net >> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Loiacono >> > Sent: Tuesday, May 13, 2008 11:56 PM >> > To: Rick Martin >> > Cc: cisco-nsp-bounces at puck.nether.net; cisco-nsp at puck.nether.net >> > Subject: Re: [c-nsp] Prove it's not the network! >> > >> > Two things might help. >> > >> > 1) Active performance monitoring >> > >> > Set up iperf on both ends of your link. Periodically (e.g., for 30 >> seconds >> > every hour) burst as high as you can (large windows, etc.). Graph this >> > continually. That will show the actuall capacity achievable. You can >> even >> > set up multiple client-server iperf pairs and use comparisons betwen >> them >> > to isolate problems to different network segments. 
See, for example: >> > http:ensight.eos.nasa.gov (this is custom, so you'd have to develop your >> >> > own :-) >> > >> > 2) Application performance monitoring >> > >> > NetQoS has a sharp tool called SuperAgent (SA). SA installs in your data >> >> > center and can track performance from all clients to any specified >> > application (e.g., Outlook). What is neat about it is you don't have to >> > instrument the clients to be able to understand their performance - it >> is >> > all determined by examing the TCP traffic flow traversing the single >> point >> > where SA is installed. The reports break the performance down into >> several >> > segments, one of which is the network. This can eliminate the network as >> a >> > source of performance problems (if that is the case.) >> > >> > I don't work work for NetQoS, and there are other similar products. >> > >> > Joe >> > >> > >> > >> > >> > >> > >> > "Rick Martin" >> > Sent by: cisco-nsp-bounces at puck.nether.net >> > 05/13/2008 11:15 AM >> > >> > To >> > >> > cc >> > >> > Subject >> > [c-nsp] Prove it's not the network! >> > >> > >> > >> > >> > >> > >> > >> > I know this is not really a Cisco specific question but it is >> > definitely in support of Cisco hardware. >> > >> > How do most of you folks prove that "the problem" is not the network? >> > We utilize CA Spectrum and eHealth for availability and statistical >> > analysis but in some instances that does not cut it. We don't typically >> > have much trouble proving that a T1 is serving up 1.5 meg of bandwidth. >> > Customers complain that their access is slow, we show that they are >> > using all available bandwidth and eventually sell them more bandwidth >> > and the problem is resolved. >> > >> > The more difficult effort is when there is plenty of available >> > bandwidth and a particular application is slow (Outlook in the case I am >> > involved in now). This is a very high level political official and we >> > must come to a resolution. 
All tools we have available to us today >> > indicate that there is not a problem with the network. Typical >> > utilization on the T1 is about 500 to 600K peak during the day. Certain >> > management continues to point the finger at the network. We have used >> > Internet based speed tests that at times show less than 1.5Meg download >> > speeds, I explain the variables in the Internet and the particular tool >> > in use as well as local contention for the bandwidth etc to no avail, >> > once they see less than 1.5 meg speed the finger points to the network. >> > I still must somehow "prove" that the network is not the issue. >> > >> > I am interested in an Internet speed test like tool to install at the >> > core of our network that would provide a sustained upload or download >> > test that would run for longer periods of time than a regular speed >> > test. I would like to fill the pipe while graphing in Ehealth or as part >> > of the selected tool to prove that the contracted bandwidth is available >> > in both directions. >> > >> > Any recommendations for products would be appreciated. We are currently >> > looking at SolarWinds WAN Killer and a traffic generator from Omnicore >> > LanTraffic V2. I am also open to different "types" of solutions to point >> > to where the problem is actually located. 
>> >
>> > Thanks in advance for any suggestions
>> >
>> > Rick Martin
>> > Network Engineer
>> > State of Arkansas, Department of Information Systems
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> > _______________________________________________
>> > cisco-nsp mailing list cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From MLouis at nwnit.com Mon May 19 09:04:47 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 19 May 2008 09:04:47 -0400
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: <48316313.30502@cisco.com>
References: <00b501c8b9a1$b4dbdc40$1e9394c0$@com> <48316313.30502@cisco.com>
Message-ID: 

I had this problem with policing using the standard MQC in 3550s. I had to adjust the burst size until I got the speed that I wanted. Burst size greatly affects overall throughput you can achieve. You need to figure out your throughput, say 3000000 and divide that by your policing interval, can't recall what it is for CAR but let's say it's 1/100, and you get 30000 bits per interval. You may have to convert that to bytes so divide by 8 and you get your burst size for that data rate.

HTH

mike

CCO has some write ups on policing and intervals. Do a search for "leaky bucket".
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lincoln Dale
Sent: Monday, May 19, 2008 7:23 AM
To: Richey
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] access-list speed limiting.

Richey wrote:
> I am trying to limit them to 3Mb down 3Mb up. When I am testing I am
> seeing full speed both directions. I did have some success by changing my
> access-list 150 permit ip host x.x.10.71 any to access-list 150 permit ip
> any host x.x.10.71

you will need BOTH of the above if you want to enforce both directions.

> but I end up with about 1Mb of traffic instead of 3Mb.
>

that is about right. policing compared to shaping, see http://www.cisco.com/warp/public/105/policevsshape.html

cheers,

lincoln.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From cwhitten at metronetsys.com Mon May 19 09:54:36 2008
From: cwhitten at metronetsys.com (Chad Whitten)
Date: Mon, 19 May 2008 08:54:36 -0500
Subject: [c-nsp] cisco ios dhcp server
Message-ID: <13bf195a0805190654r1befe66bxcc432d0084a34c85@mail.gmail.com>

I have used the Cisco IOS DHCP server before but only to serve subnets and vlans that are local to the router/switch.
Can the IOS DHCP server handle DHCP requests from outside the local network (relayed to it via another router)? I realize this would require additional network pools and such on the Cisco, just wondering if it can be done as I would with a Unix ISC DHCP server?

Thanks

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From whisper555 at gmail.com Mon May 19 10:12:03 2008
From: whisper555 at gmail.com (Whisper)
Date: Tue, 20 May 2008 00:12:03 +1000
Subject: [c-nsp] cisco ios dhcp server
In-Reply-To: <13bf195a0805190654r1befe66bxcc432d0084a34c85@mail.gmail.com>
References: <13bf195a0805190654r1befe66bxcc432d0084a34c85@mail.gmail.com>
Message-ID: <5333e1040805190712r2c536bdbgb57b71fc5b0c1508@mail.gmail.com>

Chad, this is what you are probably looking for

http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdipadr.html#wp1018606

ip helper-address & ip forward-protocol

Cheers

On Mon, May 19, 2008 at 11:54 PM, Chad Whitten wrote:
> I have used the Cisco IOS DHCP server before but only to serve subnets
> and vlans that are local to the router/switch. Can the IOS DHCP
> server handle DHCP requests from outside the local network (relayed to
> it via another router)? I realize this would require additional
> network pools and such on the Cisco, just wondering if it can be done
> as I would with a Unix ISC DHCP server?
>
> Thanks
>
> --
> Chad Whitten
> Metro Network Solutions
> (601) 366-6630 Phone
> (601) 366-6066 Fax
> (601) 842-6804 Cellular
> cwhitten at metronetsys.com

From cwhitten at metronetsys.com Mon May 19 11:12:22 2008
From: cwhitten at metronetsys.com (Chad Whitten)
Date: Mon, 19 May 2008 10:12:22 -0500
Subject: [c-nsp] cisco ios dhcp server
In-Reply-To: <5333e1040805190712r2c536bdbgb57b71fc5b0c1508@mail.gmail.com>
References: <13bf195a0805190654r1befe66bxcc432d0084a34c85@mail.gmail.com> <5333e1040805190712r2c536bdbgb57b71fc5b0c1508@mail.gmail.com>
Message-ID: <13bf195a0805190812s70c72167q1ecd1842e0be9085@mail.gmail.com>

No, I'm familiar with those commands, that's what I would use on a remote Cisco router to forward the DHCP requests up to a central DHCP server. My question is, can the IOS DHCP server respond to requests relayed to it by another router?

On Mon, May 19, 2008 at 9:12 AM, Whisper wrote:
> Chad, this is what you are probably looking for
>
> http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdipadr.html#wp1018606
>
> ip helper-address & ip forward-protocol
>
> Cheers
>
> On Mon, May 19, 2008 at 11:54 PM, Chad Whitten wrote:
>>
>> I have used the Cisco IOS DHCP server before but only to serve subnets
>> and vlans that are local to the router/switch. Can the IOS DHCP
>> server handle DHCP requests from outside the local network (relayed to
>> it via another router)? I realize this would require additional
>> network pools and such on the Cisco, just wondering if it can be done
>> as I would with a Unix ISC DHCP server?
>>
>> Thanks
>>
>> --
>> Chad Whitten
>> Metro Network Solutions
>> (601) 366-6630 Phone
>> (601) 366-6066 Fax
>> (601) 842-6804 Cellular
>> cwhitten at metronetsys.com
>

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From p.mayers at imperial.ac.uk Mon May 19 11:15:33 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 19 May 2008 16:15:33 +0100
Subject: [c-nsp] SXH2a broken with non-MDT SAFI peers
Message-ID: <48319995.5070900@imperial.ac.uk>

All,

This is just a heads-up. I'll open a TAC case as soon as Cisco un-break my CCO account (aside: what kind of incompetent buffoons do Cisco have running their website?)

I'm testing SXH2a on a 6500/sup720 and have run into some problems. Specifically, we have:

RR1 --- RR2
 |       |
 \--RTR--/

 * RR1 & RR2 are running 12.2(18)SXF, and are route-reflectors
 * RTR is running SXH2a and is a client of both RRs

The MDT SAFI code is supposed to detect a non-MDT capable router and send the "old" VPNv4 communities. This doesn't seem to be working, and there seems to be an off-by-one-byte error.

On RR1 I see (I realise I'm using real IPs, but it's necessary for the demo) using "sh ip bgp vpnv4 all neighbors $RTR routes":

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 50688:0:29512344
*>i11.0.0.0         194.82.152.11            0    100      0 ?

If we decode the RD into hex, and back into decimal, it's:

198.0 : 0 : 1.194.82.152

...and then obviously the "11" from the 1st octet of the route. A working router shows:

Route Distinguisher: 2:39878:1
*>i194.82.152.9/32  194.82.152.9             0    100      0 ?

Sigh.
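Phil's hand decode of the RD display, plus a parse of the standard RD layout at the correct offset and one byte late, as an added example (code written for this archive, not from the thread or from IOS; the RD 2:39878:1 and prefix 194.82.152.9 are the working values quoted above, the helper names display_to_octets, encode_rd, decode_rd and decode_vpnv4_key are constructed, and the shifted parse only shows what a one-byte misalignment does to the type field, it does not reproduce RTR's actual bytes):

```python
"""Route distinguisher decoding for the VPNv4 display above (added example).

Layout per RFC 4364: 2-byte type followed by a 6-byte value.
  type 0: 2-byte ASN  : 4-byte number
  type 1: 4-byte IPv4 : 2-byte number
  type 2: 4-byte ASN  : 2-byte number
RD 2:39878:1 and prefix 194.82.152.9 come from the thread; the shifted
parse is constructed to illustrate a one-byte misalignment.
"""
import struct
from ipaddress import IPv4Address
from typing import Tuple


def display_to_octets(shown: str) -> str:
    """Phil's manual decode: treat a type:admin:assigned display as 2:2:4 byte
    fields and print each as dotted octets (50688 -> 198.0, 29512344 -> 1.194.82.152)."""
    fields = [int(f) for f in shown.split(":")]
    widths = (2, 2, 4)
    parts = []
    for value, width in zip(fields, widths):
        octets = value.to_bytes(width, "big")
        parts.append(".".join(str(b) for b in octets))
    return ":".join(parts)


def encode_rd(rd_type: int, admin: int, assigned: int) -> bytes:
    """Pack an RD in network byte order."""
    if rd_type == 0:
        return struct.pack("!HHI", 0, admin, assigned)
    if rd_type in (1, 2):
        return struct.pack("!HIH", rd_type, admin, assigned)
    raise ValueError(f"unknown RD type {rd_type}")


def decode_rd(buf: bytes, offset: int = 0) -> str:
    """Render the 8 bytes at offset as type:admin:assigned, the way the RR
    printed them. Unknown types fall back to 2:2:4 widths, which is how a
    shifted RD surfaces as an implausibly large type value."""
    rd = buf[offset:offset + 8]
    if len(rd) != 8:
        raise ValueError("need 8 bytes for an RD")
    (rd_type,) = struct.unpack("!H", rd[:2])
    if rd_type == 1:
        ip, num = struct.unpack("!4sH", rd[2:])
        return f"1:{IPv4Address(ip)}:{num}"
    if rd_type == 2:
        asn, num = struct.unpack("!IH", rd[2:])
        return f"2:{asn}:{num}"
    admin, assigned = struct.unpack("!HI", rd[2:])   # type 0 and unknown types
    return f"{rd_type}:{admin}:{assigned}"


def decode_vpnv4_key(buf: bytes, offset: int = 0) -> Tuple[str, str]:
    """RD followed by a 4-byte IPv4 prefix, as in the /32 route key shown above."""
    rd = decode_rd(buf, offset)
    prefix = IPv4Address(buf[offset + 8:offset + 12])
    return rd, str(prefix)


def rd_is_well_formed(buf: bytes, offset: int = 0) -> bool:
    """Sanity check on a peer's RD: only types 0, 1 and 2 are defined."""
    (rd_type,) = struct.unpack("!H", buf[offset:offset + 2])
    return rd_type in (0, 1, 2)


if __name__ == "__main__":
    print(display_to_octets("50688:0:29512344"))       # 198.0:0.0:1.194.82.152
    key = encode_rd(2, 39878, 1) + IPv4Address("194.82.152.9").packed
    print(decode_vpnv4_key(key, 0))                     # ('2:39878:1', '194.82.152.9')
    # Constructed: read the same bytes one byte late and the type field is garbage.
    print(decode_rd(key, 1), rd_is_well_formed(key, 1))
```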
From mylists at battleop.com Mon May 19 11:42:56 2008
From: mylists at battleop.com (Richey)
Date: Mon, 19 May 2008 11:42:56 -0400
Subject: [c-nsp] access-list speed limiting.
In-Reply-To:
References: <00b501c8b9a1$b4dbdc40$1e9394c0$@com> <48316313.30502@cisco.com>
Message-ID: <012201c8b9c7$0272fd60$0758f820$@com>

Thanks for all of the suggestions. One thing I see is when someone asks for help and they report back that it's fixed but they don't say what they ended up doing to fix the problem. So here is what seems to work.

I threw out the following:

rate-limit input access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop
rate-limit output access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop

Then I added:

traffic-shape group 150 3000000 75000 75000 1000

then in my access-list I added:

access-list 150 permit ip any host x.x.10.71

in addition to:

access-list 150 permit ip host x.x.10.71 any

Now the bandwidth hogs are at the 3Mb they are paying for and the sales guys have stopped knocking on my door.

Thanks for the help

Richey

-----Original Message-----
From: Mike Louis [mailto:MLouis at nwnit.com]
Sent: Monday, May 19, 2008 9:05 AM
To: Lincoln Dale; Richey
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] access-list speed limiting.

I had this problem with policing using the standard MQC in 3550s. I had to adjust the burst size until I got the speed that I wanted. Burst size greatly affects the overall throughput you can achieve. You need to figure out your throughput, say 3000000, and divide that by your policing interval (can't recall what it is for CAR, but let's say it's 1/100), and you get 30000 bits per interval. You may have to convert that to bytes, so divide by 8 and you get your burst size for that data rate.

HTH
mike

CCO has some write-ups on policing and intervals. Do a search for "leaky bucket".
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lincoln Dale
Sent: Monday, May 19, 2008 7:23 AM
To: Richey
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] access-list speed limiting.

Richey wrote:
> I am trying to limit them to 3Mb down 3Mb up. When I am testing I am
> seeing full speed both directions. I did have some success by changing my
> access-list 150 permit ip host x.x.10.71 any to access-list 150 permit ip
> any host x.x.10.71

you will need BOTH of the above if you want to enforce both directions.

> but I end up with about 1Mb of traffic instead of 3Mb.

that is about right. policing compared to shaping, see http://www.cisco.com/warp/public/105/policevsshape.html

cheers,

lincoln.

From sdavid at ecritel.net Mon May 19 11:55:48 2008
From: sdavid at ecritel.net (DAVID Sébastien)
Date: Mon, 19 May 2008 17:55:48 +0200
Subject: [c-nsp] Catalyst 2960G & Tacacs
Message-ID:

Hi,

I have run into some difficulties setting up my 2960G switch with TACACS.
I have configured a local username and set an authentication list as follows:

aaa authentication login console group tacacs+ local

My TACACS server is down. When I restart my switch, I cannot connect to my device because I never get a prompt for my username. To get access I must plug in a cable so that an interface comes UP.

This is my error:

Switch con0 is now available

Press RETURN to get started.

% Authentication failed
% Authentication failed
% Authentication failed

On a Cisco 2950 everything works.

Thanks for help

Best regards,

Sébastien DAVID
Service Exploitation Réseau
Ecritel site de Clichy : 7-9, rue Petit 92582 Clichy Cedex
Tél: 01.73.02.50.76
Fax: 01.47.56.04.48
Email: sdavid at ecritel.net
Site web: www.ecritel.fr
From A.L.M.Buxey at lboro.ac.uk Mon May 19 12:05:21 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Mon, 19 May 2008 17:05:21 +0100
Subject: [c-nsp] Catalyst 2960G & Tacacs
In-Reply-To:
References:
Message-ID: <20080519160521.GA20279@lboro.ac.uk>

Hi,

> Hi,
>
> I have run into some difficulties setting up my 2960G switch with TACACS. I have configured a local username and set an authentication list as follows:

you need to configure the groups for it to use local if server fails. eg

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.1.0
tacacs-server host 192.168.0.255
tacacs-server key 7

alan

From c.spurgeon at mail.utexas.edu Mon May 19 11:10:54 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 19 May 2008 10:10:54 -0500
Subject: [c-nsp] Strange message on the console
In-Reply-To: <20080518055656.GA16726@kallisti.us>
References: <20080518055656.GA16726@kallisti.us>
Message-ID: <20080519151054.GA24505@argus.gw.utexas.edu>

That cryptic console message means what it says, and I agree that it's hard to understand. I think it *should* say that you've just gone down the rabbit hole, and the next stop is the Mad Hatter's tea party. That's how it felt when I was trying to debug what was happening as a result.

Here's an NSP thread where this was discussed. As noted, this is apparently fixed in later ASICs (sup720C/CXL):

http://puck.nether.net/pipermail/cisco-nsp/2007-February/038465.html

-Charles

On Sun, May 18, 2008 at 01:56:33AM -0400, Ross Vandegrift wrote:
> Hi everyone,
>
> I was messing around with rate-limiting ARP resolution on a 6500
> SUP720-3bxl.
> After entering "mls rate-limit unicast cef glean 250
> 50", IOS printed this message on the console:
>
> %Packets requiring ARP resolution will be subject to the output ACLs of the input VLAN
>
> Uhhhh, duh? I would hope that traffic would always be subject to the
> input VLAN's output ACL, since that would be how one would expect
> ACLs to work - ie, that they actually do something.... I can't
> imagine that this means to imply that output ACLs only work when glean
> rate-limiting is enabled.
>
> Google finds nothing on this message - anyone have any info on this
> curious bit?
>
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "The good Christian should beware of mathematicians, and all those who
> make empty prophecies. The danger already exists that the mathematicians
> have made a covenant with the devil to darken the spirit and to confine
> man in the bonds of Hell."
> --St. Augustine, De Genesi ad Litteram, Book II, xviii, 37

From Jesse.Fields at wesd.org Mon May 19 14:52:05 2008
From: Jesse.Fields at wesd.org (Fields, Jesse)
Date: Mon, 19 May 2008 11:52:05 -0700
Subject: [c-nsp] cisco ios dhcp server
In-Reply-To: <13bf195a0805190812s70c72167q1ecd1842e0be9085@mail.gmail.com>
References: <13bf195a0805190654r1befe66bxcc432d0084a34c85@mail.gmail.com> <5333e1040805190712r2c536bdbgb57b71fc5b0c1508@mail.gmail.com> <13bf195a0805190812s70c72167q1ecd1842e0be9085@mail.gmail.com>
Message-ID: <06D9FD985A42704BB0E8F483ACA3FE2E3C5221BE64@miranda.wesd.org>

Yes, the router should act as a fully functional DHCP server. You just need to set up the pools for the remote networks and ip helper the requests to it.
From the Cisco docs -- "The Cisco IOS DHCP server can accept broadcasts from locally attached LAN segments or from DHCP requests that have been forwarded by other DHCP relay agents within the network."

There are some advanced options available if you want to get fancy. =)

This explains it better than I:
http://www.cisco.com/en/US/docs/ios/ipaddr/configuration/guide/iad_dhcp_svr_cfg.html#wp1122709

I hope this is what you were looking for.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chad Whitten
Sent: Monday, May 19, 2008 8:12 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] cisco ios dhcp server

No, I'm familiar with those commands, that's what I would use on a remote Cisco router to forward the DHCP requests up to a central DHCP server. My question is, can the IOS DHCP server respond to requests relayed to it by another router?

On Mon, May 19, 2008 at 9:12 AM, Whisper wrote:
> Chad, this is what you are probably looking for
>
> http://www.cisco.com/en/US/docs/ios/12_1/iproute/command/reference/1rdipadr.html#wp1018606
>
> ip helper-address & ip forward-protocol
>
> Cheers
>
> On Mon, May 19, 2008 at 11:54 PM, Chad Whitten wrote:
>>
>> I have used the Cisco IOS DHCP server before but only to serve subnets
>> and vlans that are local to the router/switch. Can the IOS DHCP
>> server handle DHCP requests from outside the local network (relayed to
>> it via another router)? I realize this would require additional
>> network pools and such on the Cisco, just wondering if it can be done
>> as I would with a Unix ISC DHCP server?
>>
>> Thanks
>>
>> --
>> Chad Whitten
>> Metro Network Solutions
>> (601) 366-6630 Phone
>> (601) 366-6066 Fax
>> (601) 842-6804 Cellular
>> cwhitten at metronetsys.com
>

--
Chad Whitten
Metro Network Solutions
(601) 366-6630 Phone
(601) 366-6066 Fax
(601) 842-6804 Cellular
cwhitten at metronetsys.com

From p.mayers at imperial.ac.uk Mon May 19 14:00:50 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 19 May 2008 19:00:50 +0100
Subject: [c-nsp] Maintenance management
Message-ID: <4831C052.4060703@imperial.ac.uk>

All,

We seem to have an incredibly hard time managing our maintenance contracts.

Quite aside from the vagaries of CCO ("Sorry sir, your contracts have disappeared from your profile, no TAC access for *you*") we are unable to gather all our maintenance into one (or a small number of) contract(s) and what contracts we have are very difficult to inventory.

It goes without saying that SCC is a bad joke.

Do any of you manage to do it better? How?

From hank at efes.iucc.ac.il Mon May 19 13:25:40 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Mon, 19 May 2008 20:25:40 +0300 (IDT)
Subject: [c-nsp] Strangeness with eFlexwan POS ports on 7600
In-Reply-To:
References:
Message-ID:

On Mon, 19 May 2008, Hank Nussbacher wrote:

Cisco TAC found that the one interface that worked didn't have uRPF enabled whereas the others did:

ip verify unicast source reachable-via rx allow-default 170

What is amazing is that this caused deterministic pkt loss. I have removed it and pkt loss went away.
Reapplied the ip verify and pkt loss still was 0! Truly amazing.

Any clues why this would happen?

Thanks,
Hank

> We are encountering some very strange behavior on POS interfaces seated
> inside eFlexwans on a 7613 with SUP720. On a 7613 running 12.2(18)SXE6b we
> do not see any of this strangeness. On a 7613 running 12.2(18)SXF11 - we do.
>
> The strangeness is hard to define. It appeared first when we tried to bring
> up a backup STM-1 circuit which hadn't been used in a year and would only
> pass about 700kbps. We blamed the carrier but now suspect a subtle bug in
> IOS. Other POS interfaces also show pkt loss, whereas one other POS
> interface - which happened to be the only live one with constant moving
> traffic does not show any strangeness.
>
> When doing ping from the router to the other side of the interface, we see
> deterministic pkt loss like this:
> POS3/0/1
> Sending 10000, 100-byte ICMP Echos to xxx.139.237.2, timeout is 2 seconds:
> !!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!
> !!!!!.!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!
> !!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!!.!!!!!!!!!!!!!.!
>
> The drop on this link is periodic, it's not random, every 14th packet is
> dropped. We have no rate limiting enabled. Depending on packet size of ping
> - we get different deterministic results.
>
> After playing with the bad interface for a while (shut, no shut, sdh parms,
> moved to another free POS port, SDH tester equipment, loopbacks, etc.), it
> suddenly came alive and no longer lost any packets.
>
> Has anyone encountered anything similar to this?
>
> Otherwise, this is gonna be hell to debug with TAC.
>
> Thanks,
> Hank
>

From sdavid at ecritel.net Mon May 19 12:08:51 2008
From: sdavid at ecritel.net (DAVID Sébastien)
Date: Mon, 19 May 2008 18:08:51 +0200
Subject: [c-nsp] Catalyst 2960G & Tacacs
In-Reply-To: <20080519160521.GA20279@lboro.ac.uk>
References: <20080519160521.GA20279@lboro.ac.uk>
Message-ID:

Thanks for the help,

But my configuration works with the Cisco 2950; only with the 2960 do I have a problem. This is my aaa configuration:

aaa authentication login telnet group tacacs+ local
aaa authentication login console group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization exec default if-authenticated
aaa authorization config-commands
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+

tacacs-server host x.x.x.x timeout 1

line console 0
 login authentication console
line vty 0 4
 logging synchronous
 login authentication telnet
 transport input ssh

-----Original Message-----
From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk]
Sent: Monday, 19 May 2008 18:05
To: DAVID Sébastien
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 2960G & Tacacs

Hi,

> Hi,
>
> I have run into some difficulties setting up my 2960G switch with TACACS. I have configured a local username and set an authentication list as follows:

you need to configure the groups for it to use local if server fails.
eg

aaa authentication login default group tacacs+ enable
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 192.168.1.0
tacacs-server host 192.168.0.255
tacacs-server key 7

alan

From petelists at templin.org Mon May 19 17:16:54 2008
From: petelists at templin.org (Pete Templin)
Date: Mon, 19 May 2008 16:16:54 -0500
Subject: [c-nsp] IPv6 and ISIS on GSR
Message-ID: <4831EE46.2040503@templin.org>

List,

We're beginning our IPv6 deployment, and running into some surprises already. I've taken a GSR out of the forwarding path and successfully applied some IPv6 addresses to its interfaces. However, as soon as I put "ipv6 router isis" on any interface, my v4 isis adjacencies drop within the dead interval and the router "falls off the network". Removing the command(s) brings the router back into happy adjacencies.

My first hunch was that it was a condition of the single topology, so I then tried applying the 'ipv6 router isis' to all interfaces that had 'ip router isis' on them...still no success.

Any thoughts on what I'm doing wrong? 12.0(32)S8 on a 12008.

Thanks,
Pete

From jhigham at epri.com Mon May 19 17:19:41 2008
From: jhigham at epri.com (Higham, Josh)
Date: Mon, 19 May 2008 14:19:41 -0700
Subject: [c-nsp] Maintenance management
In-Reply-To: <4831C052.4060703@imperial.ac.uk>
References: <4831C052.4060703@imperial.ac.uk>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273ECECE1@uspalex02.epri.com>

Purchase enough where you have a vendor who will manage it for you and the cell number of an account rep at Cisco that you can call if there are problems.
Another important item is to make everything coterminous (generally the end of the year) so that you can set aside time and make sure to cover everything that you need, rather than doing it on an ad-hoc basis.

We recently had an RMA delayed by several days because the TAC entitlement DB did not match the account entitlement DB, even though the contracts had been purchased months before. I can't imagine what actually happened or why the process even uses two different databases.

Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Monday, May 19, 2008 11:01 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Maintenance management
>
> All,
>
> We seem to have an incredibly hard time managing our
> maintenance contracts.
>
> Quite aside from the vagaries of CCO ("Sorry sir, your contracts have
> disappeared from your profile, no TAC access for *you*") we
> are unable to gather all our maintenance into one (or a small number of)
> contract(s) and what contracts we have are very difficult to inventory.
>
> It goes without saying that SCC is a bad joke.
>
> Do any of you manage to do it better? How?

From ATolstykh at integrysgroup.com Mon May 19 16:57:00 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Mon, 19 May 2008 15:57:00 -0500
Subject: [c-nsp] Maintenance management
In-Reply-To: <4831C052.4060703@imperial.ac.uk>
Message-ID:

http://lamp.elasalle.com

Awesome reports, SmartNet contract management (even if it was purchased from a 3rd party vendor), credit manager, ability to change coverage level, associate modules with the chassis, update site information etc.
On 5/19/08 1:00 PM, "Phil Mayers" wrote:

> All,
>
> We seem to have an incredibly hard time managing our maintenance contracts.
>
> Quite aside from the vagaries of CCO ("Sorry sir, your contracts have
> disappeared from your profile, no TAC access for *you*") we are unable to
> gather all our maintenance into one (or a small number of) contract(s)
> and what contracts we have are very difficult to inventory.
>
> It goes without saying that SCC is a bad joke.
>
> Do any of you manage to do it better? How?

From tvarriale at comcast.net Mon May 19 17:16:44 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Mon, 19 May 2008 16:16:44 -0500
Subject: [c-nsp] Maintenance management
References: <4831C052.4060703@imperial.ac.uk>
Message-ID: <010f01c8b9f7$8a165840$f211a8c0@flamwsugsmul5v>

I have always found a good partner willing to take one for the team and take care of it (I used to be that partner...twice). It's definitely not fun. Never has been...never will.

tv

----- Original Message -----
From: "Phil Mayers"
To:
Sent: Monday, May 19, 2008 1:00 PM
Subject: [c-nsp] Maintenance management

> All,
>
> We seem to have an incredibly hard time managing our maintenance
> contracts.
>
> Quite aside from the vagaries of CCO ("Sorry sir, your contracts have
> disappeared from your profile, no TAC access for *you*") we are unable to
> gather all our maintenance into one (or a small number of) contract(s)
> and what contracts we have are very difficult to inventory.
>
> It goes without saying that SCC is a bad joke.
>
> Do any of you manage to do it better? How?

From Jesse.Fields at wesd.org Mon May 19 19:09:07 2008
From: Jesse.Fields at wesd.org (Fields, Jesse)
Date: Mon, 19 May 2008 16:09:07 -0700
Subject: [c-nsp] Maintenance management
In-Reply-To: <4831C052.4060703@imperial.ac.uk>
References: <4831C052.4060703@imperial.ac.uk>
Message-ID: <06D9FD985A42704BB0E8F483ACA3FE2E3C5221BE69@miranda.wesd.org>

We use: http://www.uptimesciences.com/

We had similar issues finding a vendor that really cared to understand and keep up to date on the SmartNet nuances year to year. These guys keep on top of it. Getting our contracts aligned with our budgeting cycle was another great perk as well.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Monday, May 19, 2008 11:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Maintenance management

All,

We seem to have an incredibly hard time managing our maintenance contracts.

Quite aside from the vagaries of CCO ("Sorry sir, your contracts have disappeared from your profile, no TAC access for *you*") we are unable to gather all our maintenance into one (or a small number of) contract(s) and what contracts we have are very difficult to inventory.

It goes without saying that SCC is a bad joke.

Do any of you manage to do it better? How?
From Michael.Balasko at cityofhenderson.com Mon May 19 19:47:04 2008
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Mon, 19 May 2008 16:47:04 -0700
Subject: [c-nsp] Maintenance management
In-Reply-To: <4831C052.4060703@imperial.ac.uk>
References: <4831C052.4060703@imperial.ac.uk>
Message-ID: <9AF22D15085E7D409ED5710CBC779E93060B0956@COHNTCS09.ci.henderson.nv.us>

I have been doing this for a few years now and what I do is a combination of our vendor (Mountain States Networking), a bit of legwork on my part and CiscoWorks. They make sure everything we purchase is placed on the proper contract and they resolve any issues relating to that. Once our renewal is nearing term, I work with them to make sure all of our gear is covered. I then request a coverage report from MSN and revalidate that everything we need covered is covered. The key for us is to keep the contracts down to a bare minimum and follow up to make sure everything is as it should be.

I know 99% of folks are anti-CiscoWorks, but it does have the easy button for this (Contract Connection) that I am quite pleased with.

I know some folks scoff at 350 devices, but that's currently what we carry support on and the process isn't that bad. It probably takes me 20-30 concentrated hours a year to make sure it's all "right". Not sure how that relates to the rest of the world, but it seems to be a reasonable investment to me.

Michael Balasko CCSP,MCSE,MCNE,SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, NV 89015

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Phil Mayers
Sent: Monday, May 19, 2008 11:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Maintenance management

All,

We seem to have an incredibly hard time managing our maintenance contracts.

Quite aside from the vagaries of CCO ("Sorry sir, your contracts have disappeared from your profile, no TAC access for *you*") we are unable to gather all our maintenance into one (or a small number of) contract(s) and what contracts we have are very difficult to inventory.

It goes without saying that SCC is a bad joke.

Do any of you manage to do it better? How?

From lsawyer at gci.com Mon May 19 19:48:28 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Mon, 19 May 2008 15:48:28 -0800
Subject: [c-nsp] IPv6 and ISIS on GSR
In-Reply-To: <4831EE46.2040503@templin.org>
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA07804D0C@FNB1EX01.gci.com>

Pete Templin writes:
> We're beginning our IPv6 deployment, and running into some
> surprises already. I've taken a GSR out of the forwarding
> path and successfully applied some IPv6 addresses to its
> interfaces. However, as soon as I put "ipv6 router isis" on
> any interface, my v4 isis adjacencies drop within the dead
> interval and the router "falls off the network".
> Removing the command(s) brings the router back into happy adjacencies.
>
> My first hunch was that it was a condition of the single
> topology, so I then tried applying the 'ipv6 router isis' to
> all interfaces that had 'ip router isis' on them...still no success.
>
> Any thoughts on what I'm doing wrong? 12.0(32)S8 on a 12008.
If you're mixing IPv4 and IPv6, there's a little more work to do. Here's kind of a "blanket" config that should cover 95%+:

!------------------------------
! You can safely ignore errors here
!
ipv6 unicast-routing
ipv6 cef
ipv6 cef distributed
!
!
!
router isis
 is-type level-2-only
 !
 ! This is the big one, for converged 4+6
 metric-style wide
 no adjacency-check
 !
 address-family ipv6
  multi-topology
  no adjacency-check
!
!
interface Lo0
 description *** Management IP Address
 ipv6 enable
 ipv6 addr 0100:0100:FFFF:FFFF:0000:0000:0000:0017/128
 ipv6 router isis
!
!

You may -still- get route convergence disruptions. We got around it by having a separate EIGRP process running at the same time that we were migrating off of.

From kgraham at industrial-marshmallow.com Mon May 19 21:35:16 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 19 May 2008 18:35:16 -0700 (PDT)
Subject: [c-nsp] 100Base-FX with HWIC-1GE-SFP?
Message-ID: <568165.3872.qm@web902.biz.mail.mud.yahoo.com>

Can anyone confirm whether the HWIC-1GE-SFP will do 100Base-FX? The only option that appears to be supported on the ISRs is the NM-1FE-FX-V2, which, with a nearly identical list price, is obviously far less desirable, assuming that the HWIC can do the job.

From freimer at ctiusa.com Mon May 19 23:20:45 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Mon, 19 May 2008 23:20:45 -0400
Subject: [c-nsp] Catalyst 2960G & Tacacs
In-Reply-To:
References: <20080519160521.GA20279@lboro.ac.uk>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D051F@EXCHANGE.ctiusa.com>

Why are you using a timeout of 1 second for your TACACS+ server? That's awfully short, especially if you use two-factor authentication or a punt from ACS to an external database. If anything I've had to increase the timeout from the default. Your authorization command doesn't look right either.

You would obviously also need to define some local username(s) with appropriate privilege levels and (hopefully) a secret in order for "local" fallback to work. You can't fall back to local if you have no local usernames...

If authentication to the ACS isn't working, check the ACS failure logs, and also do some debugs on the router/switch. You can set up buffered logging, unplug your connection to your ACS, do your test, then plug back in to get the detailed messages in the log on why AAA is failing.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of DAVID Sébastien
> Sent: Monday, May 19, 2008 12:09 PM
> To: A.L.M.Buxey at lboro.ac.uk
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Catalyst 2960G & Tacacs
>
> Thanks for the help,
>
> But my configuration is OK with the Cisco 2950; only with the 2960 do I have a problem. This is my aaa configuration:
>
> aaa authentication login telnet group tacacs+ local
> aaa authentication login console group tacacs+ local
> aaa authentication enable default group tacacs+ enable
> aaa authorization commands 1 default group tacacs+ if-authenticated
> aaa authorization commands 15 default group tacacs+ if-authenticated
> aaa authorization exec default if-authenticated
> aaa authorization config-commands
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
> aaa accounting connection default start-stop group tacacs+
> aaa accounting system default start-stop group tacacs+
>
> tacacs-server host x.x.x.x timeout 1
>
> line console 0
>  login authentication console
> line vty 0 4
>  logging synchronous
>  login authentication telnet
>  transport input ssh
>
> -----Original Message-----
> From: A.L.M.Buxey at lboro.ac.uk [mailto:A.L.M.Buxey at lboro.ac.uk]
> Sent: Monday, May 19, 2008 18:05
> To: DAVID Sébastien
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Catalyst 2960G & Tacacs
>
> Hi,
>
> > Hi,
> >
> > I met some difficulties setting up my switch 2960G with tacacs. I have configured a username locally and set an authentication list as follows:
>
> you need to configure the groups for it to use local if server fails.
>
> eg
>
> aaa authentication login default group tacacs+ enable
> aaa authentication enable default group tacacs+ enable
> aaa authorization exec default group tacacs+ if-authenticated
> aaa accounting exec default start-stop group tacacs+
> aaa accounting commands 1 default start-stop group tacacs+
> aaa accounting commands 15 default start-stop group tacacs+
>
> tacacs-server host 192.168.1.0
> tacacs-server host 192.168.0.255
> tacacs-server key 7
>
> alan

From tedm at toybox.placo.com Tue May 20 00:30:39 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 19 May 2008 21:30:39 -0700
Subject: [c-nsp] access-list speed limiting.
In-Reply-To: <20080519093625.GC19880@rtp-cse-489.cisco.com>
Message-ID:

You're right, as another poster pointed out. I think the OP probably doesn't want to rate limit his customers sending data to the world, but rather he wants to shape the data that the world is sending to his customers so they don't hog it all. But in the absence of further clarification from the OP on what he wants to do, I'll wait and see.

Ted

> -----Original Message-----
> From: Rodney Dunn [mailto:rodunn at cisco.com]
> Sent: Monday, May 19, 2008 2:36 AM
> To: Ted Mittelstaedt
> Cc: Church, Charles; Richey; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] access-list speed limiting.
>
> On Sun, May 18, 2008 at 09:47:51PM -0700, Ted Mittelstaedt wrote:
> > rate limiting doesn't work on data coming into an interface.
>
> I think you are talking about shaping, not CAR or MQC with police. They work on input.
>
> Rodney
>
> > You have to rate limit on the data going out, on the interface that is facing the customer.
> >
> > Ted
> >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles
> > > Sent: Sunday, May 18, 2008 8:25 PM
> > > To: Richey; cisco-nsp at puck.nether.net
> > > Subject: Re: [c-nsp] access-list speed limiting.
> > >
> > > Richey,
> > >
> > > I can't tell if the ethernet int you have a config for faces the customers or the upstream, but it seems that the direction is the issue. Your access list matches a particular host to any, but not the opposite. Add a second entry to the ACL matching any -> host, see if it now works correctly.
> > >
> > > Chuck
> > >
> > > -----Original Message-----
> > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richey
> > > Sent: Sunday, May 18, 2008 10:57 PM
> > > To: cisco-nsp at puck.nether.net
> > > Subject: [c-nsp] access-list speed limiting.
> > >
> > > I've got several users on our wireless network I need to limit to 3Mb. I've tried several ways to limit their speed but they are still getting 12Mbps to 15Mbps when I push an .iso across the link with an FTP session. For our average user I wouldn't care, but these guys get home in the evening and hit it for all it's worth for hours on end.
> > >
> > > I am coming out of a 3660 into a 3524 switch. I then take it into a point to point wireless link where the far end radio connects to an AP.
> > >
> > > Right now I am doing the following:
> > >
> > > interface FastEthernet0/1.103
> > >  description DA1-SM2 Link
> > >  encapsulation dot1Q 103
> > >  ip address x.x.34.193 255.255.255.248
> > >  ip access-group 102 out
> > >  rate-limit input access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop
> > >  rate-limit output access-group 150 3000000 16000 24000 conform-action transmit exceed-action drop
> > >
> > > access-list 150 permit ip host x.x.10.71 any
> > >
> > > I've also tried the following:
> > >
> > > interface FastEthernet0/1.103
> > >  description DA1-SM2 Link
> > >  encapsulation dot1Q 103
> > >  ip address x.x.34.193 255.255.255.248
> > >  ip access-group 102 out
> > >  traffic-shape group 155 3000000 75000 75000 1000
> > >
> > > Richey

From zivl at gilat.net Tue May 20 06:02:58 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 20 May 2008 13:02:58 +0300
Subject: [c-nsp] iBGP not propogating route to 0/8
In-Reply-To: <482E352E.5010209@justinshore.com>
References: <482CABBF.3010009@justinshore.com> <482DFDC3.1000406@forthnet.gr> <482E352E.5010209@justinshore.com>
Message-ID:
Let us know if and when you do put such a HOWTO online!

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin Shore
Sent: Saturday, May 17, 2008 4:30 AM
To: Tassos Chatzithomaoglou
Cc: 'Cisco-nsp'
Subject: Re: [c-nsp] iBGP not propogating route to 0/8

The default-info originate solution makes me nervous without a lab to test this in. Forcing the advertisement with the network statement though works like a champ. I hadn't even considered that this was being caused by Cisco's martian handling. But as David Sinn pointed out, there are more prefixes than just 0/8 that are being suppressed. I'll use the network command to force the advertisement for those networks too. I need to put up a RTBH HOWTO on my website I think.

Thanks. TGIF!

Justin

Tassos Chatzithomaoglou wrote:
> I think it has to do with the default route "confusion"...
>
> 1) You can use "default-information originate" under the bgp process and trick bgp that this is the default route (i guess only the network part is checked). The network is shown as "0.0.0.0/8", which means that the router doesn't consider /8 to be the default length of 0.0.0.0, like in 3.0.0.0.
>
> R1>sh ip bgp
> BGP table version is 20, local router ID is 1.1.1.1
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>
>    Network          Next Hop            Metric LocPrf Weight Path
> *>i0.0.0.0/8        1.1.1.2                  0    500      0 i
> *>i3.0.0.0          1.1.1.2                  0    500      0 i
>
> 2) You can use "network 0.0.0.0 mask 255.0.0.0 route-map static-to-bgp" under bgp and force its advertisement.
>
> Method 1 requires redistribution of the route, method 2 requires the route to be present in IGP/static. In your case, you have both ;)
>
> --
> Tassos
>
> David Sinn wrote on 16/5/2008 7:06:
>> On May 15, 2008, at 2:31 PM, Justin Shore wrote:
>>
>>> I can't think of any reason why this prefix wouldn't be advertised. Any ideas? I noticed it today because I have customers trying to hit 0/8 IPs (0.4.24.200 for example) that my egress ACLs are catching.
>>
>> This is due to how Cisco treats martian networks per their interpretation (or real meaning) of RFC 1812. Since the following are martians, to cover the "Should not" route part of 5.3.7, they won't install them in the route table.
>>
>> 0.0.0.0/8
>> 127.0.0.0/8
>> 128.0.0.0/16
>> 181.255.0.0/16
>> 192.0.0.0/24
>> 233.255.255.0/24
>> 240.0.0.0/4
>>
>> I've only personally tested 240.0.0.0/4 and it will not install in the route table. I've also not tried to figure out what more or less specific routes you could try and install to cover these blocks.
>>
>> David
>>
>>> Thanks
>>> Justin

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From sdavid at ecritel.net Tue May 20 08:06:26 2008
From: sdavid at ecritel.net (DAVID Sébastien)
Date: Tue, 20 May 2008 14:06:26 +0200
Subject: [c-nsp] Catalyst 2960G & Tacacs
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC95028D051F@EXCHANGE.ctiusa.com>
References: <20080519160521.GA20279@lboro.ac.uk> <98B7739FB65BF04F9B3233AB842EEC95028D051F@EXCHANGE.ctiusa.com>
Message-ID:

Hi,

Thanks for your answer, but I do not use the ACS solution but open source software hosted on a Debian server. I have defined a username in order to be able to connect to my devices if my server fails. I have set a timeout of 1s so that when my server is unreachable, commands executed with the local username are faster.

Thanks for the help

Sebastien

From rblayzor.bulk at inoc.net Tue May 20 09:29:12 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Tue, 20 May 2008 09:29:12 -0400
Subject: [c-nsp] iBGP not propogating route to 0/8
In-Reply-To:
References: <482CABBF.3010009@justinshore.com>
Message-ID:

On May 16, 2008, at 3:52 AM, Christian Bering wrote:
> IOS seems to treat anything starting with 0.0.0.0 as a default no matter the mask, so it won't be propagated internally unless you enable 'default-information originate'.

That should be considered a bug and reported to TAC if so. Just because 0/8 is IANA reserved doesn't mean it's not a valid prefix. Default should only be matched on a zero sized prefix, not zeros in the first eight bits of the network.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From have.an.email at gmail.com Tue May 20 11:18:35 2008
From: have.an.email at gmail.com (Nathan)
Date: Tue, 20 May 2008 17:18:35 +0200
Subject: [c-nsp] Bridging ATM on 7206?
Message-ID: <9f785d120805200818w6def6c8etb498aae829ec65ef@mail.gmail.com>

Hi,

I have a 7206 G1 running 12.3(21) with a PA-A3 interface. The ATM interface has sub-interfaces, aal5snap encapsulated, each one of which corresponds to one PVC and to one IP network (/30 or /31 usually), either public or in a VRF. I do not control the other end of the fiber link. The other end of each PVC is usually some device that translates between AAL5SNAP and Ethernet, connected to some customer-owned equipment.

It seems that VLAN tags received on the Ethernet are encapsulated into AAL5SNAP, so the customer should be able to configure 802.1q trunking on the ethernet.

Question 1: can I bridge together two PVCs so that the ATM packets that come in on one PVC go right out again on the other without being de-encapsulated, or at least with no layer-2 changes?

Question 2: can I set up something that permits me to distinguish VLANs on the vlan-into-aal5snap-encapsulated PVCs, seeing each PVC as a 802.1q trunk? I've found LANE, I've found "atm pvc vcd vpi vci", but I don't see how to tie it all together, especially if I want to put each VLAN in a separate VRF.

Basically what I want to do is have several PVCs, each containing a 802.1q trunk, and bridge them together, something like this:

- vlan 5 on PVCs 50/50, 50/51, 50/52 together into a single layer 2 that has no IP address on my 7206
- vlan 6 on PVCs 50/50, 50/51, 50/52 together into a single layer 2 that has a public IP address on my 7206
- vlan 7 on PVCs 50/50, 50/51, 50/52 together into a single layer 2 that has a private IP address in a VRF on my 7206

so that the network behaves as if the several customer devices on the several PVCs were all connected to a simple switch.

Feasible? I'll take partial solutions too . . .

--
Thanks
Nathan

From schilling2006 at gmail.com Tue May 20 11:26:13 2008
From: schilling2006 at gmail.com (schilling)
Date: Tue, 20 May 2008 11:26:13 -0400
Subject: [c-nsp] PACL RACL and SPAN in Catalyst 6500?
Message-ID:

We have 12.2(18)SXF11 in production and 12.2(33)SXH in test on PFC3bxl. We want to SPAN the internet traffic after the border RACL applied on the L3 SVI, to reduce the false positives of snort alerts such as udp 1443 etc. We SPANned the SVI, but are getting all sorts of traffic without filtering. If we remove the same ACL from the L3 SVI and apply it to the physical interface as a PACL, then span the SVI, will we be able to get spanned traffic after the PACL?

Thanks.

Schilling

From mcrocker at crocker.com Tue May 20 12:08:04 2008
From: mcrocker at crocker.com (Matthew Crocker)
Date: Tue, 20 May 2008 12:08:04 -0400
Subject: [c-nsp] Bridging ATM on 7206?
In-Reply-To: <9f785d120805200818w6def6c8etb498aae829ec65ef@mail.gmail.com>
References: <9f785d120805200818w6def6c8etb498aae829ec65ef@mail.gmail.com>
Message-ID: <1E6C1668-D288-49A1-8A38-03E054D0451C@crocker.com>

Nathan,

It sounds like what you want to do should be possible. I'm not sure if the 7206 can do it or not. I'm pretty sure a Redback SE-400 can do it. You need to unwrap the layers of the onion...

Build a bridge group on the 7206 and attach each PVC to it. That should create one big layer 2 'switch' which should be transparent to the VLAN tags on the PVCs. You now need to figure out how to get routed interfaces on the 7206 attached to the bridge group. You could do that with BVIs, or you could attach G0/1 to the bridge-group and then put a cross connect cable into G0/2 and create the VLAN interfaces on G0/2, something like:

bridge 1 protocol vlan-bridge
bridge irb

interface ATM1/0.50
 no ip address
 pvc 50/50
  encapsulation aal5snap
 bridge-group 1

interface ATM1/0.51
 no ip address
 pvc 51/51
  encapsulation aal5snap
 bridge-group 1

[...]

interface bvi 1.6
 bridge 1 route ip
 encapsulation dot1q 6
 ip address 6.6.6.6 255.255.255.0

interface bvi 1.7
 bridge 1 route ip
 encapsulation dot1q 7
 ip vrf PRIVATE_IP
 ip address 7.7.7.7 255.255.255.0

I have no idea if this is even close to a working config, but it is the way I would think it should work.

From criling at gmail.com Tue May 20 14:03:19 2008
From: criling at gmail.com (Chris Riling)
Date: Tue, 20 May 2008 14:03:19 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
Message-ID: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>

Hi All,

I know this has been asked thousands of times before, but I don't think anyone has ever answered it in quite the same fashion. I'm thinking about turning on netflow on my border routers (7606's with Sup32's / full routes); think I'll see any issues from turning on the exports? Also, specifically, we're looking to see the ability to generate reports for say, a /22, and the amount of transfer for each host in the /22 that has entered / exited our network at the border (MRTG on the switchports isn't going to cut it). I've heard that a lot of people use ntop for this sort of thing, but in the demo I wasn't able to find anything that did exactly this, and I wanted to consult the list before turning on Netflow at the border routers anyway.
I've also heard of people using stager for the report generation; can stager do the same sort of thing? Thanks, Chris From peter at rathlev.dk Tue May 20 14:27:48 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 20 May 2008 20:27:48 +0200 Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls In-Reply-To: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com> References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com> Message-ID: <1211308068.19371.16.camel@dusken.sys.mjna.net> Hi Chris, On Tue, 2008-05-20 at 14:03 -0400, Chris Riling wrote: > I know this has been asked thousands of times before, but I don't think > anyone has ever answered it in quite the same fasion. I'm thinking > about turning on netflow on my border routers (7606's with Sup32's / > full routes); Impressive. I didn't think Sup32 could do full routes any longer. :-) > Think I'll see any issues from turning on the exports? It shouldn't have any impact on the hardware forwarding of the box, but the export uses some CPU on the MSFC. On our Sup720s the CPU spends most of its time around 0-1%, exporting on average ~400 flows per second. They're not really doing much else with the CPU though, no full tables or anything. The Sup32 may be stressed a little more, and it all depends on how many flows you export. You also need to think about the TCAM, there's a limit on how many flows you can store at once, maybe forcing you to use aggressive aging timers. AFAIK no Netflow configuration should have any impact on the forwarding performance of the box, but I may be very wrong. ;-) > Also, specifically, we're looking to see the ability to generate > reports for say, a /22, and the amount of transfer for each host in > the /22 that has entered / exited our network at the border (MRTG on > the switchports isn't going to cut it). 
I've heard that a lot of > people use ntop for this sort of thing, but in the demo I wasn't able > to find anything that did exactly this, and I wanted to consult the > list before turning on Netflow at the border routers anyway. I've also > heard of people using stager for the report generation; can stager do > the same sort of thing? We're using nfdump/NFSen and it can do all kinds of sweet things regarding aggregation. We're not using it for billing though, just for base lining and such. This reminds me: All the flows we receive max out at ~2.1GB. I'd like to assume that this is because the switches automatically ages flows before they reach the 32-bit limit (or 31-bit?); can anyone confirm this? Regards, Peter From criling at gmail.com Tue May 20 14:39:38 2008 From: criling at gmail.com (Chris Riling) Date: Tue, 20 May 2008 14:39:38 -0400 Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls In-Reply-To: <1211308068.19371.16.camel@dusken.sys.mjna.net> References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com> <1211308068.19371.16.camel@dusken.sys.mjna.net> Message-ID: <8c829ec10805201139m7e17a0d2k8be9791187fa878c@mail.gmail.com> Haha, yeah, I *knew* that was going to come up... the FIB TCAM is running at about 99% capacity, but I haven't had any issues yet; I'm hoping I can software switch until they're willing to spring for 720's, otherwise it looks like I won't be taking full routes anymore... :) Ultimately, I guess I'll just have to install some different packages and do some experimenting... Thanks! Chris On 5/20/08, Peter Rathlev wrote: > > Hi Chris, > > On Tue, 2008-05-20 at 14:03 -0400, Chris Riling wrote: > > I know this has been asked thousands of times before, but I don't think > > anyone has ever answered it in quite the same fasion. I'm thinking > > about turning on netflow on my border routers (7606's with Sup32's / > > full routes); > > Impressive. I didn't think Sup32 could do full routes any longer. 
:-) > > > Think I'll see any issues from turning on the exports? > > It shouldn't have any impact on the hardware forwarding of the box, but > the export uses some CPU on the MSFC. On our Sup720s the CPU spends most > of its time around 0-1%, exporting on average ~400 flows per second. > They're not really doing much else with the CPU though, no full tables > or anything. The Sup32 may be stressed a little more, and it all depends > on how many flows you export. > > You also need to think about the TCAM, there's a limit on how many flows > you can store at once, maybe forcing you to use aggressive aging timers. > > AFAIK no Netflow configuration should have any impact on the forwarding > performance of the box, but I may be very wrong. ;-) > > > Also, specifically, we're looking to see the ability to generate > > reports for say, a /22, and the amount of transfer for each host in > > the /22 that has entered / exited our network at the border (MRTG on > > the switchports isn't going to cut it). I've heard that a lot of > > people use ntop for this sort of thing, but in the demo I wasn't able > > to find anything that did exactly this, and I wanted to consult the > > list before turning on Netflow at the border routers anyway. I've also > > heard of people using stager for the report generation; can stager do > > the same sort of thing? > > We're using nfdump/NFSen and it can do all kinds of sweet things > regarding aggregation. We're not using it for billing though, just for > base lining and such. > > This reminds me: All the flows we receive max out at ~2.1GB. I'd like to > assume that this is because the switches automatically ages flows before > they reach the 32-bit limit (or 31-bit?); can anyone confirm this? 
> Regards,
> Peter
>
>


From apowers at lancope.com Tue May 20 14:46:47 2008
From: apowers at lancope.com (Adam Powers)
Date: Tue, 20 May 2008 14:46:47 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <1211308068.19371.16.camel@dusken.sys.mjna.net>
Message-ID:

You are correct. The exporter will unnaturally expire the cache entry and start a new one when the octet counter overflows.

YMMV from one Netflow cache implementation to another.

BTW: For systems that use the "sort | uniq" approach for Netflow deduplication this effect would mess things up. Setting lower active timers (I recommend 60 seconds) would help.

On 5/20/08 2:27 PM, "Peter Rathlev" wrote:

> Hi Chris,
>
> On Tue, 2008-05-20 at 14:03 -0400, Chris Riling wrote:
> > I know this has been asked thousands of times before, but I don't think
> > anyone has ever answered it in quite the same fashion. I'm thinking
> > about turning on netflow on my border routers (7606's with Sup32's /
> > full routes);
>
> Impressive. I didn't think Sup32 could do full routes any longer. :-)
>
> > Think I'll see any issues from turning on the exports?
>
> It shouldn't have any impact on the hardware forwarding of the box, but
> the export uses some CPU on the MSFC. On our Sup720s the CPU spends most
> of its time around 0-1%, exporting on average ~400 flows per second.
> They're not really doing much else with the CPU though, no full tables
> or anything. The Sup32 may be stressed a little more, and it all depends
> on how many flows you export.
>
> You also need to think about the TCAM, there's a limit on how many flows
> you can store at once, maybe forcing you to use aggressive aging timers.
>
> AFAIK no Netflow configuration should have any impact on the forwarding
> performance of the box, but I may be very wrong.
> ;-)
>
> > Also, specifically, we're looking to see the ability to generate
> > reports for say, a /22, and the amount of transfer for each host in
> > the /22 that has entered / exited our network at the border (MRTG on
> > the switchports isn't going to cut it). I've heard that a lot of
> > people use ntop for this sort of thing, but in the demo I wasn't able
> > to find anything that did exactly this, and I wanted to consult the
> > list before turning on Netflow at the border routers anyway. I've also
> > heard of people using stager for the report generation; can stager do
> > the same sort of thing?
>
> We're using nfdump/NFSen and it can do all kinds of sweet things
> regarding aggregation. We're not using it for billing though, just for
> baselining and such.
>
> This reminds me: All the flows we receive max out at ~2.1GB. I'd like to
> assume that this is because the switches automatically age flows before
> they reach the 32-bit limit (or 31-bit?); can anyone confirm this?
>
> Regards,
> Peter
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Adam Powers
Chief Technology Officer
Lancope, Inc.
c. 678.725.1028
f. 678.302.8744
e. adam at lancope.com


From jloiacon at csc.com Tue May 20 14:48:15 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Tue, 20 May 2008 14:48:15 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
Message-ID:

Hi Chris,

Netflow is very useful for establishing customer chargebacks based on actual usage. Keep in mind however that in practice it is not perfect, as you can lose netflow information from several sources though generally it is not much (e.g., device table overflow, lost UDP netflow packets, collector overload, etc.)
Despite this possibility, you can get a very close and useful picture of specified traffic sets.

Have you considered open-source flow-tools/FlowViewer? The FlowTracker capability allows you to maintain long-term RRDtool graphs for any user you want. You can also group users and look at them as a group. I track over 120 such individual users here at NASA GSFC. That said, if you're going to look at all 1024 hosts (in a /22) then graphs wouldn't be practical; you would need to invoke a textual report periodically.

If you're going to collect netflow though, flow-tools/FlowViewer offers a lot of analysis tools to enhance your picture of your network. Check out screenshots, etc. for FlowViewer at:

http://ensight.eos.nasa.gov/FlowViewer/

Joe

"Chris Riling"
Sent by: cisco-nsp-bounces at puck.nether.net
05/20/2008 02:03 PM
To: cisco-nsp at puck.nether.net
cc:
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls

Hi All,

I know this has been asked thousands of times before, but I don't think anyone has ever answered it in quite the same fashion. I'm thinking about turning on netflow on my border routers (7606's with Sup32's / full routes); Think I'll see any issues from turning on the exports? Also, specifically, we're looking to see the ability to generate reports for say, a /22, and the amount of transfer for each host in the /22 that has entered / exited our network at the border (MRTG on the switchports isn't going to cut it). I've heard that a lot of people use ntop for this sort of thing, but in the demo I wasn't able to find anything that did exactly this, and I wanted to consult the list before turning on Netflow at the border routers anyway. I've also heard of people using stager for the report generation; can stager do the same sort of thing?
Thanks,
Chris


From justin at justinshore.com Tue May 20 14:53:28 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 20 May 2008 13:53:28 -0500
Subject: [c-nsp] Maintenance management
In-Reply-To: <4831C052.4060703@imperial.ac.uk>
References: <4831C052.4060703@imperial.ac.uk>
Message-ID: <48331E28.2020709@justinshore.com>

I've spent the last 6 months working on getting our contracts straightened out and ready for renewal. I've run into a number of major problems. First was the sheer number of contracts that we'd accumulated over time. We bought some things through our sister company, a partner. Some of the contracts were in their name. We bought all of our new items direct from Cisco but they managed to be on about a dozen different contracts even though they were all bought on the same damn PO. As items were shipped Cisco, in its infinite wisdom, created a new contract and put the items that just shipped on that contract instead of putting everything on one big contract. We had numerous internal items that were on assorted contracts and some that weren't covered at all. Still more internal items were mixed up with the sister company and we discovered that we'd been paying for the coverage on some of their items. Even worse was that some of the sister company's customer SmartNets had somehow gotten associated with us. We also had numerous ISP contracts. Some of the items had been bought 3rd-party or off of eBay. 2 of them still had active contracts being paid by the previous owner (thank you Wal-Mart!). We also had contracts on leased CPE equipment that I didn't know about (I'm still hearing new items fitting in this category every couple of months). To say that our current arrangement was a "cluster" would be putting it lightly.
I spent the last 6 months trying to sort things out. First I had to have an accurate list of what we had including model #s, serial #s, device locations, device names, etc. Every detail that I'd need to track that device effectively. Unfortunately this required a lot of driving time to manually read serial #s off of chassis since you can't pull the SN out of many Cisco devices. Whoever got the brilliant idea to put the SN sticker for the PIX 515Es on the *side* of the chassis where it's covered by the 2-post rack should be taken out and flogged with 1700 series power cords with the power bricks attached. I worked with a Cisco rep to create contracts for each of the device categories we have (internal, ISP, CPE) and for each service level we wanted (24x7x4 and 8x5xNBD). This is when we discovered that you can't have a Sup's service level differ from the other linecards in a chassis (see C-NSP archives). In the end the price was so high that we decided to look at return-to-factory options (RTF). So we reworked the quotes again with RTF prices and included lab hardware. I built spreadsheets with both options to tally things up so I could present it to management. Unfortunately my numbers aren't accurate because Cisco insists on pre-dating some of our hardware back to the day that our contracts expired (they expired far sooner than the year that we paid for because of a problematic sales process. We didn't get the major pieces until January but the 1yr contracts expired in November for everything we bought last year. Nice).

So here we are 6 months later with a ton of hardware that isn't covered and me trying to work the wrinkles out of the prices so I can present it to management. In short, how do we manage our contracts? With blood, sweat and tears; and brute force.

I blame a lot of the hassle on Cisco's SmartNet process.
Apparently there isn't a way to have a single general account that you can then associate *items* with (according to what Cisco folks are telling me). Instead items are associated with service contracts that can not be modified after the purchase has been placed. So in the end, instead of having a single account and a bunch of devices associated with it and one bill at the end of the year, you end up with an insane amount of contracts and no way to organize them until the next year when you get to redo everything and create new contracts again. And yes, the SCC is a joke. The amount of money we've lost this year to the work required to get our contracts straightened out is immense. The system needs an overhaul and organization.

Justin

Phil Mayers wrote:
> All,
>
> We seem to have an incredibly hard time managing our maintenance contracts.
>
> Quite aside from the vagaries of CCO ("Sorry sir, your contracts have
> disappeared from your profile, no TAC access for *you*") we are unable to
> gather all our maintenance into one (or a small number of) contract(s)
> and what contracts we have are very difficult to inventory.
>
> It goes without saying that SCC is a bad joke.
>
> Do any of you manage to do it better? How?


From criling at gmail.com Tue May 20 14:57:08 2008
From: criling at gmail.com (Chris Riling)
Date: Tue, 20 May 2008 14:57:08 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To:
References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
Message-ID: <8c829ec10805201157t8e15054mb2c0bb2227f0d17e@mail.gmail.com>

That sounds pretty cool... I wouldn't be looking to pull info on all 1024 hosts in one report.. I'd be pulling info on groups of IPs; grouped by customer or machine, and I'd want to look at the amount of data transferred over the last 30 days or something...
The reason I can't just look at switchports is because some of these customers use their network connections inside of our data center for more things than just internet access (i.e. I want to check at the border so I only see traffic that left our network toward the internet, or from the internet toward these hosts... I don't care about any usage incurred due to backup jobs, or other data transfer within the data center)

Thanks!
Chris

On 5/20/08, Joe Loiacono wrote:
>
>
> Hi Chris,
>
> Netflow is very useful for establishing customer chargebacks based on
> actual usage. Keep in mind however that in practice it is not perfect, as
> you can lose netflow information from several sources though generally it is
> not much (e.g., device table overflow, lost UDP netflow packets, collector
> overload, etc.) Despite this possibility, you can get a very close and
> useful picture of specified traffic sets.
>
> Have you considered open-source flow-tools/FlowViewer? The FlowTracker
> capability allows you to maintain long-term RRDtool graphs for any user you
> want. You can also group users and look at them as a group. I track over 120
> such individual users here at NASA GSFC. That said, if you're going to look
> at all 1024 hosts (in a /22) then graphs wouldn't be practical; you would
> need to invoke a textual report periodically.
>
> If you're going to collect netflow though, flow-tools/FlowViewer offers a
> lot of analysis tools to enhance your picture of your network. Check out
> screenshots, etc. for FlowViewer at:
>
> http://ensight.eos.nasa.gov/FlowViewer/
>
> Joe
>
>
> "Chris Riling"
> Sent by: cisco-nsp-bounces at puck.nether.net
>
> 05/20/2008 02:03 PM
> To: cisco-nsp at puck.nether.net
> cc:
> Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
>
>
> Hi All,
>
> I know this has been asked thousands of times before, but I don't think
> anyone has ever answered it in quite the same fashion.
> I'm thinking about
> turning on netflow on my border routers (7606's with Sup32's / full
> routes);
> Think I'll see any issues from turning on the exports? Also, specifically,
> we're looking to see the ability to generate reports for say, a /22, and
> the
> amount of transfer for each host in the /22 that has entered / exited our
> network at the border (MRTG on the switchports isn't going to cut it). I've
> heard that a lot of people use ntop for this sort of thing, but in the demo
> I wasn't able to find anything that did exactly this, and I wanted to
> consult the list before turning on Netflow at the border routers anyway.
> I've also heard of people using stager for the report generation; can
> stager
> do the same sort of thing?
>
> Thanks,
> Chris
>
>


From freimer at ctiusa.com Tue May 20 15:05:08 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Tue, 20 May 2008 15:05:08 -0400
Subject: [c-nsp] Maintenance management
In-Reply-To: <48331E28.2020709@justinshore.com>
References: <4831C052.4060703@imperial.ac.uk> <48331E28.2020709@justinshore.com>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D077A@EXCHANGE.ctiusa.com>

>And yes, the SCC is a joke

SCC? CSCC to the rescue!!!

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Justin Shore
> Sent: Tuesday, May 20, 2008 2:53 PM
> To: Phil Mayers
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Maintenance management
>
> I've spent the last 6 months working on getting our contracts
> straightened out and ready for renewal. I've run into a number of
> major
> problems.
> First was the sheer number of contracts that we'd
> accumulated
> over time. We bought some things through our sister company, a
> partner.
> Some of the contracts were in their name. We bought all of our new
> items direct from Cisco but they managed to be on about a dozen
> different contracts even though they were all bought on the same damn
> PO. As items were shipped Cisco, in its infinite wisdom, created a new
> contract and put the items that just shipped on that contract instead
> of
> putting everything on one big contract. We had numerous internal items
> that were on assorted contracts and some that weren't covered at all.
> Still more internal items were mixed up with the sister company and we
> discovered that we'd been paying for the coverage on some of their
> items. Even worse was that some of the sister company's
> customer SmartNets had somehow gotten associated with us. We also had
> numerous ISP contracts. Some of the items had been bought 3rd-party or
> off of eBay. 2 of them still had active contracts being paid by the
> previous owner (thank you Wal-Mart!). We also had contracts on leased
> CPE equipment that I didn't know about (I'm still hearing new items
> fitting in this category every couple of months). To say that our
> current arrangement was a "cluster" would be putting it lightly.
>
> I spent the last 6 months trying to sort things out. First I had to
> have an accurate list of what we had including model #s, serial #s,
> device locations, device names, etc. Every detail that I'd need to
> track that device effectively. Unfortunately this required a lot of
> driving time to manually read serial #s off of chassis since you can't
> pull the SN out of many Cisco devices. Whoever got the brilliant idea
> to put the SN sticker for the PIX 515Es on the *side* of the chassis
> where it's covered by the 2-post rack should be taken out and flogged
> with 1700 series power cords with the power bricks attached.
> I worked
> with a Cisco rep to create contracts for each of the device categories
> we have (internal, ISP, CPE) and for each service level we wanted
> (24x7x4 and 8x5xNBD). This is when we discovered that you can't have a
> Sup's service level differ from the other linecards in a chassis (see
> C-NSP archives). In the end the price was so high that we decided to
> look at return-to-factory options (RTF). So we reworked the quotes
> again with RTF prices and included lab hardware. I built spreadsheets
> with both options to tally things up so I could present it to
> management. Unfortunately my numbers aren't accurate because Cisco
> insists on pre-dating some of our hardware back to the day that our
> contracts expired (they expired far sooner than the year that we paid
> for because of a problematic sales process. We didn't get the major
> pieces until January but the 1yr contracts expired in November for
> everything we bought last year. Nice).
>
> So here we are 6 months later with a ton of hardware that isn't covered
> and me trying to work the wrinkles out of the prices so I can present
> it
> to management. In short, how do we manage our contracts? With blood,
> sweat and tears; and brute force.
>
> I blame a lot of the hassle on Cisco's SmartNet process. Apparently
> there isn't a way to have a single general account that you can then
> associate *items* with (according to what Cisco folks are telling me).
> Instead items are associated with service contracts that can not be
> modified after the purchase has been placed. So in the end, instead of
> having a single account and a bunch of devices associated with it and
> one bill at the end of the year, you end up with an insane amount of
> contracts and no way to organize them until the next year when you get
> to redo everything and create new contracts again. And yes, the SCC is
> a joke. The amount of money we've lost this year to the work required
> to get our contracts straightened out is immense.
> The system needs an
> overhaul and organization.
>
> Justin
>
>
>
> Phil Mayers wrote:
> > All,
> >
> > We seem to have an incredibly hard time managing our maintenance
> contracts.
> >
> > Quite aside from the vagaries of CCO ("Sorry sir, your contracts have
> > disappeared from your profile, no TAC access for *you*") we are unable
> to
> > gather all our maintenance into one (or a small number of)
> contract(s)
> > and what contracts we have are very difficult to inventory.
> >
> > It goes without saying that SCC is a bad joke.
> >
> > Do any of you manage to do it better? How?
>


From jloiacon at csc.com Tue May 20 15:25:36 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Tue, 20 May 2008 15:25:36 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <8c829ec10805201157t8e15054mb2c0bb2227f0d17e@mail.gmail.com>
Message-ID:

Well if you're looking at larger subsets, then FlowTracker might work for you. You can delineate your user group via a CIDR block (e.g., 192.168.100.40/29), group of IPs (up to 10, separated by commas, e.g., 192.168.100.70, 192.168.100.71, etc.), or a combination of the two (e.g., 192.168.100.40/29, 192.168.110.49, 192.168.100.50).

RRDtool maximums, minimums, averages, and 95th pct. are provided for each of the five time periods (last 24 hours, last week, last 4 weeks, etc.). You also have the ability, via the web interface, to dump each of the data points into a list.
Joe

"Chris Riling" wrote on 05/20/2008 02:57:08 PM:

> That sounds pretty cool... I wouldn't be looking to pull info on all
> 1024 hosts in one report.. I'd be pulling info on groups of IPs;
> grouped by customer or machine, and I'd want to look at the amount
> of data transferred over the last 30 days or something... The reason
> I can't just look at switchports is because some of these customers
> use their network connections inside of our data center for more
> things than just internet access (i.e. I want to check at the border
> so I only see traffic that left our network toward the internet, or
> from the internet toward these hosts... I don't care about any usage
> incurred due to backup jobs, or other data transfer within the data center)


From peter at rathlev.dk Tue May 20 15:25:05 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 20 May 2008 21:25:05 +0200
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
Message-ID: <1211311505.19820.9.camel@dusken.sys.mjna.net>

On Tue, 2008-05-20 at 14:46 -0400, Adam Powers wrote:
> On Tue, 2008-05-20 at 20:27 +0200, Peter Rathlev wrote:
> > This reminds me: All the flows we receive max out at ~2.1GB. I'd like
> > to assume that this is because the switches automatically ages flows
> > before they reach the 32-bit limit (or 31-bit?); can anyone confirm
> > this?
>
> You are correct. The exporter will unnaturally expire the cache entry
> and start a new one when the octet counter overflows.
>
> YMMV from one Netflow cache implementation to another.
>
> BTW: For systems that use "sort | uniq" approach for Netflow
> deduplication this effect would mess things up. Setting lower active
> timers (I recommend 60 seconds) would help.

The lowest I can set "mls aging long" to is 64 seconds (Sup720), and a 1Gbps connection could hit 2^32 bytes in less than that, even at something like 75% use. And if we're talking 2^31 it's even worse.
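The octet-counter split that Adam and Peter discuss above, worked through in code. This is an added example and is not part of the thread, nor code from nfdump/NFSen or flow-tools: it packs a NetFlow v5 datagram with struct (the 24-byte header and 48-byte record layout are the v5 wire format), totals octets per host in a customer /22 the way a border-router billing pass would, and shows what a "sort | uniq" style dedup on the 5-tuple loses when the exporter expires a long flow and continues it under the same key. The customer block 10.20.0.0/22, the external host 203.0.113.5, the ports and the 2^31-1 split point are constructed for the example; the exact split threshold is platform-specific.

```python
"""Added example (not from the thread, not nfdump/NFSen code): parse NetFlow v5
datagrams and total per-host octets for a customer /22 seen at a border router.
The datagram is constructed with struct.pack; addresses, ports and the 2**31-1
split point are assumptions made for the demonstration."""
import ipaddress
import struct
from collections import defaultdict

V5_HEADER = struct.Struct(">HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct(">IIIHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


def parse_v5(datagram):
    """Yield (src, dst, proto, sport, dport, octets) for every record in one datagram."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r[0]=srcaddr r[1]=dstaddr r[6]=dOctets r[9]=srcport r[10]=dstport r[13]=prot
        yield (ipaddress.IPv4Address(r[0]), ipaddress.IPv4Address(r[1]),
               r[13], r[9], r[10], r[6])


def per_host_totals(records, customer_net, dedup_by_key=False):
    """Sum octets per customer host, split by direction at the border.

    dOctets is a 32-bit counter, so a long-lived flow arrives as several records
    with the same 5-tuple (the exporter expires the entry and opens a new one).
    Those records must be summed. With dedup_by_key=True only the first record
    per 5-tuple is kept, which is what a 'sort | uniq' pass does, to show the
    resulting undercount."""
    net = ipaddress.IPv4Network(customer_net)
    totals = defaultdict(lambda: {"in": 0, "out": 0})
    seen = set()
    for src, dst, proto, sport, dport, octets in records:
        if dedup_by_key:
            key = (src, dst, proto, sport, dport)
            if key in seen:
                continue
            seen.add(key)
        src_inside, dst_inside = src in net, dst in net
        if src_inside == dst_inside:
            continue  # internal<->internal or pure transit: not this customer's border traffic
        if src_inside:
            totals[src]["out"] += octets
        else:
            totals[dst]["in"] += octets
    return {str(host): counts for host, counts in totals.items()}


def build_v5_datagram(flows):
    """Pack (src, dst, proto, sport, dport, octets) tuples into one v5 datagram."""
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.IPv4Address(s)), int(ipaddress.IPv4Address(d)),
                       0, 1, 2, max(1, o // 1500), o, 0, 0, sp, dp, 0, 0, p, 0, 0, 0, 24, 24, 0)
        for s, d, p, sp, dp, o in flows)
    return V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body


# Constructed sample: two hosts in an assumed customer block talking to an assumed
# external host. The first flow was split by the exporter near the 2**31 octet
# mark, so its two records share a 5-tuple and must be added together.
CUSTOMER_NET = "10.20.0.0/22"
SAMPLE_FLOWS = [
    ("10.20.1.10", "203.0.113.5", 6, 443, 51000, 2**31 - 1),  # first part of a big transfer
    ("10.20.1.10", "203.0.113.5", 6, 443, 51000, 1_000_000),  # continuation, same key
    ("203.0.113.5", "10.20.1.10", 6, 51000, 443, 50_000),     # ACKs coming back in
    ("10.20.2.20", "203.0.113.5", 17, 53, 33000, 1_500),      # a DNS reply going out
    ("10.20.1.10", "10.20.2.20", 6, 22, 40000, 999),          # internal, must be ignored
]
SAMPLE_DATAGRAM = build_v5_datagram(SAMPLE_FLOWS)


def correct_totals():
    """Per-host octets with split flows summed (what billing should use)."""
    return per_host_totals(parse_v5(SAMPLE_DATAGRAM), CUSTOMER_NET)


def naive_dedup_totals():
    """Per-host octets after a 5-tuple dedup, which silently drops the continuation."""
    return per_host_totals(parse_v5(SAMPLE_DATAGRAM), CUSTOMER_NET, dedup_by_key=True)


if __name__ == "__main__":
    for host, t in sorted(correct_totals().items()):
        print("%-12s out=%d in=%d" % (host, t["out"], t["in"]))
    print("undercount from dedup:",
          correct_totals()["10.20.1.10"]["out"] - naive_dedup_totals()["10.20.1.10"]["out"])
```

The direction test is done against the customer block rather than against interface indexes, which is what makes it usable on a border router where several customer subnets share the same uplink. Records are never collapsed on the 5-tuple; if duplicates from two exporters are a concern, dedup on (exporter, flow_sequence) from the header instead, since that is unique per exporter and survives a counter split.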
Well, it seems NFSen can find out what to do, the aggregation numbers look okay.

Thanks,
Peter


From networkslave2 at gmail.com Tue May 20 15:56:33 2008
From: networkslave2 at gmail.com (Mike)
Date: Tue, 20 May 2008 12:56:33 -0700
Subject: [c-nsp] BGP - filtered 00 route redistribution
Message-ID: <5bf0f79a0805201256ted38bbfmb5bb460a315e31e@mail.gmail.com>

Hello All,

We are planning to redistribute a 0 0 internet route into our IPeFR (AT&T MPLS) cloud, but only want select sites to see the advertisement. Let's say we have sites A-D and want to redistribute the 00 route from A, want B to use the path, but not C&D. What would be the cleanest way to achieve this goal?

I think this filter would work. It would require updates to every router which isn't the worst thing, but looking for alternatives.

route-map deny-default deny 10
 match ip address prefix-list deny-default
!
route-map deny-default permit 15
!
ip prefix-list deny-default seq 5 permit 0.0.0.0/0 le 32


From pol at leissner.se Tue May 20 15:39:06 2008
From: pol at leissner.se (Peter Olsson)
Date: Tue, 20 May 2008 21:39:06 +0200
Subject: [c-nsp] (Unknown error 0) when upgrading 7609 SUP720
Message-ID: <20080520193906.GE4707@pol.leissner.se>

A customer has bought two 7609, each with redundant SUP720. Both shipped with one SUP720 mounted in slot 5, and the other SUP720 we had to mount ourselves, in slot 6. Both 7609s boot fine, and all SUP720s seem fine.

However, the two redundant SUP720 in slot 6 both have a different IOS than the pre-mounted SUP720 in slot 5.

Slot 5 SUP720 in both 7609: c7600s72033-advipservicesk9-mz.122-33.SRB2.bin
Slot 6 SUP720 in 7609 #1: s72033-ipservices_wan-vz.122-18.SXF11.bin
Slot 6 SUP720 in 7609 #2: s72033-ipservicesk9_wan-mz.122-18.SXF11.bin

In order to get the redundancy we want, we have to upgrade the slot 6 SUP720's to the SRB image. But this fails. I have upgraded the slot 5 SUP720's to SRB3, no problems.
But as soon as I try to upgrade the slot 6 SUP720's with the same image file, they refuse with "(Unknown error 0)".

After a lot of wasted time I discovered that if I rename the image file from c7600s72033-advipservicesk9-mz.122-33.SRB3.bin to s72033-advipservicesk9-mz.122-33.SRB3.bin, the slot 6 SUP720 accept the file. However, I haven't dared reload with that file active, I have already got one of the slot 6 SUP720's stuck in rommon because of previous testing of this problem. (By the way, I can't understand what reason there is behind not having tftpdnld in rommon in 7609.)

Can anyone shed some light on this upgrade problem?

Thanks!

--
Peter Olsson pol at leissner.se


From jj at powerset.com Tue May 20 16:34:24 2008
From: jj at powerset.com (Jonathan Crawford)
Date: Tue, 20 May 2008 13:34:24 -0700
Subject: [c-nsp] BGP - filtered 00 route redistribution
In-Reply-To: <5bf0f79a0805201256ted38bbfmb5bb460a315e31e@mail.gmail.com>
References: <5bf0f79a0805201256ted38bbfmb5bb460a315e31e@mail.gmail.com>
Message-ID: <84E2AE771361E9419DD0EFBD31F09C4D4F5D2D2636@EXVMBX015-1.exch015.msoutlookonline.net>

That will reject any route, not just your 0/0 route. Remove the "le 32" to only match a default (0.0.0.0/0 exact).

-Jonathan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike
Sent: Tuesday, May 20, 2008 12:57 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP - filtered 00 route redistribution

Hello All,

We are planning to redistribute a 0 0 internet route into our IPeFR (AT&T MPLS) cloud, but only want select sites to see the advertisement. Let's say we have sites A-D and want to redistribute the 00 route from A, want B to use the path, but not C&D. What would be the cleanest way to achieve this goal?

I think this filter would work. It would require updates to every router which isn't the worst thing, but looking for alternatives.
route-map deny-default deny 10
 match ip address prefix-list deny-default
!
route-map deny-default permit 15
!
ip prefix-list deny-default seq 5 permit 0.0.0.0/0 le 32


From gert at greenie.muc.de Tue May 20 16:37:04 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 20 May 2008 22:37:04 +0200
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
Message-ID: <20080520203703.GD3278@greenie.muc.de>

Hi,

On Tue, May 20, 2008 at 02:03:19PM -0400, Chris Riling wrote:
> I know this has been asked thousands of times before, but I don't think
> anyone has ever answered it in quite the same fashion. I'm thinking about
> turning on netflow on my border routers (7606's with Sup32's / full routes);
> Think I'll see any issues from turning on the exports? Also, specifically,
> we're looking to see the ability to generate reports for say, a /22, and the
> amount of transfer for each host in the /22 that has entered / exited our
> network at the border (MRTG on the switchports isn't going to cut it).

As far as I know, netflow on the PFC3* cannot aggregate to /22 boundaries - so you'll get lots of flows for individual IPs, and need to aggregate in the collector machine.

I wonder why you're aiming that way, though.

Why am I saying this? We have a very nice and shiny netflow based accounting and billing system - and it takes *quite* some effort to maintain, and to construct the network in ways to keep it working ("do not overload the netflow engine on *this* router, do not plug together those boxes *that* way, otherwise you'll get doubly-counted flows").
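Mike's prefix-list and Jonathan's correction from the "BGP - filtered 00 route redistribution" thread above, modelled in code so the difference is checkable before it is applied to a live neighbor. This is an added example and not something posted to the thread, nor Cisco code: it implements the IOS matching rules for a prefix-list entry (the route's first M bits must equal the entry's, and its length must fall in the ge/le window, which is exactly M when neither keyword is given) and a route-map's first-match evaluation, then runs both versions of deny-default over a constructed set of routes. The route-map is taken to reference the list deny-default, since the posted "match ip address prefix-list prefix-list" names a list that is never defined.

```python
"""Added example (not from the thread, not Cisco code): a small model of IOS
prefix-list and route-map matching, used to compare 'permit 0.0.0.0/0 le 32'
with the same entry without 'le 32'. Entries and routes are constructed."""
import ipaddress


def entry_matches(network, ge, le, route):
    """IOS 'A/M [ge G] [le L]' against a route P/Q: the first M bits of P must
    equal those of A, and Q must lie in the length window, which is exactly M
    with neither keyword, G..32 with ge only, M..L with le only, G..L with both."""
    net = ipaddress.ip_network(network, strict=False)
    rt = ipaddress.ip_network(route, strict=False)
    low = ge if ge is not None else net.prefixlen
    if le is not None:
        high = le
    elif ge is not None:
        high = net.max_prefixlen
    else:
        high = net.prefixlen
    return low <= rt.prefixlen <= high and rt.network_address in net


def prefix_list_action(entries, route):
    """entries = [(action, network, ge, le), ...] in sequence order.
    First matching entry wins; no match is the implicit deny."""
    for action, network, ge, le in entries:
        if entry_matches(network, ge, le, route):
            return action
    return "deny"


def route_map_permits(clauses, prefix_lists, route):
    """clauses = [(action, prefix_list_name or None), ...] in sequence order.
    A clause matches when its prefix-list permits the route (a clause with no
    match statement matches everything); the first matching clause decides,
    and falling off the end is an implicit deny."""
    for action, pl_name in clauses:
        if pl_name is None or prefix_list_action(prefix_lists[pl_name], route) == "permit":
            return action == "permit"
    return False


# route-map deny-default deny 10  /  match ip address prefix-list deny-default
# route-map deny-default permit 15
DENY_DEFAULT_MAP = [("deny", "deny-default"), ("permit", None)]

# As posted: ip prefix-list deny-default seq 5 permit 0.0.0.0/0 le 32
AS_POSTED = {"deny-default": [("permit", "0.0.0.0/0", None, 32)]}
# Jonathan's fix: drop 'le 32' so only the exact default route matches
FIXED = {"deny-default": [("permit", "0.0.0.0/0", None, None)]}

# Constructed routes a site router might carry: the default plus three customer prefixes
SAMPLE_ROUTES = ["0.0.0.0/0", "10.0.0.0/8", "192.0.2.0/24", "203.0.113.128/25"]


def advertised(prefix_lists, routes=SAMPLE_ROUTES):
    """Routes that survive route-map deny-default with the given prefix-list."""
    return [r for r in routes if route_map_permits(DENY_DEFAULT_MAP, prefix_lists, r)]


if __name__ == "__main__":
    print("as posted:", advertised(AS_POSTED))  # nothing survives: le 32 matches every prefix
    print("fixed:    ", advertised(FIXED))      # everything except 0.0.0.0/0
```

Worth remembering when the same idiom is used the other way round: a `permit 0.0.0.0/0 le 32` entry inside a permit clause is an accept-anything filter, so an inbound policy built from it offers no protection against a neighbor leaking a full table. After applying a filter like this, `show ip bgp neighbors <address> advertised-routes` on the sending side is the quick check that only the intended prefixes left.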
So we're actually trying to get rid of IP address based billing - and move to "router interface based billing" (SNMP counters on SVI interfaces).

This, if done right, scales pretty much unbounded - as opposed to netflow, which always hits some upper limit somewhere.

gert
--
USENET is *not* the non-clickable part of WWW!                                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From criling at gmail.com Tue May 20 17:03:56 2008
From: criling at gmail.com (Chris Riling)
Date: Tue, 20 May 2008 17:03:56 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <20080520203703.GD3278@greenie.muc.de>
References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com> <20080520203703.GD3278@greenie.muc.de>
Message-ID: <8c829ec10805201403r1e5e2e01pd8c2c70a544df25@mail.gmail.com>

I track based on interface where I can (which is most everywhere), but there is one portion of the network where this is not really possible due to design issues of something I inherited... I'm in the process of changing that, but realistically I'll never entirely get away from having to do *some* form of IP based accounting, only limit the scope of interfaces where I'll see the traffic when the network is more segmented. Then I can pull netflow info from specific interfaces which would have a very small number of subnets hanging off of them, but I'd still have to sort it by some sort of L2 or L3 info...
Chris

On 5/20/08, Gert Doering wrote:
>
> Hi,
>
> On Tue, May 20, 2008 at 02:03:19PM -0400, Chris Riling wrote:
> > I know this has been asked thousands of times before, but I don't
> think
> > anyone has ever answered it in quite the same fashion. I'm thinking about
> > turning on netflow on my border routers (7606's with Sup32's / full
> routes);
> > Think I'll see any issues from turning on the exports? Also,
> specifically,
> > we're looking to see the ability to generate reports for say, a /22, and
> the
> > amount of transfer for each host in the /22 that has entered / exited our
> > network at the border (MRTG on the switchports isn't going to cut it).
>
> As far as I know, netflow on the PFC3* cannot aggregate to /22 boundaries
> - so you'll get lots of flows for individual IPs, and need to aggregate
> in the collector machine.
>
> I wonder why you're aiming that way, though.
>
> Why am I saying this? We have a very nice and shiny netflow based
> accounting and billing system - and it takes *quite* some effort to
> maintain, and to construct the network in ways to keep it working ("do
> not overload the netflow engine on *this* router, do not plug together
> those boxes *that* way, otherwise you'll get doubly-counted flows").
>
> So we're actually trying to get rid of IP address based billing - and
> move to "router interface based billing" (SNMP counters on SVI interfaces).
>
> This, if done right, scales pretty much unbounded - as opposed to netflow,
> which always hits some upper limit somewhere.
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany
> gert at greenie.muc.de
> fax: +49-89-35655025
> gert at net.informatik.tu-muenchen.de
>

From philxor at gmail.com Tue May 20 17:15:24 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 20 May 2008 17:15:24 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
Message-ID:

Using Netflow for billing works fine, as long as the traffic is a manageable level, hardware resources are there, and things are setup correctly such that you aren't double-counting, etc. If the amount of data you are dealing with is on the small side it works really well, when you are pushing Gb/s through the router, not so well.

Some have mentioned flow-tracker as a tool you could use to aggregate per subnet, it works well. You can also setup reports using flow-report? that is included in the flow-tools package. While it only runs on Windows, SolarWinds' Orion Traffic Analyzer will generate reports based on groups of IP addresses.

Phil

On May 20, 2008, at 2:03 PM, Chris Riling wrote:
> Hi All,
>
> I know this has been asked thousands of times before, but I don't think anyone has ever answered it in quite the same fashion. I'm thinking about turning on netflow on my border routers (7606's with Sup32's / full routes); Think I'll see any issues from turning on the exports? Also, specifically, we're looking to see the ability to generate reports for say, a /22, and the amount of transfer for each host in the /22 that has entered / exited our network at the border (MRTG on the switchports isn't going to cut it). I've heard that a lot of people use ntop for this sort of thing, but in the demo I wasn't able to find anything that did exactly this, and I wanted to consult the list before turning on Netflow at the border routers anyway.
> I've also heard of people using stager for the report generation; can stager do the same sort of thing?
>
> Thanks,
> Chris
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dwinkworth at wi.rr.com Tue May 20 19:32:35 2008
From: dwinkworth at wi.rr.com (Wink)
Date: Tue, 20 May 2008 18:32:35 -0500
Subject: [c-nsp] 12.4T IOS for 7206vxr...
Message-ID: <48335F93.4000201@wi.rr.com>

All:

We are looking to implement GET/GDOI in our environment and we have QoS requirements. It seems that all 12.4T IOSes up through 12.4(15)T1 had serious QoS issues. However, now it seems all subsequent IOSes have been redacted/deferred with software advisories, with the exception of the latest IOS 12.4(15)T5.

What, if any, experience do any of you have with 12.4(15)T3 - T5? Any big issues with CEF, BGP, EIGRP (or redistribution between the two)? Crypto issues?

Thanks.

Derick

From mcrocker at crocker.com Tue May 20 20:39:56 2008
From: mcrocker at crocker.com (Matthew Crocker)
Date: Tue, 20 May 2008 20:39:56 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To:
References: <8c829ec10805201103r368a4f19le9afc0374a3bf584@mail.gmail.com>
Message-ID:

What kind of machine do you need to store the netflow data? Assuming pulling data from a couple routers with a 400-500mbps average bandwidth.
How much CPU power do you need to grind through the data and how much drive space do you need to handle a couple months of data?

On May 20, 2008, at 5:15 PM, Phil Bedard wrote:
> Using Netflow for billing works fine, as long as the traffic is a manageable level, hardware resources are there, and things are setup correctly such that you aren't double-counting, etc.
> If the amount of data you are dealing with is on the small side it works really well, when you are pushing Gb/s through the router, not so well.
>
> Some have mentioned flow-tracker as a tool you could use to aggregate per subnet, it works well. You can also setup reports using flow-report? that is included in the flow-tools package. While it only runs on Windows, SolarWinds' Orion Traffic Analyzer will generate reports based on groups of IP addresses.
>
>
> Phil
>
>
> On May 20, 2008, at 2:03 PM, Chris Riling wrote:
>
>> Hi All,
>>
>> I know this has been asked thousands of times before, but I don't think anyone has ever answered it in quite the same fashion. I'm thinking about turning on netflow on my border routers (7606's with Sup32's / full routes); Think I'll see any issues from turning on the exports? Also, specifically, we're looking to see the ability to generate reports for say, a /22, and the amount of transfer for each host in the /22 that has entered / exited our network at the border (MRTG on the switchports isn't going to cut it). I've heard that a lot of people use ntop for this sort of thing, but in the demo I wasn't able to find anything that did exactly this, and I wanted to consult the list before turning on Netflow at the border routers anyway.
>> I've also heard of people using stager for the report generation; can stager do the same sort of thing?
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From wyatt.eliasson at gmail.com Wed May 21 09:06:12 2008
From: wyatt.eliasson at gmail.com (Wyatt Mattias Ishmael Jovial Gyllenvarg)
Date: Wed, 21 May 2008 15:06:12 +0200
Subject: [c-nsp] PFC 3CXL vs PFC 3BXL
Message-ID: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>

Hi All

Has anyone gotten the facts straight about the differences between these two?

Seems like Cisco doesn't want to have them in a table next to each other if it shows more than CPU speed etc etc.

We're looking to build a few Edge machines and trying to figure out if the CXL is actually any better for this.

Best regards
Mattias Gyllenvarg
Omnitron

From jloiacon at csc.com Wed May 21 10:12:07 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Wed, 21 May 2008 10:12:07 -0400
Subject: [c-nsp] Usage Billing w/ Netflow / Implementation Pitfalls
In-Reply-To:
Message-ID:

Just some local implementation statistics:

Number of exporters: 23
Gigabytes netflow/day: 6 Gbytes
Busy router: 1 Gbyte/day
Avg router: 300 Mbytes/day
Total netflow bandwidth to collector: 2 Mbps peak; <1 Mbps average

Collector hardware: PowerEdge SC1430, Dual Core Intel Xeon 5120; 1066 MHz; 4GB 667 MHz (2x2GB); SAMSUNG SpinPoint T Series HD501LJ 500GB 7200 RPM SATA 3.0Gb/s Hard Drive (total about $1500)

Typical 'crank' times (web response times) depend on the specified filter:

FlowViewer top-talkers, 1 hour, avg router: 2 seconds
FlowGrapher typical, 1 hour, avg router: 1 second
FlowViewer top-talkers, 1 hour, busy router: 6 seconds
FlowGrapher typical, 1 hour, busy router: 8 seconds
FlowViewer top-talkers, 24 hours, avg router: ~15 seconds
FlowGrapher typical, 24 hours, avg router: ~15 seconds

I would put your routers in the average category (above) for comparison. So two months of average router would be about 20-30 Gbytes. If you have a 6500 and you collect intra-VLAN it could be more.

Joe

cisco-nsp-bounces at puck.nether.net wrote on 05/20/2008 08:39:56 PM:

>
> What kind of machine do you need to store the netflow data? Assuming pulling data from a couple routers with a 400-500mbps average bandwidth.
> How much CPU power do you need to grind through the data and how much drive space do you need to handle a couple months of data?
>
>
> On May 20, 2008, at 5:15 PM, Phil Bedard wrote:
>
> > Using Netflow for billing works fine, as long as the traffic is a manageable level, hardware resources are there, and things are setup correctly such that you aren't double-counting, etc. If the amount of data you are dealing with is on the small side it works really well, when you are pushing Gb/s through the router, not so well.
> >
> > Some have mentioned flow-tracker as a tool you could use to aggregate per subnet, it works well. You can also setup reports using flow-report? that is included in the flow-tools package. While it only runs on Windows, SolarWinds' Orion Traffic Analyzer will generate reports based on groups of IP addresses.
> >
> >
> > Phil
> >
> >
> > On May 20, 2008, at 2:03 PM, Chris Riling wrote:
> >
> >> Hi All,
> >>
> >> I know this has been asked thousands of times before, but I don't think anyone has ever answered it in quite the same fashion. I'm thinking about turning on netflow on my border routers (7606's with Sup32's / full routes); Think I'll see any issues from turning on the exports? Also, specifically, we're looking to see the ability to generate reports for say, a /22, and the amount of transfer for each host in the /22 that has entered / exited our network at the border (MRTG on the switchports isn't going to cut it). I've heard that a lot of people use ntop for this sort of thing, but in the demo I wasn't able to find anything that did exactly this, and I wanted to consult the list before turning on Netflow at the border routers anyway.
> >> I've also heard of people using stager for the report generation; can stager do the same sort of thing?
> >>
> >> Thanks,
> >> Chris
> >> _______________________________________________
> >> cisco-nsp mailing list cisco-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From mohacsi at niif.hu Wed May 21 10:31:54 2008
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Wed, 21 May 2008 16:31:54 +0200 (CEST)
Subject: [c-nsp] PFC 3CXL vs PFC 3BXL
In-Reply-To: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
References: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
Message-ID: <20080521163039.R91299@mignon.ki.iif.hu>

On Wed, 21 May 2008, Wyatt Mattias Ishmael Jovial Gyllenvarg wrote:

> Hi All
>
> Has anyone gotten the facts straight about the differences between these two?
>
> Seems like Cisco doesn't want to have them in a table next to each other if it shows more than CPU speed etc etc.
>
> We're looking to build a few Edge machines and trying to figure out if the CXL is actually any better for this.

The most important difference is the MAC table size.
Best Regards,
Janos

>
> Best regards
> Mattias Gyllenvarg
> Omnitron
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From p.mayers at imperial.ac.uk Wed May 21 10:57:22 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 21 May 2008 15:57:22 +0100
Subject: [c-nsp] PFC 3CXL vs PFC 3BXL
In-Reply-To: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
References: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
Message-ID: <48343852.8080309@imperial.ac.uk>

Wyatt Mattias Ishmael Jovial Gyllenvarg wrote:
> Hi All
>
> Has anyone gotten the facts straight about the differences between these two?

Not many:

* 96k instead of 64k mac addresses
* support for VSS (virtual switching - "stacking for 6500s")
* some minor bug fixes e.g. some of the rate limiters etc.

>
> Seems like Cisco doesn't want to have them in a table next to each other if it shows more than CPU speed etc etc.

No differences there. It's just the PFC (which is the forwarding ASIC), the MSFC is the same IIRC.

>
> We're looking to build a few Edge machines and trying to figure out if the CXL is actually any better for this.

The cost is identical, is it not? So, buy the -3C

From joel.amao at ieee.org Wed May 21 11:22:45 2008
From: joel.amao at ieee.org (Joel Amao)
Date: Wed, 21 May 2008 11:22:45 -0400
Subject: [c-nsp] PFC 3CXL vs PFC 3BXL
In-Reply-To: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
References: <994752fe0805210606u51b2685chab572231f63dc449@mail.gmail.com>
Message-ID:

Think of the 3CXL as an enhanced version of the 3BXL... Not a next generation PFC card like some of the sales folks might suggest :-). The main differences are the *theoretical* MAC table entries, double ACL masks/entries for IPv4/v6 and some enhanced hashing of the VLAN ID in EtherChannel operation.
Joel

> Date: Wed, 21 May 2008 15:06:12 +0200
> From: wyatt.eliasson at gmail.com
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] PFC 3CXL vs PFC 3BXL
>
> Hi All
>
> Has anyone gotten the facts straight about the differences between these two?
>
> Seems like Cisco doesn't want to have them in a table next to each other if it shows more than CPU speed etc etc.
>
> We're looking to build a few Edge machines and trying to figure out if the CXL is actually any better for this.
>
> Best regards
> Mattias Gyllenvarg
> Omnitron
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From psirt at cisco.com Wed May 21 11:32:28 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 21 May 2008 11:32:28 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco Voice Portal Privilege Escalation Vulnerability
Message-ID: <200805211134.cvp@psirt.cisco.com>

Cisco Security Advisory: Cisco Voice Portal Privilege Escalation Vulnerability

Advisory ID: cisco-sa-20080521-cvp

http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml

Revision 1.0

For Public Release 2008 May 21 1600 UTC (GMT)

Summary
=======

A vulnerability exists in the Cisco Unified Customer Voice Portal (CVP) where an authenticated user can create, modify, or delete a superuser account.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml.
Affected Products
=================

Vulnerable Products
+------------------

CVP software versions prior to 4.0(2)_ES14 for the 4.0.x release, 4.1(1)_ES11 for the 4.1.x release, and 7.0(1) for the 7.x release are vulnerable.

Note: CVP systems running software release 3.x are not vulnerable.

Products Confirmed Not Vulnerable
+--------------------------------

CVP systems running software release 3.x are not vulnerable. CVP systems running version 7.0(1) or later are not vulnerable. No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

Cisco Unified Customer Voice Portal (CVP), which is part of the Cisco Customer Interaction Network solution, provides customer voice and video self-service integration. Using CVP, organizations can provide intelligent, personalized self-service over the phone, allowing customers to efficiently retrieve the information they need from the contact center.

There are three different user roles within CVP: superuser, administrator, and read-only access. A vulnerability exists in CVP where a user with an administrator role can create, modify, or delete a superuser account, which has greater system privileges.

This vulnerability is documented in Cisco Bug ID CSCsj93874 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2053.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.
Cisco has provided an FAQ to answer additional questions regarding CVSS at http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* Possible to create & delete superuser accounts from user accounts (CSCsj93874)

  CVSS Base Score - 9.0
    Access Vector           - Network
    Access Complexity       - Low
    Authentication          - Single
    Confidentiality Impact  - Complete
    Integrity Impact        - Complete
    Availability Impact     - Complete

  CVSS Temporal Score - 7.4
    Exploitability          - Functional
    Remediation Level       - Official-Fix
    Report Confidence       - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in full control of the system.

Software Versions and Fixes
===========================

This vulnerability is fixed in Cisco Unified Customer Voice Portal (CVP) software version 4.0(2)_ES14 for the 4.0.x release, 4.1(1)_ES11 for the 4.1.x release, and 7.0(1) for the 7.x release.

CVP software version 4.0(2)_ES14 can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/36833091037661f49ad8152368c22bbf

CVP software version 4.1(1)_ES11 can be downloaded from:
http://www.cisco.com/pcgi-bin/tablebuild.pl/946b57654c80187da8c3cfc0aa02866e

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

There are no workarounds for this vulnerability.
Obtaining Fixed Software
========================

Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission.
Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was found during internal product testing.

Status of this Notice: Final
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
A stand-alone copy or paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080521-cvp.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2008-May-21 | Initial public release.       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: May 21, 2008
Document ID: 100933

+--------------------------------------------------------------------

From psirt at cisco.com Wed May 21 12:00:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 21 May 2008 18:00:00 +0200
Subject: [c-nsp] Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service
Message-ID: <200805211801.ssh@psirt.cisco.com>

Cisco Security Advisory: Cisco IOS Secure Shell Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080521-ssh

http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

Revision 1.0

For Public Release 2008 May 21 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

The Secure Shell server (SSH) implementation in Cisco IOS contains multiple vulnerabilities that allow unauthenticated users the ability to generate a spurious memory access error or, in certain cases, reload the device.

The IOS SSH server is an optional service that is disabled by default, but its use is highly recommended as a security best practice for management of Cisco IOS devices. SSH can be configured as part of the AutoSecure feature in the initial configuration of IOS devices, AutoSecure run after initial configuration, or manually. Devices that are not configured to accept SSH connections are not affected by these vulnerabilities.

Common Vulnerabilities and Exposures (CVE) identifier CVE-2008-1159 has been assigned to this vulnerability.
This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco devices running certain 12.4-based IOS releases and configured to be managed via SSH may be affected by this issue. The IOS secure shell server is disabled by default. To determine if SSH is enabled, use the show ip ssh command.

    Router#show ip ssh
    SSH Enabled - version 2.0
    Authentication timeout: 120 secs; Authentication retries: 3

The previous output shows that SSH is enabled on this device and that the SSH protocol major version that is being supported is 2.0. If the text "SSH Disabled" is displayed, the device is not vulnerable.

Possible values for the SSH protocol version reported by IOS are:

* 1.5: only SSH protocol version 1 is enabled
* 1.99: SSH protocol version 2 with SSH protocol version 1 compatibility enabled
* 2.0: only SSH protocol version 2 is enabled

For more information about SSH versions in IOS, please check the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gt_ssh2.html

The SSH server is not available in all IOS images. Devices that do not support SSH are not vulnerable. Please consult the table of fixed software in the Software Versions and Fixes section for the specific 12.4-based IOS releases that are affected.

To determine the software running on a Cisco product, log in to the device and issue the show version command to display the system banner. Cisco IOS software will identify itself as "Internetwork Operating System Software" or simply "IOS". The image name will be displayed between parentheses on the next line of output followed by "Version" and the IOS release name. Other Cisco devices will not have the show version command or will give different output.
The following example identifies a Cisco product running IOS release 12.4(17):

    Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), Version 12.4(17), RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2007 by Cisco Systems, Inc.
    Compiled Fri 07-Sep-07 16:05 by prod_rel_team

    ROM: System Bootstrap, Version 12.2(8r) [cmong 8r], RELEASE SOFTWARE (fc1)

    Router uptime is 1 week, 5 hours, 5 minutes
    System returned to ROM by power-on
    System image file is "flash:c2600-adventerprisek9-mz.124-17.bin"

Additional information about Cisco IOS release naming is available at http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco devices that do not run IOS are not affected. Cisco IOS devices that do not have the SSH server feature enabled are not affected. IOS-XR images are not affected.

The following IOS release trains are not affected:

* 10-based releases
* 11-based releases
* 12.0-based releases
* 12.1-based releases
* 12.2-based releases
* 12.3-based releases

IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability.

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Secure shell (SSH) was developed as a secure replacement for the telnet, ftp, rlogin, rsh, and rcp protocols, which allow for the remote access of devices. The main difference between SSH and older protocols is that SSH provides strong authentication, guarantees confidentiality, and uses encrypted transactions.

The server side of the SSH implementation in Cisco IOS contains multiple vulnerabilities that allow an unauthenticated user to generate a spurious memory access or, in certain cases, reload the device. If the attacker is able to reload the device, these vulnerabilities could be repeatedly exploited to cause an extended Denial of Service (DoS) condition. A device with the SSH server enabled is vulnerable.
These vulnerabilities are documented in Cisco Bug IDs:

* CSCsk42419 (registered customers only)
* CSCsk60020 (registered customers only)
* CSCsh51293 (registered customers only)

Vulnerability Scoring Details
=============================

Cisco is providing scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

Cisco will provide a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsk42419 - SSHv2 spurious memory access

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCsk60020 - SSHv2 spurious memory access

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* CSCsh51293 - Spurious memory access when SSH packets received

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may result in a spurious memory access or, in certain cases, reload the device, potentially resulting in a DoS condition.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center ("TAC") or your contracted maintenance provider for assistance.

Each row of the Cisco IOS software table (below) describes a release train and the platforms or products for which it is intended. If a given release train is vulnerable, then the earliest possible releases that contain the fix (the "First Fixed Release") and the anticipated date of availability for each are listed in the "Rebuild" and "Maintenance" columns. A device running a release in the given train that is earlier than the release in a specific column (less than the First Fixed Release) is known to be vulnerable. The release should be upgraded at least to the indicated release or a later version (greater than or equal to the First Fixed Release label).

For more information on the terms "Rebuild" and "Maintenance," consult the following URL:
http://www.cisco.com/warp/public/620/1.html

IOS releases prior to 12.4(7), 12.4(13d)JA, and 12.4(9)T are not affected by this vulnerability.
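As an added example (not part of the advisory), the comparison rule above applied mechanically to the 12.4 mainline and 12.4T rows of the release table that follows: the version is parsed out of a "show version" banner, the First Fixed Release for its maintenance number is selected, and the release is flagged if it sorts below it. The FIRST_FIXED and NOT_AFFECTED_BEFORE values are transcribed from this advisory; any other train returns None.

```python
import re
from typing import NamedTuple

# First Fixed Releases for the 12.4 mainline and 12.4T trains, transcribed
# from the advisory's table (other trains are not covered by this example).
FIRST_FIXED = {
    "":  ["12.4(13f)", "12.4(16b)", "12.4(17a)", "12.4(18)"],     # 12.4 mainline
    "T": ["12.4(9)T6", "12.4(11)T4", "12.4(15)T2", "12.4(20)T"],  # 12.4T
}
# Releases earlier than these are not affected at all (from the advisory).
NOT_AFFECTED_BEFORE = {"": "12.4(7)", "T": "12.4(9)T"}

# 12.4(17), 12.4(13f), 12.4(15)T4, 12.4(13d)JA1 ...
_VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?P<rebuild>[a-z]*)\)"
    r"(?P<train>[A-Z]+)?(?P<trebuild>\d+)?"
)


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int      # maintenance number, 17 in 12.4(17)
    rebuild: str    # letter rebuild, "f" in 12.4(13f); "" when absent
    train: str      # "T" in 12.4(15)T2; "" for the mainline
    trebuild: int   # train rebuild, 2 in 12.4(15)T2; 0 when absent

    def key(self):
        # Ordering within one train: maintenance number, letter rebuild,
        # train rebuild. "" sorts before "a", so 12.4(17) < 12.4(17a).
        return (self.maint, self.rebuild, self.trebuild)


def parse_version(text):
    """Parse the first IOS version found in a banner line or bare version string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no IOS version found in: %r" % text)
    return IosVersion(
        int(m["major"]), int(m["minor"]), int(m["maint"]),
        m["rebuild"], m["train"] or "", int(m["trebuild"] or 0),
    )


def is_vulnerable(text):
    """True if the release is below its First Fixed Release, False if it is
    fixed or not affected, None if its train is not in FIRST_FIXED."""
    v = parse_version(text)
    if (v.major, v.minor) != (12, 4):
        return False                      # 10-, 11-, 12.0- to 12.3-based: not affected
    if v.train not in FIRST_FIXED:
        return None                       # consult the table for this train
    if v.key() < parse_version(NOT_AFFECTED_BEFORE[v.train]).key():
        return False
    fixed = [parse_version(f) for f in FIRST_FIXED[v.train]]
    # The applicable First Fixed Release is the lowest one whose maintenance
    # number is at least ours: 12.4(15) is covered by 12.4(16b), for example.
    candidates = [f for f in fixed if f.maint >= v.maint]
    if not candidates:
        return False                      # later than every listed fix
    first_fixed = min(candidates, key=IosVersion.key)
    return v.key() < first_fixed.key()


if __name__ == "__main__":
    banner = ("Cisco IOS Software, C2600 Software (C2600-ADVENTERPRISEK9-M), "
              "Version 12.4(17), RELEASE SOFTWARE (fc1)")
    print(parse_version(banner), "vulnerable:", is_vulnerable(banner))
```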
Affected 12.0-Based Releases: there are no affected 12.0 based releases.

Affected 12.1-Based Releases: there are no affected 12.1 based releases.

Affected 12.2-Based Releases: there are no affected 12.2 based releases.

Affected 12.3-Based Releases: there are no affected 12.3 based releases.

Affected 12.4-Based Releases:

+----------+-------------------------------------------------+--------------+
| Major    | First Fixed Release                             | Recommended  |
| Release  |                                                 | Release      |
|----------+-------------------------------------------------+--------------|
| 12.4     | 12.4(13f), 12.4(16b), 12.4(17a), 12.4(18)       | 12.4(18b)    |
|----------+-------------------------------------------------+--------------|
| 12.4JA   | Only 12.4(13d)JA and 12.4(13d)JA1 are           | 12.4(16b)JA3 |
|          | vulnerable; all other 12.4JA releases are not   |              |
|          | affected.                                       |              |
|----------+-------------------------------------------------+--------------|
| 12.4JK   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4JMA  | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4JMB  | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4JMC  | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4JX   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4MD   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4MR   | 12.4(16)MR2                                     | 12.4(16)MR   |
|----------+-------------------------------------------------+--------------|
| 12.4SW   | 12.4(15)SW1                                     | 12.4(15)SW1  |
|----------+-------------------------------------------------+--------------|
| 12.4T    | 12.4(9)T6, 12.4(11)T4, 12.4(15)T2, 12.4(20)T    | 12.4(15)T5   |
|----------+-------------------------------------------------+--------------|
| 12.4XA   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XB   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XC   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XD   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XE   | Vulnerable; first fixed in 12.4T                | 12.4(15)T5   |
|----------+-------------------------------------------------+--------------|
| 12.4XF   | Vulnerable; first fixed in 12.4T                | 12.4(15)T5   |
|----------+-------------------------------------------------+--------------|
| 12.4XG   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XJ   | Vulnerable; first fixed in 12.4T                | 12.4(15)T5   |
|----------+-------------------------------------------------+--------------|
| 12.4XK   | Vulnerable; first fixed in 12.4T                | 12.4(15)T5   |
|----------+-------------------------------------------------+--------------|
| 12.4XL   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XM   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XN   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XQ   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XT   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XV   | Vulnerable; contact TAC                         |              |
|----------+-------------------------------------------------+--------------|
| 12.4XW   | 12.4(11)XW6                                     | 12.4(11)XW6  |
|----------+-------------------------------------------------+--------------|
| 12.4XY   | Not Vulnerable                                  |              |
|----------+-------------------------------------------------+--------------|
| 12.4XZ   | Not Vulnerable                                  |              |
+----------+-------------------------------------------------+--------------+

Workarounds
===========

If disabling the IOS SSH Server is not feasible, the following workarounds may be useful to some customers in their environments.

Telnet
+-----

Telnet is not vulnerable to the issue described in this advisory and may be used as an insecure alternative to SSH. Telnet does not encrypt the authentication information or data; therefore, it should only be enabled for trusted local networks.

VTY Access Class
+---------------

It is possible to limit the exposure of the Cisco device by applying a VTY access class to allow only known, trusted hosts to connect to the device via SSH.

For more information on restricting traffic to VTYs, please consult:
http://cisco.com/en/US/products/sw/iosswrel/ps1835/products_command_reference_chapter09186a00800873c8.html#wp1017389

The following example permits access to VTYs from the 192.168.1.0/24 netblock and the single IP address 172.16.1.2 while denying access from anywhere else:

    Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
    Router(config)# access-list 1 permit host 172.16.1.2
    Router(config)# line vty 0 4
    Router(config-line)# access-class 1 in

Different Cisco platforms support different numbers of terminal lines. Check your device's configuration to determine the correct number of terminal lines for your platform.
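The VTY access-class workaround is only effective if every vty line that accepts SSH carries an inbound access-class referencing a defined ACL that does not permit any source. As an added example (not from the advisory), a small auditor that checks a saved running-config for exactly that; the SAMPLE_CONFIG is constructed for the example and uses the advisory's ACL 1 plus two deliberately weak line blocks.

```python
import re

# Constructed sample running-config excerpt (not taken from any real device):
# vty 0-4 is protected as the advisory's example shows, vty 5-9 has an
# access-class whose ACL permits everyone, and vty 10-15 has no access-class.
SAMPLE_CONFIG = """\
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit host 172.16.1.2
access-list 2 permit any
!
line vty 0 4
 access-class 1 in
 transport input ssh
line vty 5 9
 access-class 2 in
 transport input ssh
line vty 10 15
 transport input telnet ssh
!
end
"""


def parse_acls(config):
    """Map each numbered ACL to its entries, e.g. {'1': ['permit host 172.16.1.2']}."""
    acls = {}
    for m in re.finditer(r"^access-list (\S+) (.+)$", config, re.M):
        acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls


def iter_vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' block in a config."""
    header, body = None, []
    for raw in config.splitlines() + ["!"]:  # sentinel flushes the last block
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
            continue
        if header is not None:
            yield header, body
            header, body = None, []
        if raw.startswith("line vty"):
            header, body = raw, []


def audit_vty(config):
    """Return {vty header: finding}. 'ok' means an inbound access-class that
    references a defined ACL with no 'permit any' entry."""
    acls = parse_acls(config)
    report = {}
    for header, body in iter_vty_blocks(config):
        transport = [c for c in body if c.startswith("transport input")]
        # A transport input that excludes ssh means the SSH server is not
        # reachable on this line. When the command is absent the platform
        # default applies, which this check conservatively treats as reachable.
        if transport and not ({"ssh", "all"} & set(transport[-1].split())):
            report[header] = "ssh not accepted (%s)" % transport[-1]
            continue
        inbound = [c for c in body if c.startswith("access-class") and c.endswith(" in")]
        if not inbound:
            report[header] = "no inbound access-class: ssh reachable from any source"
            continue
        acl = inbound[-1].split()[1]
        if acl not in acls:
            report[header] = "access-class %s in references an undefined ACL" % acl
        elif any(e.startswith("permit any") for e in acls[acl]):
            report[header] = "access-class %s in: ACL permits any source" % acl
        else:
            report[header] = "ok"
    return report


if __name__ == "__main__":
    for line, finding in audit_vty(SAMPLE_CONFIG).items():
        print("%-16s %s" % (line, finding))
```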
Infrastructure ACLs (iACL)
+-------------------------

Although it is often difficult to block traffic transiting your network, it is possible to identify traffic that should never be allowed to target your infrastructure devices and block that traffic at the border of your network. Infrastructure ACLs are considered a network security best practice and should be considered as a long-term addition to good network security as well as a workaround for this specific vulnerability. The ACL example shown below should be included as part of the deployed infrastructure access-list, which will protect all devices with IP addresses in the infrastructure IP address range.

A sample access list for devices running Cisco IOS is below:

    !--- Permit SSH services from trusted hosts destined
    !--- to infrastructure addresses.

    access-list 150 permit tcp TRUSTED_HOSTS MASK INFRASTRUCTURE_ADDRESSES MASK eq 22

    !--- Deny SSH packets from all other sources destined to infrastructure addresses.

    access-list 150 deny tcp any INFRASTRUCTURE_ADDRESSES MASK eq 22

    !--- Permit all other traffic to transit the device.

    access-list 150 permit IP any any

    interface serial 2/0
     ip access-group 150 in

The white paper titled "Protecting Your Core: Infrastructure Protection Access Control Lists" presents guidelines and recommended deployment techniques for infrastructure protection access lists. This white paper can be obtained here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Control Plane Policing (CoPP)
+----------------------------

The Control Plane Policing (CoPP) feature may be used to mitigate these vulnerabilities. In the following example, only SSH traffic from trusted hosts and with 'receive' destination IP addresses is permitted to reach the route processor (RP).

Note: Dropping traffic from unknown or untrusted IP addresses may affect hosts with dynamically assigned IP addresses from connecting to the Cisco IOS device.
    access-list 152 deny tcp TRUSTED_ADDRESSES MASK any eq 22
    access-list 152 permit tcp any any eq 22
    !
    class-map match-all COPP-KNOWN-UNDESIRABLE
     match access-group 152
    !
    !
    policy-map COPP-INPUT-POLICY
     class COPP-KNOWN-UNDESIRABLE
      drop
    !
    control-plane
     service-policy input COPP-INPUT-POLICY

In the above CoPP example, the ACL entries that match the exploit packets with the "permit" action result in these packets being discarded by the policy-map "drop" function, while packets that match the "deny" action are not affected by the policy-map drop function.

CoPP is available in Cisco IOS release trains 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T.

Additional information on the configuration and use of the CoPP feature can be found at the following URL:
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6642/prod_white_paper0900aecd804fa16a.html

Obtaining Fixed Software
========================

Cisco has made free software available to address this vulnerability for affected customers. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/public/sw-license-agreement.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact either "psirt at cisco.com" or "security-alert at cisco.com" for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels.
For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com

Customers using Third-party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreement with third-party support organizations such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but who do not hold a Cisco service contract and customers who purchase through third-party vendors but are unsuccessful at obtaining fixed software through their point of sale should get their upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Have your product serial number available and give the URL of this notice as evidence of your entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including special localized telephone numbers and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was discovered by Cisco internal testing and customer service requests.

Status of This Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20080521-ssh.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2008-May-21 | Initial public release.       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkg0RSMACgkQ86n/Gc8U/uCX8QCaA9y2y/y0uC1DPonlJwMGR1Kd
jaMAnAz/4J+L7nxWxhppehcJsr0bGmsA
=WzxB
-----END PGP SIGNATURE-----

From psirt at cisco.com Wed May 21 12:29:16 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wed, 21 May 2008 12:29:16 -0400
Subject: [c-nsp] Cisco Security Advisory: Cisco Service Control Engine Denial of Service Vulnerabilities
Message-ID: <200805211229.sce@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco Service Control Engine Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20080521-sce

http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml

Revision 1.0

For Public Release 2008 May 21 1600 UTC (GMT)

Summary
=======

Three Secure Shell (SSH) vulnerabilities exist in the Cisco Service Control Engine (SCE) that may result in system instability or a reload of the SCE.

The first vulnerability may be triggered during SSH login activity that is conducted within aggressive time frames. The second vulnerability may be triggered with normal SSH login activity in combination with other SCE management actions occurring simultaneously. The third vulnerability may be triggered during SSH login and is specific to the usage of unique invalid authentication credentials.
Cisco has made free upgrade software available to address these vulnerabilities for affected customers.

There are no workarounds for these vulnerabilities.

Note: These vulnerabilities are independent of each other; a device may be affected by one vulnerability and not by the others.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml.

Affected Products
=================

Vulnerable Products
+------------------

The SCE 1000 and 2000 series devices are affected by the following vulnerabilities if the SSH server on the SCE is enabled:

* System vulnerability to SSH login activity - affects SCE software versions prior to 3.1.6.
* SSH login activity leads to illegal Input/Output operations - affects SCE software versions prior to 3.0.7 and 3.1.0.
* SCE SSH authentication sequence anomaly - affects SCE software versions prior to 3.1.6.

Note: The SCE SSH server is disabled by default.

To determine whether you are running a vulnerable version of Cisco Service Control Operating System (SCOS) software, issue the "Show Version" command-line interface (CLI) command. The following example shows a Cisco SCE that runs software release 3.1.6:

    SCE2000#>show version
    System version: Version 3.1.6 Build 157
    Build time: Mar 31 2008, 18:58:49 (Change-list 303626)
    Software version is: Version 3.1.6 Build 157

Products Confirmed Not Vulnerable
+--------------------------------

No other Cisco products are currently known to be affected by these vulnerabilities.

Details
=======

Cisco SCE 1000 and 2000 series devices provide high-capacity advanced application-level bandwidth optimization, stateful application inspection, session-based classification and control of network traffic. The SCE solution allows for the detection and control of network applications including: web browsing, multimedia streaming, and peer-to-peer (P2P).

This Security Advisory describes multiple distinct vulnerabilities. These vulnerabilities are independent of each other.
* System vulnerability to SSH login activity

  A vulnerability impacting the SCE SSH server may be triggered during SSH login activity, resulting in system instability or a reload of the SCE. Specific SSH processes may encounter temporary resource unavailability if called within aggressive intervals. This vulnerability is documented in Cisco Bug ID CSCsi68582 and has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2008-0534.

* SSH login activity leads to illegal Input/Output operations

  A second vulnerability exists in the SCE SSH server that may be triggered with normal SSH traffic to the SCE management interface occurring in conjunction with other management tasks. During this event, an illegal IO operation may impact the SCE management agent, requiring a reboot of the SCE to recover management access. This vulnerability is documented in Cisco Bug ID CSCsh49563 and has been assigned CVE ID CVE-2008-0536.

* SCE SSH authentication sequence anomaly

  A third vulnerability exists in the SCE SSH server that may also be triggered during the SSH login process but unrelated to login attempt frequency or other concurrent management tasks. This issue is triggered by the usage of specific SSH credentials that attempt to change the authentication method, resulting in an authentication sequence anomaly impacting system stability. This vulnerability is documented in Cisco Bug ID CSCsm14239 and has been assigned CVE ID CVE-2008-0535.

Vulnerability Scoring Details
+----------------------------

Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score.
Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at
http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html.

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at
http://intellishield.cisco.com/security/alertmanager/cvss.

* System vulnerability to SSH login activity (CSCsi68582)

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* SSH login activity leads to illegal I/O operations (CSCsh49563)

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

* SCE SSH authentication sequence anomaly (CSCsm14239)

  CVSS Base Score - 7.8
    Access Vector - Network
    Access Complexity - Low
    Authentication - None
    Confidentiality Impact - None
    Integrity Impact - None
    Availability Impact - Complete

  CVSS Temporal Score - 6.4
    Exploitability - Functional
    Remediation Level - Official-Fix
    Report Confidence - Confirmed

Impact
======

Successful exploitation of these vulnerabilities may result in the loss of management access or, in some cases, cause vulnerable SCE devices to reload.

Software Versions and Fixes
===========================

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

The following list contains the first fixed software release for each vulnerability:

+------------------+----------+---------+
| Vulnerability    | Affected | First   |
|                  | Major    | Fixed   |
|                  | Release  | Release |
|------------------+----------+---------|
| System           | 1.x      | 3.1.6   |
| vulnerability to |----------+---------|
| SSH login        | 2.x      | 3.1.6   |
| activity         |----------+---------|
|                  | 3.x      | 3.1.6   |
|------------------+----------+---------|
| SSH login        | 1.x      | 3.0.7   |
| activity leads   |----------+---------|
| to illegal IO    | 2.x      | 3.0.7   |
| operations       |----------+---------|
|                  | 3.x      | 3.0.7,  |
|                  |          | 3.1.0   |
|------------------+----------+---------|
| SCE SSH          | 1.x      | 3.1.6   |
| authentication   |----------+---------|
| sequence anomaly | 2.x      | 3.1.6   |
|                  |----------+---------|
|                  | 3.x      | 3.1.6   |
+------------------+----------+---------+

SCOS software version 3.1.6 contains the fixes for all vulnerabilities described in this document. SCOS software is available for download from the following location on cisco.com:
http://www.cisco.com/pcgi-bin/tablebuild.pl/scos?psrtdcat20e2

Workarounds
===========

There are no workarounds for these vulnerabilities.

Filtering SSH traffic with Access Control Lists (ACLs) to affected SCE devices on the SCE management interface or on screening devices can provide a mitigation technique for these vulnerabilities. Restricting SCE SSH management interface access to only trusted devices through the use of SCE ACLs or Transit ACLs is strongly recommended.
Additional information about SCE ACLs is available in the "Configuring the Management Interface and Security" section of the SCE Software Configuration Guide:
http://www.cisco.com/en/US/products/ps6134/products_configuration_guide_chapter09186a00808498b9.html#wp1060396

Additional information about tACLs is available in Transit Access Control Lists: Filtering at Your Edge:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

Obtaining Fixed Software
========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.
Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.
Exploitation and Public Announcements
=====================================

The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities described in this advisory.

The SSH login activity vulnerability was discovered during the resolution of customer support cases. The illegal Input/Output operation and authentication sequence anomaly were discovered by Cisco during internal testing.

Status of this Notice: FINAL
============================

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:
http://www.cisco.com/warp/public/707/cisco-sa-20080521-sce.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

* cust-security-announce at cisco.com
* first-teams at first.org
* bugtraq at securityfocus.com
* vulnwatch at vulnwatch.org
* cisco at spot.colorado.edu
* cisco-nsp at puck.nether.net
* full-disclosure at lists.grok.org.uk
* comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.
Revision History
================

+------------------------------------------------------------+
| Revision 1.0 | 2008-May-21 | Initial public release.       |
+------------------------------------------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

+--------------------------------------------------------------------
Copyright 2007-2008 Cisco Systems, Inc. All rights reserved.
+--------------------------------------------------------------------

Updated: May 21, 2008                                Document ID: 100706

+--------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFINE1U86n/Gc8U/uARAt0+AJ409BqcGWyfNNy1ZxGKj5m0IElUKwCdFCqC
iNU22mLg2pFDqnDyLstihPI=
=oKHO
-----END PGP SIGNATURE-----

From justin at justinshore.com Wed May 21 13:17:01 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 21 May 2008 12:17:01 -0500
Subject: [c-nsp] 12.4T IOS for 7206vxr...
In-Reply-To: <48335F93.4000201@wi.rr.com>
References: <48335F93.4000201@wi.rr.com>
Message-ID: <4834590D.5080107@justinshore.com>

I used 12.4T on our 7206s (G1s) from 6T on up to 15T5 without any trouble. BGP, IS-IS, OSPF, uRPF, no crypto or QoS. The only bug that I got bit by was the CoPP crashing bug that existed in all 12.4Ts until 15T. And as of today it looks like I've got many dozen 12.4T installs with a SSH vulnerability to fix. Thank you VTY ACLs.
Justin Wink wrote:
> All:
>
> We are looking to implement GET/GDOI in our environment and we have QoS
> requirements.
>
> It seems that all 12.4T IOSes up through 12.4(15)T1 had serious QoS
> issues. However, now it seems all of subsequent IOSes have been
> redacted/deferred with software advisories with the exception of the
> latest IOS 12.4(15)T5.
>
> What, if any, experience do any of you have with 12.4(15)T3 - T5? Any
> big issues with CEF, BGP, EIGRP (or redistribution between the two)?
> Crypto issues?

From jcartier at acs.on.ca Wed May 21 14:07:46 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 21 May 2008 14:07:46 -0400
Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
Message-ID:

Hey All,

I've heard somewhere...and possibly read somewhere that in order to get the full 50 AP allotment out of a Cisco Wireless LAN Controller 4402 model, 50 AP, you have to Port-Channel/LAG the two Gigabit ports together. If the ports are not PO/LAG together then you will not be able to join the maximum of 50 APs to the controller.

True or False?

From jhigham at epri.com Wed May 21 14:26:22 2008
From: jhigham at epri.com (Higham, Josh)
Date: Wed, 21 May 2008 11:26:22 -0700
Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
In-Reply-To:
References:
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273ECEFB1@uspalex02.epri.com>

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
> Sent: Wednesday, May 21, 2008 11:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
>
> I've heard somewhere...and possibly read somewhere that in
> order to get
> the full 50 AP allotment out of a Cisco Wireless LAN Controller 4402
> model, 50 AP, you have to Port-Channel/LAG the two Gigabit ports
> together.

Not correct, to my knowledge. We have the 4404 100 AP units and none of our channels are bonded.
During the AP discovery process the controller assigns the AP to a given port to maintain distribution, so I can't see any reason why it would be necessary to have them bonded.

Thanks,
Josh

From jcartier at acs.on.ca Wed May 21 14:26:48 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 21 May 2008 14:26:48 -0400
Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD46273ECEFB1@uspalex02.epri.com>
Message-ID: 

Thanks for the reply Josh! I understand your statement below, and I agree with it 100% with the understanding that you're referencing a scenario with a 4404. Unfortunately our customer has purchased a 4402...

-----Original Message-----
From: Higham, Josh [mailto:jhigham at epri.com]
Sent: Wednesday, May 21, 2008 2:26 PM
To: Jeff Cartier; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco WCL- 4402 - Max AP & LAG

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
> Sent: Wednesday, May 21, 2008 11:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
> 
> I've heard somewhere...and possibly read somewhere that in
> order to get
> the full 50 AP allotment out of a Cisco Wireless LAN Controller 4402
> model, 50 AP, you have to Port-Channel/LAG the two Gigabit ports
> together.

Not correct, to my knowledge. We have the 4404 100 AP units and none of our channels are bonded. During the AP discovery process the controller assigns the AP to a given port to maintain distribution, so I can't see any reason why it would be necessary to have them bonded.
Thanks,
Josh

From tik at lufttransport.no Wed May 21 15:26:06 2008
From: tik at lufttransport.no (Tor-Ivar Kristoffersen)
Date: Wed, 21 May 2008 21:26:06 +0200
Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
In-Reply-To: 
References: <4C3B8C75B5899943AEC675BA6DD46273ECEFB1@uspalex02.epri.com>
Message-ID: <441C449160381D49A93241C6EE5B80160BBD8739E5@ltexchange.lufttransport.no>

Hi all

Partially correct :) The thing you are referring to is a statement in the docs that states that in order to utilize 50 APs on the 4402 you need to connect both interfaces. The maximum number of access points that is allowed on a single port on the 4402 is 48

Best regards
Tor-Ivar Kristoffersen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
Sent: 21 May 2008 20:27
To: Higham, Josh; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco WCL- 4402 - Max AP & LAG

Thanks for the reply Josh! I understand your statement below, and I agree with it 100% with the understanding that you're referencing a scenario with a 4404. Unfortunately our customer has purchased a 4402...

-----Original Message-----
From: Higham, Josh [mailto:jhigham at epri.com]
Sent: Wednesday, May 21, 2008 2:26 PM
To: Jeff Cartier; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Cisco WCL- 4402 - Max AP & LAG

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Cartier
> Sent: Wednesday, May 21, 2008 11:08 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
> 
> I've heard somewhere...and possibly read somewhere that in
> order to get
> the full 50 AP allotment out of a Cisco Wireless LAN Controller 4402
> model, 50 AP, you have to Port-Channel/LAG the two Gigabit ports
> together.

Not correct, to my knowledge. We have the 4404 100 AP units and none of our channels are bonded.
During the AP discovery process the controller assigns the AP to a given port to maintain distribution, so I can't see any reason why it would be necessary to have them bonded.

Thanks,
Josh
_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From rupert.finnigan at googlemail.com Wed May 21 15:55:39 2008
From: rupert.finnigan at googlemail.com (Rupert Finnigan)
Date: Wed, 21 May 2008 20:55:39 +0100
Subject: [c-nsp] LWAPP Problems
Message-ID: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>

Hi,

I've run into a problem with our Wireless Network that I can't resolve and Google's not helping out much! I've got a Cisco 4402 Controller with 14 1242 AP's. Until very recently, all has been fine and the system's been running without problem. The controller's been power cycled during an outage, and now none of the AP's will join back up. The controller is logging these two messages:

May 21 20:49:52 172.21.8.3 May 21 20:50:47.987 spam_lrad.c:1368 LWAPP-3-DECODE_ERR: Error decoding discovery request from AP 00:1f:9d:21:e1:a0
May 21 20:49:52 172.21.8.3 May 21 20:50:47.987 spam_lrad.c:1209 LWAPP-3-DISC_INTF_ERR2: Ignoring discovery request received on a wrong VLAN (3) on interface (1) in L3 LWAPP mode

for each AP every ten seconds. I can't think of anything that's changed on the setup, and am really stumped as to what's going on. The AP's are assigned their IP's via DHCP with Option 43 configured, and are all in VLAN 3, with the ap-manager interface configured appropriately. I'm wondering if there's any strange SSL certificate issue, but can't really find any documentation to clarify what it might be. Any help would be very gratefully received!
Rupert

From jcartier at acs.on.ca Wed May 21 15:56:11 2008
From: jcartier at acs.on.ca (Jeff Cartier)
Date: Wed, 21 May 2008 15:56:11 -0400
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>
Message-ID: 

Any chance you can post the running-config of your WLC?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rupert Finnigan
Sent: Wednesday, May 21, 2008 3:56 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] LWAPP Problems

Hi,

I've run into a problem with our Wireless Network that I can't resolve and Google's not helping out much! I've got a Cisco 4402 Controller with 14 1242 AP's. Until very recently, all has been fine and the system's been running without problem. The controller's been power cycled during an outage, and now none of the AP's will join back up. The controller is logging these two messages:

May 21 20:49:52 172.21.8.3 May 21 20:50:47.987 spam_lrad.c:1368 LWAPP-3-DECODE_ERR: Error decoding discovery request from AP 00:1f:9d:21:e1:a0
May 21 20:49:52 172.21.8.3 May 21 20:50:47.987 spam_lrad.c:1209 LWAPP-3-DISC_INTF_ERR2: Ignoring discovery request received on a wrong VLAN (3) on interface (1) in L3 LWAPP mode

for each AP every ten seconds. I can't think of anything that's changed on the setup, and am really stumped as to what's going on. The AP's are assigned their IP's via DHCP with Option 43 configured, and are all in VLAN 3, with the ap-manager interface configured appropriately. I'm wondering if there's any strange SSL certificate issue, but can't really find any documentation to clarify what it might be. Any help would be very gratefully received!
Rupert

From david.freedman at uk.clara.net Wed May 21 17:33:42 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 21 May 2008 22:33:42 +0100
Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
Message-ID: 

Does this work?

Release notes for 12.2(25)SEE state this is not a supported feature, currently running 12.2(44)SE2 and no mention of this anymore, commands are there but not accepted such:

#router bgp 1234
#address-family ipv6 unicast
#nei 2001:988::4 remote-as 1234
% BGP context not been initialized properly.

Is this or is this not supported, if not, does anybody know when is it planned?

Regards,

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

From tomz at cisco.com Wed May 21 17:58:20 2008
From: tomz at cisco.com (Tom Zingale (tomz))
Date: Wed, 21 May 2008 14:58:20 -0700
Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
In-Reply-To: 
References: 
Message-ID: 

The 3750 does not support IPv6 BGP.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of David Freedman
> Sent: Wednesday, May 21, 2008 2:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
> 
> Does this work?
> 
> Release notes for 12.2(25)SEE state this is not a supported feature,
> currently
> running 12.2(44)SE2 and no mention of this anymore, commands are there
> but not accepted such:
> 
> #router bgp 1234
> #address-family ipv6 unicast
> #nei 2001:988::4 remote-as 1234
> % BGP context not been initialized properly.
> 
> Is this or is this not supported, if not, does anybody know when is it
> planned?
> 
> Regards,
> 
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
> 

From jason at pins.net Wed May 21 18:12:19 2008
From: jason at pins.net (Jason Berenson)
Date: Wed, 21 May 2008 18:12:19 -0400
Subject: [c-nsp] QoS ATM sub interface
Message-ID: <48349E43.2040902@pins.net>

Greetings,

I've recently simplified QoS on our edge routers. Here's what we're using:

class-map match-any Core_Voice_Signaling
 match access-group name Core_Voice_Signaling
class-map match-any Core_Voice_RTP
 match access-group name Core_Voice_RTP

policy-map voice
 class Core_Voice_Signaling
  bandwidth percent 5
 class Core_Voice_RTP
  priority percent 70
 class class-default
  fair-queue
  random-detect dscp-based

ip access-list extended Core_Voice_RTP
 remark DSCP 24 = TOS 3
 permit udp any any dscp cs3
 remark DSCP ef
 permit udp any any dscp ef
ip access-list extended Core_Voice_Signaling
 remark SIP Signalling
 permit udp any any eq 5060
 permit tcp any any eq 5061
 remark MGCP Signaling
 permit udp any any eq 2727
 permit udp any any eq 2427
 remark Samsung Signaling
 permit udp any any eq 6000
 permit udp any any eq 9000
 remark Cisco Skinny Signaling
 permit udp any any eq 2000
 permit tcp any any eq 2000
 remark Allworx Signaling
 permit udp any any eq 2088
 permit tcp any any eq 8081

For some reason when I apply 'voice' to an ATM sub-interface it doesn't seem to show up under the show policy-map interface command.

interface ATM3/0.15 point-to-point
 ip address 1.1.1.1 255.255.255.252
 pvc x/yyy
  vbr-nrt 2688 2688 10
  tx-ring-limit 10
  oam-pvc manage
  encapsulation aal5mux ip
  service-policy output voice
!

router#show policy-map interface atm3/0.15
router#

Any suggestions would be greatly appreciated.
Along with any comments/suggestions on the way I have QoS configured.

Thanks,
Jason

From david.freedman at uk.clara.net Wed May 21 18:17:28 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Wed, 21 May 2008 23:17:28 +0100
Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
References: 
Message-ID: 

Many thanks for the swift reply, is it on the roadmap for this platform at all?

------------------------------------------------
David Freedman
Group Network Engineering
Claranet Limited
http://www.clara.net

-----Original Message-----
From: Tom Zingale (tomz) [mailto:tomz at cisco.com]
Sent: Wed 5/21/2008 22:58
To: David Freedman; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] IPv6 BGP for 3750 (vanilla)

The 3750 does not support IPv6 BGP.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of David Freedman
> Sent: Wednesday, May 21, 2008 2:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
> 
> Does this work?
> 
> Release notes for 12.2(25)SEE state this is not a supported feature,
> currently
> running 12.2(44)SE2 and no mention of this anymore, commands are there
> but not accepted such:
> 
> #router bgp 1234
> #address-family ipv6 unicast
> #nei 2001:988::4 remote-as 1234
> % BGP context not been initialized properly.
> 
> Is this or is this not supported, if not, does anybody know when is it
> planned?
> 
> Regards,
> 
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
> 

From mohacsi at niif.hu Wed May 21 18:33:06 2008
From: mohacsi at niif.hu (Mohacsi Janos)
Date: Thu, 22 May 2008 00:33:06 +0200 (CEST)
Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
In-Reply-To: 
References: 
Message-ID: <20080522002559.O487@mignon.ki.iif.hu>

Don't know. We asked a year ago the same feature.

Regards
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

On Wed, 21 May 2008, David Freedman wrote:

> Many thanks for the swift reply, is it on the roadmap for this platform at all?
> 
> ------------------------------------------------
> David Freedman
> Group Network Engineering
> Claranet Limited
> http://www.clara.net
> 
> 
> 
> -----Original Message-----
> From: Tom Zingale (tomz) [mailto:tomz at cisco.com]
> Sent: Wed 5/21/2008 22:58
> To: David Freedman; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] IPv6 BGP for 3750 (vanilla)
> 
> The 3750 does not support IPv6 BGP.
> 
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
>> bounces at puck.nether.net] On Behalf Of David Freedman
>> Sent: Wednesday, May 21, 2008 2:34 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] IPv6 BGP for 3750 (vanilla)
>> 
>> Does this work?
>> 
>> Release notes for 12.2(25)SEE state this is not a supported feature,
>> currently
>> running 12.2(44)SE2 and no mention of this anymore, commands are
>> there
>> but not accepted such:
>> 
>> #router bgp 1234
>> #address-family ipv6 unicast
>> #nei 2001:988::4 remote-as 1234
>> % BGP context not been initialized properly.
>> 
>> Is this or is this not supported, if not, does anybody know when is it
>> planned?
>> 
>> Regards,
>> 
>> ------------------------------------------------
>> David Freedman
>> Group Network Engineering
>> Claranet Limited
>> http://www.clara.net
>> 
> 

From jmayer at loplof.de Wed May 21 19:00:50 2008
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 22 May 2008 01:00:50 +0200
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>
Message-ID: <20080521230050.GA15390@thot.informatik.uni-kl.de>

On Wed, May 21, 2008 at 08:55:39PM +0100, Rupert Finnigan wrote:
> the setup, and am really stumped as to what's going on. The AP's are
> assigned their IP's via DHCP with Option 43 configured, and are all in VLAN
> 3, with the ap-manager interface configured appropriately. I'm wondering if

IIRC, the DHCP-server should hand out the Management address, not the AP-Manager address.

ciao
Joerg
-- 
Joerg Mayer

We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.
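The DHCP side of this thread, as an added example that is not code from the list or from Cisco: Cisco LWAPP access points learn their controller addresses from DHCP option 43, vendor-specific sub-option 241 (0xF1) carrying one or more controller IPv4 addresses, which the IOS DHCP server takes as a single hex string. The block below encodes and decodes that payload and adds an audit that flags any listed address that is not a controller management interface, which is the misconfiguration Joerg describes. The controller and management addresses are constructed sample values; the function names are this example's own.

```python
"""DHCP option 43 for Cisco LWAPP APs: encode, decode, and audit the controller list.

Added example, not list or Cisco code.  Sub-option 241 (0xF1) is a TLV whose
value is a list of IPv4 addresses, 4 bytes each.  The addresses listed should
be controller management interfaces, not ap-manager interfaces.
"""
import ipaddress

LWAPP_SUBOPTION = 0xF1   # sub-option 241: WLC management addresses
SUBOPT_PAD = 0x00        # pad byte, no length field
SUBOPT_END = 0xFF        # end-of-options marker


def encode_option43(controllers):
    """Build the raw option 43 payload for a list of controller IPv4 addresses."""
    addrs = [ipaddress.IPv4Address(c) for c in controllers]
    if not addrs:
        raise ValueError("at least one controller address is required")
    value = b"".join(a.packed for a in addrs)
    if len(value) > 255:
        raise ValueError("sub-option length must fit in one byte")
    return bytes([LWAPP_SUBOPTION, len(value)]) + value


def ios_option43_line(controllers):
    """The `option 43 hex ...` line for an IOS `ip dhcp pool`."""
    return "option 43 hex " + encode_option43(controllers).hex()


def decode_option43(payload):
    """Walk the sub-option TLVs and return the addresses found under sub-option 241.

    A truncated TLV, or a 241 value that is not a whole number of IPv4
    addresses, raises ValueError instead of yielding a half address.
    """
    controllers = []
    i = 0
    while i < len(payload):
        code = payload[i]
        if code == SUBOPT_END:
            break
        if code == SUBOPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated sub-option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == LWAPP_SUBOPTION:
            if length == 0 or length % 4:
                raise ValueError("sub-option 241 length must be a non-zero multiple of 4")
            for j in range(0, length, 4):
                controllers.append(str(ipaddress.IPv4Address(value[j:j + 4])))
        i += 2 + length
    return controllers


def audit_option43(payload, management_addrs):
    """Return the listed controller addresses that are not management interfaces.

    An empty list means every address the APs will be told about is a
    management interface; anything returned is the ap-manager (or other)
    address mistake discussed in this thread.
    """
    wanted = {str(ipaddress.IPv4Address(a)) for a in management_addrs}
    return [c for c in decode_option43(payload) if c not in wanted]


if __name__ == "__main__":
    # Constructed sample values: two controllers whose management addresses are .5 and .6
    print(ios_option43_line(["192.168.10.5", "192.168.10.6"]))
    wrong = encode_option43(["192.168.10.7"])   # an ap-manager address by mistake
    print(audit_option43(wrong, ["192.168.10.5", "192.168.10.6"]))
```

The decoder walks every sub-option rather than assuming 241 is first, so it copes with pad bytes or other vendor sub-options in the same option 43 blob, and it refuses a 241 value whose length is not a multiple of four instead of silently joining a partial address.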
From jhigham at epri.com Wed May 21 19:25:22 2008
From: jhigham at epri.com (Higham, Josh)
Date: Wed, 21 May 2008 16:25:22 -0700
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <20080521230050.GA15390@thot.informatik.uni-kl.de>
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com> <20080521230050.GA15390@thot.informatik.uni-kl.de>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273ECF03F@uspalex02.epri.com>

That is correct. The AP will connect to the management interface, which will then direct it to one of the AP manager interfaces, verified on our equipment.

Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joerg Mayer
> Sent: Wednesday, May 21, 2008 4:01 PM
> To: Rupert Finnigan
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] LWAPP Problems
> 
> On Wed, May 21, 2008 at 08:55:39PM +0100, Rupert Finnigan wrote:
> > the setup, and am really stumped as to what's going on. The AP's are
> > assigned their IP's via DHCP with Option 43 configured, and
> are all in VLAN
> > 3, with the ap-manager interface configured appropriately.
> I'm wondering if
> 
> IIRC, the DHCP-server should hand out the Management address, not the
> AP-Manager address.
> 
> ciao
> Joerg
> --
> Joerg Mayer
> 
> We are stuck with technology when what we really want is just
> stuff that
> works. Some say that should read Microsoft instead of technology.
> 

From tomas at soitron.com Wed May 21 22:18:11 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Thu, 22 May 2008 04:18:11 +0200
Subject: [c-nsp] 3750ME, EoMPLS and OSPF
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3014843AE@kenya.tronet.as>

Hi,

maybe it's just too late for me to find the reason.
I've tried migrating a VLAN to VLAN-mode EoMPLS on 3750ME. Everything is clear, except that multicasts do not pass and OSPF does not come up over the pseudowire. Unicasts and broadcasts are OK. Disabling igmp snooping on the vlan and disabling mac learning had no effect.

Am I missing something?

thanks

-- 
Tomas Daniska
systems engineer

Soitron, a.s.
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.

From kapsi1911 at hotmail.com Thu May 22 01:09:00 2008
From: kapsi1911 at hotmail.com (D W)
Date: Thu, 22 May 2008 01:09:00 -0400
Subject: [c-nsp] Enterprise MPLS connectivity question
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD46273ECF03F@uspalex02.epri.com>
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com> <20080521230050.GA15390@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD46273ECF03F@uspalex02.epri.com>
Message-ID: 

Hello,

I've been tossing around a few ideas for an enterprise MPLS-based solution. The idea would involve the SP running a CSC based model with the enterprise customer at multiple large sites. The reason is to support multiple sub-organizations within the enterprise that exist at most sites... Taking a look at moving towards more of an internal service provider model due to various reasons. My question is how willing are providers these days to run a label advertisement protocol with customers? I'm also wondering if there are additional costs compared to a customer running a multi-VRF (multiple sub-interfaces) CE solution. There are a couple of caveats in doing this, but I'm just trying to get a general feel for this type of MPLS Service Provider support for enterprise customers.

Thanks,
Dave

_________________________________________________________________
E-mail for the greater good. Join the i'm Initiative from Microsoft.
http://im.live.com/Messenger/IM/Join/Default.aspx?source=EML_WL_GreaterGood

From oliver.gorwits at oucs.ox.ac.uk Thu May 22 01:56:06 2008
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 22 May 2008 06:56:06 +0100
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com>
Message-ID: <48350AF6.6040005@oucs.ox.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Rupert,

Rupert Finnigan wrote:
| The controller's been power cycled during an outage, and now none
| of the AP's will join back up. The controller is logging these
| two messages:
|
| May 21 20:50:47.987
| spam_lrad.c:1209 LWAPP-3-DISC_INTF_ERR2: Ignoring discovery
| request received on a wrong VLAN (3) on interface (1)

If you had a power cut which reloaded more network devices than just the controller, it's worth checking your network switch config(s). We've seen cases where someone forgot to save a configuration change, and [months later] on reload it's all wiped clean.

Double check your APs really are all on Vlan3 (and it's the same Vlan3).

HTH,

regards,
oliver.

- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFINQr22NPq7pwWBt4RAmByAJ9o2G9Z+rhLdjEZXuWn66J4ddQP7ACgwABY
IUvUMHzaw9GRo5tf/Tkfdkw=
=IbcM
-----END PGP SIGNATURE-----

From have.an.email at gmail.com Thu May 22 02:36:30 2008
From: have.an.email at gmail.com (Nathan)
Date: Thu, 22 May 2008 08:36:30 +0200
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <48349E43.2040902@pins.net>
References: <48349E43.2040902@pins.net>
Message-ID: <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com>

On Thu, May 22, 2008 at 12:12 AM, Jason Berenson wrote:
> Greetings,
> 
> I've recently simplified QoS on our edge routers.
> Here's what we're using:
> 
> class-map match-any Core_Voice_Signaling
> match access-group name Core_Voice_Signaling
> class-map match-any Core_Voice_RTP
> match access-group name Core_Voice_RTP
> 
> policy-map voice
> class Core_Voice_Signaling
> bandwidth percent 5
> class Core_Voice_RTP
> priority percent 70
> class class-default
> fair-queue
> random-detect dscp-based
> 
> ip access-list extended Core_Voice_RTP
> remark DSCP 24 = TOS 3
> permit udp any any dscp cs3
> remark DSCP ef
> permit udp any any dscp ef

You could run that without any access-list. I expect/hope that would be less resource-intensive.

> ip access-list extended Core_Voice_Signaling
> remark SIP Signalling
> permit udp any any eq 5060
> permit tcp any any eq 5061

That does need an access-list though. Pity. Personally I don't do it, either signalling is in the AF class, or it piggybacks on the EF class, or it doesn't get prioritized. Is there anyone who can give an example of voice problems experienced when signaling packets get delayed or even lost?

> For some reason when I apply 'voice' to an ATM sub-interface it doesn't
> seem to show up under the show policy-map interface command.

Isn't there something in the logs? I don't know what log-level it is, I usually run debugging, and when a service-policy is not applied there is never any error in the session like there would be if there was a syntax error, but always something useful in the logs. Turn on "terminal monitor" . . .
-- 
HTH
Nathan

From peter at rathlev.dk Thu May 22 03:52:40 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 22 May 2008 09:52:40 +0200
Subject: [c-nsp] Enterprise MPLS connectivity question
In-Reply-To: 
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com> <20080521230050.GA15390@thot.informatik.uni-kl.de> <4C3B8C75B5899943AEC675BA6DD46273ECF03F@uspalex02.epri.com>
Message-ID: <1211442760.2289.9.camel@dusken.sys.mjna.net>

Hi Dave,

On Thu, 2008-05-22 at 01:09 -0400, D W wrote:
> I've been tossing around a few ideas for an enterprise MPLS-based
> solution. The idea would involve the SP runnig a CSC based model with
> the enterprise customer at multiple large sites. The reason is to
> support multiple sub-organizations within the enterrpise that exist at
> most site........Taking a look at moving towards more of an internal
> service provider model due to various reasons. My question is how
> willing are providers these days to run a label advertisement protocol
> with customers? I'm also wondering if there are additinal costs
> compared to a customer running a multi-VRF (multiple sub-interfaces)
> CE solution.

The most obvious extra cost for the SP would be to have customer facing equipment that can do label imposition. For enterprise networks, typically requiring lots of bandwidth (Gigs) this could mean the difference between a 3750 (VRF Lite only) CPE and e.g. a ME6524. If the CPE is a router that can do MPLS already, there would be the licence cost for MPLS enabled software.

> There are a couple of caveats in doing this, but I'm just
> trying to get a general feel for this type of MPLS Service Provider
> support for enterprise customers.

If you just want to run MPLS through an SP they could sell you some VPLS or other L2 transport through which you could run anything. If you're thinking large scale, multi-site connection, the L3 MPLS VPN is good.
I think the best thing is to contact some SPs directly and hear how they would help you solve the problem.

Regards,
Peter

From oliver.gorwits at oucs.ox.ac.uk Thu May 22 03:56:34 2008
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 22 May 2008 08:56:34 +0100
Subject: [c-nsp] Cisco WCL- 4402 - Max AP & LAG
In-Reply-To: <441C449160381D49A93241C6EE5B80160BBD8739E5@ltexchange.lufttransport.no>
References: <4C3B8C75B5899943AEC675BA6DD46273ECEFB1@uspalex02.epri.com> <441C449160381D49A93241C6EE5B80160BBD8739E5@ltexchange.lufttransport.no>
Message-ID: <48352732.5070601@oucs.ox.ac.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tor-Ivar Kristoffersen wrote:
| The thing you are referring to is a statement in the docs that states
| that in order to utilize 50 APs on the 4402 you need to connect both
| interfaces. The maximum number of access points that is allowed on a
| single port on the 4402 is 48

*nods*

Here's the doc link which explains the options:

http://www.cisco.com/en/US/docs/wireless/controller/5.0/configuration/guide/c5mint.html#wp1116126

- --
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFINScy2NPq7pwWBt4RAoxHAJ91F5cj/EouJrds5v+le2njEL3GZgCgsnM9
DGeLSfqdDAGVTG/YkIK1YZQ=
=E7tV
-----END PGP SIGNATURE-----

From rupert.finnigan at googlemail.com Thu May 22 04:38:18 2008
From: rupert.finnigan at googlemail.com (Rupert Finnigan)
Date: Thu, 22 May 2008 09:38:18 +0100
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <48350AF6.6040005@oucs.ox.ac.uk>
References: <518564410805211255o7e652692id7c2e54499c50b89@mail.gmail.com> <48350AF6.6040005@oucs.ox.ac.uk>
Message-ID: <518564410805220138k157f204axb1b3551437de595c@mail.gmail.com>

Hi,

Thanks to all who offered advice - It was the IP address in the end.
I'd set up DHCP Option 43 to the ap-manager interface address, and not the management one. Now that's corrected all is fine. I'm still confused as to how this particular network has worked in the past though!

Thanks again,

Rupert

From jason.plank at comcast.net Thu May 22 09:28:18 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Thu, 22 May 2008 13:28:18 +0000
Subject: [c-nsp] LWAPP Problems
Message-ID: <052220081328.16918.483574F20007699500004216220730003305020E049FD202019C0E06@comcast.net>

I have always used the ap-manager interface in my DHCP option 43 configuration. My understanding is that the Management interface is used for controller to controller traffic to terminate EOIP tunnels. I would call your configuration correct now :)

-- 
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: "Rupert Finnigan"
> Hi,
> 
> Thanks to all who offered advice - It was the IP address in the end. I'd
> set up DHCP Option 43 to the ap-manager interface address, and not the
> management one. Now that's corrected all is fine. I'm still confused as to
> how this particular network has worked in the past though!
> 
> Thanks again,
> 
> Rupert

From freimer at ctiusa.com Thu May 22 10:08:30 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Thu, 22 May 2008 10:08:30 -0400
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <052220081328.16918.483574F20007699500004216220730003305020E049FD202019C0E06@comcast.net>
References: <052220081328.16918.483574F20007699500004216220730003305020E049FD202019C0E06@comcast.net>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0CFF@EXCHANGE.ctiusa.com>

Your configuration is wrong then. The DHCP option should point to the management interface.
The AP should do a LWAPP Discover and the management interface should return a list of IP addresses that the AP can connect to (ap-manager address(es)), along with the relative load on each interface (max AP's and total AP's). See section 5.2.4 and 5.2.5 of the draft:

5.2.4. WTP Manager Control IPv4 Address

   The WTP Manager Control IPv4 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and their current load. This message element is useful for the WTP to perform load balancing across multiple interfaces.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IP Address                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           WTP Count           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 99 for WTP Manager Control IPv4 Address

   Length: 6

5.2.5. WTP Manager Control IPv6 Address

   The WTP Manager Control IPv6 Address message element is sent by the AC to the WTP during the discovery process and is used by the AC to provide the interfaces available on the AC, and their current load. This message element is useful for the WTP to perform load balancing across multiple interfaces.

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IP Address                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IP Address                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IP Address                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                          IP Address                           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |           WTP Count           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   Type: 137 for WTP Manager Control IPv6 Address

   Length: 6

   IP Address: The IP Address of an interface.

   WTP Count: The number of WTPs currently connected to the interface.
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of jason.plank at comcast.net
> Sent: Thursday, May 22, 2008 9:28 AM
> To: Rupert Finnigan; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] LWAPP Problems
> 
> I have always used the ap-manager interface in my DHCP option 43
> configuration. My understanding is that the Management interface is
> used for controller to controller traffic to terminate EOIP tunnels. I
> would call your configuration correct now :)
> 
> --
> Regards,
> 
> Jason Plank
> CCIE #16560
> e: jason.plank at comcast.net
> 
> -------------- Original message ----------------------
> From: "Rupert Finnigan"
> > Hi,
> >
> > Thanks to all who offered advice - It was the IP address in the end.
> I'd
> > setup DHCP Option 43 to the ap-manager interface address, and not the
> > management one. Now that's corrected all is fine. I'm still confused
> as to
> > how this particular network has worked in the past though!
> >
> > Thanks again,
> >
> > Rupert
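The exchange Fred describes, as an added example that is not code from the list or from the draft: the AP parses the discovery response, pulls out every WTP Manager Control IPv4/IPv6 Address element, and joins the ap-manager interface with the fewest WTPs, optionally skipping any interface already at the per-port limit discussed earlier in the thread. The element values follow the quoted draft (address followed by a 16-bit WTP Count, Types 99 and 137). Assumptions not on the page: each element is framed by a 16-bit Type and a 16-bit Length before its value, and the IPv6 value is taken as 18 bytes (16 address bytes plus the 2-byte count) even though the quoted text lists its Length as 6. All addresses, counts and the extra element type in the sample are constructed.

```python
"""Parse WTP Manager Control Address elements and pick the least-loaded ap-manager.

Added example, not list or draft code.  Assumptions: a 16-bit Type, 16-bit
Length element header (the CAPWAP message element framing), and an 18-byte
value for the IPv6 element.
"""
import ipaddress
import struct

WTP_MGR_CTRL_IPV4 = 99    # Type from section 5.2.4 of the quoted draft
WTP_MGR_CTRL_IPV6 = 137   # Type from section 5.2.5 of the quoted draft
OTHER_ELEMENT_TYPE = 0x7FFF   # hypothetical non-manager element, used only in the sample


def encode_manager_element(ip, wtp_count):
    """Build one WTP Manager Control Address element for an AC interface."""
    addr = ipaddress.ip_address(ip)
    if not 0 <= wtp_count <= 0xFFFF:
        raise ValueError("WTP Count is a 16-bit field")
    etype = WTP_MGR_CTRL_IPV4 if addr.version == 4 else WTP_MGR_CTRL_IPV6
    value = addr.packed + struct.pack("!H", wtp_count)
    return struct.pack("!HH", etype, len(value)) + value


def parse_manager_elements(data):
    """Return [(address, wtp_count), ...] for every manager element in data.

    Elements of other types are skipped by their Length field.  A Length that
    runs past the buffer, or a manager element whose Length does not match its
    address family, raises ValueError rather than producing a bogus address.
    """
    managers = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated element header")
        etype, length = struct.unpack_from("!HH", data, off)
        value = data[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("element length runs past end of message")
        if etype == WTP_MGR_CTRL_IPV4:
            if length != 6:
                raise ValueError("IPv4 manager element must be 6 bytes")
            addr = ipaddress.IPv4Address(value[:4])
            managers.append((str(addr), struct.unpack("!H", value[4:6])[0]))
        elif etype == WTP_MGR_CTRL_IPV6:
            if length != 18:
                raise ValueError("IPv6 manager element must be 18 bytes")
            addr = ipaddress.IPv6Address(value[:16])
            managers.append((str(addr), struct.unpack("!H", value[16:18])[0]))
        off += 4 + length
    return managers


def choose_manager(managers, max_per_port=None):
    """Pick the least-loaded interface; the first listed wins a tie.

    max_per_port, when given, drops interfaces already holding that many WTPs
    (the per-port AP limit mentioned earlier in the thread).
    """
    candidates = [m for m in managers if max_per_port is None or m[1] < max_per_port]
    if not candidates:
        raise ValueError("no manager interface has room")
    return min(candidates, key=lambda m: m[1])[0]


def pick_from_discovery_response(data, max_per_port=None):
    """Parse the AC's response and return the address the WTP should join."""
    return choose_manager(parse_manager_elements(data), max_per_port)


# Constructed sample response: two IPv4 ap-manager interfaces, one IPv6 one,
# and one unrelated element the parser has to step over.
SAMPLE_RESPONSE = (
    encode_manager_element("10.0.0.2", 30)
    + struct.pack("!HH", OTHER_ELEMENT_TYPE, 3) + b"\x01\x02\x03"
    + encode_manager_element("10.0.0.3", 12)
    + encode_manager_element("2001:db8::3", 48)
)

if __name__ == "__main__":
    print(parse_manager_elements(SAMPLE_RESPONSE))
    print(pick_from_discovery_response(SAMPLE_RESPONSE))
```

The parser validates each manager element's Length against its address family before decoding, so a response that is truncated in transit, or that carries an element of the wrong size, is rejected outright instead of being turned into an address the AP would then try to join.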
From jason.plank at comcast.net Thu May 22 10:36:32 2008
From: jason.plank at comcast.net (jason.plank at comcast.net)
Date: Thu, 22 May 2008 14:36:32 +0000
Subject: [c-nsp] LWAPP Problems
Message-ID: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net>

Interesting.

Why does it work?

--
Regards,

Jason Plank
CCIE #16560
e: jason.plank at comcast.net

-------------- Original message ----------------------
From: "Fred Reimer"

From jason at pins.net Thu May 22 11:26:54 2008
From: jason at pins.net (Jason Berenson)
Date: Thu, 22 May 2008 11:26:54 -0400
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com>
Message-ID: <483590BE.1090103@pins.net>

Nathan,

- We prioritize signaling because if one starts to lose OPTIONS messages for example the call will be torn down.
- How can I run that without an ACL?
- Nothing useful in the logs and nothing gets printed to console.

We need to have different QoS maps for custom jobs so applying a map just to the main ATM interface isn't doable. It has to be applied to the VC since we're using CBWFQ:

router(config-subif)# service-policy output voice
CBWFQ : Not supported on subinterfaces

I checked Cisco's site and this policy should be fine on the VC.
Here's the old policy I was using:

policy-map voice
 class voice-signaling
  bandwidth percent 5
 class voice-traffic
  priority percent 70
 class class-default
  fair-queue
  random-detect

We were matching on mostly IP/ports with the old one. Also, we aren't going over the 75% limit of reserved bandwidth on the interface so setting max-reserved-bandwidth 99 did not help.

Thanks,
Jason

Nathan wrote:
> On Thu, May 22, 2008 at 12:12 AM, Jason Berenson wrote:
>
>> Greetings,
>>
>> I've recently simplified QoS on our edge routers. Here's what we're using:
>>
>> class-map match-any Core_Voice_Signaling
>>  match access-group name Core_Voice_Signaling
>> class-map match-any Core_Voice_RTP
>>  match access-group name Core_Voice_RTP
>>
>> policy-map voice
>>  class Core_Voice_Signaling
>>   bandwidth percent 5
>>  class Core_Voice_RTP
>>   priority percent 70
>>  class class-default
>>   fair-queue
>>   random-detect dscp-based
>>
>> ip access-list extended Core_Voice_RTP
>>  remark DSCP 24 = TOS 3
>>  permit udp any any dscp cs3
>>  remark DSCP ef
>>  permit udp any any dscp ef
>>
>
> You could run that without any access-list. I expect/hope that would
> be less resource-intensive.
>
>
>> ip access-list extended Core_Voice_Signaling
>>  remark SIP Signalling
>>  permit udp any any eq 5060
>>  permit tcp any any eq 5061
>>
>
> That does need an access-list though. Pity. Personally I don't do it,
> either signalling is in the AF class, or it piggybacks on the EF
> class, or it doesn't get prioritized. Is there anyone who can give an
> example of voice problems experienced when signaling packets get
> delayed or even lost?
>
>
>> For some reason when I apply 'voice' to an ATM sub-interface it doesn't
>> seem to show up under the show policy-map interface command.
>>
>
> Isn't there something in the logs?
> I don't know what log-level it is,
> I usually run debugging, and when a service-policy is not applied
> there is never any error in the session like there would be if
> there was a syntax error, but always something useful in the logs.
> Turn on "terminal monitor" . . .
>
>

From SPfister at dps.k12.oh.us Thu May 22 12:11:17 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 22 May 2008 12:11:17 -0400
Subject: [c-nsp] Need help with L2TPv3
Message-ID: <483562E4.9E6F.00B8.0@dps.k12.oh.us>

I'm trying to get L2TPv3 figured out to help with a project. I've got a test network consisting of 2 3640s (which is what is going to be used as the endpoints of the tunnels in the production network) connected by a crossover cable. Even using sample configs from the Cisco site, I can't seem to keep the tunnel from going down after about a minute. I think it may be an authentication problem.

Does anyone have a working L2TPv3 tunnel between two 3640s?

Thank you!

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From freimer at ctiusa.com Thu May 22 12:21:56 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Thu, 22 May 2008 12:21:56 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>

Yes, with 3845's, post your test config.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Thursday, May 22, 2008 12:11 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Need help with L2TPv3
>
> I'm trying to get L2TPv3 figured out to help with a project. I've got a
> test network consisting of 2 3640s (which is what is going to be used
> as the endpoints of the tunnels in the production network) connected by a
> crossover cable. Even using sample configs from the Cisco site, I can't
> seem to keep the tunnel from going down after about a minute. I think
> it may be an authentication problem.
>
> Does anyone have a working L2TPv3 tunnel between two 3640s?
>
> Thank you!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
From jmayer at loplof.de Thu May 22 12:30:58 2008
From: jmayer at loplof.de (Joerg Mayer)
Date: Thu, 22 May 2008 18:30:58 +0200
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net>
References: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net>
Message-ID: <20080522163058.GB15390@thot.informatik.uni-kl.de>

On Thu, May 22, 2008 at 02:36:32PM +0000, jason.plank at comcast.net wrote:
> Interesting.
>
> Why does it work?

If management and ap-manager addresses are in the same VLAN on the controller then perhaps that particular controller model with that particular software will forward the packet to the right interface.

Ciao
Joerg

--
Joerg Mayer
We are stuck with technology when what we really want is just stuff that works. Some say that should read Microsoft instead of technology.

From jhigham at epri.com Thu May 22 12:45:03 2008
From: jhigham at epri.com (Higham, Josh)
Date: Thu, 22 May 2008 09:45:03 -0700
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net>
References: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273ECF0E7@uspalex02.epri.com>

If an access point has connected to a controller, I believe that it attempts to connect to that controller as part of the discovery process. It is another of those 'invisible' configuration errors, that only raises its head months or years after the fact.

You could test with a new access point, or change your management IP address and bounce an AP. You can also watch LWAPP debug on the console while power cycling the access point, and/or span the port and verify.
Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jason.plank at comcast.net
> Sent: Thursday, May 22, 2008 7:37 AM
> To: Fred Reimer; Rupert Finnigan; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] LWAPP Problems
>
> Interesting.
>
> Why does it work?
>
> --
> Regards,
>
> Jason Plank
> CCIE #16560
> e: jason.plank at comcast.net
>
> -------------- Original message ----------------------
> From: "Fred Reimer"
>
>

From freimer at ctiusa.com Thu May 22 13:03:18 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Thu, 22 May 2008 13:03:18 -0400
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD46273ECF0E7@uspalex02.epri.com>
References: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net> <4C3B8C75B5899943AEC675BA6DD46273ECF0E7@uspalex02.epri.com>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0DAF@EXCHANGE.ctiusa.com>

When an AP initially connects to a controller it will save the list of controllers in the same mobility group to NVRAM, and attempt to connect to those controllers (management addresses) upon reboot. It is likely a "caveat" in the code running on the controller/AP, or a result of a "proper" management address being stored in the AP and the AP using that rather than what is being passed in DHCP.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Higham, Josh
> Sent: Thursday, May 22, 2008 12:45 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] LWAPP Problems
>
> If an access point has connected to a controller, I believe that it
> attempts to connect to that controller as part of the discovery
> process.
> It is another of those 'invisible' configuration errors, that only
> raises its head months or years after the fact.
>
> You could test with a new access point, or change your management IP
> address and bounce an AP. You can also watch LWAPP debug on the
> console while power cycling the access point, and/or span the port and verify.
>
> Thanks,
> Josh
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jason.plank at comcast.net
> > Sent: Thursday, May 22, 2008 7:37 AM
> > To: Fred Reimer; Rupert Finnigan; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] LWAPP Problems
> >
> > Interesting.
> >
> > Why does it work?
> >
> > --
> > Regards,
> >
> > Jason Plank
> > CCIE #16560
> > e: jason.plank at comcast.net
> >
> > -------------- Original message ----------------------
> > From: "Fred Reimer"
> >
> >

From rblayzor.bulk at inoc.net Thu May 22 13:23:19 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 22 May 2008 13:23:19 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4BE5A953-6B92-4A94-AF56-E218A86CA520@inoc.net>

On May 22, 2008, at 12:11 PM, Steven Pfister wrote:
> Does anyone have a working L2TPv3 tunnel between two 3640s?

According to the feature navigator, L2TPv3 doesn't exist on the 3600 series.
--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From SPfister at dps.k12.oh.us Thu May 22 13:25:20 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 22 May 2008 13:25:20 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <83557802-4021-4C87-A131-1C69D4C0E2CD@inoc.net>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <83557802-4021-4C87-A131-1C69D4C0E2CD@inoc.net>
Message-ID: <4835743F.9E6F.00B8.0@dps.k12.oh.us>

I know, but the image I'm using (12.3(14)T7) does have all the commands, and the tunnel does come up very briefly.

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> Robert Blayzor 5/22/2008 1:21 PM >>>
On May 22, 2008, at 12:11 PM, Steven Pfister wrote:
> Does anyone have a working L2TPv3 tunnel between two 3640s?

According to feature navigator, L2TPv3 doesn't exist on the 3600 series.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From SPfister at dps.k12.oh.us Thu May 22 13:37:08 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 22 May 2008 13:37:08 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>
Message-ID: <48357703.9E6F.00B8.0@dps.k12.oh.us>

The configs are below.

By the way... whenever I post to this list, I get replies both to me and to the list (so I get two copies). Is this intentional? Just curious...

Thanks!

--Steve

----------
router 1
----------

Current configuration : 1374 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SanFran
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
l2tp-class l2-dyn
 password 7 15025C0600722C21
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.102 255.255.255.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 no snmp trap link-status
 no cdp enable
 xconnect 10.1.1.103 33 pw-class pw-dynamic
!
interface FastEthernet0/0.201
 encapsulation dot1Q 201
 no snmp trap link-status
 no cdp enable
!
interface ATM2/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/1
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/2
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
interface ATM2/3
 no ip address
 shutdown
 no atm ilmi-keepalive
 no scrambling-payload
!
ip http server
!
ip classless
!
!
no cdp run
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end

----------
router 2
----------

Current configuration : 901 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname NewYork
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
!
!
l2tp-class l2-dyn
 hostname NewYork
 password 7 0616582B48160E1C
 cookie size 8
!
pseudowire-class pw-dynamic
 encapsulation l2tpv3
 protocol l2tpv3 l2-dyn
 ip local interface Loopback0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.103 255.255.255.0
!
interface FastEthernet1/0
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet1/0.201
 encapsulation dot1Q 201
 no cdp enable
 xconnect 10.1.1.102 34 pw-class pw-dynamic
!
ip http server
!
ip classless
!
!
no cdp run
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
!
end

>>> "Fred Reimer" 5/22/2008 12:21 PM >>>
Yes, with 3845's, post your test config.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Thursday, May 22, 2008 12:11 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Need help with L2TPv3
>
> I'm trying to get L2TPv3 figured out to help with a project. I've got a
> test network consisting of 2 3640s (which is what is going to be used
> as the endpoints of the tunnels in the production network) connected by a
> crossover cable. Even using sample configs from the Cisco site, I can't
> seem to keep the tunnel from going down after about a minute. I think
> it may be an authentication problem.
>
> Does anyone have a working L2TPv3 tunnel between two 3640s?
>
> Thank you!
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From rblayzor.bulk at inoc.net Thu May 22 13:41:41 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Thu, 22 May 2008 13:41:41 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <4835743F.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <83557802-4021-4C87-A131-1C69D4C0E2CD@inoc.net> <4835743F.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <1F30AFB6-2721-44F2-9483-60EFBDC85B82@inoc.net>

On May 22, 2008, at 1:25 PM, Steven Pfister wrote:
> I know, but the image I'm using (12.3(14)T7) does have all the
> commands, and the tunnel does come up very briefly.

Well then your config should look something like (assuming an Ethernet to Ethernet L2 vpn):

Router A:

l2tp-class foo
 authentication
 password bar

pseudowire-class test_l2tp
 encapsulation l2tpv3
 protocol l2tpv3 foo
 ip local interface ...

interface FastEthernet0/1
 xconnect 1.1.1.1 555 pw-class test_l2tp

Router B:

l2tp-class foo
 authentication
 password bar

pseudowire-class test_l2tp
 encapsulation l2tpv3
 protocol l2tpv3 foo
 ip local interface ...

interface FastEthernet0/1
 xconnect 2.2.2.2 555 pw-class test_l2tp

If the tunnel comes up and you can pass traffic, then it goes down, that's not authentication. If it were an authentication issue, your tunnel should not be coming up at all.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From dcp at dcptech.com Thu May 22 13:44:13 2008
From: dcp at dcptech.com (David Prall)
Date: Thu, 22 May 2008 13:44:13 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <4835743F.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <83557802-4021-4C87-A131-1C69D4C0E2CD@inoc.net> <4835743F.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <00b501c8bc33$79cb74f0$aa0b740a@cisco.com>

Why does it not stay up? GRE is smart enough to tell you if you have a recursive routing loop.
L2TPv3 has no clue since it would be a second box doing the routing outside of the L2TPv3 router. The router only knows that the next hop changed. How long has the next hop been installed in the routing table? Post a drawing and configs somewhere where we can go have a quick look.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Thursday, May 22, 2008 1:25 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Need help with L2TPv3
>
> I know, but the image I'm using (12.3(14)T7) does have all
> the commands, and the tunnel does come up very briefly.
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>
> >>> Robert Blayzor 5/22/2008 1:21 PM >>>
> On May 22, 2008, at 12:11 PM, Steven Pfister wrote:
> > Does anyone have a working L2TPv3 tunnel between two 3640s?
>
>
> According to feature navigator, L2TPv3 doesn't exist on the
> 3600 series.
>
> --
> Robert Blayzor, BOFH
> INOC, LLC
> rblayzor at inoc.net
> http://www.inoc.net/~rblayzor/
>
>
>

From dcp at dcptech.com Thu May 22 13:47:10 2008
From: dcp at dcptech.com (David Prall)
Date: Thu, 22 May 2008 13:47:10 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <48357703.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com> <48357703.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <00b601c8bc33$e0e6b870$aa0b740a@cisco.com>

There is no routing protocol configured in your sample configs? No static route to the next hop. No interface with an ip address, besides the loopback. I still think recursive route somewhere.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Thursday, May 22, 2008 1:37 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Need help with L2TPv3
>
> The configs are below.
>
> By the way... whenever I post to this list, I get replies
> both to me and to the list (so I get two copies). Is this
> intentional? Just curious...
>
> Thanks!
>
> --Steve
>
> ----------
> router 1
> ----------
>
> Current configuration : 1374 bytes
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname SanFran
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 15
> ip subnet-zero
> !
> !
> ip cef
> no ip dhcp use vrf connected
> !
> !
> l2tp-class l2-dyn
>  password 7 15025C0600722C21
>  cookie size 8
> !
> interface FastEthernet1/0
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
> !
> interface FastEthernet1/0.201
>  encapsulation dot1Q 201
>  no cdp enable
>  xconnect 10.1.1.102 34 pw-class pw-dynamic
> !
> ip http server
> !
> ip classless
> !
> !
> no cdp run
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> !
> end
>
> >>> "Fred Reimer" 5/22/2008 12:21 PM >>>
> Yes, with 3845's, post your test config.
>
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
> > Sent: Thursday, May 22, 2008 12:11 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Need help with L2TPv3
> >
> > I'm trying to get L2TPv3 figured out to help with a project. I've got a
> > test network consisting of 2 3640s (which is what is going to be used
> > as the endpoints of the tunnels in the production network) connected by a
> > crossover cable. Even using sample configs from the Cisco site, I can't
> > seem to keep the tunnel from going down after about a minute. I think
> > it may be an authentication problem.
> >
> > Does anyone have a working L2TPv3 tunnel between two 3640s?
> >
> > Thank you!
> >
> > Steve Pfister
> > Technical Coordinator,
> > The Office of Information Technology
> > Dayton Public Schools
> > 115 S. Ludlow St.
> > Dayton, OH 45402
> >
> > Office (937) 542-3149
> > Cell (937) 673-6779
> > Direct Connect: 137*131747*8
> > Email spfister at dps.k12.oh.us
> >
> >
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>

From oliver.gorwits at oucs.ox.ac.uk Thu May 22 13:54:14 2008
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Thu, 22 May 2008 18:54:14 +0100
Subject: [c-nsp] LWAPP Problems
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC95028D0DAF@EXCHANGE.ctiusa.com>
References: <052220081436.13716.483584F00005E60800003594220075109005020E049FD202019C0E06@comcast.net> <4C3B8C75B5899943AEC675BA6DD46273ECF0E7@uspalex02.epri.com> <98B7739FB65BF04F9B3233AB842EEC95028D0DAF@EXCHANGE.ctiusa.com>
Message-ID: <4835B346.4070108@oucs.ox.ac.uk>

Fred Reimer wrote:
| When an AP initially connects to a controller it will save the
| list of controllers in the same mobility group to NVRAM, and
| attempt to connect to those controller (management addresses)
| upon reboot.

On this point I *think* I heard differently from our SE, but I could be mistaken... namely that the "NVRAM" mentioned in the documentation doesn't store a controller list between reboots, only between disconnects of the Ethernet uplink or controller uplink.

regards,
oliver.
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From joe at netbyjoe.com Thu May 22 14:03:19 2008
From: joe at netbyjoe.com (Joe Freeman)
Date: Thu, 22 May 2008 13:03:19 -0500
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <48357703.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us> <98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com> <48357703.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <5da6cd9f0805221103u51150563q349014d5264038e2@mail.gmail.com>

Can you ping the loopbacks from the opposite router? There's nothing in either config that indicates how traffic flows from one router to the other. You said you're using an ethernet x-over to connect them, but surely it's not on the ports on which you've setup xconn statements. Each router must be able to see the other's loop0 ip address for this to work.

Joe

On Thu, May 22, 2008 at 12:37 PM, Steven Pfister wrote:
> The configs are below.
>
> By the way... whenever I post to this list, I get replies both to me and to
> the list (so I get two copies). Is this intentional? Just curious...
>
> Thanks!
>
> --Steve
>
> ----------
> router 1
> ----------
>
> Current configuration : 1374 bytes
> !
> version 12.3
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname SanFran
> !
> boot-start-marker
> boot-end-marker
> !
> !
> no aaa new-model
> !
> resource policy
> !
> memory-size iomem 15
> ip subnet-zero
> !
> !
> ip cef
> no ip dhcp use vrf connected
> !
> !
> l2tp-class l2-dyn
>  password 7 15025C0600722C21
>  cookie size 8
> !
> interface FastEthernet1/0
>  no ip address
>  duplex auto
>  speed auto
>  no cdp enable
> !
> interface FastEthernet1/0.201
>  encapsulation dot1Q 201
>  no cdp enable
>  xconnect 10.1.1.102 34 pw-class pw-dynamic
> !
> ip http server
> !
> ip classless
> !
> !
> no cdp run
> !
> !
> control-plane
> !
> !
> !
> !
> !
> !
> !
> !
> !
> line con 0
> line aux 0
> line vty 0 4
> !
> !
> end
>
> >>> "Fred Reimer" 5/22/2008 12:21 PM >>>
> Yes, with 3845's, post your test config.
>
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Steven Pfister
> > Sent: Thursday, May 22, 2008 12:11 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Need help with L2TPv3
> >
> > I'm trying to get L2TPv3 figured out to help with a project. I've got a
> > test network consisting of 2 3640s (which is what is going to be used
> > as the endpoints of the tunnels in the production network) connected by a
> > crossover cable. Even using sample configs from the cisco site, I can't
> > seem to keep the tunnel from going down after about a minute. I think
> > it may be an authentication problem.
> >
> > Does anyone have a working L2TPv3 tunnel between two 3640s?
> >
> > Thank you!
> >
> > Steve Pfister
> > Technical Coordinator,
> > The Office of Information Technology
> > Dayton Public Schools
> > 115 S. Ludlow St.
> > Dayton, OH 45402
> >
> > Office (937) 542-3149
> > Cell (937) 673-6779
> > Direct Connect: 137*131747*8
> > Email spfister at dps.k12.oh.us
> >
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ecables at gmail.com Thu May 22 14:04:31 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 22 May 2008 11:04:31 -0700
Subject: [c-nsp] DMVPN Rollout -- MTU questions
Message-ID:

We are preparing to roll out a dual headend / dual cloud DMVPN solution for
remote sites, distributed throughout the country. We have migrated a couple
of sites over, and have experienced some intermittent connectivity problems,
which appear to be related to MTU settings.

I've read all of the DMVPN documentation (design guide / best practices) I
can find, along with the "Resolve IP Fragmentation, MTU, MSS, and PMTUD
Issues with GRE and IPSEC" document on cisco.com, but I'm still having some
trouble finding a systematic approach to setting MTU, and/or knowing when
the use of tcp adjust-mss is needed.

Based on the DMVPN best practices design guide, we have implemented the
following:

- IP MTU 1400
- Tunnel PMTUD

The above, however, doesn't seem to work in some cases. Users at these sites
complain of intermittent connectivity problems, which seem to be solved
rather quickly by reducing the IP MTU, and configuring TCP adjust-mss.
I do have concern as to why PMTUD isn't working as expected (sending ICMP
unreachables to the client to adjust their MTU accordingly), and exactly
what values to set both IP MTU to, as well as TCP adjust-mss, assuming it's
necessary.

Below are the templates/configs used for both the Headend / Remote Site
configs:

Headend #1:

!
crypto isakmp policy 1
 encryption aes 128
 authentication pre-share
 group 5
crypto isakmp key pass123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
 description DMVPN mGRE Tunnel
 bandwidth 44210
 ip address x.x.x.1 255.255.255.224
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 10
 ip nhrp holdtime 1800
 ip nhrp server-only
 ip ospf network point-to-multipoint
 ip ospf hello-interval 5
 load-interval 30
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

Headend #2

!
crypto isakmp policy 1
 encryption aes 128
 authentication pre-share
 group 5
crypto isakmp key pass123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
 description DMVPN mGRE Tunnel
 bandwidth 44210
 ip address x.x.x.33 255.255.255.224
 no ip redirects
 ip mtu 1400
 ip nhrp map multicast dynamic
 ip nhrp network-id 20
 ip nhrp holdtime 1800
 ip nhrp server-only
 ip ospf network point-to-multipoint
 ip ospf hello-interval 5
 load-interval 30
 qos pre-classify
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

Remote Site:

!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key pass123 address x.x.x.x
crypto isakmp key pass123 address x.x.x.x
!
crypto ipsec transform-set DMVPN_TRANSFORM esp-aes esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile DMVPN
 set transform-set DMVPN_TRANSFORM
!
interface Tunnel0
 bandwidth 1536
 ip address x.x.x.x 255.255.255.224
 ip mtu 1400
 ip nhrp map x.x.x.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 10
 ip nhrp holdtime 1800
 ip nhrp nhs x.x.x.1
 ip ospf network point-to-point
 ip ospf hello-interval 5
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel destination x.x.x.x
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!
interface Tunnel1
 bandwidth 1536
 ip address x.x.x.x 255.255.255.224
 ip mtu 1400
 ip nhrp map x.x.x.33 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 20
 ip nhrp holdtime 1800
 ip nhrp nhs x.x.x.33
 ip ospf network point-to-point
 ip ospf cost 1000
 ip ospf hello-interval 5
 qos pre-classify
 tunnel source GigabitEthernet0/0
 tunnel destination x.x.x.x
 tunnel path-mtu-discovery
 tunnel protection ipsec profile DMVPN
!

Any advice would be appreciated.

--
Eric Cables

From freimer at ctiusa.com Thu May 22 14:06:57 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Thu, 22 May 2008 14:06:57 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <48357703.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
	<98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>
	<48357703.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0DF5@EXCHANGE.ctiusa.com>

It's laziness because a reply to all sends traffic to both...

Your loopback addresses are in the same subnet, which is not a valid
configuration. As someone else mentioned, you'll need a route to the
loopback address of the other end, either via a dynamic routing protocol or
static routes.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

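The checks Joe and Fred raise above (each router must reach the other's loopback, the two loopbacks must not share a subnet, and /32 masks are the sane choice) can be mechanised. The following is an added example, not code from the thread or from Cisco: it parses constructed excerpts of the SanFran and NewYork configs Steve posted and reports the findings a reviewer would raise, including one nobody in the thread mentions, that the two xconnect statements use different VC IDs (33 and 34), which must match at both ends for the pseudowire to come up. The function and finding names are my own.

```python
"""Sanity checks for a two-router L2TPv3 xconnect, run over the configs posted in this thread."""
import ipaddress

# Constructed excerpts of the two configs posted by Steven Pfister (SanFran / NewYork).
SANFRAN = """\
hostname SanFran
!
interface Loopback0
 ip address 10.1.1.102 255.255.255.0
!
interface FastEthernet0/0.200
 encapsulation dot1Q 200
 xconnect 10.1.1.103 33 pw-class pw-dynamic
"""

NEWYORK = """\
hostname NewYork
!
interface Loopback0
 ip address 10.1.1.103 255.255.255.0
!
interface FastEthernet1/0.201
 encapsulation dot1Q 201
 xconnect 10.1.1.102 34 pw-class pw-dynamic
"""


def parse(config):
    """Pull the hostname, the Loopback0 address/mask and every xconnect out of an IOS config."""
    host, loopback, xconnects, current = None, None, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("hostname "):
            host = line.split()[1]
        elif line.startswith("interface "):
            current = line.split()[1]
        elif current == "Loopback0" and line.startswith("ip address "):
            _, _, addr, mask = line.split()
            loopback = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("xconnect "):
            # xconnect <peer-ip> <vc-id> ...; remember which interface carries it
            parts = line.split()
            xconnects.append((current, ipaddress.ip_address(parts[1]), int(parts[2])))
    return host, loopback, xconnects


def lint_pair(cfg_a, cfg_b):
    """Return (code, message) findings for the two ends of one pseudowire."""
    findings = []
    sides = [parse(cfg_a), parse(cfg_b)]
    for host, lo, _ in sides:
        # Tunnel endpoints should be host routes (the /32 Joe recommends).
        if lo.network.prefixlen != 32:
            findings.append(("LOOPBACK_NOT_HOST_ROUTE",
                             f"{host}: Loopback0 {lo.with_prefixlen} is not a /32"))
    (host_a, lo_a, xc_a), (host_b, lo_b, xc_b) = sides
    # Two routers claiming the same loopback subnet (Fred's point) is not a valid topology.
    if lo_a.network.overlaps(lo_b.network):
        findings.append(("LOOPBACK_OVERLAP",
                         f"{host_a} and {host_b} both sit in {lo_a.network}"))
    # Each xconnect must target the far end's Loopback0, its L2TPv3 source (ip local interface Loopback0).
    for host, xcs, remote_lo in ((host_a, xc_a, lo_b), (host_b, xc_b, lo_a)):
        for ifname, peer, _ in xcs:
            if peer != remote_lo.ip:
                findings.append(("PEER_NOT_REMOTE_LOOPBACK",
                                 f"{host} {ifname}: peer {peer} is not remote Loopback0 {remote_lo.ip}"))
    # The VC ID names one pseudowire and has to be identical at both ends.
    vc_a = sorted(v for _, _, v in xc_a)
    vc_b = sorted(v for _, _, v in xc_b)
    if vc_a != vc_b:
        findings.append(("VCID_MISMATCH",
                         f"VC IDs differ: {host_a} uses {vc_a}, {host_b} uses {vc_b}"))
    return findings


if __name__ == "__main__":
    for code, msg in lint_pair(SANFRAN, NEWYORK):
        print(f"{code:26} {msg}")
```

Run against the posted excerpts it reports the two /24 loopbacks, their overlap, and the 33/34 VC ID mismatch; with /32 masks and a common VC ID on both sides it reports nothing. Reachability between the loopbacks is a routing question the config text alone cannot settle, which is why the thread's advice to ping the far loopback first still stands.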
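To put numbers on Eric Cables' DMVPN MTU question earlier in this digest, here is an added calculator; it is not code from the thread or from Cisco. It sizes a packet after mGRE and then ESP encapsulation with the posted transform set (esp-aes esp-sha-hmac, that is AES-CBC with a 16-byte IV and HMAC-SHA1 truncated to 96 bits), in the default IPsec tunnel mode (the posted configs set no "mode transport") and with a 4-byte GRE header (no "tunnel key" is configured). The function names, the constants and the 1500-byte physical MTU are my assumptions; the overhead figures are the standard ESP and GRE header sizes.

```python
"""Size a packet after mGRE + ESP encapsulation, to derive 'ip mtu' and 'ip tcp adjust-mss'."""

OUTER_IP = 20      # IPv4 header without options
GRE_BASE = 4       # GRE header with no key / sequence number
GRE_KEY = 4        # extra when 'tunnel key' is configured
ESP_HEADER = 8     # SPI + sequence number
AES_IV = 16        # CBC IV for esp-aes
AES_BLOCK = 16     # ciphertext is padded up to a multiple of this
ESP_TRAILER = 2    # pad length + next header, encrypted with the payload
SHA1_ICV = 12      # esp-sha-hmac truncates HMAC-SHA1 to 96 bits
IP_HEADER = 20
TCP_HEADER = 20


def esp_padding(plaintext_len, block=AES_BLOCK):
    """Bytes of ESP padding needed so payload + trailer fill whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block


def encapsulated_size(inner_len, tunnel_mode=True, gre_key=False):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    gre = GRE_BASE + (GRE_KEY if gre_key else 0)
    # In tunnel mode ESP also encrypts the GRE delivery IP header and adds a fresh outer one;
    # in transport mode the GRE delivery header stays outside and no second header is added.
    plaintext = inner_len + gre + (OUTER_IP if tunnel_mode else 0)
    pad = esp_padding(plaintext)
    return OUTER_IP + ESP_HEADER + AES_IV + plaintext + pad + ESP_TRAILER + SHA1_ICV


def max_inner_mtu(physical_mtu=1500, **kwargs):
    """Largest inner packet the tunnel source can send without fragmenting after encapsulation."""
    size = physical_mtu
    while size > 0 and encapsulated_size(size, **kwargs) > physical_mtu:
        size -= 1
    return size


def recommended_mss(ip_mtu):
    """TCP MSS at which a full segment exactly fills the tunnel's ip mtu."""
    return ip_mtu - IP_HEADER - TCP_HEADER


if __name__ == "__main__":
    for mode in (True, False):
        print(f"tunnel_mode={mode}: max inner MTU over 1500 = "
              f"{max_inner_mtu(1500, tunnel_mode=mode)}")
    print("ip mtu 1400 ->", encapsulated_size(1400), "bytes on the wire;",
          "ip tcp adjust-mss", recommended_mss(1400))
```

With these assumptions the largest inner packet that still fits in 1500 bytes is 1414 (1410 with a tunnel key), so the design guide's "ip mtu 1400" leaves a small margin, and "ip tcp adjust-mss 1360" (1400 less 20 bytes of IP and 20 of TCP) is the companion setting. The reason the MSS clamp fixes what PMTUD does not is that PMTUD depends on ICMP "fragmentation needed" messages reaching the end host, and those are routinely dropped by firewalls on the path; clamping the MSS in the SYN needs no ICMP at all. It only helps TCP, though, so UDP and ICMP traffic still rely on PMTUD or on the router fragmenting.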
From tahir.uddin at alliancebernstein.com Thu May 22 14:21:27 2008
From: tahir.uddin at alliancebernstein.com (Uddin, Tahir)
Date: Thu, 22 May 2008 14:21:27 -0400
Subject: [c-nsp] EIGRP vs BGP route selection
Message-ID: <1E79A7919A9B16468E407A8DEAB65A43049297ED@METROEVS3.ac.lp.acml.com>

Hi All,

I am summarizing an issue I am seeing, wondering if anyone might have some
input on this.

In the following topology, I have a floating static route (distance 250)
redistributed into EIGRP on R1, which sends the redistributed route to R2,
which sends it to R3. R4 sees the EIGRP route from R3 and an EBGP route from
R4. I would have thought that R3 would pick the EBGP route, since EBGP as a
protocol has an admin distance of 20 as opposed to the EIGRP admin distance
of 170, but I see the EIGRP route in the routing table of R3. Based on TAC's
recommendation, we ended up using a route map that applies a higher weight
to the EBGP route to make it more preferable. Shouldn't R3 use the EBGP route
by default because it has a lower admin distance compared to redistributed
EIGRP?

                  Static              EIGRP              EIGRP              EBGP
10.10.10.0/24 ---------------R1---------------R2---------------R3---------------R4-----------10.10.10.0/24

Thanks
From justin at justinshore.com Thu May 22 14:47:28 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 22 May 2008 13:47:28 -0500
Subject: [c-nsp] EoMPLS, 2800s & 7600 w/ 6700 linecards
Message-ID: <4835BFC0.6070709@justinshore.com>

I have a customer wanting a new PtP circuit and I'm trying to figure out how
to get it to them. We don't have the ability to build out a L2 path all the
way to them without burning more fiber and that's just not scalable. I'm
looking at other options, namely MPLS.

Here's what I'm basically trying to figure out in case people don't want to
read all the stuff below.

1) Can I pick up a VLAN off of a 1Q trunk on a 6700 series linecard in a
7600 and use it for EoMPLS? I'd prefer to pick it up with a SVI but I could
do the sub-int-based VLAN if needed.

2) Can a 2800 terminate the xconnect in a VLAN that can be assigned to a
NM-16ESW or HWIC? I'm planning on replacing the 2821 with a 7201 and a
switch down the road so in the future I can also do the sub-int-based
xconnect termination on the 7201's ints facing the switch.

For EoMPLS is using sub-interfaces the most common implementation method
with the hardware I have to work with?

Here's the long version:

I touch the customer with fiber using media converters attached to a
NM-16ESW on a 2821. The 2821 is dual-homed to the 7600s in the CO off of the
2800's built-in GigE ports. The IGP is IS-IS but I'm working on putting
customer prefixes into iBGP.
I have not extended MPLS to the edge devices that can support it, yet. I
figured though that this circuit would prompt me to do that.

The circuit would be dropped a dozen miles away at another CO and handed to
us on Ethernet. I'm working on another project to place a 15454 at each of
the 2 COs and using Xponder cards to transport numerous GigE PtP links
between the sites over a pair of 10G rings. I'm considering placing a single
(or pair) 4948 at each site to combine lower bandwidth PtPs together before
feeding a single GigE into an Xponder, i.e. not wasting expensive ports on
the expensive Xponders.

What I'm thinking about here is taking the PtP at the remote CO via Ethernet
into a 4948 or Xponder on a specific VLAN. Then carrying that down to one of
the 7600s (no DWDM filters at this time). Picking up that VLAN and sticking
it in a L2VPN. Adding MPLS to the links between the 2821 and the 7600s. And
finally dropping off that L2VPN on a VLAN on the 2821 assigned to a 1Q trunk
on the NM-16ESW. Also, I'll add an 8 port 2960 or 3560 at the customer's
site to break out the VLANs off the 1Q trunk and offer up individual links
to the customer.

I've learned through past dealings with the 6700 linecards in my 7600s that
I have very limited MPLS capabilities to work with. How do I stuff a VLAN
into a L2VPN from a 1Q trunk coming into a 6724-SFP or 6748-GE? Second, on
the 2800, how do I terminate the L2VPN in a VLAN that I can use on the
NM-16ESW? What's in the middle should be relatively easy. It's the edges
that I'm struggling with.

I see that 12.4(11)T added AToM support to the ISRs and it specifically
mentioned "Ethernet to VLAN Mode" as an option. I'm running a more recent
12.4T release anyway so this should work fine. Unfortunately I haven't been
able to find any implementation docs. All I can find are general docs or
sales docs.
http://www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a8728.html#wp1083948

I may have the ability to place a ME3750 at the remote CO. If that happens
then I should be able to do EoMPLS from that edge back to the 2800. I do not
know if I'll be able to free up that ME3750 though. So I need to know if I
can set up EoMPLS with VLANs on the 7600 and 2800 specifically. What's in
the middle I'm less concerned about.

Thanks
Justin

From SPfister at dps.k12.oh.us Thu May 22 15:10:30 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Thu, 22 May 2008 15:10:30 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <5da6cd9f0805221116h79469067j206ae6625c486f76@mail.gmail.com>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
	<98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>
	<48357703.9E6F.00B8.0@dps.k12.oh.us>
	<5da6cd9f0805221103u51150563q349014d5264038e2@mail.gmail.com>
	<48357EC7.9E6F.00B8.0@dps.k12.oh.us>
	<5da6cd9f0805221116h79469067j206ae6625c486f76@mail.gmail.com>
Message-ID: <48358CE4.9E6F.00B8.0@dps.k12.oh.us>

Thanks to all that responded. I've made changes to the config and I can ping
the other router's ethernet and loopback addresses. The tunnel doesn't show
up at all now, though. Do I need to have something plugged into the ethernet
ports with the xconnect statements?

Steve Pfister
Technical Coordinator,
The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402

Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Joe Freeman" 5/22/2008 2:16 PM >>>
It looks like you're trying to do an 'ip unnumbered' config on those
ethernet ports. IP unnumbered only works on p2p interfaces.

You need to have the interfaces between the two routers numbered and static
routes, or a routing protocol in place to ensure reachability between them.

Also, I'd change the loopback addresses to /32 masks.
With the configuration you have, I'd also make sure the connection between
the routers is on a different port than the vlans you are trying to xconnect
at layer 2.

Joe

On Thu, May 22, 2008 at 1:10 PM, Steven Pfister wrote:

> No I can't ping the loopbacks. That's been bothering me. I've added
> 10.2.2.x addresses to the FastEthernet ports (which I thought I had problems
> with earlier) and I can ping those from the other router. And I've added
> static routes for the 10.1.1.x network pointing at the FastEthernet
> interfaces. Still can't ping the loopback addresses.
>
> I thought it was strange, but that's what the sample configs had.
>
> Yes, the xconnect statements are on the same interfaces the crossover is
> connected to. I can try adding ethernet ports to each side and see what
> happens.
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
>
> >>> "Joe Freeman" 5/22/2008 2:03 PM >>>
> Can you ping the loopbacks from the opposite router? There's nothing in
> either config that indicates how traffic flows from one router to the
> other.
>
> You said you're using an ethernet x-over to connect them, but surely it's
> not on the ports on which you've set up xconn statements.
>
> Each router must be able to see the other's loop0 ip address for this to
> work.
>
> Joe
>
> On Thu, May 22, 2008 at 12:37 PM, Steven Pfister wrote:
>
> > The configs are below.
> >
> > By the way... whenever I post to this list, I get replies both to me and
> > to the list (so I get two copies). Is this intentional? Just curious...
> >
> > Thanks!
> >
> > --Steve
> >
> > [router 1 / router 2 configs snipped; quoted in full earlier in the thread]
From freimer at ctiusa.com Thu May 22 15:18:55 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Thu, 22 May 2008 15:18:55 -0400
Subject: [c-nsp] Need help with L2TPv3
In-Reply-To: <48358CE4.9E6F.00B8.0@dps.k12.oh.us>
References: <483562E4.9E6F.00B8.0@dps.k12.oh.us>
	<98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com>
	<48357703.9E6F.00B8.0@dps.k12.oh.us>
	<5da6cd9f0805221103u51150563q349014d5264038e2@mail.gmail.com>
	<48357EC7.9E6F.00B8.0@dps.k12.oh.us>
	<5da6cd9f0805221116h79469067j206ae6625c486f76@mail.gmail.com>
	<48358CE4.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0E45@EXCHANGE.ctiusa.com>

It may not bring up the link without a reason to; you might need to
generate some traffic and have both Ethernet ports plugged in...

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Steven Pfister
> Sent: Thursday, May 22, 2008 3:11 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Need help with L2TPv3
>
> Thanks to all that responded. I've made changes to the config and I can
> ping the other router's ethernet and loopback addresses. The tunnel
> doesn't show up at all now, though.
> Do I need to have something plugged
> into the ethernet ports with the xconnect statements?
>
> Steve Pfister
> Technical Coordinator,
> The Office of Information Technology
> Dayton Public Schools
> 115 S. Ludlow St.
> Dayton, OH 45402
>
> Office (937) 542-3149
> Cell (937) 673-6779
> Direct Connect: 137*131747*8
> Email spfister at dps.k12.oh.us
>
> [earlier messages in the thread snipped; quoted in full above]
There's nothing > in > > either config that indicates how traffic flows from one router to the > > other. > > > > > > You said you're using an ethernet x-over to connect them, but surely > it's > > not on the ports on which you've setup xconn statements. > > > > Each router must be able to see the other's loop0 ip address for this > to > > work. > > > > Joe > > > > On Thu, May 22, 2008 at 12:37 PM, Steven Pfister > > > wrote: > > > > > The configs are below. > > > > > > By the way... whenever I post to this list, I get replies both to > me and > > to > > > the list (so I get two copies). Is this intentional? Just > curious... > > > > > > Thanks! > > > > > > --Steve > > > > > > ---------- > > > router 1 > > > ---------- > > > > > > Current configuration : 1374 bytes > > > ! > > > version 12.3 > > > service timestamps debug datetime msec > > > service timestamps log datetime msec > > > no service password-encryption > > > ! > > > hostname SanFran > > > ! > > > boot-start-marker > > > boot-end-marker > > > ! > > > ! > > > no aaa new-model > > > ! > > > resource policy > > > ! > > > memory-size iomem 15 > > > ip subnet-zero > > > ! > > > ! > > > ip cef > > > no ip dhcp use vrf connected > > > ! > > > ! > > > l2tp-class l2-dyn > > > password 7 15025C0600722C21 > > > cookie size 8 > > > ! > > > pseudowire-class pw-dynamic > > > encapsulation l2tpv3 > > > protocol l2tpv3 l2-dyn > > > ip local interface Loopback0 > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > interface Loopback0 > > > ip address 10.1.1.102 255.255.255.0 > > > ! > > > interface FastEthernet0/0 > > > no ip address > > > duplex auto > > > speed auto > > > no cdp enable > > > ! > > > interface FastEthernet0/0.200 > > > encapsulation dot1Q 200 > > > no snmp trap link-status > > > no cdp enable > > > xconnect 10.1.1.103 33 pw-class pw-dynamic > > > ! 
> > > interface FastEthernet0/0.201 > > > encapsulation dot1Q 201 > > > no snmp trap link-status > > > no cdp enable > > > ! > > > interface ATM2/0 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/1 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/2 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/3 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > ip http server > > > ! > > > ip classless > > > ! > > > ! > > > no cdp run > > > ! > > > ! > > > control-plane > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > line con 0 > > > line aux 0 > > > line vty 0 4 > > > login > > > ! > > > ! > > > end > > > > > > ---------- > > > router 2 > > > ---------- > > > > > > Current configuration : 901 bytes > > > ! > > > version 12.3 > > > service timestamps debug datetime msec > > > service timestamps log datetime msec > > > no service password-encryption > > > ! > > > hostname NewYork > > > ! > > > boot-start-marker > > > boot-end-marker > > > ! > > > ! > > > no aaa new-model > > > ! > > > resource policy > > > ! > > > memory-size iomem 15 > > > ip subnet-zero > > > ! > > > ! > > > ip cef > > > no ip dhcp use vrf connected > > > ! > > > ! > > > l2tp-class l2-dyn > > > hostname NewYork > > > password 7 0616582B48160E1C > > > cookie size 8 > > > ! > > > pseudowire-class pw-dynamic > > > encapsulation l2tpv3 > > > protocol l2tpv3 l2-dyn > > > ip local interface Loopback0 > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > interface Loopback0 > > > ip address 10.1.1.103 255.255.255.0 > > > ! > > > interface FastEthernet1/0 > > > no ip address > > > duplex auto > > > speed auto > > > no cdp enable > > > ! 
> > > interface FastEthernet1/0.201 > > > encapsulation dot1Q 201 > > > no cdp enable > > > xconnect 10.1.1.102 34 pw-class pw-dynamic > > > ! > > > ip http server > > > ! > > > ip classless > > > ! > > > ! > > > no cdp run > > > ! > > > ! > > > control-plane > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > line con 0 > > > line aux 0 > > > line vty 0 4 > > > ! > > > ! > > > end > > > > > > >>> "Fred Reimer" 5/22/2008 12:21 PM >>> > > > Yes, with 3845's, post your test config. > > > > > > > > > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS > > > Senior Network Engineer > > > Coleman Technologies, Inc. > > > 954-298-1697 > > > > > > > > > > -----Original Message----- > > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > > > bounces at puck.nether.net] On Behalf Of Steven Pfister > > > > Sent: Thursday, May 22, 2008 12:11 PM > > > > To: cisco-nsp at puck.nether.net > > > > Subject: [c-nsp] Need help with L2TPv3 > > > > > > > > I'm trying to get L2TPv3 figured out to help with a project. I've > got a > > > > test network consisting of 2 3640s (which is what is going to be > used > > > > as the endpoints of the tunnels in the production network) > connected by a > > > > crossover cable. Even using sample configs from the cisco site, I > can't > > > > seem to keep the tunnel from going down after about a minute. I > think > > > > it may be an authentication problem. > > > > > > > > Does anyone have a working L2TPv3 tunnel between two 3640s? > > > > > > > > Thank you! > > > > > > > > Steve Pfister > > > > Technical Coordinator, > > > > The Office of Information Technology > > > > Dayton Public Schools > > > > 115 S. Ludlow St.
> > > > Dayton, OH 45402 > > > > > > > > Office (937) 542-3149 > > > > Cell (937) 673-6779 > > > > Direct Connect: 137*131747*8 > > > > Email spfister at dps.k12.oh.us > > > > > > > > > > > > _______________________________________________ > > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > Steve Pfister > > > Technical Coordinator, > > > The Office of Information Technology > > > Dayton Public Schools > > > 115 S. Ludlow St. > > > Dayton, OH 45402 > > > > > > Office (937) 542-3149 > > > Cell (937) 673-6779 > > > Direct Connect: 137*131747*8 > > > Email spfister at dps.k12.oh.us > > > > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
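Editor's note on the configs quoted in this thread: both l2tp-class blocks carry the L2TPv3 control-channel secret as a 'password 7' string. Type 7 is reversible obfuscation keyed with a fixed, publicly known string, not a hash, so pasting such a config into a public list discloses the shared secret; the same holds for any 'key 7' line (TACACS+, RADIUS, routing-protocol authentication). The Python below is an added example, not code from the thread or from Cisco: it decodes and encodes type-7 strings and scans a config dump for them. The sample config and its 'l2tp-shared-secret' value are constructed here; the vector 094F471A1A0A is the widely published type-7 encoding of 'cisco'.

```python
"""Cisco IOS type-7 ("password 7" / "key 7") codec plus a config scanner.

Added example, not code from the cisco-nsp thread. Type 7 is a fixed-key
XOR stream: the first two digits of the string are a decimal offset into
a well-known 53-byte key, and every following hex byte is one plaintext
character XORed with the key byte at (offset + position) mod 53.
"""
import re
from typing import List, Tuple

# The fixed key IOS uses for type-7 obfuscation (public for decades).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Recover the plaintext behind a 'password 7 <hex>' string."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("type-7 strings are an even number of hex digits (>= 4)")
    offset = int(encoded[:2], 10)          # IOS emits 0..15; the key is longer
    if offset >= len(TYPE7_KEY):
        raise ValueError("offset %d exceeds the key length" % offset)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii", errors="replace")


def type7_encode(plain: str, offset: int = 0) -> str:
    """Inverse of type7_decode; IOS itself picks the offset pseudo-randomly."""
    if not 0 <= offset <= 15:
        raise ValueError("IOS uses offsets 0..15")
    body = bytes(ord(c) ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return "%02d%s" % (offset, body.hex().upper())


# Matches the tail of lines such as " password 7 094F471A1A0A" or " key 7 ...".
_TYPE7_LINE = re.compile(r"\b(?:password|key|secret)\s+7\s+([0-9A-Fa-f]{4,})\s*$")


def find_type7_secrets(config_text: str) -> List[Tuple[str, str]]:
    """Return (config line, recovered plaintext) for each type-7 secret in a dump."""
    hits = []
    for line in config_text.splitlines():
        m = _TYPE7_LINE.search(line)
        if m:
            hits.append((line.strip(), type7_decode(m.group(1))))
    return hits


# Constructed sample config (not the thread's): one l2tp-class secret we
# encode ourselves, plus the widely published vector 094F471A1A0A = "cisco".
SAMPLE_CONFIG = """\
l2tp-class l2-dyn
 password 7 %s
 cookie size 8
!
line vty 0 4
 password 7 094F471A1A0A
 login
""" % type7_encode("l2tp-shared-secret", offset=12)


if __name__ == "__main__":
    for line, secret in find_type7_secrets(SAMPLE_CONFIG):
        print("%-32s -> %s" % (line, secret))
```

Run against a real 'show running-config' it lists every type-7 line next to its plaintext, which is the check to do before a config leaves the box. A control-channel secret like the l2tp-class password has to be recoverable by the router for challenge-response, so it will always be stored in reversible form; treat it as a plaintext credential, redact it before posting, and rotate it if it has already been posted.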
From SPfister at dps.k12.oh.us Thu May 22 15:25:58 2008 From: SPfister at dps.k12.oh.us (Steven Pfister) Date: Thu, 22 May 2008 15:25:58 -0400 Subject: [c-nsp] Need help with L2TPv3 In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC95028D0E45@EXCHANGE.ctiusa.com> References: <483562E4.9E6F.00B8.0@dps.k12.oh.us><98B7739FB65BF04F9B3233AB842EEC95028D0D8A@EXCHANGE.ctiusa.com><48357703.9E6F.00B8.0@dps.k12.oh.us><5da6cd9f0805221103u51150563q349014d5264038e2@mail.gmail.com><48357EC7.9E6F.00B8.0@dps.k12.oh.us><5da6cd9f0805221116h79469067j206ae6625c486f76@mail.gmail.com> <48358CE4.9E6F.00B8.0@dps.k12.oh.us> <98B7739FB65BF04F9B3233AB842EEC95028D0E45@EXCHANGE.ctiusa.com> Message-ID: <48359084.9E6F.00B8.0@dps.k12.oh.us> Yes, I should have known... connecting switches to the routers brought the tunnel up and I think everything is OK now... Thanks to all who responded! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Fred Reimer" 5/22/2008 3:18 PM >>> It may not bring up the link without a reason to; you might need to generate some traffic and have both Ethernet ports plugged in... Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Steven Pfister > Sent: Thursday, May 22, 2008 3:11 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Need help with L2TPv3 > > Thanks to all that responded. I've made changes to the config and I can > ping the other router's ethernet and loopback addresses.
The tunnel > doesn't show up at all now, though. Do I need to have something plugged > into the ethernet ports with the xconnect statements? > > Steve Pfister > Technical Coordinator, > The Office of Information Technology > Dayton Public Schools > 115 S. Ludlow St. > Dayton, OH 45402 > > Office (937) 542-3149 > Cell (937) 673-6779 > Direct Connect: 137*131747*8 > Email spfister at dps.k12.oh.us > > > >>> "Joe Freeman" 5/22/2008 2:16 PM >>> > It looks like you're trying to do an 'ip unnumbered' config on those > ethernet ports. IP unnumbered only works on p2p interfaces. > > You need to have the interfaces between the two routers numbered and > static > routes, or a routing protocol in place to ensure reachability between > them. > > Also, I'd change the loopback addresses to /32 masks. > > with the configuration you have, I'd also make sure the connection > between > the routers is on a different port than the vlans you are trying to > xconnect > at layer 2. > > Joe > > On Thu, May 22, 2008 at 1:10 PM, Steven Pfister > > wrote: > > > No I can't ping the loopbacks. That's been bothering me. I've added > > 10.2.2.x addresses to the FastEthernet ports (which I thought I had > problems > > with earlier) and I can ping those from the other router. And I've > added > > static routes for the 10.1.1.x network pointing at the FastEthernet > > interfaces. Still can't ping the loopback addresses. > > > > I thought it was strange, but that's what the sample configs had. > > > > Yes, the xconnect statements are on the same interfaces the crossover > is > > connected to. I can try adding ethernet ports to each side and see > what > > happens. > > > > Steve Pfister > > Technical Coordinator, > > The Office of Information Technology > > Dayton Public Schools > > 115 S. Ludlow St. 
> > Dayton, OH 45402 > > > > Office (937) 542-3149 > > Cell (937) 673-6779 > > Direct Connect: 137*131747*8 > > Email spfister at dps.k12.oh.us > > > > > > >>> "Joe Freeman" 5/22/2008 2:03 PM >>> > > Can you ping the loopbacks from the opposite router? There's nothing > in > > either config that indicates how traffic flows from one router to the > > other. > > > > > > You said you're using an ethernet x-over to connect them, but surely > it's > > not on the ports on which you've setup xconn statements. > > > > Each router must be able to see the other's loop0 ip address for this > to > > work. > > > > Joe > > > > On Thu, May 22, 2008 at 12:37 PM, Steven Pfister > > > wrote: > > > > > The configs are below. > > > > > > By the way... whenever I post to this list, I get replies both to > me and > > to > > > the list (so I get two copies). Is this intentional? Just > curious... > > > > > > Thanks! > > > > > > --Steve > > > > > > ---------- > > > router 1 > > > ---------- > > > > > > Current configuration : 1374 bytes > > > ! > > > version 12.3 > > > service timestamps debug datetime msec > > > service timestamps log datetime msec > > > no service password-encryption > > > ! > > > hostname SanFran > > > ! > > > boot-start-marker > > > boot-end-marker > > > ! > > > ! > > > no aaa new-model > > > ! > > > resource policy > > > ! > > > memory-size iomem 15 > > > ip subnet-zero > > > ! > > > ! > > > ip cef > > > no ip dhcp use vrf connected > > > ! > > > ! > > > l2tp-class l2-dyn > > > password 7 15025C0600722C21 > > > cookie size 8 > > > ! > > > pseudowire-class pw-dynamic > > > encapsulation l2tpv3 > > > protocol l2tpv3 l2-dyn > > > ip local interface Loopback0 > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > interface Loopback0 > > > ip address 10.1.1.102 255.255.255.0 > > > ! 
> > > interface FastEthernet0/0 > > > no ip address > > > duplex auto > > > speed auto > > > no cdp enable > > > ! > > > interface FastEthernet0/0.200 > > > encapsulation dot1Q 200 > > > no snmp trap link-status > > > no cdp enable > > > xconnect 10.1.1.103 33 pw-class pw-dynamic > > > ! > > > interface FastEthernet0/0.201 > > > encapsulation dot1Q 201 > > > no snmp trap link-status > > > no cdp enable > > > ! > > > interface ATM2/0 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/1 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/2 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > interface ATM2/3 > > > no ip address > > > shutdown > > > no atm ilmi-keepalive > > > no scrambling-payload > > > ! > > > ip http server > > > ! > > > ip classless > > > ! > > > ! > > > no cdp run > > > ! > > > ! > > > control-plane > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > line con 0 > > > line aux 0 > > > line vty 0 4 > > > login > > > ! > > > ! > > > end > > > > > > ---------- > > > router 2 > > > ---------- > > > > > > Current configuration : 901 bytes > > > ! > > > version 12.3 > > > service timestamps debug datetime msec > > > service timestamps log datetime msec > > > no service password-encryption > > > ! > > > hostname NewYork > > > ! > > > boot-start-marker > > > boot-end-marker > > > ! > > > ! > > > no aaa new-model > > > ! > > > resource policy > > > ! > > > memory-size iomem 15 > > > ip subnet-zero > > > ! > > > ! > > > ip cef > > > no ip dhcp use vrf connected > > > ! > > > ! > > > l2tp-class l2-dyn > > > hostname NewYork > > > password 7 0616582B48160E1C > > > cookie size 8 > > > ! > > > pseudowire-class pw-dynamic > > > encapsulation l2tpv3 > > > protocol l2tpv3 l2-dyn > > > ip local interface Loopback0 > > > ! > > > ! > > > ! > > > ! > > > ! 
> > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > interface Loopback0 > > > ip address 10.1.1.103 255.255.255.0 > > > ! > > > interface FastEthernet1/0 > > > no ip address > > > duplex auto > > > speed auto > > > no cdp enable > > > ! > > > interface FastEthernet1/0.201 > > > encapsulation dot1Q 201 > > > no cdp enable > > > xconnect 10.1.1.102 34 pw-class pw-dynamic > > > ! > > > ip http server > > > ! > > > ip classless > > > ! > > > ! > > > no cdp run > > > ! > > > ! > > > control-plane > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > ! > > > line con 0 > > > line aux 0 > > > line vty 0 4 > > > ! > > > ! > > > end > > > > > > >>> "Fred Reimer" 5/22/2008 12:21 PM >>> > > > Yes, with 3845's, post your test config. > > > > > > > > > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS > > > Senior Network Engineer > > > Coleman Technologies, Inc. > > > 954-298-1697 > > > > > > > > > > -----Original Message----- > > > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > > > bounces at puck.nether.net] On Behalf Of Steven Pfister > > > > Sent: Thursday, May 22, 2008 12:11 PM > > > > To: cisco-nsp at puck.nether.net > > > > Subject: [c-nsp] Need help with L2TPv3 > > > > > > > > I'm trying to get L2TPv3 figured out to help with a project. I've > got a > > > > test network consisting of 2 3640s (which is what is going to be > used > > > > as the endpoints of the tunnels in the production network) > connected by a > > > > crossover cable. Even using sample configs from the cisco site, I > can't > > > > seem to keep the tunnel from going down after about a minute. I > think > > > > it may be an authentication problem. > > > > > > > > Does anyone have a working L2TPv3 tunnel between two 3640s? > > > > > > > > Thank you! > > > > > > > > Steve Pfister > > > > Technical Coordinator, > > > > The Office of Information Technology > > > > Dayton Public Schools > > > > 115 S. Ludlow St.
> > > > Dayton, OH 45402 > > > > > > > > Office (937) 542-3149 > > > > Cell (937) 673-6779 > > > > Direct Connect: 137*131747*8 > > > > Email spfister at dps.k12.oh.us > > > > > > > > > > > > _______________________________________________ > > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > Steve Pfister > > > Technical Coordinator, > > > The Office of Information Technology > > > Dayton Public Schools > > > 115 S. Ludlow St. > > > Dayton, OH 45402 > > > > > > Office (937) 542-3149 > > > Cell (937) 673-6779 > > > Direct Connect: 137*131747*8 > > > Email spfister at dps.k12.oh.us > > > > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From luan.m.nguyen at gmail.com Thu May 22 15:47:24 2008 From: luan.m.nguyen at gmail.com (Luan Nguyen) Date: Thu, 22 May 2008 15:47:24 -0400 Subject: [c-nsp] EIGRP vs BGP route selection In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A43049297ED@METROEVS3.ac.lp.acml.com> References: <1E79A7919A9B16468E407A8DEAB65A43049297ED@METROEVS3.ac.lp.acml.com> Message-ID: <19cdad00805221247p175c030coecefbf8a265b3e6d@mail.gmail.com> You have to have EIGRP redistribute into BGP as well? 
Once in the BGP table, locally redistributed routes will have a weight of 32768 which will be preferred over the EBGP weight of 0. I remember reading over at the Netpro forum and someone said that it's a race condition: EIGRP converges faster and gets there first. You either do the TAC suggestion or you could use a route-map to set things to influence EIGRP redistributed routes to lower priority. But you have to do it though. If you don't do anything and just clear eigrp and the BGP route gets in the routing table, later if that link fails, EIGRP will be in there and won't get out even if the link comes back up. -lmn On Thu, May 22, 2008 at 2:21 PM, Uddin, Tahir < tahir.uddin at alliancebernstein.com> wrote: > Hi All, > > I am summarizing an issue I am seeing, wondering if anyone might have > some input on this. > > In the following topology, I have a floating static route (distance 250) > redistributed into EIGRP on R1 which sends the redistributed route to R2 > which sends it to R3. R4 sees the EIGRP route from R3 and an EBGP route > from R4. I would have thought that R3 would pick the EBGP route since > EBGP as a protocol has an admin distance of 20 as opposed to the EIGRP > admin distance of 170 but I see the EIGRP route in the routing table of > R3. Based on TAC's recommendation, we ended up using a route map that > applies a higher weight to the EBGP route to make it more preferable. > Shouldn't R3 use the EBGP route by default because it has lower admin > distance compared to redistributed EIGRP? > > > > Static EIGRP > EIGRP EBGP > > 10.10.10.0/24 > -------------------------R1------------------------R2------------------- > -R3------------------------R4-----------10.10.10.0/24 > > > > Thanks > > > > > > > ----------------------------------------- > The information contained in this transmission may be privileged and > confidential and is intended only for the use of the person(s) named > above.
If you are not the intended recipient, or an employee or agent > responsible > for delivering this message to the intended recipient, any review, > dissemination, > distribution or duplication of this communication is strictly prohibited. > If you are > not the intended recipient, please contact the sender immediately by reply > e-mail > and destroy all copies of the original message. Please note that we do not > accept > account orders and/or instructions by e-mail, and therefore will not be > responsible > for carrying out such orders and/or instructions. If you, as the intended > recipient > of this message, the purpose of which is to inform and update our clients, > prospects > and consultants of developments relating to our services and products, > would not > like to receive further e-mail correspondence from the sender, please > "reply" to the > sender indicating your wishes. In the U.S.: 1345 Avenue of the Americas, > New York, > NY 10105. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From have.an.email at gmail.com Thu May 22 16:56:29 2008 From: have.an.email at gmail.com (Nathan) Date: Thu, 22 May 2008 22:56:29 +0200 Subject: [c-nsp] QoS ATM sub interface In-Reply-To: <483590BE.1090103@pins.net> References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> Message-ID: <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> On Thu, May 22, 2008 at 5:26 PM, Jason Berenson wrote: > Nathan, > > - We prioritize signaling because if one starts to lose OPTIONS messages for > example the call will be torn down. OK thanks :-) > - How can I run that without an ACL? The only way would be to make sure they get tagged on coming in to your network. 
But the ACL is not the problem, it might have been the problem if you were seeing too much CPU... > - Nothing useful in the logs and nothing gets printed to console. We need > to have different QoS maps for custom jobs so applying a map just to the > main ATM interface isn't doable. It has to be applied to the VC since we're > using CBWFQ: > > router(config-subif)# service-policy output voice > CBWFQ : Not supported on subinterfaces Yes, it's logical too because the policy has to know the available bandwidth, and that's at the VC level. > I checked Cisco's site and this policy should be fine on the VC. Here's the > old policy I was using: > > policy-map voice > class voice-signaling > bandwidth percent 5 > class voice-traffic > priority percent 70 > class class-default > fair-queue > random-detect > > We were matching on mostly IP/ports with the old one. You can apply the old policy but not the new one? What IOS version, what router platform, what ATM interface model? Looking at your config I can't see any difference between what you are doing and what I have done for years without any problems on PA-A3 cards on 7206VXR NPE-300 or G1 running most any MPLS-enabled IOSes from 12.2T through 12.3 up to 12.4T. Some things you might try: - check that you are logging debugging messages (I have no idea what level any errors might be at) - if you can apply the "old" config, try to find the difference between the config that you can apply and the one you want to but can't; try to reduce the difference by trial and error. - if you can't apply any config, check that your hardware (router and interface card) and your IOS can do what you want - Post to the list the IOS and the hardware used as well as the configs that work and do not work. Afraid I can't help you any more than that...
-- HTH Nathan From jason at pins.net Thu May 22 18:06:10 2008 From: jason at pins.net (Jason Berenson) Date: Thu, 22 May 2008 18:06:10 -0400 Subject: [c-nsp] QoS ATM sub interface In-Reply-To: <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> Message-ID: <4835EE52.1010603@pins.net> Nathan, Thanks for your help. Here's some more information that I probably should have provided in my first email. I will continue to do some trial and error debugging. 7206 NPE-G1 PA-A3-OC3MM c7200-is-mz.124-19.bin -Jason Nathan wrote: > On Thu, May 22, 2008 at 5:26 PM, Jason Berenson wrote: > >> Nathan, >> >> - We prioritize signaling because if one starts to lose OPTIONS messages for >> example the call will be torn down. >> > > OK thanks :-) > > >> - How can I run that without an ACL? >> > > The only way would be to make sure they get tagged on coming in to your network. > > But the ACL is not the problem, it might have been the problem if you > were seeing too much CPU... > > >> - Nothing useful in the logs and nothing gets printed to console. We need >> to have different QoS maps for custom jobs so applying a map just to the >> main ATM interface isn't doable. It has to be applied to the VC since we're >> using CBWFQ: >> >> router(config-subif)# service-policy output voice >> CBWFQ : Not supported on subinterfaces >> > > Yes, it's logical too because the policy has to know the available > bandwidth, and that's at the VC level. > > >> I checked Ciscos site and this policy should be fine on the VC. Here's the >> old policy I was using: >> >> policy-map voice >> class voice-signaling >> bandwidth percent 5 >> class voice-traffic >> priority percent 70 >> class class-default >> fair-queue >> random-detect >> >> We were matching on mostly IP/ports with the old one. 
>> > > You can apply the old policy but not the new one? > > What IOS version, what router platform, what ATM interface model? > > Looking at your config I can't see any difference between what you are > doing and what I have done for years without any problems on PA-A3 > cards on 7206VXR NPE-300 or G1 running most any MPLS-enabled IOSes > from 12.2T through 12.3 up to 12.4T. > > Some things you might try: > > - check that you are logging debugging messages (I have no idea what > level any errors might be at) > > - if you can apply the "old" config, try to find the difference > between the config that you can apply and the one you want to but > can't; try to reduce the difference by trial and error. > > - if you can't apply any config, check that your hardware (router and > interface card) and your IOS can do what you want > > - Post to the list the IOS and the hardware used as well as the > configs that work and do not work. > > Afraid I can't help you any more than that... > > From jarrod.friedland at gmail.com Thu May 22 21:51:50 2008 From: jarrod.friedland at gmail.com (Jarrod Friedland) Date: Fri, 23 May 2008 11:51:50 +1000 Subject: [c-nsp] 6509 power supply question Message-ID: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Hi All We have a 6509 with 2 x 1300W power supplies... rephrase, we had :) - anyway, one of the power supplies has died, we are sourcing a replacement however, in the meantime I have another 6509 sitting next to me however it has 1800W power supplies. The question Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues with doing this we should be aware of? I have asked this question of cisco integrators however all we get is "The engineers have put their heads together and say NO" It's not something we would normally do however this is only temporary but I can't do it until we know conclusively that it will not have a detrimental effect on the 6509 or any of its contents.
Thanks -- -- Jarrod From petelists at templin.org Thu May 22 21:57:43 2008 From: petelists at templin.org (Pete Templin) Date: Thu, 22 May 2008 20:57:43 -0500 Subject: [c-nsp] 6509 power supply question In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: <48362497.5080401@templin.org> Jarrod Friedland wrote: > Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues > with doing this we should be aware of? I have asked this question of cisco > integrators however all we get is "The engineers have put their heads > together and say NO" My understanding is YES, with the notion that you'd only have the output of the 1300W (1152W IIRC) available to the system, but that shouldn't be a problem for you at this time. Caveat: I have had three 6509s fry simultaneously (ALL ports "inactive") due to DC power issues (it's the only logical conclusion I can draw from the facts available); the only thing thought to be good once the dust settled was the power supplies. The cards showed ports 'inactive' when inserted into known-good chassis, the sups showed ports 'inactive' locally and on known-good linecards when inserted into known-good chassis, and the chassis showed ports 'inactive' when loaded with known-good cards. So you may want to take my advice with a grain of salt. ;) pt From freimer at ctiusa.com Thu May 22 23:31:00 2008 From: freimer at ctiusa.com (Fred Reimer) Date: Thu, 22 May 2008 23:31:00 -0400 Subject: [c-nsp] 6509 power supply question In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D0F49@EXCHANGE.ctiusa.com> con·clu·sive (kən-klo͞o′sĭv) adj. Serving to put an end to doubt, question, or uncertainty; decisive. I don't think you will ever know "conclusively."
The best bet is to create a TAC case and have them put a 1300W and 1800W power supply in a 6509 chassis loaded with the same cards that you have. Good luck with getting that done before your replacement arrives (it isn't there yet?) I'd concur with the rest of the engineers that say it should not be a problem, FWIW. At least you don't have one of those funky power cords that were wired wrong and when plugged in would energize the whole chassis. That must have been a shocking discovery! HTH, Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Jarrod Friedland > Sent: Thursday, May 22, 2008 9:52 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] 6509 power supply question > > Hi All > > We have a 6509 with 2 x 1300W power supplies... rephrase, we had :) - > anyway, > one of the power supplies has died, we are sourcing a replacement > however, > in the meantime I have another 6509 sitting next to me however it has > 1800W > power supplies. > > The question > > Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there > issues > with doing this we should be aware of? I have asked this question of > cisco > integrators however all we get is "The engineers have put their heads > together and say NO" > > It's not something we would normally do however this is only temporary > but I > can't do it until we know conclusively that it will not have a detrimental > effect on the 6509 or any of its contents. > > Thanks > > -- > > -- > Jarrod > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/
From md4799 at googlemail.com Fri May 23 00:41:25 2008 From: md4799 at googlemail.com (Mark Dauven) Date: Fri, 23 May 2008 06:41:25 +0200 Subject: [c-nsp] 6509 power supply question In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: Hi, I don't know an answer to your question. But there is a tool called 'power calculator' for the cat65k on cisco.com. Maybe this can help you find an answer. regards Mark On 23.05.2008 at 03:51, "Jarrod Friedland" wrote: > Hi All > > We have a 6509 with 2 x 1300W power supplies... rephrase, we had :) - > anyway, > one of the power supplies has died, we are sourcing a replacement > however, > in the meantime I have another 6509 sitting next to me however it > has 1800W > power supplies. > > The question > > Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there > issues > with doing this we should be aware of? I have asked this question of > cisco > integrators however all we get is "The engineers have put their heads > together and say NO" > > It's not something we would normally do however this is only > temporary but I > can't do it until we know conclusively that it will not have a detrimental > effect on the 6509 or any of its contents.
> > Thanks > > -- > > -- > Jarrod > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From kgraham at industrial-marshmallow.com Fri May 23 00:57:08 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 22 May 2008 21:57:08 -0700 (PDT) Subject: [c-nsp] 6509 power supply question Message-ID: <122271.43869.qm@web905.biz.mail.mud.yahoo.com> > We have a 6509 with 2 x 1300W power supplies? rephrase we had :) - anyway, > one of the power supplies has died, we are sourcing a replacement however, > in the meantime I have another 6509 sitting next to me however it has 1800W > power supplies. Does 'sh mod' say they're 1800W's, or are you just believing the "1800W" label on the front: http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008015bfa8.shtml From bwann-nsp at wann.net Fri May 23 00:57:01 2008 From: bwann-nsp at wann.net (Bryan Wann) Date: Thu, 22 May 2008 23:57:01 -0500 (CDT) Subject: [c-nsp] 6509 power supply question In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: On Fri, 23 May 2008, Jarrod Friedland wrote: > Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are the issues > with doing this we should be aware of? I have asked this question of cisco > integrators however all we get is "The engineers have put their heads > together and say NO" I've upgraded PSUs on 6509s without shutting them down, i.e. 2500 W -> 4000 W, or 4000 W -> 6000 W by swapping them out one at a time. During the times there was a mismatch, e.g. a 2500 W + 4000 W I don't remember there being anything of concern. 
kind regards,
bryan

From aaronis at people.net.au Fri May 23 03:13:45 2008
From: aaronis at people.net.au (aaron)
Date: Fri, 23 May 2008 15:13:45 +0800
Subject: [c-nsp] ASA SSL VPN License
Message-ID: <200805230718.m4N7IKFD024882@puck.nether.net>

Hey Guys,

Is there a Cisco feature such as the feature navigator for the Cisco ASA series appliances?

I am trying to determine the features that we are licensed for, in particular the amount of VPN SSL connections that are allowed with our current license.

Cheers,
Aaron.

From alasdair.gow at lumison.net Fri May 23 03:20:51 2008
From: alasdair.gow at lumison.net (Alasdair Gow)
Date: Fri, 23 May 2008 08:20:51 +0100
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <200805230718.m4N7IKFD024882@puck.nether.net>
References: <200805230718.m4N7IKFD024882@puck.nether.net>
Message-ID: <48367053.3000303@lumison.net>

Show Ver tells you, eg

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

key line being

WebVPN Peers                 : 2

Regards,

aaron wrote:
> Hey Guys,
>
> Is there a Cisco feature such as the feature navigator for the Cisco ASA
> series appliances?
>
> I am trying to determine the features that we are licensed for, in
> particular the amount of VPN SSL connections that are allowed with our
> current license.
>
> Cheers,
>
> Aaron.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

P.S. It's a hat-trick - Lumison have been nominated for best business broadband, best email and best VoIP provider for the 2008 ISPAs

--
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From aaronis at people.net.au Fri May 23 03:21:05 2008
From: aaronis at people.net.au (Aaron R)
Date: Fri, 23 May 2008 15:21:05 +0800
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <48367053.3000303@lumison.net>
Message-ID: <200805230725.m4N7PcTv027490@puck.nether.net>

Ahh of course Web VPN peers :) Thanks mate.

Aaron.

-----Original Message-----
From: Alasdair Gow [mailto:alasdair.gow at lumison.net]
Sent: Friday, May 23, 2008 3:21 PM
To: aaron
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA SSL VPN License

Show Ver tells you, eg

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 100
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled
VPN-3DES-AES                 : Enabled
Security Contexts            : 2
GTP/GPRS                     : Disabled
VPN Peers                    : 250
WebVPN Peers                 : 2
AnyConnect for Mobile        : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled

key line being

WebVPN Peers                 : 2

Regards,

aaron wrote:
> Hey Guys,
>
> Is there a Cisco feature such as the feature navigator for the Cisco ASA
> series appliances?
>
> I am trying to determine the features that we are licensed for, in
> particular the amount of VPN SSL connections that are allowed with our
> current license.
>
> Cheers,
>
> Aaron.

--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

From koug at intracom.gr Fri May 23 03:04:03 2008
From: koug at intracom.gr (John Kougoulos)
Date: Fri, 23 May 2008 10:04:03 +0300 (GTB Daylight Time)
Subject: [c-nsp] DMVPN Rollout -- MTU questions
In-Reply-To:
References:
Message-ID:

On Thu, 22 May 2008, Eric Cables wrote:

> The above, however, doesn't seem to work in some cases. Users as these
> sites complain of intermittent connectivity problems, which seem to be
> solved rather quickly by reducing the IP MTU, and configuring TCP
> adjust-mss.
> I do have concern as to why PMTUD isn't working as expected
> (sending ICMP unreachables to the client to adjust their MTU accordingly),
> and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
> assuming it's necessary.

unless you have lots of large UDP packets (near 1500 bytes), I prefer to use "ip mtu 1500" on tunnel interface, with "ip tcp adjust-mss 1360", or something similar.

This way TCP packets don't go over 1400 bytes and the service is MTU transparent. Of course you will have fragmentations in case of large non-TCP packets, but let's hope/assume that these will not be too many....

Best Regards,
John

From A.L.M.Buxey at lboro.ac.uk Fri May 23 04:20:36 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 23 May 2008 09:20:36 +0100
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <200805230718.m4N7IKFD024882@puck.nether.net>
References: <200805230718.m4N7IKFD024882@puck.nether.net>
Message-ID: <20080523082036.GB5866@lboro.ac.uk>

Hi,

> I am trying to determine the features that we are licensed for, in
> particular the amount of VPN SSL connections that are allowed with our
> current license.

shouldn't the ASDM front page info for the device also tell you?

alan

From gary.ciscomail at gmail.com Fri May 23 04:21:30 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Fri, 23 May 2008 09:21:30 +0100
Subject: [c-nsp] BGP Route selection
Message-ID:

Hi All

I have router A receiving network 80.0.0.0 from router 1 and router 2. Router 2 weights its metric so that it is less favourable.

In router A's BGP table I can see both routes and the route from Router 1 is placed in the global routing table. Fine.

When you turn off Router1, Router A removes the route from the routing table and installs the less favoured route from Router2. What you would expect.

When I turn on Router1, Router A does not put the better route back into the routing table, even though it sees both in its BGP table.

Anyone know why?

Regards
G

From howie at thingy.com Fri May 23 04:00:46 2008
From: howie at thingy.com (Howard Jones)
Date: Fri, 23 May 2008 09:00:46 +0100
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <200805230718.m4N7IKFD024882@puck.nether.net>
References: <200805230718.m4N7IKFD024882@puck.nether.net>
Message-ID: <483679AE.9010200@thingy.com>

aaron wrote:
> Hey Guys,
>
> Is there a Cisco feature such as the feature navigator for the Cisco ASA
> series appliances?

show version will tell you what you already have.

A related question though: how do you find out which licenses add what? I recently wanted an unrestricted DMZ (but not HA, 50 users or 25 vpn peers) on an ASA5505, and I couldn't find any guide to what the licensing options were.

Is there a secret guide?

Howie

From alasdair.gow at lumison.net Fri May 23 04:25:20 2008
From: alasdair.gow at lumison.net (Alasdair Gow)
Date: Fri, 23 May 2008 09:25:20 +0100
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <20080523082036.GB5866@lboro.ac.uk>
References: <200805230718.m4N7IKFD024882@puck.nether.net> <20080523082036.GB5866@lboro.ac.uk>
Message-ID: <48367F70.3050907@lumison.net>

It does but not immediately, you need to click on license in the device dashboard.

Regards,
Alasdair

A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> I am trying to determine the features that we are licensed for, in
>> particular the amount of VPN SSL connections that are allowed with our
>> current license.
>
> shouldn't the ASDM front page info for the device also tell you?
>
> alan

--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

From alasdair.gow at lumison.net Fri May 23 05:11:35 2008
From: alasdair.gow at lumison.net (Alasdair Gow)
Date: Fri, 23 May 2008 10:11:35 +0100
Subject: [c-nsp] ASA SSL VPN License
In-Reply-To: <483679AE.9010200@thingy.com>
References: <200805230718.m4N7IKFD024882@puck.nether.net> <483679AE.9010200@thingy.com>
Message-ID: <48368A47.6020604@lumison.net>

The only documentation I've been able to find is the following

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/prod_brochure0900aecd80402e36.html

Useful for the product number for upgrading a base 5510 to sec plus :D Down towards the bottom of the page.

Cheers,
Alasdair

Howard Jones wrote:
> aaron wrote:
>
>> Hey Guys,
>>
>> Is there a Cisco feature such as the feature navigator for the Cisco ASA
>> series appliances?
>
> show version will tell you what you already have.
>
> A related question though: how do you find out which licenses add what?
> I recently wanted an unrestricted DMZ (but not HA, 50 users or 25 vpn
> peers) on an ASA5505, and I couldn't find any guide to what the
> licensing options were.
>
> Is there a secret guide?
>
> Howie

--
Alasdair Gow
Lumison
t: 0845 1199 900
d: 0131 514 4042

From kajtzu at basen.net Fri May 23 05:37:33 2008
From: kajtzu at basen.net (Kaj Niemi)
Date: Fri, 23 May 2008 12:37:33 +0300
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <483590BE.1090103@pins.net>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net>
Message-ID: <0EDC27D1-1AAF-4535-8BCA-D67376679B79@basen.net>

Hi,

On May 22, 2008, at 18:26, Jason Berenson wrote:

> - We prioritize signaling because if one starts to lose OPTIONS messages
> for example the call will be torn down.
>
> - How can I run that without an ACL?
>
> - Nothing useful in the logs and nothing gets printed to console. We
> need to have different QoS maps for custom jobs so applying a map just
> to the main ATM interface isn't doable.
> It has to be applied to the VC
> since we're using CBWFQ:
>
> router(config-subif)# service-policy output voice
> CBWFQ : Not supported on subinterfaces
>
> I checked Cisco's site and this policy should be fine on the VC.

You're now applying it for the subif ("config-subif"), not on the PVC itself ("config-if-atm-vc"). Try:

int ATM1/0.1
 ip addr 10.0.0.1 255.255.255.254
 pvc 0/100
  service-policy output voice

HTH

Kaj

--
Kaj J. Niemi
+358 45 63 12000

From kajtzu at basen.net Fri May 23 05:44:46 2008
From: kajtzu at basen.net (Kaj Niemi)
Date: Fri, 23 May 2008 12:44:46 +0300
Subject: [c-nsp] DMVPN Rollout -- MTU questions
In-Reply-To:
References:
Message-ID: <7FCD0CA9-FC80-438E-A861-C636BB168807@basen.net>

Hi,

On May 22, 2008, at 21:04, Eric Cables wrote:

> I've read all of the DMVPN documentation (design guide / best practices) I
> can find, along with the "Resolve IP Fragmentation, MTU, MSS, and PMTUD
> Issues with GRE and IPSEC" document on cisco.com, but I'm still having some
> trouble finding a systematic approach to setting MTU, and/or knowing when
> the use of tcp adjust-mss is needed.
>
> Based on the DMVPN best practices design guide, we have implemented the
> following:
> - IP MTU 1400
> - Tunnel PMTUD
>
> The above, however, doesn't seem to work in some cases. Users as these
> sites complain of intermittent connectivity problems, which seem to be
> solved rather quickly by reducing the IP MTU, and configuring TCP
> adjust-mss. I do have concern as to why PMTUD isn't working as expected
> (sending ICMP unreachables to the client to adjust their MTU accordingly),
> and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
> assuming it's necessary.

My experience has been that, instead of playing with interface/server MTUs, simply setting ip tcp adjust-mss 1300 on any customer ingress interface (very, very, very conservative) resolves any issues. Most issues in a typical rollout seem to originate from Windows boxes and Windows administrators.

Are ICMP unreachables actually sent? Do they get encapsulated into a tunnel? Do you filter ICMP somewhere?

HTH

Kaj

--
Kaj J. Niemi
+358 45 63 12000

From snar at paranoia.ru Fri May 23 06:36:55 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Fri, 23 May 2008 14:36:55 +0400
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com>
Message-ID: <20080523103655.GA4452@paranoia.ru>

On Fri, May 23, 2008 at 11:51:50AM +1000, Jarrod Friedland wrote:
> Hi All
>
> We have a 6509 with 2 x 1300W power supplies? rephrase we had :) - anyway,
> one of the power supplies has died, we are sourcing a replacement however,
> in the meantime I have another 6509 sitting next to me however it has 1800W
> power supplies.
>
> The question
>
> Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues
> with doing this we should be aware of? I have asked this question of cisco
> integrators however all we get is "The engineers have put their heads
> together and say NO"

We have been running different power supplies on one of our 6509s for years, no problems with that configuration:

Switch#show power
system power redundancy mode = redundant
system power total =     2331.00 Watts (55.50 Amps @ 42V)
system power used =       584.22 Watts (13.91 Amps @ 42V)
system power available =  1746.78 Watts (41.59 Amps @ 42V)
                        Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CDC-1300W       1153.32  27.46 OK     OK     on
2    WS-CAC-2500W       2331.00  55.50 OK     OK     on

From A.L.M.Buxey at lboro.ac.uk Fri May 23 06:51:30 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 23 May 2008 11:51:30 +0100
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <20080523103655.GA4452@paranoia.ru>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <20080523103655.GA4452@paranoia.ru>
Message-ID: <20080523105130.GA6663@lboro.ac.uk>

Hi,

> We have been running different power supplies on one of our 6509s for years,
> no problems with that configuration:

yes, you just need to be very careful that your blades don't draw too much power for the one not in use. eg if you are currently on a 2500W supply...and that fails, leaving you with only a 1300W then your blades may take too much for that and thus some will fail.

eg in the scenario posted...

> Switch#show power
> system power redundancy mode = redundant
> system power total =     2331.00 Watts (55.50 Amps @ 42V)
> system power used =       584.22 Watts (13.91 Amps @ 42V)
> system power available =  1746.78 Watts (41.59 Amps @ 42V)

so, system thinks it's got 1746 available.... and 2331 supplied.. however:

> PS   Type               Watts   A @42V Status Status State
> ---- ------------------ ------- ------ ------ ------ -----
> 1    WS-CDC-1300W       1153.32  27.46 OK     OK     on
> 2    WS-CAC-2500W       2331.00  55.50 OK     OK     on

that 1300W won't provide enough if the power used was eg 1341.55 Watts as the system THINKS it's got 2500....

alan

From ltd at cisco.com Fri May 23 07:10:44 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 23 May 2008 21:10:44 +1000
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <20080523103655.GA4452@paranoia.ru>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <20080523103655.GA4452@paranoia.ru>
Message-ID: <4836A634.7030601@cisco.com>

Alexandre Snarskii wrote:
> On Fri, May 23, 2008 at 11:51:50AM +1000, Jarrod Friedland wrote:
>
>> Hi All
>>
>> We have a 6509 with 2 x 1300W power supplies? rephrase we had :) - anyway,
>> one of the power supplies has died, we are sourcing a replacement however,
>> in the meantime I have another 6509 sitting next to me however it has 1800W
>> power supplies.
>>
>> The question
>>
>> Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues
>> with doing this we should be aware of? I have asked this question of cisco
>> integrators however all we get is "The engineers have put their heads
>> together and say NO"

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Chassis_Installation/Cat6500/0apwsply.html#wp1030039

cheers,

lincoln.

From snar at paranoia.ru Fri May 23 07:15:40 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Fri, 23 May 2008 15:15:40 +0400
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <20080523105130.GA6663@lboro.ac.uk>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <20080523103655.GA4452@paranoia.ru> <20080523105130.GA6663@lboro.ac.uk>
Message-ID: <20080523111540.GB4452@paranoia.ru>

On Fri, May 23, 2008 at 11:51:30AM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
> > We have been running different power supplies on one of our 6509s for years,
> > no problems with that configuration:
>
> yes, you just need to be very careful that your blades don't
> draw too much power for the one not in use. eg if you are currently
> on a 2500W supply...and that fails, leaving you with only
> a 1300W then your blades may take too much for that and thus some
> will fail.

Yes, I should note that this system is an old one, Sup2 based, with old fans, using only 584.22 Watts, so even when we lose AC power the 1300 Watt DC power supply provides enough power to run.

> eg in the scenario posted...
>
> > Switch#show power
> > system power redundancy mode = redundant
> > system power total =     2331.00 Watts (55.50 Amps @ 42V)
> > system power used =       584.22 Watts (13.91 Amps @ 42V)
> > system power available =  1746.78 Watts (41.59 Amps @ 42V)
>
> so, system thinks it's got 1746 available.... and 2331 supplied..
> however:
>
> > PS   Type               Watts   A @42V Status Status State
> > ---- ------------------ ------- ------ ------ ------ -----
> > 1    WS-CDC-1300W       1153.32  27.46 OK     OK     on
> > 2    WS-CAC-2500W       2331.00  55.50 OK     OK     on
>
> that 1300W won't provide enough if the power used was eg 1341.55 Watts
> as the system THINKS it's got 2500....
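An added example, not from the thread or from Cisco: a small Python parser for the 'show power' output quoted above that checks alan's point. In redundant mode the chassis reports the larger supply's capacity as the total, so the question that matters is whether the present load (or a hypothetical 1341.55 W) still fits the smaller supply's deliverable watts (the Watts column, 1153.32 W for the "1300W" unit) once the larger one fails. The SHOW_POWER text is a constructed copy of the output posted in the thread; the function and field names are this example's own.

```python
import re
from typing import Dict, Optional

# Constructed copy of the 'show power' output quoted in the thread (values as posted).
SHOW_POWER = """\
system power redundancy mode = redundant
system power total =     2331.00 Watts (55.50 Amps @ 42V)
system power used =       584.22 Watts (13.91 Amps @ 42V)
system power available =  1746.78 Watts (41.59 Amps @ 42V)
                        Power-Capacity PS-Fan Output Oper
PS   Type               Watts   A @42V Status Status State
---- ------------------ ------- ------ ------ ------ -----
1    WS-CDC-1300W       1153.32  27.46 OK     OK     on
2    WS-CAC-2500W       2331.00  55.50 OK     OK     on
"""

SYSTEM_LINE = re.compile(r"^system power (total|used|available)\s*=\s*([\d.]+) Watts")
MODE_LINE = re.compile(r"^system power redundancy mode\s*=\s*(\S+)")
# slot, model, deliverable watts, amps, fan status, output status, oper state
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([\d.]+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_show_power(text: str) -> Dict:
    """Pull the system totals and the per-supply table out of 'show power'."""
    info: Dict = {"supplies": []}
    for line in text.splitlines():
        m = SYSTEM_LINE.match(line)
        if m:
            info[m.group(1)] = float(m.group(2))
            continue
        m = MODE_LINE.match(line)
        if m:
            info["mode"] = m.group(1)
            continue
        m = PS_LINE.match(line)   # header and dashed rule lines do not start with a digit
        if m:
            info["supplies"].append({
                "slot": int(m.group(1)), "type": m.group(2),
                "watts": float(m.group(3)), "amps": float(m.group(4)),
                "fan": m.group(5), "output": m.group(6), "state": m.group(7)})
    return info


def reported_total_is_largest_supply(info: Dict) -> bool:
    """In redundant mode the chassis reports one supply's capacity (the larger
    one), not the sum, so 'available' says nothing about what the smaller
    supply could carry on its own."""
    return info["total"] == max(ps["watts"] for ps in info["supplies"])


def single_supply_headroom(info: Dict, load: Optional[float] = None) -> Dict:
    """Worst case after losing one supply: the load must fit the weakest
    remaining supply's deliverable watts. Negative headroom means line cards
    would be powered down. 'load' defaults to the 'system power used' value."""
    load = info["used"] if load is None else load
    online = [ps for ps in info["supplies"]
              if ps["state"] == "on" and ps["output"] == "OK"]
    weakest = min(online, key=lambda ps: ps["watts"])
    return {"supply": weakest["type"], "capacity": weakest["watts"], "load": load,
            "headroom": round(weakest["watts"] - load, 2),
            "survives": weakest["watts"] >= load}


if __name__ == "__main__":
    parsed = parse_show_power(SHOW_POWER)
    print(single_supply_headroom(parsed))            # the posted load, 584.22 W
    print(single_supply_headroom(parsed, 1341.55))   # alan's hypothetical load
```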
From have.an.email at gmail.com Fri May 23 08:16:33 2008
From: have.an.email at gmail.com (Nathan)
Date: Fri, 23 May 2008 14:16:33 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To:
References:
Message-ID: <9f785d120805230516q7b1ee4c3n534859fcde2f7026@mail.gmail.com>

On Fri, May 23, 2008 at 10:21 AM, Gary Roberton wrote:
> Hi All
>
> I have router A receiving network 80.0.0.0 from router 1 and router 2.
> Router 2 weights its metric so that it is less favourable.
>
> In router A's BGP table I can see both routes and the route from Router 1 is
> placed in the global routing table. Fine.
>
> When you turn off Router1, Router A removes the route from the routing table
> and installs the less favoured route from Router2. What you would expect.
>
> When I turn on Router1, Router A does not put the better route back into the
> routing table, even though it sees both in its BGP table.

Just a hunch, but are you redistributing the route through OSPF or some other protocol too? You'll need to look closely at the first character on each line in the "show ip bgp" and "show ip route" output to see where the route is coming from (you'll get full text when you run "show ip bgp x.x.x.x" and "show ip route x.x.x.x")

> Anyone know why?

try "show ip bgp x.x.x.x" to begin with.

--
HTH,
Nathan

From petelists at templin.org Fri May 23 08:20:22 2008
From: petelists at templin.org (Pete Templin)
Date: Fri, 23 May 2008 07:20:22 -0500
Subject: [c-nsp] BGP Route selection
In-Reply-To:
References:
Message-ID: <4836B686.3060004@templin.org>

Gary Roberton wrote:
> I have router A receiving network 80.0.0.0 from router 1 and router 2.
> Router 2 weights its metric so that it is less favourable.

Are routers 1 and 2 in your AS, or in another AS? Also, please clarify 'weights its metric' - do you mean it adjusts weight, it adjusts metric, it adjusts origin, etc.?

> In router A's BGP table I can see both routes and the route from Router 1 is
> placed in the global routing table. Fine.

Are you seeing the various BGP knobs showing the settings you'd expect from above?

> When you turn off Router1, Router A removes the route from the routing table
> and installs the less favoured route from Router2. What you would expect.
>
> When I turn on Router1, Router A does not put the better route back into the
> routing table, even though it sees both in its BGP table.

Are you seeing the various BGP knobs showing the settings you'd expect from above?

pt

From rblayzor.bulk at inoc.net Fri May 23 08:31:20 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Fri, 23 May 2008 08:31:20 -0400
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <4835EE52.1010603@pins.net>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net>
Message-ID: <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net>

On May 22, 2008, at 6:06 PM, Jason Berenson wrote:
> 7206 NPE-G1
> PA-A3-OC3MM
> c7200-is-mz.124-19.bin

Been down this path several times, so hopefully this helps. Have you tried using a hierarchical QoS policy? Also you may want to set your tx-ring-limit to the minimum, ie: 3 or you might have some jitter issues.

That being said, you need to use a nested QoS policy, something like:

class-map match-any voip-sig
 match ip dscp af31 cs5
class-map match-any voip-rtp
 match ip dscp cs3 ef
!
policy-map max-voice
 class voip-rtp
  priority percent 70
 class voip-sig
  bandwidth percent 5
 class class-default
  fair-queue
policy-map atm-3m-voip
 class class-default
  shape average 3000000
  service-policy max-voice

Then you can apply your policy map to the sub interface....

HTH.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From djweis at internetsolver.com Fri May 23 08:44:33 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Fri, 23 May 2008 07:44:33 -0500
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net> <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net>
Message-ID: <4836BC31.7040303@internetsolver.com>

Robert Blayzor wrote:
> class-map match-any voip-sig
>  match ip dscp af31 cs5
> class-map match-any voip-rtp
>  match ip dscp cs3 ef
> !
> policy-map max-voice
>  class voip-rtp
>   priority percent 70
>  class voip-sig
>   bandwidth percent 5
>  class class-default
>   fair-queue
> policy-map atm-3m-voip
>  class class-default
>   shape average 3000000
>   service-policy max-voice

We are using class-range for our PVC's and there is no method or pattern to which speeds of customer will terminate on any specific VCI. How can I make something like this work in a more general fashion?

dave

From gary.ciscomail at gmail.com Fri May 23 10:08:54 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Fri, 23 May 2008 15:08:54 +0100
Subject: [c-nsp] BGP Route selection
In-Reply-To: <4836B686.3060004@templin.org>
References: <4836B686.3060004@templin.org>
Message-ID:

All

The network in question is actually 90.0.0.0. All routers are in their own separate AS. The route in question is a connected network not redistributed.

To make it clearer;

Router X has network 90.0.0.0 connected
Router X advertises to both Router1 and Router2.
Router 1 sends it on to Router A
Router 2 has a route map that does 'set metric 50' and then passes it onto RouterA.

We want RouterA to go via Router1 whenever Router1 is up

Router A BGP table entry is shown here;

*  90.0.0.0   10.40.1.6   50   0 64604 1000 i
*>            10.40.1.2    0   0 64603 1000 i

Router A puts 10.40.1.2 route into global routing table

Router1 goes down

Router A puts 10.40.1.6 route into global routing table

Router1 comes up

RouterA puts entry back in BGP table but leaves route in global table alone.

Any help appreciated.

On Fri, May 23, 2008 at 1:20 PM, Pete Templin wrote:
> Gary Roberton wrote:
>
>> I have router A receiving network 80.0.0.0 from router 1 and router 2.
>> Router 2 weights its metric so that it is less favourable.
>
> Are routers 1 and 2 in your AS, or in another AS? Also, please clarify
> 'weights its metric' - do you mean it adjusts weight, it adjusts metric, it
> adjusts origin, etc.?
>
>> In router A's BGP table I can see both routes and the route from Router 1
>> is placed in the global routing table. Fine.
>
> Are you seeing the various BGP knobs showing the settings you'd expect from
> above?
>
>> When you turn off Router1, Router A removes the route from the routing
>> table and installs the less favoured route from Router2. What you would expect.
>>
>> When I turn on Router1, Router A does not put the better route back into
>> the routing table, even though it sees both in its BGP table.
>
> Are you seeing the various BGP knobs showing the settings you'd expect from
> above?
>
> pt

From streiner at cluebyfour.org Fri May 23 10:35:43 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Fri, 23 May 2008 10:35:43 -0400 (EDT)
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com>
Message-ID:

On Fri, 23 May 2008, Jarrod Friedland wrote:

> Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues
> with doing this we should be aware of?
I have asked this question of cisco > integrators however all we get is "The engineers have put their heads > together and say NO" I don't think having power supplies with two different wattage ratings would hurt any of the guts, but I've never had to do this, so I can't say with any certainty how the switch will behave. It might: 1. function normally 2. function, but the redundancy won't work 3. function, but the switch will complain 4. shut down 5. do something unpredictable like shut down all of the linecards... jms From jmaimon at ttec.com Fri May 23 10:42:17 2008 From: jmaimon at ttec.com (Joe Maimon) Date: Fri, 23 May 2008 10:42:17 -0400 Subject: [c-nsp] DMVPN Rollout -- MTU questions In-Reply-To: References: Message-ID: <4836D7C9.8070109@ttec.com> John Kougoulos wrote: > > On Thu, 22 May 2008, Eric Cables wrote: > >> The above, however, doesn't seem to work in some cases. Users as these >> sites complain of intermittent connectivity problems, which seem to be >> solved rather quickly by reducing the IP MTU, and configuring TCP >> adjust-mss. I do have concern as to why PTMUD isn't working as expected >> (sending ICMP unreachables to the client to adjust their MTU accordingly), >> and exactly what values to set both IP MTU to, as well as TCP adjust-mss, >> assuming it's necessary. >> > > unless you have lots of large UDP packets (near 1500bytes), I prefer to > use "ip mtu 1500" on tunnel interface, with "ip tcp adjust-mss 1360", > or something similar. > > This way TCP packets don't go over 1400bytes and the service is MTU > transparent. Of course you will have fragmentations in case of large > non-TCP packets, but let's hope/assume that these will not be too many.... > > Best Regards, > John I like that solution as well, except for when the router doesnt actually fragment and transmit but drops instead. Then its worse. Yes, probably a bug. Furthermore, there really should be a way to correlate tunnel pmtud and tcp adjust-mss and to be in lockstep. 
Original PMTUD is a stupid protocol hack that relies on producing and detecting error conditions for proper operation which in my book is a real design no-no and now we have all been paying the price for years. Thanks to that bone-headedness we have effectively lost a good deal of the "inter" part of the internet protocol. It was supposed to mean that the protocol works across different networks. Now its effectively ethernet or ethernet like only + hacks. From jeff-kell at utc.edu Fri May 23 10:45:53 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Fri, 23 May 2008 10:45:53 -0400 Subject: [c-nsp] 6509 power supply question In-Reply-To: References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: <4836D8A1.20307@utc.edu> On a somewhat related note... we have a 6509 that was "somehow" originally wired for 110v, so we're only getting half the power rating out of them. I have new 220v mains, plugs, and cables ready... can they be bumped over one at a time hot, or does it have to be down cold? Seems to be a similar issue -- you'll have two power supplies giving you two different delivered power amounts in the same chassis. Jeff From dcp at dcptech.com Fri May 23 10:47:33 2008 From: dcp at dcptech.com (David Prall) Date: Fri, 23 May 2008 10:47:33 -0400 Subject: [c-nsp] 6509 power supply question In-Reply-To: References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> Message-ID: <012101c8bce3$f3ed1c60$aa0b740a@cisco.com> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note0918 6a008015bfa8.shtml There is no such thing as an 1800W Power Supply. The 1300W is what is delivered to power line cards. The 1800W is the total supply requirement. The above url discusses both this as well as what happens when running different power supplys. 
I was thinking that this had changed, but I can't find what I was thinking (which was that they would run in redundant at the lower power supply ability if capable), but it doesn't appear that way.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Justin M. Streiner
> Sent: Friday, May 23, 2008 10:36 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 6509 power supply question
>
> On Fri, 23 May 2008, Jarrod Friedland wrote:
>
> > Can I run a 6509 with 1 x 1300W and 1 x 1800W (redundant)? Are there issues
> > with doing this we should be aware of? I have asked this question of cisco
> > integrators however all we get is "The engineers have put their heads
> > together and say NO"
>
> I don't think having power supplies with two different wattage ratings
> would hurt any of the guts, but I've never had to do this, so I can't say
> with any certainty how the switch will behave.
>
> It might:
> 1. function normally
> 2. function, but the redundancy won't work
> 3. function, but the switch will complain
> 4. shut down
> 5. do something unpredictable like shut down all of the linecards...
>
> jms
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From jml at packetpimp.org Fri May 23 09:56:16 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Fri, 23 May 2008 09:56:16 -0400
Subject: [c-nsp] DMVPN Rollout -- MTU questions
In-Reply-To: <7FCD0CA9-FC80-438E-A861-C636BB168807@basen.net>
References: <7FCD0CA9-FC80-438E-A861-C636BB168807@basen.net>
Message-ID: <4836CD00.7060008@packetpimp.org>

IME, something in the chain blocking icmp packet-too-big messages will cause problems.
I've tried to explain to some people we network with that blocking all icmp is not a good idea; tcp/ip needs certain types allowed to work properly. In this case, for PMTUD (path MTU discovery) to work.

Kaj Niemi wrote:
> Hi,
>
> On May 22, 2008, at 21:04, Eric Cables wrote:
>
>> I've read all of the DMVPN documentation (design guide / best
>> practices) I
>> can find, along with the "Resolve IP Fragmentation, MTU, MSS, and PMTUD
>> Issues with GRE and IPSEC" document on cisco.com, but I'm still having
>> some
>> trouble finding a systematic approach to setting MTU, and/or knowing when
>> the use of tcp adjust-mss is needed.
>>
>> Based on the DMVPN best practices design guide, we have implemented the
>> following:
>> - IP MTU 1400
>> - Tunnel PMTUD
>>
>> The above, however, doesn't seem to work in some cases. Users at these
>> sites complain of intermittent connectivity problems, which seem to be
>> solved rather quickly by reducing the IP MTU, and configuring TCP
>> adjust-mss. I do have concern as to why PMTUD isn't working as expected
>> (sending ICMP unreachables to the client to adjust their MTU
>> accordingly),
>> and exactly what values to set both IP MTU to, as well as TCP adjust-mss,
>> assuming it's necessary.
>
> My experience has been that, instead of playing with interface/server
> MTUs, simply setting ip tcp adjust-mss 1300 on any customer ingress
> interface (very, very, very conservative) resolves any issues. Most
> issues in a typical rollout seem to originate from Windows boxes and
> Windows administrators.
>
> Are ICMP unreachables actually sent? Do they get encapsulated into a
> tunnel? Do you filter ICMP somewhere?
>
> HTH
>
> Kaj
>

From jchome at jc-ix.net Fri May 23 11:07:17 2008
From: jchome at jc-ix.net (Frederic Jaeckel)
Date: Fri, 23 May 2008 17:07:17 +0200
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <4836D8A1.20307@utc.edu>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <4836D8A1.20307@utc.edu>
Message-ID: <20080523170717.17a029ac@jc-ix.net>

Hi,

On Fri, 23 May 2008 10:45:53 -0400 Jeff Kell wrote:

> Seems to be a similar issue -- you'll have two power supplies giving you
> two different delivered power amounts in the same chassis.

we upgraded 3.000 W power supplies to 6.000 W supplies on the fly on various 6509-E chassis. No reboots, no problems. We use them in redundant mode.

best regards,
Frederic Jaeckel
Network Engineer

From b.turnbow at twt.it Fri May 23 11:08:58 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 23 May 2008 17:08:58 +0200
Subject: [c-nsp] BGP Route selection
References: <4836B686.3060004@templin.org>

Setting the metric is not going to affect your BGP route selection.
On router A you can set the weight. Or on router 2 you can prepend an AS. (You could have used local preference if the AS was the same.)

Check out http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml on how BGP selects paths.

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton
Sent: Friday, 23 May 2008 16:09
To: Pete Templin
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Route selection

All

The network in question is actually 90.0.0.0. All routers are in their own separate AS. The route in question is a connected network not redistributed.

To make it clearer;
Router X has network 90.0.0.0 connected
Router X advertises to both Router1 and Router2.
Router 1 sends it on to Router A
Router 2 has a route map that does 'set metric 50' and then passes it onto RouterA.
We want RouterA to go via Router1 whenever Router1 is up

Router A BGP table entry is shown here;

 *  90.0.0.0   10.40.1.6   50   0   64604 1000 i
 *>            10.40.1.2        0   64603 1000 i

Router A puts 10.40.1.2 route into global routing table
Router1 goes down
Router A puts 10.40.1.6 route into global routing table
Router1 comes up
RouterA puts entry back in BGP table but leaves route in global table alone.

Any help appreciated.

On Fri, May 23, 2008 at 1:20 PM, Pete Templin wrote:

> Gary Roberton wrote:
>
>> I have router A receiving network 80.0.0.0 from router 1 and router 2.
>> Router 2 weights its metric so that it is less favourable.
>>
>
> Are routers 1 and 2 in your AS, or in another AS? Also, please clarify
> 'weights its metric' - do you mean it adjusts weight, it adjusts metric, it
> adjusts origin, etc.?
>
>> In router A's BGP table I can see both routes and the route from Router 1
>> is
>> placed in the global routing table. Fine.
>>
>
> Are you seeing the various BGP knobs showing the settings you'd expect from
> above?
>
>> When you turn off Router1, Router A removes the route from the routing
>> table
>> and installs the less favoured route from Router2. What you would expect.
>>
>> When I turn on Router1, Router A does not put the better route back into
>> the
>> routing table, even though it sees both in its BGP table.
>>
>
> Are you seeing the various BGP knobs showing the settings you'd expect from
> above?
>
> pt
>

From mcgrath at fas.harvard.edu Fri May 23 11:26:01 2008
From: mcgrath at fas.harvard.edu (Scott McGrath)
Date: Fri, 23 May 2008 11:26:01 -0400
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <4836D8A1.20307@utc.edu>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <4836D8A1.20307@utc.edu>
Message-ID: <4836E209.7080507@fas.harvard.edu>

Jeff,

I've done this before, but one of the power supplies was sufficient to run the chassis.

What you need to do:

1 - set the power to combined mode (since the PS units will not match)
2 - remove one of the power supplies' 110V cable
3 - install the 'new' power supply cable
4 - power it up and make sure it's online and recognized by the supervisor(s)
5 - repeat steps 2-4 for second PS
6 - set power back to redundant
7 - Enjoy all the new power in your chassis

Only risk here is if you lose power on the single supply powering the chassis during your window.

We did this a lot during our upgrade program, as initially each single 6509 was distribution for about 50 buildings on our campus; we now have 2 at each 'core' and each building has a feed from each. So for obvious reasons the no-shutdown option was attractive to us.

- Scott

Jeff Kell wrote:
> On a somewhat related note... we have a 6509 that was "somehow"
> originally wired for 110v, so we're only getting half the power rating
> out of them.
> I have new 220v mains, plugs, and cables ready... can they
> be bumped over one at a time hot, or does it have to be down cold?
>
> Seems to be a similar issue -- you'll have two power supplies giving you
> two different delivered power amounts in the same chassis.
>
> Jeff
>

From petelists at templin.org Fri May 23 11:53:24 2008
From: petelists at templin.org (Pete Templin)
Date: Fri, 23 May 2008 10:53:24 -0500
Subject: [c-nsp] BGP Route selection
References: <4836B686.3060004@templin.org>
Message-ID: <4836E874.6090308@templin.org>

Gary Roberton wrote:
> Router A BGP table entry is shown here;
>
> *  90.0.0.0   10.40.1.6
>    50   0   64604 1000 i
>
> *>            10.40.1.2
>         0   64603 1000 i
>

Paths come from different neighbor ASes, so MED doesn't apply unless you override default behavior.

On most newer IOSes, oldest path wins, so everything's working as expected.

You should tweak a different knob to achieve the desired results. Origin code comes to mind as an easy twiddle. Or, have the remote routers send a community to request a particular local preference (as someone else suggested) - you'll need a community-list and a route-map to catch this. Or just write a route-map to adjust local-pref or weight upon local receipt of the prefix.

pt

From rick.martin at arkansas.gov Fri May 23 11:54:34 2008
From: rick.martin at arkansas.gov (Rick Martin)
Date: Fri, 23 May 2008 10:54:34 -0500
Subject: [c-nsp] 6509 power supply question
In-Reply-To: <4836D8A1.20307@utc.edu>
References: <7ec1a0760805221851p37c396acjf93b435724634d3a@mail.gmail.com> <4836D8A1.20307@utc.edu>

>Jeff wrote;

On a somewhat related note... we have a 6509 that was "somehow" originally wired for 110v, so we're only getting half the power rating out of them.
I have new 220v mains, plugs, and cables ready... can they be bumped over one at a time hot, or does it have to be down cold?

I had the same scenario. The key factor is the sup - if you have sup 720, the sup, fans and blades require more wattage than the 1300 watt power supply can provide; the switch failed in our case when we attempted to roll one power supply over to the 208VAC source. Once we had one 208 VAC source and the resulting 2500 watt power supply in place, the switch fired back up and we then swapped sources in the other power supply with no further ill effects. With sup 2's we had no troubles upgrading one (power source) at a time.

From gary.ciscomail at gmail.com Fri May 23 11:58:52 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Fri, 23 May 2008 16:58:52 +0100
Subject: [c-nsp] BGP Route selection
In-Reply-To: <4836E874.6090308@templin.org>
References: <4836B686.3060004@templin.org> <4836E874.6090308@templin.org>

Pete

To clarify - if I just adjust the local preference on the receiving router, that should do it?

But if I didn't have an admin control of the receiving router I would do it on the advertising router by requesting a community.

Just sanity checking...

On Fri, May 23, 2008 at 4:53 PM, Pete Templin wrote:

> Gary Roberton wrote:
>
>> Router A BGP table entry is shown here;
>>
>> *  90.0.0.0   10.40.1.6
>>    50   0   64604 1000 i
>>
>> *>            10.40.1.2
>>         0   64603 1000 i
>>
>>
> Paths come from different neighbor ASes, so MED doesn't apply unless you
> override default behavior.
>
> On most newer IOSes, oldest path wins, so everything's working as expected.
>
> You should tweak a different knob to achieve the desired results. Origin
> code comes to mind as an easy twiddle. Or, have the remote routers send a
> community to request a particular local preference (as someone else
> suggested) - you'll need a community-list and a route-map to catch this.
> Or
> just write a route-map to adjust local-pref or weight upon local receipt of
> the prefix.
>
> pt
>

From gary.ciscomail at gmail.com Fri May 23 12:27:31 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Fri, 23 May 2008 17:27:31 +0100
Subject: [c-nsp] BGP Route selection
References: <4836B686.3060004@templin.org> <4836E874.6090308@templin.org>

Update - used local preference set on the receiving router and got the behaviour I wanted. Thanks to all for help and suggestions.

I did it using set local-pref on a route map of the receiving router.

Cheers

Have a good weekend.

Gary

On Fri, May 23, 2008 at 4:58 PM, Gary Roberton wrote:

> Pete
>
> To clarify - if I just adjust the local preference on the receiving
> router, that should do it?
>
> But if I didn't have an admin control of the receiving router I would do it
> on the advertising router by requesting a community.
>
> Just sanity checking...
>
>
>
> On Fri, May 23, 2008 at 4:53 PM, Pete Templin
> wrote:
>
>> Gary Roberton wrote:
>>
>>> Router A BGP table entry is shown here;
>>>
>>> *  90.0.0.0   10.40.1.6
>>>    50   0   64604 1000 i
>>>
>>> *>            10.40.1.2
>>>         0   64603 1000 i
>>>
>>>
>> Paths come from different neighbor ASes, so MED doesn't apply unless you
>> override default behavior.
>>
>> On most newer IOSes, oldest path wins, so everything's working as
>> expected.
>>
>> You should tweak a different knob to achieve the desired results. Origin
>> code comes to mind as an easy twiddle. Or, have the remote routers send a
>> community to request a particular local preference (as someone else
>> suggested) - you'll need a community-list and a route-map to catch this. Or
>> just write a route-map to adjust local-pref or weight upon local receipt of
>> the prefix.
>>
>> pt
>>
>
>

From howard at leadmon.net Fri May 23 12:35:06 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Fri, 23 May 2008 12:35:06 -0400
Subject: [c-nsp] BGP Route selection
References: <4836B686.3060004@templin.org>

I use two different tweaks here to make sure stuff like this works as you desire. One I use 'bgp bestpath compare-routerid' so I can pretty much tell which way things are going, as if not it will stay as you say in the oldest pathway even when things come back. By also adding this comparison in, when announcements come and go it looks at it all again.

You can also use route-maps to decide your favorite paths by default; if you normally want to go path A for your traffic flow, set something like 'set local-preference 125' in a route-map for it. That will make you prefer that route, and I also always set path B to a value less than that.

Not sure if the above is the Cisco recommended way, but it's sure worked OK for me..

---
Howard

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton
> Sent: Friday, May 23, 2008 10:09 AM
> To: Pete Templin
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] BGP Route selection
>
> All
>
> The network in question is actually 90.0.0.0. All routers are in their own
> separate AS. The route in question is a connected network not
> redistributed.
>
> To make it clearer;
> Router X has network 90.0.0.0 connected
> Router X advertises to both Router1 and Router2.
> Router 1 sends it on to Router A
> Router 2 has a route map that does 'set metric 50' and then passes it onto
> RouterA.
> We want RouterA to go via Router1 whenever Router1 is up
>
> Router A BGP table entry is shown here;
>
> *  90.0.0.0   10.40.1.6   50   0   64604 1000 i
>
> *>            10.40.1.2        0   64603 1000 i
>
> Router A puts 10.40.1.2 route into global routing table
> Router1 goes down
> Router A puts 10.40.1.6 route into global routing table
> Router1 comes up
> RouterA puts entry back in BGP table but leaves route in global table alone.
>
> Any help appreciated.
>
>
> On Fri, May 23, 2008 at 1:20 PM, Pete Templin wrote:
>
> > Gary Roberton wrote:
> >
> >> I have router A receiving network 80.0.0.0 from router 1 and router 2.
> >> Router 2 weights its metric so that it is less favourable.
> >>
> >
> > Are routers 1 and 2 in your AS, or in another AS? Also, please clarify
> > 'weights its metric' - do you mean it adjusts weight, it adjusts metric,
> > it adjusts origin, etc.?
> >
> >> In router A's BGP table I can see both routes and the route from Router 1
> >> is
> >> placed in the global routing table. Fine.
> >>
> >
> > Are you seeing the various BGP knobs showing the settings you'd expect
> > from above?
> >
> >> When you turn off Router1, Router A removes the route from the routing
> >> table
> >> and installs the less favoured route from Router2. What you would
> >> expect.
> >>
> >> When I turn on Router1, Router A does not put the better route back into
> >> the
> >> routing table, even though it sees both in its BGP table.
> >>
> >
> > Are you seeing the various BGP knobs showing the settings you'd expect
> > from above?
> >
> > pt
> >
>

From have.an.email at gmail.com Fri May 23 16:43:04 2008
From: have.an.email at gmail.com (Nathan)
Date: Fri, 23 May 2008 22:43:04 +0200
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net> <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net>
Message-ID: <9f785d120805231343u24f21a7jc6afd41f46482fac@mail.gmail.com>

On Fri, May 23, 2008 at 2:31 PM, Robert Blayzor wrote:
> On May 22, 2008, at 6:06 PM, Jason Berenson wrote:
>> 7206 NPE-G1
>> PA-A3-OC3MM
>> c7200-is-mz.124-19.bin

I usually use IOS-es with a j instead of i, but I hope any 12.4 has QoS...

> Been down this path several times, so hopefully this helps.
>
> Have you tried using a hierarchical QoS policy? Also you may want to
> set your tx-ring-limit to the minimum, ie: 3 or you might have some
> jitter issues.
>
> That being said, you need to use a nested QoS policy, something like:

This should not be necessary, since the ATM definition provides the bandwidth. Maybe for the fair-queue, but...
Jason, test without that :-)

Here's what works for me (very slightly edited):

class-map match-any routing
 match dscp cs6 cs7
class-map match-any voice
 match dscp cs5 ef
 match ip dscp 4
class-map match-any af43
 match ip dscp af43

policy-map outgoingaf
 class voice
  priority percent 50
 class af43
  bandwidth percent 20
 class routing
  bandwidth percent 1
 class class-default

vc-class atm DSL-1
 vbr-nrt 1280 1280 94
 encapsulation aal5snap

interface ATM3/0.xxx point-to-point
 ip address x.x.x.x x.x.x.x
 ip verify unicast reverse-path
 pvc 1/xxx
  class-vc DSL-1
  service-policy output outgoingaf

But I've often used access-lists and ISTR fair-queue without any problems (or when there was a problem I always had something in the logs).

--
HTH
Nathan

From virendra.rode at gmail.com Fri May 23 17:09:43 2008
From: virendra.rode at gmail.com (virendra rode //)
Date: Fri, 23 May 2008 14:09:43 -0700
Subject: [c-nsp] outages mailing list is back online!
Message-ID: <48373297.8070403@gmail.com>

[ Apologies to those of you who receive this note in multiple forums. ]

Hello all,

I wanted to drop a quick note to everyone and explain how/why things took so long, and I deeply apologize for the service interruption.

Apparently the machine hosting the outages mailing list went belly up during the package upgrade (postfix/mailman/apache) in order to bring the system up to date. This was supposed to be a planned upgrade which unfortunately turned out to be a sysadmin's nightmare. During the headless chicken syndrome it led into further issues, and from there on Murphy took over, which led to a prolonged outage.

We are working towards a cluster setup (active-active cluster) where we will be able to pull the host out of operation without affecting the service in the future. Something we are also looking into is a separate instance in availability zones (multi-site) in order to protect applications/host availability from failure of a single location.
We deeply regret the delay this caused the mailing list to be off the air.

Many thanks to Gadi Evron / Randy Vanghn / James Eastman / Larry Vaden / Joe St Sauver and other members of the team who work effortlessly to resurrect this list. Without their help and direction the outages list wouldn't exist today. I'm indebted to them.

Suggestions, comments are welcome.

If interested, you can subscribe to the list at,
http://isotf.org/mailman/listinfo/outages

respectfully,
/virendra

From ml at t-b-o-h.net Fri May 23 17:18:09 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Fri, 23 May 2008 17:18:09 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
Message-ID: <200805232118.m4NLI9wL063312@himinbjorg.tucs-beachin-obx-house.com>

Hi,

Does anyone know of a good discussion list for the RADIUS protocol? I've got a deep down protocol question I can't seem to find the answer to, and of the resources I've tried I can't find the answer. (It has nothing to do with a Cisco piece of gear, but I figured there were at least a few guys here that still use it. ;) )

Thanks, Tuc

From A.L.M.Buxey at lboro.ac.uk Fri May 23 17:23:49 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 23 May 2008 22:23:49 +0100
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805232118.m4NLI9wL063312@himinbjorg.tucs-beachin-obx-house.com>
References: <200805232118.m4NLI9wL063312@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <20080523212349.GA8280@lboro.ac.uk>

Hi,

> Hi,
>
> Does anyone know of a good discussion list for the RADIUS protocol?
> I've got a deep down protocol question I can't seem to find the answer to,
> and of the resources I've tried I can't find the answer.
> (It has nothing to
> do with a Cisco piece of gear, but I figured there were at least a few guys
> here that still use it. ;) )

the RFC for RADIUS is 2865 - that's the deep-down stuff. how a RADIUS server or bit of hardware implements the RFC is another thing altogether ;-)

alan

From ml at t-b-o-h.net Fri May 23 17:41:54 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Fri, 23 May 2008 17:41:54 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <20080523212349.GA8280@lboro.ac.uk>
Message-ID: <200805232141.m4NLfsv7063595@himinbjorg.tucs-beachin-obx-house.com>

>
> Hi,
> > Hi,
> >
> > Does anyone know of a good discussion list for the RADIUS protocol?
> > I've got a deep down protocol question I can't seem to find the answer to,
> > and of the resources I've tried I can't find the answer. (It has nothing to
> > do with a Cisco piece of gear, but I figured there were at least a few guys
> > here that still use it. ;) )
>
> the RFC for RADIUS is 2865 - that's the deep-down stuff.
> how a RADIUS server or bit of hardware implements the RFC
> is another thing altogether ;-)
>

Read the RFCs (You saw where I was admonished to do so before...). Both 65 and 66 (Since my question spans the 2 of them). I don't see in the RFCs what I need to know. So looking for a group of people who might actually be able to listen to the situation I have to present and tell me how it's handled.

Don't care if the NAS is Cisco, Livingston, Chillispot, etc. Don't care if the server is Cistron, FreeRadius, Steel Belted.... I'm just looking to find out how certain situations are handled by any combination of NAS and server.

Thanks, Tuc

From jmaimon at ttec.com Fri May 23 18:07:13 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Fri, 23 May 2008 18:07:13 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805232141.m4NLfsv7063595@himinbjorg.tucs-beachin-obx-house.com>
References: <200805232141.m4NLfsv7063595@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <48374011.1040902@ttec.com>

Tuc at T-B-O-H.NET wrote:
>> Hi,
>>> Hi,
>>>
>>> Does anyone know of a good discussion list for the RADIUS protocol?

You could try the freeradius list. You could also try the freeradius server.

From jason at lixfeld.ca Fri May 23 17:36:22 2008
From: jason at lixfeld.ca (Jason Lixfeld)
Date: Fri, 23 May 2008 17:36:22 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805232118.m4NLI9wL063312@himinbjorg.tucs-beachin-obx-house.com>
References: <200805232118.m4NLI9wL063312@himinbjorg.tucs-beachin-obx-house.com>

Join the free-radius list. Alan Dekok, the principal author of the FreeRADIUS suite, knows RADIUS inside and out. He'd most certainly be able to answer your question.

http://www.freeradius.org/list/index.html

On 23-May-08, at 5:18 PM, Tuc at T-B-O-H.NET wrote:

> Hi,
>
> Does anyone know of a good discussion list for the RADIUS protocol?
> I've got a deep down protocol question I can't seem to find the
> answer to,
> and of the resources I've tried I can't find the answer. (It has
> nothing to
> do with a Cisco piece of gear, but I figured there were at least a
> few guys
> here that still use it. ;) )
>
> Thanks, Tuc

From ml at t-b-o-h.net Fri May 23 18:47:05 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Fri, 23 May 2008 18:47:05 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <48374011.1040902@ttec.com>
Message-ID: <200805232247.m4NMl5xI064352@himinbjorg.tucs-beachin-obx-house.com>

>
>
> Tuc at T-B-O-H.NET wrote:
> >> Hi,
> >>> Hi,
> >>>
> >>> Does anyone know of a good discussion list for the RADIUS protocol?
>
> You could try the freeradius list. You could also try the freeradius server.
>

Been there, done that, told to RTFRFCs, it's not about FreeRadius but the protocol, go elsewhere, thank you, goodbye.

Hence my search elsewhere......

Thanks, Tuc

From freimer at ctiusa.com Fri May 23 19:03:12 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Fri, 23 May 2008 19:03:12 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805232247.m4NMl5xI064352@himinbjorg.tucs-beachin-obx-house.com>
References: <48374011.1040902@ttec.com> <200805232247.m4NMl5xI064352@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D1206@EXCHANGE.ctiusa.com>

Why don't you just ask your question, and if anyone can help you or point you in the right direction we will? I know you said it is not a Cisco product question, but there have been enough emails already that initially asking the question, but asking for direct replies instead of to the list because it wasn't a Cisco question, would probably have been more efficient.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H.NET
> Sent: Friday, May 23, 2008 6:47 PM
> To: Joe Maimon
> Cc: A.L.M.Buxey at lboro.ac.uk; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Discussion list for RADIUS?
>
> >
> >
> > Tuc at T-B-O-H.NET wrote:
> > >> Hi,
> > >>> Hi,
> > >>>
> > >>> Does anyone know of a good discussion list for the RADIUS
> > >>> protocol?
> >
> > You could try the freeradius list. You could also try the freeradius
> > server.
> >
>
> Been there, done that, told to RTFRFCs, it's not about FreeRadius but
> the protocol, go elsewhere, thank you, goodbye.
>
> Hence my search elsewhere......
>
> Thanks, Tuc

From Ronen at conticomp.com Fri May 23 19:28:51 2008
From: Ronen at conticomp.com (Ronen Isaac)
Date: Fri, 23 May 2008 16:28:51 -0700
Subject: [c-nsp] BootVars Keep Erasing Themselves

Hello All,

I have run into a baffling wall and after 4 days of tinkering and reading online I am turning to you hoping that you might be of assistance.

I have a Cat6509 w/ SUP2/MSFC2 that I converted from Hybrid mode to Native mode following these instructions to the letter:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml

I reloaded the switch a couple of times and even turned off/on the power briefly to make sure all settings took. Everything seemed to work great. I then turned it off for a day and when I turned it back on it booted through the SP OK, but when starting to boot the RP I get this, "Warning: Rommon NVRAM area is corrupted" and it goes to ROMMON mode. I then added the bootvars again and made sure the register was at 0x2102 and reset the switch. It loaded through...

While in IOS I went ahead and did an "erase nvram" to format and start over. I then redid the bootvars, did a "remote command switch show boot" to ensure the SP bootvars were OK and reloaded the switch. It loaded all the way through and the bootvars were intact.
So I turn it off and let it sit for 10 min, fire it up and again I get the same error, "Warning: Rommon NVRAM area is corrupted" and it goes to ROMMON mode. I do this for about 2 days. I then proceeded to upgrade the image and the ROMMON, redid the config, turned off the switch, waited 10 min and it still didn't take.

If you have any thoughts I would greatly appreciate hearing them. Thanks so much for your time and have a great weekend!

Image: 12.2(18)SXF14
ROMMON: 12.2(17r)S5

P.S. There is only one SUP in the chassis and this happens on 2 separate sup engines.

Kind Regards,

Ronen Isaac
Continental Computers
920 N. Nash St. Bldg B
El Segundo, CA 90245
310/416-1200:voice
310/350-8456:cell
310/416-1443:fax
ronen at conticomp.com
www.conticomp.com
www.wlanmall.com
www.webuycisco.com
AOL IM: ccro02

**Your trusted partner for DEC, CISCO, COMPAQ, JUNIPER, MOTOROLA CANOPY, AIRAYA, PROXIM, AXIS IP Cameras, MILESTONE Surveillance Software and more for over 20 years!

From jay at west.net Fri May 23 20:07:21 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 23 May 2008 17:07:21 -0700
Subject: [c-nsp] ASA IPSec VPN redundancy - locks up on return of main link
Message-ID: <48375C39.8070000@west.net>

Scenario: IPSec LAN-to-LAN tunnel between two ASA appliances, both running 7.2(3). Remote site has an E-1 connection and a backup via DSL, set up with track commands for default routes. Tracking is working as verified by Internet traffic switching successfully to backup link and back.

VPN traffic fails over normally to backup link. When primary link is restored, VPN traffic stops flowing until ISAKMP is manually cleared. Failing the backup connection will also restore connectivity by the main link.

This appears to be because there is already an ISAKMP SA on the backup link, and hence the primary ISAKMP SA refuses to negotiate to the same peer. However, the routing is trying to go to the main link but there is no SA, so traffic fails.

We've tried playing with DPD, etc.
to no avail.

Possible options seem to be somehow tying the ISAKMP to the track command or establishing a second SA to the same peer that stays up.

A clue or a pointer to one would be appreciated.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From ml at t-b-o-h.net Fri May 23 22:47:50 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Fri, 23 May 2008 22:47:50 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC95028D1206@EXCHANGE.ctiusa.com>
Message-ID: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>

Hi,

What it boils down to is that when you auth, you have the potential for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that you are authorized with that attribute.

You send the accounting start record and off the user goes. 10 minutes into the session, the operators/a process/whatever decides to change your Radius entry so that the new Session-Timeout would be 5 minutes. How, if at all, does the NAS become aware of this?

It doesn't seem that accounting records play into any of this. I see where in 2866 you send a type 4, and get a type 5 back (Accounting-Request and Accounting-Response). The Accounting-Response seems like it only says "I've seen, I've recorded, thank you". If the ID was deleted, it appears it might not care.

I'm just wondering, except for constantly re-authorizing and getting the Session-Timeout (or worse, an Access-Reject), is there any way for a NAS to know that the Session-Timeout has expired, the ID is no longer valid, etc.

Thanks, Tuc

>
> Why don't you just ask your question, and if anyone can help you or point
> you in the right direction we will?
> I know you said it is not a Cisco
> product question, but there have been enough emails already that initially
> asking the question, but asking for direct replies instead of to the list
> because it wasn't a Cisco question, would probably have been more efficient.
>
> Thanks,
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Tuc at T-B-O-H.NET
> > Sent: Friday, May 23, 2008 6:47 PM
> > To: Joe Maimon
> > Cc: A.L.M.Buxey at lboro.ac.uk; cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Discussion list for RADIUS?
> >
> > > Tuc at T-B-O-H.NET wrote:
> > > > Hi,
> > > > > Hi,
> > > > >
> > > > > Does anyone know of a good discussion list for the RADIUS
> > > > > protocol?
> > >
> > > You could try the freeradius list. You could also try the freeradius
> > > server.
> > >
> > Been there, done that, told to RTFRFCs, it's not about FreeRadius
> > but the protocol, go elsewhere, thank you, goodbye.
> >
> > Hence my search elsewhere......
> >
> > Thanks, Tuc

From jcdarby at usgs.gov Fri May 23 23:18:35 2008
From: jcdarby at usgs.gov (Justin C. Darby)
Date: Fri, 23 May 2008 22:18:35 -0500
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>
References: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <56C4B4ED-EDC6-46C3-A346-6A8B2FF854A5@usgs.gov>

As far as I am aware (from years of working at ISPs), neither will a RADIUS server send nor most NAS devices ever check the status of any attribute post login (I don't even think they can, but it's been a long time since I've read the RFCs). Meaning, if you change the session timeout, it won't apply to any active sessions.
The most that ever happens after authentication is radius accounting messages, which the NAS may send when a user's session ends, or really whenever it wants (e.g. if it's resetting counters because they've exceeded the maximum storage size of the radius accounting attribute, or on some devices when you reset the interface counters it sends an accounting message with the old counter statistics before doing so).

The only way to guarantee the policy change is made is to disconnect the user and force them to re-authenticate. In our case, we had this issue come up when DSL users changed bandwidth plans, and we had to disconnect them after making a change to that attribute.

Justin

On May 23, 2008, at 9:47 PM, Tuc at T-B-O-H.NET wrote:

> Hi,
>
> What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get
> back that you are authorized with that attribute.
>
> You send the accounting start record and off the user goes. 10 minutes
> into the session, the operators/a process/whatever decides to change
> your Radius entry so that the new Session-Timeout would be 5 minutes.
> How, if at all, does the NAS become aware of this?
>
> It doesn't seem that accounting records play into any of this. I
> see where in 2866 you send a type 4, and get a type 5 back
> (Accounting-Request and Accounting-Response). The Accounting-Response
> seems like it only says "I've seen, I've recorded, thank you". If the
> ID was deleted, it appears it might not care.
>
> I'm just wondering except for constantly re-authorizing and getting
> the Session-Timeout (Or worse, an Access-Reject) is there any way
> for a NAS to know that the Session-Timeout has expired, the ID is no
> longer valid, etc.
>
> Thanks, Tuc
>>
>> Why don't you just ask your question, and if anyone can help you or
>> point you in the right direction we will?
>> I know you said it is not a Cisco
>> product question, but there have been enough emails already that
>> initially asking the question, but asking for direct replies instead
>> of to the list because it wasn't a Cisco question, would probably
>> have been more efficient.
>>
>> Thanks,
>>
>> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
>> Senior Network Engineer
>> Coleman Technologies, Inc.
>> 954-298-1697

From ml at t-b-o-h.net Fri May 23 23:42:35 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Fri, 23 May 2008 23:42:35 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <56C4B4ED-EDC6-46C3-A346-6A8B2FF854A5@usgs.gov>
Message-ID: <200805240342.m4O3gZix078546@himinbjorg.tucs-beachin-obx-house.com>

Hi Justin,

Thanks, that's pretty much what I understood. I was hoping that maybe while I was sending "Accounting-Request" packets with interim updates to time and input/output octets, that I was reading the "Accounting-Reply" wrong and potentially could get some sort of a notification that the time had expired, user is no longer valid, etc. I was hoping that the device wouldn't have to be the one to keep track of it, that it could be oblivious and all of a sudden get a reply of "Thanks for the update, but you should know the user is (deleted, out of time, over his octets, crazy {That's the "AR2TUC" reply. ;) })"

Okay, I guess I have to store the data and just before I update accounting check to see if the user is "over the limits". (Unless anyone contradicts what you say, but it's what I understood too)

Thanks, Tuc

>
> As far as I am aware (from years of working at ISPs), neither will a
> RADIUS server send nor most NAS devices ever check the status of any
> attribute post login (I don't even think they can, but it's been a
> long time since I've read the RFCs). Meaning, if you change the
> session timeout, it won't apply to any active sessions.
> The most that ever happens after authentication is radius accounting
> messages, which the NAS may send when a user's session ends, or really
> whenever it wants (e.g. if it's resetting counters because they've
> exceeded the maximum storage size of the radius accounting attribute,
> or on some devices when you reset the interface counters it sends an
> accounting message with the old counter statistics before doing so).
>
> The only way to guarantee the policy change is made is to disconnect
> the user and force them to re-authenticate. In our case, we had this
> issue come up when DSL users changed bandwidth plans, and we had to
> disconnect them after making a change to that attribute.
>
> Justin
>
> On May 23, 2008, at 9:47 PM, Tuc at T-B-O-H.NET wrote:
>
> > Hi,
> >
> > What it boils down to is that when you auth, you have the potential
> > for a "Session-Timeout" reply. Let's say it's 120 minutes. You get
> > back that you are authorized with that attribute.
> >
> > You send the accounting start record and off the user goes. 10 minutes
> > into the session, the operators/a process/whatever decides to change
> > your Radius entry so that the new Session-Timeout would be 5 minutes.
> > How, if at all, does the NAS become aware of this?
> >
> > It doesn't seem that accounting records play into any of this. I
> > see where in 2866 you send a type 4, and get a type 5 back
> > (Accounting-Request and Accounting-Response). The Accounting-Response
> > seems like it only says "I've seen, I've recorded, thank you". If the
> > ID was deleted, it appears it might not care.
> >
> > I'm just wondering except for constantly re-authorizing and getting
> > the Session-Timeout (Or worse, an Access-Reject) is there any way
> > for a NAS to know that the Session-Timeout has expired, the ID is no
> > longer valid, etc.
> >
> > Thanks, Tuc
> >>
> >> Why don't you just ask your question, and if anyone can help you or
> >> point you in the right direction we will? I know you said it is not a
> >> Cisco product question, but there have been enough emails already that
> >> initially asking the question, but asking for direct replies instead
> >> of to the list because it wasn't a Cisco question, would probably
> >> have been more efficient.
> >>
> >> Thanks,
> >>
> >> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> >> Senior Network Engineer
> >> Coleman Technologies, Inc.
> >> 954-298-1697
>

From doon.bulk at inoc.net Sat May 24 00:03:55 2008
From: doon.bulk at inoc.net (Patrick Muldoon)
Date: Sat, 24 May 2008 00:03:55 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>
References: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>

On May 23, 2008, at 10:47 PM, Tuc at T-B-O-H.NET wrote:

> Hi,
>
> What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get
> back that you are authorized with that attribute.
>
> You send the accounting start record and off the user goes. 10 minutes
> into the session, the operators/a process/whatever decides to change
> your Radius entry so that the new Session-Timeout would be 5 minutes.
> How, if at all, does the NAS become aware of this?

Our in-house tools use Radius COA (change of authorization) to make changes to accounts while they are online if the NAS they are on supports it, so you might look into seeing if your NAS/Radius servers can support it (We use COA with Radiator against Cisco 7200s terminating PPPoE sessions all the time).
Basically our tools will update the user database with whatever account changes were requested, consult the sessions tables to see if they can locate the user online, and if so will issue the radius COA with the updated attribute. We normally use it to dynamically apply ACLs (Change-Filter-Request) or to kick them offline (Disconnect-Request). Not 100% sure if you can dynamically adjust the Session-Timeout, but you could build some intelligence into the tool to say, adjusting session timeout to 5 minutes, they've already been online greater than 5 minutes, so update their Attributes, and then send the disconnect-request. When they log back in they will now have the 5 minute session timeout..

HTH,

-Patrick

--
Patrick Muldoon
Network/Software Engineer
INOC (http://www.inoc.net)
PGPKEY (http://www.inoc.net/~doon)
Key ID: 0x370D752C

Meets quality standards: Compiles without errors.

From robert at tellurian.com Sat May 24 00:19:53 2008
From: robert at tellurian.com (Robert Boyle)
Date: Sat, 24 May 2008 00:19:53 -0400
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
Message-ID: <1211602794_354303@mail1.tellurian.net>

Hello,

I remember that one of the big features of the 7200VXR series was the new TDM bus which would enable TDM switching between cards. I have never needed to use it, but now it would come in handy. I have found lots of marketing info on Cisco's website, but no cookbook configs. Here is the situation: I have a bunch of channelized DS3s (used for IP) terminating on a VXR (PA-MC-T3 cards) and I would like to get a voice PRI delivered from the same carrier and "cross connect" it to a T1 port (PA-MC-8T1?) on the router which could go to my equipment which can accept a PRI - an AS5300 in this case. Any config samples and/or gotchas would be appreciated. Do I need new enhanced cards for this? Or can my old cards kicking around in the spares closet handle the job?
-Robert

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

From pekkas at netcore.fi Sat May 24 01:11:38 2008
From: pekkas at netcore.fi (Pekka Savola)
Date: Sat, 24 May 2008 08:11:38 +0300 (EEST)
Subject: [c-nsp] DMVPN Rollout -- MTU questions
In-Reply-To: <7FCD0CA9-FC80-438E-A861-C636BB168807@basen.net>
References: <7FCD0CA9-FC80-438E-A861-C636BB168807@basen.net>

On Fri, 23 May 2008, Kaj Niemi wrote:
> My experience has been that, instead of playing with interface/server MTUs,
> simply setting ip tcp adjust-mss 1300 on any customer ingress interface
> (very, very, very conservative) resolves any issues. Most issues in a typical
> rollout seem to originate from Windows boxes and Windows administrators.

This would lead to big UDP, etc. packets getting blackholed, so setting mtu also on an interface basis is required. This certainly has come up and happened in decreased-MTU setups in Finland..

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings

From A.L.M.Buxey at lboro.ac.uk Sat May 24 03:36:41 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Sat, 24 May 2008 08:36:41 +0100
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>
References: <98B7739FB65BF04F9B3233AB842EEC95028D1206@EXCHANGE.ctiusa.com> <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <20080524073641.GA15169@lboro.ac.uk>

Hi,

> Hi,
>
> What it boils down to is that when you auth, you have the potential
> for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that
> you are authorized with that attribute.
>
> You send the accounting start record and off the user goes.
> 10 minutes
> into the session, the operators/a process/whatever decides to change your Radius
> entry so that the new Session-Timeout would be 5 minutes. How, if at all, does
> the NAS become aware of this?

RFC 3576 - Change of Authorization - CoA

The NAS and the server have to support it. With this, you can change many variables that are part of the AAA - eg Session-Timeout, their Address etc etc.

Accounting packets are very different - just 'here's some data' and 'thank you' responses really. Like many people I am very worried about DoS abilities due to lack of verification of this data - I could spoof the NAS and send a 'they've been on for 7200 minutes' packet and et voila, everyone gets disconnected :-(

alan

From progressus at gmail.com Sat May 24 06:10:59 2008
From: progressus at gmail.com (Progressus)
Date: Sat, 24 May 2008 11:10:59 +0100
Subject: [c-nsp] IP Address Management Software

Hi all,

I am currently running a project at Internet Solutions, to develop our own IP Database and Management system. This is designed around many of our existing client databases and systems that we have. We are still in the beginning phase of implementation, but hope to have the system up and running with all our addresses in place by the end of this year.

I had looked around, but I was not able to find anything that suited our needs.

* Tracks/assigns all WAN IPs for customers' routers
* Tracks/assigns all subnets assigned to customers
* Monitors customer database for cancellations to automatically reclaim IP space from customers that have moved on
* Manage all netblocks assigned from RIPE
* Provides utilization reports specifically in reference to how close am I to the magical 80% to request more IPs.
* Provides utilization information for each of our 12 markets around the country so that I know when we are running low on IPs for a region. If we are low, a couple of clicks and the IP pools are automatically refreshed.
* Daily scrubs of all /24's to be used for customer subnet assignments (not WAN IPs) to look for /24's that are completely used and then take them out of the search path when assigning IPs for customers (this is to speed up the assignments... no need to look for holes in blocks that you know are full).
* Tracks ASNs of our customers
* Automatic report to request more IPs from RIPE.

My question:

What is your opinion about the best solution for these needs?

Thanks for your time.

Best Regards

From lukasz at bromirski.net Sat May 24 07:44:36 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 24 May 2008 13:44:36 +0200
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <1211602794_354303@mail1.tellurian.net>
References: <1211602794_354303@mail1.tellurian.net>
Message-ID: <4837FFA4.8010803@bromirski.net>

Robert Boyle wrote:
> I remember that one of the big features of the 7200VXR series was the
> new TDM bus which would enable TDM switching between cards. I have
> never needed to use it, but now it would come in handy. I have found
> lots of marketing info on Cisco's website, but no cookbook configs.
> Here is the situation, I have a bunch of channelized DS3s (used for
> IP) terminating on a VXR (PA-MC-T3 cards) and I would like to get a
> voice PRI delivered from the same carrier and "cross connect" it to a
> T1 port (PA-MC-8T1?) on the router which could go to my equipment
> which can accept a PRI - an AS5300 in this case. Any config samples
> and/or gotchas would be appreciated. Do I need new enhanced cards for
> this? or can my old cards kicking around in the spares closet handle the job?

VXR indeed added the TDM bus into the 7200 capabilities, which essentially means you can use 'connect' or 'cross-connect' commands in config mode to cross-connect DS0 between various PA/controllers and use DSP farming.
--
"Don't expect me to cry for all the      |  Łukasz Bromirski
 reasons you had to die" -- Kurt Cobain  |  http://lukasz.bromirski.net

From diogo.montagner at gmail.com Sat May 24 08:32:32 2008
From: diogo.montagner at gmail.com (Diogo Montagner)
Date: Sat, 24 May 2008 09:32:32 -0300
Subject: [c-nsp] BootVars Keep Erasing Themselves
Message-ID: <84eb7a820805240532y30c5fe83yab9a7aada8e5de3@mail.gmail.com>

Hi Ronen,

check the bugs for your rommon version. I experienced some problems like you under rommon version 8.1.3 using SUP720.

Regards,
Diogo

On Fri, May 23, 2008 at 8:28 PM, Ronen Isaac wrote:
> Hello All,
>
> I have run into a baffling wall and after 4 days of tinkering and
> reading online I am turning to you hoping that you might be of
> assistance. I have a Cat6509 w/ SUP2/MSFC2 that I converted from Hybrid
> mode to Native mode following these instructions to the letter:
>
> http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015bfa6.shtml
>
> I reloaded the switch a couple of times and even turned off/on the power
> briefly to make sure all settings took. Everything seemed to work
> great.
>
> I then turned it off for a day and when I turned it back on it booted
> through the SP OK but when starting to boot the RP I get this, "Warning:
> Rommon NVRAM area is corrupted" and it goes to ROMMON mode.
>
> I then added the bootvars again and made sure the register was at 0x2102
> and reset the switch. It loaded through...
>
> While in IOS I went ahead and did an "erase nvram" to format and start
> over. I then redid the bootvars, did a "remote command switch show
> boot" to ensure the SP bootvars were OK and reloaded the switch. It
> loaded all the way through and the bootvars were intact.
>
> So I turn it off and let it sit for 10 min, fire it up and again I get
> the same error, "Warning: Rommon NVRAM area is corrupted" and it goes to
> ROMMON mode. I do this for about 2 days.
>
> I then proceeded to upgrade the image and the ROMMON, redid the config,
> turned off the switch, waited 10 min and it still didn't take.
>
> If you have any thoughts I would greatly appreciate hearing them.
> Thanks so much for your time and have a great weekend!
>
> Image: 12.2(18)SXF14
> ROMMON: 12.2(17r)S5
>
> P.S. There is only one SUP in the chassis and this happens on 2 separate
> sup engines.
>
> Kind Regards,
> Ronen Isaac
> Continental Computers
> 920 N. Nash St. Bldg B
> El Segundo, CA 90245
> 310/416-1200:voice
> 310/350-8456:cell
> 310/416-1443:fax
> ronen at conticomp.com
> www.conticomp.com
> www.wlanmall.com
> www.webuycisco.com
> AOL IM: ccro02
>
> **Your trusted partner for DEC, CISCO, COMPAQ, JUNIPER, MOTOROLA CANOPY,
> AIRAYA, PROXIM, AXIS IP Cameras, MILESTONE Surveillance Software and
> more for over 20 years!
>

--
./diogo -montagner

From ml at t-b-o-h.net Sat May 24 09:29:32 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET)
Date: Sat, 24 May 2008 09:29:32 -0400 (EDT)
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <20080524073641.GA15169@lboro.ac.uk>
Message-ID: <200805241329.m4ODTWJR085669@himinbjorg.tucs-beachin-obx-house.com>

>
> Hi,
> > Hi,
> >
> > What it boils down to is that when you auth, you have the potential
> > for a "Session-Timeout" reply. Let's say it's 120 minutes. You get back that
> > you are authorized with that attribute.
> >
> > You send the accounting start record and off the user goes. 10 minutes
> > into the session, the operators/a process/whatever decides to change your Radius
> > entry so that the new Session-Timeout would be 5 minutes. How, if at all, does
> > the NAS become aware of this?
>
> RFC 3576 - Change of Authorization - CoA
>
> the NAS and the server have to support it. with this, you can
> change many variables that are part of the AAA - eg Session-Timeout,
> their Address etc etc
>
> Accounting packets are very different - just 'here's some data'
> and 'thank you' responses really. Like many people I am very worried
> about DoS abilities due to lack of verification of this data.
> - I could spoof the NAS and send a 'they've been on for 7200 minutes'
> packet and et voila. everyone gets disconnected :-(
>
> alan
>

Hi,

I guess I guided this a bit into the wrong territory. I didn't realize there was a CoA. The issue wasn't so much that the Session-Timeout would BE changed, it's that with usage it DOES change. I basically was trying to avoid having to keep track of time in my application. More of Radius telling me "Hey, it's time to go" instead of my deciding it. There is a large section where a user may be provisioned, and during the session the provisioning rejected (Credit card disallowed, fraud, TOS violation) but the main crux was trying not to keep the "limits" locally. I guess the protocol doesn't allow for it, so I have to keep track/time/count myself.

Thanks, I think I have everything I need! (Well, except for how to "use" a file in perl that's a bareword (use $authorization_module;). Tried to: eval "use authorization_module;" but it's just not working. But not a c-nsp issue. :) )

Thanks, Tuc

From berni at birkenwald.de Sat May 24 10:41:14 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Sat, 24 May 2008 14:41:14 +0000 (UTC)
Subject: [c-nsp] FWSM vlans down after host SSO

Hello everyone,

we are having a pretty serious problem with one of our boxes.

6509
2* WS-SUP720-BASE + WS-F6K-PFC3B running 12.2(33)SXH1 modular
1* WS-X6704-10GE
2* WS-X6724-SFP
2* WS-X6408A-GBIC
1* WS-SVC-NAM-2
1* WS-SVC-FWM-1 running 3.1(4)

The FWSM has 10 contexts in routing mode and 4 contexts in transparent mode.
One of the routed contexts has IPv6 enabled.

Every few days the 6500 does a SSO failover without much explanation. Console output of the formerly active Sup just starts with the System Bootstrap again, there is nothing really useful in the remote syslog, other than a lot of UPDOWN messages the first message is

May 24 13:37:04 CEST: %OIR-SP-3-PWRCYCLE: Card in module 5, is being power-cycled (RF request)

(module 5 was the active Sup before, so it doesn't match CSCsh34467 which should be resolved in SXH1 anyway).

This is all very inconvenient, but SSO is fast enough for this network and everything comes back as it should. Except for the FWSM, while the failover happens every transport VLAN (between the hosting 6500 and the FWSM) goes to up/down state and stays there. Interestingly the traffic does not stop immediately, while the failover and the final "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3500, changed state to down" was at 13:37, the system monitoring the IPv6 customer did not see outages before 14:20.

The only thing that seems to help in this mess is to reboot the FWSM. Reload on the FWSM console does not work by the way (it seems to hang), I had to use "hw-module module 9 reset" every time this happened so far.

Anyone having any ideas? I can get to the test kit in the lab on Monday earliest unfortunately.

Bernhard

From freimer at ctiusa.com Sat May 24 11:19:43 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Sat, 24 May 2008 11:19:43 -0400
Subject: [c-nsp] FWSM vlans down after host SSO
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D1250@EXCHANGE.ctiusa.com>

I had a similar problem at a customer running 12.2(18)SXF? Modular code. I would stay away from modular code for another few years. The bug was a memory leak, which was supposedly fixed, only to discover other bugs. The eventual fix was to "downgrade" to non-modular code.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Bernhard Schmidt
> Sent: Saturday, May 24, 2008 10:41 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] FWSM vlans down after host SSO
>
> Hello everyone,
>
> we are having a pretty serious problem with one of our boxes.
>
> 6509
> 2* WS-SUP720-BASE + WS-F6K-PFC3B running 12.2(33)SXH1 modular
> 1* WS-X6704-10GE
> 2* WS-X6724-SFP
> 2* WS-X6408A-GBIC
> 1* WS-SVC-NAM-2
> 1* WS-SVC-FWM-1 running 3.1(4)
>
> The FWSM has 10 contexts in routing mode and 4 contexts in transparent
> mode. One of the routed contexts has IPv6 enabled.
>
> Every few days the 6500 does a SSO failover without much explanation.
> Console output of the formerly active Sup just starts with the System
> Bootstrap again, there is nothing really useful in the remote syslog,
> other than a lot of UPDOWN messages the first message is
>
> May 24 13:37:04 CEST: %OIR-SP-3-PWRCYCLE: Card in module 5, is being
> power-cycled (RF request)
>
> (module 5 was the active Sup before, so it doesn't match CSCsh34467
> which should be resolved in SXH1 anyway).
>
> This is all very inconvenient, but SSO is fast enough for this network
> and everything comes back as it should. Except for the FWSM, while the
> failover happens every transport VLAN (between the hosting 6500 and the
> FWSM) goes to up/down state and stays there. Interestingly the traffic
> does not stop immediately, while the failover and the final
> "%LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3500, changed
> state to down" was at 13:37, the system monitoring the IPv6 customer
> did not see outages before 14:20.
>
> The only thing that seems to help in this mess is to reboot the FWSM.
> Reload on the FWSM console does not work by the way (it seems to hang),
> I had to use "hw-module module 9 reset" every time this happened so
> far.
>
> Anyone having any ideas?
> I can get to the test kit in the lab on Monday
> earliest unfortunately.
>
> Bernhard

From mksmith at adhost.com Sat May 24 11:49:57 2008
From: mksmith at adhost.com (Michael Smith)
Date: Sat, 24 May 2008 08:49:57 -0700
Subject: [c-nsp] IP Address Management Software

Hello:

> From: Progressus
> Date: Sat, 24 May 2008 11:10:59 +0100
> Subject: [c-nsp] IP Address Management Software
>
> Hi all,
>
> I am currently running a project at Internet Solutions, to develop our own
> IP Database and Management system. This is designed around many of
> our existing client databases and systems that we have.
> We are still in the beginning phase of implementation, but hope to have
> the system up and running with all our addresses in place by the end
> of this year.
>
> I had looked around, but I was not able to find anything that suited our
> needs.
>
> * Tracks/assigns all WAN IPs for customers' routers
>
> * Tracks/assigns all subnets assigned to customers
>
> * Monitors customer database for cancellations to automatically reclaim IP
> space from customers that have moved on
>
> * Manage all netblocks assigned from RIPE
>
> * Provides utilization reports specifically in reference to how close am I
> to the magical 80% to request more IPs.
>
> * Provides utilization information for each of our 12 markets around the
> country so that I know when we are running low on IPs for a region. If we
> are low, a couple of clicks and the IP pools are automatically refreshed.
>
> * Daily scrubs of all /24's to be used for customer subnet assignments (not
> WAN IPs) to look for /24's that are completely used and then take them out
> of the search path when assigning IPs for customers (this is to speed up the
> assignments... no need to look for holes in blocks that you know are full).
> * Tracks ASNs of our customers
>
> * Automatic report to request more IPs from RIPE.
>
> My question:
>
> What is your opinion about the best solution for these needs?
>
> Thanks for your time.
>
> Best Regards

We use IPPlan - http://sourceforge.net/project/showfiles.php?group_id=32122 and have customized some interactive scripts to do some of the things above, particularly related to auto-SWIP and reclamation. It's very extensible and also very stable. However, it has no support for IPv6 and the author is not inclined to write in the support (apparently those requesting it haven't ponied up any cash to help with the project and it would be a fairly massive rewrite). With that said, if you are growing your own you should seriously consider writing in IPv6 support now.

Regards,

Mike

From streiner at cluebyfour.org Sat May 24 13:14:26 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Sat, 24 May 2008 13:14:26 -0400 (EDT)
Subject: [c-nsp] FWSM vlans down after host SSO

On Sat, 24 May 2008, Bernhard Schmidt wrote:

> The only thing that seems to help in this mess is to reboot the FWSM.
> Reload on the FWSM console does not work by the way (it seems to hang),
> I had to use "hw-module module 9 reset" every time this happened so far.
>
> Anyone having any ideas? I can get to the test kit in the lab on Monday
> earliest unfortunately.

Have you searched for possibly relevant bugs on CCO? 3.1(4) is pretty old, and I suspect that if/when you open a case with Cisco, the first thing they will recommend is that you upgrade to a newer version of code.
I have 3.2(4) running in production on about 20 FWSMs and it's pretty stable, using both transparent and routed contexts. I can't speak to the IPv6 functionality at the moment because I'm not running any v6 contexts. That's probably something I should turn up in my lab :) 4.0(1) came out in the last week or so, but I haven't had a chance to try it out in my lab yet.

A quick scan of the FWSM bug list shows some items that could be related to your situation, but without more details, I could only guess... I think opening a case with the TAC would be your best option at this point.

jms

From linux.yahoo at gmail.com Sat May 24 13:50:42 2008
From: linux.yahoo at gmail.com (Manu Chao)
Date: Sat, 24 May 2008 19:50:42 +0200
Subject: [c-nsp] AAA
Message-ID: <7100ed370805241050i4a7d4c56tbe9b49014565565d@mail.gmail.com>

Does Radius Accounting require Radius Authentication?

Or is it possible to enable Radius accounting only without authentication?

From freimer at ctiusa.com Sat May 24 14:01:47 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Sat, 24 May 2008 14:01:47 -0400
Subject: [c-nsp] AAA
In-Reply-To: <7100ed370805241050i4a7d4c56tbe9b49014565565d@mail.gmail.com>
References: <7100ed370805241050i4a7d4c56tbe9b49014565565d@mail.gmail.com>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC95028D125C@EXCHANGE.ctiusa.com>

You can do accounting without authentication/authorization. I've used a separate AAA accounting server on an ASA to send accounting updates to a Cisco NAC Appliance (CAS) for VPN SSO, while doing authentication to a Cisco ACS (RADIUS) for authentication and authorization (downloadable ACLs).

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Manu Chao
> Sent: Saturday, May 24, 2008 1:51 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] AAA
>
> Does Radius Accounting require Radius Authentication?
>
> Or is it possible to enable Radius accounting only without
> authentication?
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From berni at birkenwald.de Sat May 24 15:29:30 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Sat, 24 May 2008 19:29:30 +0000 (UTC)
Subject: [c-nsp] FWSM vlans down after host SSO

Justin M. Streiner wrote:

>> The only thing that seems to help in this mess is to reboot the FWSM.
>> Reload on the FWSM console does not work by the way (it seems to hang),
>> I had to use "hw-module module 9 reset" every time this happened so far.
>>
>> Anyone having any ideas? I can get to the test kit in the lab on Monday
>> earliest unfortunately.
>
> Have you searched for possibly relevant bugs on CCO? 3.1(4) is pretty
> old, and I suspect that if/when you open a case with Cisco, the first
> thing they will recommend is that you upgrade to a newer version of code.
> I have 3.2(4) running in production on about 20 FWSMs and it's pretty
> stable, using both transparent and routed contexts. I can't speak to the
> IPv6 functionality at the moment because I'm not running any v6 contexts.
> That's probably something I should turn up in my lab :) 4.0(1) came out > in the last week or so, but I haven't had a chance to try it out in my > lab yet. > > A quick scan of the FWSM bug list shows some items that could be related > to your situation, but without more details, I could only guess... I browsed through the list but could not find anything specific. I agree upgrading to the latest 3.1(10) at least would be good, but I have to discuss this with our firewall guys. I will have a look at opening a TAC case on Monday (situation here is ... complicated). Bernhard From aaronis at people.net.au Sun May 25 03:53:40 2008 From: aaronis at people.net.au (aaron) Date: Sun, 25 May 2008 15:53:40 +0800 Subject: [c-nsp] Finding the SNMP OID! Message-ID: <200805250758.m4P7wRlk043512@puck.nether.net> Hey guys, Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's. Is there anyone with any thoughts? Cheers, Aaron. From avayner at cisco.com Sun May 25 04:07:11 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 25 May 2008 10:07:11 +0200 Subject: [c-nsp] Finding the SNMP OID! In-Reply-To: <200805250758.m4P7wRlk043512@puck.nether.net> References: <200805250758.m4P7wRlk043512@puck.nether.net> Message-ID: <67F7C1FAF83A074AA3520D8F155782A50162B6BD@xmb-ams-331.emea.cisco.com> Aaron, Try taking a look at this tool: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en You can use the search tab, and just use the OID name, or use the translate/browse tab - I think you would like it. 
Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of aaron Sent: Sunday, May 25, 2008 10:54 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Finding the SNMP OID! Hey guys, Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's. Is there anyone with any thoughts? Cheers, Aaron. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From aaronis at people.net.au Sun May 25 04:18:32 2008 From: aaronis at people.net.au (Aaron R) Date: Sun, 25 May 2008 16:18:32 +0800 Subject: [c-nsp] Finding the SNMP OID! In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50162B6BD@xmb-ams-331.emea.cisco.com> Message-ID: <200805250823.m4P8NHSq048184@puck.nether.net> Hi Arie, Yep I've used this tool, but it doesn't really help me.. I guess because there are that many OID's it can seem like looking for a needle in a haystack. Thanks for your help. Aaron. -----Original Message----- From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: Sunday, May 25, 2008 4:07 PM To: aaron; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Finding the SNMP OID! Aaron, Try taking a look at this tool: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en You can use the search tab, and just use the OID name, or use the translate/browse tab - I think you would like it. 
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of aaron
Sent: Sunday, May 25, 2008 10:54 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Finding the SNMP OID!

Hey guys,

Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's.

Is there anyone with any thoughts?

Cheers,

Aaron.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From dhooper at emerge.net.au Sun May 25 04:26:05 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Sun, 25 May 2008 16:26:05 +0800
Subject: [c-nsp] Finding the SNMP OID!
References: <200805250758.m4P7wRlk043512@puck.nether.net>

.1.3.6.1.4.1.9.9.42.1.5.1.1.1 for http rtt time.

There is no really easy way to find the OID's you need, I use a mixture of the cisco snmp tool on the website and just searching for text in the individual mib files. The parent mibs are required to build some of the table views.

-Dan

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of aaron
Sent: Sun 5/25/2008 3:53 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Finding the SNMP OID!

Hey guys,

Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed.
I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's.

Is there anyone with any thoughts?

Cheers,

Aaron.

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From avayner at cisco.com Sun May 25 04:28:18 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 25 May 2008 10:28:18 +0200
Subject: [c-nsp] Finding the SNMP OID!
In-Reply-To: <200805250820.m4P8KJFS011742@sj-core-2.cisco.com>
References: <67F7C1FAF83A074AA3520D8F155782A50162B6BD@xmb-ams-331.emea.cisco.com> <200805250820.m4P8KJFS011742@sj-core-2.cisco.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50162B6C4@xmb-ams-331.emea.cisco.com>

Aaron, what are you looking for specifically?

If you are looking for IP SLA info, take a look at this link:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42

This is the root of the RTTMON-MIB which contains all the IP SLA data.

The statistics part is here:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42.1.3

And as a specific example, the Jitter data can be retrieved using these OIDs:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42.1.3.5.1

Arie

-----Original Message-----
From: Aaron R [mailto:aaronis at people.net.au]
Sent: Sunday, May 25, 2008 11:19 AM
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Finding the SNMP OID!

Hi Arie,

Yep I've used this tool, but it doesn't really help me.. I guess because there are that many OID's it can seem like looking for a needle in a haystack.

Thanks for your help.

Aaron.
-----Original Message----- From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: Sunday, May 25, 2008 4:07 PM To: aaron; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Finding the SNMP OID! Aaron, Try taking a look at this tool: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en You can use the search tab, and just use the OID name, or use the translate/browse tab - I think you would like it. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of aaron Sent: Sunday, May 25, 2008 10:54 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Finding the SNMP OID! Hey guys, Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's. Is there anyone with any thoughts? Cheers, Aaron. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From avayner at cisco.com Sun May 25 04:29:37 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 25 May 2008 10:29:37 +0200 Subject: [c-nsp] Finding the SNMP OID! 
References: <200805250758.m4P7wRlk043512@puck.nether.net>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50162B6C6@xmb-ams-331.emea.cisco.com>

Instead of searching for the text in the files, just use the web tool, go to the search tab, and make sure to tick the "Include object descriptions in search"

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Daniel Hooper
Sent: Sunday, May 25, 2008 11:26 AM
To: aaron; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Finding the SNMP OID!

.1.3.6.1.4.1.9.9.42.1.5.1.1.1 for http rtt time.

There is no really easy way to find the OID's you need, I use a mixture of the cisco snmp tool on the website and just searching for text in the individual mib files. The parent mibs are required to build some of the table views.

-Dan

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of aaron
Sent: Sun 5/25/2008 3:53 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Finding the SNMP OID!

Hey guys,

Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's.

Is there anyone with any thoughts?

Cheers,

Aaron.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From aaronis at people.net.au Sun May 25 04:32:15 2008
From: aaronis at people.net.au (Aaron R)
Date: Sun, 25 May 2008 16:32:15 +0800
Subject: [c-nsp] Finding the SNMP OID!
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50162B6C4@xmb-ams-331.emea.cisco.com>
Message-ID: <200805250837.m4P8axBo052871@puck.nether.net>

Thanks guys. :)

-----Original Message-----
From: Arie Vayner (avayner) [mailto:avayner at cisco.com]
Sent: Sunday, May 25, 2008 4:28 PM
To: Aaron R
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Finding the SNMP OID!

Aaron, what are you looking for specifically?

If you are looking for IP SLA info, take a look at this link:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42

This is the root of the RTTMON-MIB which contains all the IP SLA data.

The statistics part is here:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42.1.3

And as a specific example, the Jitter data can be retrieved using these OIDs:
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en&translate=Translate&objectInput=1.3.6.1.4.1.9.9.42.1.3.5.1

Arie

-----Original Message-----
From: Aaron R [mailto:aaronis at people.net.au]
Sent: Sunday, May 25, 2008 11:19 AM
To: Arie Vayner (avayner); cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Finding the SNMP OID!

Hi Arie,

Yep I've used this tool, but it doesn't really help me.. I guess because there are that many OID's it can seem like looking for a needle in a haystack.

Thanks for your help.

Aaron.
-----Original Message----- From: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sent: Sunday, May 25, 2008 4:07 PM To: aaron; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Finding the SNMP OID! Aaron, Try taking a look at this tool: http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en You can use the search tab, and just use the OID name, or use the translate/browse tab - I think you would like it. Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of aaron Sent: Sunday, May 25, 2008 10:54 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Finding the SNMP OID! Hey guys, Is there any easy way to find an OID within a MIB? For example I am interested in monitoring IP SLA information (not traps) I would like to graph the RTT response of IP SLA HTTP requests. Trying to find the right OID within the MIB seems to be very complicated indeed. I have tried to grab the MIB but my MIB viewer complains that I need all the parent MIB's. I am not interested in downloading all these MIB's. Is there anyone with any thoughts? Cheers, Aaron. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rblayzor.bulk at inoc.net Sun May 25 08:15:05 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Sun, 25 May 2008 08:15:05 -0400 Subject: [c-nsp] Discussion list for RADIUS? In-Reply-To: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com> References: <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com> Message-ID: <2A532C0D-461D-48EC-880A-67D1594BFD68@inoc.net> On May 23, 2008, at 10:47 PM, Tuc at T-B-O-H.NET wrote: > You send the accounting start record and off the user goes. 
> 10 minutes into the session, the operators/a process/whatever decides to
> change your Radius entry so that the new Session-Timeout would be 5 minutes.
> How, if at all, does the NAS become aware of this?

Easy, it doesn't. RADIUS servers do not PUSH attributes to an active NAS session. There are some dynamic-author features that some Cisco NAS's support where you can change attributes of an existing session, but that's not the role of a RADIUS server. You'd have to have a client side app to push server like conversation back to the NAS.

Authorization is only done once at login time. If you change attributes, normally the only way to do so is to reset the session and have them reauth.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From rblayzor.bulk at inoc.net Sun May 25 08:19:37 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Sun, 25 May 2008 08:19:37 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <20080524073641.GA15169@lboro.ac.uk>
References: <98B7739FB65BF04F9B3233AB842EEC95028D1206@EXCHANGE.ctiusa.com> <200805240247.m4O2lonB077933@himinbjorg.tucs-beachin-obx-house.com> <20080524073641.GA15169@lboro.ac.uk>
Message-ID: <14FCC9E1-0699-4249-9849-FF850548F1E4@inoc.net>

On May 24, 2008, at 3:36 AM, A.L.M.Buxey at lboro.ac.uk wrote:

> the NAS and the server have to support it. with this, you can
> change many variables that are part of the AAA - eg Session-Timeout,
> their Address etc etc

To clarify this more, the *server* does not have to support it. Essentially COA turns the NAS into a pseudo RADIUS server and you must use a client side app to generate RADIUS requests to make the COA changes. Typically this is not the function of any RADIUS server to handle internally. Generally it's done with a 3rd party or RADIUS client utility to generate the COA packets and send them to a NAS with dynamic-author configured. Works like a charm.
-- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ From rblayzor.bulk at inoc.net Sun May 25 08:28:39 2008 From: rblayzor.bulk at inoc.net (Robert Blayzor) Date: Sun, 25 May 2008 08:28:39 -0400 Subject: [c-nsp] Discussion list for RADIUS? In-Reply-To: <200805241329.m4ODTWJR085669@himinbjorg.tucs-beachin-obx-house.com> References: <200805241329.m4ODTWJR085669@himinbjorg.tucs-beachin-obx-house.com> Message-ID: <1177CFDB-4AF5-454D-81BA-7A2FF3E4B8FE@inoc.net> On May 24, 2008, at 9:29 AM, Tuc at T-B-O-H.NET wrote: > The issue wasn't so much that the Session-Timeout would BE change, > its > that with usage it DOES change. I'm confused, why does the Session-Timeout change? Do you mean you have timed usage accounts and they're only allowed X amount of time over a series of logins for a particular period? > I basically was trying to avoid having to keep > track of time in my application. More of Radius telling me "Hey, its > time to > go" instead of my deciding it. Ok, I think what I just mentioned is what you're trying to do. But yes, the only way to do that is for you to account the time and dynamically size the Session-Timeout, the only way to enforce that change is either via a CoA or re-authorization after login. > There is a large section where a user may be > provisioned, and during the session the provisioning rejected > (Credit card > disallowed, fraud, TOS violation) but the main crux was trying not > to keep > the "limits" locally. I guess the protocol doesn't allow for it, so > I have to > keep track/time/count myself. That's really the only way. But CoA is very handy for resetting settings manually or changing ACL's and other attributes on the fly. I don't see why you couldn't push a new Session-Timeout online... I believe if you sent a Session-Timeout of (1) and the user has already been online a while, that would probably drop the session. Never tried that though! 
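The CoA exchange Robert describes in the two posts above (a client-side utility pushing a changed Session-Timeout to a NAS running dynamic-author), as an added example that is not part of any post here and not vendor code: a standard-library Python model of both ends of RFC 5176, in which the client builds the CoA-Request and the toy NAS recomputes the Request Authenticator before touching the session and answers CoA-ACK or CoA-NAK. The shared secret, the session table and the Acct-Session-Id are constructed; UDP transport (port 3799) and the optional Message-Authenticator attribute are left out.

```python
import hashlib
import hmac
import struct

# Packet codes from RFC 5176 (RADIUS Dynamic Authorization Extensions).
COA_REQUEST, COA_ACK, COA_NAK = 43, 44, 45
# Attribute types used below (RFC 2865 / RFC 5176).
ATTR_USER_NAME = 1
ATTR_SESSION_TIMEOUT = 27
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERR_SESSION_CONTEXT_NOT_FOUND = 503   # Error-Cause value from RFC 5176


def encode_attr(attr_type, value):
    """Encode one attribute as Type | Length | Value (int -> 4-byte big-endian)."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def decode_attrs(packet):
    """Return [(type, raw_value)] for the attributes after the 20-byte header."""
    attrs, pos = [], 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return attrs


def build_coa_request(secret, identifier, attrs):
    """Client side: build a CoA-Request.

    Request Authenticator = MD5(Code + Identifier + Length + 16 zero octets
    + Attributes + Secret), the Accounting-Request rule that RFC 5176 reuses.
    """
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def build_response(secret, request, code, attrs=()):
    """NAS side: CoA-ACK/CoA-NAK whose Response Authenticator covers the
    Request Authenticator, so a reply cannot be replayed against another request."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    authenticator = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + authenticator + body


def request_is_authentic(secret, packet):
    """NAS side: recompute the Request Authenticator before acting on anything."""
    if len(packet) < 20 or packet[0] != COA_REQUEST:
        return False
    header, authenticator, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def response_is_authentic(secret, request, response):
    """Client side: accept an ACK/NAK only if it is bound to our own request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, authenticator, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def nas_handle_coa(secret, packet, active_sessions):
    """Toy NAS with dynamic-author enabled: verify, look up the session, apply.

    active_sessions maps Acct-Session-Id -> dict of session state (constructed).
    Returns the response packet, or None when the request is silently dropped.
    """
    if not request_is_authentic(secret, packet):
        return None  # RFC 5176: a request with a bad authenticator is discarded
    attrs = dict(decode_attrs(packet))
    session = active_sessions.get(attrs.get(ATTR_ACCT_SESSION_ID, b"").decode())
    if session is None:
        return build_response(secret, packet, COA_NAK,
                              [(ATTR_ERROR_CAUSE, ERR_SESSION_CONTEXT_NOT_FOUND)])
    if ATTR_SESSION_TIMEOUT in attrs:
        session["session_timeout"] = struct.unpack("!I", attrs[ATTR_SESSION_TIMEOUT])[0]
    return build_response(secret, packet, COA_ACK)


def demo_change_session_timeout(secret=b"constructed-shared-secret"):
    """Push a new Session-Timeout to one active session; returns (ack, sessions, ok)."""
    sessions = {"0000004A": {"user": "alice", "session_timeout": 3600}}  # constructed
    request = build_coa_request(secret, 7, [(ATTR_USER_NAME, "alice"),
                                            (ATTR_ACCT_SESSION_ID, "0000004A"),
                                            (ATTR_SESSION_TIMEOUT, 300)])
    response = nas_handle_coa(secret, request, sessions)
    return response, sessions, response_is_authentic(secret, request, response)


if __name__ == "__main__":
    ack, sessions, ok = demo_change_session_timeout()
    print("CoA-ACK" if ack[0] == COA_ACK else "CoA-NAK", "authentic:", ok, sessions)
```

A request with the wrong secret, or any byte changed after the authenticator was computed, is dropped without a reply, which is also why the shared secret is the only thing standing between an attacker on the management network and your sessions.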
:-) -- Robert Blayzor, BOFH INOC, LLC rblayzor at inoc.net http://www.inoc.net/~rblayzor/ From david.freedman at uk.clara.net Sun May 25 18:16:24 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Sun, 25 May 2008 23:16:24 +0100 Subject: [c-nsp] Finding the SNMP OID! Message-ID: Try this: http://www.convergence.cx/scripts/saaqosmaker.gz This is a perl script I use to get some basic stats out of SAA , it produces an MRTG style configuration, when pointed at a host and given the community string ( a bit like MRTG's "configmaker" tool), you can easily modify it and add probe types, I only include basic ones. Dave. ------------------------------------------------ David Freedman Group Network Engineering Claranet Limited http://www.clara.net From paul at paulstewart.org Mon May 26 03:17:32 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 26 May 2008 03:17:32 -0400 Subject: [c-nsp] VLAN 1005 Translation? Message-ID: <000001c8bf00$91571e10$b4055a30$@org> I have a GigE coming in from another provider and they are sending us a trunk - one of the VLAN's is 1005 (yup, that's right). This is a 7606 Sup720-3BXL Not fully understanding the purpose of 1005, it doesn't work. Trying to take a trunk in from them and then send 1005 and a few others out to another box. The other VLAN's work fine. So, I thought I might be able to do VLAN translation - is that possible on 1005? I just want to take 1005 and translate it to 900: interface GigabitEthernet4/7 switchport switchport trunk encapsulation dot1q switchport trunk allowed vlan 18,84,108,127,131,139,151,163,164,172,175,176 switchport trunk allowed vlan add 180,193,195,196,198,200,243,245,326,341,364 switchport trunk allowed vlan add 381,382,389,391,402,696,1005 switchport mode trunk switchport vlan mapping enable switchport vlan mapping 1005 900 Is there anything I can do to make this work or is my config wrong? Also, do I have to translate *back* somewhere such as the "outgoing" port? 
Thanks very much,

Paul

From dhooper at emerge.net.au Mon May 26 04:40:15 2008
From: dhooper at emerge.net.au (Daniel Hooper)
Date: Mon, 26 May 2008 16:40:15 +0800
Subject: [c-nsp] VLAN 1005 Translation?
In-Reply-To: <000001c8bf00$91571e10$b4055a30$@org>
References: <000001c8bf00$91571e10$b4055a30$@org>

Can you change the type of vlan? On my 3550's 1005 is showing as trnet, are you able to change it to enet?

Just out of interest, is there a way to achieve VLAN mapping on the 3550 platform?

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Monday, 26 May 2008 3:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VLAN 1005 Translation?
>
> I have a GigE coming in from another provider and they are sending us a
> trunk - one of the VLAN's is 1005 (yup, that's right). This is a 7606
> Sup720-3BXL
>
> Not fully understanding the purpose of 1005, it doesn't work. Trying to
> take a trunk in from them and then send 1005 and a few others out to
> another box. The other VLAN's work fine.
>
> So, I thought I might be able to do VLAN translation - is that possible
> on 1005? I just want to take 1005 and translate it to 900:
>
> interface GigabitEthernet4/7
> switchport
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 18,84,108,127,131,139,151,163,164,172,175,176
> switchport trunk allowed vlan add 180,193,195,196,198,200,243,245,326,341,364
> switchport trunk allowed vlan add 381,382,389,391,402,696,1005
> switchport mode trunk
> switchport vlan mapping enable
> switchport vlan mapping 1005 900
>
>
> Is there anything I can do to make this work or is my config wrong?
> Also, do I have to translate *back* somewhere such as the "outgoing" port?
>
> Thanks very much,
>
> Paul
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From peter at rathlev.dk Mon May 26 05:37:16 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 26 May 2008 11:37:16 +0200
Subject: [c-nsp] VLAN 1005 Translation?
References: <000001c8bf00$91571e10$b4055a30$@org>
Message-ID: <1211794636.4340.10.camel@dusken.sys.mjna.net>

On Mon, 2008-05-26 at 16:40 +0800, Daniel Hooper wrote:
> Can you change the type of vlan? On my 3550's 1005 is showing as trnet,
> are you able to change it to enet?

The type of VLAN 1005 doesn't seem to be changeable, at least not on C6k/Sup720:

R1(config)#vlan 1005
R1(config-vlan)#media ethernet
Default VLAN 1005 may not have its type changed.
R1(config-vlan)#

VLAN mapping seems to be configurable though, but I don't know if it works:

R1(config)#vlan mapping dot1q 1005 isl 200
R1(config)#do show run | incl ^vlan mapping
vlan mapping dot1q 1005 isl 200
R1(config)#

I don't have anything that can use VLAN 1005. When I add VLAN 1005 to a trunk it doesn't create an STP instance:

R1(config)#interface GigabitEthernet4/3
R1(config-if)#switchport trunk allowed vlan add 1005
R1(config-if)#^Z
R1#show run interface GigabitEthernet4/3
Building configuration...

Current configuration : 308 bytes
!
interface GigabitEthernet4/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1005
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 no ip address
end

R1#show interface GigabitEthernet4/3 status
Port    Name    Status    Vlan    Duplex    Speed    Type
Gi4/3           connected trunk   full      1000     1000BaseLH
R1#show spanning-tree vlan 1005
Spanning tree instance(s) for vlan 1005 does not exist.
R1#

> Just out of interest, is there a way to achieve VLAN mapping on the
> 3550 platform?
IOS 12.2(25)SEE2 on 3550 can't do it, neither can IOS 12.2(35)SE5 on 3750. So I think none of the "small" L3-switches can.

Regards,
Peter

From sthaug at nethelp.no Mon May 26 06:07:49 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 26 May 2008 12:07:49 +0200 (CEST)
Subject: [c-nsp] VLAN 1005 Translation?
In-Reply-To: <1211794636.4340.10.camel@dusken.sys.mjna.net>
References: <000001c8bf00$91571e10$b4055a30$@org> <1211794636.4340.10.camel@dusken.sys.mjna.net>
Message-ID: <20080526.120749.74718245.sthaug@nethelp.no>

> > Can you change the type of vlan? On my 3550's 1005 is showing as trnet,
> > are you able to change it to enet?
>
> The type of VLAN 1005 doesn't seem to be changeable, at least not on
> C6k/Sup720:

Some of us have been telling Cisco for a long time that they need to introduce a mode where the old historical baggage of special handling for VLAN 1002 - 1005 is completely removed. But so far no luck.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From paul at paulstewart.org Mon May 26 06:14:50 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 26 May 2008 06:14:50 -0400
Subject: [c-nsp] VLAN 1005 Translation?
In-Reply-To: <1211794636.4340.10.camel@dusken.sys.mjna.net>
References: <000001c8bf00$91571e10$b4055a30$@org> <1211794636.4340.10.camel@dusken.sys.mjna.net>
Message-ID: <019201c8bf19$57f76da0$07e648e0$@org>

Thanks Peter (and Daniel)... I wasn't able to change it either... Ended up talking to the provider's NOC and they did a VLAN change on their side ....;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Rathlev
Sent: Monday, May 26, 2008 5:37 AM
To: Daniel Hooper
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] VLAN 1005 Translation?

On Mon, 2008-05-26 at 16:40 +0800, Daniel Hooper wrote:
> Can you change the type of vlan? On my 3550's 1005 is showing as trnet,
> are you able to change it to enet?
The type of VLAN 1005 doesn't seem to be changeable, at least not on C6k/Sup720:

R1(config)#vlan 1005
R1(config-vlan)#media ethernet
Default VLAN 1005 may not have its type changed.
R1(config-vlan)#

VLAN mapping seems to be configurable though, but I don't know if it works:

R1(config)#vlan mapping dot1q 1005 isl 200
R1(config)#do show run | incl ^vlan mapping
vlan mapping dot1q 1005 isl 200
R1(config)#

I don't have anything that can use VLAN 1005. When I add VLAN 1005 to a trunk it doesn't create an STP instance:

R1(config)#interface GigabitEthernet4/3
R1(config-if)#switchport trunk allowed vlan add 1005
R1(config-if)#^Z
R1#show run interface GigabitEthernet4/3
Building configuration...

Current configuration : 308 bytes
!
interface GigabitEthernet4/3
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1005
 switchport mode trunk
 switchport nonegotiate
 switchport vlan mapping enable
 no ip address
end

R1#show interface GigabitEthernet4/3 status
Port    Name    Status    Vlan    Duplex    Speed    Type
Gi4/3           connected trunk   full      1000     1000BaseLH
R1#show spanning-tree vlan 1005
Spanning tree instance(s) for vlan 1005 does not exist.
R1#

> Just out of interest, is there a way to achieve VLAN mapping on the
> 3550 platform?

IOS 12.2(25)SEE2 on 3550 can't do it, neither can IOS 12.2(35)SE5 on 3750. So I think none of the "small" L3-switches can.

Regards,
Peter

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From cisco at ibctech.ca Mon May 26 08:41:49 2008
From: cisco at ibctech.ca (Steve Bertrand)
Date: Mon, 26 May 2008 08:41:49 -0400
Subject: [c-nsp] Discussion list for RADIUS?
In-Reply-To: <200805241329.m4ODTWJR085669@himinbjorg.tucs-beachin-obx-house.com>
References: <200805241329.m4ODTWJR085669@himinbjorg.tucs-beachin-obx-house.com>
Message-ID: <483AB00D.4020502@ibctech.ca>

> Thanks, I think I have everything I need! (Well, except for how to
> "use" a file in perl that's a bareword (use $authorization_module;). Tried
> to : eval "use authorization_module;" : but it's just not working. But not
> a c-nsp issue. :) )

I know it's not Cisco related, and I don't know exactly what context you are trying to 'use' the file, but have you tried declaring your $authorization_module variable with a path in quotes?

eg:

my $auth_module = 'path/to/auth_module_file';
require $auth_module;

This will get you around the 'bareword' problem when using strict, depending on your context of course.

Steve

From rbf+cisco-nsp at panix.com Mon May 26 12:21:53 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Mon, 26 May 2008 11:21:53 -0500
Subject: [c-nsp] VLAN 1005 Translation?
In-Reply-To: <000001c8bf00$91571e10$b4055a30$@org>
References: <000001c8bf00$91571e10$b4055a30$@org>
Message-ID: <20080526162153.GA13684@panix.com>

On Mon, May 26, 2008 at 03:17:32AM -0400, Paul Stewart wrote:
>
> So, I thought I might be able to do VLAN translation - is that possible on
> 1005? I just want to take 1005 and translate it to 900:

I think it's possible, but haven't ever tried it.

> interface GigabitEthernet4/7
> switchport
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 18,84,108,127,131,139,151,163,164,172,175,176
> switchport trunk allowed vlan add 180,193,195,196,198,200,243,245,326,341,364
> switchport trunk allowed vlan add 381,382,389,391,402,696,1005
> switchport mode trunk
> switchport vlan mapping enable
> switchport vlan mapping 1005 900
>
> Is there anything I can do to make this work or is my config wrong? Also,
> do I have to translate *back* somewhere such as the "outgoing" port?
VLAN translation logically occurs as the last step before transmission and the first step after reception. So, with the "vlan mapping" configuration above, the VLAN will be 900 everywhere in the switch configuration (other interfaces, SVIs, the vlan database, etc.) but will appear on the physical 4/7 port with a tag of 1005. (That is, right before transmission, the 900 will be replaced with 1005. And right after reception, the 1005 will be replaced with 900.) So ... in your configuration above, what happens is a frame is received with a tag of 1005, that's replaced with 900, and then the frame is discarded since vlan 900 is not allowed on the trunk. As a minimum, the following is needed:

interface GigabitEthernet4/7
 switchport trunk allowed vlan remove 1005
 switchport trunk allowed vlan add 900

You also need to make sure vlan 900 is configured on the switch (in the vlan database, etc.) and that you refer to it as vlan 900 anywhere else it's referenced (in SVIs, on other interfaces, etc.).

-- Brett From jeff-kell at utc.edu Mon May 26 12:26:40 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Mon, 26 May 2008 12:26:40 -0400 Subject: [c-nsp] VLAN 1005 Translation? In-Reply-To: <20080526.120749.74718245.sthaug@nethelp.no> References: <000001c8bf00$91571e10$b4055a30$@org> <1211794636.4340.10.camel@dusken.sys.mjna.net> <20080526.120749.74718245.sthaug@nethelp.no> Message-ID: <483AE4C0.1040503@utc.edu> sthaug at nethelp.no wrote: > Some of us have been telling Cisco for a long time that they need to > introduce a mode where the old historical baggage of special handling > for VLAN 1002 - 1005 is completely removed. Amen to that!
Jeff From jason at pins.net Mon May 26 15:48:15 2008 From: jason at pins.net (Jason Berenson) Date: Mon, 26 May 2008 15:48:15 -0400 Subject: [c-nsp] QoS ATM sub interface In-Reply-To: <9f785d120805231343u24f21a7jc6afd41f46482fac@mail.gmail.com> References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net> <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net> <9f785d120805231343u24f21a7jc6afd41f46482fac@mail.gmail.com> Message-ID: <483B13FF.607@pins.net> Nathan, et al, It turns out this may be a cisco bug. I have a ticket opened with TAC and will send an update when this is fixed in case anyone cares. -Jason Nathan wrote: > On Fri, May 23, 2008 at 2:31 PM, Robert Blayzor wrote: > >> On May 22, 2008, at 6:06 PM, Jason Berenson wrote: >> >>> 7206 NPE-G1 >>> PA-A3-OC3MM >>> c7200-is-mz.124-19.bin >>> > > I usually use IOS-es with a j instead of i, but I hope any 12.4 has QoS... > > >> Been down this path several times, so hopefully this helps. >> >> Have you tried using a hierarchal QoS policy? Also you may want to >> set your tx-ring-limit to the minimum, ie: 3 or you might have some >> jitter issues. >> >> That being said, you need to use a nested QoS policy, something like: >> > > This should not be necessary, since the ATM definition provides the > bandwidth. Maybe for the fair-queue, but... 
Jason, test without that
> :-)
>
> Here's what works for me (very slightly edited):
>
> class-map match-any routing
>  match dscp cs6 cs7
> class-map match-any voice
>  match dscp cs5 ef
>  match ip dscp 4
> class-map match-any af43
>  match ip dscp af43
>
> policy-map outgoingaf
>  class voice
>   priority percent 50
>  class af43
>   bandwidth percent 20
>  class routing
>   bandwidth percent 1
>  class class-default
>
> vc-class atm DSL-1
>  vbr-nrt 1280 1280 94
>  encapsulation aal5snap
>
> interface ATM3/0.xxx point-to-point
>  ip address x.x.x.x x.x.x.x
>  ip verify unicast reverse-path
>  pvc 1/xxx
>   class-vc DSL-1
>   service-policy output outgoingaf
>
> But I've often used access-lists and ISTR fair-queue without any
> problems (or when there was a problem I always had something in the
> logs).
>

From jason at pins.net Mon May 26 15:59:06 2008 From: jason at pins.net (Jason Berenson) Date: Mon, 26 May 2008 15:59:06 -0400 Subject: [c-nsp] VLAN 1005 Translation? In-Reply-To: <483AE4C0.1040503@utc.edu> References: <000001c8bf00$91571e10$b4055a30$@org> <1211794636.4340.10.camel@dusken.sys.mjna.net> <20080526.120749.74718245.sthaug@nethelp.no> <483AE4C0.1040503@utc.edu> Message-ID: <483B168A.8010308@pins.net> Brett, How about this scenario, we receive a GigE link from VZB for their TLS service on one of our 3560's. We have internal VRF vlans already in use for customers. If VZB drops customer A off as vlan 100 but we're already using vlan 200 for customer A, how would I map that through? I don't think there's a switchport vlan map command for the 3560's but there is a "switchport private-vlan mapping" command. Would that do what I want? Any tips/config snippets would be greatly appreciated. Thanks, Jason Jeff Kell wrote: > sthaug at nethelp.no wrote: > >> Some of us have been telling Cisco for a long time that they need to >> introduce a mode where the old historical baggage of special handling >> for VLAN 1002 - 1005 is completely removed. >> > > Amen to that!
> > Jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From jcartier at acs.on.ca Mon May 26 16:23:55 2008 From: jcartier at acs.on.ca (Jeff Cartier) Date: Mon, 26 May 2008 16:23:55 -0400 Subject: [c-nsp] Free MIB Browser? Message-ID: Just looking for some opinions of a good MIB Browser (Pref: Free) for Cisco equipment (including ONS). From hank at efes.iucc.ac.il Mon May 26 17:40:00 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 27 May 2008 00:40:00 +0300 Subject: [c-nsp] Free MIB Browser? In-Reply-To: Message-ID: <5.1.0.14.2.20080527003842.00b216d0@efes.iucc.ac.il> At 04:23 PM 26-05-08 -0400, Jeff Cartier wrote: >Just looking for some opinions of a good MIB Browser (Pref: Free) for >Cisco equipment (including ONS). I like Getif: http://www.wtcs.org/snmp4tpc/getif.htm -Hank From ml at t-b-o-h.net Mon May 26 19:29:30 2008 From: ml at t-b-o-h.net (Tuc at T-B-O-H.NET) Date: Mon, 26 May 2008 19:29:30 -0400 (EDT) Subject: [c-nsp] Free MIB Browser? In-Reply-To: Message-ID: <200805262329.m4QNTUTc030524@himinbjorg.tucs-beachin-obx-house.com> > > Just looking for some opinions of a good MIB Browser (Pref: Free) for > Cisco equipment (including ONS). 
> MBrowse if you have a compute platform that'll support it : http://www.kill-9.org/mbrowse/ Never used, but BlackOwl MIB Browser: http://sourceforge.net/projects/blackowl Maybe some others mentioned : http://linas.org/linux/NMS.html Tuc From hank at efes.iucc.ac.il Mon May 26 20:00:26 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 27 May 2008 03:00:26 +0300 Subject: [c-nsp] IPv6 duplicate address Message-ID: <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> When we did some line testing and did some loop testing on the link we got: %IPV6-4-DUPLICATE: Duplicate address FE80::215:2CFF:FE87:B240 on POS11/0/0 petach-tikva-gp# sho ipv6 int pos11/0/0 POS11/0/0 is up, line protocol is up IPv6 is stalled, link-local address is FE80::215:2CFF:FE87:B240 [DUP] Description: STM-16 to GEANT2 DE POP Global unicast address(es): 2001:798:14:10AA::1E, subnet is 2001:798:14:10AA::1C/126 [TEN] The interface entered the stall state and did not leave stalled state until IPv6 addressing was disabled and reenabled on the link. In: http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t2/ipv6/ftipv6c.htm#10168 Cisco states "An interface returning to administratively "up" restarts duplicate address detection for all of the unicast IPv6 addresses on the interface." It would appear if an interface goes from up (looped) to up (non-looped), IOS does not check for dup addresses and the interface stays stalled. Is this how it should be or is this an IOS bug (12.2(18)SXF11)? I know I can use "ipv6 nd dad attempts 5" but wanted to know whether I should open a TAC case for this. 
Thanks, Hank From mksmith at adhost.com Mon May 26 20:44:57 2008 From: mksmith at adhost.com (Michael Smith) Date: Mon, 26 May 2008 17:44:57 -0700 Subject: [c-nsp] IPv6 duplicate address In-Reply-To: <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> Message-ID: Hello Hank: > From: Hank Nussbacher > Date: Tue, 27 May 2008 03:00:26 +0300 > To: > Subject: [c-nsp] IPv6 duplicate address > > When we did some line testing and did some loop testing on the link we got: > %IPV6-4-DUPLICATE: Duplicate address FE80::215:2CFF:FE87:B240 on POS11/0/0 > > petach-tikva-gp# sho ipv6 int pos11/0/0 > POS11/0/0 is up, line protocol is up > IPv6 is stalled, link-local address is FE80::215:2CFF:FE87:B240 [DUP] > Description: STM-16 to GEANT2 DE POP > Global unicast address(es): > 2001:798:14:10AA::1E, subnet is 2001:798:14:10AA::1C/126 [TEN] > The interface entered the stall state and did not leave stalled state until > IPv6 addressing was disabled and reenabled on the link. > > In: > http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/ > 122t2/ipv6/ftipv6c.htm#10168 > Cisco states "An interface returning to administratively "up" restarts > duplicate address detection for all of the unicast IPv6 addresses on the > interface." It would appear if an interface goes from up (looped) to up > (non-looped), IOS does not check for dup addresses and the interface stays > stalled. Is this how it should be or is this an IOS bug (12.2(18)SXF11)? > > I know I can use "ipv6 nd dad attempts 5" but wanted to know whether I > should open a TAC case for this. > Why not disable it entirely? If you have a POS interface connected to another one directly, couldn't you set it to 0? 
Regards, Mike From loopback at ezxyz.com Mon May 26 21:56:19 2008 From: loopback at ezxyz.com (Loopback EZ) Date: Mon, 26 May 2008 20:56:19 -0500 Subject: [c-nsp] VRF BGP Instance over GRE Tunnel In-Reply-To: <20080526162153.GA13684@panix.com> References: <000001c8bf00$91571e10$b4055a30$@org> <20080526162153.GA13684@panix.com> Message-ID: <483B6A43.2080904@ezxyz.com> Have a strange situation that I need input on a viable design. The proposed network (Network Z) will be using a transit provider (Provider A) which has direct peer connections to Qwest, Level 3 and ATT all via the same BGP peering router; this provider also has direct links to Research and Education networks, and in this network all traffic has a BGP community tag indicating its source. The network that is being designed will provide access for general internet and R&E traffic. The goal is to be able to meter and rate limit all general internet access but not touch the R & E traffic. The rate limiting design should be effective in outgoing and incoming general internet traffic. Network Z members will establish an EBGP peering connection with the closest Network Z BGP border router. It is NOT an option to establish a direct connection to ATT, Level 3 etc at this time. One possible design would be to use two VRF entities in Network Z border BGP routers: VRF-1 would establish an EBGP peer with Provider A's nearest border BGP router (A-1) and accept all R & E networks via a filter on the community, VRF-2 would establish an EBGP peer with Provider A's BGP router (A-2) that has the Peer Connection with Qwest, ATT and Level 3 over a GRE tunnel. This connection would accept all routes other than R & E networks via the community filter. Members would then establish an EBGP session with both VRF entities.
Using the GRE tunnel should ensure that all "general internet" traffic would leave our network via the GRE tunnel and be handed off by Provider A directly to ATT, Level 3 and Qwest at Router A-2 since the route will have the most efficient path for the Network Z members. General R & E traffic will use Router A-1 as the most efficient. Return traffic from the internet should also follow this path since it will come via Provider A's connections and be directly inserted into the GRE tunnel at Router A-2. General R&E traffic should all follow the other path since it will follow private peering points between the R & E networks and not transit the general internet. An option would be to use Multi-Hop EBGP instead of the GRE tunnel but since the traffic would have to follow Provider A's IGP to actually forward the traffic it is unclear whether return traffic would be forwarded out the correct VRF since Network Z's prefix would be present. Please give me your comments, alternate suggestions, and thoughts. This is a very hacked up idea but not sure of any method that will accomplish the goal given that a direct ISP connection is not viable at this time. From cisco at ibctech.ca Mon May 26 23:19:01 2008 From: cisco at ibctech.ca (Steve Bertrand) Date: Mon, 26 May 2008 23:19:01 -0400 Subject: [c-nsp] IPv6 duplicate address In-Reply-To: References: Message-ID: <483B7DA5.3030109@ibctech.ca> >> In: >> http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/ >> 122t2/ipv6/ftipv6c.htm#10168 >> Cisco states "An interface returning to administratively "up" restarts >> duplicate address detection for all of the unicast IPv6 addresses on the >> interface." It would appear if an interface goes from up (looped) to up >> (non-looped), IOS does not check for dup addresses and the interface stays >> stalled. Is this how it should be or is this an IOS bug (12.2(18)SXF11)?
>> >> I know I can use "ipv6 nd dad attempts 5" but wanted to know whether I >> should open a TAC case for this. >> > > Why not disable it entirely? If you have a POS interface connected to > another one directly, couldn't you set it to 0? Hmmm. I don't think that this is the OP's point. If I'm not misunderstanding the problem, could this be an issue that either was missed in the framework of RFC 4861, or perhaps an implementation issue? I would think/hope that DAD under Neighbor Discovery would sort this out, and not permanently stall an interface. If anything, shouldn't the on-link interface expire the entry and then retry? What does the Neighbor Discovery neighbor cache show when this happens? (I don't know how to check this on a Cisco device, only on FreeBSD). I don't think this is how it should be, but perhaps I understand wrong. I would have thought that going from up (looped) to up (non-looped) or vise-versa (or up-down-up in general) would provide a ND cache reset, at least for the addresses attached to the on-link interface(s). Steve From hank at efes.iucc.ac.il Mon May 26 23:57:02 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 27 May 2008 06:57:02 +0300 (IDT) Subject: [c-nsp] IPv6 duplicate address In-Reply-To: References: Message-ID: On Mon, 26 May 2008, Michael Smith wrote: >> I know I can use "ipv6 nd dad attempts 5" but wanted to know whether I >> should open a TAC case for this. >> > > Why not disable it entirely? If you have a POS interface connected to > another one directly, couldn't you set it to 0? > > Regards, > > Mike Probably could, but if this is a bug or not working as specified via RFC, I'd like to open a TAC case. 
-Hank From gert at greenie.muc.de Tue May 27 02:16:15 2008 From: gert at greenie.muc.de (Gert Doering) Date: Tue, 27 May 2008 08:16:15 +0200 Subject: [c-nsp] IPv6 duplicate address In-Reply-To: <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> References: <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> Message-ID: <20080527061615.GC426@greenie.muc.de> Hi, On Tue, May 27, 2008 at 03:00:26AM +0300, Hank Nussbacher wrote: > When we did some line testing and did some loop testing on the link we got: > %IPV6-4-DUPLICATE: Duplicate address FE80::215:2CFF:FE87:B240 on POS11/0/0 > > petach-tikva-gp# sho ipv6 int pos11/0/0 > POS11/0/0 is up, line protocol is up > IPv6 is stalled, link-local address is FE80::215:2CFF:FE87:B240 [DUP] [..] > I know I can use "ipv6 nd dad attempts 5" but wanted to know whether I > should open a TAC case for this. I have seen this as well, and it's especially annoying if it happens as consequence of a link outage from the carrier (link going down, going into "loop" state, then coming back to "up") - if you're unlucky, a short glitch can kill your IPv6 on the line hard until you manually reset the interface. The current behaviour is pretty much a direct consequence from the RFC (DAD is mandatory), but I think that IOS could be a bit more smart about it, like "restart DAD every 5 minutes" or "recognize a looped->up transition on the interface, and then restart DAD". So - by all means, please open a TAC case. As a workaround, we have used "ipv6 nd dad attempts 5" on the specific line that gave us headaches - so we've never pressed the issue with Cisco. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available Url : https://puck.nether.net/pipermail/cisco-nsp/attachments/20080527/003fa654/attachment.bin From hank at efes.iucc.ac.il Tue May 27 02:18:49 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 27 May 2008 09:18:49 +0300 Subject: [c-nsp] IPv6 duplicate address In-Reply-To: <20080527061615.GC426@greenie.muc.de> References: <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> <5.1.0.14.2.20080527025233.00b1dc60@efes.iucc.ac.il> Message-ID: <5.1.0.14.2.20080527091815.00b00e90@efes.iucc.ac.il> At 08:16 AM 27-05-08 +0200, Gert Doering wrote: >I have seen this as well, and it's especially annoying if it happens >as consequence of a link outage from the carrier (link going down, going >into "loop" state, then coming back to "up") - if you're unlucky, a short >glitch can kill your IPv6 on the line hard until you manually reset the >interface. > >The current behaviour is pretty much a direct consequence from the RFC >(DAD is mandatory), but I think that IOS could be a bit more smart about >it, like "restart DAD every 5 minutes" or "recognize a looped->up >transition on the interface, and then restart DAD". > >So - by all means, please open a TAC case. > >As a workaround, we have used "ipv6 nd dad attempts 5" on the specific >line that gave us headaches - so we've never pressed the issue with Cisco. Opened TAC case. Will update after I have a bugid. -Hank From nicolist at securite.org Tue May 27 03:11:06 2008 From: nicolist at securite.org (Nicolas FISCHBACH) Date: Tue, 27 May 2008 09:11:06 +0200 Subject: [c-nsp] IOS Rootkit: the sky isn't falling (yet) Message-ID: <483BB40A.1040506@securite.org> I finally got to see Topo's presentation this week-end at PH-Neutral and discuss it with him and FX.
Given that the slides aren't online yet [1], that Core hasn't published Topo's technical paper on their website [2] yet either, and that I'm done replying to direct inquiries about it [3], here's a summary of the IOS rootkit saga and its impact on the Service Provider community (from my point of view :)

Topo spent a lot of time (and if you ever loaded an IOS image in IDA you know what I'm talking about) analyzing strings and functions in IOS. In his proof of concept he located the code doing the password check and adds a trampoline to his backdoor code (by saving parameters, gluing the two codes together, doing the "new" password check and returning properly to the main code path). Nice lesson on 101 hooking on IOS.

The (oversimplified) modus operandi is pretty straightforward: take an image, decompress it, have his tool locate the function and later patch it, add his code by overwriting large strings, (re)compress the image and (re)calculate/fix the checksums. Pretty neat. The fact that he doesn't do basic binary patching makes the approach portable and not architecture, version or feature set specific. This image then needs to be uploaded to the router and the device needs to be reloaded. This backdoor is persistent (vs the old backdoor trick using the TCL shell [4] which wasn't - or if you want to turn it into a non-volatile one it was easy to detect as in clear text in the startup/running configuration).

An alternative approach is to use gdb on the router (and combine it with a TCL script to make it easier) and patch on the fly. This is non-persistent, but some people don't want to leave traces as large as an IOS image behind :) Or another alternative approach: network boot the router via TFTP.

At the end of the day this is nothing new from a rootkit technology point of view, but it's in the IOS/router world.
He deserves credit to actually have researched this in depth and managed to make it work (it's much more difficult to achieve this on a mostly undocumented and large binary than on common OSes). Respect.

What's the best way to actually test this when you don't have the HW you ask ? Dynamips [9] is the answer.

As long as the rootkit isn't too advanced and e.g. also hooks the write/copy functions (e.g. an attacker could store the image diff on the system and play a "proper" memory dump or proper IOS back when you write core/copy to TFTP) then FX's CIR [7] is the forensics tool of choice. On platforms where the IOS image is stored on an external flash card forensics may be easier. Here's [8] a "screenshot" of CIR vs Topo.

So what's the impact today ? Topo's proof of concept doesn't bypass ACLs (rACLs, VTY ACLs), AAA, etc [yet], requires enable rights, a new image and a reload (or enable only if you do gdb-on-the-fly patching). In summary it's "noisy" and unless you bought the router on an auction site and/or download IOS from "alternative" sources you should notice (or probably deserve to get owned :) See the Cisco PSIRT response for best current practices on securing routers [10] and my old forensics presentation [3].

In the past FX [5] and Mike Lynn [6] proved that code execution is doable. This is a different approach. Can it be combined ? Probably. Is it much more complex ? Yes. Is it going to be architecture specific ? Probably.

Future developments ? I'm surprised people still focus on the IOS side of things and don't attack the bootrom code as it's smaller and usually never changed unless you bring in some new/unsupported hardware/features. IOS-XR is probably going to become a target too as it makes some of these things easier [11] but code signing may have to be broken/bypassed first. This has been done on other devices, so it's just one more layer to attack.

An alternative rootkit ?
Privilege level 16 used by the Lawful Intercept [12] feature could be abused to do some of this too. Or the other way around: use a "patched" IOS to keep an eye on Law Enforcement's operations on the router as privilege level 15 doesn't allow it and the only alternative is to sniff the traffic export.

I've probably missed some stuff (and got some stuff wrong), but this summary became way too long already and it's late. Feedback welcome!

[1] Dragos should post them soon here: http://www.eusecwest.com/
[2] Watch http://www.coresecurity.com/?module=ContentMod&action=news&id=papers
[3] Google "IOS rootkit" used to return the presentation below as first hit "Cisco Router Forensics" - http://www.securite.org/presentations/secip/
[4] http://seclists.org/bugtraq/2007/Nov/0384.html
[5] http://www.phenoelit-us.org/ultimaratio/index.html http://www.milw0rm.com/exploits/77
[6] http://cryptome.org/lynn-cisco.pdf
[7] http://cir.recurity.com/
[8] http://www.securite.org/nico/XP/CIRvsTopo.jpg
[9] http://www.ipflow.utc.fr/index.php/Cisco_7200_Simulator
[10] http://www.cisco.com/en/US/products/products_security_response09186a0080997783.html
[11] http://lists.darklab.org/pipermail/darklab/2005-August/000029.html
[12] http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/lawf_int.html

Nico. -- Nicolas FISCHBACH Senior Manager - Network Engineering/Security - COLT Telecom e:(nico at securite.org) w: From antonio.acuesta at dhl.com Tue May 27 03:31:56 2008 From: antonio.acuesta at dhl.com (Antonio Acuesta (DHL AU)) Date: Tue, 27 May 2008 15:31:56 +0800 Subject: [c-nsp] Cisco Call Manager Express. In-Reply-To: <20080430.203002.74745800.sthaug@nethelp.no> References: <6A200388CCDEE04485DA0BB2BA064E3103915AEA@TANGO.melita.local> <20080430.203002.74745800.sthaug@nethelp.no> Message-ID: <18ECC8BF0702EF47A4B1E089E91022DC3E9270@KULDCEX013.kul-dc.dhl.com> Hi, Just a simple question: How will I know the CME version using a command line? Thanks.
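Returning to Nico's IOS rootkit summary above: the step that matters for detection is that the attacker patches the image and then "(re)calculates/fixes the checksums", so the image still passes its own self-check. The following is an added example written for this archive page; it is not code from any post in the thread, from Topo's tool or from FX's CIR, and it does not use the real IOS image layout. It assumes a toy image format (body bytes followed by a 4-byte additive checksum), a constructed sample body, and a stand-in payload, and it shows that after the patch the internal checksum still verifies while a hash pinned outside the device (the vendor-published MD5/SHA value recorded before the image ever touched the router) does not.

```python
import hashlib
import struct

# Toy image layout, an assumption for this example (NOT the real IOS
# format): arbitrary body bytes followed by a 4-byte big-endian
# additive checksum over the body.
CHECKSUM_LEN = 4


def additive_checksum(body: bytes) -> int:
    """Sum of all body bytes mod 2**32: the kind of self-check an
    attacker can trivially recompute after patching."""
    return sum(body) & 0xFFFFFFFF


def build_image(body: bytes) -> bytes:
    """Append the checksum trailer to a body."""
    return body + struct.pack(">I", additive_checksum(body))


def internal_check_passes(image: bytes) -> bool:
    """What the device itself can verify: stored checksum matches body."""
    body, stored = image[:-CHECKSUM_LEN], image[-CHECKSUM_LEN:]
    return struct.unpack(">I", stored)[0] == additive_checksum(body)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pinned_check_passes(image: bytes, pinned_sha256: str) -> bool:
    """What an external reference catches: hash of the whole image vs. a
    value recorded before the image was exposed to the attacker."""
    return sha256_hex(image) == pinned_sha256


def find_padding_string(body: bytes, min_len: int) -> int:
    """Locate a run of printable bytes (a banner, help text) long enough
    to overwrite, as the post describes. Returns the offset or -1."""
    run_start, run_len = -1, 0
    for i, b in enumerate(body):
        if 0x20 <= b < 0x7F:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len >= min_len:
                return run_start
        else:
            run_len = 0
    return -1


def patch_and_fix(image: bytes, payload: bytes) -> bytes:
    """Overwrite a large string with payload, then fix the checksum so
    the image still passes its own integrity check (same length)."""
    body = bytearray(image[:-CHECKSUM_LEN])
    off = find_padding_string(bytes(body), len(payload))
    if off < 0:
        raise ValueError("no string region large enough for payload")
    body[off:off + len(payload)] = payload
    return build_image(bytes(body))


# Constructed sample "image": code-like bytes, one long string, more code.
SAMPLE_BODY = (
    bytes.fromhex("3c1c00013c1a8000279c7f" * 4)
    + b"Restricted Rights Legend: use of this software is subject to..."
    + bytes.fromhex("8f998010afbf001c")
)
GOOD_IMAGE = build_image(SAMPLE_BODY)
# Hash taken from the known-good copy before deployment (constructed here).
PINNED_SHA256 = sha256_hex(GOOD_IMAGE)
BACKDOOR = b'if(strcmp(pw,"c0re"))'  # stand-in for a trampoline, not real code


def demo() -> dict:
    evil = patch_and_fix(GOOD_IMAGE, BACKDOOR)
    return {
        "good_internal": internal_check_passes(GOOD_IMAGE),
        "good_pinned": pinned_check_passes(GOOD_IMAGE, PINNED_SHA256),
        "evil_internal": internal_check_passes(evil),   # still True
        "evil_pinned": pinned_check_passes(evil, PINNED_SHA256),  # False
        "same_length": len(evil) == len(GOOD_IMAGE),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The pinned check is the one a practitioner actually has: compare the MD5/SHA published on the vendor download page with a copy of the image taken off the box, or with `verify /md5` run before the image is ever loaded. As Nico notes, a rootkit that also hooks the copy/write paths can lie about what it hands back, which is why the reference hash must come from outside the device and be compared on a host you trust.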
From brad.henshaw at qcn.com.au Tue May 27 04:08:01 2008 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Tue, 27 May 2008 18:08:01 +1000 Subject: [c-nsp] Cisco Call Manager Express. In-Reply-To: <18ECC8BF0702EF47A4B1E089E91022DC3E9270@KULDCEX013.kul-dc.dhl.com> Message-ID: <3B0B088532A4A44C97875AA89AEF971B23E20B@qcnexc01.corp.qcn> Antonio Acuesta (DHL AU) wrote: > How will I know the CME version using a command line? show telephony-service Regards, Brad From hiromasa.sekiguchi at ctc-g.co.jp Tue May 27 06:37:34 2008 From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi) Date: Tue, 27 May 2008 19:37:34 +0900 Subject: [c-nsp] 802.1d-2004 Message-ID: <483BE46E.902@ctc-g.co.jp> Hi, Does catalyst switch implement 802.1d-2004? If yes, in which version was it implemented by new software feature? I'd like to know about cat6500-sup720. Regards, From lee.e.rian at census.gov Tue May 27 07:45:06 2008 From: lee.e.rian at census.gov (lee.e.rian at census.gov) Date: Tue, 27 May 2008 07:45:06 -0400 Subject: [c-nsp] Free MIB Browser? In-Reply-To: References: Message-ID: -----"Jeff Cartier" wrote: ----- >To: >From: "Jeff Cartier" >Sent by: cisco-nsp-bounces at puck.nether.net >Date: 05/26/2008 04:23PM >Subject: [c-nsp] Free MIB Browser? > >Just looking for some opinions of a good MIB Browser (Pref: Free) >for Cisco equipment (including ONS). I like net-snmp (http://net-snmp.sourceforge.net/). 
No GUI, so it's real easy to make scripts like

# $RKEY is the read community, $DEV the device; SNMP version comes from snmp.conf
chgTime=`/usr/local/bin/snmpget -c $RKEY -m CISCO-CONFIG-MAN-MIB -OqUtv $DEV CISCO-CONFIG-MAN-MIB::ccmHistoryRunningLastChanged.0`
savTime=`/usr/local/bin/snmpget -c $RKEY -m CISCO-CONFIG-MAN-MIB -OqUtv $DEV CISCO-CONFIG-MAN-MIB::ccmHistoryStartupLastChanged.0`
if [ $savTime -lt $chgTime ]; then
   printf "%-14s config needs to be saved %s %s\n" $DEV $chgTime $savTime
fi

to get a list of devices that need a "wr mem" and

/usr/local/bin/snmpbulkwalk -m CISCO-IMAGE-MIB -Oq $COMM $DEV ciscoImageString | \
/usr/bin/nawk -v dev=$DEV '
   $1 ~ /ciscoImageString/ {
      # the image mib returns info with each field separated by dollar signs!
      n = split($2,f,"$")
      if ( f[1] == "CW_IMAGE" )
         image = f[2]
      else if ( f[1] == "CW_FAMILY" )
         family = f[2]
      else if ( f[1] == "CW_FEATURE" )
         features = f[2]
      else if ( f[1] == "CW_VERSION" ) {
         ver = f[2]
         # strip the trailing space/comma left when the value was split on whitespace
         while ( substr(ver,length(ver),1) ~ /[ ,]/ )
            ver = substr(ver,1,length(ver)-1)
      }
      next
   }
   END {
      printf("%-18s %-14s %-10s %s\n", dev, ver, family, features)
      ver = family = features = "***"
   }
'

to get a quick inventory of what version of software your IOS devices are running.

Regards, Lee From achatz at forthnet.gr Tue May 27 08:12:56 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 27 May 2008 15:12:56 +0300 Subject: [c-nsp] QoS ATM sub interface In-Reply-To: <483B13FF.607@pins.net> References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net> <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net> <9f785d120805231343u24f21a7jc6afd41f46482fac@mail.gmail.com> <483B13FF.607@pins.net> Message-ID: <483BFAC8.60403@forthnet.gr> I had a similar problem on a 7200 running 12.2(14)S1. Although the service-policy was appearing under the atm vc, there wasn't any output produced with "sh policy-map int".
interface ATM6/0.1 point-to-point
 mtu 1500
 ip address x.x.x.x
 pvc 100/100
  abr 18000 2300
  oam-pvc manage
  encapsulation aal5snap
  service-policy output TEST

7200#sh policy-map int atm6/0.1
7200#
7200#sh policy-map int atm6/0.1
7200#

But after some mins it worked (!) without any change from my side.

7200#sh policy-map int atm6/0.1
 ATM6/0.1: VC 100/100 -
  Service-policy output: TEST
  ...
  ...
  ...

-- Tassos

Jason Berenson wrote on 26/5/2008 10:48 PM:
> Nathan, et al,
>
> It turns out this may be a cisco bug. I have a ticket opened with TAC
> and will send an update when this is fixed in case anyone cares.
>
> -Jason
>
> Nathan wrote:
>> On Fri, May 23, 2008 at 2:31 PM, Robert Blayzor wrote:
>>
>>> On May 22, 2008, at 6:06 PM, Jason Berenson wrote:
>>>
>>>> 7206 NPE-G1
>>>> PA-A3-OC3MM
>>>> c7200-is-mz.124-19.bin
>>>>
>> I usually use IOS-es with a j instead of i, but I hope any 12.4 has QoS...
>>
>>
>>> Been down this path several times, so hopefully this helps.
>>>
>>> Have you tried using a hierarchal QoS policy? Also you may want to
>>> set your tx-ring-limit to the minimum, ie: 3 or you might have some
>>> jitter issues.
>>>
>>> That being said, you need to use a nested QoS policy, something like:
>>>
>> This should not be necessary, since the ATM definition provides the
>> bandwidth. Maybe for the fair-queue, but...
Jason, test without that >> :-) >> >> Here's what works for me (very slightly edited): >> >> class-map match-any routing >> match dscp cs6 cs7 >> class-map match-any voice >> match dscp cs5 ef >> match ip dscp 4 >> class-map match-any af43 >> match ip dscp af43 >> >> policy-map outgoingaf >> class voice >> priority percent 50 >> class af43 >> bandwidth percent 20 >> class routing >> bandwidth percent 1 >> class class-default >> >> vc-class atm DSL-1 >> vbr-nrt 1280 1280 94 >> encapsulation aal5snap >> >> interface ATM3/0.xxx point-to-point >> ip address x.x.x.x x.x.x.x >> ip verify unicast reverse-path >> pvc 1/xxx >> class-vc DSL-1 >> service-policy output outgoingaf >> >> But I've often used access-lists and ISTR fair-queue without any >> problems (or when there was a problem I always had something in the >> logs). >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Tue May 27 08:13:47 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Tue, 27 May 2008 13:13:47 +0100 Subject: [c-nsp] Free MIB Browser? In-Reply-To: References: Message-ID: <483BFAFB.4060607@imperial.ac.uk> lee.e.rian at census.gov wrote: > -----"Jeff Cartier" wrote: ----- > >> To: >> From: "Jeff Cartier" >> Sent by: cisco-nsp-bounces at puck.nether.net >> Date: 05/26/2008 04:23PM >> Subject: [c-nsp] Free MIB Browser? >> >> Just looking for some opinions of a good MIB Browser (Pref: Free) >> for Cisco equipment (including ONS). > > I like net-snmp (http://net-snmp.sourceforge.net/). 
No GUI, so it's real > easy to make scripts like I think that's more or less the *opposite* of a MIB browser :o) Having said that - net-snmp past certain versions includes "snmptranslate" which is useful at the CLI: $ snmptranslate -Ib -Tp mpls +--mplsVpnMIB(118) | +--mplsVpnMIB#(0) | | | +--mplsVrfIfUp(1) | +--mplsVrfIfDown(2) | +--mplsNumVrfRouteMidThreshExceeded(3) | +--mplsNumVrfRouteMaxThreshExceeded(4) | +--mplsNumVrfSecIllegalLabelThreshExceeded(5) | +--mplsVpnNotifications(0) | +--mplsVpnObjects(1) | | | +--mplsVpnScalars(1) | | | | | +-- -R-- Gauge mplsVpnConfiguredVrfs(1) | | +-- -R-- Gauge mplsVpnActiveVrfs(2) | | +-- -R-- Gauge mplsVpnConnectedInterfaces(3) | | +-- -RW- EnumVal mplsVpnNotificationEnable(4) | | | Textual Convention: TruthValue | | | Values: true(1), false(2) | | +-- -R-- Gauge mplsVpnVrfConfMaxPossibleRoutes(5) | | | +--mplsVpnConf(2) | | | | | +--mplsVpnInterfaceConfTable(1) | | | | | | | +--mplsVpnInterfaceConfEntry(1) | | | | Index: mplsVpnVrfName, mplsVpnInterfaceConfIndex ...or to find an individual oid: $ snmptranslate -Ib -Tad mplsVpnInterfaceConfTable MPLS-VPN-MIB::mplsVpnInterfaceConfTable mplsVpnInterfaceConfTable OBJECT-TYPE -- FROM MPLS-VPN-MIB MAX-ACCESS not-accessible STATUS mandatory DESCRIPTION "This table specifies per-interface MPLS capability and associated information." ::= { iso(1) org(3) dod(6) internet(1) experimental(3) mplsVpnMIB(118) mplsVpnObjects(1) mplsVpnConf(2) 1 } From mgabi at ase.ro Tue May 27 08:20:17 2008 From: mgabi at ase.ro (Gabriel Mateiciuc) Date: Tue, 27 May 2008 15:20:17 +0300 Subject: [c-nsp] Router 1841 - IOS 12.4(19) - ipsec + nat - pptp behind nat not working Message-ID: <012401c8bff4$0627dba0$127792e0$@ro> Hello, Did anyone else hit the CSCsm34632 bug ? Quote Cisco: Symptoms: PPTP connection does not get established properly. Users are stuck in authentication phase Conditions: Occurs when PPTP server is behind a NAT router configured with a static NAT entry. 
Workaround: There is no workaround.

Has anyone found a work-around? I run IOS 12.4(19). Anyone tried to go back to some 12.3 version?

Any input would be appreciated.

Gabriel Mateiciuc
Academia de Studii Economice
Departamentul Rețele
Echipa Infrastructura

From freimer at ctiusa.com Tue May 27 08:39:52 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Tue, 27 May 2008 08:39:52 -0400
Subject: [c-nsp] 802.1d-2004
In-Reply-To: <483BE46E.902@ctc-g.co.jp>
References: <483BE46E.902@ctc-g.co.jp>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950297A697@EXCHANGE.ctiusa.com>

You know http://www.cisco.com has a search function. Searching for 6500 802.1d-2004 turns up this:

http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hiromasa Sekiguchi
> Sent: Tuesday, May 27, 2008 6:38 AM
> To: cisco-nsp
> Subject: [c-nsp] 802.1d-2004
>
> Hi,
>
> Does catalyst switch implement 802.1d-2004?
>
> If yes, in which version was it implemented by new software feature?
>
> I'd like to know about cat6500-sup720.
>
> Regards,

From rusiawan at ipv6.or.id Tue May 27 09:13:26 2008
From: rusiawan at ipv6.or.id (andi rusiawan)
Date: Tue, 27 May 2008 20:13:26 +0700
Subject: [c-nsp] CPU Utilization vs PPC Utilization ?
Message-ID: <8e4c9ac30805270613leb0af06maa5c3b3ab4ff71da@mail.gmail.com>

Hi,

I have a newbie question: what is the difference between CPU and PPC utilization?

Thanks.
--
Best Regards
-arsw-

From justin at justinshore.com Tue May 27 10:01:08 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 27 May 2008 09:01:08 -0500
Subject: [c-nsp] EoMPLS, 2800s & 7600 w/ 6700 linecards
In-Reply-To: <4835BFC0.6070709@justinshore.com>
References: <4835BFC0.6070709@justinshore.com>
Message-ID: <483C1424.2000903@justinshore.com>

Any takers? EoMPLS with an ISR on one end terminating the L2VPN in a VLAN for use on a NM-16ESW and a 7600 on the other end running SR with 6700 linecards doing sub-int based EoMPLS if needed. Any thoughts or opinions?

Muchas gracias
Justin

Justin Shore wrote:
> I have a customer wanting a new PtP circuit and I'm trying to figure out how to get it to them. We don't have the ability to build out a L2 path all the way to them without burning more fiber and that's just not scalable. I'm looking at other options, namely MPLS.
>
> Here's what I'm basically trying to figure out in case people don't want to read all the stuff below. 1) can I pick up a VLAN off of a 1Q trunk on a 6700 series linecard in a 7600 and use it for EoMPLS? I'd prefer to pick it up with a SVI but I could do the sub-int-based VLAN if needed. 2) can a 2800 terminate the xconnect in a VLAN that can be assigned to a NM-16ESW or HWIC? I'm planning on replacing the 2821 with a 7201 and a switch down the road so in the future I can also do the sub-int-based xconnect termination on the 7201's ints facing the switch. For EoMPLS is using sub-interfaces the most common implementation method with the hardware I have to work with?
>
> Here's the long version:
>
> I touch the customer with fiber using media converters attached to a NM-16ESW on a 2821. The 2821 is dual-homed to the 7600s in the CO off of the 2800's built-in GigE ports. The IGP is IS-IS but I'm working on putting customer prefixes into iBGP. I have not extended MPLS to the edge devices that can support it, yet.
> I figured though that this circuit would prompt me to do that. The circuit would be dropped a dozen miles away at another CO and handed to us on Ethernet. I'm working on another project to place a 15454 at each of the 2 COs and using Xponder cards to transport numerous GigE PtP links between the sites over a pair of 10G rings. I'm considering placing a single (or pair) 4948 at each site to combine lower bandwidth PtPs together before feeding a single GigE into an Xponder, ie not wasting expensive ports on the expensive Xponders.
>
> What I'm thinking about here is taking the PtP at the remote CO via Ethernet into a 4948 or Xponder on a specific VLAN. Then carrying that down to one of the 7600s (no DWDM filters at this time). Picking up that VLAN and sticking it in a L2VPN. Adding MPLS to the links between the 2821 and the 7600s. And finally dropping off that L2VPN on a VLAN on the 2821 assigned to a 1Q trunk on the NM-16ESW. Also, I'll add an 8 port 2960 or 3560 at the customer's site to break out the VLANs off the 1Q trunk and offer up individual links to the customer. I've learned through past dealings with the 6700 linecards in my 7600s that I have very limited MPLS capabilities to work with. How do I stuff a VLAN into a L2VPN from a 1Q trunk coming into a 6724-SFP or 6748-GE? Second, on the 2800, how do I terminate the L2VPN in a VLAN that I can use on the NM-16ESW? What's in the middle should be relatively easy. It's the edges that I'm struggling with.
>
> I see that 12.4(11)T added AToM support to the ISRs and it specifically mentioned "Ethernet to VLAN Mode" as an option. I'm running a more recent 12.4T release anyway so this should work fine. Unfortunately I haven't been able to find any implementation docs. All I can find are general docs or sales docs.
>
> http://www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a8728.html#wp1083948
>
> I may have the ability to place a ME3750 at the remote CO. If that happens then I should be able to do EoMPLS from that edge back to the 2800. I do not know if I'll be able to free up that ME3750 though. So I need to know if I can set up EoMPLS with VLANs on the 7600 and 2800 specifically. What's in the middle I'm less concerned about.
>
> Thanks
> Justin

From hiromasa.sekiguchi at ctc-g.co.jp Tue May 27 10:09:13 2008
From: hiromasa.sekiguchi at ctc-g.co.jp (Hiromasa Sekiguchi)
Date: Tue, 27 May 2008 23:09:13 +0900
Subject: [c-nsp] 802.1d-2004
In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950297A697@EXCHANGE.ctiusa.com>
References: <483BE46E.902@ctc-g.co.jp> <98B7739FB65BF04F9B3233AB842EEC950297A697@EXCHANGE.ctiusa.com>
Message-ID: <483C1609.5060705@ctc-g.co.jp>

Can we check which 802.1d is supported on a switch by command?
# 802.1d-1998 or 802.1d-2004

Regards,

Fred Reimer wrote [2008/05/27 21:39(JST)]:
> You know http://www.cisco.com has a search function. Searching for 6500 802.1d-2004 turns up this:
>
> http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
>
> HTH,
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hiromasa Sekiguchi
>> Sent: Tuesday, May 27, 2008 6:38 AM
>> To: cisco-nsp
>> Subject: [c-nsp] 802.1d-2004
>>
>> Hi,
>>
>> Does catalyst switch implement 802.1d-2004?
>>
>> If yes, in which version was it implemented by new software feature?
>>
>> I'd like to know about cat6500-sup720.
>>
>> Regards,

From mtinka at globaltransit.net Tue May 27 08:59:37 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 27 May 2008 20:59:37 +0800
Subject: [c-nsp] Interarea MPLS-TE
Message-ID: <200805272059.45186.mtinka@globaltransit.net>

Hi all.

As at early January, IOS did not support the MPLS-TE AutoRoute feature when used with interarea tunnels.

Just checking to find out whether this is still the case.

Cheers,

Mark.

From freimer at ctiusa.com Tue May 27 10:25:19 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Tue, 27 May 2008 10:25:19 -0400
Subject: [c-nsp] 802.1d-2004
In-Reply-To: <483C1609.5060705@ctc-g.co.jp>
References: <483BE46E.902@ctc-g.co.jp> <98B7739FB65BF04F9B3233AB842EEC950297A697@EXCHANGE.ctiusa.com> <483C1609.5060705@ctc-g.co.jp>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950297A711@EXCHANGE.ctiusa.com>

Sure, do a spanning-tree mode rapid. If it accepts it, then the switch supports Rapid STP; if not, then it doesn't ;-)

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: Hiromasa Sekiguchi [mailto:hiromasa.sekiguchi at ctc-g.co.jp]
> Sent: Tuesday, May 27, 2008 10:09 AM
> To: Fred Reimer
> Cc: cisco-nsp
> Subject: Re: [c-nsp] 802.1d-2004
>
> Can we check which 802.1d is supported on a switch by command?
> # 802.1d-1998 or 802.1d-2004
>
> Regards,
>
> Fred Reimer wrote [2008/05/27 21:39(JST)]:
> > You know http://www.cisco.com has a search function.
> > Searching for 6500 802.1d-2004 turns up this:
> >
> > http://www.cisco.com/en/US/tech/tk389/tk621/technologies_white_paper09186a0080094cfa.shtml
> >
> > HTH,
> >
> > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> > Senior Network Engineer
> > Coleman Technologies, Inc.
> > 954-298-1697
> >
> >
> >> -----Original Message-----
> >> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hiromasa Sekiguchi
> >> Sent: Tuesday, May 27, 2008 6:38 AM
> >> To: cisco-nsp
> >> Subject: [c-nsp] 802.1d-2004
> >>
> >> Hi,
> >>
> >> Does catalyst switch implement 802.1d-2004?
> >>
> >> If yes, in which version was it implemented by new software feature?
> >>
> >> I'd like to know about cat6500-sup720.
> >>
> >> Regards,

From philxor at gmail.com Tue May 27 10:30:15 2008
From: philxor at gmail.com (Phil Bedard)
Date: Tue, 27 May 2008 10:30:15 -0400
Subject: [c-nsp] EoMPLS, 2800s & 7600 w/ 6700 linecards
In-Reply-To: <483C1424.2000903@justinshore.com>
References: <4835BFC0.6070709@justinshore.com> <483C1424.2000903@justinshore.com>
Message-ID:

Sub-int EoMPLS works great, no idea about doing the same on the NM-16ESW. The ISR is a software-based platform and it should work on one of the built-in ports, but I don't know about the feature support/limitations when combined with the ESW modules.

Phil

On May 27, 2008, at 10:01 AM, Justin Shore wrote:

> Any takers? EoMPLS with an ISR on one end terminating the L2VPN in a VLAN for use on a NM-16ESW and a 7600 on the other end running SR with 6700 linecards doing sub-int based EoMPLS if needed. Any thoughts or opinions?
>
> Muchas gracias
> Justin
>
>
>
> Justin Shore wrote:
>> I have a customer wanting a new PtP circuit and I'm trying to figure out how to get it to them. We don't have the ability to build out a L2 path all the way to them without burning more fiber and that's just not scalable. I'm looking at other options, namely MPLS.
>>
>> Here's what I'm basically trying to figure out in case people don't want to read all the stuff below. 1) can I pick up a VLAN off of a 1Q trunk on a 6700 series linecard in a 7600 and use it for EoMPLS? I'd prefer to pick it up with a SVI but I could do the sub-int-based VLAN if needed. 2) can a 2800 terminate the xconnect in a VLAN that can be assigned to a NM-16ESW or HWIC? I'm planning on replacing the 2821 with a 7201 and a switch down the road so in the future I can also do the sub-int-based xconnect termination on the 7201's ints facing the switch. For EoMPLS is using sub-interfaces the most common implementation method with the hardware I have to work with?
>>
>> Here's the long version:
>>
>> I touch the customer with fiber using media converters attached to a NM-16ESW on a 2821. The 2821 is dual-homed to the 7600s in the CO off of the 2800's built-in GigE ports. The IGP is IS-IS but I'm working on putting customer prefixes into iBGP. I have not extended MPLS to the edge devices that can support it, yet. I figured though that this circuit would prompt me to do that. The circuit would be dropped a dozen miles away at another CO and handed to us on Ethernet. I'm working on another project to place a 15454 at each of the 2 COs and using Xponder cards to transport numerous GigE PtP links between the sites over a pair of 10G rings.
>> I'm considering placing a single (or pair) 4948 at each site to combine lower bandwidth PtPs together before feeding a single GigE into an Xponder, ie not wasting expensive ports on the expensive Xponders.
>>
>> What I'm thinking about here is taking the PtP at the remote CO via Ethernet into a 4948 or Xponder on a specific VLAN. Then carrying that down to one of the 7600s (no DWDM filters at this time). Picking up that VLAN and sticking it in a L2VPN. Adding MPLS to the links between the 2821 and the 7600s. And finally dropping off that L2VPN on a VLAN on the 2821 assigned to a 1Q trunk on the NM-16ESW. Also, I'll add an 8 port 2960 or 3560 at the customer's site to break out the VLANs off the 1Q trunk and offer up individual links to the customer. I've learned through past dealings with the 6700 linecards in my 7600s that I have very limited MPLS capabilities to work with. How do I stuff a VLAN into a L2VPN from a 1Q trunk coming into a 6724-SFP or 6748-GE? Second, on the 2800, how do I terminate the L2VPN in a VLAN that I can use on the NM-16ESW? What's in the middle should be relatively easy. It's the edges that I'm struggling with.
>>
>> I see that 12.4(11)T added AToM support to the ISRs and it specifically mentioned "Ethernet to VLAN Mode" as an option. I'm running a more recent 12.4T release anyway so this should work fine. Unfortunately I haven't been able to find any implementation docs. All I can find are general docs or sales docs.
>>
>> http://www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a8728.html#wp1083948
>>
>> I may have the ability to place a ME3750 at the remote CO. If that happens then I should be able to do EoMPLS from that edge back to the 2800. I do not know if I'll be able to free up that ME3750 though. So I need to know if I can set up EoMPLS with VLANs on the 7600 and 2800 specifically.
>> What's in the middle I'm less concerned about.
>>
>> Thanks
>> Justin

From justin at justinshore.com Tue May 27 11:22:05 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 27 May 2008 10:22:05 -0500
Subject: [c-nsp] EoMPLS, 2800s & 7600 w/ 6700 linecards
In-Reply-To:
References: <4835BFC0.6070709@justinshore.com> <483C1424.2000903@justinshore.com>
Message-ID: <483C271D.2040801@justinshore.com>

Morning, Phil. Unfortunately my 2 on-board ports are tied up and can't be retasked for this purpose (since you can only raise the MTU on the on-board ports on the ISRs and not the add-on ports, thus preventing any meaningful use of MPLS through the add-on ports). I found a doc that talked about EoMPLS to a VLAN on an ISR but unfortunately the doc had no technical text. It was all high-level product overview fluff. I know the ISRs have some EoMPLS capabilities but having been bit before assuming that a product would do something, I want to know exactly how to configure this before I tell sales that we can provide that service. If I can find example config from Cisco that shows the L2VPN terminating in a SVI and that VLAN then being used on a trunk on a L2 port then I can be reasonably confident that what I'm trying to do will work. I may try to test it myself later today to see if I can make it work. That may be easier than finding the right doc on cisco.com.

Thanks
Justin

Phil Bedard wrote:
> Sub-int EoMPLS works great, no idea about doing the same on the NM-16ESW.
> The ISR is a software-based platform and it should work on one of the built-in ports, but I don't know about the feature support/limitations when combined with the ESW modules.
>
>
> Phil
>
>
> On May 27, 2008, at 10:01 AM, Justin Shore wrote:
>
>> Any takers? EoMPLS with an ISR on one end terminating the L2VPN in a VLAN for use on a NM-16ESW and a 7600 on the other end running SR with 6700 linecards doing sub-int based EoMPLS if needed. Any thoughts or opinions?
>>
>> Muchas gracias
>> Justin
>>
>>
>>
>> Justin Shore wrote:
>>> I have a customer wanting a new PtP circuit and I'm trying to figure out how to get it to them. We don't have the ability to build out a L2 path all the way to them without burning more fiber and that's just not scalable. I'm looking at other options, namely MPLS.
>>>
>>> Here's what I'm basically trying to figure out in case people don't want to read all the stuff below. 1) can I pick up a VLAN off of a 1Q trunk on a 6700 series linecard in a 7600 and use it for EoMPLS? I'd prefer to pick it up with a SVI but I could do the sub-int-based VLAN if needed. 2) can a 2800 terminate the xconnect in a VLAN that can be assigned to a NM-16ESW or HWIC? I'm planning on replacing the 2821 with a 7201 and a switch down the road so in the future I can also do the sub-int-based xconnect termination on the 7201's ints facing the switch. For EoMPLS is using sub-interfaces the most common implementation method with the hardware I have to work with?
>>>
>>> Here's the long version:
>>>
>>> I touch the customer with fiber using media converters attached to a NM-16ESW on a 2821. The 2821 is dual-homed to the 7600s in the CO off of the 2800's built-in GigE ports. The IGP is IS-IS but I'm working on putting customer prefixes into iBGP. I have not extended MPLS to the edge devices that can support it, yet. I figured though that this circuit would prompt me to do that.
>>> The circuit would be dropped a dozen miles away at another CO and handed to us on Ethernet. I'm working on another project to place a 15454 at each of the 2 COs and using Xponder cards to transport numerous GigE PtP links between the sites over a pair of 10G rings. I'm considering placing a single (or pair) 4948 at each site to combine lower bandwidth PtPs together before feeding a single GigE into an Xponder, ie not wasting expensive ports on the expensive Xponders.
>>>
>>> What I'm thinking about here is taking the PtP at the remote CO via Ethernet into a 4948 or Xponder on a specific VLAN. Then carrying that down to one of the 7600s (no DWDM filters at this time). Picking up that VLAN and sticking it in a L2VPN. Adding MPLS to the links between the 2821 and the 7600s. And finally dropping off that L2VPN on a VLAN on the 2821 assigned to a 1Q trunk on the NM-16ESW. Also, I'll add an 8 port 2960 or 3560 at the customer's site to break out the VLANs off the 1Q trunk and offer up individual links to the customer. I've learned through past dealings with the 6700 linecards in my 7600s that I have very limited MPLS capabilities to work with. How do I stuff a VLAN into a L2VPN from a 1Q trunk coming into a 6724-SFP or 6748-GE? Second, on the 2800, how do I terminate the L2VPN in a VLAN that I can use on the NM-16ESW? What's in the middle should be relatively easy. It's the edges that I'm struggling with.
>>>
>>> I see that 12.4(11)T added AToM support to the ISRs and it specifically mentioned "Ethernet to VLAN Mode" as an option. I'm running a more recent 12.4T release anyway so this should work fine. Unfortunately I haven't been able to find any implementation docs. All I can find are general docs or sales docs.
>>>
>>> http://www.cisco.com/en/US/products/ps6441/prod_bulletin09186a00804a8728.html#wp1083948
>>>
>>> I may have the ability to place a ME3750 at the remote CO. If that happens then I should be able to do EoMPLS from that edge back to the 2800. I do not know if I'll be able to free up that ME3750 though. So I need to know if I can set up EoMPLS with VLANs on the 7600 and 2800 specifically. What's in the middle I'm less concerned about.
>>>
>>> Thanks
>>> Justin

From link at pobox.com Tue May 27 14:52:53 2008
From: link at pobox.com (Terje Bless)
Date: Tue, 27 May 2008 20:52:53 +0200
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?
Message-ID:

Hi all,

We're setting up a WAN connecting 12 main sites and maybe 100 smaller sites. Each of the main sites will have 1Gbps links and the smaller will have on the order of < 100Mbps (average will probably start closer to 10Mbps and possibly climb towards 100Mbps over time). All traffic over this WAN must be encrypted.

Given the (sparse, I know) information above, what model router would you suggest? Gut feeling? Experience?

I'm specifically looking at ASR1000 vs. 7200VXR vs. Cat6500/7600.

We're having a discussion internally where a lot of people are suggesting a 7206VXR, whereas I started out thinking along the lines of a 6500/7600 series box and am now leaning towards an ASR1000 series box as a sort of "compromise position"
(partly because the 7600 BU haven't got their act together on GET VPN support yet, and the 6500 folk only make vague mumbling noises about Q4/2008 with no real conviction).

I'm a bit sceptical about the 7200 series based on what little I've picked up about its architecture, performance, scalability, and probable useful lifespan (those 1Gbps pipes hopefully won't be saturated from Day 1, but...). Granted I've barely laid hands on one of those boxes, whereas I've worked quite a bit with 6500/7600 (I'm a LAN kind of guy at heart ;D), so I'm probably a bit biased.

My quick calculations suggest the 6500/7600 series will be overkill, but everything else will be somewhere between slightly oversubscribed (ASR1000: 10Gbps backplane / ~2.5Gbps encrypted IMIX) to very oversubscribed (7200VXR: 1.8Gbps backplane / 600Mbps encrypted IMIX)[0].

[0] These are the marketing numbers picked from /guest/ on CCO. The numbers quoted by our Cisco rep and various informal sources are... variable.

There's also a whole bunch of feature-support issues (QoS; we may need to run MPLS on top of this, or maybe beneath; GET is spec'ed, but DMVPN et al are still possibilities; plan is to use external ASA for FW, but may end up doing IOS Firewall; not planning on doing NAT, but a case might pop up; no need for IPv6, multicast, etc. today, but... etc. etc.), but I'm deliberately ignoring those for the purposes of this post.

Anyways, I'm a bit too green at choosing router iron on this scale to feel entirely confident in my assessment here. Any of you lot feel I'm way off? Agree with me? Think I should look at other boxes entirely?

TIA,
-link

PS. If "Help me pick a box please" messages are off-topic and known to agitate the natives, my apologies. I tried to find a FAQ and Google only came up with the thread back in ~2000 concluding c-nsp didn't need one. :-)

--
>I suggest you attend some sort of anger management class....
That's where you learn to upset the PHBs?
-- Peter da Silva

From mailinglists at unix-scripts.com Tue May 27 15:26:43 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Tue, 27 May 2008 12:26:43 -0700
Subject: [c-nsp] Cisco PfR
In-Reply-To:
References:
Message-ID:

Anybody?

> I'm looking to deploy PfR in my network. Right now the network is simple for the most part. Two 7206VXR-NPE-G2's each with an upstream connected, they are also linked to each other. Then both borders connect to my core/access layer which is a stack of 3750G's. OSPF is run between core and borders. With PfR how large of a router do I need to use as the master? Right now the network only pushes around 200mbit but the network total capacity is capable of pushing 4GB.
>
> ~Shaun

From sbr at infonet.ee Tue May 27 16:18:44 2008
From: sbr at infonet.ee (Konstantin Barinov)
Date: Tue, 27 May 2008 23:18:44 +0300
Subject: [c-nsp] C4948-10G power problems - FYI
Message-ID: <1386011056.20080527231844@infonet.ee>

Hello community,

Today experienced very strange C4948-10G failure, for your information.

It was a brand new box, in service for 3 weeks. Today it went off-line. Came to site and saw interesting situation - both AC power supplies had green light "Power IN" but both were red "Power OUT" and both power supplies smelled a well-known smell of fried electronics.

What is more interesting - both PSU's were connected to different APC SmartUPS 1500 units, and no power anomalies were logged by UPS'es.

I suspect a hardware design flaw, where internal problem in switch itself killed both power supplies.

Wow. Never saw anything like that. :(

br
--
Konstantin Barinov
INFONET AS, Tallinn, Estonia

From christian at visr.org Tue May 27 16:28:33 2008
From: christian at visr.org (Christian)
Date: Tue, 27 May 2008 16:28:33 -0400
Subject: [c-nsp] Cisco PfR
In-Reply-To:
References:
Message-ID: <9b62cf2f0805271328n33451abcg2eec2d51a35327f2@mail.gmail.com>

you should be fine...
fyi:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/prod_qas0900aecd806c4f03.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/product_data_sheet0900aecd806c4ee4.html

On Tue, May 27, 2008 at 3:26 PM, Shaun R. wrote:
> Anybody?
>
> > I'm looking to deploy PfR in my network. Right now the network is simple for the most part. Two 7206VXR-NPE-G2's each with an upstream connected, they are also linked to each other. Then both borders connect to my core/access layer which is a stack of 3750G's. OSPF is run between core and borders. With PfR how large of a router do I need to use as the master? Right now the network only pushes around 200mbit but the network total capacity is capable of pushing 4GB.
> >
> > ~Shaun
>

From rblayzor.bulk at inoc.net Tue May 27 16:32:53 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Tue, 27 May 2008 16:32:53 -0400
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?
In-Reply-To:
References:
Message-ID: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>

On May 27, 2008, at 2:52 PM, Terje Bless wrote:

> We're having a discussion internally where a lot of people are suggesting a 7206VXR, whereas I started out thinking along the lines of a 6500/7600 series box and am now leaning towards an ASR1000 series box as a sort of "compromise position" (partly because the 7600 BU haven't got their act together on GET VPN support yet, and the 6500 folk only make vague mumbling noises about Q4/2008 with no real conviction).

A 7206VXR even with a NPE-G2 will in no way be able to handle the traffic demands you're looking at.
I can't speak for the ASR, but if you're looking for multi-gigabit encrypted links I'd look at the 7600 with the IPSEC offload SIP/SPAs.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From DLasher at newedgenetworks.com Tue May 27 17:17:02 2008
From: DLasher at newedgenetworks.com (Lasher, Donn)
Date: Tue, 27 May 2008 14:17:02 -0700
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encryptedtraffic?
In-Reply-To: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>
References: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>
Message-ID:

>A 7206VXR even with a NPE-G2 will in no way be able to handle the traffic demands you're looking at. I can't speak for the ASR, but if you're looking for multi-gigabit encrypted links I'd look at the 7600 with the IPSEC offload SIP/SPAs.

At least on paper, the SA-VAM2, and C7200 VSA modules, in a 7200/NPE-G2 could at least make a good showing at what you're talking about here. The C7200 module goes into the "IO" slot in the front, and is on its own 600m bus, not shared with the slots. Stats look like this:

(http://www.cisco.com/en/US/partner/docs/ios/12_4t/12_4t11/ft_vsa1.html)
------------------
The VSA provides hardware-accelerated support for multiple encryption functions:

*128/192/256-bit AES in hardware
*DES standard mode with 56-bit key: Cipher Block Chaining (CBC)
*Performance to 900 Mbps encrypted throughput with 300-byte packets and 1000 tunnels
*5000 tunnels for DES/3DES/AES
*Secure Hash Algorithm1 (SHA-1) and Message Digest 5 (MD5) hash algorithms
*Rivest, Shamir, Adelman (RSA) public-key algorithm
*Diffie-Hellman Groups 1, 2 and 5
-----------------

I agree, a 6500/7600 chassis would scale better, but the 7200 could take a decent shot.

From rblayzor.bulk at inoc.net Tue May 27 18:29:10 2008
From: rblayzor.bulk at inoc.net (Robert Blayzor)
Date: Tue, 27 May 2008 18:29:10 -0400
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encryptedtraffic?
In-Reply-To:
References: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>
Message-ID:

On May 27, 2008, at 5:17 PM, Lasher, Donn wrote:

> At least on paper, the SA-VAM2, and C7200 VSA modules, in a 7200/NPE-G2 could at least make a good showing at what you're talking about here.

Good showing, are you serious?

"We're setting up a WAN connecting 12 main sites and maybe 100 smaller sites. Each of the main sites will have 1Gbps links and the smaller will have on the order of < 100Mbps (average will probably start closer to 10Mbps and possibly climb towards 100Mbps over time)."

12 x 1GE
100 X 100Mbps.

While I realize he may not be looking at wire speed throughput on every connection, considering an NPE-G2 is probably really only good for maybe a max of 500-800Mbps of "typical" traffic, and the lack of ports.... it's not even worth considering.

A 7206VXR might "get your foot in the door" as a proof of concept, with those requirements you'd be replacing it almost immediately.

--
Robert Blayzor, BOFH
INOC, LLC
rblayzor at inoc.net
http://www.inoc.net/~rblayzor/

From kgraham at industrial-marshmallow.com Tue May 27 18:29:52 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 27 May 2008 15:29:52 -0700 (PDT)
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encrypted traffic?
Message-ID: <654557.25178.qm@web906.biz.mail.mud.yahoo.com>

> We're setting up a WAN connecting 12 main sites and maybe 100 smaller sites. Each of the main sites will have 1Gbps links and the smaller will have on the order of < 100Mbps [...]
> All traffic over this WAN must be encrypted.

Is the WAN all direct PtP? Based on link speeds you cited, presumably this is ethernet? If yes to both of these, it might be worth bringing up 802.1AE/af with your account team, as old roadmaps suggested that it may be an option soon.

> Given the (sparse, I know) information above, what model router would you suggest? Gut feeling? Experience?
>
> I'm specifically looking at ASR1000 vs. 7200VXR vs. Cat6500/7600.

The VPN SPA's are probably the best approach if you're really touching those traffic levels, though the bump-in-the-wire config for them is awkward (and annoying, since presumably it could be managed internally to support 'tunnel protection'-style SA's). If you can cope w/ multiple tunnels (and devices) for the larger links, NPE-G2/VSA's will give you the most flexible solution from a redeployment and future configuration standpoint. For smaller sites still, ISR's could be used w/ the same configuration.

> I'm a bit sceptical about the 7200 series based on what little
> I've picked up about its architecture, performance, scalability,
> and probable useful lifespan (those 1Gbps pipes hopefully won't
> be saturated from Day 1, but...).

Yeah, the NPE-G2/VSA would be fine for a few of the smaller sites, but won't handle the main ones. The biggest problem is getting a consistent solution -- those would be great with the ASR1000's or 6500's for larger sites. With those 3 platforms you get 3 divergent branches of software. Since Cisco has touted this as a feature, rather than a temporary necessity, a uniform config for your different sites is inconsistent with their direction.

From agristina+cisco-nsp at gmail.com Tue May 27 18:56:42 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Tue, 27 May 2008 15:56:42 -0700
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encryptedtraffic?
In-Reply-To:
References: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>
Message-ID: <70bb1b8f0805271556o5c779041pee93cfa8191addd5@mail.gmail.com>

On Tue, May 27, 2008 at 3:29 PM, Robert Blayzor wrote:
> On May 27, 2008, at 5:17 PM, Lasher, Donn wrote:
>> At least on paper, the SA-VAM2, and C7200 VSA modules, in a 7200/NPE-
>> G2
>> could at least make a good showing at what you're talking about here.
>
> Good showing, are you serious?
>
> "We're setting up a WAN connecting 12 main sites and maybe 100
> smaller sites. Each of the main sites will have 1Gbps links and
> the smaller will have on the order of < 100Mbps (average will
> probably start closer to 10Mbps and possibly climb towards
> 100Mbps over time)."
>
> 12 x 1GE
> 100 X 100Mbps.
>
> While I realize he may not be looking at wire speed throughput on
> every connection, considering an NPE-G2 is probably really only good
> for maybe a max of 500-800Mbps of "typical" traffic, and the lack of
> ports.... it's not even worth considering.
>
> A 7206VXR might "get your foot in the door" as a proof of concept,
> with those requirements you'd be replacing it almost immediately.
>

I've looked at 10Gb IPSec throughput recently, and I'd say you'd be hard pressed on any platform. The current easiest/cost effective way to do it is to break out terminating the IPSec and switching and routing. Since you are multiple tunnels terminating to get 10Gb+ of encrypted traffic, this is easy. I'd look into the biggest ASAs (5580-40) for IPsec termination and then deal with routing/switching termination of your customers conventionally. I'd probably start with a few ASAs. The customer termination part I didn't follow closely enough to suggest hardware. It makes it easier to troubleshoot as well.

From DLasher at newedgenetworks.com Tue May 27 19:10:34 2008
From: DLasher at newedgenetworks.com (Lasher, Donn)
Date: Tue, 27 May 2008 16:10:34 -0700
Subject: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encryptedtraffic?
In-Reply-To:
References: <0AB3987F-A8C3-4F74-AE0C-B636131674B1@inoc.net>
Message-ID:

>> From: Robert Blayzor [mailto:rblayzor.bulk at inoc.net]
>> Subject: Re: [c-nsp] 7600 vs. 7200 vs. ASR1000 for multi-gigabit encryptedtraffic?
>> On May 27, 2008, at 5:17 PM, Lasher, Donn wrote:
>> At least on paper, the SA-VAM2, and C7200 VSA modules, in a 7200/NPE-
>> G2
>> could at least make a good showing at what you're talking about here.
> Good showing, are you serious?
> "We're setting up a WAN connecting 12 main sites and maybe 100
> smaller sites. Each of the main sites will have 1Gbps links and
> the smaller will have on the order of < 100Mbps (average will
> probably start closer to 10Mbps and possibly climb towards
> 100Mbps over time)."

As other posters have pointed out, you're talking about a couple of different roles. In a deployment this size, good design dictates more than (1) termination device at each site. "Smaller sites" would be completely fine with the VSA modules in the 7200. Depending on how many tunnels you wanted to terminate on each "Main" site, you could use 7200's there as well, with smaller numbers of tunnels per router. I suspect, however, it may not scale well, and the main sites would be better served with the 6500/7600 chassis.

From mailinglists at unix-scripts.com Tue May 27 19:53:32 2008
From: mailinglists at unix-scripts.com (Shaun)
Date: Tue, 27 May 2008 16:53:32 -0700
Subject: [c-nsp] Cisco PfR
In-Reply-To: <9b62cf2f0805271328n33451abcg2eec2d51a35327f2@mail.gmail.com>
References: <9b62cf2f0805271328n33451abcg2eec2d51a35327f2@mail.gmail.com>
Message-ID:

Doesn't look to help me out at all, I'm trying to figure out how large of a router I will need to be the master. It sounds like the master will have copies of the route table from each border so I assume I need a device with enough RAM to hold that. But what about throughput and CPU? I'm wondering if something small like a 2800 would work or if I need to get another 7206..

~Shaun

----- Original Message -----
From: Christian
To: Shaun R.
Cc: cisco-nsp at puck.nether.net
Sent: Tuesday, May 27, 2008 1:28 PM
Subject: Re: [c-nsp] Cisco PfR

you should be fine...
fyi:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/prod_qas0900aecd806c4f03.html
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/product_data_sheet0900aecd806c4ee4.html

On Tue, May 27, 2008 at 3:26 PM, Shaun R. wrote:
> Anybody?
>
> I'm looking to deploy PfR in my network. Right now the network is simple
> for the most part. two 7206VXR-NPE-G2's each with an upstream connected,
> they are also linked to eachother. Then both borders connect to my
> core/access layer which is a stack of 3750G's. OSPF is run between core
> and borders. With PfR how large of a router do i need to use as the master?
> Right now the network only pushes around 200mbit but the network total
> capacity is capable of pushing 4GB.
>
> ~Shaun

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From jason at pins.net Tue May 27 23:18:50 2008
From: jason at pins.net (Jason Berenson)
Date: Tue, 27 May 2008 23:18:50 -0400
Subject: [c-nsp] Frame to ATM
Message-ID: <483CCF1A.8080603@pins.net>

Greetings,

We just got a new Covad DS3 and ordered an end T1 as frame relay. The backhaul is ATM. Here's my network:

customer (dlci 16 and 17) --> covad cloud --> atm switch (0/xxx) --> atm switch (0/xxx) --> cisco 7206 (atm pvc)

Here's what I did on the customer router:

interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 frame-relay interface-dlci 17 ppp Virtual-Template17
!
interface Virtual-Template17
 ip address 10.3.4.210 255.255.255.252
!

Here's the core:

interface ATM3/0.26 point-to-point
 pvc 0/70
  ip addr inarp
  protocol ppp Virtual-Template1000
!
interface Virtual-Template1000
 ip address 10.3.4.209 255.255.255.252
!

I'm not sure if this is going to work yet. Has anyone done this before?
If so, does this look right?

Thanks,
Jason

From Joel.Snyder at Opus1.COM Tue May 27 23:40:41 2008
From: Joel.Snyder at Opus1.COM (Joel Snyder)
Date: Tue, 27 May 2008 20:40:41 -0700
Subject: [c-nsp] Frame to ATM
In-Reply-To: <483CCF1A.8080603@pins.net>
References: <483CCF1A.8080603@pins.net>
Message-ID: <483CD439.7050104@opus1.com>

We do our FR->ATM a little differently than normal ATM->ATM. I don't know if this is the most elegant way to do it, but here is a fragment on the ATM side that works.

interface ATM1/0.2037 point-to-point
 description PVC 34 to AirAuto 16/YBGA/001348 PVC 16
 bandwidth 1544
 ip address 207.182.63.117 255.255.255.252
 ip access-group FILTERFROMAIRAUTO in
 no snmp trap link-status
 pvc FR-Airauto 2/37
  vbr-rt 1544 1544
!

Compare this to a typical ATM->ATM (we have two kinds: dynamic and static):

interface ATM1/0.151 point-to-point
 description Don Trumbo/dynamic
 ip policy route-map SET-PRECEDENCE
 no snmp trap link-status
 pvc Don-Trumbo 1/151
  class-vc radsl-dynamic

vc-class atm radsl-dynamic
  encapsulation aal5mux ppp Virtual-Template2
!
vc-class atm radsl-static
  encapsulation aal5mux ppp Virtual-Template1

interface Virtual-Template1
 description Used for static-addressed DSL
 mtu 2048
 ip unnumbered FastEthernet2/0
 logging event subif-link-status
 ppp authentication pap
!
interface Virtual-Template2
 description Used for dynamic-addressed DSL
 mtu 2048
 ip unnumbered FastEthernet2/0
 logging event subif-link-status
 peer default ip address pool dsldynamic
 ppp authentication pap callin

Jason Berenson wrote:
> Greetings,
>
> We just got a new Covad DS3 and ordered an end T1 as frame relay. The
> backhaul is ATM. Here's my network:
>
> customer (dlci 16 and 17) --> covad cloud --> atm switch (0/xxx) --> atm
> switch (0/xxx) --> cisco 7206 (atm pvc)
>
> Here's what I did on the customer router:
>
> interface Serial0
> no ip address
> encapsulation frame-relay IETF
> no fair-queue
> frame-relay lmi-type ansi
> !
> interface Serial0.1 point-to-point
> frame-relay interface-dlci 17 ppp Virtual-Template17
> !
> interface Virtual-Template17
> ip address 10.3.4.210 255.255.255.252
> !
>
> Here's the core:
>
> interface ATM3/0.26 point-to-point
> pvc 0/70
> ip addr inarp
> protocol ppp Virtual-Template1000
> !
> interface Virtual-Template1000
> ip address 10.3.4.209 255.255.255.252
> !
>
> I'm not sure if this is going to work yet. Has anyone done this
> before? If so, does this look right?
>
> Thanks,
> Jason

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One Phone: +1 520 324 0494
jms at Opus1.COM http://www.opus1.com/jms

From cboyd at gizmopartners.com Tue May 27 23:39:05 2008
From: cboyd at gizmopartners.com (Chris Boyd)
Date: Tue, 27 May 2008 22:39:05 -0500
Subject: [c-nsp] Frame to ATM
In-Reply-To: <483CCF1A.8080603@pins.net>
References: <483CCF1A.8080603@pins.net>
Message-ID: <9865CB39-F5B7-4370-8E2F-B406FEA47F4B@gizmopartners.com>

On May 27, 2008, at 10:18 PM, Jason Berenson wrote:
> I'm not sure if this is going to work yet. Has anyone done this
> before? If so, does this look right?

It's been 15 years, and it doesn't look right. IIRC, you have to use FRATM and AAL5mux on the ATM side. May have to turn off keepalives on the frame side as well--memory is fuzzy on that.

--Chris

From jmaimon at ttec.com Wed May 28 01:05:10 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 28 May 2008 01:05:10 -0400
Subject: [c-nsp] Frame to ATM
In-Reply-To: <483CCF1A.8080603@pins.net>
References: <483CCF1A.8080603@pins.net>
Message-ID: <483CE806.1050200@ttec.com>

Jason Berenson wrote:
> Greetings,
>
> We just got a new Covad DS3 and ordered an end T1 as frame relay. The
> backhaul is ATM.
> Here's my network:

Covad will perform FRF ATM conversion for you. You just take the pvc and do your ip routing on it. Now if you want a multilink configuration, that's a bit different.

This is the simplest way to do it

CPE

conf t
int s0
 no ip addr
 enc fra IETF
 frame-relay lmi-type ansi
int s0.16 p
 ip address 10.3.4.210 255.255.255.252
 frame-relay interface-dlci 16
ip route 0.0.0.0 0.0.0.0 s0.16 10.3.4.209
end

CORE

conf t
int a3/0.70 p
 ip address 10.3.4.209 255.255.255.252
 pvc 0/70
end

>
> customer (dlci 16 and 17) --> covad cloud --> atm switch (0/xxx) --> atm
> switch (0/xxx) --> cisco 7206 (atm pvc)

Why dlci 16 and 17?

>
> Here's what I did on the customer router:
>
> interface Serial0
> no ip address
> encapsulation frame-relay IETF
> no fair-queue
> frame-relay lmi-type ansi
> !
> interface Serial0.1 point-to-point
> frame-relay interface-dlci 17 ppp Virtual-Template17

Why are you bothering with ppp?

> !
> interface Virtual-Template17
> ip address 10.3.4.210 255.255.255.252
> !
>
> Here's the core:
>
> interface ATM3/0.26 point-to-point
> pvc 0/70
> ip addr inarp
> protocol ppp Virtual-Template1000
> !
> interface Virtual-Template1000
> ip address 10.3.4.209 255.255.255.252

Why are you bothering with ppp? Just put the IP address on the subinterface.

> !
>
> I'm not sure if this is going to work yet. Has anyone done this
> before? If so, does this look right?
>
> Thanks,
> Jason

It's fairly common.

From mailinglists at unix-scripts.com Wed May 28 03:42:59 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Wed, 28 May 2008 00:42:59 -0700
Subject: [c-nsp] Both my borders crashed?
Message-ID:

Both my border routers look to have crashed at the same time. Anybody know why from this error? If not how can I find out what happened?
Both routers are 7206VXR-NPE-G2's

border2 uptime is 2 days, 19 hours, 20 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00 UTC Sun May 25 2008
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

border1 uptime is 2 days, 19 hours, 19 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26 UTC Fri Mar 30 2001
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

From b.turnbow at twt.it Wed May 28 04:14:18 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 28 May 2008 10:14:18 +0200
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID:

SegV exceptions are related to software issues, there is a doc on the cisco site on how to troubleshoot them. The short answer is you are going to need to change your ios release.

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun R.
Sent: mercoledì 28 maggio 2008 9.43
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Both my borders crashed?

Both my border routers look to have crashed at the same time. Anybody know why from this error? If not how can I find out what happened?
Both routers are 7206VXR-NPE-G2's

border2 uptime is 2 days, 19 hours, 20 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00 UTC Sun May 25 2008
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

border1 uptime is 2 days, 19 hours, 19 minutes
System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26 UTC Fri Mar 30 2001
System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

From b.turnbow at twt.it Wed May 28 05:01:30 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 28 May 2008 11:01:30 +0200
Subject: [c-nsp] Frame to ATM
In-Reply-To: <483CE806.1050200@ttec.com>
References: <483CCF1A.8080603@pins.net> <483CE806.1050200@ttec.com>
Message-ID:

One other thing to check into is if they will map oam to lmi (don't know about covad). That way you could use oam-pvc manage on the vcs to check end to end connectivity. Otherwise the ATM side will always be "up" even if the frame relay side is down.

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Maimon
Sent: mercoledì 28 maggio 2008 7.05
To: Jason Berenson
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Frame to ATM

Jason Berenson wrote:
> Greetings,
>
> We just got a new Covad DS3 and ordered an end T1 as frame relay. The
> backhaul is ATM. Here's my network:

Covad will perform FRF ATM conversion for you. You just take the pvc and do your ip routing on it. Now if you want a multilink configuration, that's a bit different.
From rodunn at cisco.com Wed May 28 07:29:51 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 28 May 2008 07:29:51 -0400
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID: <20080528112951.GE22337@rtp-cse-489.cisco.com>

Can you post a 'sh stack' from both of them? Also, always try to post the 'sh stack' in the crash decoder on CCO and see what you get.

Rodney

On Wed, May 28, 2008 at 12:42:59AM -0700, Shaun R. wrote:
> Both my border routers look to have crashed at the same time. Anybody know
> why from this error?
> If not how can i find out what happened? Both routers
> are 7206VXR-NPE-G2's
>
>
> border2 uptime is 2 days, 19 hours, 20 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00
> UTC Sun May 25 2008
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
>
> border1 uptime is 2 days, 19 hours, 19 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26
> UTC Fri Mar 30 2001
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

From hsa at ntt.net.id Wed May 28 08:36:01 2008
From: hsa at ntt.net.id (Hendry Sarumpaet)
Date: Wed, 28 May 2008 19:36:01 +0700
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID: <122597158.20080528193601@ntt.net.id>

Just FYI, we had a bad experience a year ago while running a Train release on NPE-G2; replacing it with 12.2-SB gave us a much better result.

--
hsa

Wednesday, May 28, 2008, 2:42:59 PM, you wrote:
> Both my border routers look to have crashed at the same time. Anybody know
> why from this error? If not how can i find out what happened?
> Both routers
> are 7206VXR-NPE-G2's
> border2 uptime is 2 days, 19 hours, 20 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00
> UTC Sun May 25 2008
> System image file is
> "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
> border1 uptime is 2 days, 19 hours, 19 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26
> UTC Fri Mar 30 2001
> System image file is
> "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

--
Best regards,

From justin at justinshore.com Wed May 28 09:00:02 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 28 May 2008 08:00:02 -0500
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID: <483D5752.1080803@justinshore.com>

Are these routers vulnerable to the regex DoS from last Winter/Fall? I forget what release addressed the issue but IIRC a ROM error was what the router gave when it booted back up. Do you allow public (or limited) route-server access on those boxes to anyone? Have you secured your boxes against the recent SSH DoS attacks?

Justin

Shaun R. wrote:
> Both my border routers look to have crashed at the same time. Anybody know
> why from this error? If not how can i find out what happened?
> Both routers
> are 7206VXR-NPE-G2's
>
>
> border2 uptime is 2 days, 19 hours, 20 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00
> UTC Sun May 25 2008
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
>
> border1 uptime is 2 days, 19 hours, 19 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26
> UTC Fri Mar 30 2001
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

From streiner at cluebyfour.org Wed May 28 09:34:31 2008
From: streiner at cluebyfour.org (Justin M. Streiner)
Date: Wed, 28 May 2008 09:34:31 -0400 (EDT)
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID:

On Wed, 28 May 2008, Shaun R. wrote:
> Both my border routers look to have crashed at the same time. Anybody know
> why from this error? If not how can i find out what happened? Both routers
> are 7206VXR-NPE-G2's
>
>
> border2 uptime is 2 days, 19 hours, 20 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00
> UTC Sun May 25 2008
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
>
> border1 uptime is 2 days, 19 hours, 19 minutes
> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26
> UTC Fri Mar 30 2001
> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"

Could be a memory corruption (software) issue, access violation (some process trying to scribble into a register that it's not allowed to touch), scribbling into the wrong memory region, etc... If you want to find out what caused this, your best bet is to go to the TAC. Considering both routers crashed with the same message, I'll bet it's a bug in that particular version of IOS. "T" train releases are where new features are introduced and allowed to bake for a while before being rolled into a mainline release.
As such, they can be more bug-prone and my advice has always been not to use T train releases on production routers unless there is absolutely no other choice.

It also looks like the clock on border1 is in need of an adjustment :)

jms

From djweis at internetsolver.com Wed May 28 10:26:38 2008
From: djweis at internetsolver.com (Dave Weis)
Date: Wed, 28 May 2008 09:26:38 -0500 (CDT)
Subject: [c-nsp] QoS ATM sub interface
In-Reply-To: <734461A6-7B04-4F72-83BD-D79F6FC64552@inoc.net>
References: <48349E43.2040902@pins.net> <9f785d120805212336g511d3348jbc3f53b772a66777@mail.gmail.com> <483590BE.1090103@pins.net> <9f785d120805221356x68af4599u120c716d1097ba28@mail.gmail.com> <4835EE52.1010603@pins.net> <635CB0D5-7CCD-4F52-9255-035DC3185161@inoc.net> <4836BC31.7040303@internetsolver.com> <734461A6-7B04-4F72-83BD-D79F6FC64552@inoc.net>
Message-ID:

On Fri, 23 May 2008, Robert Blayzor wrote:
> On May 23, 2008, at 8:44 AM, Dave Weis wrote:
>> We are using class-range for our PVC's and there is no method or pattern
>> to which speeds of customer will terminate on any specific VCI. How can
>> I make something like this work in a more general fashion?
>
> If you're using RADIUS you try enabling dbs and sending back some attributes:
>
> cisco-avpair atm:peak-cell-rate=1536
> cisco-avpair atm:sustainable-cell-rate=1536
> cisco-avpair atm:vc-qos-policy-out=max-voice

We are using radius, this would be the least painful. We have the speeds in the database and can pass them back via radius easily. Is most of this handled on the PA or will it cause a huge processor load increase? We are currently terminating to a PA-A3-OC3

> That would shape the VC's to vbr-nrt 1.5m and apply the QoS policy you want.
> (at least this is the way it works in 12.2SB)

I'll give that a try. Would it be reasonable to use priority queueing instead of basing QoS/allocation on bandwidth of the subinterfaces?
dave

--
Dave Weis djweis at internetsolver.com http://www.internetsolver.com/

From gert at greenie.muc.de Wed May 28 11:15:29 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 28 May 2008 17:15:29 +0200
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <4837FFA4.8010803@bromirski.net>
References: <1211602794_354303@mail1.tellurian.net> <4837FFA4.8010803@bromirski.net>
Message-ID: <20080528151528.GQ426@greenie.muc.de>

Hi,

On Sat, May 24, 2008 at 01:44:36PM +0200, Łukasz Bromirski wrote:
> VXR indeed added the TDM bus into the 7200 capabilities, which
> essentially means you can use 'connect' or 'cross-connect' commands in
> config mode to cross-connect DS0 between various PA/controllers and
> use DSP farming.

So what cards can make use of it? And *how* to do it?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From robert at tellurian.com Wed May 28 11:30:57 2008
From: robert at tellurian.com (Robert Boyle)
Date: Wed, 28 May 2008 11:30:57 -0400
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <20080528151528.GQ426@greenie.muc.de>
References: <1211602794_354303@mail1.tellurian.net> <4837FFA4.8010803@bromirski.net> <20080528151528.GQ426@greenie.muc.de>
Message-ID: <1211988673_137069@mail1.tellurian.net>

At 11:15 AM 5/28/2008, you wrote:
> On Sat, May 24, 2008 at 01:44:36PM +0200, Łukasz Bromirski wrote:
>> VXR indeed added the TDM bus into the 7200 capabilities, which
>> essentially means you can use 'connect' or 'cross-connect' commands in
>> config mode to cross-connect DS0 between various PA/controllers and
>> use DSP farming.
>
> So what cards can make use of it? And *how* to do it?

Not much and it's pretty useless. Nobody has been able to tell me how to do it. We use the cross-connect command all day long to connect ATM PVCs from one router to another router and another ATM circuit via IP. (simplified ATM-ATM MPLS sort of) For packet based traffic, it's easy. For ISDN PRI (clock dependent data) from one interface T3 to another T1, it doesn't work according to Cisco. If the MIX bus doesn't actually use the TDM backplane in the VXR is that just a vaporware "feature"? Is anyone using it to do anything? I'm just curious. Here's more info from Cisco about the MIX bus. It seems like a pretty useless feature. Why bother? Just use a crossover T1 cable between the two ports without using the router. If you are switching DS0s, why? That's only one voice channel and not enough data for anything other than maybe an ATM machine or credit card processor or a legacy text terminal app? If it can only switch within a single card, it isn't using the bus on the VXR. I don't get it. Does anyone else understand this more than I do or than the cisco tech below did?

-Robert

From: "Andrea XXXXXXXXX"
To:
Subject: SR XXXXXXXXXXX - TDM Bus in VXR
Date: Tue, 27 May 2008 17:55:10 -0600

Hello Robert,

Thank you for your patience. I did a research and in this case the only card that supports TDM cross connect (or drop and insert) is the PA-MCX-8TE1, and this feature only works on the ports (controllers) within the same MIX PA and not between the PAs.

In regards the dial-in modem questions, I would advise you to open a new TAC case since this technology is handled by a different group of engineers that will be able to answer your questions in regards the appropriate hardware for dial-in modem (terminating calls on a PRI).
Best Regards,

Andrea XXXXXXXXX
Cisco TAC Engineer
Multiservice Voice Team
Monday through Thursday 10:00 am - 7:00 pm Eastern Time (GMT-04:00)
Friday 12:00 pm - 9:00 pm Eastern Time (GMT-04:00)

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

From jmaimon at ttec.com Wed May 28 11:32:16 2008
From: jmaimon at ttec.com (Joe Maimon)
Date: Wed, 28 May 2008 11:32:16 -0400
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <20080528151528.GQ426@greenie.muc.de>
References: <1211602794_354303@mail1.tellurian.net> <4837FFA4.8010803@bromirski.net> <20080528151528.GQ426@greenie.muc.de>
Message-ID: <483D7B00.7070207@ttec.com>

Gert Doering wrote:
> Hi,
>
> On Sat, May 24, 2008 at 01:44:36PM +0200, Łukasz Bromirski wrote:
>> VXR indeed added the TDM bus into the 7200 capabilities, which
>> essentially means you can use 'connect' or 'cross-connect' commands in
>> config mode to cross-connect DS0 between various PA/controllers and
>> use DSP farming.
>
> So what cards can make use of it? And *how* to do it?
>
> gert
>

Last time I asked, I found that one of the things you could not make use of it for was to terminate analog dialup.
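The "Both my borders crashed?" thread above turns on two observations: both routers died at the same PC on the same image, which the replies read as one IOS bug rather than two independent faults, and border1's crash timestamp is from 2001, so its clock cannot be used to correlate events. The script below is an added example, not code from the thread or from Cisco; it parses the two 'show version' excerpts the poster quoted (embedded here as constructed sample input) and assumes the operator supplies the earliest plausible crash date for the clock check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the two 'show version' excerpts quoted in the
# thread, keyed by hostname.
SHOW_VERSION = {
    "border2": (
        "border2 uptime is 2 days, 19 hours, 20 minutes\n"
        "System returned to ROM by error - a SegV exception, PC 0x13EF030 "
        "at 05:05:00 UTC Sun May 25 2008\n"
        'System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"\n'
    ),
    "border1": (
        "border1 uptime is 2 days, 19 hours, 19 minutes\n"
        "System returned to ROM by error - a SegV exception, PC 0x13EF030 "
        "at 07:51:26 UTC Fri Mar 30 2001\n"
        'System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"\n'
    ),
}

# 'System returned to ROM by error - <reason>, PC <pc> at <hh:mm:ss> <tz> <date>'
RELOAD_RE = re.compile(
    r"System returned to ROM by error - (?P<reason>.+?), PC (?P<pc>0x[0-9A-Fa-f]+)"
    r" at (?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<date>\w{3} \w{3} \d{1,2} \d{4})"
)
IMAGE_RE = re.compile(r'System image file is "(?P<image>[^"]+)"')
UPTIME_RE = re.compile(
    r"uptime is (?:(?P<d>\d+) days?, )?(?:(?P<h>\d+) hours?, )?(?P<m>\d+) minutes?"
)


def parse_show_version(host, text):
    """Extract the crash signature from one router's 'show version' output.

    Returns None when the last reload was not an error (nothing to correlate).
    """
    m = RELOAD_RE.search(text)
    if m is None:
        return None
    img = IMAGE_RE.search(text)
    up = UPTIME_RE.search(text)
    uptime_min = 0
    if up:
        uptime_min = (int(up.group("d") or 0) * 1440
                      + int(up.group("h") or 0) * 60
                      + int(up.group("m")))
    crashed_at = datetime.strptime(
        f"{m.group('time')} {m.group('date')}", "%H:%M:%S %a %b %d %Y"
    )
    return {
        "host": host,
        "reason": m.group("reason"),
        "pc": int(m.group("pc"), 16),
        "crashed_at": crashed_at,
        "image": img.group("image") if img else None,
        "uptime_minutes": uptime_min,
    }


def shared_signatures(records):
    """Group crashes by (image, reason, PC).

    Several routers dying at the same PC on the same image is the pattern the
    thread reads as one IOS bug; independent hardware faults would not line up.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["image"], r["reason"], r["pc"])].append(r["host"])
    return {sig: sorted(hosts) for sig, hosts in groups.items() if len(hosts) > 1}


def suspect_clock(records, not_before):
    """Hosts whose crash timestamp predates a date the operator knows is
    impossible; border1's 2001 stamp is the case in the thread. Such a host's
    time cannot be correlated with the others except through its uptime."""
    return sorted(r["host"] for r in records if r["crashed_at"] < not_before)


def analyze(show_version_by_host, not_before_year=2008):
    """Run both checks. not_before_year is an assumed floor, not from the thread."""
    records = [parse_show_version(h, t) for h, t in show_version_by_host.items()]
    records = [r for r in records if r is not None]
    return {
        "shared": {f"{img} {reason} PC {pc:#x}": hosts
                   for (img, reason, pc), hosts in shared_signatures(records).items()},
        "bad_clock": suspect_clock(records, datetime(not_before_year, 1, 1)),
        "uptime_minutes": {r["host"]: r["uptime_minutes"] for r in records},
    }


if __name__ == "__main__":
    for key, value in analyze(SHOW_VERSION).items():
        print(f"{key}: {value}")
```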
From psirt at cisco.com Wed May 28 11:30:00 2008
From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team)
Date: Wednesday, 28 May 2008 10:30:00 -0500
Subject: [c-nsp] Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability
Message-ID: <200805281030.cw@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: CiscoWorks Common Services Arbitrary Code Execution Vulnerability

Advisory ID: cisco-sa-20080528-cw

Revision 1.0

For Public Release 2008 May 28 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CiscoWorks Common Services contains a vulnerability that could allow a remote attacker to execute arbitrary code.

Cisco has released free software updates that address this vulnerability.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20080528-cw.shtml.

Affected Products
=================

Vulnerable Products
+------------------

CiscoWorks Common Services versions 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1, and 3.1.1 are vulnerable. The following Cisco products that use CiscoWorks Common Services as their base are also affected by this vulnerability.
+---------------------------------------------------------+--------------------------+-------------------------+
| Product                                                 | Product Version          | Common Services Version |
|---------------------------------------------------------+--------------------------+-------------------------|
| Cisco Unified Operations Manager (CUOM)                 | 1.1                      | 3.0.3                   |
| Cisco Unified Operations Manager (CUOM)                 | 2.0                      | 3.0.3                   |
| Cisco Unified Operations Manager (CUOM)                 | 2.0.1                    | 3.0.5                   |
| Cisco Unified Operations Manager (CUOM)                 | 2.0.2                    | 3.0.5                   |
| Cisco Unified Operations Manager (CUOM)                 | 2.0.3                    | 3.0.5                   |
| Cisco Unified Service Monitor (CUSM)                    | 1.1                      | 3.0.3                   |
| Cisco Unified Service Monitor (CUSM)                    | 2.0                      | 3.0.4                   |
| Cisco Unified Service Monitor (CUSM)                    | 2.0.1                    | 3.0.5                   |
| CiscoWorks QoS Policy Manager (QPM)                     | 4.0, 4.0.1, and 4.0.2    | 3.0.5                   |
| CiscoWorks LAN Management Solution (LMS)                | 2.5, 2.5.1, 2.6          | 3.0.3                   |
| CiscoWorks LAN Management Solution (LMS)                | 2.6 Update               | 3.0.5                   |
| CiscoWorks LAN Management Solution (LMS)                | 3.0                      | 3.1                     |
| CiscoWorks LAN Management Solution (LMS)                | 3.0 December 2007 Update | 3.1.1                   |
| Cisco Security Manager (CSM)                            | 3.0                      | 3.0.3                   |
| Cisco Security Manager (CSM)                            | 3.0.1                    | 3.0.4                   |
| Cisco Security Manager (CSM)                            | 3.0.2                    | 3.0.5                   |
| Cisco Security Manager (CSM)                            | 3.1 and 3.1.1            | 3.0.5                   |
| Cisco Security Manager (CSM)                            | 3.2                      | 3.1                     |
| Cisco TelePresence Readiness Assessment Manager (CTRAM) | 1.0                      | 3.0.5                   |
+---------------------------------------------------------+--------------------------+-------------------------+

Note: CiscoWorks Voice Manager (CVM) and Cisco Unified Intelligent Contact Management (ICM) could be vulnerable if their underlying Common Services versions were upgraded.

Products Confirmed Not Vulnerable
+--------------------------------

Products that use CiscoWorks Common Services version 3.2 and later or Common Management Framework (CMF) version 2.2 are not vulnerable. The following CiscoWorks products are also not affected by this vulnerability:

+----------------------------------------------+-----------------+-------------------------+
| Product                                      | Product Version | Common Services Version |
|----------------------------------------------+-----------------+-------------------------|
| CiscoWorks IP Communications Manager         | 1.0             | 3.0 SP1                 |
| CiscoWorks IP Communications Service Monitor | 1.0             | 3.0 SP1                 |
+----------------------------------------------+-----------------+-------------------------+

Note: CiscoWorks Voice Manager (CVM) and Cisco Unified Intelligent Contact Management (ICM) could be vulnerable if their underlying Common Services versions were upgraded.

No other Cisco products are currently known to be affected by this vulnerability.

Details
=======

CiscoWorks Common Services represents a common set of management services that are shared by CiscoWorks applications. CiscoWorks is a family of products based on Internet standards for managing networks and devices. Many CiscoWorks products use and depend on Common Services.

CiscoWorks Common Services contains a vulnerability that could allow a remote attacker to execute arbitrary code.
This vulnerability is documented in Cisco Bug ID CSCsm77245, and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2008-2054.

Vulnerability Scoring Details
=============================

Cisco has provided scores for the vulnerability in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding CVSS at:

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at:

http://intellishield.cisco.com/security/alertmanager/cvss

* CSCsm77245 - CiscoWorks URL Misbehavior

CVSS Base Score - 9.3
  Access Vector -           Network
  Access Complexity -       Medium
  Authentication -          None
  Confidentiality Impact -  Complete
  Integrity Impact -        Complete
  Availability Impact -     Complete

CVSS Temporal Score - 7.7
  Exploitability -          Functional
  Remediation Level -       Official-Fix
  Report Confidence -       Confirmed

Impact
======

Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the user client machine.

Software Versions and Fixes
===========================

Cisco has released free software updates that address these vulnerabilities. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment.
This vulnerability has been corrected in CiscoWorks Common Services version 3.2 and in the following software patches:

  cwcs3.x-sol-CSCsm77245-0.tar.gz - for Solaris versions
  cwcs3.x-win-CSCsm77245-0.zip    - for Windows versions

The CiscoWorks Common Services patches can be downloaded from:

http://www.cisco.com/pcgi-bin/tablebuild.pl/cw2000-cd-one

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

Filters such as Transit ACLs (tACLs) can be used to allow access to the Administration Workstation from only trusted hosts. Filters that deny HTTP and HTTPS packets using TCP port 443 and TCP port 1741 should be deployed throughout the network as part of a tACL policy to protect the network from traffic that enters the network at ingress access points. This policy should be configured to protect the network device where the filter is applied and other devices that are behind it. Filters for HTTPS packets that use TCP port 443 and TCP port 1741 should also be deployed in front of vulnerable network devices so only traffic from trusted clients is allowed.
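The tACL policy described above, modelled as an added example (this is not Cisco's text or a Cisco tool): it renders an IOS-style extended ACL that admits TCP/443 and TCP/1741 to the CiscoWorks server only from trusted management hosts, and evaluates sample flows with first-match semantics so the policy can be checked before it is pushed to a router. The server address, the trusted hosts, the ACL name and the trailing "permit ip any any" placeholder for the rest of a site's policy are all constructed assumptions.

```python
"""Model of the tACL workaround in cisco-sa-20080528-cw.

Added example, not part of the advisory: builds the ACL as a list of
entries, renders it in IOS syntax, and evaluates flows the way IOS does
(first matching entry wins, implicit deny at the end). All addresses
below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Ports named in the advisory's Workarounds section.
CISCOWORKS_PORTS = (443, 1741)


@dataclass(frozen=True)
class Ace:
    """One access-control entry: TCP to dport, or any IP when dport is None."""
    action: str            # "permit" or "deny"
    src: str               # CIDR or "any"
    dst: str               # CIDR or "any"
    dport: Optional[int]   # destination TCP port, None = any protocol/port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (_in(self.src, src_ip) and _in(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))

    def render(self) -> str:
        if self.dport is None:
            return f"{self.action} ip {_ios(self.src)} {_ios(self.dst)}"
        return f"{self.action} tcp {_ios(self.src)} {_ios(self.dst)} eq {self.dport}"


def _in(cidr: str, ip: str) -> bool:
    return cidr == "any" or ip_address(ip) in ip_network(cidr, strict=False)


def _ios(cidr: str) -> str:
    """IOS address syntax: 'any', 'host a.b.c.d', or 'network wildcard'."""
    if cidr == "any":
        return "any"
    net = ip_network(cidr, strict=False)
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_tacl(server: str, trusted: List[str]) -> List[Ace]:
    """Trusted hosts may reach the CiscoWorks ports; everyone else is denied
    on those ports; other traffic falls through to the rest of the site's
    tACL policy, stood in for here by a placeholder permit."""
    acl = [Ace("permit", h, server, p) for h in trusted for p in CISCOWORKS_PORTS]
    acl += [Ace("deny", "any", server, p) for p in CISCOWORKS_PORTS]
    acl.append(Ace("permit", "any", "any", None))  # placeholder for site policy
    return acl


def evaluate(acl: List[Ace], src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching entry wins; IOS denies anything no entry matched."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip, dport):
            return ace.action
    return "deny"


def render_acl(name: str, acl: List[Ace]) -> str:
    return "\n".join([f"ip access-list extended {name}"]
                     + [" " + a.render() for a in acl])


if __name__ == "__main__":
    server = "192.0.2.10/32"                           # constructed CiscoWorks server
    trusted = ["198.51.100.5/32", "198.51.100.0/28"]   # constructed admin hosts
    acl = build_tacl(server, trusted)
    print(render_acl("CW-MGMT-TACL", acl))
    for flow in [("198.51.100.5", "192.0.2.10", 443),   # admin host, allowed
                 ("203.0.113.9", "192.0.2.10", 1741),   # untrusted, blocked
                 ("203.0.113.9", "192.0.2.10", 25)]:    # untouched by workaround
        print(flow, "->", evaluate(acl, *flow))
```

The deny entries for the two CiscoWorks ports sit after the trusted-host permits and before anything else, which is the ordering the advisory's wording implies; running candidate flows through evaluate() before deployment catches the common mistake of placing a broad permit ahead of them.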
Note: Additional information about tACLs is available in "Transit Access Control Lists: Filtering at Your Edge":

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801afc76.shtml

For additional information on XSS attacks and the methods used to exploit these vulnerabilities, please refer to the Cisco Applied Intelligence Response "Understanding Cross-Site Scripting (XSS) Threat Vectors", available at:

http://www.cisco.com/warp/public/707/cisco-amb-20060922-understanding-xss.shtml

Obtaining Fixed Software
========================

Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml.

Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory.
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac at cisco.com

Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages.

Exploitation and Public Announcements
=====================================

The Cisco PSIRT team is not aware of any public announcements or malicious use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by Dave Lewis from Liquidmatrix.org. Cisco PSIRT greatly appreciates the opportunity to work with researchers on security vulnerabilities, and we welcome the opportunity to review and assist in product reports.
Status of this Notice: FINAL

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors.

Distribution
============

This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20080528-cw.shtml

In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients.

  * cust-security-announce at cisco.com
  * first-teams at first.org
  * bugtraq at securityfocus.com
  * vulnwatch at vulnwatch.org
  * cisco at spot.colorado.edu
  * cisco-nsp at puck.nether.net
  * full-disclosure at lists.grok.org.uk
  * comp.dcom.sys.cisco at newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates.

Revision History
================

+--------------+-------------+------------------------+
| Revision 1.0 | 2008-May-28 | Initial public release |
+--------------+-------------+------------------------+

Cisco Security Procedures
=========================

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html.
This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

-----BEGIN PGP SIGNATURE-----

iD8DBQFIPXfg86n/Gc8U/uARAixwAJ9TWDByyM82Z1CP3+PST5nyEWif1wCePmhh
VaI8iTxea7p+Zh3imAkhDgs=
=kqQb
-----END PGP SIGNATURE-----

From gert at greenie.muc.de Wed May 28 11:42:56 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 28 May 2008 17:42:56 +0200
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <483D7B00.7070207@ttec.com>
References: <1211602794_354303@mail1.tellurian.net> <4837FFA4.8010803@bromirski.net> <20080528151528.GQ426@greenie.muc.de> <483D7B00.7070207@ttec.com>
Message-ID: <20080528154256.GR426@greenie.muc.de>

Hi,

On Wed, May 28, 2008 at 11:32:16AM -0400, Joe Maimon wrote:
> Last time I asked, I found that one of the things you could not make use
> of it for was to terminate analog dialup.

I'm not *that* interested in "things you can *not* make use of it"... :-)

... but really wondering if there *is* anything that uses the TDM bus...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From mailinglists at unix-scripts.com Wed May 28 13:10:20 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Wed, 28 May 2008 10:10:20 -0700
Subject: [c-nsp] Both my borders crashed?
In-Reply-To: <20080528112951.GE22337@rtp-cse-489.cisco.com>
References: <20080528112951.GE22337@rtp-cse-489.cisco.com>
Message-ID:

Thanks, I ran the sh stack through that tool and it gave me 3 possibilities which were rated over .90, and according to them anything over .90 is probably the cause. Looks like this version I'm running has a few issues. I'm going to bump up and see if this corrects my problem!

~Shaun

From mailinglists at unix-scripts.com Wed May 28 13:16:31 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Wed, 28 May 2008 10:16:31 -0700
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID:

Thanks, ya the clock on border1 is fixed now, I thought I had it syncing with ntp.

What release would you recommend? IOS Upgrade Planner shows only T and XD.

~Shaun

"Justin M. Streiner" wrote in message news:Pine.LNX.4.64.0805280927570.13485 at whammy.cluebyfour.org...
> On Wed, 28 May 2008, Shaun R. wrote:
>
>> Both my border routers look to have crashed at the same time. Anybody know
>> why from this error? If not how can I find out what happened? Both routers
>> are 7206VXR-NPE-G2's
>>
>> border2 uptime is 2 days, 19 hours, 20 minutes
>> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 05:05:00 UTC Sun May 25 2008
>> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
>>
>> border1 uptime is 2 days, 19 hours, 19 minutes
>> System returned to ROM by error - a SegV exception, PC 0x13EF030 at 07:51:26 UTC Fri Mar 30 2001
>> System image file is "bootflash:c7200p-advipservicesk9-mz.124-15.T1.bin"
>
> Could be a memory corruption (software) issue, access violation (some
> process trying to scribble into a register that it's not allowed to
> touch), scribbling into the wrong memory region, etc...
>
> If you want to find out what caused this, your best bet is to go to the
> TAC.
> Considering both routers crashed with the same message, I'll bet
> it's a bug in that particular version of IOS. "T" train releases are
> where new features are introduced and allowed to bake for awhile before
> being rolled into a mainline release. As such, they can be more bug-prone
> and my advice has always been not to use T train releases on production
> routers unless there is absolutely no other choice.
>
> It also looks like the clock on border1 is in need of an adjustment :)
>
> jms
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From rodunn at cisco.com Wed May 28 14:26:39 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 28 May 2008 14:26:39 -0400
Subject: [c-nsp] Both my borders crashed?
In-Reply-To:
References:
Message-ID: <20080528182639.GN24979@rtp-cse-489.cisco.com>

12.4(15)T4.

On Wed, May 28, 2008 at 10:16:31AM -0700, Shaun R. wrote:
> Thanks, ya the clock on border1 is fixed now, I thought I had it syncing with
> ntp.
>
> What release would you recommend, IOS Upgrade Planner shows only T and XD
>
> ~Shaun

From squid at oranged.to Wed May 28 14:33:38 2008
From: squid at oranged.to (Jimmy Stewpot)
Date: Wed, 28 May 2008 19:33:38 +0100
Subject: [c-nsp] 6500 diagnosing performance problems
Message-ID: <483DA582.4010002@oranged.to>

Hello,

I am interested to know if anyone has any good resources or references that I can read in regards to diagnosing performance problems on the 6500 or any Cisco switching platform. The reason I ask this is that we are currently experiencing performance problems with customers connected to the same blade communicating on that blade. If we move the servers onto other blades on the same switch we continue to see performance problems. I would like to know how I can go about learning to fix this type of problem.

Any additional info would be greatly appreciated.

Regards,

Jimmy

From MLouis at nwnit.com Wed May 28 14:39:54 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Wed, 28 May 2008 14:39:54 -0400
Subject: [c-nsp] 6500 diagnosing performance problems
In-Reply-To: <483DA582.4010002@oranged.to>
References: <483DA582.4010002@oranged.to>
Message-ID:

What type of supervisor and cards are you using in this setup?
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jimmy Stewpot
Sent: Wednesday, May 28, 2008 2:34 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 6500 diagnosing performance problems

Hello,

I am interested to know if anyone has any good resources or references that I can read in regards to diagnosing performance problems on the 6500 or any Cisco switching platform. The reason I ask this is that we are currently experiencing performance problems with customers connected to the same blade communicating on that blade. If we move the servers onto other blades on the same switch we continue to see performance problems. I would like to know how I can go about learning to fix this type of problem.

Any additional info would be greatly appreciated.

Regards,

Jimmy
From freimer at ctiusa.com Wed May 28 14:51:36 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Wed, 28 May 2008 14:51:36 -0400
Subject: [c-nsp] 6500 diagnosing performance problems
In-Reply-To: <483DA582.4010002@oranged.to>
References: <483DA582.4010002@oranged.to>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950297AC43@EXCHANGE.ctiusa.com>

You need to understand the architecture of the 6500 platform in order to begin troubleshooting this on your own. I would suggest you create a TAC case and have them assist - that is what they are there for and what you pay maintenance fees for. If you don't want to, or can't because you don't have a contract, then you can start by looking at the following:

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_white_paper0900aecd80673385.html

I found this by typing in "6500 architecture" on the Cisco.com web site front page. It was the first result, go figure.

HTH,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jimmy Stewpot
> Sent: Wednesday, May 28, 2008 2:34 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 6500 diagnosing performance problems
>
> Hello,
>
> I am interested to know if anyone has any good resources or references
> that I can read in regards to diagnosing performance problems on the
> 6500 or any cisco switching platform. The reason I ask this is that we
> are currently experiencing performance problems with customers
> connected
> to the same blade communicating on that blade. If we move the servers
> onto other blades on the same switch we continue to see performance
> problems. I would like to know how I can go about learning to fix this
> type of problem.
>
> Any additional info would be greatly appreciated.
>
> Regards,
>
> Jimmy

From j1010y at gmail.com Wed May 28 15:12:46 2008
From: j1010y at gmail.com (Jay Young)
Date: Wed, 28 May 2008 15:12:46 -0400
Subject: [c-nsp] DFC3CXL
Message-ID: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>

Can anyone confirm if the DFC3CXL is supported on:

WS-X6704-10GE
WS-X6748-SFP

I thought they were supported on all CEF720 cards but

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0adtrcrd.html

seems to indicate they are not.

Thanks,
Jay

From achatz at forthnet.gr Wed May 28 15:43:36 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 28 May 2008 22:43:36 +0300
Subject: [c-nsp] DFC3CXL
In-Reply-To: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
Message-ID: <483DB5E8.6080109@forthnet.gr>

They work fine ;)
I guess someone forgot to update that (and many other) doc(s).

--
Tassos

Jay Young wrote on 28/5/2008 10:12:
> Can anyone confirm if the DFC3CXL is supported on:
>
> WS-X6704-10GE
> WS-X6748-SFP
>
> I thought they were supported on all CEF720 cards but
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0adtrcrd.html
>
> seems to indicate they are not.
>
> Thanks,
> Jay

From aakhter at cisco.com Wed May 28 15:45:43 2008
From: aakhter at cisco.com (Aamer Akhter (aakhter))
Date: Wed, 28 May 2008 15:45:43 -0400
Subject: [c-nsp] Cisco PfR
In-Reply-To:
References: <9b62cf2f0805271328n33451abcg2eec2d51a35327f2@mail.gmail.com>
Message-ID:

Hi Shaun,

Take a look at the SRND for PfR (there are scale numbers in there):

http://www.cisco.com/application/pdf/en/us/guest/netsol/ns483/c649/ccmigration_09186a008094e673.pdf

Generally, the MC limitations are coming from the number of controlled traffic classes (not the total number of routes). For internet facing BRs, we recommend a separate MC.

Regards,

--
Aamer Akhter / aa at cisco.com
Ent & Commercial Systems, cisco Systems

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun
> Sent: Tuesday, May 27, 2008 7:54 PM
> To: Christian
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Cisco PfR
>
> Doesn't look to help me out at all, I'm trying to figure out how large
> of a router I will need to be the master. It sounds like the master
> will have copies of the route table from each border so I assume I need
> a device with enough ram to hold that. But what about throughput and
> cpu? I'm wondering if something small like a 2800 would work or if I
> need to get another 7206..
>
> ~Shaun
> ----- Original Message -----
> From: Christian
> To: Shaun R.
> Cc: cisco-nsp at puck.nether.net
> Sent: Tuesday, May 27, 2008 1:28 PM
> Subject: Re: [c-nsp] Cisco PfR
>
>
> you should be fine...
>
> fyi:
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/prod_qas0900aecd806c4f03.html
>
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6554/ps6599/ps8787/product_data_sheet0900aecd806c4ee4.html
>
>
> On Tue, May 27, 2008 at 3:26 PM, Shaun R. <mailinglists at unix-scripts.com> wrote:
> > Anybody?
> >
> > I'm looking to deploy PfR in my network. Right now the network is simple
> > for the most part. Two 7206VXR-NPE-G2's each with an upstream connected,
> > they are also linked to each other. Then both borders connect to my
> > core/access layer which is a stack of 3750G's. OSPF is run between core and
> > borders. With PfR how large of a router do I need to use as the master?
> > Right now the network only pushes around 200mbit but the network total
> > capacity is capable of pushing 4GB.
> >
> > ~Shaun

From michael at lyngbol.dk Wed May 28 15:24:22 2008
From: michael at lyngbol.dk (Michael Lyngbøl)
Date: Wed, 28 May 2008 21:24:22 +0200
Subject: [c-nsp] DFC3CXL
In-Reply-To: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
Message-ID: <20080528192422.GD18927@freesbee.wheel.dk>

On 28.05.2008 15:12:46 -0400, Jay Young wrote:
> Can anyone confirm if the DFC3CXL is supported on:
>
> WS-X6704-10GE

Router#sh mod | inc SAL
  1    4  CEF720 4 port 10-Gigabit Ethernet      WS-X6704-10GE      SALxxx
  1  Distributed Forwarding Card                 WS-F6700-DFC3CXL   SAL1212JS34  1.1    Ok

> WS-X6748-SFP

Haven't tried this module but I'm
positive it's supported as well.

/Michael
--
Michael Lyngbøl -- michael at lyngbol dot dk
Network Architect, AS3292 TDC, IP backbone

From pshem.k at gmail.com Wed May 28 21:00:44 2008
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Thu, 29 May 2008 13:00:44 +1200
Subject: [c-nsp] Big L3VPN on 6500
Message-ID: <20fe625b0805281800p6831f2adi28c228ed73956f15@mail.gmail.com>

Hi All,

We provide L3 and L2 VPN services for our customers. Usually they have only a few routes (up to 1k), but this time it looks like we'll be providing transmission for a customer with almost 40k routes. They want to connect in 4 of our locations (using BGP). So far we ran the 6500s on standard cef settings:

FIB TCAM maximum routes :
=======================
Current :-
-------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

We have about 200k routes already (both ipv4 and vpnv4) and I started to wonder how the new customer will affect that. Are only routes (vpnv4 prefixes) that are in the fib counted (that's what I think) or will I see an increase of 4 * 40k entries (3 * vpnv4 + native peering)? What's the easiest way to calculate the memory consumption that will be caused by the new customer?

kind regards
Pshem

From tvarriale at comcast.net Wed May 28 23:53:31 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 28 May 2008 22:53:31 -0500
Subject: [c-nsp] DFC3CXL
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
Message-ID: <001f01c8c13f$919ac980$f211a8c0@flamwsugsmul5v>

I can at least confirm it works on the GE-TX blade. Sorry, no SFPs around here.
tv

----- Original Message -----
From: "Jay Young"
To:
Sent: Wednesday, May 28, 2008 2:12 PM
Subject: [c-nsp] DFC3CXL

> Can anyone confirm if the DFC3CXL is supported on:
>
> WS-X6704-10GE
> WS-X6748-SFP
>
> I thought they were supported on all CEF720 cards but
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0adtrcrd.html
>
> seems to indicate they are not.
>
> Thanks,
> Jay

From md at bts.sk Thu May 29 03:23:47 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 29 May 2008 09:23:47 +0200
Subject: [c-nsp] DFC3CXL
In-Reply-To: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com>
Message-ID: <20080529072205.M13282@bts.sk>

On Wed, 28 May 2008 15:12:46 -0400, Jay Young wrote
> Can anyone confirm if the DFC3CXL is supported on:
>
> WS-X6704-10GE
> WS-X6748-SFP
>
> I thought they were supported on all CEF720 cards but
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0adtrcrd.html
>
> seems to indicate they are not.

They are not supported on those modules with IOS 12.2(18)SXF*
They are supported with IOS 12.2(33)SXH*

M.

From achatz at forthnet.gr Thu May 29 06:06:28 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 29 May 2008 13:06:28 +0300
Subject: [c-nsp] DFC3CXL
In-Reply-To: <20080529072205.M13282@bts.sk>
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com> <20080529072205.M13282@bts.sk>
Message-ID: <483E8024.30204@forthnet.gr>

They work fine on SXF too ;)

6509>sh mod 3
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  3   48  CEF720 48 port 10/100/1000mb Ethernet  WS-X6748-GE-TX     xxxxxxxxxxx

Mod  MAC addresses                       Hw     Fw           Sw           Status
---- ----------------------------------  ------ ------------ ------------ -------
  3  xxxx.xxxx.xxxx to xxxx.xxxx.xxxx    2.6    12.2(14r)S5  12.2(18)SXF8 Ok

Mod  Sub-Module                  Model              Serial      Hw      Status
---- --------------------------- ------------------ ----------- ------- -------
  3  Distributed Forwarding Card WS-F6700-DFC3CXL   xxxxxxxxxxx 1.1     Ok

Mod  Online Diag Status
---- -------------------
  3  Pass

--
Tassos

Marian Ďurkovič wrote on 29/5/2008 10:23:
> On Wed, 28 May 2008 15:12:46 -0400, Jay Young wrote
>> Can anyone confirm if the DFC3CXL is supported on:
>>
>> WS-X6704-10GE
>> WS-X6748-SFP
>>
>> I thought they were supported on all CEF720 cards but
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/hardware/Module_Installation/Mod_Install_Guide/0adtrcrd.html
>>
>> seems to indicate they are not.
>
> They are not supported on those modules with IOS 12.2(18)SXF*
> They are supported with IOS 12.2(33)SXH*
>
> M.

From md at bts.sk Thu May 29 06:40:54 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Thu, 29 May 2008 12:40:54 +0200
Subject: [c-nsp] DFC3CXL
In-Reply-To: <483E808D.7000603@forthnet.gr>
References: <24ad6e420805281212r2cb52772g7fc7b7044a3210d4@mail.gmail.com> <20080529072205.M13282@bts.sk> <483E808D.7000603@forthnet.gr>
Message-ID: <20080529104054.GA25980@bts.sk>

On Thu, May 29, 2008 at 01:08:13PM +0300, Tassos Chatzithomaoglou wrote:
> They work fine on SXF too ;)

Which exact SXF version? Should be disabled starting from SXF11:

CSCsk12525 Disabling 67xx line cards with sutlej except Malabar .
Sutlej = DFC3C/DFC3CXL
Malabar = 6708 linecard

With kind regards,

M.

From rodunn at cisco.com Thu May 29 09:18:58 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 29 May 2008 09:18:58 -0400
Subject: [c-nsp] Big L3VPN on 6500
In-Reply-To: <20fe625b0805281800p6831f2adi28c228ed73956f15@mail.gmail.com>
References: <20fe625b0805281800p6831f2adi28c228ed73956f15@mail.gmail.com>
Message-ID: <20080529131858.GC3767@rtp-cse-489.cisco.com>

On Thu, May 29, 2008 at 01:00:44PM +1200, Pshem Kowalczyk wrote:
> Hi All,
>
> We provide L3 and L2 vpns services for our customers. Usually they
> have only a few routes (up to 1k), but this time it looks like we'll
> be providing transmission for a customer with almost 40k routes. They
> want to connect in 4 of our locations (using BGP). So far we ran the
> 6500s on standard cef settings:
>
> FIB TCAM maximum routes :
> =======================
> Current :-
> -------
> IPv4 + MPLS - 512k (default)
> IPv6 + IP Multicast - 256k (default)
>
>
> We have about 200k routes already (both ipv4 and vpnv4) and I started
> to wonder how the new customer will affect that. Are only routes
> (vpnv4 prefixes) that are in the fib counted (that's what I think) or
> will I see an increase of 4 * 40k entries (3 * vpnv4 + native
> peering)?

Only best path is loaded to TCAM.

> What's the easiest way to calculate the memory consumption
> that will be caused by the new customer?

Not an easy way unfortunately as the datastructures change a lot so the best way is to baseline and graph memory in comparison to number and type of routes.
Rodney > > kind regards > Pshem > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mgabi at ase.ro Thu May 29 09:57:36 2008 From: mgabi at ase.ro (Gabriel Mateiciuc) Date: Thu, 29 May 2008 16:57:36 +0300 Subject: [c-nsp] Router 1841 - IOS 12.4(19) - ipsec + nat - pptp behind nat not working In-Reply-To: <012401c8bff4$0627dba0$127792e0$@ro> References: <012401c8bff4$0627dba0$127792e0$@ro> Message-ID: <018201c8c193$f3bef330$db3cd990$@ro> One last shot - reverted to 12.4.(15)T3 ... the damn thing works now. We experienced some nasty crashes with this version using NAT features but it seems using a clever combination of acl's and route-maps solves the problem. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gabriel Mateiciuc Sent: 27 mai 2008 15:20 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Router 1841 - IOS 12.4(19) - ipsec + nat - pptp behind nat not working Hello, Did anyone else hit the CSCsm34632 bug ? Quote Cisco: Symptoms: PPTP connection does not get established properly. Users are stuck in authentication phase Conditions: Occurs when PPTP server is behind a NAT router configured with a static NAT entry. Workaround: There is no workaround. Has anyone found a work-around ? I run IOS 12.4(19). Anyone tried to go back to some 12.3 version ? Any input would be appreciated. 
Gabriel Mateiciuc
Academia de Studii Economice
Departamentul Rețele
Echipa Infrastructura

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gary.ciscomail at gmail.com Thu May 29 11:01:59 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Thu, 29 May 2008 16:01:59 +0100
Subject: [c-nsp] Object tracking
Message-ID:

This one could be interesting...

I have a tunnel interface that I only want to be up when the ethernet interface on the router is up. I don't want to relate the tunnel to the address of the ethernet, I need these to be separate.

So, does anyone know if I can shut the interface if the status of the object changes? If you have any example code that would be great...

Thanks

Gary

From rekordmeister at gmail.com Thu May 29 11:15:17 2008
From: rekordmeister at gmail.com (MKS)
Date: Thu, 29 May 2008 15:15:17 +0000
Subject: [c-nsp] Single strand SMF 10GbE
Message-ID:

Hello List

Is there some vendor out there that offers single strand SMF 10GbE (X2/xenpak/whatever)?
Does someone know if this is on cisco's roadmap?

Regards
MKS

From gaurav at inwire.net Thu May 29 11:15:49 2008
From: gaurav at inwire.net (Gaurav Sabharwal)
Date: Thu, 29 May 2008 17:15:49 +0200
Subject: [c-nsp] Object tracking
In-Reply-To:
References:
Message-ID: <483EC8A5.8060100@inwire.net>

Gary,

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6550/prod_white_paper0900aecd803a4dad_ps6815_Products_White_Paper.html

Event Manager example below. The example below is used to configure rate limit in DSL+Dial environment. Match a syslog pattern and take action 1.0 and 1.1.
event manager applet configure-rate-limit
 event syslog pattern "LINEPROTO-5-UPDOWN.*Virtual-Access1.*up"
 action 1.0 cli command "enable"
 action 1.1 cli command "tclsh flash:confRL.tcl ATM0.1 Virtual-PPP1"

HTH,
- Gaurav

on 05/29/2008 05:01 PM Gary Roberton said the following:
> This one could be interesting...
>
> I have a tunnel interface that I only want to be up when the ethernet
> interface on the router is up. I don't want to relate the tunnel to the
> address of the ethernet, I need these to be separate.
>
> So, does anyone know if I can shut the interface if the status of the object
> changes? If you have any example code that would be great...
>
> Thanks
>
> Gary
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From dean at eatworms.org.uk Thu May 29 11:24:08 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Thu, 29 May 2008 16:24:08 +0100
Subject: [c-nsp] Object tracking
References:
Message-ID: <005401c8c1a0$0b359c10$0b03010a@DEANPC>

Method 1)

Create an object to track the interface state
Create a boolean object to reverse the state of the first object.
Add a /32 static route to Null0 for the Tunnel Destination IP dependent on the 2nd object.

If the interface is up Object 1 = True, Object 2 = False, Null0 route won't be installed. Tunnel Stays up.
If the interface is down, Object 1 = False, Object 2 = True, Static route installed, Tunnel goes down.

You'll need 12.4T I think to get all those bits.

Method 2)

Use the EEM to detect the interface down on the tracked interface - and trigger a CLI action to shut the tunnel interface (and the reverse as well)

Dean

----- Original Message -----
From: "Gary Roberton"
To:
Sent: Thursday, May 29, 2008 4:01 PM
Subject: [c-nsp] Object tracking

> This one could be interesting...
>
> I have a tunnel interface that I only want to be up when the ethernet
> interface on the router is up. I don't want to relate the tunnel to the
> address of the ethernet, I need these to be separate.
>
> So, does anyone know if I can shut the interface if the status of the
> object
> changes? If you have any example code that would be great...
>
> Thanks
>
> Gary
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dean at eatworms.org.uk Thu May 29 11:30:51 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Thu, 29 May 2008 16:30:51 +0100
Subject: [c-nsp] Object tracking
Message-ID: <005f01c8c1a0$f9f26680$0b03010a@DEANPC>

Method 1) looks like this...

track 1 interface Fa0/0 line-protocol
!
track 2 list boolean and
 object 1 not
!
ip route 1.1.1.1 255.255.255.255 null0 track 2

Dean

----- Original Message -----
From: "Dean Smith"
To: "Gary Roberton" ;
Sent: Thursday, May 29, 2008 4:24 PM
Subject: Re: [c-nsp] Object tracking

> Method 1)
>
> Create an object to track the interface state
> Create a boolean object to reverse the state of the first object.
> Add a /32 static route to Null0 for the Tunnel Destination IP dependent on
> the 2nd object.
>
> If the interface is up Object 1 = True, Object 2 = False, Null0 route won't
> be installed. Tunnel Stays up.
> If the interface is down, Object 1 = False, Object 2 = True, Static route
> installed, Tunnel goes down.
>
> You'll need 12.4T I think to get all those bits.
>
> Method 2)
>
> Use the EEM to detect the interface down on the tracked interface - and
> trigger a CLI action to shut the tunnel interface
> (and the reverse as well)
>
> Dean
> ----- Original Message -----
> From: "Gary Roberton"
> To:
> Sent: Thursday, May 29, 2008 4:01 PM
> Subject: [c-nsp] Object tracking
>
>
>> This one could be interesting...
>> >> I have a tunnel interface that I only want to be up when the ethernet >> interface on the router is up. I don't want to relate the tunnel to the >> address of the ethernet, I need these to be separate. >> >> So, does anyone know if I can shut the interface if the status of the >> object >> changes? If you have any example code that would be great... >> >> Thanks >> >> Gary >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rodunn at cisco.com Thu May 29 11:32:57 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 29 May 2008 11:32:57 -0400 Subject: [c-nsp] Router 1841 - IOS 12.4(19) - ipsec + nat - pptp behind nat not working In-Reply-To: <018201c8c193$f3bef330$db3cd990$@ro> References: <012401c8bff4$0627dba0$127792e0$@ro> <018201c8c193$f3bef330$db3cd990$@ro> Message-ID: <20080529153256.GB4993@rtp-cse-489.cisco.com> Can you try 12.4(18a or b) that has the fix? On Thu, May 29, 2008 at 04:57:36PM +0300, Gabriel Mateiciuc wrote: > One last shot - reverted to 12.4.(15)T3 ... the damn thing works now. > We experienced some nasty crashes with this version using NAT features but > it seems using a clever combination of acl's and route-maps solves the > problem. > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gabriel Mateiciuc > Sent: 27 mai 2008 15:20 > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Router 1841 - IOS 12.4(19) - ipsec + nat - pptp behind nat > not working > > Hello, > Did anyone else hit the CSCsm34632 bug ? > > Quote Cisco: > > Symptoms: PPTP connection does not get established properly. Users are stuck > in authentication phase > > Conditions: Occurs when PPTP server is behind a NAT router configured with a > static NAT entry. > > Workaround: There is no workaround. 
> > Has anyone found a work-around ? I run IOS 12.4(19). Anyone tried to go back > to some 12.3 version ? > > Any input would be appreciated. > > > Gabriel Mateiciuc > Academia de Studii Economice > Departamentul Re?ele > Echipa Infrastructura > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From up at 3.am Thu May 29 11:50:43 2008 From: up at 3.am (up at 3.am) Date: Thu, 29 May 2008 11:50:43 -0400 (EDT) Subject: [c-nsp] Overlapping NAT subnets and PPTP Message-ID: I have a customer that has a 2811 with a fairly complex NAT VPN configuration (an existing GRE tunnel, a bunch of static NAT mappings to it, etc). We just added a PPTP to it and ran into an overlapping subnet issue with it. They have over a hundred internal hosts on 192.168.1.0/24 and of course, many people who PPTP into it are using that same RFC1918 space on their LAN (it's hard coded into my Verizon router, for example). Since the incoming PPTP connections need to talk to those hosts, there is obviously a conflict. Cisco TAC's position was that they need to renumber to eliminate the conflict. That may be true, but we came up with an idea that seems like it should work as an alternative. That is to use something like: ip nat source static 192.168.1.20 10.3.3.20 or ip nat outside source static 192.168.1.20 10.3.3.20 to "fool" the incoming PPTP connected hosts. To some extent, it works. The incoming connections can now ping 10.3.3.20 and get responses (they could not ping 192.168.1.20). However, any attempt to connect to any TCP port on that host results in a "connection refused". 
Is this just a dead-end for this kludge, or is something else needed? Has anyone else succeeded with it? The customer just wants to avoid renumbering if possible (for now), so I just want to make sure that if this kludge doesn't work, I can explain why, or make it work if possible. Thanks in Advance! James Smallacombe PlantageNet, Inc. CEO and Janitor up at 3.am http://3.am ========================================================================= From mtinka at globaltransit.net Thu May 29 12:13:07 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 30 May 2008 00:13:07 +0800 Subject: [c-nsp] Single strand SMF 10GbE In-Reply-To: References: Message-ID: <200805300013.08460.mtinka@globaltransit.net> On Thursday 29 May 2008, MKS wrote: > Hello List > > Is some vendor out there that offers single strand SMF > 10GbE (X2/xenpak/whatever). > Does someone know if this is on cisco's roadmap? Cisco aren't doing 10Gbps yet - they are doing mux'ed 1Gbps links over CWDM (can use LACP to connect up to 4Gbps): http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet0900aecd8029d01b.html For 10Gbps, consider the following vendors: * MRV * Transition Networks * Ciena (acquired WWP) Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 832 bytes Desc: This is a digitally signed message part. URL: From ras at e-gerbil.net Thu May 29 14:40:58 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Thu, 29 May 2008 13:40:58 -0500 Subject: [c-nsp] Single strand SMF 10GbE In-Reply-To: References: Message-ID: <20080529184058.GE4889@gerbil.cluepon.net> On Thu, May 29, 2008 at 03:15:17PM +0000, MKS wrote: > Hello List > > Is some vendor out there that offers single strand SMF 10GbE > (X2/xenpak/whatever). > Does someone know if this is on cisco's roadmap? All those "single strand optics" do is integrate a small mux into a generic optic. 
I'm not aware of anybody making that kind of product for 10GE today (though it could certainly be done, look at LX4, those optics have an integrated 4ch mux :P), but you can easily accomplish the same goal with an external mux. Just send one color one direction, and another color the other direction, and you can mux whatever you'd like onto a single strand. This could be done with anything from DWDM optics to any generic $200 1310/1550 mux and an LR+ER (and maybe some attenuation) optic.

--
Richard A Steenbergen http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From jeff-kell at utc.edu Thu May 29 16:07:14 2008
From: jeff-kell at utc.edu (Jeff Kell)
Date: Thu, 29 May 2008 16:07:14 -0400
Subject: [c-nsp] Multiple VRFs into common 'internet' gateway
Message-ID: <483F0CF2.6060303@utc.edu>

We're in the planning process for a better way to get multiple VRFs meshed into a common 'internet' gateway, preferably without unintentional cross-leakage between them. There are brute-force methods (run them all to the edge) but we really do need to have some leakage across certain VRFs. For "full" leakage we just import/export RDs at the PE.

We have a temporary workaround with an ASA taking a tagged vlan from each VRF as a separate logical interface, but this is a little messy. Takes lots of static routes, and anything we do leak across has to bounce out to the ASA and back again.

It would appear that a FWSM in the PE could do this. Has anyone been down this road that would be willing to share some notes/pointers/warnings/war stories?
Thanks in advance,

Jeff

From gert at greenie.muc.de Thu May 29 16:19:54 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 29 May 2008 22:19:54 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To:
References: <4836B686.3060004@templin.org>
Message-ID: <20080529201954.GB426@greenie.muc.de>

Hi,

On Fri, May 23, 2008 at 03:08:54PM +0100, Gary Roberton wrote:
> Router A BGP table entry is shown here;
>
> *  90.0.0.0   10.40.1.6    50      0 64604 1000 i
> *>            10.40.1.2            0 64603 1000 i

Ah. Different next-hop ASes.

You need to configure "bgp always-compare-med" or "bgp deterministic-med" to take the MED into account if the neighbour AS is not the same.

Otherwise MED is ignored (because by original design, it's "multi exit discriminator", to be used for multiple paths to the *same* neighbour AS).

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu May 29 16:20:25 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 29 May 2008 22:20:25 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To:
References:
Message-ID: <20080529202025.GC426@greenie.muc.de>

Hi,

On Fri, May 23, 2008 at 05:08:58PM +0200, Brian Turnbow wrote:
> Setting the metric is not going to affect your BGP route selection.

Read up on the BGP decision algorithm :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Thu May 29 16:21:38 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 29 May 2008 22:21:38 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To: <4836E874.6090308@templin.org>
References: <4836B686.3060004@templin.org> <4836E874.6090308@templin.org>
Message-ID: <20080529202138.GD426@greenie.muc.de>

Hi,

On Fri, May 23, 2008 at 10:53:24AM -0500, Pete Templin wrote:
> You should tweak a different knob to achieve the desired results.
> Origin code comes to mind as an easy twiddle. Or, have the remote
> routers send a community to request a particular local preference (as
> someone else suggested) - you'll need a community-list and a route-map
> to catch this. Or just write a route-map to adjust local-pref or weight
> upon local receipt of the prefix.

I'm wondering why this, which is a fair amount of configuration stuff and lots of potential breakage, is supposed to be better than just telling the router to *use* the MED...?

MED is a nice tool - and local-pref is most always way overkill.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From david.freedman at uk.clara.net Thu May 29 16:46:31 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 29 May 2008 21:46:31 +0100
Subject: [c-nsp] Object tracking
In-Reply-To:
References:
Message-ID: <483F1627.2050501@uk.clara.net>

Just out of interest, why??

Do you need the tunnel interface to be hard down, or just not to route via it when the ethernet interface is down?

Dave.

Gary Roberton wrote:
> This one could be interesting...
>
> I have a tunnel interface that I only want to be up when the ethernet
> interface on the router is up. I don't want to relate the tunnel to the
> address of the ethernet, I need these to be separate.
>
> So, does anyone know if I can shut the interface if the status of the object
> changes? If you have any example code that would be great...
>
> Thanks
>
> Gary
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From petelists at templin.org Thu May 29 16:44:58 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 29 May 2008 15:44:58 -0500
Subject: [c-nsp] BGP Route selection
In-Reply-To: <20080529202025.GC426@greenie.muc.de>
References: <20080529202025.GC426@greenie.muc.de>
Message-ID: <483F15CA.6070805@templin.org>

Gert Doering wrote:
> On Fri, May 23, 2008 at 05:08:58PM +0200, Brian Turnbow wrote:
>> Setting the metric is not going to affect your BGP route selection.
>
> Read up on the BGP decision algorithm :-)

"Your" can be singular or plural, specific or general. In this case, specifically, it is not going to affect his BGP route selection unless he enables 'always compare MED', since the paths come from two different neighbor ASes.

pt

From petelists at templin.org Thu May 29 16:52:47 2008
From: petelists at templin.org (Pete Templin)
Date: Thu, 29 May 2008 15:52:47 -0500
Subject: [c-nsp] BGP Route selection
In-Reply-To: <20080529201954.GB426@greenie.muc.de>
References: <4836B686.3060004@templin.org> <20080529201954.GB426@greenie.muc.de>
Message-ID: <483F179F.1090300@templin.org>

Gert Doering wrote:
> On Fri, May 23, 2008 at 03:08:54PM +0100, Gary Roberton wrote:
>> Router A BGP table entry is shown here;
>>
>> *  90.0.0.0   10.40.1.6    50      0 64604 1000 i
>> *>            10.40.1.2            0 64603 1000 i
>
> Ah. Different next-hop ASes.
>
> You need to configure "bgp always-compare-med" or "bgp deterministic-med"
> to take the MED into account if the neighbour AS is not the same.
>
> Otherwise MED is ignored (because by original design, it's "multi exit
> discriminator", to be used for multiple paths to the *same* neighbour AS).

"bgp deterministic-med" will NOT help in this situation - the neighbor AS is different.
Deterministic MED only helps if the default comparison sequence (newest and next-newest compared first, best-path-so-far and subsequently-older paths on each sequential comparison) won't discover the otherwise-best exit point.

See http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094925.shtml for the Cisco scoop.

pt

From bwindle at fint.org Thu May 29 16:59:39 2008
From: bwindle at fint.org (Burton Windle)
Date: Thu, 29 May 2008 16:59:39 -0400 (EDT)
Subject: [c-nsp] counter bug? RxPause = multicasts
Message-ID:

I've got a 6500 with a Sup720 running 12.2(33)SXH1 with, among others, a WS-X6748-GE-TX blade. A port on the 6748 is seeing unusual port counters, where every RxPause frame is counted as a multicast packet (or vice versa, not sure which). Is this a bug in this code that someone else has seen, or some feature that I'm not familiar with?

C_6506>show int gig3/26
GigabitEthernet3/26 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 001e.be36.1d19 (bia 001e.be36.1d19)
  Description: SQ-001
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 13/255, rxload 11/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseT
  input flow-control is on, output flow-control is on
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:28, output hang never
  Last clearing of "show interface" counters 6w6d
  Input queue: 0/2000/1/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 45814000 bits/sec, 6164 packets/sec
  5 minute output rate 51731000 bits/sec, 6212 packets/sec
     21690256068 packets input, 20171034172110 bytes, 0 no buffer
     Received 64229 broadcasts (10389 multicasts)
     0 runts, 0 giants, 0 throttles
     1 input errors, 1 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 10389 pause input
     0 input packets with dribble condition detected
     21616684473 packets output, 23513546564581 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

The config for this port is drop-dead simple:

interface GigabitEthernet3/26
 description SQ-001
 switchport
 switchport access vlan 2
 switchport mode access
 flowcontrol receive desired
 spanning-tree portfast
end

--
Burton Windle bwindle at fint.org

From gert at greenie.muc.de Thu May 29 17:27:38 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 29 May 2008 23:27:38 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To: <483F15CA.6070805@templin.org>
References: <20080529202025.GC426@greenie.muc.de> <483F15CA.6070805@templin.org>
Message-ID: <20080529212738.GE426@greenie.muc.de>

Hi,

On Thu, May 29, 2008 at 03:44:58PM -0500, Pete Templin wrote:
> Gert Doering wrote:
>
> >On Fri, May 23, 2008 at 05:08:58PM +0200, Brian Turnbow wrote:
> >>Setting the metric is not going to affect your BGP route selection.
> >
> >Read up on the BGP decision algorithm :-)
>
> "Your" can be singular or plural, specific or general. In this case,
> specifically, it is not going to affect his BGP route selection unless
> he enables 'always compare MED', since the paths come from two different
> neighbor ASes.

The generic statement "setting the metric is not going to affect your BGP route selection" is just not correct in this generality. It will not do without knobs *if the neighbours are in different ASes*, but otherwise, it will do so just fine.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From alonso.garciagarcia at wholesale.telefonica.com Thu May 29 19:00:23 2008
From: alonso.garciagarcia at wholesale.telefonica.com (alonso.garciagarcia at wholesale.telefonica.com)
Date: Fri, 30 May 2008 01:00:23 +0200
Subject: [c-nsp] Alonso Garcia Garcia/TIWS is out of the office.
Message-ID:

I will be out of the office from 23/05/2008 and will not be back until 16/06/2008. I will reply to your message when I return. In my absence, contact Álvaro Alonso (alvaro.alonso at wholesale.telefonica.com) (+34) 91 483 06 57

I will be out of the office from May 23rd till June 16th. During my absence, contact Álvaro Alonso (alvaro.alonso at wholesale.telefonica.com) (+34) 91 483 06 57

From josmon at rigozsaurus.com Fri May 30 00:57:57 2008
From: josmon at rigozsaurus.com (John Osmon)
Date: Thu, 29 May 2008 22:57:57 -0600
Subject: [c-nsp] 7200 VXR TDM Bus Crossconnects?
In-Reply-To: <20080528154256.GR426@greenie.muc.de>
References: <1211602794_354303@mail1.tellurian.net> <4837FFA4.8010803@bromirski.net> <20080528151528.GQ426@greenie.muc.de> <483D7B00.7070207@ttec.com> <20080528154256.GR426@greenie.muc.de>
Message-ID: <20080530045757.GA17591@jeeves.rigozsaurus.com>

On Wed, May 28, 2008 at 05:42:56PM +0200, Gert Doering wrote:
> I'm not *that* interested in "things you can *not* make use of it"... :-)
>
> ... but really wondering if there *is* anything that uses the TDM bus...

I've only found DS0 cross-connects among T1s on a MIX enabled card.

Oh -- sorry. That doesn't use the TDM bus, does it?

I guess we can't find anything that *does* use the TDM bus.
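Added example for the "BGP Route selection" thread (Gert's and Pete's posts above, Brian's reply below); it is not code from any list post or from Cisco. It is a simplified Python best-path selector that applies the AS-path, MED and router-ID steps the way the thread describes them, so you can see why a MED set on paths from different neighbour ASes is ignored without "bgp always-compare-med", and what "bgp deterministic-med" does and does not change. The Path class and best_path function are hypothetical; next hops 10.40.1.2/10.40.1.6 and ASes 64603/64604 follow Gary's table entry, while the third path, the MED values and the router IDs are constructed.

```python
"""Simplified Cisco-style BGP best-path selection, reduced to the steps the
'BGP Route selection' thread argues about: AS-path length, MED, router ID.
Added example for this archive page; not code from any list post or from
Cisco. Weight, local-pref, origin, IGP metric and the oldest-path step are
assumed equal and omitted."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import groupby


@dataclass(frozen=True)
class Path:
    next_hop: str
    neighbor_as: int      # first AS in the AS_PATH (the "neighbour AS")
    as_path: tuple
    med: int
    router_id: str        # advertising neighbour's router ID (last tiebreak)


def better(a, b, always_compare_med=False):
    """Return the preferred of two paths. MED is consulted only when both
    paths come from the same neighbour AS, unless 'bgp always-compare-med'
    is configured; that is why a MED on paths from two different
    neighbour ASes changes nothing by default."""
    if len(a.as_path) != len(b.as_path):
        return a if len(a.as_path) < len(b.as_path) else b
    if always_compare_med or a.neighbor_as == b.neighbor_as:
        if a.med != b.med:
            return a if a.med < b.med else b
    return a if IPv4Address(a.router_id) < IPv4Address(b.router_id) else b


def best_path(paths, always_compare_med=False, deterministic_med=False):
    """Select the best path from 'paths', held in table order.

    Without 'bgp deterministic-med' the comparison is pairwise down the
    table, so a MED win inside one neighbour AS can be undone by a later
    cross-AS comparison in which MED is not consulted; the answer then
    depends on the order in which the paths were received.
    With it, a winner is chosen per neighbour AS first (where MED is always
    comparable) and only the group winners are compared.
    """
    if not deterministic_med:
        best = paths[0]
        for p in paths[1:]:
            best = better(best, p, always_compare_med)
        return best
    by_as = sorted(paths, key=lambda p: p.neighbor_as)
    winners = [best_path(list(g), always_compare_med)
               for _, g in groupby(by_as, key=lambda p: p.neighbor_as)]
    return best_path(winners, always_compare_med)


# Constructed table for 90.0.0.0 on "Router A". Next hops 10.40.1.2 (AS 64603)
# and 10.40.1.6 (AS 64604) follow Gary's output; the third path, the MED
# values and the router IDs are made up to expose the order dependence.
PATH_A = Path("10.40.1.2", 64603, (64603, 1000), med=120, router_id="10.40.1.1")
PATH_B = Path("10.40.1.6", 64604, (64604, 1000), med=200, router_id="10.40.1.5")
PATH_C = Path("10.40.1.10", 64603, (64603, 1000), med=50, router_id="10.40.1.9")
TABLE = [PATH_A, PATH_B, PATH_C]


def demo():
    """Chosen next hop under each knob setting."""
    return {
        "default, table order A,B,C": best_path(TABLE).next_hop,
        "default, table order C,B,A": best_path(TABLE[::-1]).next_hop,
        "deterministic-med": best_path(TABLE, deterministic_med=True).next_hop,
        "always-compare-med + deterministic-med":
            best_path(TABLE, True, True).next_hop,
    }


if __name__ == "__main__":
    for knob, hop in demo().items():
        print(f"{knob:42s} -> {hop}")
```

With deterministic-med alone the winner is still decided by router ID rather than MED, which matches Pete's point that the knob does not help when the neighbour AS differs.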
From b.turnbow at twt.it Fri May 30 03:16:40 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 30 May 2008 09:16:40 +0200
Subject: [c-nsp] BGP Route selection
In-Reply-To: <20080529202025.GC426@greenie.muc.de>
References: <20080529202025.GC426@greenie.muc.de>
Message-ID:

You might want to check back on the mail and the context the phrase was used in.
As the path was coming in from two different ASes using MED it wasn't working.
He could have configured the end router to always compare MED, but by default it won't be used.

Brian

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Thursday 29 May 2008 22.20
To: Brian Turnbow
Cc: Gary Roberton; Pete Templin; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] BGP Route selection

Hi,

On Fri, May 23, 2008 at 05:08:58PM +0200, Brian Turnbow wrote:
> Setting the metric is not going to affect your BGP route selection.

Read up on the BGP decision algorithm :-)

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From blahu77 at gmail.com Fri May 30 03:32:13 2008
From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=)
Date: Fri, 30 May 2008 08:32:13 +0100
Subject: [c-nsp] counter bug? RxPause = multicasts
In-Reply-To:
References:
Message-ID: <383357750805300032m1614cdf4tbfbb0ac57e0b48b5@mail.gmail.com>

2008/5/29 Burton Windle :
>
> I've got a 6500 with a Sup720 running 12.2(33)SXH1 with, among others, a WS-X6748-GE-TX blade. A port on the 6748 is seeing unusual port counters, where every RxPause frame is counted as a multicast packet (or vice versa, not sure which). Is this a bug in this code that someone else has seen, or some feature that I'm not familiar with?
>

Ethernet PAUSE frames are sent to multicast address 01-80-C2-00-00-01. Looks like there is a station on VLAN 2 that is sending those frames.
Sniff the traffic to check what the source MAC is.

> flowcontrol receive desired

and you actually enabled PAUSE frame processing.

--
-mat

From andrew.degtiariov at gmail.com Fri May 30 04:07:46 2008
From: andrew.degtiariov at gmail.com (Andrew Degtiariov)
Date: Fri, 30 May 2008 11:07:46 +0300
Subject: [c-nsp] High CPU load on Catalyst 3550
Message-ID: <5d1b76f60805300107i6a622170g84f88af28b6e772c@mail.gmail.com>

Last week our Catalyst 3550 has been running with a high CPU load:

sw#sh proc cpu sorted | ex 0.00% 0.00% 0.00%
CPU utilization for five seconds: 90%/34%; one minute: 91%; five minutes: 91%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
  87    48708768 218888381        222 54.79% 55.62% 55.79%   0 MRD
  75   111599244 850719660        131  0.63%  0.90%  0.88%   0 Spanning Tree
 130        1040       482       2157  0.23%  0.04%  0.04%   1 Virtual Exec
  37   159302752 109119572       1459  0.23%  0.33%  0.34%   0 Vegas Statistics
  73     8762180  65394321        133  0.15%  0.08%  0.01%   0 IP Input
  82        3088    168962         18  0.07%  0.00%  0.00%   0 TCP Timer
  48      849872  36538518         23  0.07%  0.07%  0.07%   0 PI MATM Aging Pr
   4    21503996   3928877       5473  0.00%  0.04%  0.05%   0 Check heaps
  22       57900  36538726          1  0.00%  0.01%  0.00%   0 Per-Second Jobs
  42     1348328  91343665         14  0.00%  0.09%  0.09%   0 L3MD_STAT
 125    29615320 126985585        233  0.00%  0.15%  0.07%   0 IP SNMP
 126     8130756  63496020        128  0.00%  0.05%  0.01%   0 PDU DISPATCHER
 127    39578124  63496329        623  0.00%  0.31%  0.12%   0 SNMP ENGINE
sw#

Unfortunately neither cisco.com nor Google can give me an answer as to what the MRD process is :-(

Anybody know what this is?

--
Andrew Degtiariov
DA-RIPE

From p.mayers at imperial.ac.uk Fri May 30 05:42:18 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 30 May 2008 10:42:18 +0100
Subject: [c-nsp] 6500 NDE CPU load
Message-ID: <483FCBFA.1090405@imperial.ac.uk>

We have a netflow collector from a Large Software Vendor on loan.
Said vendor waltzed in and coolly dropped into the conversation "yeah we'll be needing you to drop your flow timers to 60 seconds, including the "active flows" timer, else we won't get good results"

I was... less than impressed.

So I've been doing some statistical analysis of the distribution of flow ages and packet counts; once I've got the results, how can I predict the effect on CPU usage of a flow timer decrease?

So I'm thinking of effects like: with the timers at defaults (no fast aging, 5 minutes inactive, 30 minutes active) how often does the CPU walk the netflow TCAM? How long does a walk take? Will there be locking or contention issues?

The box has sup720 PFC/DFC-3Bs and the netflow TCAM never overflows.

From jared at puck.nether.net Fri May 30 09:39:56 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Fri, 30 May 2008 09:39:56 -0400
Subject: [c-nsp] 6500 NDE CPU load
In-Reply-To: <483FCBFA.1090405@imperial.ac.uk>
References: <483FCBFA.1090405@imperial.ac.uk>
Message-ID:

On May 30, 2008, at 5:42 AM, Phil Mayers wrote:
> We have a netflow collector from a Large Software Vendor on loan.
>
> Said vendor waltzed in and coolly dropped into the conversation
> "yeah we'll be needing you to drop your flow timers to 60 seconds,
> including the "active flows" timer, else we won't get good results"
>
> I was... less than impressed.
>
> So I've been doing some statistical analysis of the distribution of
> flow ages and packet counts; once I've got the results, how can I
> predict the effect on CPU usage of a flow timer decrease?

there's a number of variables you should watch. please take the following with a grain of salt, YMMV, etc..

Depending on your export options, you will need to watch your SP cpu utilization (as well as any DFCs). This may impact how responsive the SNMP subsystem is.

Don't utilize the software-based sampling. This can drive the cpu load higher as well.
You may see variations in performance depending on software revisions as well as adjusting the mls flow timers.

Exporting the ASN data as well will cause additional cpu hits, and with more aggressive flow timers, you should expect the natural fallout from this.

- Jared

From danletkeman at gmail.com Fri May 30 10:31:27 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Fri, 30 May 2008 09:31:27 -0500
Subject: [c-nsp] blocking skype traffic
Message-ID:

Hello,

Is there any way to block skype traffic with the cisco firewall IOS?

Thanks,
Dan.

From giesen at snickers.org Fri May 30 11:45:51 2008
From: giesen at snickers.org (Gary T. Giesen)
Date: Fri, 30 May 2008 11:45:51 -0400
Subject: [c-nsp] Bridging Ethernet VLANs over T1
Message-ID: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com>

Hi all,

I have an application that requires us to bridge Ethernet VLANs over a T1. I've previously done this using Nortel/Tasman boxes, and have got it working with a Cisco 1841 w/T1 WIC (per http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html), but I'm having one issue. The Tasman/Nortel boxes allow me to inject an IP address into one of the VLANs for management purposes, whereas I can't for the life of me figure out how to do it in Cisco-land.

Cisco config snippet:

bridge 1 protocol ieee

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 vlan-id dot1q 10
  description Data VLAN
  bridge-group 1
  exit-vlan-config
 !
 vlan-id dot1q 20
  description Management VLAN
  bridge-group 1
  exit-vlan-config
 !
!
interface Serial0/1/0
 no ip address
 encapsulation ppp
 service-module t1 clock source internal
 bridge-group 1

Nortel/Tasman box on the other end:

module t1 1
 clock_source line
exit t1

interface ethernet 0
 ip address 10.10.10.10 255.255.255.0
 ip multicast mode pass
 exit multicast
 qos
 exit qos
 vlan vlanid 10
  no management
 exit vlan
exit ethernet

interface ethernet 1
 qos
 exit qos
exit ethernet

interface bundle BCP-TEST
 link t1 1
 description "Cisco-Nortel BCP Test"
 encapsulation ppp
 ppp mtu 64-1518-1600 mru 64-1518-4500
  bcp
   bridge vlan
  exit bcp
 ip multicast pass
 red
 exit red
 qos
 exit qos
exit bundle

vlanfwd
 management vlanid 20
  ip_interface address 192.168.127.2 255.255.255.248 default_route 192.168.127.1 VlanMgmt
 exit management
 add vlanid 10 BCP-TEST
 add vlanid 20 BCP-TEST
exit vlanfwd

As you can see, VLAN 10 is the data VLAN and VLAN 20 is the management VLAN. This setup works just fine Nortel-Nortel, but I need to be able to put an IP address (192.168.127.1/29 in this example) on the bridged VLAN20 on the Cisco so that I can do in-band management.

If you have any thoughts, I'd love to hear them.

Regards,

GG

From jay at west.net Fri May 30 12:05:24 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 30 May 2008 09:05:24 -0700
Subject: [c-nsp] Bridging Ethernet VLANs over T1
In-Reply-To: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com>
References: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com>
Message-ID: <484025C4.4030202@west.net>

Gary T. Giesen wrote:
> Hi all,
>
> I have an application that requires us to bridge Ethernet VLANs over a
> T1. I've previously done this using Nortel/Tasman boxes, and have got
> it working with a Cisco 1841 w/T1 WIC (per
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html),
> but I'm having one issue. The Tasman/Nortel boxes allow me to inject
> an IP address into one of the VLANs for management purposes, whereas I
> can't for the life of me figure out how to do it in Cisco-land.
>
> Cisco config snippet:
>
> bridge 1 protocol ieee
>
> interface FastEthernet0/0
>  no ip address
>  duplex auto
>  speed auto
>  vlan-id dot1q 10
>   description Data VLAN
>   bridge-group 1
>   exit-vlan-config
>  !
>  vlan-id dot1q 20
>   description Management VLAN
>   bridge-group 1
>   exit-vlan-config
>  !
> !
>
> interface Serial0/1/0
>  no ip address
>  encapsulation ppp
>  service-module t1 clock source internal
>  bridge-group 1

bridge irb

bridge 1 proto ieee
bridge 1 route ip

int bvi1
 ip address 10.10.10.11 255.255.255.0

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From giesen at snickers.org Fri May 30 12:10:35 2008
From: giesen at snickers.org (Gary T. Giesen)
Date: Fri, 30 May 2008 12:10:35 -0400
Subject: [c-nsp] Bridging Ethernet VLANs over T1
In-Reply-To: <484025C4.4030202@west.net>
References: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com> <484025C4.4030202@west.net>
Message-ID: <9a9d0c6a0805300910x1ae58254re82633428e0d1b2a@mail.gmail.com>

Jay,

Thanks for the reply. Unfortunately that doesn't seem to work, I assume because there's no way to specify which VLAN that IP actually resides on. Normally bridge-groups/BVI's are only used to bridge one VLAN, but in this case it's bridging multiple VLANs.

GG

On Fri, May 30, 2008 at 12:05 PM, Jay Hennigan wrote:
> bridge irb
>
> bridge 1 proto ieee
> bridge 1 route ip
>
> int bvi1
>  ip address 10.10.10.11 255.255.255.0

From SPfister at dps.k12.oh.us Fri May 30 12:36:26 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 30 May 2008 12:36:26 -0400
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
Message-ID: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us>

I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From rodunn at cisco.com Fri May 30 12:42:59 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 30 May 2008 12:42:59 -0400
Subject: [c-nsp] blocking skype traffic
In-Reply-To:
References:
Message-ID: <20080530164259.GY14249@rtp-cse-489.cisco.com>

You can match it with NBAR in a MQC policy and set the action to drop. Only issue is it doesn't get all versions of skype though.

Rodney

On Fri, May 30, 2008 at 09:31:27AM -0500, Dan Letkeman wrote:
> Hello,
>
> Is there any way to block skype traffic with the cisco firewall IOS?
>
> Thanks,
> Dan.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cchurc05 at harris.com Fri May 30 12:48:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 30 May 2008 11:48:22 -0500
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us>
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator

I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do?

From notrevebr at gmail.com Fri May 30 13:12:13 2008
From: notrevebr at gmail.com (Everton Diniz)
Date: Fri, 30 May 2008 14:12:13 -0300
Subject: [c-nsp] Access via session command
Message-ID: <3cf174360805301012w5c984e49oc8fe5332173d823b@mail.gmail.com>

Hi all,

I'm trying to access an MSFC card through the session command, but the access is not authenticated. Access via the network is OK.

What's missing in the config of the MSFC?

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius none
aaa authorization network default group radius none
aaa accounting exec default start-stop group radius

line vty 0 4
 exec-timeout 30 0
 password 7 xxx
 transport input telnet ssh

Tks all,
Everton

From up at 3.am Fri May 30 13:18:49 2008
From: up at 3.am (up at 3.am)
Date: Fri, 30 May 2008 13:18:49 -0400 (EDT)
Subject: [c-nsp] Access via session command
In-Reply-To: <3cf174360805301012w5c984e49oc8fe5332173d823b@mail.gmail.com>
References: <3cf174360805301012w5c984e49oc8fe5332173d823b@mail.gmail.com>
Message-ID:

On Fri, 30 May 2008, Everton Diniz wrote:

> Hi all,
>
> I'm trying to access an MSFC card through the session command, but
> the access is not authenticated. Access via the network is OK.
>
> What's missing in the config of the MSFC?
>
> aaa new-model
> aaa authentication login default group radius local
> aaa authentication enable default group radius enable
> aaa authorization exec default group radius none

Have you tried replacing the above with:

aaa authorization exec default group radius local

?
> aaa authorization network default group radius none
> aaa accounting exec default start-stop group radius
>
> line vty 0 4
>  exec-timeout 30 0
>  password 7 xxx
>  transport input telnet ssh
>
> Tks all,
> Everton

James Smallacombe  PlantageNet, Inc. CEO and Janitor
up at 3.am  http://3.am
=========================================================================

From SPfister at dps.k12.oh.us Fri May 30 13:42:23 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 30 May 2008 13:42:23 -0400
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To:
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4840043E.9E6F.00B8.0@dps.k12.oh.us>

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 12:48 PM >>>
It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient.

From freimer at ctiusa.com Fri May 30 13:45:21 2008
From: freimer at ctiusa.com (Fred Reimer)
Date: Fri, 30 May 2008 13:45:21 -0400
Subject: [c-nsp] Bridging Ethernet VLANs over T1
In-Reply-To: <9a9d0c6a0805300910x1ae58254re82633428e0d1b2a@mail.gmail.com>
References: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com> <484025C4.4030202@west.net> <9a9d0c6a0805300910x1ae58254re82633428e0d1b2a@mail.gmail.com>
Message-ID: <98B7739FB65BF04F9B3233AB842EEC950297B2B5@EXCHANGE.ctiusa.com>

By using the same bridge group number for both VLANs would you not be merging the two VLANs into one bridge group? That's not what you want, is it? You may want to use a separate bridge group number for the two VLANs, like the example in the document you quoted.

bridge 1 protocol ieee
bridge 2 protocol ieee
!
interface ethernet 0
 vlan-range dot1q 1 600
  bridge-group 1
 vlan-range dot1q 800 4000
  bridge-group 2
!
interface serial 0
 encapsulation ppp
 bridge-group 1
!
interface serial 1
 encapsulation ppp
 bridge-group 2

Two bridge groups, two serial interfaces, for two separate VLANs.

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary T. Giesen
> Sent: Friday, May 30, 2008 12:11 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1
>
> Jay,
>
> Thanks for the reply. Unfortunately that doesn't seem to work, I
> assume because there's no way to specify which VLAN that IP actually
> resides on. Normally bridge-groups/BVI's are only used to bridge one
> VLAN, but in this case it's bridging multiple VLANs.
>
> GG

From cchurc05 at harris.com Fri May 30 13:50:20 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 30 May 2008 12:50:20 -0500
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To: <4840043E.9E6F.00B8.0@dps.k12.oh.us>
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us> <4840043E.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

See if it works without the command. Bypassing the config via the config register might do it too.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 1:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

From leswarden at gmail.com Fri May 30 14:18:25 2008
From: leswarden at gmail.com (les)
Date: Fri, 30 May 2008 13:18:25 -0500
Subject: [c-nsp] Single-mode GBIC question
Message-ID:

I've combed the web with no luck to the answer of my simple question....

If you use SINGLE-MODE fiber and gbics for very short runs (same room, across the street), can you damage the GBICS?

What has been your experience? Oversaturation? Life-shortening? We typically use SM towards the telco and MM for internal but have run into some legacy fiber where it's SM internal. I have an electronics background so the terminology is familiar.
thanks in advance -les From joe at netbyjoe.com Fri May 30 14:23:49 2008 From: joe at netbyjoe.com (Joe Freeman) Date: Fri, 30 May 2008 13:23:49 -0500 Subject: [c-nsp] Bridging Ethernet VLANs over T1 In-Reply-To: <98B7739FB65BF04F9B3233AB842EEC950297B2B5@EXCHANGE.ctiusa.com> References: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com> <484025C4.4030202@west.net> <9a9d0c6a0805300910x1ae58254re82633428e0d1b2a@mail.gmail.com> <98B7739FB65BF04F9B3233AB842EEC950297B2B5@EXCHANGE.ctiusa.com> Message-ID: <5da6cd9f0805301123j1dc622eaya0bbefef373f5d83@mail.gmail.com> If it were me, I'd look at using frame encaps on the T1, then use a seperate dlci for each vlan. On Fri, May 30, 2008 at 12:45 PM, Fred Reimer wrote: > By using the same bridge group number for both VLANs would you not be > merging the two VLANs into one bridge group? That's not what you want, is > it? You may want to use a separate bridge group number for the two VLANs, > like the example in the document you quoted. > > bridge 1 protocol ieee > bridge 2 protocol ieee > ! > interface ethernet 0 > vlan-range dot1q 1 600 > bridge-group 1 > vlan-range dot1q 800 4000 > bridge-group 2 > ! > interface serial 0 > encapsulation ppp > bridge-group 1 > ! > interface serial 1 > encapsulation ppp > bridge-group 2 > > Two bridge groups, two serial interfaces, for two separate VLANs. > > Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS > Senior Network Engineer > Coleman Technologies, Inc. > 954-298-1697 > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > > bounces at puck.nether.net] On Behalf Of Gary T. Giesen > > Sent: Friday, May 30, 2008 12:11 PM > > To: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1 > > > > Jay, > > > > Thanks for the reply. Unfortunately that doesn't seem to work, I > > assume because there's no way to specify which VLAN that IP actually > > resides on. 
Normally bridge-groups/BVI's are only used to bridge one > > VLAN, but in this case it's bridging multiple VLANs. > > > > GG > > > > On Fri, May 30, 2008 at 12:05 PM, Jay Hennigan wrote: > > > Gary T. Giesen wrote: > > >> > > >> Hi all, > > >> > > >> I have an application that requires us to bridge Ethernet VLANs over > > a > > >> T1. I've previously done this using Nortel/Tasman boxes, and have > > got > > >> it working with a Cisco 1841 w/T1 WIC (per > > >> > > >> > > http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.h > > tml), > > >> but I'm having one issue. The Tasman/Nortel boxes allow me to inject > > >> an IP address into one of the VLANs for management purposes, whereas > > I > > >> can't for the life of me figure out how to do it in Cisco-land. > > >> > > >> Cisco config snippet: > > >> > > >> bridge 1 protocol ieee > > >> > > >> interface FastEthernet0/0 > > >> no ip address > > >> duplex auto > > >> speed auto > > >> vlan-id dot1q 10 > > >> description Data VLAN > > >> bridge-group 1 > > >> exit-vlan-config > > >> ! > > >> vlan-id dot1q 20 > > >> description Management VLAN > > >> bridge-group 1 > > >> exit-vlan-config > > >> ! > > >> ! 
> > >> > > >> interface Serial0/1/0 > > >> no ip address > > >> encapsulation ppp > > >> service-module t1 clock source internal > > >> bridge-group 1 > > > > > > bridge irb > > > > > > bridge 1 proto ieee > > > bridge 1 route ip > > > > > > int bvi1 > > > ip address 10.10.10.11 255.255.255.0 > > > > > > > > > > > > -- > > > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net > > > Impulse Internet Service - http://www.impulse.net/ > > > Your local telephone and internet company - 805 884-6323 - WB6RDV > > > > > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From freimer at ctiusa.com Fri May 30 14:27:03 2008 From: freimer at ctiusa.com (Fred Reimer) Date: Fri, 30 May 2008 14:27:03 -0400 Subject: [c-nsp] Bridging Ethernet VLANs over T1 In-Reply-To: <5da6cd9f0805301123j1dc622eaya0bbefef373f5d83@mail.gmail.com> References: <9a9d0c6a0805300845l5df2f3e8y20879da5f2bec152@mail.gmail.com> <484025C4.4030202@west.net> <9a9d0c6a0805300910x1ae58254re82633428e0d1b2a@mail.gmail.com> <98B7739FB65BF04F9B3233AB842EEC950297B2B5@EXCHANGE.ctiusa.com> <5da6cd9f0805301123j1dc622eaya0bbefef373f5d83@mail.gmail.com> Message-ID: <98B7739FB65BF04F9B3233AB842EEC950297B2DC@EXCHANGE.ctiusa.com> If it were me I'd use L2TPv3 xconnects. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 
954-298-1697 From: Joe Freeman [mailto:joe at netbyjoe.com] Sent: Friday, May 30, 2008 2:24 PM To: Fred Reimer Cc: giesen at snickers.org; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1 If it were me, I'd look at using frame encaps on the T1, then use a seperate dlci for each vlan. On Fri, May 30, 2008 at 12:45 PM, Fred Reimer wrote: By using the same bridge group number for both VLANs would you not be merging the two VLANs into one bridge group? That's not what you want, is it? You may want to use a separate bridge group number for the two VLANs, like the example in the document you quoted. bridge 1 protocol ieee bridge 2 protocol ieee ! interface ethernet 0 vlan-range dot1q 1 600 bridge-group 1 vlan-range dot1q 800 4000 bridge-group 2 ! interface serial 0 encapsulation ppp bridge-group 1 ! interface serial 1 encapsulation ppp bridge-group 2 Two bridge groups, two serial interfaces, for two separate VLANs. Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS Senior Network Engineer Coleman Technologies, Inc. 954-298-1697 > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Gary T. Giesen > Sent: Friday, May 30, 2008 12:11 PM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Bridging Ethernet VLANs over T1 > > Jay, > > Thanks for the reply. Unfortunately that doesn't seem to work, I > assume because there's no way to specify which VLAN that IP actually > resides on. Normally bridge-groups/BVI's are only used to bridge one > VLAN, but in this case it's bridging multiple VLANs. > > GG > > On Fri, May 30, 2008 at 12:05 PM, Jay Hennigan wrote: > > Gary T. Giesen wrote: > >> > >> Hi all, > >> > >> I have an application that requires us to bridge Ethernet VLANs over > a > >> T1. 
> >> I've previously done this using Nortel/Tasman boxes, and have got
> >> it working with a Cisco 1841 w/T1 WIC (per
> >> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_bcp.html),
> >> but I'm having one issue. The Tasman/Nortel boxes allow me to inject
> >> an IP address into one of the VLANs for management purposes, whereas I
> >> can't for the life of me figure out how to do it in Cisco-land.
> >>
> >> Cisco config snippet:
> >>
> >> bridge 1 protocol ieee
> >>
> >> interface FastEthernet0/0
> >>  no ip address
> >>  duplex auto
> >>  speed auto
> >>  vlan-id dot1q 10
> >>   description Data VLAN
> >>   bridge-group 1
> >>   exit-vlan-config
> >>  !
> >>  vlan-id dot1q 20
> >>   description Management VLAN
> >>   bridge-group 1
> >>   exit-vlan-config
> >> !
> >> !
> >>
> >> interface Serial0/1/0
> >>  no ip address
> >>  encapsulation ppp
> >>  service-module t1 clock source internal
> >>  bridge-group 1
> >
> > bridge irb
> >
> > bridge 1 proto ieee
> > bridge 1 route ip
> >
> > int bvi1
> > ip address 10.10.10.11 255.255.255.0
> >
> > --
> > Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> > Impulse Internet Service - http://www.impulse.net/
> > Your local telephone and internet company - 805 884-6323 - WB6RDV

From mksmith at adhost.com Fri May 30 14:27:58 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Fri, 30 May 2008 11:27:58 -0700
Subject: [c-nsp] Single-mode GBIC question
In-Reply-To:
References:
Message-ID: <17838240D9A5544AAA5FF95F8D52031604098F52@ad-exh01.adhost.lan>

Hello Les:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of les
> Sent: Friday, May 30, 2008 11:18 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Single-mode GBIC question
>
> I've combed the web with no luck to the answer of my simple question....
>
> If you use SINGLE-MODE fiber and gbics for very short runs (same room,
> across the street), can you damage the GBICS?
>
> What has been your experience. Oversaturation? Life-shortening? We
> typically use SM towards the telco and MM for internal but have run
> into some legacy fiber where it's SM internal. I have electronic
> background so terminology is familiar.
>
> thanks in advance
> -les

It depends. :-) If you're using LX/LH optics you should be fine. Here's a good breakdown of TX/RX parameters on the various Cisco optics. On LX/LH optics, your TX is -3 to -9.5 and your receive is -3 to -20, so even back to back at -3 to -3 you would be okay.

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html

Regards,

Mike

From mcrocker at crocker.com Fri May 30 14:31:03 2008
From: mcrocker at crocker.com (Matthew Crocker)
Date: Fri, 30 May 2008 14:31:03 -0400
Subject: [c-nsp] Single-mode GBIC question
In-Reply-To:
References:
Message-ID:

> I've combed the web with no luck to the answer of my simple
> question....
>
> If you use SINGLE-MODE fiber and gbics for very short runs (same room,
> across the street), can you damage the GBICS?

If you use appropriately powered GBICs you won't harm your receivers. 1000Base-LX is SM, 1310nm. To verify, look at your two GBICs and compare the transmit power of one GBIC to the maximum allowed receive power of the other.
According to http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet09186a008014cb5e_ps872_Products_Data_Sheet.html

The WS-G5486 1000BASE-LX GBIC transmits at -3 to -9.5 dBm and the receiver can receive between -3 and -19 dBm. That means that even with 0 loss between a pair of WS-G5486 GBICs the transmit won't overpower the receiver.

WS-G5487 1000BASE-ZX on the other hand transmits at 5 to 0 dBm and receives at -3 to -23 dBm. If you are using 1000BASE-ZX optics on a short run you are 1) wasting money on expensive GBICs and 2) required to use attenuators to add dB loss to the link to protect your receivers.

>
> What has been your experience. Oversaturation? Life-shortening? We
> typically use SM towards the telco and MM for internal but have run
> into some legacy fiber where it's SM internal. I have electronic
> background so terminology is familiar.
>
> thanks in advance
> -les

From SPfister at dps.k12.oh.us Fri May 30 15:07:33 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 30 May 2008 15:07:33 -0400
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To:
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us> <4840043E.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <48401833.9E6F.00B8.0@dps.k12.oh.us>

It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15%.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 1:50 PM >>>
See if it works without the command.
Bypassing the config via the config register might do it too.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 1:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 12:48 PM >>>
It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator

I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do?

Thanks!
Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From cchurc05 at harris.com Fri May 30 15:22:22 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 30 May 2008 14:22:22 -0500
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To: <48401833.9E6F.00B8.0@dps.k12.oh.us>
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us> <4840043E.9E6F.00B8.0@dps.k12.oh.us> <48401833.9E6F.00B8.0@dps.k12.oh.us>
Message-ID:

Hmmm. Running out of ideas. What if you take out the NMs, and then try to boot it? If you can get it to come up, get a 'sho mem', and see how much is left. It could be an error on the FN.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 3:08 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15%.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 1:50 PM >>>
See if it works without the command. Bypassing the config via the config register might do it too.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 1:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 12:48 PM >>>
It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient.

Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator

I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has.
But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From SPfister at dps.k12.oh.us Fri May 30 15:42:06 2008
From: SPfister at dps.k12.oh.us (Steven Pfister)
Date: Fri, 30 May 2008 15:42:06 -0400
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator
In-Reply-To:
References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us> <4840043E.9E6F.00B8.0@dps.k12.oh.us> <48401833.9E6F.00B8.0@dps.k12.oh.us>
Message-ID: <4840204C.9E6F.00B8.0@dps.k12.oh.us>

Yes, it does come up without the NMs. What do I look at in 'sho mem'?

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 3:22 PM >>>
Hmmm. Running out of ideas.
What if you take out the NMs, and then try to boot it? If you can get it to come up, get a 'sho mem', and see how much is left. It could be an error on the FN.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 3:08 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15%.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 1:50 PM >>>
See if it works without the command. Bypassing the config via the config register might do it too.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 1:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 12:48 PM >>>
It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient.
Chuck Church
Principal Network Engineer, CCIE #8776
Harris Information Technology Services
EDS Contractor - Navy Marine Corps Intranet (NMCI)
1210 N. Parker Rd. | Greenville, SC 29609
Office: 864-335-9473 | Cell: 864-266-3978

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 12:36 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Memory requirements in Cisco Feature Navigator

I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do?

Thanks!

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

From Curtis at GreenKey.net Fri May 30 15:48:05 2008
From: Curtis at GreenKey.net (Curtis Doty)
Date: Fri, 30 May 2008 12:48:05 -0700 (PDT)
Subject: [c-nsp] High CPU load on Catalyst 3550
In-Reply-To: <5d1b76f60805300107i6a622170g84f88af28b6e772c@mail.gmail.com>
References: <5d1b76f60805300107i6a622170g84f88af28b6e772c@mail.gmail.com>
Message-ID: <20080530194805.A8F956F05C@alopias.GreenKey.net>

11:07am Andrew Degtiariov said:

>
> Unfortunately neither cisco.com nor Google can give me an answer as to what
> the MRD process is :-(
> Does anybody know what it is?

WAG: Multicast Router Daemon?

# show run | incl gmp

../C

From agristina+cisco-nsp at gmail.com Fri May 30 20:32:12 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Fri, 30 May 2008 17:32:12 -0700
Subject: [c-nsp] Overlapping NAT subnets and PPTP
In-Reply-To:
References:
Message-ID: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c@mail.gmail.com>

One: most people use a real name on the list.

Two: PPTP and PAT don't really mix. Read up on the PPTP protocol. If not just try a whole bunch of PPTP clients behind a PAT. I don't really value the PPTP protocol very highly.

Three: IPSec can do double NAT or double PAT (disguise the same network at both ends)

Four: VPN for B2B implementations are better off if everyone insists on publics for the interesting traffic networks, then each network owner can NAT at their "demarc".

These are all things that are probably in the list archive. I hope you got more replies than this, and in a kinder gentler tone, but I'm in a hurry and didn't see anyone reply to you.

On Thu, May 29, 2008 at 8:50 AM, wrote:
>
> I have a customer that has a 2811 with a fairly complex NAT VPN
> configuration (an existing GRE tunnel, a bunch of static NAT mappings to it,
> etc).
>
> We just added a PPTP to it and ran into an overlapping subnet issue with it.
> They have over a hundred internal hosts on 192.168.1.0/24 and of course,
> many people who PPTP into it are using that same RFC1918 space on their LAN
> (it's hard coded into my Verizon router, for example). Since the incoming
> PPTP connections need to talk to those hosts, there is obviously a conflict.
>
> Cisco TAC's position was that they need to renumber to eliminate the
> conflict. That may be true, but we came up with an idea that seems like it
> should work as an alternative. That is to use something like:
>
> ip nat source static 192.168.1.20 10.3.3.20
> or
> ip nat outside source static 192.168.1.20 10.3.3.20
>
> to "fool" the incoming PPTP connected hosts. To some extent, it works. The
> incoming connections can now ping 10.3.3.20 and get responses (they could
> not ping 192.168.1.20). However, any attempt to connect to any TCP port on
> that host results in a "connection refused".
>
> Is this just a dead-end for this kludge, or is something else needed? Has
> anyone else succeeded with it? The customer just wants to avoid renumbering
> if possible (for now), so I just want to make sure that if this kludge
> doesn't work, I can explain why, or make it work if possible.
>
> Thanks in Advance!
>
> James Smallacombe PlantageNet, Inc.
> CEO and Janitor
> up at 3.am http://3.am
> =========================================================================
>

From agristina+cisco-nsp at gmail.com Fri May 30 20:42:24 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Fri, 30 May 2008 17:42:24 -0700
Subject: [c-nsp] Single strand SMF 10GbE
In-Reply-To: <200805300013.08460.mtinka@globaltransit.net>
References: <200805300013.08460.mtinka@globaltransit.net>
Message-ID: <70bb1b8f0805301742i25bfc00ckdff3f9bd8d874657@mail.gmail.com>

On Thu, May 29, 2008 at 9:13 AM, Mark Tinka wrote:
> On Thursday 29 May 2008, MKS wrote:
>
>> Hello List
>>
>> Is there some vendor out there that offers single strand SMF
>> 10GbE (X2/xenpak/whatever)?
>> Does someone know if this is on cisco's roadmap?
>
> Cisco aren't doing 10Gbps yet - they are doing mux'ed 1Gbps
> links over CWDM (can use LACP to connect up to 4Gbps):
>
> http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet0900aecd8029d01b.html
>
> For 10Gbps, consider the following vendors:
>
> * MRV
> * Transition Networks
> * Ciena (acquired WWP)
>
> Cheers,
>
> Mark.

Wow. I must be imagining all this 10Gb Ethernet Cisco gear I'm looking at. Nexus, 6500, etc. etc. Did you mean they aren't doing 10G CWDM or DWDM?

The OP used 10GbE, but that could have been in error.
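The TX/RX window comparison that Michael Smith and Matthew Crocker describe in the Single-mode GBIC thread above (and that Richard Steenbergen's later reply in that thread extends to 40 km and 80 km optics) as an added worked example; this is not code from any message in this archive. The dBm figures are the ones quoted in those messages for the WS-G5486 and WS-G5487; the `Optic` class, the function names and the link-loss and attenuator inputs are assumptions of this example, not a Cisco tool.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Optic:
    """Transmit and receive power window of a pluggable optic, in dBm.
    Hypothetical helper for this example; the figures below are the ones
    quoted in the thread, check the data sheet for the exact part you deploy."""
    name: str
    tx_min: float          # weakest transmit power the part may produce
    tx_max: float          # strongest transmit power the part may produce
    rx_sensitivity: float  # weakest signal the receiver can still decode
    rx_overload: float     # strongest signal the receiver tolerates


# Figures quoted in the thread for the two Cisco GBICs under discussion.
LX = Optic("WS-G5486 1000BASE-LX", tx_min=-9.5, tx_max=-3.0,
           rx_sensitivity=-19.0, rx_overload=-3.0)
ZX = Optic("WS-G5487 1000BASE-ZX", tx_min=0.0, tx_max=5.0,
           rx_sensitivity=-23.0, rx_overload=-3.0)


def attenuation_needed(tx: Optic, rx: Optic, link_loss_db: float = 0.0) -> float:
    """Attenuation (dB) to add so that the strongest transmit the TX part can
    emit, after fibre and connector loss, does not exceed the RX part's
    overload point. 0.0 means the link is safe as-is."""
    strongest_arrival = tx.tx_max - link_loss_db
    return max(0.0, strongest_arrival - rx.rx_overload)


def link_budget(tx: Optic, rx: Optic, link_loss_db: float = 0.0,
                attenuator_db: float = 0.0) -> dict:
    """Evaluate one direction of the link against both ends of the receiver
    window: the hottest case (risk of blinding or damaging the receiver) and
    the coldest case (too little light, bit errors)."""
    strongest = tx.tx_max - link_loss_db - attenuator_db
    weakest = tx.tx_min - link_loss_db - attenuator_db
    return {
        "strongest_rx_dbm": strongest,
        "weakest_rx_dbm": weakest,
        "overload_risk": strongest > rx.rx_overload,
        "too_weak": weakest < rx.rx_sensitivity,
        "margin_db": weakest - rx.rx_sensitivity,
    }


def recommend(tx: Optic, rx: Optic, link_loss_db: float = 0.0) -> tuple:
    """Pick the smallest attenuator that removes the overload risk and
    re-check that it has not starved the receiver at the weak end."""
    att = attenuation_needed(tx, rx, link_loss_db)
    return att, link_budget(tx, rx, link_loss_db, att)


if __name__ == "__main__":
    # Back-to-back patch cords in the same rack: assume ~0 dB of link loss.
    for tx, rx in ((LX, LX), (ZX, ZX), (ZX, LX)):
        att, budget = recommend(tx, rx, link_loss_db=0.0)
        print(f"{tx.name} -> {rx.name}: add {att:.1f} dB, "
              f"hottest arrival {budget['strongest_rx_dbm']:.1f} dBm, "
              f"margin above sensitivity {budget['margin_db']:.1f} dB")
```

Run per direction, since a ZX at one end and an LX at the other gives two different answers. The check uses the worst case at each end (maximum rated TX against the overload point, minimum rated TX against sensitivity), which is why an LX pair passes back to back with 0 dB of margin to overload and a ZX pair needs an 8 dB pad before it is safe.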
From ras at e-gerbil.net Fri May 30 23:09:12 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 30 May 2008 22:09:12 -0500
Subject: [c-nsp] Single strand SMF 10GbE
In-Reply-To: <70bb1b8f0805301742i25bfc00ckdff3f9bd8d874657@mail.gmail.com>
References: <200805300013.08460.mtinka@globaltransit.net> <70bb1b8f0805301742i25bfc00ckdff3f9bd8d874657@mail.gmail.com>
Message-ID: <20080531030912.GV4889@gerbil.cluepon.net>

On Fri, May 30, 2008 at 05:42:24PM -0700, Andrew Gristina wrote:
> Wow. I must be imagining all this 10Gb Ethernet Cisco gear I'm looking
> at. Nexus, 6500, etc. etc. Did you mean they aren't doing 10G CWDM
> or DWDM?
>
> The OP used 10GbE, but that could have been in error.

The OP was asking about a single-strand 10GE product, not just "any" 10GE product, or even ordinary 10G DWDM products. Basically they're looking for a 10GE version of 1000BASE-BX, an integrated mux+transceiver in a standard pluggable package with a single strand connector, as described here:

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html

Everyone and their mother sells 10G DWDM gear (no CWDM though, probably because dealing with the dispersion of a wider band signal at 10G speeds is far harder than transmitting a narrow and stable 100GHz signal), but that has nothing to do with what they wanted.

Also note as always that Cisco doesn't actually make any of this gear, nor do they do anything even vaguely "different" or "interesting" with it. This is all just trivial tuned optics and passive filters that you can get from anyone (at better densities, with more channels, and with better optical characteristics too), all Cisco does is slap their logo on it and mark it up 10x.
--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From up at 3.am Fri May 30 22:05:12 2008
From: up at 3.am (up at 3.am)
Date: Fri, 30 May 2008 22:05:12 -0400 (EDT)
Subject: [c-nsp] Overlapping NAT subnets and PPTP
In-Reply-To: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c@mail.gmail.com>
References: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c@mail.gmail.com>
Message-ID:

On Fri, 30 May 2008, Andrew Gristina wrote:

> One: most people use a real name on the list.

One: thank you for your response

Two: my real name is in my .sig below, as it was on my initial post. up at 3.am is my real email address. really!

> Two: PPTP and PAT don't really mix. Read up on the PPTP protocol. If
> not just try a whole bunch of PPTP clients behind a PAT. I don't
> really value the PPTP protocol very highly.

I wasn't looking to do PAT, I was looking to fake out an overlapping NAT subnet conflict by using static maps from a non-conflicting subnet to the conflicting one.

> Three: IPSec can do double NAT or double PAT (disguise the same
> network at both ends)

That's great, but the client wants users to be able to log in to the VPN from any MS client. There already is an IPSec GRE tunnel set up to another network on it, but that's not what they want here.

> Four: VPN for B2B implementations are better off if everyone insists
> on publics for the interesting traffic networks, then each network
> owner can NAT at their "demarc".

Perhaps I'm just not following you, but what we're talking about here (with these PPTP clients) are various users from all over the place...usually their home broadband network or from a hotel or whatever, where the LAN invariably is on 192.168.1.0/24. The client didn't consider this when numbering their 100+ node internal LAN on that same subnet, which is why I'm attempting this kludge.
If this kludge is a waste of time, I'd just like to know that ASAP so I can tell them they have to just do it. If it's doable, I'd like to know what I'm doing wrong.

> These are all things that are probably in the list archive.

I gave the archives a search, but didn't see anything on 'overlapping subnets'.

> I hope you got more replies than this, and in a kinder gentler tone,
> but I'm in a hurry and didn't see anyone reply to you.

I appreciate the gesture. Thanks!

> On Thu, May 29, 2008 at 8:50 AM, wrote:
>>
>> I have a customer that has a 2811 with a fairly complex NAT VPN
>> configuration (an existing GRE tunnel, a bunch of static NAT mappings to it,
>> etc).
>>
>> We just added a PPTP to it and ran into an overlapping subnet issue with it.
>> They have over a hundred internal hosts on 192.168.1.0/24 and of course,
>> many people who PPTP into it are using that same RFC1918 space on their LAN
>> (it's hard coded into my Verizon router, for example). Since the incoming
>> PPTP connections need to talk to those hosts, there is obviously a conflict.
>>
>> Cisco TAC's position was that they need to renumber to eliminate the
>> conflict. That may be true, but we came up with an idea that seems like it
>> should work as an alternative. That is to use something like:
>>
>> ip nat source static 192.168.1.20 10.3.3.20
>> or
>> ip nat outside source static 192.168.1.20 10.3.3.20
>>
>> to "fool" the incoming PPTP connected hosts. To some extent, it works. The
>> incoming connections can now ping 10.3.3.20 and get responses (they could
>> not ping 192.168.1.20). However, any attempt to connect to any TCP port on
>> that host results in a "connection refused".
>>
>> Is this just a dead-end for this kludge, or is something else needed? Has
>> anyone else succeeded with it? The customer just wants to avoid renumbering
>> if possible (for now), so I just want to make sure that if this kludge
>> doesn't work, I can explain why, or make it work if possible.
>>
>> Thanks in Advance!
>>
>> James Smallacombe PlantageNet, Inc. CEO and Janitor
>> up at 3.am http://3.am
>> =========================================================================
>>
>

James Smallacombe PlantageNet, Inc. CEO and Janitor
up at 3.am http://3.am
=========================================================================

From ras at e-gerbil.net Fri May 30 23:50:21 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Fri, 30 May 2008 22:50:21 -0500
Subject: [c-nsp] Single-mode GBIC question
In-Reply-To:
References:
Message-ID: <20080531035021.GW4889@gerbil.cluepon.net>

On Fri, May 30, 2008 at 01:18:25PM -0500, les wrote:
> I've combed the web with no luck to the answer of my simple question....
>
> If you use SINGLE-MODE fiber and gbics for very short runs (same room,
> across the street), can you damage the GBICS?

Technically speaking, there is no reason that multimode fiber wouldn't be just as efficient at transmitting too much light. An MMF core is much wider than SMF so it's actually easier to transmit "more" light, it's just that on MMF the core is so wide the light bounces around inside the fiber and makes it much harder to clearly decode the signal.

I assume what you actually mean is, is it possible for long reach optics (which one would normally use SMF with, in order to obtain those long distances) to transmit too much light and damage the GBICs? The answer is yes, but it's actually more a function of the receiving GBIC than the transmitting GBIC. The difference in TX power between a 10km LX optic and a 100km ZX optic is relatively minimal, but the 100km optic has a much more sensitive receiver.
It's possible to blind an optic with an overly strong signal (you'll see bit errors before you see it just "go down"), but if you're going to cause damage it will be to a long haul optic with a very sensitive receiver. Generally speaking, it's pretty hard to cause any problems with a 10km LX or LR optic (unless it's transmitting WAY higher than spec, which does happen from time to time especially on 10GE optics), even if you're running back to back optics a few inches apart. When you start getting into 40km ranges you run the risk of blinding the receiver on short distances and causing errors, and at 70/80/100km optics you run the risk of damage if you hook them up back to back. In those cases, you should use an attenuator.

--
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

From jacob at vargas.com Sat May 31 01:22:27 2008
From: jacob at vargas.com (Jacob Vargas)
Date: Fri, 30 May 2008 22:22:27 -0700
Subject: [c-nsp] cisco-nsp Digest, Vol 66, Issue 114
Message-ID: <2RBM3TVwygXY.XpBntz3R@sendmail.vargas.com>

- original message -
Subject: cisco-nsp Digest, Vol 66, Issue 114
From: cisco-nsp-request at puck.nether.net
Date: 05/31/2008 1:47 am

Send cisco-nsp mailing list submissions to
	cisco-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
	cisco-nsp-request at puck.nether.net

You can reach the person managing the list at
	cisco-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of cisco-nsp digest..."

Today's Topics:

   1. Re: Memory requirements in Cisco Feature Navigator (Steven Pfister)
   2. Re: Memory requirements in Cisco Feature Navigator (Church, Charles)
   3. Re: Memory requirements in Cisco Feature Navigator (Steven Pfister)
   4. Re: High CPU load on Catalyst 3550 (Curtis Doty)
   5.
      Re: Overlapping NAT subnets and PPTP (Andrew Gristina)
   6. Re: Single strand SMF 10GbE (Andrew Gristina)
   7. Re: Single strand SMF 10GbE (Richard A Steenbergen)

----------------------------------------------------------------------

Message: 1
Date: Fri, 30 May 2008 15:07:33 -0400
From: "Steven Pfister"
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator
To:
Message-ID: <48401833.9E6F.00B8.0 at dps.k12.oh.us>
Content-Type: text/plain; charset=US-ASCII

It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15%.

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 1:50 PM >>>
See if it works without the command. Bypassing the config via the config register might do it too.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister
Sent: Friday, May 30, 2008 1:42 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator

It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config.

--Steve

Steve Pfister
Technical Coordinator, The Office of Information Technology
Dayton Public Schools
115 S. Ludlow St.
Dayton, OH 45402
Office (937) 542-3149
Cell (937) 673-6779
Direct Connect: 137*131747*8
Email spfister at dps.k12.oh.us

>>> "Church, Charles" 5/30/2008 12:48 PM >>>
It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command.
Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient. Chuck Church Principal Network Engineer, CCIE #8776 Harris Information Technology Services EDS Contractor - Navy Marine Corps Intranet (NMCI) 1210 N. Parker Rd. | Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 12:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Memory requirements in Cisco Feature Navigator I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. 
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ Message: 2 Date: Fri, 30 May 2008 14:22:22 -0500 From: "Church, Charles" Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator To: "Steven Pfister" , Message-ID: Content-Type: text/plain; charset="us-ascii" Hmmm. Running out of ideas. What if you take out the NMs, and then try to boot it? If you can get it to come up, get a 'sho mem', and see how much is left. It could be an error on the FN. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 3:08 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15% Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 1:50 PM >>> See if it works without the command. Bypassing the config via the config register might do it too.
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 1:42 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config. --Steve Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 12:48 PM >>> It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient. Chuck Church Principal Network Engineer, CCIE #8776 Harris Information Technology Services EDS Contractor - Navy Marine Corps Intranet (NMCI) 1210 N. Parker Rd. | Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 12:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Memory requirements in Cisco Feature Navigator I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. 
Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ Message: 3 Date: Fri, 30 May 2008 15:42:06 -0400 From: "Steven Pfister" Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator To: "Charles Church" , Message-ID: <4840204C.9E6F.00B8.0 at dps.k12.oh.us> Content-Type: text/plain; charset=US-ASCII Yes, it does come up without the NMs. What do I look at in 'sho mem'? Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 3:22 PM >>> Hmmm. Running out of ideas. What if you take out the NMs, and then try to boot it? If you can get it to come up, get a 'sho mem', and see how much is left. It could be an error on the FN.
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 3:08 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... I think it still defaults to 15% Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 1:50 PM >>> See if it works without the command. Bypassing the config via the config register might do it too. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 1:42 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config. --Steve Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 12:48 PM >>> It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient. Chuck Church Principal Network Engineer, CCIE #8776 Harris Information Technology Services EDS Contractor - Navy Marine Corps Intranet (NMCI) 1210 N. Parker Rd. 
| Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 12:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Memory requirements in Cisco Feature Navigator I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ Message: 4 Date: Fri, 30 May 2008 12:48:05
-0700 (PDT) From: Curtis Doty Subject: Re: [c-nsp] High CPU load on Catalyst 3550 To: Cisco NSPs Message-ID: <20080530194805.A8F956F05C at alopias.GreenKey.net> Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed 11:07am Andrew Degtiariov said: > > Unfortunately neither cisco.com nor Google can give me an answer as to what a > MRD process is :-( > Anybody know what this is? WAG: Multicast Router Daemon? # show run | incl gmp .../C ------------------------------ Message: 5 Date: Fri, 30 May 2008 17:32:12 -0700 From: "Andrew Gristina" Subject: Re: [c-nsp] Overlapping NAT subnets and PPTP To: up at 3.am Cc: cisco-nsp at puck.nether.net Message-ID: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 One: most people use a real name on the list. Two: PPTP and PAT don't really mix. Read up on the PPTP protocol. If not just try a whole bunch of PPTP clients behind a PAT. I don't really value the PPTP protocol very highly. Three: IPSec can do double NAT or double PAT (disguise the same network at both ends) Four: VPNs for B2B implementations are better off if everyone insists on publics for the interesting traffic networks, then each network owner can NAT at their "demarc". These are all things that are probably in the list archive. I hope you got more replies than this, and in a kinder gentler tone, but I'm in a hurry and didn't see anyone reply to you. On Thu, May 29, 2008 at 8:50 AM, wrote: > > I have a customer that has a 2811 with a fairly complex NAT VPN > configuration (an existing GRE tunnel, a bunch of static NAT mappings to it, > etc). > > We just added a PPTP to it and ran into an overlapping subnet issue with it. > They have over a hundred internal hosts on 192.168.1.0/24 and of course, > many people who PPTP into it are using that same RFC1918 space on their LAN > (it's hard coded into my Verizon router, for example).
Since the incoming > PPTP connections need to talk to those hosts, there is obviously a conflict. > > Cisco TAC's position was that they need to renumber to eliminate the > conflict. That may be true, but we came up with an idea that seems like it > should work as an alternative. That is to use something like: > > ip nat source static 192.168.1.20 10.3.3.20 > or > ip nat outside source static 192.168.1.20 10.3.3.20 > > to "fool" the incoming PPTP connected hosts. To some extent, it works. The > incoming connections can now ping 10.3.3.20 and get responses (they could > not ping 192.168.1.20). However, any attempt to connect to any TCP port on > that host results in a "connection refused". > > Is this just a dead-end for this kludge, or is something else needed? Has > anyone else succeeded with it? The customer just wants to avoid renumbering > if possible (for now), so I just want to make sure that if this kludge > doesn't work, I can explain why, or make it work if possible. > > Thanks in Advance! > > James Smallacombe PlantageNet, Inc. CEO and Janitor > up at 3.am http://3.am > ========================================================================= > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------ Message: 6 Date: Fri, 30 May 2008 17:42:24 -0700 From: "Andrew Gristina" Subject: Re: [c-nsp] Single strand SMF 10GbE To: mtinka at globaltransit.net Cc: MKS , cisco-nsp at puck.nether.net Message-ID: <70bb1b8f0805301742i25bfc00ckdff3f9bd8d874657 at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 On Thu, May 29, 2008 at 9:13 AM, Mark Tinka wrote: > On Thursday 29 May 2008, MKS wrote: > >> Hello List >> >> Is some vendor out there that offers single strand SMF >> 10GbE (X2/xenpak/whatever). >> Does someone know if this is on cisco's roadmap? 
> > Cisco aren't doing 10Gbps yet - they are doing mux'ed 1Gbps > links over CWDM (can use LACP to connect up to 4Gbps): > > http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6575/product_data_sheet0900aecd8029d01b.html > > For 10Gbps, consider the following vendors: > > * MRV > * Transition Networks > * Ciena (acquired WWP) > > Cheers, > > Mark. Wow. I must be imagining all this 10Gb Ethernet Cisco gear I'm looking at. Nexus, 6500, etc. etc. Did you mean they aren't doing 10G CWDM or DWDM? The OP used 10GbE, but that could have been in error. ------------------------------ Message: 7 Date: Fri, 30 May 2008 22:09:12 -0500 From: Richard A Steenbergen Subject: Re: [c-nsp] Single strand SMF 10GbE To: Andrew Gristina Cc: cisco-nsp at puck.nether.net, MKS Message-ID: <20080531030912.GV4889 at gerbil.cluepon.net> Content-Type: text/plain; charset=us-ascii On Fri, May 30, 2008 at 05:42:24PM -0700, Andrew Gristina wrote: > Wow. I must be imagining all this 10Gb Ethernet Cisco gear I'm looking > at. Nexus, 6500, etc. etc. Did you mean they aren't doing 10G CWDM > or DWDM? > > The OP used 10GbE, but that could have been in error. The OP was asking about a single-strand 10GE product, not just "any" 10GE product, or even ordinary 10G DWDM products. Basically they're looking for a 10GE version of 1000BASE-BX, an integrated mux+transceiver in a standard pluggable package with a single strand connector, as described here: http://www.cisco.com/en/US/prod/collateral/modules/ps5455/ps6577/product_data_sheet0900aecd8033f885.html Everyone and their mother sells 10G DWDM gear (no CWDM though, probably because dealing with the dispersion of a wider band signal at 10G speeds is far harder than transmitting a narrow and stable 100GHz signal), but that has nothing to do with what they wanted. Also note as always that Cisco doesn't actually make any of this gear, nor do they do anything even vaguely "different" or "interesting" with it.
This is all just trivial tuned optics and passive filters that you can get from anyone (at better densities, with more channels, and with better optical characteristics too), all Cisco does is slap their logo on it and mark it up 10x. -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) ------------------------------ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp End of cisco-nsp Digest, Vol 66, Issue 114 ****************************************** From gert at greenie.muc.de Sat May 31 03:32:42 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sat, 31 May 2008 09:32:42 +0200 Subject: [c-nsp] Overlapping NAT subnets and PPTP In-Reply-To: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c@mail.gmail.com> References: <70bb1b8f0805301732t6213f9a3t45a8cac3b9b9cf5c@mail.gmail.com> Message-ID: <20080531073242.GN426@greenie.muc.de> Hi, On Fri, May 30, 2008 at 05:32:12PM -0700, Andrew Gristina wrote: > Two: PPTP and PAT don't really mix. Read up on the PPTP protocol. If > not just try a whole bunch of PPTP clients behind a PAT. Cisco NAT/PAT can actually handle PPTP, if the IOS is recent enough (12.3 or so). The difficult thing is to remember which GRE packet belongs to what control connection, and NAT those correctly. > Three: IPSec can do double NAT or double PAT (disguise the same > network at both ends) IPSEC cannot do anything of this :-) - IPSEC is just a transport, as is PPTP. Whether or not a given IPSEC implementation can also run NAT on the IPSEC-Tunnel is not a question of "is the protocol superior?". OTOH, on Cisco you might run a GRE tunnel over IPSEC, and use that to do NAT to your heart's content. Or just do away with NAT and get real IP addresses. Which is the way to go. gert -- USENET is *not* the non-clickable part of WWW! 
//www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From berk131 at gmail.com Sat May 31 08:51:46 2008 From: berk131 at gmail.com (Berkeley) Date: Sat, 31 May 2008 16:51:46 +0400 Subject: [c-nsp] unable to configure ip protocol for ACL in c5850tb Message-ID: Hi, it has the c5850tb-p9-mz.123-11.T11 IOS. When I try
RSC1(config)#access-list 110 permit ?
  <0-255>  An IP protocol number
  ahp      Authentication Header Protocol
  eigrp    Cisco's EIGRP routing protocol
  esp      Encapsulation Security Payload
  gre      Cisco's GRE tunneling
  icmp     Internet Control Message Protocol
  igmp     Internet Gateway Message Protocol
  ipinip   IP in IP tunneling
  nos      KA9Q NOS compatible IP over IP tunneling
  ospf     OSPF routing protocol
  pcp      Payload Compression Protocol
  pim      Protocol Independent Multicast
  tcp      Transmission Control Protocol
  udp      User Datagram Protocol
There is no "ip Any Internet Protocol" protocol, how can I define it? From jlewis at lewis.org Sat May 31 09:43:52 2008 From: jlewis at lewis.org (Jon Lewis) Date: Sat, 31 May 2008 09:43:52 -0400 (EDT) Subject: [c-nsp] unable to configure ip protocol for ACL in c5850tb In-Reply-To: References: Message-ID: On Sat, 31 May 2008, Berkeley wrote: > Hi, > it has the c5850tb-p9-mz.123-11.T11 IOS. > When I try > RSC1(config)#access-list 110 permit ? > <0-255> An IP protocol number > > There is no "ip Any Internet Protocol" protocol, how can I define it? What happens if you use protocol number 0?
ip 0 IP # internet protocol, pseudo protocol number ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From cchurc05 at harris.com Sat May 31 10:10:38 2008 From: cchurc05 at harris.com (Church, Charles) Date: Sat, 31 May 2008 09:10:38 -0500 Subject: [c-nsp] Memory requirements in Cisco Feature Navigator In-Reply-To: <4840204C.9E6F.00B8.0@dps.k12.oh.us> References: <483FF4C9.9E6F.00B8.0@dps.k12.oh.us><4840043E.9E6F.00B8.0@dps.k12.oh.us> <48401833.9E6F.00B8.0@dps.k12.oh.us> <4840204C.9E6F.00B8.0@dps.k12.oh.us> Message-ID: What do the top 3 lines look? The free bytes of the processor and I/O are probably most important. Chuck -----Original Message----- From: Steven Pfister [mailto:SPfister at dps.k12.oh.us] Sent: Friday, May 30, 2008 3:42 PM To: Church, Charles; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator Yes, it does come up without the NMs. What do I look at in 'sho mem'? Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 3:22 PM >>> Hmmm. Running out of ideas. What if you take out the NMs, and then try to boot it? If you can get it to come up, get a 'sho mem', and see how much is left. It could be an error on the FN. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 3:08 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It looks like without the command it defaults to 15%. Adding a 'memory-size iomem 5' doesn't seem to do too much... 
I think it still defaults to 15% Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 1:50 PM >>> See if it works without the command. Bypassing the config via the config register might do it too. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 1:42 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Memory requirements in Cisco Feature Navigator It's an IP plus image. It looks like there is a 'memory-size iomem 15' in the config. --Steve Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us >>> "Church, Charles" 5/30/2008 12:48 PM >>> It's possible that FN is wrong. What feature set are you using? Do you have 'memory-size iomem' configured on the router? Or something along those lines, if memory serves me right (pun intended). I believe the 2600s and 3600s supported the command. Dedicating a large amount to iomem might reduce the CPU memory to that which the router would find insufficient. Chuck Church Principal Network Engineer, CCIE #8776 Harris Information Technology Services EDS Contractor - Navy Marine Corps Intranet (NMCI) 1210 N. Parker Rd. 
| Greenville, SC 29609 Office: 864-335-9473 | Cell: 864-266-3978 -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Steven Pfister Sent: Friday, May 30, 2008 12:36 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Memory requirements in Cisco Feature Navigator I've got an IOS (12.3(14)T7) that I'm trying to load onto a 3640 router. According to the feature navigator, it should require 96mb DRAM, 32mb flash, which this router has. But, when I try to boot it, it gives me an out-of-memory error and crashes during boot. Is the FN wrong, or is there something I can do? Thanks! Steve Pfister Technical Coordinator, The Office of Information Technology Dayton Public Schools 115 S. Ludlow St. Dayton, OH 45402 Office (937) 542-3149 Cell (937) 673-6779 Direct Connect: 137*131747*8 Email spfister at dps.k12.oh.us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From danletkeman at gmail.com Sat May 31 17:30:48 2008 From: danletkeman at
gmail.com (Dan Letkeman) Date: Sat, 31 May 2008 16:30:48 -0500 Subject: [c-nsp] preventing unwanted devices on the network Message-ID: Hello, I'm looking for the best way to prevent unwanted wireless routers or other unwanted bridging devices on a network. For example a wireless router with the wan port plugged in to the network or a router in bridging mode with dhcp off. From other posts I have read about using dhcp snooping. I'm wondering if it works when someone plugs in a router into a switch because the "wan" port will only request an address, the dhcp will be on the routers "lan" side. Also I would like to prevent unwanted static ip addresses on this network as well. My current setup is a 3560 switch which has multiple 2960 switches connected to it. I would like to prevent this type of traffic right at the edge ports. Would an access list be the appropriate way to protect this? Unfortunately port security will not work for us. Thanks, Dan. From A.L.M.Buxey at lboro.ac.uk Sat May 31 17:43:58 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Sat, 31 May 2008 22:43:58 +0100 Subject: [c-nsp] preventing unwanted devices on the network In-Reply-To: References: Message-ID: <20080531214358.GA21486@lboro.ac.uk> Hi, > Also I would like to prevent unwanted static ip addresses on this > network as well. My current setup is a 3560 switch which has multiple > 2960 switches connected to it. I would like to prevent this type of > traffic right at the edge ports. Would an access list be the > appropriate way to protect this? Unfortunately port security will not > work for us. you'll probably want the IP source guard functionality. this means the device will only touch IP addresses that are known via its IP to MAC binding table generated via DHCP (DHCP snooping drives the show) really it's all part of the 'Turn It On' program.
http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf alan From mcrocker at crocker.com Sat May 31 23:00:38 2008 From: mcrocker at crocker.com (Matthew Crocker) Date: Sat, 31 May 2008 23:00:38 -0400 Subject: [c-nsp] preventing unwanted devices on the network In-Reply-To: References: Message-ID: <408754A7-6EF8-4FE3-8805-067563E83559@crocker.com> 802.1x provides Ethernet (layer 2) access control. You enable it on your switch ports and all Ethernet devices need to authenticate. Using Radius you can assign authenticated users to various VLANs etc. Your devices need to support 802.1x in order to authenticate but most modern OSes have .1x clients http://www.cisco.com/en/US/products/ps6662/products_ios_protocol_option_home.html On May 31, 2008, at 5:30 PM, Dan Letkeman wrote: > Hello, > > I'm looking for the best way to prevent unwanted wireless routers or > other unwanted bridging devices on a network. For example a wireless > router with the wan port plugged in to the network or a router in > bridging mode with dhcp off. > > From other posts I have read about using dhcp snooping. I'm wondering > if it works when someone plugs in a router into a switch because the > "wan" port will only request an address, the dhcp will be on the > routers "lan" side. > > Also I would like to prevent unwanted static ip addresses on this > network as well. My current setup is a 3560 switch which has multiple > 2960 switches connected to it. I would like to prevent this type of > traffic right at the edge ports. Would an access list be the > appropriate way to protect this? Unfortunately port security will not > work for us. > > Thanks, > Dan.
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From scott at labyrinth.org Sat May 31 23:01:35 2008 From: scott at labyrinth.org (Scott Keoseyan) Date: Sat, 31 May 2008 23:01:35 -0400 Subject: [c-nsp] preventing unwanted devices on the network In-Reply-To: References: Message-ID: <4842110F.40008@labyrinth.org> 802.1x Dan Letkeman wrote: | Hello, | | I'm looking for the best way to prevent unwanted wireless routers or | other unwanted bridging devices on a network. For example a wireless | router with the wan port plugged in to the network or a router in | bridging mode with dhcp off. | | From other posts I have read about using dhcp snooping. I'm wondering | if it works when someone plugs in a router into a switch because the | "wan" port will only request an address, the dhcp will be on the | routers "lan" side. | | Also I would like to prevent unwanted static ip addresses on this | network as well. My current setup is a 3560 switch which has multiple | 2960 switches connected to it. I would like to prevent this type of | traffic right at the edge ports. Would an access list be the | appropriate way to protect this? Unfortunately port security will not | work for us. | | Thanks, | Dan. | _______________________________________________ | cisco-nsp mailing list cisco-nsp at puck.nether.net | https://puck.nether.net/mailman/listinfo/cisco-nsp | archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Scott A.
Keoseyan (scott at labyrinth.org) (704) 604-3381 Homepage : http://www.labyrinth.org/homepages/scott Blogpage : http://www.labyrinth.org/wp1 PGP Keys : http://www.labyrinth.org/homepages/scott/pgp.html From danletkeman at gmail.com Sat May 31 23:14:32 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Sat, 31 May 2008 22:14:32 -0500 Subject: [c-nsp] preventing unwanted devices on the network In-Reply-To: <20080531214358.GA21486@lboro.ac.uk> References: <20080531214358.GA21486@lboro.ac.uk> Message-ID: Thanks for this info. I will look into this some more, but I think there should be some stuff here that should help me. On Sat, May 31, 2008 at 4:43 PM, wrote: > Hi, > >> Also I would like to prevent unwanted static ip addresses on this >> network as well. My current setup is a 3560 switch which has multiple >> 2960 switches connected to it. I would like to prevent this type of >> traffic right at the edge ports. Would an access list be the >> appropriate way to protect this? Unfortunately port security will not >> work for us. > > you'll probably want the IP source guard functionality. this means > the device will only touch IP addresses that are known via its > IP to MAC binding table generated via DHCP (DHCP snooping drives > the show) > > really it's all part of the 'Turn It On' program. > > http://www.cisco.com/web/strategy/docs/gov/turniton_cisf.pdf > > alan >
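As an added example that is not part of the thread or of Cisco's own documentation, here is how the two answers above (DHCP snooping with IP Source Guard, and 802.1X) fit together on one of the 2960 edge switches in the setup Dan describes. DHCP snooping builds the IP-to-MAC binding table from real leases, IP Source Guard and Dynamic ARP Inspection enforce it, and 802.1X keeps any device that cannot authenticate off the port altogether. The VLAN number, interface names, the RADIUS server 192.0.2.10 and its key, and the printer's MAC address and static binding are invented for illustration. The dot1x command form is the one in 12.2 images of the period; later releases also accept the authentication port-control / host-mode forms, and whether a particular 2960 image supports DAI and IP Source Guard depends on the release, so check that each command is accepted.

```cisco
! 2960 edge switch: added example configuration, not from the thread.
! Assumptions: user ports Fa0/1-24 are in VLAN 10, Gi0/1 is the uplink
! to the 3560, and both the DHCP server and the RADIUS server (192.0.2.10,
! invented) are reached through that uplink.

! 1. DHCP snooping: learn bindings from leases, and drop DHCP server
!    replies that arrive on untrusted (user) ports, so a plugged-in
!    router with its DHCP server left on cannot hand out addresses.
ip dhcp snooping
ip dhcp snooping vlan 10
! Leave option 82 off unless the 3560's relay and the DHCP server are
! configured to accept it; otherwise client requests get dropped.
no ip dhcp snooping information option
! Persist the binding table so a reload does not cut off every host
! until it renews its lease.
ip dhcp snooping database flash:/dhcp-snooping.db
!
! 2. Dynamic ARP Inspection: drop ARP that does not match a binding, so a
!    rogue device cannot become the VLAN's gateway even with a valid lease.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! 3. 802.1X: the port stays closed until a supplicant authenticates.
!    The network authorization line is what allows RADIUS to assign VLANs.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleSharedSecret
dot1x system-auth-control
!
! The uplink is the only port where DHCP offers and ARP are trusted.
interface GigabitEthernet0/1
 description uplink to 3560
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! User ports.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
 ip dhcp snooping limit rate 10
 ip arp inspection limit rate 15
 ! IP Source Guard on source IP only; the port-security variant is not
 ! used because port security was ruled out in the thread.
 ip verify source
 dot1x port-control auto
 ! One MAC per port: a second MAC behind a bridging router trips a
 ! security violation and the port is err-disabled.
 dot1x host-mode single-host
!
! A device that legitimately uses a static address (an invented printer
! on Fa0/24) needs a manual binding or IP Source Guard drops it.
ip source binding 0011.2233.4455 vlan 10 192.168.10.50 interface FastEthernet0/24
!
! Verification after applying:
!   show ip dhcp snooping binding
!   show ip verify source
!   show ip arp inspection statistics vlan 10
!   show dot1x interface FastEthernet0/1
```

What each piece does for the two cases Dan raised: a consumer router plugged in by its WAN port looks like a single DHCP client, so snooping and IP Source Guard alone let it through, and it is 802.1X that stops it, because the router cannot authenticate. A router in bridge mode with DHCP off is transparent, so the hosts behind it each request their own lease and pass snooping; the single-host setting is what catches the second MAC on the port, and if the router's DHCP server were left on, snooping drops its offers because the port is untrusted. Unwanted static addresses are dropped by IP Source Guard unless a binding exists. Two practical caveats: hosts that obtained a lease before snooping was enabled have no binding and lose connectivity until they renew, so turn on snooping first and add `ip verify source` once the table has filled; and BPDU guard only catches devices that speak spanning tree, which consumer routers generally do not.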