From lnarayanan.p at gmail.com Sat Nov 1 07:56:14 2008
From: lnarayanan.p at gmail.com (Lakshminarayanan P)
Date: Sat, 1 Nov 2008 17:26:14 +0530
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
Message-ID: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>

Hi All,

There is a requirement for me to pick up "device types" of Cisco devices using SNMP. Could somebody share an OID or direct me to the MIB file that can help me get this information?

For example, a 2811 polled with this OID should return a value which says that the device is a "Router".

While I understand that a lot of Cisco modular devices can act as a Switch / Router / Firewall / Load Balancer based on the modules installed and/or the IOS running, I just need to get the basic device type. As an example, a Catalyst 6500 chassis polled with this OID should return something like "Switch" regardless of the presence of a Firewall Services Module on it.

Is there such an Object?

Thanks in anticipation.....

Lakshminarayanan


From mussieg at comcast.net Sat Nov 1 08:34:23 2008
From: mussieg at comcast.net (mussieg at comcast.net)
Date: Sat, 01 Nov 2008 12:34:23 +0000
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
Message-ID: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>

I highly doubt you will find an OID that tells you if a device is a router or a switch. For a while now, Cisco has managed to merge the various functions (bridge, switch, router ..etc) into a single chassis. Your best bet might be to create your own mapping file and use the output of sysDescr.0 to determine which one is which ..

-------------- Original message ----------------------
From: "Lakshminarayanan P"
> Hi All,
>
> There is a requirement for me to pick up "device types" of Cisco devices
> using SNMP. Could somebody share an OID or direct me to the MIB file that can
> help me get this information?
>
> For example, a 2811 polled with this OID should return a value which says
> that the device is a "Router".
>
> While I understand that a lot of Cisco modular devices can act as a Switch /
> Router / Firewall / Load Balancer based on the modules installed and/or the
> IOS running, I just need to get the basic device type. As an example, a
> Catalyst 6500 chassis polled with this OID should return something like
> "Switch" regardless of the presence of a Firewall Services Module on it.
>
> Is there such an Object?
>
> Thanks in anticipation.....
>
> Lakshminarayanan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From adriankok2000 at yahoo.com.hk Sat Nov 1 07:51:51 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Sat, 1 Nov 2008 19:51:51 +0800 (CST)
Subject: [c-nsp] acces list help and best way to do acess-list
Message-ID: <676471.19513.qm@web33301.mail.mud.yahoo.com>

Hi

I have this original access-list in running config

access-list 20 deny 192.168.0.0
access-list 20 permit any
line vty 0 4
access-class 20 in

and want to change it to add log: "access-list 20 deny 192.168.0.0 0.0.0.255 log"

When I change

router(config)#access-list 20 deny 192.168.0.0 0.0.0.255 log

I realize it can't be changed and I have to use "no":

router(config)#no access-list 20 deny 192.168.0.0 0.0.0.255

When I use this command, I almost lost the connection from anywhere.

My questions

1/ How can I prevent this from happening?

2/ What is the best way to do the access-list in "line vty"?

3/ Is it good to use log in an access-list? Not sure how busy the router is or not.
thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com


From networking.stuff at googlemail.com Sat Nov 1 09:46:53 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Sat, 1 Nov 2008 19:16:53 +0530
Subject: [c-nsp] 3750 Etherchannel loadbalnace
Message-ID: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>

Hi,

I have 3750 aggregation switches as the aggregation layer to connect 2 access routers to the core router. The 3750 runs an etherchannel to the core with 2 x 1 gig links.

I have the src-mac based load balancing method used on the 3750, and what I see is that the 3750 uses only one link of the etherchannel, so during tests when I have total traffic coming in at more than 1 gig, I see drops....

Here are the details:

MAC addresses:
000d.edac.8900 - Access Router 1
0006.d61b.3c1a - Access Router 2
0015.c75d.d42c - Core router

sw1.LAB-3750G#show etherchannel summary | beg Group
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi2/0/1(P)   Gi2/0/4(P)

sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac 000d.edac.8900 0015.c75d.d42c
Would select Gi2/0/1 of Po1

sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac 0006.d61b.3c1a 0015.c75d.d42c
Would select Gi2/0/1 of Po1

As per the above test, I see that the 3750 selects Gi2/0/1 for both source MAC addresses, and that's the reason I have only one link utilized..

Does somebody know the algorithm used by the 3750 for the above two source MAC addresses, and how did it always select Gi2/0/1 and not the other link for the 2nd stream of traffic??

Unfortunately I can't do src-dst-ip based load balancing because the incoming traffic is MPLS labelled and the existing 3750 doesn't have the capability to understand MPLS, so it treats it as non-IP traffic..

Thanks in advance,
Chintan


From lee.e.rian at census.gov Sat Nov 1 11:00:52 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:00:52 -0400
Subject: [c-nsp] acces list help and best way to do acess-list
In-Reply-To: <676471.19513.qm@web33301.mail.mud.yahoo.com>
References: <676471.19513.qm@web33301.mail.mud.yahoo.com>
Message-ID:

>1/ How can I prevent this from happening?

line vty 0 4
no access-class 20 in

>2/ What is the best way to do the access-list in "line vty"?

How perfect can you be? If you aren't going to make any mistakes, create a file on a tftp server that has the

no access-list 20
access-list 20 ...
access-list 20 ...

and do a conf net to get the changes applied. If you make typos as often as I do, remove the access list from the vty, recreate the access list and, if there are no mistakes, reapply the access list:

line vty 0 4
no access-class 20 in
no access-list 20
access-list 20 ...
access-list 20 ...
line vty 0 4
access-class 20 in

Even better is using a different access list number. I don't bother for vtys, but on our ISP link I alternate between access list numbers:

no access-list 21
access-list 21 ...
access-list 21 ...
line vty 0 4
access-class 21 in

>3/ Is it good to use log in an access-list?
>Not sure how busy the router is or not.

It is extra overhead... but it's also a real easy way to see what's being blocked. Just be sure that the console logging level is low enough so that stuff doesn't get logged to the console.
I like "no logging console" - but I watch the logs from a syslog server, so YMMV

Regards,
Lee

-----adrian kok wrote: -----
>Hi
>
>I have this original access-list in running config
>
>access-list 20 deny 192.168.0.0
>access-list 20 permit any
>line vty 0 4
>access-class 20 in
>
>and want to change it to add log: "access-list 20 deny
>192.168.0.0 0.0.0.255 log"
>
>When I change
>router(config)#access-list 20 deny 192.168.0.0
>0.0.0.255 log
>I realize it can't be changed and I have to use "no":
>router(config)#no access-list 20 deny 192.168.0.0
>0.0.0.255
>
>When I use this command, I almost lost the connection
>from anywhere.
>
>My questions
>
>1/ How can I prevent this from happening?
>
>2/ What is the best way to do the access-list in "line
>vty"?
>
>3/ Is it good to use log in an access-list?
>Not sure how busy the router is or not.
>
>thank you


From lee.e.rian at census.gov Sat Nov 1 11:30:23 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:30:23 -0400
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
Message-ID:

-----mussieg wrote: -----
>I highly doubt you will find an OID that tells you if a device is a
>router or a switch. For a while now, Cisco has managed to merge the
>various functions (bridge, switch, router ..etc) into a single
>chassis. Your best bet might be to create your own mapping file and
>use the output of sysDescr.0 to determine which one is which ..

Especially considering his example was a Catalyst 6500 chassis. He'd have to distinguish switched/routed ports present or not...

I'm not at work, so I can't check, but the RFC1213 sysServices might show if the routing and/or bridging functionality is enabled:

    sysServices OBJECT-TYPE
        SYNTAX  INTEGER (0..127)
        ACCESS  read-only
        STATUS  mandatory
        DESCRIPTION
            "A value which indicates the set of services that this
            entity primarily offers.  The value is a sum.  This sum
            initially takes the value zero, Then, for each layer, L, in
            the range 1 through 7, that this node performs transactions
            for, 2 raised to (L - 1) is added to the sum.  For example, a
            node which performs primarily routing functions would have a
            value of 4 (2^(3-1)).  In contrast, a node which is a host
            offering application services would have a value of 72
            (2^(4-1) + 2^(7-1)).  Note that in the context of the Internet
            suite of protocols, values should be calculated accordingly:

                 layer  functionality
                     1  physical (e.g., repeaters)
                     2  datalink/subnetwork (e.g., bridges)
                     3  internet (e.g., IP gateways)
                     4  end-to-end (e.g., IP hosts)
                     7  applications (e.g., mail relays)

Lee

>-------------- Original message ----------------------
>From: "Lakshminarayanan P"
>> Hi All,
>>
>> There is a requirement for me to pick up "device types" of Cisco
>> devices using SNMP. Could somebody share an OID or direct me to the
>> MIB file that can help me get this information?
>>
>> For example, a 2811 polled with this OID should return a value
>> which says that the device is a "Router".
>>
>> While I understand that a lot of Cisco modular devices can act as a
>> Switch / Router / Firewall / Load Balancer based on the modules
>> installed and/or the IOS running, I just need to get the basic
>> device type. As an example, a Catalyst 6500 chassis polled with this
>> OID should return something like "Switch" regardless of the presence
>> of a Firewall Services Module on it.
>>
>> Is there such an Object?
>>
>> Thanks in anticipation.....
>>
>> Lakshminarayanan


From ariev at vayner.net Sat Nov 1 11:37:59 2008
From: ariev at vayner.net (Arie Vayner)
Date: Sat, 1 Nov 2008 17:37:59 +0200
Subject: [c-nsp] 3750 Etherchannel loadbalnace
In-Reply-To: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>
References: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>
Message-ID: <20b13c6b0811010837p601e8ae9x5aeb2635193e4f54@mail.gmail.com>

Chintan,

The switches use a hash function. This means that if you have only 2 MACs, there is a 50:50 chance that only one link would be used... If the number of MACs is higher, the chances get better.

One thing you could do is to split the traffic at the MPLS speaker's level by breaking the etherchannel, and running 2 VLANs end to end (each on a single link). This would allow the MPLS hosts to make the load sharing decision...

Arie

On Sat, Nov 1, 2008 at 3:46 PM, Chintan Shah <networking.stuff at googlemail.com> wrote:

> Hi,
>
> I have 3750 aggregation switches as the aggregation layer to connect 2 access
> routers to the core router. The 3750 runs an etherchannel to the core with
> 2 x 1 gig links.
>
> I have the src-mac based load balancing method used on the 3750, and what
> I see is that the 3750 uses only one link of the etherchannel, so during
> tests when I have total traffic coming in at more than 1 gig, I see drops....
>
> Here are the details:
>
> MAC addresses:
> 000d.edac.8900 - Access Router 1
> 0006.d61b.3c1a - Access Router 2
> 0015.c75d.d42c - Core router
>
> sw1.LAB-3750G#show etherchannel summary | beg Group
> Group  Port-channel  Protocol    Ports
> ------+-------------+-----------+-----------------------------------------------
> 1      Po1(SU)          -        Gi2/0/1(P)   Gi2/0/4(P)
>
> sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac
> 000d.edac.8900 0015.c75d.d42c
> Would select Gi2/0/1 of Po1
>
> sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac
> 0006.d61b.3c1a 0015.c75d.d42c
> Would select Gi2/0/1 of Po1
>
> As per the above test, I see that the 3750 selects Gi2/0/1 for both source
> MAC addresses, and that's the reason I have only one link utilized..
>
> Does somebody know the algorithm used by the 3750 for the above two source
> MAC addresses, and how did it always select Gi2/0/1 and not the other link
> for the 2nd stream of traffic??
>
> Unfortunately I can't do src-dst-ip based load balancing because the
> incoming traffic is MPLS labelled and the existing 3750 doesn't have the
> capability to understand MPLS, so it treats it as non-IP traffic..
>
> Thanks in advance,
> Chintan


From lee.e.rian at census.gov Sat Nov 1 11:57:09 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:57:09 -0400
Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
In-Reply-To: <02f701c93b88$0d3f67e0$27be37a0$@net>
References: <51636.47426.qm@web180013.mail.gq1.yahoo.com>, <02f701c93b88$0d3f67e0$27be37a0$@net>
Message-ID:

"mtu 1600" on the wan interface also works & doesn't require any changes on the lan interfaces :)

Lee

-----cisco-nsp-bounces at puck.nether.net wrote: -----
>To: "'Derick Winkworth'", "'Rodney Dunn'"
>From: "Luan Nguyen"
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 02:39PM
>cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>The MSS tells the maximum data a host will accept in a TCP/IP datagram.
>Each side reports the value to the other side and the sending side will
>abide by it. It's all before encryption.
>So typically, like you said, people put ip tcp adjust-mss 1360 on the
>group member LAN interface and also set ip mtu 1400 on the WAN side
>hoping for PMTUD to work its magic.
>Putting both on the WAN interface should work as well, though, I don't
>quite understand the backside is MPLS statement :)...the packet has to
>be originated from somewhere.
>There's a very good paper here on Fragmentation
>http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3
>
>Luan Nguyen
>Chesapeake NetCraftsmen, LLC.
>www.NetCraftsmen.net
>
>(blog) http://ccie-security.blogspot.com/
>(e) luan at netcraftsmen.net
>(aim/yahoo): luancnc
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
>Sent: Friday, October 31, 2008 11:52 AM
>To: Rodney Dunn
>Cc: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>If you apply the "ip tcp adjust-mss" command on an interface that has a
>crypto statement on it...
>
>Does it perform the MSS adjustment on outbound packets before they are
>encrypted?
>Does it perform the MSS adjustment on inbound packets after they are
>decrypted?
>
>I know that this is typically placed on a tunnel interface or, for
>instance, on an ethernet interface of a remote VPN site or something...
>but I have a case where we have many GET encrypted sub-interfaces (each
>in their own VRF) which are the only logical IP interfaces on the box.
>The backside is MPLS so there is no place to put the statement there...
>so I was just going to apply it to the interfaces where the crypto maps
>are.. not sure if this will work.
>
>I'll probably have to lab it up I'm guessing.
>
>Derick
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/


From lee.e.rian at census.gov Sat Nov 1 12:02:39 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 12:02:39 -0400
Subject: [c-nsp] ME Switch Managment over Trunk Interfaces?
In-Reply-To: <7A6C26B678F8EB48ADBA3A1C75FD250807115E@moe.pleasants.net>
References: <7A6C26B678F8EB48ADBA3A1C75FD250807115E@moe.pleasants.net>
Message-ID:

Have you tried it without the "switchport trunk native vlan 106"? If the other side is tagging everything..

Lee

-----cisco-nsp-bounces at puck.nether.net wrote: -----
>To:
>From: "cp"
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 01:06PM
>Subject: [c-nsp] ME Switch Managment over Trunk Interfaces?
>
>I'm new to Cisco ME switches, so please bear with my basic question. I
>am having a difficult time trying to manage the device over a trunk
>interface. It doesn't work. My management IP lives on a vlan interface.
>Below is my configuration. I tried vlan1 without luck too.
>Do I really have to burn a port for management? I'm probably missing
>something simple. Any assistance is appreciated.
>
>Thanks,
>
>Chip
>
>vlan 100-106
>
>interface GigabitEthernet0/1
> port-type nni
> switchport trunk native vlan 106
> switchport trunk allowed vlan 100-106
> switchport mode trunk
>
>interface Vlan106
> ip address 10.24.100.2 255.255.255.252
>
>_______________________________________________
>cisco-nsp mailing list cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/


From peter at rathlev.dk Sat Nov 1 12:28:25 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 01 Nov 2008 17:28:25 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
Message-ID: <1225556905.14164.19.camel@abehat>

On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
> Especially considering his example was a Catalyst 6500 chassis. He'd have
> to distinguish switched/routed ports present or not...
>
> I'm not at work, so I can't check, but the RFC1213 sysServices might show if
> the routing and/or bridging functionality is enabled:

I was thinking the same, but it doesn't seem very useful when trying it out. All the units I looked at were either "INTEGER: 6" (bridge and IP gateway) or "INTEGER: 78" (bridge, IP gateway, IP host and application host).

Among the former were:

- Small L3 switches (C3550s, C3560s and C3570s)
- A C7206 doing VRF Lite and L2L VPN, running 12.4(12) IP/IPSEC/3DES.
- Cat6500 Sup720s SXD acting as core routers (no MPLS).

Among the latter were:

- Cat 6500 Sup720s SXF acting as PEs.
- C7600 Sup7600 SRB acting as PEs.
- C2651XM 12.3(26), C2621 12.2(40) and C2801 12.4(19) doing DLSw and RTR
- C2511 running 12.1 and doing serial line muxing.

I can't seem to find a pattern that makes sense.

Regards,
Peter


From lee.e.rian at census.gov Sat Nov 1 12:46:43 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 12:46:43 -0400
Subject: [c-nsp] acess-list
In-Reply-To: <4909A926.2050801@templin.org>
References: <102009.40727.qm@web33303.mail.mud.yahoo.com> <4908D510.8080800@gmail.com> <1225369421.4523.13.camel@abehat>, <4909A926.2050801@templin.org>
Message-ID:

-----Pete Templin wrote: -----
>Peter Rathlev wrote:
>
>> The router allocates the VTY from 0 and onwards, so the first person
>> connecting gets VTY 0, next one VTY 1 and so on. There is practically no
>> security benefit in having different ACLs on different VTYs. It is
>> trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to
>> VTY 5. In my eyes: Always treat every VTY the same.
>
>What about the reverse logic, putting a tighter ACL on higher VTYs?
>I've heard of this as a safety valve: if too many connections are open
>to a router, the last few connections have to come from a key point.

Cisco gave us that recommendation a long time ago - allow only very limited access to vty 4. It came in quite handy the few times ciscoworks decided it **really** wanted to talk to some box and opened as many connections to it as possible ... and then kept them open :(

Lee


From karl.gaissmaier at uni-ulm.de Sat Nov 1 13:17:09 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Sat, 01 Nov 2008 18:17:09 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>
References: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>
Message-ID: <490C8F15.2080809@uni-ulm.de>

Hello,

Lakshminarayanan P wrote:
> Hi All,
>
> There is a requirement for me to pick up "device types" of Cisco devices
> using SNMP. Could somebody share an OID or direct me to the MIB file that can
> help me get this information?
>
> For example, a 2811 polled with this OID should return a value which says
> that the device is a "Router".
>
> While I understand that a lot of Cisco modular devices can act as a Switch /
> Router / Firewall / Load Balancer based on the modules installed and/or the
> IOS running, I just need to get the basic device type. As an example, a
> Catalyst 6500 chassis polled with this OID should return something like
> "Switch" regardless of the presence of a Firewall Services Module on it.

If you only need to distinguish between a pure Layer 2 and a Layer 3 device, then you could use the following OID:

> ipForwarding OBJECT-TYPE
>     SYNTAX  INTEGER {
>                 forwarding(1),    -- acting as a gateway
>                 not-forwarding(2) -- NOT acting as a gateway
>             }
>     ACCESS  read-write
>     STATUS  mandatory
>     DESCRIPTION
>             "The indication of whether this entity is acting
>             as an IP gateway in respect to the forwarding of
>             datagrams received by, but not addressed to, this
>             entity.  IP gateways forward datagrams.  IP hosts
>             do not (except those source-routed via the host).
>
>             Note that for some managed nodes, this object may
>             take on only a subset of the values possible.
>             Accordingly, it is appropriate for an agent to
>             return a `badValue' response if a management
>             station attempts to change this object to an
>             inappropriate value."
>     ::= { ip 1 }

Example:

snmpget YOUR-SWITCH .1.3.6.1.2.1.4.1.0
IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)

snmpget YOUR-ROUTER .1.3.6.1.2.1.4.1.0
IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)

Regards
Charly


From lee.e.rian at census.gov Sat Nov 1 14:24:41 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 14:24:41 -0400
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <1225556905.14164.19.camel@abehat>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>, <1225556905.14164.19.camel@abehat>
Message-ID:

-----Peter Rathlev wrote: -----
>On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
>> Especially considering his example was a Catalyst 6500 chassis. He'd have
>> to distinguish switched/routed ports present or not...
>>
>> I'm not at work, so I can't check, but the RFC1213 sysServices might show if
>> the routing and/or bridging functionality is enabled:
>
>I was thinking the same, but it doesn't seem very useful when trying
>it out. All the units I looked at were either
>
>"INTEGER: 6" (bridge and IP gateway) or
>"INTEGER: 78" (bridge, IP gateway, IP host and application host).
<.. snip ..>

Too bad Cisco says what the box *can* do instead of what it's actually doing. Maybe RFC1213 ipForwarding would work

    ipForwarding OBJECT-TYPE
        SYNTAX  INTEGER {
                    forwarding(1),    -- acting as a gateway
                    not-forwarding(2) -- NOT acting as a gateway
                }

but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s (pure L2 switches) & I haven't been able to figure out yet how to tell them _not_ to play router. Only the directly connected router can talk to the sup32 if it's configured with a default gateway but no default route. Seems to me that you should only need a default route on something that's acting as a router.
(If it makes any difference, "no ip proxy-arp" is the standard here :)

So my guess is that they're going to say they're acting as a gateway even tho I don't want them to play router, nor is there anything L3 configured on them beyond the management vlan IP address and syslog, tacacs, etc. server addresses.

Lee


From rakeshh at gmail.com Sat Nov 1 14:52:58 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Sat, 1 Nov 2008 13:52:58 -0500
Subject: [c-nsp] EoMPLS + Control word + Fragementation
Message-ID: <8a4649bb0811011152w60347e78ke3882b91e3f5ede8@mail.gmail.com>

Hi,

What criteria does a PE use to decide whether it wants to use the control word or not?

I want to test if we can configure an ingress PE to fragment the L2 payload using a combination of the B & E bits and the sequence number fields inside the control word.

Is it possible to force a Cisco PE to use/not use the control word?

How can I configure the PE (Cisco box) to fragment the L2 payload when it's using a control word?

Regards,
Rakesh


From robert at tellurian.com Sat Nov 1 15:02:39 2008
From: robert at tellurian.com (Robert Boyle)
Date: Sat, 01 Nov 2008 15:02:39 -0400
Subject: [c-nsp] Lightstream Alternative
In-Reply-To:
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com>
Message-ID: <1225566160_64084@mail1.tellurian.net>

At 03:21 AM 10/31/2008, you wrote:
>I just need to switch pvc from one OC3/STM-1 to another and configure
>soft-vc's.

Have you tried L2TPv3? Quick, simple and it should do what you need. There is no ATM QOS or buffering, but you can shuttle packets from one port to another quite easily. We use it on 7200 series, but it is supposed to work on 7500, 10k, and 12k GSR stuff too. Dependent on your exact config, you may need two boxes to make it work with one OC3 on the first and the other OC3 on the second.

-Robert

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


From dale.shaw+cisco-nsp at gmail.com Sat Nov 1 16:48:02 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 1 Nov 2008 13:48:02 -0700
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com>
Message-ID: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>

Hi all,

Here's the scenario:

- L2 switchport in cat3750 "up/up"
- No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no dynamic MAC address)
- Attached device not necessarily configured with an IP in the correct VLAN (mismatched with switchport) - endpoint IP configuration unknown

I haven't really given this much consideration, but does anyone know of any tricks, ideally executed _from_ the switch, to encourage the attached device to spit back a frame? Essentially I want/need to figure out what's attached. Even knowing the MAC vendor would help.

Other suggestions are welcome. I guess I could try things like a broadcast ping from a host in the same VLAN, make the port a trunk and madly ping sweep, but something more elegant would be nice.

A physical inspection, in this case, is not possible.
cheers,
Dale


From method at b.astral.ro Sat Nov 1 17:07:59 2008
From: method at b.astral.ro (Dan)
Date: Sat, 01 Nov 2008 23:07:59 +0200
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
Message-ID: <490CC52F.4020009@b.astral.ro>

Hi,

I would say set on the port:

port-security with mac-address sticky -> the first frame must have a src mac-address (or if there will be many you will have logs)
bpduguard enable -> if it's a switch (with spanning-tree enabled) you will have the port in err-disable

Any cdp info?

Dan

Dale Shaw wrote:
> Hi all,
>
> Here's the scenario:
>
> - L2 switchport in cat3750 "up/up"
> - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no
> dynamic MAC address)
> - Attached device not necessarily configured with an IP in the correct
> VLAN (mismatched with switchport) - endpoint IP configuration unknown
>
> I haven't really given this much consideration, but does anyone know
> of any tricks, ideally executed _from_ the switch, to encourage the
> attached device to spit back a frame? Essentially I want/need to
> figure out what's attached. Even knowing the MAC vendor would help.
>
> Other suggestions are welcome. I guess I could try things like a
> broadcast ping from a host in the same VLAN, make the port a trunk and
> madly ping sweep, but something more elegant would be nice.
>
> A physical inspection, in this case, is not possible.
>
> cheers,
> Dale


From karl.gaissmaier at uni-ulm.de Sat Nov 1 17:22:02 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Sat, 01 Nov 2008 22:22:02 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>, <1225556905.14164.19.camel@abehat>
Message-ID: <490CC87A.20205@uni-ulm.de>

Hello,

...
> Maybe RFC1213 ipForwarding would work
>
>     ipForwarding OBJECT-TYPE
>         SYNTAX  INTEGER {
>                     forwarding(1),    -- acting as a gateway
>                     not-forwarding(2) -- NOT acting as a gateway
>                 }
>
> but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> (pure L2 switches) & I haven't been able to figure out yet how to tell them
...

then you need a workaround. I agree, it's a real hassle with Cisco not supporting the most needed standard MIBs like IP-FORWARD-MIB, Q-BRIDGE-MIB, LLDP-MIB, ... Shame on your head, Cisco!

Try the following OIDs with your boxes running different IOS versions to determine the number of routing entries:

- ipForwardNumber: .1.3.6.1.2.1.4.24.1 (obsolete) or
- ipCidrRouteNumber: .1.3.6.1.2.1.4.24.3 (deprecated) or
- inetCidrRouteNumber: .1.3.6.1.2.1.4.24.6 (current)

and if your Cisco boxes don't support any of these OIDs you have to look for the routing protocol and the corresponding MIBs. If all your routers speak for example OSPF, then you can determine your bridges and switches with some OIDs in the OSPF-MIB.
Regards Charly From rakeshh at gmail.com Sat Nov 1 18:36:49 2008 From: rakeshh at gmail.com (Rakesh Hegde) Date: Sat, 1 Nov 2008 17:36:49 -0500 Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch In-Reply-To: <490CC52F.4020009@b.astral.ro> References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <490CC52F.4020009@b.astral.ro> Message-ID: <8a4649bb0811011536w50a2f0a1l3bef3d805c120aff@mail.gmail.com> As Dan said , I would also use port security to get the source mac .You can also enable bpdguard on the switch port just to make sure that you are not receiving any BPDUs.If the switch port is a trunk you may want to enable port security for all vlans allowed on the trunk. -Rakesh. On Sat, Nov 1, 2008 at 4:07 PM, Dan wrote: > Hi , > > I would say set on port : > > port-security with mac-address sticky - > first frame must have a src > mac-address ( or if there will be many you will have logs ) > bpduguard enable -> if it's a switch ( with spanning-tree enabled ) you > will have the port on err-disable > Any cdp info ? > > Dan > > Dale Shaw wrote: > >> Hi all, >> >> Here's the scenario: >> >> - L2 switchport in cat3750 "up/up" >> - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no >> dynamic MAC address) >> - Attached device not necessarily configured with an IP in the correct >> VLAN (mismatched with switchport) - endpoint IP configuration unknown >> >> I haven't really given this much consideration, but does anyone know >> of any tricks, ideally executed _from_ the switch, to encourage the >> attached device to spit back a frame? Essentially I want/need to >> figure out what's attached. Even knowing the MAC vendor would help. >> >> Other suggestions are welcome. I guess I could try things like a >> broadcast ping from a host in the same VLAN, make the port a trunk and >> madly ping sweep, but something more elegant would be nice. 
>>
>> A physical inspection, in this case, is not possible.
>>
>> cheers,
>> Dale
>>
>

From ltd at cisco.com Sat Nov 1 18:46:35 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 02 Nov 2008 09:46:35 +1100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CC87A.20205@uni-ulm.de>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> , <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de>
Message-ID: <490CDC4B.2090802@cisco.com>

Karl Gaissmaier wrote:
>> Maybe RFC1213 ipForwarding would work
>>
>> ipForwarding OBJECT-TYPE
>>     SYNTAX INTEGER {
>>         forwarding(1),     -- acting as a gateway
>>         not-forwarding(2)  -- NOT acting as a gateway
>>     }
>>
>> but I kind of doubt it. We just got some SUP32s in to replace CatOS
>> SUP2s
>> (pure L2 switches) & I haven't been able to figure out yet how to
>> tell them

ipForwarding should work fine. it _should_ change behavior based on
whether there are any L3 interfaces configured or not.

the challenge is how to use this moving forward on Cisco platforms that
have dedicated out-of-band management interfaces (e.g. Nexus platforms),
because technically speaking, they ALWAYS have an L3 interface configured
(mgmt0 out-of-band) which is L3 by definition because it exists in its
own 'management' VRF).
it's one case where the MIB falls down & is showing its age.

in the case of Nexus, we're thinking about 'lying' in the ipForwarding
answer to exclude 'management VRF' but even so . . .

cheers,

lincoln.
From blahu77 at gmail.com Sat Nov 1 19:01:02 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 1 Nov 2008 23:01:02 +0000
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CDC4B.2090802@cisco.com>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com>
Message-ID: <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com>

2008/11/1 Lincoln Dale :
> Karl Gaissmaier wrote:
>>>
>>> Maybe RFC1213 ipForwarding would work
>>>
>>> ipForwarding OBJECT-TYPE
>>>     SYNTAX INTEGER {
>>>         forwarding(1),     -- acting as a gateway
>>>         not-forwarding(2)  -- NOT acting as a gateway
>>>     }
>>>
> the challenge is how to use this moving forward on Cisco platforms that have
> dedicated out-of-band management interfaces (e.g. Nexus platforms), because
> technically speaking, they ALWAYS have an L3 interface configured (mgmt0
> out-of-band) which is L3 by definition because it exists in its own
> 'management' VRF).
> it's one case where the MIB falls down & is showing its age.
> in the case of Nexus, we're thinking about 'lying' in the ipForwarding
> answer to exclude 'management VRF' but even so . . .

does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwarding?
I understand that it should be 0 as it is a host, not a gateway, shouldn't it?
--
-mat

From ltd at cisco.com Sat Nov 1 19:08:02 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 02 Nov 2008 10:08:02 +1100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com> <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com>
Message-ID: <490CE152.40705@cisco.com>

Mateusz Błaszczyk wrote:
>> the challenge is how to use this moving forward on Cisco platforms that have
>> dedicated out-of-band management interfaces (e.g. Nexus platforms), because
>> technically speaking, they ALWAYS have an L3 interface configured (mgmt0
>> out-of-band) which is L3 by definition because it exists in its own
>> 'management' VRF).
>> it's one case where the MIB falls down & is showing its age.
>> in the case of Nexus, we're thinking about 'lying' in the ipForwarding
>> answer to exclude 'management VRF' but even so . . .
>>
>
> does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwarding?
> I understand that it should be 0 as it is a host, not a gateway, shouldn't it?
>

IP-MIB::ipForwarding is not a per-VRF MIB.
as such, i don't think your question makes sense.

cheers,

lincoln.
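Putting Karl's route-count OIDs and Lincoln's ipForwarding remark together, the following is an added example (mine, not code from any poster) of a poller that reads ipForwarding first and then the route counters newest-first, falling back to the deprecated and obsolete objects that older IOS agents still expose. It treats ipForwarding as a single global value, as Lincoln notes it is. The getter abstraction, the snmpget wrapper, the three in-memory "agents" and their sysDescr strings are my own assumptions, not captured from real devices.

```python
"""Classify a Cisco box as router / L2 switch from IP-MIB ipForwarding and the
IP-FORWARD-MIB route counters, trying the current OID first and falling back
to the deprecated and obsolete counters that older IOS releases expose.

Added example; not from the original thread. The agents at the bottom are
constructed in-memory stand-ins for real devices."""
import subprocess
from typing import Callable, Dict, Optional, Tuple

Getter = Callable[[str], Optional[str]]   # returns None for noSuchObject/noSuchInstance

OID_SYSDESCR     = ".1.3.6.1.2.1.1.1.0"
OID_IPFORWARDING = ".1.3.6.1.2.1.4.1.0"   # 1 = forwarding, 2 = not-forwarding
# Route-count objects, newest first: RFC 4292 inetCidrRouteNumber, then the
# deprecated ipCidrRouteNumber and the obsolete ipForwardNumber.
ROUTE_COUNT_OIDS = [
    ("inetCidrRouteNumber", ".1.3.6.1.2.1.4.24.6.0"),
    ("ipCidrRouteNumber",   ".1.3.6.1.2.1.4.24.3.0"),
    ("ipForwardNumber",     ".1.3.6.1.2.1.4.24.1.0"),
]

def route_count(get: Getter) -> Tuple[Optional[str], Optional[int]]:
    """First supported route counter as (name, value); (None, None) if none."""
    for name, oid in ROUTE_COUNT_OIDS:
        value = get(oid)
        if value is not None:
            return name, int(value)
    return None, None

def classify(get: Getter, min_router_routes: int = 10) -> Dict[str, object]:
    """Coarse role from ipForwarding plus the size of the routing table."""
    fwd = get(OID_IPFORWARDING)
    name, routes = route_count(get)
    if fwd == "2":
        role = "switch"        # not-forwarding: pure L2 box
    elif fwd == "1" and routes is not None and routes >= min_router_routes:
        role = "router"
    elif fwd == "1":
        role = "l3-capable"    # forwarding but few/unknown routes: L3 switch, OOB mgmt only, ...
    else:
        role = "unknown"       # agent does not answer ipForwarding at all
    return {"role": role, "ipForwarding": fwd, "route_counter": name,
            "routes": routes, "sysDescr": get(OID_SYSDESCR)}

def snmpget_v2c(host: str, community: str) -> Getter:
    """Getter backed by net-snmp's snmpget. SNMPv2c sends the community in
    clear text; use SNMPv3 authPriv in production (snmpget -v3 ...)."""
    def get(oid: str) -> Optional[str]:
        out = subprocess.run(["snmpget", "-v2c", "-c", community, "-Oqv", host, oid],
                             capture_output=True, text=True, timeout=5).stdout.strip()
        if not out or out.startswith("No Such"):   # noSuchObject / noSuchInstance
            return None
        return out.strip('"')
    return get

def dict_getter(table: Dict[str, str]) -> Getter:
    """Getter over a constructed OID->value table (for offline testing)."""
    return lambda oid: table.get(oid)

# Constructed agents; sysDescr strings are made up, not real device output.
FAKE_AGENTS = {
    "edge-router":   {OID_SYSDESCR: "Cisco IOS Software, 2800 Software (constructed)",
                      OID_IPFORWARDING: "1",
                      ".1.3.6.1.2.1.4.24.3.0": "214"},   # only the deprecated counter
    "access-switch": {OID_SYSDESCR: "Cisco IOS Software, C3750 (constructed)",
                      OID_IPFORWARDING: "2"},            # no route counters at all
    "nexus-oob":     {OID_SYSDESCR: "Cisco NX-OS (constructed)",
                      OID_IPFORWARDING: "1",
                      ".1.3.6.1.2.1.4.24.6.0": "2"},     # mgmt0 VRF only
}

if __name__ == "__main__":
    for name, table in FAKE_AGENTS.items():
        print(name, classify(dict_getter(table)))
```

For a real device, replace dict_getter(...) with snmpget_v2c("10.0.0.1", "public") or a v3 equivalent; the threshold min_router_routes is a site-specific tuning knob, since a pure L2 switch with an SVI will answer forwarding(1) with only a handful of connected routes.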
From blahu77 at gmail.com Sat Nov 1 19:47:45 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 1 Nov 2008 23:47:45 +0000
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CE152.40705@cisco.com>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com> <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com> <490CE152.40705@cisco.com>
Message-ID: <383357750811011647m21b0a04h924be25dab1b9b38@mail.gmail.com>

>> does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwarding?
>> I understand that it should be 0 as it is a host, not a gateway,
>> shouldn't it?
>>
> IP-MIB::ipForwarding is not a per-VRF MIB.
> as such, i don't think your question makes sense.
>

true, my bad.

--
-mat

From axhasan at gmail.com Sat Nov 1 22:34:09 2008
From: axhasan at gmail.com (Asad Hasan)
Date: Sat, 1 Nov 2008 22:34:09 -0400
Subject: [c-nsp] Monitoring Routing Table
Message-ID: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com>

Is there an OID that can pull back the number of routes within the routing
table? An OID which can generate results such as 'show ip ro summ'. I found
OID 1.3.6.1.2.1.4.21.1.1 and 1.3.6.1.2.1.4.21.1.9 (IpRouteTable and
IpRouteProto), but this pulls back every routing entry. Also, is there an
OID that can pull back similar information for a VRF?

Right now we are not summarizing any of our routes. I'm planning to
implement OSPF summarization and my goal is to see how much the routing
table has been reduced and also start graphing the routing table
information.

Thanks in advance.
Asad

From dentonj at gmail.com Sun Nov 2 01:20:21 2008
From: dentonj at gmail.com (Jeffrey Denton)
Date: Sun, 2 Nov 2008 06:20:21 +0100
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
Message-ID: <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com>

On Sat, Nov 1, 2008 at 9:48 PM, Dale Shaw wrote:
> Here's the scenario:
>
> - L2 switchport in cat3750 "up/up"
> - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no
> dynamic MAC address)
> - Attached device not necessarily configured with an IP in the correct
> VLAN (mismatched with switchport) - endpoint IP configuration unknown
>
> A physical inspection, in this case, is not possible.

Nothing elegant...

You could always shutdown the port and wait for someone to complain.

If it's not randomly generating traffic, then it's not a windows box.
Switches tend to be noisy with layer 2 protocols. Firewall or
UNIX/Linux based system? Does the duplex and speed show up as
auto-negotiated (a-full, a-100)?

You could try "no switchport" and the "ip add dhcp" on the interface
to see if you can generate a response that way. Set an IP on the
interface so that you can "ping 192.168.1.255 source ...". Pinging
broadcast addresses might speed up the process.
Setting up a SPAN or RSPAN might help you capture some traffic.

"test cable-diagnostics tdr interface ..." would at least tell you how
long the cable is.

Setup the port as a trunk or port-channel or .... with
auto-negotiation and see what happens.

Set the switch up as a management cluster and then run "show cluster members".

Use the other suggestions....

From dentonj at gmail.com Sun Nov 2 01:23:48 2008
From: dentonj at gmail.com (Jeffrey Denton)
Date: Sun, 2 Nov 2008 06:23:48 +0100
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com>
Message-ID: <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com>

On Sun, Nov 2, 2008 at 6:20 AM, Jeffrey Denton wrote:
>
> Use the other suggestions....
>

SNMP sweeps....
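As an added example (mine, not from any of the posts above), the following Python turns the evidence Dan, Rakesh and Jeffrey suggest collecting into a per-port guess of what is attached: port-security violation messages carry the offending source MAC, BPDU guard tells you the neighbour talks spanning tree, and the err-disable message tells you which guard fired. It assumes port security with violation mode restrict or shutdown, since those log the MAC (sticky learning of the first address is silent and shows up in "show port-security address" instead), and IOS-style syslog. The log lines and the two-entry OUI table are constructed for the example; use the IEEE OUI registry in practice.

```python
"""Per-port summary of what is attached to an L2 switch port, derived from
the syslog that port-security (violation restrict/shutdown) and BPDU guard
produce. Added example, not from the original thread; SAMPLE_LOG and
OUI_TABLE are constructed for illustration."""
import re
from collections import defaultdict
from typing import Dict

# Constructed IOS-style syslog lines (message formats follow real IOS mnemonics,
# the hosts, MACs and timestamps are made up).
SAMPLE_LOG = """\
Nov  2 06:20:01 sw1 1234: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c9f.f001 on port GigabitEthernet1/0/4.
Nov  2 06:20:03 sw1 1235: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/4 with BPDU Guard enabled. Disabling port.
Nov  2 06:20:03 sw1 1236: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/4, putting Gi1/0/4 in err-disable state
Nov  2 06:21:10 sw1 1237: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.5601.aa01 on port GigabitEthernet1/0/7.
Nov  2 06:21:11 sw1 1238: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0250.5601.aa02 on port GigabitEthernet1/0/7.
"""

OUI_TABLE = {"00:00:0c": "Cisco Systems", "00:50:56": "VMware"}   # illustrative subset
SHORT_IF = {"Gi": "GigabitEthernet", "Fa": "FastEthernet", "Te": "TenGigabitEthernet"}

VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
BPDU_RE = re.compile(r"BLOCK_BPDUGUARD: Received BPDU on port (\S+) ")
ERRDIS_RE = re.compile(r"ERR_DISABLE: (\w+) error detected on (\S+),")

def normalize_if(name: str) -> str:
    """IOS logs mix 'Gi1/0/4' and 'GigabitEthernet1/0/4'; key on the long form."""
    m = re.match(r"([A-Za-z]+)(\d.*)", name)
    return SHORT_IF.get(m.group(1), m.group(1)) + m.group(2) if m else name

def normalize_mac(cisco_mac: str) -> str:
    """'0000.0c9f.f001' -> '00:00:0c:9f:f0:01'."""
    hexdigits = cisco_mac.replace(".", "").lower()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def mac_hints(mac: str) -> Dict[str, object]:
    """Vendor from the OUI plus the two flag bits of the first octet."""
    first = int(mac[:2], 16)
    return {"vendor": OUI_TABLE.get(mac[:8], "unknown OUI"),
            "locally_administered": bool(first & 0x02),  # VMs, bonds, spoofed addresses
            "multicast": bool(first & 0x01)}             # should never be a source MAC

def analyze(log: str) -> Dict[str, Dict[str, object]]:
    ports = defaultdict(lambda: {"macs": {}, "bpdu_seen": False, "err_disabled": None})
    for line in log.splitlines():
        if m := VIOLATION_RE.search(line):
            mac = normalize_mac(m.group(1))
            ports[normalize_if(m.group(2))]["macs"][mac] = mac_hints(mac)
        elif m := BPDU_RE.search(line):
            ports[normalize_if(m.group(1))]["bpdu_seen"] = True
        elif m := ERRDIS_RE.search(line):
            ports[normalize_if(m.group(2))]["err_disabled"] = m.group(1)
    for p in ports.values():
        if p["bpdu_seen"]:
            p["guess"] = "switch/bridge (sends BPDUs)"
        elif len(p["macs"]) > 1:
            p["guess"] = "multiple hosts behind the port (hub, VM host or unmanaged switch)"
        elif p["macs"]:
            p["guess"] = "single host"
        else:
            p["guess"] = "silent"
    return dict(ports)

if __name__ == "__main__":
    for port, info in analyze(SAMPLE_LOG).items():
        print(port, info["guess"], sorted(info["macs"]))
```

Feed it "show logging" output or the syslog collector's file for the switch; a locally administered MAC on a port that also shows several addresses is usually a hypervisor or a NAT router rather than a single workstation.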
From kiwi at oav.net Sun Nov 2 03:32:36 2008
From: kiwi at oav.net (Xavier Beaudouin)
Date: Sun, 2 Nov 2008 09:32:36 +0100
Subject: [c-nsp] Cisco 3550 + BGP
In-Reply-To: <87iqrdgjj9.fsf@clarabella.noc.seabone.net>
References: <4906C4D2.50204@fnbs.net> <87iqrdgjj9.fsf@clarabella.noc.seabone.net>
Message-ID: <2C770C78-4F18-47A6-BE91-2F9D8E8137BB@oav.net>

Hello,

On 28 Oct 08 at 10:23, Pierfrancesco Caci wrote:

> :-> "Nimal" == Nimal David Sirimanne writes:
>
>> Anyone have any experience running BGP on Cisco 3550 platforms? Any
>> idea how many BGP routes it can handle?
>
> last I tried (some 3 years ago) it died with about 7000 routes.
>
> died = cpu 100%, packet loss, black holes eating traffic and the
> datacenter surrounding it...

Hum, I run a couple of them for IX stuff... With a sdm prefer routing,
you can handle :

    sh sdm prefer
    The current template is the routing template.
    The selected template optimizes the resources in
    the switch to support this level of features for
    8 routed interfaces and 1K VLANs.

      number of unicast mac addresses:   5K
      number of igmp groups:             1K
      number of qos aces:                512
      number of security aces:           512
      number of unicast routes:          16K
      number of multicast routes:        1K

Anyway these are really low limits.... But can help sometimes.

Another thing: there are some limitations, i.e. an ip prefix-list that is
handled by the configuration of the switch but not evaluated when bgp is
running :/

/Xavier

From mdado at Airspan.com Sun Nov 2 06:26:10 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 11:26:10 +0000
Subject: [c-nsp] Client DHCP Server
Message-ID:

Guys,

Anybody faced such a case before ?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

_____________________________________________
From: Mohammed Dado
Sent: 30 October 2008 12:24
To: cisco-nsp at puck.nether.net
Subject: Client DHCP Server

Gents,

I have a customer facing a problem that his end-user WiFi routers are
issuing IP addresses !
I'm under the impression that this could be stopped by the DHCP snooping
binding configurations in the ISP end. Any ideas ?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

From simon at slimey.org Sun Nov 2 06:33:50 2008
From: simon at slimey.org (Simon Lockhart)
Date: Sun, 2 Nov 2008 11:33:50 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References:
Message-ID: <20081102113350.GY18579@virtual.bogons.net>

On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote:
> I have a customer facing a problem that his end-user WiFi routers are
> issuing IP addresses ! I'm under the impression that this could be stopped
> by the DHCP snooping binding configurations in the ISP end. Any ideas ?

Before anyone can try to speculate on how to solve such a problem, you'll
need to provide more information, such as what the access network
technology is, what Cisco hardware you have at the "ISP end".

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From mdado at Airspan.com Sun Nov 2 06:52:06 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 11:52:06 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To: <20081102113350.GY18579@virtual.bogons.net>
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series.
Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

From cchurc05 at harris.com Sun Nov 2 07:58:19 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sun, 2 Nov 2008 06:58:19 -0600
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

As you probably know, a DHCP server, without getting some help from the
routers, is only going to serve addresses on the network it's located on.
Assuming this is on the customer prem, you're probably not going to see
them at the 7500 end. Do you have a topology diagram? Any reason you
can't tell the customers to turn off DHCP server on the wifi routers?
Unless you've got a DHCP-snooping-capable switch located on each customer
network, you probably can't use that.
Chuck
From blahu77 at gmail.com Sun Nov 2 08:04:13 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 2 Nov 2008 13:04:13 +0000
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com>
Message-ID: <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com>

My friend's suggestion in such a problem is to shut the port and wait for
someone to start screaming.. If none, you can disconnect the cable :)

--
-mat

From mdado at Airspan.com Sun Nov 2 08:11:22 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 13:11:22 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

I've tried turning off the DHCP server on the wifi routers, but there's a
problem in some of them that the option of turning this service off is
missing. What about using some supported features of the ISP router to
stop these DHCP requests from happening ?
Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd
From cchurc05 at harris.com Sun Nov 2 08:21:35 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Sun, 2 Nov 2008 07:21:35 -0600
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

I'm assuming your network is a LAN at the customer site, with a Wimax
bridged connection back to the 7500, so the 7500 interface is the default
gateway for the LAN. If so, I don't believe there is anything you can
configure on the 7500 to stop DHCP clients on the LAN from obtaining
addresses from a DHCP server (wifi router) also located on the LAN. Or is
your 7500 acting as a bridge, and a customer DHCP server is affecting
multiple customers? That can be fixed by some changes on the 7500.

Chuck
From paul at paulstewart.org Sun Nov 2 08:29:23 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 2 Nov 2008 08:29:23 -0500
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID: <001501c93cef$056fc0b0$104f4210$@org>

Does the Airspan equipment not support filtering? Almost all Wimax/BBW
gear I work on has filtering for PPPOE, DHCP, Netbios etc. so someone
can't plug in their router backwards and create havoc...

Paul
From mdado at Airspan.com Sun Nov 2 08:48:29 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 13:48:29 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To: <001501c93cef$056fc0b0$104f4210$@org>
References: <20081102113350.GY18579@virtual.bogons.net> <001501c93cef$056fc0b0$104f4210$@org>
Message-ID:

It does support filtering using our NMS monitoring tool. I'm investigating
this as well. We have an option that helps stop this from occurring, which
is discarding classifiers; these are created upon the service flow
products depending on our customer's network behaviour !
Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd
Simon

--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info at bogons.net *

From mdado at Airspan.com Sun Nov 2 08:57:07 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 13:57:07 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

Yes. The 7500 is doing bridging and a DHCP server for clients is affecting multiple customers. It's almost your second proposed scenario.

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: 02 November 2008 15:22
To: Mohammed Dado
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Client DHCP Server

I'm assuming your network is a LAN at the customer site, with a Wimax bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500.
Chuck

-----Original Message-----
From: Mohammed Dado [mailto:mdado at Airspan.com]
Sent: Sunday, November 02, 2008 8:11 AM
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Client DHCP Server

I've tried turning off the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is missing. What about using some supported features by the ISP-router to stop these DHCP requests from happening?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: 02 November 2008 14:58
To: Mohammed Dado
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Client DHCP Server

As you probably know, a DHCP server without getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off the DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado
Sent: Sunday, November 02, 2008 6:52 AM
To: Simon Lockhart
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Client DHCP Server

Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series.
Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Simon Lockhart [mailto:simon at slimey.org]
Sent: 02 November 2008 13:34
To: Mohammed Dado
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Client DHCP Server

On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote:
> I have a customer facing a problem that his end-user WiFi routers are
> issuing IP addresses! I'm under the impression that this could be stopped
> by the DHCP snooping binding configurations in the ISP end. Any ideas?

Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end".

Simon

--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info at bogons.net *

From paul at paulstewart.org Sun Nov 2 09:55:36 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 2 Nov 2008 09:55:36 -0500
Subject: [c-nsp] QOS Revisited
Message-ID: <001601c93cfb$266bb2e0$734318a0$@org>

Hi there. I'm trying to create a policy-map to be applied on a subinterface - Cisco 1841 router .. wanted to get a basic config running and then I'll expand it a bit more (separate signaling from the actual voice streams etc)

class-map match-any Voice
 match access-group 10
!
!
policy-map VOIP
 class Voice
  set dscp cs5
 class class-default
  set dscp default

interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address xx.xx.xx.129 255.255.255.192
 pppoe enable group Moto900
 no cdp enable
 service-policy output VOIP
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address xx.xx.xx.1 255.255.255.192
 pppoe enable group Moto2400
 no cdp enable
 service-policy output VOIP

The configuration seems to be working per se but it's not setting dscp=5 even though it's identifying the traffic source via the access-list:

dis1-rtr-br#sh policy-map interface FastEthernet 0/1.20
 FastEthernet0/1.20

  Service-policy output: VOIP

    Class-map: Voice (match-any)
      3625 packets, 834212 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 10
        3625 packets, 834212 bytes
        30 second rate 0 bps
      QoS Set
        dscp cs5
          Packets marked 0

    Class-map: class-default (match-any)
      235110 packets, 298289353 bytes
      30 second offered rate 4690000 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp default
          Packets marked 90

What am I doing wrong here? I don't understand if it's matching access-group 10 and showing the number of packets increasing then why does it not set dscp as I've told it to?

Thanks in advance,

Paul

From scott at labyrinth.org Sun Nov 2 11:00:23 2008
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sun, 2 Nov 2008 11:00:23 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>, <1225556905.14164.19.camel@abehat>
Message-ID: <04F4AE1E-6B23-44EF-A0EB-89400BA7F832@labyrinth.org>

Is there not a MIB out there that contains/displays the contents of what's in the CDP neighbor table, and is this information not in the table itself... bridge/router/ip-phone/AP/etc.?

I thought there was a network-management tool out there somewhere that used the contents of the CDP table to help map out the network or something like that using this technique.
Scott

On Nov 1, 2008, at 2:24 PM, lee.e.rian at census.gov wrote:

> -----Peter Rathlev wrote: -----
>
>> On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
>>> Especially considering his example was a Catalyst 6500 chassis. He'd have
>>> to distinguish switched/routed ports present or not...
>>>
>>> I'm not at work, so I can't check, but the RFC1213 sysServices might show if
>>> the routing and/or bridging functionality is enabled:
>>
>> I was thinking the same, but it doesn't seem very useful when trying it out.
>> All the units I looked at were either
>>
>> "INTEGER: 6" (bridge and IP gateway) or
>> "INTEGER: 78" (bridge, IP gateway, IP host and application host).
> <.. snip ..>
>
> Too bad Cisco says what the box *can* do instead of what it's actually doing.
>
> Maybe RFC1213 ipForwarding would work
>
> ipForwarding OBJECT-TYPE
>   SYNTAX INTEGER {
>     forwarding(1),     -- acting as a gateway
>     not-forwarding(2)  -- NOT acting as a gateway
>   }
>
> but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> (pure L2 switches) & I haven't been able to figure out yet how to tell them
> _not_ to play router. Only the directly connected router can talk to the
> sup32 if it's configured with a default gateway but no default route.
> Seems to me that you should only need a default route on something that's
> acting as a router. (If it makes any difference, "no ip proxy-arp" is the
> standard here :) So my guess is that they're going to say they're acting
> as a gateway even tho I don't want them to play router nor is there
> anything L3 configured on them beyond the management vlan IP address and
> syslog, tacacs, etc. server addresses.
>
> Lee

From cisco at peakpeak.com Sun Nov 2 12:20:27 2008
From: cisco at peakpeak.com (Networkers)
Date: Sun, 02 Nov 2008 11:20:27 -0600
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To:
Message-ID:

What code rev is in there?

Thanks,
Chris

On 10/20/08 3:20 AM, "Brian Turnbow" wrote:

> Please don't tell that to this router
>
> policy-map llq
>  class sipRTP
>   priority 512
>  class class-default
>   fair-queue
>   random-detect
>
> vc-class atm CVPHDSL-VoIP
>  vbr-nrt 1524 1524
>  encapsulation aal5snap
>
> interface ATM3/0.20842 point-to-point
>  description cust 1
>  ip address 192.168.0.41 255.255.255.252
>  pvc CVPH_CUSTVOIP 208/42
>   class-vc CVPHDSL-VoIP
>   service-policy out llq
>
> 7200-accessjn3#sh policy-map int ATM3/0.20842
>  ATM3/0.20842: VC 208/42 -
>
>   Service-policy output: llq
>
>     queue stats for all priority classes:
>
>       queue limit 64 packets
>       (queue depth/total drops/no-buffer drops) 0/0/0
>       (pkts output/bytes output) 5466056/418685691
>
>     Class-map: sipRTP (match-all)
>       5466056 packets, 418685691 bytes
>       5 minute offered rate 61000 bps, drop rate 0 bps
>       Match: access-group 5
>       Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0
>
>     Class-map: class-default (match-any)
>       492783 packets, 493906760 bytes
>       5 minute offered rate 509000 bps, drop rate 0 bps
>       Match: any
>         492783 packets, 493906760 bytes
>         5 minute rate 509000 bps
>       Queueing
>       queue limit 64 packets
>       (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
>       (pkts output/bytes output) 492733/493866217
>       Fair-queue: per-flow queue limit 16
>         Exp-weight-constant: 9 (1/512)
>         Mean queue depth: 0 packets
>         class  Transmitted       Random drop  Tail/Flow drop  Minimum  Maximum  Mark
>                pkts/bytes        pkts/bytes   pkts/bytes      thresh   thresh   prob
>         0      486842/493318682  0/0          50/40543        20       40       1/10
>         1      54/22464          0/0          0/0             22       40       1/10
>         2      6/746             0/0          0/0             24       40       1/10
>         3      0/0               0/0          0/0             26       40       1/10
>         4      5/330             0/0          0/0             28       40       1/10
>         5      20/1200           0/0          0/0             30       40       1/10
>         6      5753/515372       0/0          0/0             32       40       1/10
>         7      53/7423           0/0          0/0             34       40       1/10
>
> http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml
>
> Brian
>
> From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
> Sent: Friday 17 October 2008 18.52
> To: Brian Turnbow
> Cc: Networkers; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7206VXR and CBWFQ
>
> Hi,
>
> Subinterfaces and software interfaces do not have their own separate transmit
> (Tx) ring; therefore, no congestion can occur. These interface types include
> dialers, tunnels, and Frame Relay subinterfaces, and will only congest when
> their main hardware interface Tx ring congests. The Tx ring state is an
> indication of congestion for software interfaces.
>
> router(config)# interface Serial0/0.1
> router(config-subif)# service-policy output test
> CBWFQ : Not supported on subinterfaces
>
> 1. Create a child or lower-level policy that configures a queueing mechanism.
> In the example below, we configure LLQ using the priority command and CBWFQ
> using the bandwidth command. Refer to Congestion Management Overview for more
> information.
>
> policy-map child
>  class voice
>   priority 512
>
> 2. Create a parent or top-level policy that applies class-based shaping. Apply
> the child policy as a command under the parent policy since the admission
> control for the child class is done based on the shaping rate for the parent
> class.
>
> policy-map parent
>  class class-default
>   shape average 2000000
>   service-policy child
>
> 3. Apply the parent policy to the subinterface.
>
> interface Serial0/0.1
>  service-policy parent
>
> Cisco Page: http://tinyurl.com/ytt8ge
>
> Note: Class-based shaping works at the interface and subinterface level. Cisco
> IOS 12.2(2.5) introduces the ability to configure shaping on the main
> interface and IP addresses on the subinterfaces.
>
> thanks,
>
> Victor Cappuccio
> CCIE R/S# 20657
> CCSI# 30452
> www.anetworkerblog.com
>
> On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:
>> Your pvc needs to be abr/vbr/cbr
>> You can't do it on ubr
>>
>> Regards
>>
>> Brian
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
>> Sent: Friday 17 October 2008 17.10
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] 7206VXR and CBWFQ
>>
>> Whenever I try to apply the following I get an error message about how
>> CBWFQ can't be applied to subinterfaces. What is the correct way to do
>> this?
>>
>> Thanks,
>> Chris
>>
>> class-map match-any VOIP
>>  match ip dscp ef
>>  match precedence 5
>> class-map match-all CRITICAL
>>  match access-group 100
>>
>> policy-map MyCBWFQ
>>  class CRITICAL
>>   priority 48
>>  class VOIP
>>   bandwidth 320
>>   set precedence 6
>>
>> vc-class atm MyClass
>>  ubr 1536
>>  encapsulation aal5mux ppp Virtual-Template5
>>
>> interface Virtual-Template5
>>  ip unnumbered Loopback0
>>  service-policy output MyCBWFQ
>>  peer default ip address pool default
>>  ppp authentication pap callin
>>
>> interface ATM2/0.1921 point-to-point
>>  pvc 1/1921
>>   class-vc MyClass
>

From giesen at snickers.org Sun Nov 2 14:05:33 2008
From: giesen at snickers.org (Gary T. Giesen)
Date: Sun, 2 Nov 2008 14:05:33 -0500
Subject: [c-nsp] L2VPN Pseudowire Redundancy
Message-ID: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>

I'm not sure if this is possible, but maybe someone can give me some input on how to best achieve this.

I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully redundant pseudowire (from the provider perspective).

The idea is to put two PE routers at each end of the pseudowire (with a common VLAN at each end shared through a switch), so that I can fully lose a PE router and the VC still stays up.

The topology looks like this:

              [PE1]                    [PE3]
CE1 --- [SW1] ---<   > [MPLS CLOUD] <   >--- [SW2] --- CE2
              [PE2]                    [PE4]

I've tried a number of ways using xconnect-peers and backup peers (per http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html ), and it works great when I only have redundancy on one end, but as soon as I add the 4th PE, nothing works anymore.

When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a VC with PE4, when in reality I should only ever have one VC formed at any given time, and PE2 should never form a VC with PE4 until PE1 or PE3 goes down.

Does anyone have any suggested configurations?

Regards,

GG

From blahu77 at gmail.com Sun Nov 2 14:39:35 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 2 Nov 2008 19:39:35 +0000
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>
Message-ID: <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com>

You would have to land these xconnects on a VPLS instance.
So add 4 more devices that would be your N-PEs with a VPLS instance, and your current PEs would become U-PEs connected to the rest of the MPLS cloud with 1 xconnect to the "active" N-PE and a backup xconnect to the "standby" N-PE.

But I am not sure it is possible on 7206.

--
-mat

2008/11/2 Gary T. Giesen :
> I'm not sure if this is possible, but maybe someone can give me some
> input on how to best achieve this.
>
> I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully
> redundant pseudowire (from the provider perspective).
>
> The idea is to put two PE routers at each end of the pseudowire (with
> a common VLAN at each end shared through a switch), so that I can
> fully lose a PE router and the VC still stays up.
>
> The topology looks like this:
>
>               [PE1]                    [PE3]
> CE1 --- [SW1] ---<   > [MPLS CLOUD] <   >--- [SW2] --- CE2
>               [PE2]                    [PE4]
>
> I've tried a number of ways using xconnect-peers and backup peers (per
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
> ), and it works great when I only have redundancy on one end, but as
> soon as I add the 4th PE, nothing works anymore.
>
> When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a
> VC with PE4, when in reality I should only ever have one VC formed at
> any given time, and PE2 should never form a VC with PE4 until PE1 or
> PE3 goes down.
>
> Does anyone have any suggested configurations?
>
> Regards,
>
> GG
>

From blahu77 at gmail.com Sun Nov 2 14:41:43 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 2 Nov 2008 19:41:43 +0000
Subject: [c-nsp] Lightstream Alternative
In-Reply-To:
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com>
Message-ID: <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com>

> If the SPA card for the 7600 could do the switching, the cat 6500 should
> also be able to do it. But even for the 7600 I can't find any
> information on atm switching.

http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419

--
-mat

From avayner at cisco.com Sun Nov 2 15:07:47 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Sun, 2 Nov 2008 21:07:47 +0100
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com>

I would suggest that you treat these 2 parallel PWs as 2 separate L2 connections.
Each connection would be handed over to the end customer separately, and the customer can run STP end to end between their CEs.
This way the failover between PW1 and PW2 would be based on CE-to-CE STP.

Alternatively, if the customer is using L3 CEs, then it's just 2 parallel L3 links...
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Błaszczyk
Sent: Sunday, November 02, 2008 21:40 PM
To: giesen at snickers.org
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy

You would have to land these xconnects on a VPLS instance.
So add 4 more devices that would be your N-PEs with a VPLS instance, and your current PEs would become U-PEs connected to the rest of the MPLS cloud with 1 xconnect to the "active" N-PE and a backup xconnect to the "standby" N-PE.

But I am not sure it is possible on 7206.

--
-mat

2008/11/2 Gary T. Giesen :
> I'm not sure if this is possible, but maybe someone can give me some
> input on how to best achieve this.
>
> I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully
> redundant pseudowire (from the provider perspective).
>
> The idea is to put two PE routers at each end of the pseudowire (with
> a common VLAN at each end shared through a switch), so that I can
> fully lose a PE router and the VC still stays up.
>
> The topology looks like this:
>
>               [PE1]                    [PE3]
> CE1 --- [SW1] ---<   > [MPLS CLOUD] <   >--- [SW2] --- CE2
>               [PE2]                    [PE4]
>
> I've tried a number of ways using xconnect-peers and backup peers (per
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
> ), and it works great when I only have redundancy on one end, but as
> soon as I add the 4th PE, nothing works anymore.
>
> When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a
> VC with PE4, when in reality I should only ever have one VC formed at
> any given time, and PE2 should never form a VC with PE4 until PE1 or
> PE3 goes down.
>
> Does anyone have any suggested configurations?
>
> Regards,
>
> GG
>

From lee.e.rian at census.gov Sun Nov 2 18:06:13 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sun, 2 Nov 2008 18:06:13 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CDC4B.2090802@cisco.com>
Message-ID:

Lincoln Dale wrote on 11/01/2008 06:46:35 PM:

> Karl Gaissmaier wrote:
> >> Maybe RFC1213 ipForwarding would work
> >>
> >> ipForwarding OBJECT-TYPE
> >>   SYNTAX INTEGER {
> >>     forwarding(1),     -- acting as a gateway
> >>     not-forwarding(2)  -- NOT acting as a gateway
> >>   }
> >>
> >> but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> >> (pure L2 switches) & I haven't been able to figure out yet how to tell them
>
> ipForwarding should work fine. it _should_ change behavior based on
> whether there are any L3 interfaces configured or not.

I hope not. Seems to me that it _should_ change behavior based on whether or not the device is acting as a router. Consider the case of all interfaces configured as a switchport. Plain old L2 switch - right? Now add an IP address under the vlan interface so that I can manage the switch. It still shouldn't be playing router - so ipForwarding should still return not-forwarding(2)

> the challenge is how to use this moving forward on Cisco platforms that
> have dedicated out-of-band management interfaces (e.g. Nexus platforms),
> because technically speaking, they ALWAYS have an L3 interface
> configured (mgmt0 out-of-band) which is L3 by definition because it
> exists in its own 'management' VRF).
I'm missing why having an L3 interface would make any difference. A cat2900xl configured with an L3 address for management purposes doesn't turn the box into a router. Why should simply configuring an L3 interface on a box change the value of ipForwarding?

hrmm.. or are you saying that some boxes are *always* going to think they're a router regardless?

Regards,
Lee

From lee.e.rian at census.gov Sun Nov 2 18:09:47 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sun, 2 Nov 2008 18:09:47 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <04F4AE1E-6B23-44EF-A0EB-89400BA7F832@labyrinth.org>
Message-ID:

Scott Keoseyan wrote on 11/02/2008 11:00:23 AM:

> Is there not a MIB out there that contains/displays the contents of
> what's in the CDP neighbor table, and is this information not in the
> table itself... bridge/router/ip-phone/AP/etc.?

I think what's in the CDP table is the same thing that's in the system services MIB - what the box is capable of; not what it's actually configured to do.

Lee

> I thought there was a network-management tool out there somewhere that
> used the contents of the CDP table to help map out the network or
> something like that using this technique.
>
> Scott
>
> On Nov 1, 2008, at 2:24 PM, lee.e.rian at census.gov wrote:
>
> > -----Peter Rathlev wrote: -----
> >
> >> On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
> >>> Especially considering his example was a Catalyst 6500 chassis. He'd have
> >>> to distinguish switched/routed ports present or not...
> >>>
> >>> I'm not at work, so I can't check, but the RFC1213 sysServices might show if
> >>> the routing and/or bridging functionality is enabled:
> >>
> >> I was thinking the same, but it doesn't seem very useful when trying it out.
> >> All the units I looked at were either
> >>
> >> "INTEGER: 6" (bridge and IP gateway) or
> >> "INTEGER: 78" (bridge, IP gateway, IP host and application host).
> > <.. snip ..>
> >
> > Too bad Cisco says what the box *can* do instead of what it's actually doing.
> >
> > Maybe RFC1213 ipForwarding would work
> >
> > ipForwarding OBJECT-TYPE
> >   SYNTAX INTEGER {
> >     forwarding(1),     -- acting as a gateway
> >     not-forwarding(2)  -- NOT acting as a gateway
> >   }
> >
> > but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> > (pure L2 switches) & I haven't been able to figure out yet how to tell them
> > _not_ to play router. Only the directly connected router can talk to the
> > sup32 if it's configured with a default gateway but no default route.
> > Seems to me that you should only need a default route on something that's
> > acting as a router. (If it makes any difference, "no ip proxy-arp" is the
> > standard here :) So my guess is that they're going to say they're acting
> > as a gateway even tho I don't want them to play router nor is there
> > anything L3 configured on them beyond the management vlan IP address and
> > syslog, tacacs, etc. server addresses.
> >
> > Lee

From ltd at cisco.com Sun Nov 2 18:39:06 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 03 Nov 2008 10:39:06 +1100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References:
Message-ID: <490E3A1A.6070604@cisco.com>

lee.e.rian at census.gov wrote:
>
> Lincoln Dale wrote on 11/01/2008 06:46:35 PM:
>
> > Karl Gaissmaier wrote:
> > >> Maybe RFC1213 ipForwarding would work
> > >>
> > >> ipForwarding OBJECT-TYPE
> > >>   SYNTAX INTEGER {
> > >>     forwarding(1),     -- acting as a gateway
> > >>     not-forwarding(2)  -- NOT acting as a gateway
> > >>   }
> > >>
> > >> but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> > >> (pure L2 switches) & I haven't been able to figure out yet how to tell them
> >
> > ipForwarding should work fine. it _should_ change behavior based on
> > whether there are any L3 interfaces configured or not.
>
> I hope not. Seems to me that it _should_ change behavior based on
> whether or not the device is acting as a router. Consider the case of
> all interfaces configured as a switchport. Plain old L2 switch -
> right? Now add an IP address under the vlan interface so that I can
> manage the switch. It still shouldn't be playing router - so
> ipForwarding should still return not-forwarding(2)

the moment you've created a SVI, the device is now behaving as a L3 switch a.k.a. it's routing.

my understanding is that on something like a Catalyst 6500 the result of ipForwarding _will_ change based on the above logic.
the logic may be a little bit more complicated than that - i can see that it probably makes more sense for the result to change only if there is either:
 - an SVI and there is at least 1 routed interface too, or
 - more than one SVI.
because it's not technically possible to be a "router" if you only have 1 L3 interface. :)

note that i haven't verified the snmp response from a c6k for any of this, but the above would make the most sense in terms of responding whether there is "IP Forwarding" aka "L3 switching" aka "routing" going on.

>
> > the challenge is how to use this moving forward on Cisco platforms that
> > have dedicated out-of-band management interfaces (e.g. Nexus platforms),
> > because technically speaking, they ALWAYS have an L3 interface
> > configured (mgmt0 out-of-band) which is L3 by definition because it
> > exists in its own 'management' VRF).
>
> I'm missing why having an L3 interface would make any difference. A
> cat2900xl configured with an L3 address for management purposes
> doesn't turn the box into a router. Why should simply configuring an
> L3 interface on a box change the value of ipForwarding?

well - Catalyst 2900XL doesn't do L3 switching (i guess that's why you chose it as an example), so to my mind, it should not ever respond saying that it can do IP Forwarding.

>
> hrmm.. or are you saying that some boxes are *always* going to think
> they're a router regardless?

i think that may be the case today, yes.

getting back to the original poster's question, one true method one could use to determine if a device is operating as a 'router' or as a L2 switch is to use a SNMP OID that indicates whether the device is participating in a L3 routing protocol, e.g. if you use OSPF as your IGP, then querying an OID associated with that perhaps makes more sense. that would never be ambiguous.

cheers,

lincoln.
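The thread boils down to two objects: sysServices tells you what the platform can do, and ipForwarding tells you whether it is actually forwarding. The classifier below is an added example, not code from the list, from Cisco or from any poster; it decodes both from net-snmp style snmpget output and keeps a sysDescr mapping table as a manual override (the "mapping file" idea from the first reply). The sample responses, the C2960/2811 sysDescr strings and the override table are constructed for illustration, not captured from real devices:

```python
"""Classify a Cisco box as router / switch / host from standard MIB-II objects.

Added illustration for the thread above, not code from the list or from Cisco.
It decodes RFC 1213 sysServices (what the box *can* do) and ipForwarding (what
it is *doing*) from net-snmp style "snmpget" output, with an optional sysDescr
mapping table as a manual override. All sample responses below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Pattern, Sequence, Tuple

# RFC 1213: sysServices = sum of 2^(L-1) for each OSI layer L the agent offers.
SYS_SERVICES_LAYERS = {
    1: "physical",       # layer 1, e.g. repeaters
    2: "datalink",       # layer 2, e.g. bridges / switches
    4: "internet",       # layer 3, e.g. IP gateways
    8: "end-to-end",     # layer 4, e.g. IP hosts
    64: "applications",  # layer 7, e.g. mail relays
}

# net-snmp output: "<MIB>::<object>.<index> = <TYPE>: <value>"
_SNMP_LINE = re.compile(r"^(?P<name>\S+)\s*=\s*(?P<type>[A-Za-z0-9-]+):\s*(?P<value>.*)$")
# enumerated INTEGER values print as "forwarding(1)"; capture the number
_ENUM_INT = re.compile(r"\((-?\d+)\)\s*$")

# Assumed sysDescr override table (the "mapping file" idea from the first reply).
# The entry is hypothetical; extend it for the platforms in your own inventory.
DESCR_OVERRIDES: Sequence[Tuple[Pattern[str], str]] = (
    (re.compile(r"Adaptive Security Appliance", re.I), "firewall"),
)


def parse_snmpget(lines: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Return {"sysServices.0": ("INTEGER", "6"), ...} from snmpget output."""
    parsed: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        match = _SNMP_LINE.match(line.strip())
        if not match:
            continue  # "No Such Object", "Timeout: ...", blank lines
        name = match.group("name").split("::")[-1]  # drop the MIB module prefix
        parsed[name] = (match.group("type"), match.group("value"))
    return parsed


def snmp_int(raw: str) -> int:
    """Turn "78" or "not-forwarding(2)" into an int."""
    match = _ENUM_INT.search(raw)
    return int(match.group(1)) if match else int(raw.strip())


def decode_sys_services(value: int) -> List[str]:
    """Expand the sysServices bitmask into the layer names it advertises."""
    if not 0 <= value <= 127:
        raise ValueError(f"sysServices out of range: {value}")
    return [name for bit, name in SYS_SERVICES_LAYERS.items() if value & bit]


def classify(snapshot: Dict[str, Tuple[str, str]],
             overrides: Sequence[Tuple[Pattern[str], str]] = DESCR_OVERRIDES) -> str:
    """Return "router", "switch", "host", a sysDescr override kind, or "unknown".

    ipForwarding decides router vs. switch; sysServices alone only says what
    the platform is capable of, which is why it is the fallback, not the answer.
    """
    descr = snapshot.get("sysDescr.0", ("", ""))[1]
    for pattern, kind in overrides:
        if pattern.search(descr):
            return kind
    if "sysServices.0" not in snapshot:
        return "unknown"
    layers = decode_sys_services(snmp_int(snapshot["sysServices.0"][1]))
    forwarding: Optional[bool] = None
    if "ipForwarding.0" in snapshot:
        forwarding = snmp_int(snapshot["ipForwarding.0"][1]) == 1
    if "internet" in layers and forwarding is True:
        return "router"
    if "datalink" in layers:
        return "switch"
    if "internet" in layers and forwarding is None:
        return "router"  # capability only: the agent did not answer ipForwarding
    if "end-to-end" in layers or "applications" in layers:
        return "host"
    return "unknown"


# Constructed sample responses, in the shape net-snmp prints them.
ROUTER_2811 = [
    "SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T",
    "SNMPv2-MIB::sysServices.0 = INTEGER: 78",
    "IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)",
]
L2_SWITCH = [
    "SNMPv2-MIB::sysDescr.0 = STRING: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE",
    "SNMPv2-MIB::sysServices.0 = INTEGER: 6",
    "IP-MIB::ipForwarding.0 = INTEGER: not-forwarding(2)",
]
# The caveat from the thread: an L2-only chassis with an SVI may still answer
# forwarding(1), and this classifier will then call it a router.
SWITCH_WITH_SVI = [
    "SNMPv2-MIB::sysServices.0 = INTEGER: 78",
    "IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)",
]

if __name__ == "__main__":
    for label, lines in (("2811", ROUTER_2811), ("2960", L2_SWITCH), ("sup32+svi", SWITCH_WITH_SVI)):
        snap = parse_snmpget(lines)
        print(label, decode_sys_services(snmp_int(snap["sysServices.0"][1])), classify(snap))
```

To feed it real data, pipe in the output of snmpget for sysDescr.0 (.1.3.6.1.2.1.1.1.0), sysServices.0 (.1.3.6.1.2.1.1.7.0) and ipForwarding.0 (.1.3.6.1.2.1.4.1.0). Poll with SNMPv3 authPriv and a read-only view where the platform supports it; a v2c community crosses the wire in cleartext, and a poller that holds one community for the whole estate is a single credential worth stealing. Note also the SVI case above: when ipForwarding answers forwarding(1) on a box you consider an L2 switch, the override table is the only place to express that intent.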
From rakeshh at gmail.com Sun Nov 2 21:24:47 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Sun, 2 Nov 2008 20:24:47 -0600
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com>
Message-ID: <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com>

How about creating two pseudowires, PE1-PE3 and PE2-PE4? This will give you two logical point-to-point connections between SW1 and SW2 and at the same time take care of device (PE) failure. STP, by default, will take care of the redundancy. You may also want to use UDLD and/or PAGP or LACP to provide end-to-end link status.

-Rakesh.

On Sun, Nov 2, 2008 at 2:07 PM, Arie Vayner (avayner) wrote:

> I would suggest that you treat these 2 parallel PWs as 2 separate L2
> connections.
> Each connection would be handed over to the end customer separately, and
> the customer can run STP end to end between their CEs.
> This way the failover between PW1 and PW2 would be based on CE-to-CE STP
>
> Alternatively, if the customer is using L3 CEs, then it's just 2 parallel
> L3 links...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Błaszczyk
> Sent: Sunday, November 02, 2008 21:40 PM
> To: giesen at snickers.org
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy
>
> You would have to land these xconnects on a VPLS instance.
> So add 4 more devices that would be your N-PEs with a VPLS instance, and your
> current PEs would become U-PEs connected to the rest of the MPLS cloud with
> 1 xconnect to the "active" N-PE and a backup xconnect to the "standby" N-PE.
>
> But I am not sure it is possible on 7206.
> > > > -- > -mat > > > 2008/11/2 Gary T. Giesen : > > I'm not sure if this is possible, but maybe someone can give me some > > input on how to best achieve this. > > > > I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully > > redundant pseudowire (from the provider persective). > > > > The idea is to put two PE routers at each end of the pseudowire (with > > a common VLAN at each end shared through a switch), so that I can > > fully lose a PE router and the VC still stays up. > > > > The topology looks like this: > > > > [PE1] [PE3] > > CE1 --- [SW1] ---< > [MPLS CLOUD] < >--- [SW2] --- CE2 > > [PE2] [PE4] > > > > I've tried a number of ways using xconnect-peers and backup peers (per > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html > > ), and it works great when I only have redundancy on one end, but as > > soon as I add the 4th PE, nothing works anymore. > > > > When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a > > VC with PE4, when in reality I should only ever have one VC formed at > > any given time, and PE2 should never form a VC with PE4 until PE1 or > > PE3 goes down. > > > > Does anyone have any suggested configurations? 
> > > > Regards, > > > > GG > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From netgeek at bgp4.net Sun Nov 2 23:34:17 2008 From: netgeek at bgp4.net (Janet Sullivan) Date: Sun, 02 Nov 2008 20:34:17 -0800 Subject: [c-nsp] SXF15/SXF15a experiences? Message-ID: <490E7F49.8070901@bgp4.net> I'm interested in hearing about people's experiences with SXF15/15a, especially in an internet edge/full BGP route table type environment. So far I've run into one oddity with SXF15 (BGP wasn't updating the local routing table until a clear ip route *), and I'm debating whether to downgrade. Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting of the SXH beast still. From b.turnbow at twt.it Mon Nov 3 02:49:29 2008 From: b.turnbow at twt.it (Brian Turnbow) Date: Mon, 3 Nov 2008 08:49:29 +0100 Subject: [c-nsp] 7206VXR and CBWFQ In-Reply-To: References: Message-ID: Cisco IOS Software, 7200 Software (C7200P-JS-M), Version 12.2(31)SB13, RELEASE SOFTWARE (fc1) Brian ________________________________ From: Networkers [mailto:cisco at peakpeak.com] Sent: domenica 2 novembre 2008 18.20 To: Brian Turnbow; Victor Cappuccio Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 7206VXR and CBWFQ What code rev is in there? 
Thanks,
Chris

On 10/20/08 3:20 AM, "Brian Turnbow" wrote:

Please don't tell that to this router

policy-map llq
 class sipRTP
  priority 512
 class class-default
  fair-queue
  random-detect

vc-class atm CVPHDSL-VoIP
 vbr-nrt 1524 1524
 encapsulation aal5snap

interface ATM3/0.20842 point-to-point
 description cust 1
 ip address 192.168.0.41 255.255.255.252
 pvc CVPH_CUSTVOIP 208/42
  class-vc CVPHDSL-VoIP
  service-policy out llq

7200-accessjn3#sh policy-map int ATM3/0.20842
 ATM3/0.20842: VC 208/42 -

  Service-policy output: llq

    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5466056/418685691

    Class-map: sipRTP (match-all)
      5466056 packets, 418685691 bytes
      5 minute offered rate 61000 bps, drop rate 0 bps
      Match: access-group 5
      Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0

    Class-map: class-default (match-any)
      492783 packets, 493906760 bytes
      5 minute offered rate 509000 bps, drop rate 0 bps
      Match: any
        492783 packets, 493906760 bytes
        5 minute rate 509000 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
      (pkts output/bytes output) 492733/493866217
      Fair-queue: per-flow queue limit 16
      Exp-weight-constant: 9 (1/512)
      Mean queue depth: 0 packets
      class  Transmitted       Random drop  Tail/Flow drop  Minimum  Maximum  Mark
             pkts/bytes        pkts/bytes   pkts/bytes      thresh   thresh   prob
      0      486842/493318682  0/0          50/40543        20       40       1/10
      1      54/22464          0/0          0/0             22       40       1/10
      2      6/746             0/0          0/0             24       40       1/10
      3      0/0               0/0          0/0             26       40       1/10
      4      5/330             0/0          0/0             28       40       1/10
      5      20/1200           0/0          0/0             30       40       1/10
      6      5753/515372       0/0          0/0             32       40       1/10
      7      53/7423           0/0          0/0             34       40       1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

________________________________
From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
Sent: venerdì 17 ottobre 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Hi,

Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class.

policy-map parent
 class class-default
  shape average 2000000
  service-policy child

3. Apply the parent policy to the subinterface.

interface Serial0/0.1
 service-policy parent

Cisco Page: http://tinyurl.com/ytt8ge

Note: Class-based shaping works at the interface and subinterface level. Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the main interface and IP addresses on the subinterfaces.

thanks,
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com

On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:

Your pvc needs to be abr/vbr/cbr
You can't do it on ubr

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
Sent: venerdì 17 ottobre 2008 17.10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206VXR and CBWFQ

Whenever I try to apply the following I get an error message about how CBWFQ can't be applied to subinterfaces. What is the correct way to do this?

Thanks,
Chris

class-map match-any VOIP
 match ip dscp ef
 match precedence 5
class-map match-all CRITICAL
 match access-group 100

policy-map MyCBWFQ
 class CRITICAL
  priority 48
 class VOIP
  bandwidth 320
  set precedence 6

vc-class atm MyClass
 ubr 1536
 encapsulation aal5mux ppp Virtual-Template5

interface Virtual-Template5
 ip unnumbered Loopback0
 service-policy output MyCBWFQ
 peer default ip address pool default
 ppp authentication pap callin

interface ATM2/0.1921 point-to-point
 pvc 1/1921
  class-vc MyClass

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From karl.gaissmaier at uni-ulm.de Mon Nov 3 03:30:16 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Mon, 03 Nov 2008 09:30:16 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <490EB698.4080304@uni-ulm.de>

Hi,

Janet Sullivan schrieb:
..
> Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting
> of the SXH beast still.
my tests with SXH on a sup720-3B showed a constantly higher load of the switch processor compared to any SXF version:

Version SXF:

> cat65# remote command switch show proc cpu sort
>
> CPU utilization for five seconds: 14%/1%; one minute: 11%; five minutes: 11%
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>   41    18207424  33591134        542  5.51%  6.73%  6.77%   0 slcp process
>  133      321528     49015       6559  4.47%  0.37%  0.16%   0 L2 MAC oob sync
>  101     4551988    195787      23249  1.67%  1.70%  1.68%   0 Vlan Statistics

Version SXH:

The slcp process is always consuming at least 20% on SXH releases on the same box.

Remarks:
The box is used as a LAN collapsed backbone router, terminating ~170 SVIs with about 8k MAC addresses in the LAN.

Best Regards
Charly

From dgranzer at gmail.com Mon Nov 3 03:49:04 2008
From: dgranzer at gmail.com (David Granzer)
Date: Mon, 3 Nov 2008 09:49:04 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <844ef89c0811030049h5316a727s34e457f308b5e086@mail.gmail.com>

Hello,

we had exactly the same troubles with SXF15, now we are back to the previous version. It seemed like a CEF-related bug.

David

On Mon, Nov 3, 2008 at 5:34 AM, Janet Sullivan wrote:
> I'm interested in hearing about people's experiences with SXF15/15a,
> especially in an internet edge/full BGP route table type environment. So far
> I've run into one oddity with SXF15 (BGP wasn't updating the local routing
> table until a clear ip route *), and I'm debating whether to downgrade.
>
> Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting of
> the SXH beast still.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From sthaug at nethelp.no Mon Nov 3 04:23:07 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 03 Nov 2008 10:23:07 +0100 (CET)
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490E3A1A.6070604@cisco.com>
References: <490E3A1A.6070604@cisco.com>
Message-ID: <20081103.102307.74668825.sthaug@nethelp.no>

> the moment you've created an SVI, the device is now behaving as an L3
> switch a.k.a. it's routing.

This may be true on the 6500/7600. It's definitely not true on for instance 3550/3560/3750, where you need an explicit "ip routing" for the box to perform IP forwarding.

> my understanding is that on something like a Catalyst 6500 the result of
> ipForwarding _will_ change based on the above logic.

Seems reasonable for the 6500/7600, but quite *un*reasonable for boxes like 3550/3560/3750 given the default of "no ip routing".

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ibrahim.abozaid at gmail.com Mon Nov 3 04:41:06 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Mon, 3 Nov 2008 11:41:06 +0200
Subject: [c-nsp] Strange behavior of Catalyst 6509
Message-ID:

Hi All

we had Cat 6509 gear running the 12.0(7)XE1 image on the MSFC. We faced a strange behavior: all servers and clients connected to a VLAN can't exchange any packet with a size exceeding a certain limit, although no configuration is used to limit that and no IP reachability problem exists. The problem was solved after deleting the VLAN SVI and creating it again.

Does anyone have any idea what the problem can be?
i searched IOS bugs and can't get any bug with this symptoms thanks --Ibrahim From ivan at ig.sk Mon Nov 3 04:01:42 2008 From: ivan at ig.sk (Ivan Gasparik) Date: Mon, 3 Nov 2008 11:01:42 +0200 Subject: [c-nsp] L2VPN Pseudowire Redundancy In-Reply-To: <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com> References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com> <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com> Message-ID: <200811031001.42096.ivan@ig.sk> If the goal is hardware redundancy (to ensure working VC when one of the PE's fails), you can create one VC and configure it using two separate loopback ip addresses. You will assign a loopback interface to PE1 and PE2 with the same ip address. The other couple of PE's - PE3 and PE4 - will share another ip address on their loopbacks. Every PE will have VC configured using these ip addresses, you will choose one of each couple as primary and configure IGP to pick ip address of the primary PE's and propagate it across the backbone. In case of primary PE failure will IGP do its job - propagate the loopback ip address of the backup PE and allow LDP to establish new session between working PE's. Ivan On Monday 03 November 2008, Rakesh Hegde wrote: > How about creating two psudowires , PE1- PE3 and PE2-PE4 ? This > will give you two logical point to point connections between SW1 > and SW2 and at the same time take care of device (PE) failure . > STP,by default, will take care of the redundancy. You may also > want to use UDLD and/or PAGP or LACP to provide end to end link > status. > > -Rakesh. > > On Sun, Nov 2, 2008 at 2:07 PM, Arie Vayner (avayner) wrote: > > I would suggest that you treat these 2 parallel PW's as 2 > > separate L2 connections. > > Each connection would be handed over to the end customer > > separately, and the customer can run STP end to end between their > > CE's. 
> > This way the failover between PW1 and PW2 would be based on > > CE-to-CE STP > > > > Alternatively, if the customer is using L3 CE's, then its just 2 > > parallel L3 links... > > > > Arie > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net [mailto: > > cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz B?aszczyk > > Sent: Sunday, November 02, 2008 21:40 PM > > To: giesen at snickers.org > > Cc: cisco-nsp at puck.nether.net > > Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy > > > > you would have to land these xconnects on VPLS instance. > > so add 4 more devices that would be your N-PEs with VPLS instance > > and your current PEs would become U-PEs connected to the rest of > > the MPLS cloud with 1 xconnect to the "active" N-PE and backup > > xconnect to the "standby" N-PE. > > > > But I am not sure it is possible on 7206. > > > > > > > > -- > > -mat > > > > 2008/11/2 Gary T. Giesen : > > > I'm not sure if this is possible, but maybe someone can give me > > > some input on how to best achieve this. > > > > > > I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a > > > fully redundant pseudowire (from the provider persective). > > > > > > The idea is to put two PE routers at each end of the pseudowire > > > (with a common VLAN at each end shared through a switch), so > > > that I can fully lose a PE router and the VC still stays up. > > > > > > The topology looks like this: > > > > > > [PE1] > > > [PE3] CE1 --- [SW1] ---< > [MPLS CLOUD] < > > > >--- [SW2] --- CE2 [PE2] [PE4] > > > > > > I've tried a number of ways using xconnect-peers and backup > > > peers (per > > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseud > > >o.html ), and it works great when I only have redundancy on one > > > end, but as soon as I add the 4th PE, nothing works anymore. 
> > > > > > When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 > > > forms a VC with PE4, when in reality I should only ever have > > > one VC formed at any given time, and PE2 should never form a VC > > > with PE4 until PE1 or PE3 goes down. > > > > > > Does anyone have any suggested configurations? > > > > > > Regards, > > > > > > GG > > > _______________________________________________ > > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Mon Nov 3 05:15:22 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 03 Nov 2008 10:15:22 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490E7F49.8070901@bgp4.net> References: <490E7F49.8070901@bgp4.net> Message-ID: <490ECF3A.70804@imperial.ac.uk> Janet Sullivan wrote: > I'm interested in hearing about people's experiences with SXF15/15a, > especially in an internet edge/full BGP route table type environment. So > far I've run into one oddity with SXF15 (BGP wasn't updating the local > routing table until a clear ip route *), and I'm debating whether to > downgrade. That bug was discussed on the list recently. Search for the thread "SXH3 ghost bugs". 
It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still has all the *other* bugs that SXH3 has, including the SCP-crasher) SXF15a wasn't out last time I looked, so I don't know, but I assume SXF15a cures the BGP bug. > > Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting > of the SXH beast still. Consensus seems to be that unless you specifically need some of the 12.2(33) features, you're best on SXF We've just recently *down*graded from SXH2a on one box; the progress of that train has been inadequate for our stability needs. We've actually been very stable on SXF10 for a while now (over 1 year on our busiest box). From A.L.M.Buxey at lboro.ac.uk Mon Nov 3 05:23:27 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 3 Nov 2008 10:23:27 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490ECF3A.70804@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> Message-ID: <20081103102327.GB32130@lboro.ac.uk> Hi, > We've actually been very stable on SXF10 for a while now (over 1 year on > our busiest box). any reason you're not using SXF12a - the safeharbor release? we've had to upgrade a box to SXF15 to 'fix' a bug in SXF9..so I'll see what happens to that box.. alan From p.mayers at imperial.ac.uk Mon Nov 3 05:44:19 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 03 Nov 2008 10:44:19 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <20081103102327.GB32130@lboro.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk> Message-ID: <490ED603.2020903@imperial.ac.uk> A.L.M.Buxey at lboro.ac.uk wrote: > Hi, > >> We've actually been very stable on SXF10 for a while now (over 1 year on >> our busiest box). > > any reason you're not using SXF12a - the safeharbor release? That was not what we had running and tested elsewhere. There are no problems etc. 
that I know of in 12a if that's what you mean. I'm aware that SXF10 is actually deferred in favour of SXF10a, but frankly this tells me all I need to know: me-core#sh ver | inc ^IOS|uptime IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1) me-core uptime is 1 year, 7 weeks, 1 day, 18 hours, 20 minutes We tend to upgrade only if we're well overdue, or there's a specific bug or feature we need. If matters had progressed differently we'd probably have had SXF12a on a busy router, and that would have become our target image. From A.L.M.Buxey at lboro.ac.uk Mon Nov 3 06:08:26 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 3 Nov 2008 11:08:26 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490ED603.2020903@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk> <490ED603.2020903@imperial.ac.uk> Message-ID: <20081103110826.GA32765@lboro.ac.uk> Hi, > That was not what we had running and tested elsewhere. There are no ah, fair enough. the 'run with it,and if no problems or features required,stay with it' approach is a fine way of operating imho :-) alan From dwinkworth at att.net Mon Nov 3 07:16:18 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 3 Nov 2008 04:16:18 -0800 (PST) Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto... Message-ID: <299162.64956.qm@web180012.mail.gq1.yahoo.com> Indeed it does. This is the preferred route. Abandon dealing with fragmentation altogether. Sadly, some MPLS access options (like ethernet access) have a limitation of 1500 byte MTUs in the cloud. My thought is, just do the MSS adjustments at the sites with this limitation. We are seeing some corruption of fragments with GET in 12.4(15)T5. Thats what this is about. So we upgraded to T7 and jacked up the MTUs wherever possible. 
----- Original Message ---- From: "lee.e.rian at census.gov" To: Luan Nguyen Cc: Derick Winkworth ; Rodney Dunn ; cisco-nsp at puck.nether.net Sent: Saturday, November 1, 2008 10:57:09 AM Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto... "mtu 1600" on the wan interface also works & doesn't require any changes on the lan interfaces :) Lee -----cisco-nsp-bounces at puck.nether.net wrote: ----- >To: "'Derick Winkworth'" , "'Rodney Dunn'" > >From: "Luan Nguyen" >Sent by: cisco-nsp-bounces at puck.nether.net >Date: 10/31/2008 02:39PM >cc: cisco-nsp at puck.nether.net >Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" >and crypto... > >The MSS tells the maximum data a host will accept in an TCP/IP >datagram. >Each side reports the value to the other side and the sending will >abide by >it. It's all before encryption. >So typically like you said, people put ip tcp adjust-mss 1360 on the >group >member LAN interface and also set ip mtu 1400 on the WAN side hoping >for >PMTUD to work its magic. >Putting both on the WAN interface should work as well, though, I >don't quite >understand the backside is MPLS statement :)...the packet has to be >originated from somewhere. >There's a very good paper here on Fragmentation >http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper0 >9186a00 >800d6979.shtml#t3 > > >Luan Nguyen >Chesapeake NetCraftsmen, LLC. >www.NetCraftsmen.net > >(blog) http://ccie-security.blogspot.com/ >(e) luan at netcraftsmen.net >(aim/yahoo): luancnc > > > >-----Original Message----- >From: cisco-nsp-bounces at puck.nether.net >[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick >Winkworth >Sent: Friday, October 31, 2008 11:52 AM >To: Rodney Dunn >Cc: cisco-nsp at puck.nether.net >Subject: [c-nsp] Order-of-operations question about "adjust-mss" and >crypto... > >If you apply the "ip tcp adjust-mss" command on an interface that has >a >crypto statement on it... 
> >Does it perform the MSS adjustment on outbound packets before they >are >encrypted? >Does it perform the MSS adjustment on inbound packets after they are >decrypted? > >I know that this is typically placed on a tunnel interface or, for >instance, >on an ethernet interface of a remote VPN site or something... but I >have a >case where we have many GET encryped sub-interfaces (each in their >own VRF) >which are the only logical IP interfaces on the box. The backside is >MPLS >so there is no place to put the statement there... so I was just >going to >apply it to the interfaces where the crypto maps are.. not sure if >this will >work. > >I'll probably have to lab it up I'm guessing. > >Derick >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ > >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From netgeek at bgp4.net Mon Nov 3 09:49:12 2008 From: netgeek at bgp4.net (Janet Sullivan) Date: Mon, 03 Nov 2008 06:49:12 -0800 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <20081103102327.GB32130@lboro.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk> Message-ID: <490F0F68.3020208@bgp4.net> A.L.M.Buxey at lboro.ac.uk wrote: > we've had to upgrade a box to SXF15 to 'fix' a bug in SXF9..so > I'll see what happens to that box.. > > alan We just went from SXF9 to SXF15. I notice SXF15a is out, anyone know the story behind it? From netgeek at bgp4.net Mon Nov 3 09:52:28 2008 From: netgeek at bgp4.net (Janet Sullivan) Date: Mon, 03 Nov 2008 06:52:28 -0800 Subject: [c-nsp] SXF15/SXF15a experiences? 
In-Reply-To: <490ECF3A.70804@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> Message-ID: <490F102C.7070106@bgp4.net> Phil Mayers wrote: > Janet Sullivan wrote: >> I'm interested in hearing about people's experiences with SXF15/15a, >> especially in an internet edge/full BGP route table type environment. >> So far I've run into one oddity with SXF15 (BGP wasn't updating the >> local routing table until a clear ip route *), and I'm debating >> whether to downgrade. > > That bug was discussed on the list recently. Search for the thread "SXH3 > ghost bugs". > > It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still > has all the *other* bugs that SXH3 has, including the SCP-crasher) I thought the ghost bug was fixed in SXF15? Wasn't there a discussion about how it had been both found and fixed in that version? In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local routing table on the box did not. That seems slightly different than the ghost bug as I understood it, but I'd be happy to be proven wrong. From streiner at cluebyfour.org Mon Nov 3 09:05:43 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 3 Nov 2008 09:05:43 -0500 (EST) Subject: [c-nsp] Monitoring Routing Table In-Reply-To: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com> References: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com> Message-ID: On Sat, 1 Nov 2008, Asad Hasan wrote: > Is there an OID that can pull back number of routes within the routing > table? OID which can generate results such as 'show ip ro summ'. I found OID > 1.3.6.1.2.1.4.21.1.1 and 1.3.6.1.2.1.4.21.1.9 (IpRouteTable and > IpRouteProto), but this pulls back every routing entry. Also is there an OID > that can pull back similar information for a VRF. 
Not sure about VRFs, as I don't use them at the moment, but you can run a count on the number of entries that are returned by polling ipRouteTable to get the number of routes. You can also try it with ipRouteProto and just looking at connected + static + OSPF. That might actually be better, if you carry IBGP w/full views on your routers since it will be less taxing on the router's CPU. If you're planning to do this with something like MRTG, I believe it has an option you can to use to count the number of routes. If you're not using MRTG, it would be easy enough to write a script to poll the appropriate OID and pipe the output into a counter to get the number you're looking for. jms From p.mayers at imperial.ac.uk Mon Nov 3 10:13:02 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 03 Nov 2008 15:13:02 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490F102C.7070106@bgp4.net> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net> Message-ID: <490F14FE.7080302@imperial.ac.uk> Janet Sullivan wrote: > Phil Mayers wrote: >> Janet Sullivan wrote: >>> I'm interested in hearing about people's experiences with SXF15/15a, >>> especially in an internet edge/full BGP route table type environment. >>> So far I've run into one oddity with SXF15 (BGP wasn't updating the >>> local routing table until a clear ip route *), and I'm debating >>> whether to downgrade. >> >> That bug was discussed on the list recently. Search for the thread >> "SXH3 ghost bugs". >> >> It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still >> has all the *other* bugs that SXH3 has, including the SCP-crasher) > > I thought the ghost bug was fixed in SXF15? Wasn't there a discussion > about how it had been both found and fixed in that version? You could be right: http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg15107.html I might be thinking of the BFD bug. 
> > In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei > xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local > routing table on the box did not. That seems slightly different than > the ghost bug as I understood it, but I'd be happy to be proven wrong. > Well either way - it adds to the reports of SXF15 being a poor release: http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg14944.html From dkcctc at gmail.com Mon Nov 3 10:55:09 2008 From: dkcctc at gmail.com (Daniel Chapman) Date: Mon, 3 Nov 2008 10:55:09 -0500 Subject: [c-nsp] IOS and Calea Feature Set References: <4909F8A0.4040200@mt.net> Message-ID: <001e01c93dcc$8d87cdc0$0c01000a@cittel.com> The Lawful Intercept feature uses SNMP V3 and MIBs like ciscoIpTapMIB and ciscoTap2MIB. You setup a group and a view including these mibs and intiate the intercept from your mediation/sniffer device. It can be tricky if you are doing PPP, because you specify the IP to tap. Your configuration could include setting up a AAA group and allowing the mediation device to receive accounting records to determine end-user IP addresses. The median device needs to be able to act as a RADIUS server so it isn't marked Dead by the AAA processes in the router. Dan ----- Original Message ----- From: "Forrest W Christian" To: Sent: Thursday, October 30, 2008 1:10 PM Subject: [c-nsp] IOS and Calea Feature Set > I'm working on improving my CALEA compliance here. One of the big things > I need to handle is better extraction of frames out of several cisco > routers we have scattered around our network. > Today, we handle our CALEA requests by using a span/mirroring port on a > switch plugged into a CALEA collection device which conforms to the WISPA > CALEA standard. 
That way, we can capture all of the internet and most of > the on-network traffic, but not quite 100% since traffic which never > leaves the border router doesn't ever exit the border router so it can't > be captured for Law Enforcement. > > It looks like the IP Traffic Export would allow me to basically use the > tools we already have in place for this. But, I also am looking at the > CALEA features in the later IOS'es. Unfortunately, the documentation is > written in CALEA-speak, which makes for confusing reading, especially when > you are trying to figure out what pieces you need to make this work. > > I'm curious if someone on-list has gotten the CALEA features to work in a > Broadband provider setting, and if so, if they could perhaps point me in > the right direction as far as what pieces we need (aka specific products > instead of "functions") other than the Cisco router w/CALEA features? > > -forrest > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From markom at markom.info Mon Nov 3 11:15:20 2008 From: markom at markom.info (Marko Milivojevic) Date: Mon, 3 Nov 2008 16:15:20 +0000 Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch In-Reply-To: <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> Message-ID: <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com> On Sun, Nov 2, 2008 at 13:04, Mateusz B?aszczyk wrote: > My friends suggestion in such a problem is shut the port and wait for > someone to start screamin.. 
> If none, you can disconnect the cable :)

Given that no mac addresses are learned on the port, there is probably no traffic there and shutting it down shouldn't do any real damage.

... unless it's some really weird (Ericsson?) device that uses that port to stay alive or some similar nonsense.

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From c.spurgeon at mail.utexas.edu Mon Nov 3 10:54:22 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 3 Nov 2008 09:54:22 -0600
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490F102C.7070106@bgp4.net>
References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net>
Message-ID: <20081103155422.GA32332@argus.gw.utexas.edu>

As noted on NSP recently, SXF15 appears to share some bugs with SXH3. We've found that the set of shared bugs includes the "crashes when route-map is removed" bug (CSCsk21935, which will be fixed via CSCsm75286 according to the TAC).

We first encountered the SXH3 route-map issue when a core router crashed during a route-map removal that is performed by a script twice a day. We downgraded to SXF6, which we have been running for nearly two years on our core routers with no issues (including one BGP peering box with a full route table).

A little while later we upgraded the core box that had crashed on SXH3 to SXF15 to deal with the multicast vulnerability (cisco-sa-20080924-multicast). Two weeks after the upgrade that core router crashed on the route-map bug, which is the first time we had seen that in SXF code. From which we deduce that SXF15 picked up some bugs from the SXH branch which are not present in SXF6. Not sure where along the path that happened, although from Phil's report it sounds like SXF10 is running stably as well.
We modified our route-map script, and are continuing to run on SXF15 on that core box (which is not a BGP peering box) with no other issues found (we don't use scp, so we have avoided that particular SXH and presumably SXF15 bug as well).

Since Cisco appears to be spreading the buggy code around in later releases of SXF code, it's getting difficult to find a stable release that *stays* stable.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

On Mon, Nov 03, 2008 at 06:52:05AM -0800, Janet Sullivan wrote:
> Phil Mayers wrote:
> >Janet Sullivan wrote:
> >>I'm interested in hearing about people's experiences with SXF15/15a,
> >>especially in an internet edge/full BGP route table type environment.
> >>So far I've run into one oddity with SXF15 (BGP wasn't updating the
> >>local routing table until a clear ip route *), and I'm debating
> >>whether to downgrade.
> >
> >That bug was discussed on the list recently. Search for the thread "SXH3
> >ghost bugs".
> >
> >It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still
> >has all the *other* bugs that SXH3 has, including the SCP-crasher)
>
> I thought the ghost bug was fixed in SXF15? Wasn't there a discussion
> about how it had been both found and fixed in that version?
>
> In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei
> xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local
> routing table on the box did not. That seems slightly different than
> the ghost bug as I understood it, but I'd be happy to be proven wrong.
>

From tomas at soitron.com Mon Nov 3 15:11:58 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Mon, 3 Nov 2008 21:11:58 +0100
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>

> -----Original Message-----
> Given that no mac addresses are learned on the port, there is probably
> no traffic there and shutting it down shouldn't do any real damage.

Wrong. There are appliances/applications that are quiet enough not to populate (or timeout) the mac tables, just sittin' there and receiving traffic. And even though there is no mac entry for that address, the switch simply floods the traffic (by default...
unless you configure block-unknown-unicast) to all ports, including the one with the quiet black box.

But - yes, there often is no other option for 'discovery' of such devices than to shut down and wait for complaints

--
deejay

From markom at markom.info Mon Nov 3 15:18:58 2008
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 3 Nov 2008 20:18:58 +0000
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com> <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>
Message-ID: <1fb747910811031218i42ac8ea2o1a69c478ca282f84@mail.gmail.com>

On Mon, Nov 3, 2008 at 20:11, Tomas Daniska wrote:
> Wrong. There are appliances/applications that are quiet enough not to populate (or timeout) the mac tables, just sittin' there and receiving traffic. And even though there is no mac entry for that address, the switch simply floods the traffic (by default... unless you configure block-unknown-unicast) to all ports, including the one with the quiet black box

I stand corrected about the listen-only device. I must admit it didn't cross my mind :-).

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From kohlstetter at blue-networks.de Mon Nov 3 17:30:59 2008
From: kohlstetter at blue-networks.de (Peer Kohlstetter)
Date: Mon, 3 Nov 2008 23:30:59 +0100
Subject: [c-nsp] MPLS VPN Design with very fast convergence
Message-ID: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>

Hi,

I'm currently working on a Design for an MPLS VPN with very fast convergence times.
We have the goal to reach a maximum convergence time of 1,5 seconds when a single error occurs.

In the Backbone I try to work with FRR (FastReRoute). Between PE and CE I'm not sure what protocol to use. I'm also thinking about L3VPN or L2VPN solution.

Are there any information, whitepapers, designs about such a solution in the web?

Does somebody have experience with such convergence times in an MPLS environment?

Thanks and best regards,

Peer

From christian at broknrobot.com Mon Nov 3 22:24:10 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 3 Nov 2008 22:24:10 -0500
Subject: [c-nsp] What's up with this?
In-Reply-To: References: Message-ID:

new edge router, os will run ios-xr

On Fri, Oct 31, 2008 at 5:03 PM, Mike Louis wrote:
> http://www.cisco.com/cdc_content_elements/flash/netsol/sp/getready/index.html?POSITION=banner&COUNTRY_SITE=us&CAMPAIGN=GetReady&CREATIVE=Corner+Banner+Ad+go/getready&REFERRING_SITE=CISCO%2ECOM+INDEX
>
>

From p_ambedkar at rediffmail.com Mon Nov 3 23:46:04 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 4 Nov 2008 04:46:04 -0000
Subject: [c-nsp] Layer-2 backup
Message-ID: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>

Hi, I want to implement layer-2 backup with minimum delay with Cisco 2950 switches. I have seen flexlinks, but this is for Cisco 3500 series and above. Please help me in this regard. Thanks in advance. Bye.

From ben.steele at internode.on.net Mon Nov 3 23:55:12 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 4 Nov 2008 15:25:12 +1030
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <001501c93e39$862b9170$9282b450$@steele@internode.on.net>

Check out rapid spanning-tree (802.1w)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ambedkar
Sent: Tuesday, 4 November 2008 3:16 PM
To: cisco_nsp
Subject: [c-nsp] Layer-2 backup

Hi, I want to implement layer-2 backup with minimum delay with Cisco 2950 switches. I have seen flexlinks, but this is for Cisco 3500 series and above. Please help me in this regard. Thanks in advance. Bye.

From risnaini at indo.net.id Mon Nov 3 23:56:58 2008
From: risnaini at indo.net.id (a.
rahman isnaini r.sutan)
Date: Tue, 04 Nov 2008 11:56:58 +0700
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <490FD61A.6030707@indo.net.id>

STP 40 ms.

rgs
a. rahman isnaini r.sutan

ambedkar wrote:
>
> Hi, I want to implement layer-2 backup with minimum delay with Cisco
> 2950 switches.
> I have seen flexlinks, but this is for Cisco 3500 series and above.
>
> Please help me in this regard.
> Thanks in advance.
> Bye.
>

From sethm at rollernet.us Tue Nov 4 00:28:42 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 03 Nov 2008 21:28:42 -0800
Subject: [c-nsp] HWIC-3G-* experience?
Message-ID: <490FDD8A.9050104@rollernet.us>

Does anyone have any experience with the HWIC-3G-* cards in real life? I'm considering emergency access plans using these as opposed to traditional methods, and I'd be interested in any success or horror stories before jumping in.

~Seth

From rshughes at gmail.com Tue Nov 4 00:49:55 2008
From: rshughes at gmail.com (Ryan Hughes)
Date: Tue, 4 Nov 2008 00:49:55 -0500
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID:

Site survey, site survey, site survey. I've had limited exposure with the 3G's and haven't enjoyed it. Make sure whichever carrier you're evaluating/planning with performs site surveys for each and every location; this will help put some of the burden on them to prove that your specific facility is even capable of riding on the link. Some will often offer cables for extending the dipole antenna for better placement for signal.
Quite honestly, pick a carrier you have the best relationship with and make them come to the table for support of these. Without their intervention/support, you'll be left pulling your hair out. Make sure your design for the backup connection involves some type of dynamic crypto map as you'll often change IP addresses on these networks, which can lead to interesting anti-replay issues.

One of my customers is having reasonable success with this for fast office deployments but the nuts of it boils down to proper site assessments before installation and the logistics around it.

Good Luck.

On Tue, Nov 4, 2008 at 12:28 AM, Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life? I'm
> considering emergency access plans using these as opposed to traditional
> methods, and I'd be interested in any success or horror stories before
> jumping in.
>
> ~Seth
>

From oboehmer at cisco.com Tue Nov 4 01:16:52 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 4 Nov 2008 07:16:52 +0100
Subject: [c-nsp] MPLS VPN Design with very fast convergence
In-Reply-To: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>
References: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784065200CF@xmb-ams-333.emea.cisco.com>

Peer Kohlstetter <> wrote on Monday, November 03, 2008 23:31:
> Hi,
>
> I'm currently working on a Design for an MPLS VPN with very fast
> convergence times.
>
> We have the goal to reach a maximum convergence time of 1,5 seconds
> when a single error occurs.
>
> In the Backbone I try to work with FRR (FastReRoute). Between PE and
> CE I'm not sure what protocol to use. I'm also thinking about L3VPN or
> L2VPN solution.
>
> Are there any information, whitepapers, designs about such a solution
> in the web?
>
> Does somebody have experience with such convergence times in an MPLS
> environment?

generally in IOS, 1.5 sec is tricky to achieve (especially in scaled configs), and it might not be for free. In a nutshell:

For core failures, you can tune your IGP to converge in sub-second, assuming you can detect core link/node failures quickly enough, so you might need to evaluate BFD. I wouldn't run TE-FRR for this target.

Edge/PE failures are detected via IGP and reacted upon using BGP NHT. But invalidating the next-hops involves a table walk in IOS, so depending on the size of the BGP table on the PEs, this can take its time. Make sure all PEs have an alternate next-hop to converge to already imported in the VRF to avoid import-scanner delay.

PE-CE link failures might also require BFD to be detected quickly, and rely on BGP processing (as well as table scans, so BGP table size matters). New features like "PE-CE Link Protection" could help here.

We're working on BGP-PIC (Prefix Independent Convergence) to speed up things, but this is not yet available in IOS (IOS-XR already uses part of it and optimized other things as well).

Not running a PE-CE protocol can speed up things in some configs (i.e. directly-connected voice gateways where PEs speak HSRP)..

I guess you'll achieve 1-1.5 sec in the lab, but scaling this up in IOS is tricky..

oli

From brett at looney.id.au Tue Nov 4 01:19:46 2008
From: brett at looney.id.au (Brett Looney)
Date: Tue, 4 Nov 2008 15:19:46 +0900
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <064e01c93e45$57ce8e70$076bab50$@id.au>

> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.
We've had good experiences with them here in Oz. Had a few that were DOA or failed during firmware upgrade but have been replaced under maintenance. But 99% have been rock solid. In fact, had a customer primary land-line link fail the other day, router automagically failed across to the 3G and with WAAS in place no-one even noticed.

Not suitable for running VoIP across today but that may come (for us here down-under, anyway) mid 2009.

B.

From edward_iong_ at hotmail.com Tue Nov 4 03:14:33 2008
From: edward_iong_ at hotmail.com (Edward Iong)
Date: Tue, 4 Nov 2008 08:14:33 +0000
Subject: [c-nsp] multicast-routing
Message-ID:

about multicast-routing

there are two switches - SW1 and SW2
SW1 is connected to a sender, a router, receiver 1 and SW2
SW2 is connected to Receiver 2

Why can't receiver 2 receive the multicast packet?

From ygauteron at gmail.com Tue Nov 4 03:20:23 2008
From: ygauteron at gmail.com (Yann Gauteron)
Date: Tue, 4 Nov 2008 09:20:23 +0100
Subject: [c-nsp] multicast-routing
In-Reply-To: References:
Message-ID: <8097baf0811040020q3f2aee2q1947d45210df6b7@mail.gmail.com>

I forget where I left my crystal ball. Can anybody help me to find it?

From achatz at forthnet.gr Tue Nov 4 03:51:38 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 04 Nov 2008 10:51:38 +0200
Subject: [c-nsp] multicast-routing
In-Reply-To: References:
Message-ID: <49100D1A.80104@forthnet.gr>

Edward, have a look at the following link:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008059a9df.shtml

--
Tassos

Edward Iong wrote on 04/11/2008 10:14:
> about multicast-routing
>
>
> there are two switches - SW1 and SW2
> SW1 is connected to a sender, a router, receiver 1 and SW2
> SW2 is connected to Receiver 2
>
>
> Why can't receiver 2 receive the multicast packet?
>

From s.ganschow at buelow-masiak.de Tue Nov 4 04:25:07 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 04 Nov 2008 10:25:07 +0100
Subject: [c-nsp] Lightstream Alternative
In-Reply-To: <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com>
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com> <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com>
Message-ID: <491014F3.3090304@buelow-masiak.de>

Mateusz Błaszczyk wrote:
>> If the SPA card for the 7600 could do the switching, the cat 6500 should
>> also be able to do it. But even for the 7600 I can't find any
>> information on atm switching.
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419
>

Okay, this should work for PVCs. But this wouldn't work for soft-vc's. We're using soft-vc's for redundancy reasons in some scenarios. So our network will self repair the failure of one router, atm-switch or interlink between two pops.

As I see, there's probably no way to replace the lightstream with a device which could be atm-switch as well as router. So we need to rely on an atm-switch at the pop.
Sebastian

From blahu77 at gmail.com Tue Nov 4 04:38:08 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 4 Nov 2008 09:38:08 +0000
Subject: [c-nsp] Lightstream Alternative
In-Reply-To: <491014F3.3090304@buelow-masiak.de>
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com> <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com> <491014F3.3090304@buelow-masiak.de>
Message-ID: <383357750811040138h726b1178lf9e02ab7ff8593d7@mail.gmail.com>

2008/11/4 Sebastian Ganschow :
> Mateusz Błaszczyk wrote:
>>> If the SPA card for the 7600 could do the switching, the cat 6500 should
>>> also be able to do it. But even for the 7600 I can't find any
>>> information on atm switching.
>>
>> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419
>>
>
> Okay, this should work for PVCs. But this wouldn't work for soft-vc's.

for soft-vcs you can utilize mpls xconnects (AToM atm to atm), Also supported by aforementioned.

> We're using soft-vc's for redundancy reasons in some scenarios. So our
> network will self repair the failure of one router, atm-switch or interlink
> between two pops.
>
> As I see, there's probably no way to replace the lightstream with a device,
> which could be atm-switch as well as router. So we need to rely on an
> atm-switch at the pop.

I think at this stage you can do
1) for pvcs on same box - the "connect" between atm pvcs
2) for pvcs (soft-vcs) between 2 boxes - the "xconnect" between atm pvcs on different boxes.

--
-mat
pgp-key 0x1C655CAB

From gk at ax.tc Tue Nov 4 05:16:46 2008
From: gk at ax.tc (Gerald Krause)
Date: Tue, 04 Nov 2008 11:16:46 +0100
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <4910210E.6090300@ax.tc>

Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.

Works here in Germany with T-Mobile (UMTS/HSDPA). We use it as backup for some DSL circuits. Good signal coverage is a precondition, that's why we have ordered a special external antenna: http://www.wimo.com/cgi-bin/verteiler.pl?url=gsm-antennas_e.html

Maybe a little bit dangerous: We have to unlock the SIM card permanently, at least in our setup with a 1841 and a HWIC-3G-GSM. So a stealer could use it without cracking.

--
Gerald (ax/tc)

From howie at thingy.com Tue Nov 4 05:32:37 2008
From: howie at thingy.com (Howard Jones)
Date: Tue, 04 Nov 2008 10:32:37 +0000
Subject: [c-nsp] Message Types/Classes? (%PLATFORM_RPC-3-MSG_THROTTLED)
Message-ID: <491024C5.4040404@thingy.com>

I'm seeing a lot of this in the logs of a 3750:

%PLATFORM_RPC-3-MSG_THROTTLED: RPC Msg Dropped by throttle mechanism: type 37, class 14, max_msg 32, total throttled 24852

Thing is, where do I find out what message type 37 class 14 is? The Output Interpreter just gives a generic message for %PLATFORM_RPC-3-MSG_THROTTLED, but not specifics for certain messages. I would have expected to be able to find a giant table of these somewhere, but haven't had any luck so far...

Can anyone point me in the right direction?

Cheers,
Howie

From dwinkworth at att.net Tue Nov 4 06:39:24 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 04 Nov 2008 05:39:24 -0600
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <4910346C.8070703@att.net>

(1) We've had good experience with this. Decent throughput, but high amount of jitter/latency.
It's just another internet access method at this point... it works fine. Really it's about the carrier...

(2) Cables and antennas as needed for getting the signal required can be expensive if you go through the wrong channels (like Cisco... don't do it!)

(3) Sprint has a flat-rate plan that's 100 bucks or so for unlimited usage. They offer great deals on cables and antennas. They also do free site-surveys, no one else does that we talked to.

(4) AT&T. Variable bill rates. AT&T can work something out through their account reps where you will never be charged more than a certain amount every month, but it's supposed to be for "backup only" so if you use it frequently... you can go through your sales rep to make sure you don't get locked out or whatever. Right now, they offer a service to back-up MPLS circuits, but they manage the endpoint at your site... this is their ANIRA product. You configure VRRP on your router and they configure it on theirs. You configure whatever tracking you want so that when a failure occurs, AT&T's ANIRA router takes over and gets you back to the cloud (through the internet though)...

(5) Verizon. No variable billing. The best throughput with dual-antennas. They also offer internet-to-MPLS backup like AT&T and Sprint, but you get to manage the endpoint.

(6) There is no direct-to-VRF type MPLS backup at this time, but all three carriers are rolling it out from what I understand. When this occurs, the card will come up direct to the MPLS cloud. Until then, it's a VPN tunnel to somewhere over the internet. Permanent IP is available. Some of them can create "private" subnets on the internet for you... you get a public IP in a /27 or something and it can only talk to other IPs in that /27. hmmm...

Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.
>
> ~Seth
>

From kharananda at subisu.net.np Tue Nov 4 07:36:22 2008
From: kharananda at subisu.net.np (kharananda)
Date: Tue, 04 Nov 2008 18:21:22 +0545
Subject: [c-nsp] sending BPDUs in tagged frame in MST
Message-ID: <491041C6.8030706@subisu.net.np>

Dear All,

I need to send BPDUs in tagged frame. I don't want to use PVST and PVST+ since stp instances per VLAN is not preferable at least in my scenario.

I want to use standard STP or RSTP or MST. Is there any command in cisco where I can send BPDUs in tagged (vlan) frame? I have been trying this in Catalyst 2950.

If this can be done on other higher end cisco switches please suggest me on this.

Regards,
Khara Nanda Luitel.

From luan at netcraftsmen.net Tue Nov 4 08:20:50 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 4 Nov 2008 08:20:50 -0500
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <4910346C.8070703@att.net>
References: <490FDD8A.9050104@rollernet.us> <4910346C.8070703@att.net>
Message-ID: <04a101c93e80$281b8d00$7852a700$@net>

We've been having good results with Verizon. Couple months ago, they got EVDO backup to Internet and MPLS as well - for VPN products, and in the process of making the backend systems ready to roll out. No permanent IP yet and the IPs are from Verizon Wireless. So, even though they might say it's directly from the MPLS cloud, they still have to route around and around in their networks since Internet and MPLS are from Verizon Business.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Tuesday, November 04, 2008 6:39 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] HWIC-3G-* experience?
From blahu77 at gmail.com Tue Nov 4 08:37:04 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 4 Nov 2008 13:37:04 +0000
Subject: [c-nsp] sending BPDUs in tagged frame in MST
In-Reply-To: <491041C6.8030706@subisu.net.np>
References: <491041C6.8030706@subisu.net.np>
Message-ID: <383357750811040537o3024fc25g98fe3f96b7b19b2d@mail.gmail.com>

>
> I need to send BPDUs in tagged frame. I don't want to use PVST and
> PVST+ since stp instances per VLAN is not preferable at least in my
> scenario.
>
> I want to use standard STP or RSTP or MST. Is there any command in cisco
> where I can send BPDUs in tagged (vlan) frame. I have been trying this
> in Catalyst 2950.

what do you want to achieve?

1) if you want to pass MSTP through your network you should be using l2 protocol tunneling.
Router(config-if)# l2protocol-tunnel stp

2) if you want to tag MSTP BPDUs sent over a link between 2 switches that are in the same region - I think it is not possible

> If this can be done on other higher end cisco switches please suggest me
> on this.

as above..

Best regards,

--
-mat
pgp-key 0x1C655CAB

From tvarriale at comcast.net Tue Nov 4 10:00:18 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 4 Nov 2008 09:00:18 -0600
Subject: [c-nsp] HWIC-3G-* experience?
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <004101c93e8e$0defd770$0100fea9@flamadam>

Decent experience here. As another poster stated, make sure you have decent connectivity where the box is going to reside. The only real downside is "low" bandwidth and high latency and jitter. So, no VoIP obviously and you will definitely know when you are on backup. And, make sure you test with your carrier...especially if you are going to be backing up into an MPLS net.

tv

----- Original Message -----
From: "Seth Mattinen"
To: "cisco-nsp"
Sent: Monday, November 03, 2008 11:28 PM
Subject: [c-nsp] HWIC-3G-* experience?

> Does anyone have any experience with the HWIC-3G-* cards in real life? I'm
> considering emergency access plans using these as opposed to traditional
> methods, and I'd be interested in any success or horror stories before
> jumping in.
>
> ~Seth

From csirek at cooler.hu Tue Nov 4 11:20:39 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Tue, 04 Nov 2008 17:20:39 +0100
Subject: [c-nsp] ACK/RST rate-limit?
Message-ID: <49107657.6060401@cooler.hu>

Hi List,

I have a Cisco 7600 / Sup720-3BXL (12.2.18SXF6).

Only the telnet port (23/tcp) is open.

If I try to open a session to a random port, I get back a TCP ACK/RST packet from the CPU. I think it is normal. :)

But if I send a lot of SYN packets to random ports, I get back a lot of ACK/RSTs, but it is the CPU that sends them to me, and it puts a big load on the CPU.

So the question: can I limit the number of ACK/RST packets/sec that the router sends back to the SYN sender?

Thanks!

Laszlo

From rakeshh at gmail.com Tue Nov 4 11:41:56 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Tue, 4 Nov 2008 10:41:56 -0600
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <49107657.6060401@cooler.hu>
References: <49107657.6060401@cooler.hu>
Message-ID: <8a4649bb0811040841q5c0e78c5ufddee702890b8268@mail.gmail.com>

Have you tried control plane policing?

-Rakesh

On Tue, Nov 4, 2008 at 10:20 AM, Nemeth Laszlo wrote:
> Hi List,
>
> I have a Cisco 7600 / Sup720-3BXL (12.2.18SXF6).
>
> Only the telnet port (23/tcp) is open.
>
> If I try to open a session to a random port, I get back a TCP ACK/RST
> packet from the CPU. I think it is normal. :)
>
> But if I send a lot of SYN packets to random ports, I get back a lot of ACK/RSTs,
> but it is the CPU that sends them to me, and it puts a big load on the CPU.
>
> So the question: can I limit the number of ACK/RST packets/sec that the
> router sends back to the SYN sender?
>
> Thanks!
>
> Laszlo

From b.turnbow at twt.it Tue Nov 4 12:21:07 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 4 Nov 2008 18:21:07 +0100
Subject: [c-nsp] CISCO-AAL5-MIB
Message-ID:

Hello all,

I have some VXRs running 12.2.31SB13 and have run into a strange situation. We use snmp for statistics gathering etc.
Specifically we use the aal5 mib for atm info gathering: 1.3.6.1.4.1.9.9.66.1.1.1.1.1

Everything seemed to be going fine but now I see that some vcs do not show up in the mib. I can see the aal5 interface in the ifindex, and browsing .1.3.6.1.2.1.2.2 everything is fine: there are statistics, names etc. for the interfaces. Yet in the cisco mib nothing, and there is also nothing in the ATM-EXT-MIB for these pvcs as well.

There is no configuration difference between the pvcs correctly showing up and those that aren't. I have checked the bug toolkit yet not found anything.

Has anyone run into this? Any suggestions?

Thanks

Brian

From adriankok2000 at yahoo.com.hk Tue Nov 4 11:51:22 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Wed, 5 Nov 2008 00:51:22 +0800 (CST)
Subject: [c-nsp] command auto and ftp server
Message-ID: <885233.53283.qm@web33307.mail.mud.yahoo.com>

Hi all

I read cisco lab book, it said to disable auto summary but don't explain why. Can you explain to me?

Which ftp server is easy to use to backup?

Or which way to backup except ftp server?

Thank you for your help again

From omar.parihuana at gmail.com Tue Nov 4 14:21:57 2008
From: omar.parihuana at gmail.com (omar parihuana)
Date: Tue, 4 Nov 2008 14:21:57 -0500
Subject: [c-nsp] Accounting VPN PIX and ACS
Message-ID: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>

Hi List,

I'm facing a problem: I have a PIX and one ACS 3.3. The pix acts as VPN concentrator for the clients (Windows Based - Cisco VPN Client) and ACS as authenticator; I'm using TACACS+. All were working well. But now my boss said: We need to get the VPN usage, so I need: who? when? and how long...? were connected... Please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? Or is it possible with TACACS+?

Rgds.
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
From thomas at czarnetzki.net Tue Nov 4 13:47:52 2008
From: thomas at czarnetzki.net (Thomas Czarnetzki)
Date: Tue, 04 Nov 2008 19:47:52 +0100
Subject: [c-nsp] Cisco 6509: WS-F6K-MSFC2 missing on WS-X6K-S2U-MSFC2
Message-ID: <491098D8.4060003@czarnetzki.net>

Hi

I have a Cisco 6509 with Supervisor-Engine 2 (WS-X6K-S2U-MSFC2).

According to the specification they have a MSFC2 on it, but I can see that in the output of "show version". I have put out the card and compared pictures of the MSFC2 module with the card. So I can confirm that a MSFC2 is really mounted on the card.

I have a second SUP2 with the same specification and a second chassis. The problem is the same, so I think it can't be a hardware failure.

The output is as follows:

Console> (enable) show version
WS-C6509 Software, Version NmpSW: 8.5(1)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Oct 22 2005, 11:11:35

System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.8-5-1.bin'
System Configuration register is 0x10f

Hardware Version: 2.0  Model: WS-C6509  Serial #: ...

PS1 Module: WS-CAC-1300W  Serial #: ...

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   2    WS-X6K-S2U-MSFC2    ...         Hw : 5.3
                                         Fw : 7.1(1)
                                         Fw1: 6.1(3)
                                         Sw : 8.5(1)
                                         Sw1: 8.5(1)
         WS-F6K-PFC2         ...         Hw : 3.5
                                         Sw :

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      262144K 88516K  173628K 31232K  31232K  0K      512K  270K  242K

Uptime is 0 day, 0 hour, 27 minutes
Console> (enable)

Has somebody an idea why the module is not recognized?
Regards

Thomas

From achatz at forthnet.gr Tue Nov 4 15:21:31 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 04 Nov 2008 22:21:31 +0200
Subject: [c-nsp] Cisco 6509: WS-F6K-MSFC2 missing on WS-X6K-S2U-MSFC2
In-Reply-To: <491098D8.4060003@czarnetzki.net>
References: <491098D8.4060003@czarnetzki.net>
Message-ID: <4910AECB.8000400@forthnet.gr>

Thomas,

have a look at the following link:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013495f.shtml#msfc_2

--
Tassos

Thomas Czarnetzki wrote on 04/11/2008 20:47:
> Hi
>
> I have a Cisco 6509 with Supervisor-Engine 2 (WS-X6K-S2U-MSFC2).
>
> According to the specification they have a MSFC2 on it, but I can see
> that in the output of "show version".
> I have put out the card and compared pictures of the MSFC2 module with
> the card. So I can confirm that a MSFC2 is really mounted on the card.
>
> I have a second SUP2 with the same specification and a second chassis.
> The problem is the same, so I think it can't be a hardware failure.
>
>
> The output is as follows:
>
> Console> (enable) show version
> WS-C6509 Software, Version NmpSW: 8.5(1)
> Copyright (c) 1995-2005 by Cisco Systems
> NMP S/W compiled on Oct 22 2005, 11:11:35
>
> System Bootstrap Version: 7.1(1)
> System Boot Image File is 'bootflash:cat6000-sup2k8.8-5-1.bin'
> System Configuration register is 0x10f
>
> Hardware Version: 2.0  Model: WS-C6509  Serial #: ...
>
> PS1 Module: WS-CAC-1300W  Serial #: ...
>
> Mod Port Model               Serial #    Versions
> --- ---- ------------------- ----------- --------------------------------------
> 1   2    WS-X6K-S2U-MSFC2    ...         Hw : 5.3
>                                          Fw : 7.1(1)
>                                          Fw1: 6.1(3)
>                                          Sw : 8.5(1)
>                                          Sw1: 8.5(1)
>          WS-F6K-PFC2         ...
Hw : 3.5
>                                          Sw :
>
>        DRAM                    FLASH                   NVRAM
> Module Total   Used    Free    Total   Used    Free    Total Used  Free
> ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
> 1      262144K 88516K  173628K 31232K  31232K  0K      512K  270K  242K
>
> Uptime is 0 day, 0 hour, 27 minutes
> Console> (enable)
>
>
> Has somebody an idea why the module is not recognized?
>
> Regards
>
> Thomas

From paul at paulstewart.org Tue Nov 4 15:49:33 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 4 Nov 2008 15:49:33 -0500
Subject: [c-nsp] Weird BGP Routing Problem
Message-ID: <003101c93ebe$d965de10$8c319a30$@org>

Hi there...

Sometime this morning, we noted a sudden increase in outbound traffic to one of our transit providers. Have now realized that some routes that should prefer peering are now going via transit.

What makes this very strange is that in our routing table, the best route chosen is not being honoured - very confused about this...

Below is an example:

core1-rtr-to#sh ip bgp xxx.xxx.xxx.105
BGP routing table entry for xxx.xxx.xxx.0/18, version 36369947
Paths: (5 available, best #1, table default)
  Not advertised to any peer
  xxxx
    xxx.32.245.67 from xx.75.100.39 (xx.75.100.39)
      Origin IGP, metric 0, localpref 200, valid, internal, best
      Community: 5645:5000 11666:2000 11666:2001

Highest localpref, low metric and all kinds of other good reasons state this is the best route. But this isn't the route being chosen and I don't know why...??

The route being chosen is one AS hop longer, local-pref of 100 (instead of 200 above) and for what it's worth a metric of 50 (not that it matters at this point)

Feeling kinda silly here - but why is the route not the best route?
;)

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRC, RELEASE SOFTWARE (fc3)

Thanks for any input...

Paul

From ccoueffe at gmail.com Tue Nov 4 15:57:39 2008
From: ccoueffe at gmail.com (charly coueffe)
Date: Tue, 4 Nov 2008 21:57:39 +0100
Subject: [c-nsp] Frame error
Message-ID:

Hi,

I have a problem between two 10 Gig interfaces. I have many errors between two routers 7606. I have two types of error, giants and frame, and I am looking for the problem.

R2#sh int te5/2 | inc Desc|MTU|error|frame|gian
  Description: R2 - R1
  MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec,
     0 runts, 2864673045 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets

R1#sh int te5/3 | inc error|giant|Desc|MTU
  Description: R1 - R2
  MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec,
     0 runts, 10853142 giants, 0 throttles
     0 input errors, 0 CRC, 2266 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

In the ONT book the frame errors, runts and giants are explained in the QoS part. I think that the frame errors are related to the size of the buffer and not a physical problem with the connector or optical fiber. I have seen in the configuration that the hold queue is configured with 4096 packets.

interface TenGigabitEthernet5/3
 description R1 - R2
 mtu 9216
 ip address xxxxxxxxxxxxxxxxxxxxxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 mls qos trust cos
 mpls label protocol ldp
 mpls ip
 no cdp enable
 no mop enabled
 no clns route-cache
 hold-queue 4096 in
 hold-queue 4096 out
end

Do you think that the problem comes from the configuration? Because I have changed the XENPAK and the 10 gig card, and I have the same problem.

Thanks for your help.

Regards.
Charly

From chrismcc at pricegrabber.com Tue Nov 4 18:42:14 2008
From: chrismcc at pricegrabber.com (Christopher McCrory)
Date: Tue, 04 Nov 2008 15:42:14 -0800
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <1225842135.7393.6.camel@localhost>

Hello...

On Tue, 2008-11-04 at 04:46 +0000, ambedkar wrote:
>
> hi, i want to implement layer-2 backup with minimum delay with cisco
> 2950 switches.
> i have seen flexlinks, but this is for cisco 3500 series and above.
> uplinkfast
> please help me in this regard.
> Thanks in advance.
> bye.

--
Christopher McCrory
"The guy that keeps the servers running"

To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.

From gregariouspearl at gmail.com Tue Nov 4 23:34:41 2008
From: gregariouspearl at gmail.com (Muhammad Salman Zahid)
Date: Wed, 5 Nov 2008 09:34:41 +0500
Subject: [c-nsp] command auto and ftp server
In-Reply-To: <885233.53283.qm@web33307.mail.mud.yahoo.com>
References: <885233.53283.qm@web33307.mail.mud.yahoo.com>
Message-ID: <44c523750811042034g1c42ccf0qd4e6af1f86ef1b6d@mail.gmail.com>

no auto-summary

This is useful when you are using classless routing protocols. If you don't disable it then it will auto summarize your subnets.

Guild FTP is software that is easy to use for the backup. You have to define the ftp user name and password:

ip ftp username [User name]
ip ftp password [Password]

The FTP server must be on a network reachable from your device. Also, you can use a TFTP server such as SolarWinds.

MSZ.
On Tue, Nov 4, 2008 at 9:51 PM, adrian kok wrote:
> Hi all
>
> I read cisco lab book, it said to disable auto summary
> but don't explain why
> can you explain to me?
>
> which ftp server is easy to use to backup?
>
> or which way to backup except ftp server?
>
> Thank you for your help again

--
"Death is not the greatest loss in life .... The greatest loss is what dies inside you while U live...!"

From rakeshh at gmail.com Wed Nov 5 00:36:38 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Tue, 4 Nov 2008 23:36:38 -0600
Subject: [c-nsp] 6509 sup 720 + export map
Message-ID: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>

Hello,

I am not able to filter prefixes using export map under vrf on a 6509. I can set attributes by matching prefixes without issues, it's just that I can not filter them. I have tried 12.2(33)SXH3a and 12.2(18)SXF7 with no luck.

I was wondering if anybody had come across the same issue.

-Rakesh

From oboehmer at cisco.com Wed Nov 5 01:24:11 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 5 Nov 2008 07:24:11 +0100
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>

Rakesh Hegde <> wrote on Wednesday, November 05, 2008 06:37:

> Hello,
>
> I am not able to filter prefixes using export map under vrf on a
> 6509. I can set attributes by matching prefixes without issues,
> it's just that I can not filter them. I have tried 12.2(33)SXH3a and
> 12.2(18)SXF7 with no luck.
>
> I was wondering if anybody had come across the same issue.

if I recall correctly, we can't filter/drop routes in VRF export-maps (we can in import-maps).. you could set "no-advertise" or a bogus route-target extcommunity to prevent it from being advertised to your RRs/remote PEs or from being imported into other VRFs.

If you don't want to export a certain VRF prefix, just don't redistribute it into BGP (if it's a non-BGP route to begin with).

oli

From gert at greenie.muc.de Wed Nov 5 02:55:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 08:55:58 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <49107657.6060401@cooler.hu>
References: <49107657.6060401@cooler.hu>
Message-ID: <20081105075558.GK8535@greenie.muc.de>

Hi,

On Tue, Nov 04, 2008 at 05:20:39PM +0100, Nemeth Laszlo wrote:
> So the question: can I limit the number of ACK/RST packets/sec that the
> router sends back to the SYN sender?

Yes. Check www.cisco.com for "control-plane policing" (CoPP) - this is exactly what you need.

It needs a bit of consideration what sort of packets the router is meant to receive ("routing protocols", anyone?) and you should lab-test it before rolling out on production routers.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
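A constructed control-plane policing configuration in the direction Gert describes, added here as an example and not taken from the thread or from Cisco's documentation: it rate-limits TCP aimed at the router's own address on anything other than the one open telnet port, so the CPU answers only a bounded number of stray SYNs per second, while BGP and OSPF are classified first and left unpoliced. The address 192.0.2.1, the class names and all rates are placeholders for illustration.

```cisco
! Constructed example (not the poster's config). 192.0.2.1 stands in for
! the router's own address; rates are illustrative and need lab testing.
!
! 1. Classify what the control plane is meant to receive.
ip access-list extended COPP-ROUTING
 remark BGP in both directions plus OSPF: never starve these
 permit tcp any host 192.0.2.1 eq bgp
 permit tcp any eq bgp host 192.0.2.1
 permit ospf any any
!
ip access-list extended COPP-MGMT
 remark the one service that is supposed to be open
 permit tcp any host 192.0.2.1 eq telnet
!
ip access-list extended COPP-TCP-OTHER
 remark everything else aimed at the router's TCP stack, i.e. the SYNs
 remark to closed ports that the CPU would otherwise answer with ACK/RST
 permit tcp any host 192.0.2.1
!
class-map match-all COPP-ROUTING
 match access-group name COPP-ROUTING
class-map match-all COPP-MGMT
 match access-group name COPP-MGMT
class-map match-all COPP-TCP-OTHER
 match access-group name COPP-TCP-OTHER
!
! 2. Police per class. Classes are evaluated in order, so routing and
!    management traffic is pulled out before the catch-all TCP class.
policy-map COPP
 class COPP-ROUTING
  police 2000000 conform-action transmit exceed-action transmit
 class COPP-MGMT
  police 128000 conform-action transmit exceed-action drop
 class COPP-TCP-OTHER
  police 32000 conform-action transmit exceed-action drop
 class class-default
  police 500000 conform-action transmit exceed-action drop
!
! 3. Attach to the control plane; only traffic punted to the CPU is affected.
control-plane
 service-policy input COPP
```

While the flood is running, the exceeded counters under COPP-TCP-OTHER in "show policy-map control-plane" show how much of it is being dropped before it reaches the CPU.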
From gert at greenie.muc.de Wed Nov 5 02:58:24 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 08:58:24 +0100
Subject: [c-nsp] Weird BGP Routing Problem
In-Reply-To: <003101c93ebe$d965de10$8c319a30$@org>
References: <003101c93ebe$d965de10$8c319a30$@org>
Message-ID: <20081105075824.GL8535@greenie.muc.de>

Hi,

On Tue, Nov 04, 2008 at 03:49:33PM -0500, Paul Stewart wrote:
> Sometime this morning, we noted a sudden increase in outbound traffic to one
> of our transit providers. Have now realized that some routes that should
> prefer peering are now going via transit.
>
> What makes this very strange is that in our routing table, the best route
> chosen is not being honoured - very confused about this...
>
> Below is an example:
>
> core1-rtr-to#sh ip bgp xxx.xxx.xxx.105
> BGP routing table entry for xxx.xxx.xxx.0/18, version 36369947
> Paths: (5 available, best #1, table default)
>   Not advertised to any peer
>   xxxx
>     xxx.32.245.67 from xx.75.100.39 (xx.75.100.39)
>       Origin IGP, metric 0, localpref 200, valid, internal, best
>       Community: 5645:5000 11666:2000 11666:2001
>
> Highest localpref, low metric and all kinds of other good reasons state this
> is the best route. But this isn't the route being chosen and I don't know
> why...??

We don't know either, because you're not showing the relevant data to answer, and my crystal ball seems to be cloudy today.

One possible guess would be that there is a more-specific route for the specific destination that you're observing. Start with "show ip route xxx.xx.xx.105", then check where that route is coming from, and why it's not the BGP route.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From tim at pelican.org Wed Nov 5 04:03:14 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 5 Nov 2008 09:03:14 -0000 (GMT)
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>
Message-ID: <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>

On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote:

> if I recall correctly, we can't filter/drop routes in VRF export-maps
> (we can in import-maps).. you could set "no-advertise" or a bogus
> route-target extcommunity to prevent it from being advertised to your
> RRs/remote PEs or from being imported into other VRFs.
> If you don't want to export a certain VRF prefix, just don't
> redistribute it into BGP (if it's a non-BGP route to begin with).

Or don't set the export-target that should only be on *some* routes in the VRF config, just set on the matching routes in the export-map.

I'm not sure, off the top of my head, what happens if you have a VRF with *no* export-target defined in the VRF config, but an rt ext-community set on some routes in the export map - does the redist from 'local' BGP into MP-BGP still happen? I know there are some gotchas in the other direction; even if you're matching an RT in the import map, you still need it as an import target, or the prefix is dropped before it gets as far as the map.

Regards,
Tim.
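A constructed configuration for the approach Tim suggests, added here as an example and not taken from the thread: the VRF carries no export route-target at all, and the export map attaches one only to the prefixes that are meant to leave the VRF, so the export map decides visibility without having to drop anything. The VRF name, RD, route-target 65000:10 and the 10.10.0.0/16 block are placeholders.

```cisco
! Constructed example, not the poster's configuration. 65000:10 and
! 10.10.0.0/16 are placeholders.
ip vrf CUST-A
 rd 65000:10
 route-target import 65000:10
 ! deliberately no "route-target export": with one, every exported prefix
 ! would carry 65000:10 regardless of what the export map does
 export map CUST-A-EXPORT
!
! Only this block is meant to be visible to other PEs / VRFs.
ip prefix-list CUST-A-SHARED seq 5 permit 10.10.0.0/16 le 24
!
route-map CUST-A-EXPORT permit 10
 match ip address prefix-list CUST-A-SHARED
 set extcommunity rt 65000:10
!
! Everything else is still exported into MP-BGP (an export map cannot drop
! a prefix) but leaves without any route-target, so no VRF imports it.
route-map CUST-A-EXPORT permit 20
!
router bgp 65000
 address-family ipv4 vrf CUST-A
  ! what is never redistributed into BGP is never exported at all
  redistribute connected
  redistribute static
 exit-address-family
```

"show ip bgp vpnv4 vrf CUST-A <prefix>" on the exporting PE shows whether a given prefix left with the RT extended community or with none.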
From oboehmer at cisco.com Wed Nov 5 05:27:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 5 Nov 2008 11:27:33 +0100
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com> <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com>

Tim Franklin wrote on Wednesday, November 05, 2008 10:03:

> On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote:
>
>> if I recall correctly, we can't filter/drop routes in VRF export-maps
>> (we can in import-maps).. you could set "no-advertise" or a bogus
>> route-target extcommunity to prevent it from being advertised to your
>> RRs/remote PEs or from being imported into other VRFs.
>> If you don't want to export a certain VRF prefix, just don't
>> redistribute it into BGP (if it's a non-BGP route to begin with).
>
> Or don't set the export-target that should only be on *some* routes
> in the VRF config, just set on the matching routes in the export-map.

ack, this would work as well.

> I'm
> not sure, off the top of my head, what happens if you have a VRF with *no*
> export-target defined in the VRF config, but an rt ext-community set
> on some routes in the export map - does the redist from 'local' BGP into
> MP-BGP still happen?

yes, and if you don't set an rt-extcomm in the export-map, the prefix is left without a RT.

> I know there are some gotchas in the other
> direction; even if you're matching an RT in the import map, you still
> need it as an import target, or the prefix is dropped before it gets as
> far as the map.

right, this is due to the automatic route-target filter which only examines the "route-target import" statements in the VRF, not the route-maps.
oli

From aaronis at people.net.au Wed Nov 5 05:48:47 2008
From: aaronis at people.net.au (Aaron R)
Date: Wed, 5 Nov 2008 19:48:47 +0900
Subject: [c-nsp] Accounting VPN PIX and ACS
In-Reply-To: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>
Message-ID: <200811051049.mA5An2ch037655@puck.nether.net>

Hi,

You can use netflow on your external router if you have one. ESP protocol or Protocol 50. Take a look at what protocols your VPN client is using for transport and filter netflow based on this info.

Cheers,

Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of omar parihuana
Sent: Wednesday, November 05, 2008 4:22 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Accounting VPN PIX and ACS

Hi List,

I'm facing a problem: I have a PIX and one ACS 3.3. The pix acts as VPN concentrator for the clients (Windows Based - Cisco VPN Client) and ACS as authenticator; I'm using TACACS+. All were working well. But now my boss said: We need to get the VPN usage, so I need: who? when? and how long...? were connected... Please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? Or is it possible with TACACS+?

Rgds.
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

From gert at greenie.muc.de Wed Nov 5 05:58:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 11:58:39 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <20081105105839.GN8535@greenie.muc.de>

Hi,

On Sun, Nov 02, 2008 at 08:34:17PM -0800, Janet Sullivan wrote:
> Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting
> of the SXH beast still.

We're actually quite happy with SXH3a. SXH3 is evil (BGP ghost).

I haven't tested anything on SXF more recent than SXF13a, and that is working quite well for us as well. There have been reports about crashes and BGP funkiness in SXF15, so I'd be a bit wary.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Nov 5 06:00:53 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 12:00:53 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490F102C.7070106@bgp4.net>
References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net>
Message-ID: <20081105110053.GO8535@greenie.muc.de>

Hi,

On Mon, Nov 03, 2008 at 06:52:28AM -0800, Janet Sullivan wrote:
> In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei
> xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local
> routing table on the box did not. That seems slightly different than
> the ghost bug as I understood it, but I'd be happy to be proven wrong.

That's definitely different from the Ghost Bugs. In the ghost bugs, at least as far as I observed, updates BGP table -> routing table happened just fine. Only BGP withdraw messages to other (i-)BGP peers were sometimes lost, so a route "stuck" in the other router's BGP table.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From elmi at 4ever.de Wed Nov 5 07:24:48 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Wed, 5 Nov 2008 13:24:48 +0100
Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed?
Message-ID: <20081105122448.GK93039@ronin.4ever.de>

Re again,

I am running into trouble with the CEF load sharing algorithm on the ASR / IOS-XE platform.

We've had this kind of setup with 7301s for four years now, and it's never given us any trouble. Distributed traffic pretty evenly (whenever it was not only one or two top-talkers hitting us).

With the new ASR / IOS-XE (1.1.2 currently, but I have found nothing in the release notes of later versions) traffic distribution has become in favour of the server with the lowest IP address - very much so. It's getting 85% of all packets.

The setup in brief (all IPv4):

z.z.z.z = Service address
a.a.a.a, a.a.a.b, a.a.a.c = Interface addresses of three servers, a my colleague denies this
2. The tunnel balancing algorithm (which to my knowledge includes source/dest IP addresses _and_ ports) has been altered.
3. The tunnel balancing algorithm (which to my knowledge includes source/dest IP addresses _and_ ports) is now buggy.

Experiment 1

Changing the algorithm to "include-ports source". Did not change the traffic pattern a bit. I didn't expect a change, since AFAIK it would do the same as the "tunnel" algorithm.
Experiment 2

I added a.a.a.d to srv1, a.a.a.e to srv2 and a.a.a.f to srv3 and the appropriate routes:

rt#sh ip route static
ip route z.z.z.z 255.255.255.255 a.a.a.a
ip route z.z.z.z 255.255.255.255 a.a.a.b
ip route z.z.z.z 255.255.255.255 a.a.a.c
ip route z.z.z.z 255.255.255.255 a.a.a.d
ip route z.z.z.z 255.255.255.255 a.a.a.e
ip route z.z.z.z 255.255.255.255 a.a.a.f

rt#sh ip cef z.z.z.z
z.z.z.z/32
  nexthop a.a.a.a GigabitEthernet0/0/3
  nexthop a.a.a.b GigabitEthernet0/0/3
  nexthop a.a.a.c GigabitEthernet0/0/3
  nexthop a.a.a.d GigabitEthernet0/0/3
  nexthop a.a.a.e GigabitEthernet0/0/3
  nexthop a.a.a.f GigabitEthernet0/0/3

This changed the distribution pattern from 10:1:2 to a somewhat better 5:1:2. It still shows a strong favouring of the server with the smallest IP address.

Experiment 3

I removed the z.z.z.z -> a.a.a.d route, so that Server 1 would only have 1/5 of the routing table pointing to it, while Servers 2 and 3 get twice as many slots in routing and forwarding table. I'll spare you the cef output here.

This changed the distribution pattern - not at all, at least not noticeably.

I wonder what I have stumbled onto here, and whether someone around or at Cisco knows about a change in the algorithms that would lead to such an effect.

I would also be very interested in some paper that really explained the load-sharing algorithms, since everything one can find about the tunnel algorithm is: "The tunnel keyword sets the load-balancing algorithm to one that can be used in tunnel environments or in environments where there are only a few IP source and destination address pairs."

I appreciate any help - the server is still holding, but it's really bad Karma, and I'd like to find a way to do my L3 poor man's load balancing in a working fashion.

Elmar.

From A.L.M.Buxey at lboro.ac.uk Wed Nov 5 08:02:20 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 5 Nov 2008 13:02:20 +0000
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <20081105105839.GN8535@greenie.muc.de>
References: <490E7F49.8070901@bgp4.net> <20081105105839.GN8535@greenie.muc.de>
Message-ID: <20081105130220.GA9543@lboro.ac.uk>

Hi,

> We're actually quite happy with SXH3a. SXH3 is evil (BGP ghost).

so far...(touch wood) our 2 SXH3a boxes have been quite happy.

> I haven't tested anything on SXF more recent than SXF13a, and that is
> working quite well for us as well. There have been reports about crashes
> and BGP funkiness in SXF15, so I'd be a bit wary.

unfortunately we've been rushed into migrating all our systems up to SXF15a due to several issues with various services we deliver on our network (eg VoIP) - I'm awaiting the exact firmware version in which fixes were introduced but since every previous version also had undocumented features it was felt that a half-hearted upgrade eg SXF12a was a moot point. I'm still delving into the SXH notes to see if we can just move wholesale across....anyone running WISMs on SXH boxes?

alan

From adriankok2000 at yahoo.com.hk Wed Nov 5 07:52:11 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Wed, 5 Nov 2008 20:52:11 +0800 (CST)
Subject: [c-nsp] analysis network
Message-ID: <799205.58383.qm@web33305.mail.mud.yahoo.com>

Hi

Can I know the difference between Wireshark vs Ethereal?

Which one is better to analyse a network?

Other than the two, any suggestion?

Thank you

From anderson.levi at gmail.com Wed Nov 5 08:59:23 2008
From: anderson.levi at gmail.com (Anderson Levi)
Date: Wed, 5 Nov 2008 16:59:23 +0300
Subject: [c-nsp] analysis network
In-Reply-To: <799205.58383.qm@web33305.mail.mud.yahoo.com>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID:

Ethereal was renamed Wireshark sometime in '06.

On Wed, Nov 5, 2008 at 3:52 PM, adrian kok wrote:
> Hi
>
> Can I know the difference between Wireshark vs Ethereal?
>
> Which one is better to analyse a network?
>
> Other than the two, any suggestion?
>
> Thank you

From avayner at cisco.com Wed Nov 5 09:44:20 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 5 Nov 2008 15:44:20 +0100
Subject: [c-nsp] analysis network
In-Reply-To: <799205.58383.qm@web33305.mail.mud.yahoo.com>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5021BAD51@xmb-ams-331.emea.cisco.com>

http://en.wikipedia.org/wiki/Wireshark

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok
Sent: Wednesday, November 05, 2008 14:52 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] analysis network

Hi

Can I know the difference between Wireshark vs Ethereal?

Which one is better to analyse a network?

Other than the two, any suggestion?

Thank you

From csirek at cooler.hu Wed Nov 5 09:51:47 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 05 Nov 2008 15:51:47 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <20081105075558.GK8535@greenie.muc.de>
References: <49107657.6060401@cooler.hu> <20081105075558.GK8535@greenie.muc.de>
Message-ID: <4911B303.2020007@cooler.hu>

Hi,

Gert Doering wrote:
> It needs a bit of consideration what sort of packets the router is meant
> to receive ("routing protocols", anyone?) and you should lab-test it before
> rolling out on production routers.
It's a border test router with BGP and OSPF. I made a config from this page: http://aharp.ittns.northwestern.edu/papers/copp.html

Now I'm flooding my router with SYN packets and it's interesting... Without control-plane policy the CPU goes to 100%. This is normal :)

If I set the CPP, the CPU goes up to 100% every 4 minutes for 20 seconds and then goes back down to 0-2% until the next 4 minutes. And again goes up... It's the CPU "log":

> show processes cpu | exclude 0\.00\% 0\.00\% 0\.00\%
CPU utilization for five seconds: 79%/79%; one minute: 6%; five minutes: 2%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23872     29219        817  0.00%  0.07%  0.05%   0 Exec
   5       24736      1940      12750  0.00%  0.23%  0.18%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minu
 122      589744   2731281        215  0.00%  0.01%  0.23%   0 IP Input
 179        3532     17519        201  0.00%  0.02%  0.00%   0 CEF proce

after 4 sec:

tartalek_6500#cpu
CPU utilization for five seconds: 96%/8%; one minute: 14%; five minutes: 3%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23884     29224        817  0.07%  0.07%  0.05%   0 Exec
   5       24736      1940      12750  0.00%  0.21%  0.18%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minut
 122      591616   2731775        216 87.91%  7.05%  1.69%   0 IP Input
 179        3532     17522        201  0.07%  0.02%  0.00%   0 CEF proce

after 4 sec:

CPU utilization for five seconds: 50%/32%; one minute: 17%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23912     29234        817  0.39%  0.09%  0.06%   0 Exec
   5       24736      1940      12750  0.00%  0.19%  0.17%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minut
 122      592324   2732929        216 17.59%  7.89%  1.95%   0 IP Input
 179        3532     17528        201  0.00%  0.02%  0.00%   0 CEF process

after 4 sec:

CPU utilization for five seconds: 1%/0%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23944     29244        818  0.79%  0.15%  0.07%   0 Exec
   5       24736      1940      12750  0.00%  0.18%  0.17%   0 Chec heap
  37        4388       204      21509  0.00%  0.01%  0.00%   0 Per-minut
 122      592324   2733929        216  0.07%  7.26%  1.92%   0 IP Input
 179        3532     17534        201  0.00%  0.02%  0.00%   0 CEF proce

This 0% CPU stays until the next 4 minutes.

It's a Sup720-3BXL with 12.2.18SXF6. I know it's not a new IOS, but it's very stable in my network.

My policy config is:

class-map match-all cp-normal-in
 description Control plane normal traffic
 match access-group name cp-normal-in
class-map match-all cp-critical-in
 description Control plane critcal traffic
 match access-group name cp-critical-in
class-map match-any cp-undesirable-in
 description Control plane undesirable traffic
 match access-group name cp-undesirable-in
class-map match-all cp-important-in
 description Control plane important traffic
 match access-group name cp-important-in
class-map match-all cp-default-in
 description Control plane default traffic
 match access-group 2
!
!
policy-map control-plane-in
 class cp-critical-in
 class cp-important-in
  police cir 128000 bc 24000 be 48000 conform-action transmit exceed-action drop violate-action drop
 class cp-normal-in
  police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
 class cp-undesirable-in
  police cir 32000 bc 1000 be 1000 conform-action transmit exceed-action drop violate-action drop
 class cp-default-in
  police cir 128000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
!
ip access-list extended cp-critical-in
 remark Control plane critical traffic - inbound
 remark OSPF
 permit ospf host 10.0.0.101 any
 permit ospf host 10.0.0.102 any
 remark PIM
 permit pim host 10.0.0.101 any
 permit pim host 10.0.0.102 any
 remark IGMP
 permit igmp any 224.0.0.0 15.255.255.255
 remark BGP
 permit tcp host 10.0.0.101 eq bgp host 10.0.0.1
 permit tcp host 10.0.0.102 host 10.0.0.1 eq bgp
 deny ip any any
ip access-list extended cp-important-in
 remark Control plane important traffic - inbound
 remark SSH/TELNET
 permit tcp 10.0.0.0 0.0.0.255 any range 22 telnet
 deny ip any any
ip access-list extended cp-normal-in
 remark Control plane normal traffic - inbound
 remark ICMP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any parameter-problem
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
ip access-list extended cp-undesirable-in
 remark Control plane undesirable traffic - inbound
 remark NTP
 permit udp any any eq ntp
 remark SNMPTRAP
 permit udp any any eq snmptrap
 deny ip any any
!
access-list 2 remark utility ACL to allow everything
access-list 2 permit any

If I set the CIR from 128000 to 32000 in the cp-default-in class, I see a very little CPU load between the 100%, but this wave is on every 4 minutes... So I think the 4 minutes wave is caused by CPP settings. But why??

Laszlo

From justin at justinshore.com Wed Nov 5 09:56:24 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 05 Nov 2008 08:56:24 -0600
Subject: [c-nsp] PA-A3-T3
Message-ID: <4911B418.1070502@justinshore.com>

Is the PA-A3-T3 ATM only? I have to use a DS3 for backhaul from a small remote POP and would like to avoid the ATM overhead if at all possible. I have a pair of PA-A3-T3s sitting around I thought I could use if they could be configured for frame or something else without the ATM tax.
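Returning to the control-plane policy and ACLs that Nemeth Laszlo posted in the ACK/RST rate-limit thread above: which policer a packet hits depends on the first class whose ACL permits it. The script below is an added example, not code from the thread or from Cisco. It transcribes the posted ACLs and the class order of policy-map control-plane-in into a small first-match classifier and runs constructed sample packets through it; the router address 10.0.0.1, the sample source addresses and ports are assumptions. It shows that TCP SYNs from arbitrary sources land in cp-default-in (the 128 kbit/s policer), that cp-critical-in carries no police statement, and that the two BGP entries are not symmetric: the first matches only source port 179, so a session that 10.0.0.101 opens toward port 179 falls through to cp-default-in.

```python
"""Added example (not from the cisco-nsp thread): classify constructed packets
against the CoPP ACLs posted above and report the policer each one lands in.
ACL entries and class order are transcribed from the post; the sample packets
and the router address 10.0.0.1 are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # (address, IOS wildcard mask)


def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)


@dataclass
class Ace:
    action: str                                # "permit" or "deny"
    proto: str                                 # "ip" matches every protocol
    src: Tuple[str, str]
    dst: Tuple[str, str]
    sport: Optional[Tuple[int, int]] = None    # inclusive source port range
    dport: Optional[Tuple[int, int]] = None    # inclusive destination port range
    icmp_type: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        if not wildcard_match(pkt["src"], *self.src) or not wildcard_match(pkt["dst"], *self.dst):
            return False
        if self.sport and not (self.sport[0] <= pkt.get("sport", -1) <= self.sport[1]):
            return False
        if self.dport and not (self.dport[0] <= pkt.get("dport", -1) <= self.dport[1]):
            return False
        if self.icmp_type is not None and pkt.get("icmp_type") != self.icmp_type:
            return False
        return True


def acl_permits(acl, pkt: dict) -> bool:
    """First matching entry wins; no match is the implicit deny."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action == "permit"
    return False


# Transcribed from the post. The first BGP entry keys on the SOURCE port
# ("eq bgp" follows the source host); the second on the destination port.
ACLS = {
    "cp-critical-in": [
        Ace("permit", "ospf", host("10.0.0.101"), ANY),
        Ace("permit", "ospf", host("10.0.0.102"), ANY),
        Ace("permit", "pim", host("10.0.0.101"), ANY),
        Ace("permit", "pim", host("10.0.0.102"), ANY),
        Ace("permit", "igmp", ANY, ("224.0.0.0", "15.255.255.255")),
        Ace("permit", "tcp", host("10.0.0.101"), host("10.0.0.1"), sport=(179, 179)),
        Ace("permit", "tcp", host("10.0.0.102"), host("10.0.0.1"), dport=(179, 179)),
    ],
    "cp-important-in": [Ace("permit", "tcp", ("10.0.0.0", "0.0.0.255"), ANY, dport=(22, 23))],
    # echo 8, echo-reply 0, parameter-problem 12, time-exceeded 11, unreachable 3
    "cp-normal-in": [Ace("permit", "icmp", ANY, ANY, icmp_type=t) for t in (8, 0, 12, 11, 3)],
    "cp-undesirable-in": [Ace("permit", "udp", ANY, ANY, dport=(123, 123)),
                          Ace("permit", "udp", ANY, ANY, dport=(162, 162))],
    "cp-default-in": [Ace("permit", "ip", ANY, ANY)],      # access-list 2 permit any
}
# Class order in policy-map control-plane-in: first permitting class wins.
CLASS_ORDER = ["cp-critical-in", "cp-important-in", "cp-normal-in",
               "cp-undesirable-in", "cp-default-in"]
# cir (bit/s) from each police line; cp-critical-in has no police statement.
CIR = {"cp-critical-in": None, "cp-important-in": 128000, "cp-normal-in": 32000,
       "cp-undesirable-in": 32000, "cp-default-in": 128000}


def classify(pkt: dict) -> str:
    for cls in CLASS_ORDER:
        if acl_permits(ACLS[cls], pkt):
            return cls
    return "class-default"


# Constructed sample packets aimed at the router's assumed address 10.0.0.1.
SAMPLES = {
    "bgp from .102 to port 179": dict(proto="tcp", src="10.0.0.102", dst="10.0.0.1", sport=41000, dport=179),
    "bgp from .101 to port 179": dict(proto="tcp", src="10.0.0.101", dst="10.0.0.1", sport=41001, dport=179),
    "ssh from inside /24": dict(proto="tcp", src="10.0.0.55", dst="10.0.0.1", sport=50000, dport=22),
    "ssh from the internet": dict(proto="tcp", src="192.0.2.9", dst="10.0.0.1", sport=50001, dport=22),
    "tcp syn to port 80": dict(proto="tcp", src="198.51.100.7", dst="10.0.0.1", sport=1025, dport=80),
    "icmp echo": dict(proto="icmp", src="198.51.100.7", dst="10.0.0.1", icmp_type=8),
    "ntp": dict(proto="udp", src="198.51.100.7", dst="10.0.0.1", sport=123, dport=123),
    "igmp to 239.255.1.1": dict(proto="igmp", src="10.0.0.9", dst="239.255.1.1"),
}


def run_demo() -> dict:
    """Return {sample name: (class, cir)} for every constructed packet."""
    return {name: (classify(p), CIR.get(classify(p))) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (cls, cir) in run_demo().items():
        print(f"{name:28s} -> {cls:18s} cir={cir}")
```

Run it as a script to print one line per sample. The classifier ignores packet length and policer bursts (bc/be): it answers only "which class and which cir", which is the first thing to check when a flood drives the IP Input process rather than the policer you expected.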
Thanks
Justin

From csirek at cooler.hu Wed Nov 5 09:58:51 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 05 Nov 2008 15:58:51 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <4911B303.2020007@cooler.hu>
References: <49107657.6060401@cooler.hu> <20081105075558.GK8535@greenie.muc.de> <4911B303.2020007@cooler.hu>
Message-ID: <4911B4AB.4040200@cooler.hu>

Nemeth Laszlo wrote:
> If I set the CIR from 128000 to 32000 in cp-default-in class, I see a
> very little CPU load between the 100%, but this wave is on every 4
> minutes... So I think the 4 minutes wave is caused by CPP settings. But why??

Sorry, I see the small (10-20%) CPU load INSTEAD of 100% every 4 minutes for 20 seconds.

Laszlo

From david at davidcoulson.net Wed Nov 5 10:00:51 2008
From: david at davidcoulson.net (David Coulson)
Date: Wed, 05 Nov 2008 10:00:51 -0500
Subject: [c-nsp] PA-A3-T3
In-Reply-To: <4911B418.1070502@justinshore.com>
References: <4911B418.1070502@justinshore.com>
Message-ID: <4911B523.3090108@davidcoulson.net>

Yep, they only do ATM. A PA-T3 (or, PA-MC-T3+) is required to do frame or a plain old DS-3.

That's why a PA-A3-T3 goes for next to nothing on the used market.

Justin Shore wrote:
> Is the PA-A3-T3 ATM only? I have to use a DS3 for backhaul from a
> small remote POP and would like to avoid the ATM overhead if at all
> possible. I have a pair of PA-A3-T3s sitting around I thought I could
> use if they could be configured for frame or something else without
> the ATM tax.
>
> Thanks
> Justin
>

From cklam at ias.edu Wed Nov 5 09:46:50 2008
From: cklam at ias.edu (Christina Klam)
Date: Wed, 05 Nov 2008 09:46:50 -0500
Subject: [c-nsp] More info on bugs CSCsi03864 & CSCsi49150
Message-ID: <1225896410.3240.28.camel@klamtest.net.ias.edu>

All,

Last week our core router (a 6509) crashed. After reading the crashinfo and the logs, we determined the source of the crash to be CSCsi49150 (%PM-SP-4-PORT_BOUNCED: Port Gi2/3 was bounced by Consistency Check IDBS).

-----------
Conditions: Not specific to standby. Seen on both active and standby. Seen in images where fix for CSCsi03864 is present.
Workaround: None.
Further information: This bug is to backout the bug CSCsi03864
-----------

Does anyone know more about these two bugs than what is in Bug Toolkit? Currently, info on CSCsi03864 is reserved for Cisco-only eyes. So, I have no info about it. The only solution given by Cisco is to upgrade from 12.2(33)SXH2 to SXH3 or SXH3a. Because of the bugs in SXH3a that I have read about this last week on cisco-nsp, I am reluctant to do so. I am hoping to wait until SXHi comes out. I just wish I knew more about the bugs so I could make a more educated decision on the value of waiting.

Thanks,
C. Klam
Institute for Advanced Study

From brun0_filipe at yahoo.com Wed Nov 5 10:36:43 2008
From: brun0_filipe at yahoo.com (Bruno Filipe)
Date: Wed, 5 Nov 2008 07:36:43 -0800 (PST)
Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP
Message-ID: <616511.7071.qm@web39701.mail.mud.yahoo.com>

Hi there,...

Can you guys help me understand why the DHCP is not providing addressing information to the VPN clients... If I use a local pool, I can connect and get addressing info.

Here's my config:

asa# wr t
: Saved
:
ASA Version 7.0(7)
!
hostname asa
domain-name domain.co.ao
enable password shhhhhhhhhhhhhhhhhhh encrypted
names
dns-guard
!
interface Ethernet0/0
 description 100BASETX to LAN Switch
 nameif inside
 security-level 100
 ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1
 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
 nameif outside
 security-level 0
 ip address xxx.xxx.xx.xxx 255.255.255.252
!
interface Ethernet0/2
 description FOR FUTURE USE
 nameif dmz
 security-level 5
 ip address xxx.xxx.xx.xxx 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd shhhhhhhhhhhhhhhh encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#

DEBUG OUTPUT

OUTPUT OMITTED ::

asa# debug crypto isakmp 127
asa# terminal monitor
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

:: :: OUTPUT OMITTED :: ::

Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry

From mr.dave.jacobs at gmail.com Wed Nov 5 11:08:18 2008
From: mr.dave.jacobs at gmail.com (David Jacobs)
Date: Wed, 5 Nov 2008 11:08:18 -0500
Subject: [c-nsp] ISIS Route Flapping Issue
Message-ID:

Hello All,

So I just encountered a very strange issue and I was trying to get some more information or opinions on what just happened.

I am using a Cisco 7507, previously running an RSP16, 2 GEIP cards and an OC3 card on a VIP2-50. On one particular day one of our GEIP cards lost connectivity to one of our core routers. I used standard troubleshooting techniques, i.e. change the cable, change the GBIC, reset the card, all of which had no effect. I replaced the GEIP with a brand new one and I placed it in a different slot; I still could not get connectivity. As a last ditch effort I reloaded the router, and this is where things get weird.

After the router reload, we started experiencing odd ISIS issues: on all of our routers we noticed our problem 7507's loopback address begin to flap. I did a sh ip route X.X.X.X and at times it would say x.x.x.x/32 and other times I would just see x.x.x.x/16. Quite obviously this made life for my frame relay customers a misery.

After trying all sorts of steps we could not get the flapping to stop. In a last ditch effort we offloaded our OC3 onto another router (we are still using this router as a lifeboat).

To skip ahead, I ended up getting a new 7507 chassis, brand new RSP4 and brand new GEIPs and OC3 cards. I reconfigured the router with the same IP and ISIS config and WHAMMO, the same ISIS route flapping begins to happen.
After many hours of troubleshooting, one thing I did was change the ISIS NET address; once this was changed things went back to normal.

Why would changing the NET address suddenly stop an ISIS route from flapping?

Apologies for the long email, but this problem has been happening for quite a few weeks now. Any comments or suggestions would be appreciated.

Thanks
DaveJ

From willay at gmail.com Wed Nov 5 11:08:24 2008
From: willay at gmail.com (William)
Date: Wed, 5 Nov 2008 16:08:24 +0000
Subject: [c-nsp] problems filtering multicast
Message-ID:

Hi,

I'm running multicast routing with sparse-dense-mode and I'd like to filter out some of the addresses. I've created a standard access list permitting the multicast addresses I want to be routed out and then a deny any at the end.

I've applied it to the interface using the ip igmp access-group command but it doesn't seem to be effective; the end hosts are still receiving the multicast streams which I've attempted to filter out.

The hardware is a 6500 (catos) with a sup2, the configuration looks like so on the first switch:

interface vlan999
 ip address 192.168.99.254 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp access-group multicast

ip access-list standard multicast
 permit 239.255.1.1
 deny any

The end host is on a 3750. I tried applying the access-list and ip igmp access-group statement to the vlan interface where the end host is and the multicast traffic that I wish to be filtered is still coming over.

Am I doing something terribly wrong here for it not to work?

Thank you for your time.

W

From jmb287 at gmail.com Wed Nov 5 11:08:32 2008
From: jmb287 at gmail.com (Mike Brown)
Date: Wed, 5 Nov 2008 09:08:32 -0700
Subject: [c-nsp] Need pin-outs for a ONS 15454/15327 Password recovery cable
Message-ID: <1a85d2430811050808h5a361478x277c6d2c60d456e7@mail.gmail.com>

Hi, does anyone here know the pin-outs for the password recovery cable that connects to a TCC/TCC+/TCC2 card??
We have a client that has an ONS that they are locked out of. Cisco is being a real PIA.

Thanks in advance.

From Drikus.Brits at is.co.za Wed Nov 5 11:17:40 2008
From: Drikus.Brits at is.co.za (Drikus Brits)
Date: Wed, 5 Nov 2008 18:17:40 +0200
Subject: [c-nsp] Accounting VPN PIX and ACS
References: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>
Message-ID: <89D2AE9E4EAAB34FABDBF2913867C62F1A18DB4B@ZABRYSVISEX04.af.didata.local>

Hi,

I'm assuming that you have already set up accounting to be pushed through to your ACS? On your ACS you can selectively choose what you want to log.

Essentially, you can use either RADIUS or TACACS+ to log your accounting packets. I'd prefer the RADIUS method though, especially since it is for remote access usage. Your setup shouldn't change much, apart from you changing to RADIUS instead of TACACS+. As long as your keys on the ACS & PIX are the same, you should get Authentication & Accounting logs.

Do you still need docs on how to change these and set it up?

Regards,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of omar parihuana
Sent: Tuesday, November 04, 2008 9:22 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Accounting VPN PIX and ACS

Hi List,

I'm facing a trouble. I have a PIX and one ACS 3.3. The PIX acts like a VPN concentrator for the clients (Windows based - Cisco VPN Client) and ACS like authenticator; I'm using TACACS+. All were working well. But now my boss said: We need to get the VPN usage, so I need: who? when? and how long...? were connected... please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? or is it possible with TACACS+?

Rgds.

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
From cisco-nsp at slepicka.net Wed Nov 5 11:24:38 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 05 Nov 2008 10:24:38 -0600
Subject: [c-nsp] problems filtering multicast]
Message-ID: <4911C8C6.7030103@slepicka.net>

use the ip multicast boundary command:

http://www.cisco.com/en/US/docs/ios/12_2/ipmulti/command/reference/1rfmult1.html#wp1058494

e.g.

ip access-l standard mcast_boundary_vl999
 permit 224.9.9.9

int vl999
 ip multicast boundary mcast_boundary_vl999

James

William wrote:
> Hi,
>
> I'm running multicast routing with sparse-dense-mode and I'd like to
> filter out some of the addresses, I've created a standard access list
> permitting the multicast addresses I want to be routed out and then a
> deny any at the end.
>
> I've applied it to the interface using the ip igmp access-group
> command but it doesn't seem to be effective, the end hosts
> are still receiving the multicast streams which I've attempted to
> filter out.
>
> The hardware is a 6500 (catos) with a sup2, the configuration looks
> like so on the first switch:
>
> interface vlan999
>  ip address 192.168.99.254 255.255.255.0
>  ip pim sparse-dense-mode
>  ip igmp access-group multicast
>
>
> ip access-list standard multicast
>  permit 239.255.1.1
>  deny any
>
> The end host is on a 3750, I tried applying the access-list and ip
> igmp access-group statement to the vlan interface where the end host
> is and the multicast traffic that I wish to be filtered is still
> coming over.
>
> Am I doing something terribly wrong here for it not to work?
>
> Thank you for your time.
>
> W
>

From justin at justinshore.com Wed Nov 5 11:30:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 05 Nov 2008 10:30:31 -0600
Subject: [c-nsp] PA-A3-T3
In-Reply-To: <4911B523.3090108@davidcoulson.net>
References: <4911B418.1070502@justinshore.com> <4911B523.3090108@davidcoulson.net>
Message-ID: <4911CA27.5060001@justinshore.com>

David Coulson wrote:
> Yep, they only do ATM. A PA-T3 (or, PA-MC-T3+) is required to do frame
> or a plain old DS-3.
>
> That's why a PA-A3-T3 goes for next to nothing on the used market.

After thinking about it a bit more, I think we'll use the ATM PAs to get this project off the ground and get some revenue coming in. When we start running short on BW, rather than buy the non-ATM versions we'll skip the DS3 entirely and jump to an OC3. That would make the most sense I think.

Thanks for the info
Justin

From ross at kallisti.us Wed Nov 5 11:51:46 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 5 Nov 2008 11:51:46 -0500
Subject: [c-nsp] ip cef optimize neighbor resolution
Message-ID: <20081105165146.GA8842@kallisti.us>

Hi everyone,

Has anyone running SXH on a SUP720-3B(-XL) series 6500 tried "ip cef optimize neighbor resolution"? Cisco's docs seem to offer the usual tautologous explanation, and as a bonus, include a circular reference:

"The ip cef optimize neighbor resolution command is very similar to the ipv6 cef optimize neighbor resolution command, except that it is IPv4-specific."
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1036767

"The ipv6 cef optimize neighbor resolution command is very similar to the ip cef optimize neighbor resolution command, except that it is IPv6-specific."

http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1037762

Both indicate that it triggers "Layer 2 address resolution of neighbors directly from Cisco Express Forwarding for IPv[46]".

Has anyone tried this? It sounds like this could be a win for a pair of 6500s I have with unexplainable high RP utilization problems: the boxes terminate a lot of VLANs and have a lot of ARP responsibilities. But I can't really find much discussion of it.

Thanks!

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From peter at rathlev.dk Wed Nov 5 12:19:04 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 05 Nov 2008 18:19:04 +0100
Subject: [c-nsp] ISIS Route Flapping Issue
In-Reply-To:
References:
Message-ID: <1225905544.13955.6.camel@abehat>

Hi David,

On Wed, 2008-11-05 at 11:08 -0500, David Jacobs wrote:
> I did a sh ip route X.X.X.X and at times it would say x.x.x.x/32 and
> other times I would just see x.x.x.x/16. Quite obviously this made
> life for my frame relay customers life misery.
> After trying all sorts of steps we could not get the flapping to stop.
> In a last ditch effort we offloaded our OC3 onto another router,( we
> are still using this router as a lifeboat.)

What did the box itself have in its routing table at this time? How does the box lift the host prefix into IS-IS? Does a "debug isis rib redistribution" give any clues?

> To skip ahead, I ended up getting a new 7507 chassis, brand new RSP 4
> and brand new GEIP's and OC3 cards. I reconfigured the router with the
> same Ip and ISIS config and WHAMMO the same ISIS route flapping begins
> to happen.
> After many hours of troubleshooting one thing I did was
> change the ISIS NET address, once this was changed things went back to
> normal.

Brand new 7500 hardware? Where? ;-)

> Why would changing the NET address suddenly stop an ISIS route from
> flapping?

A shot in the dark, but you wouldn't happen to have another box with the same NET on your network?

Regards,
Peter

From gert at greenie.muc.de Wed Nov 5 12:22:15 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 18:22:15 +0100
Subject: [c-nsp] 12.2SRC or 12.4T for 7200VXR NPE400
In-Reply-To: <4909F5F1.6030406@mt.net>
References: <4909F5F1.6030406@mt.net>
Message-ID: <20081105172215.GQ8535@greenie.muc.de>

Hi,

On Thu, Oct 30, 2008 at 11:59:13AM -0600, Forrest W Christian wrote:
> The must-have features in my mind are:
>
> BGP4 w/Long ASN

Complain to your Cisco sales representative. And do it loudly.

To my knowledge, there is *still* no IOS version with support for 32bit-AS-Numbers (IOS XR has this since a year or so).

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From luan at netcraftsmen.net Wed Nov 5 13:08:13 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Wed, 5 Nov 2008 13:08:13 -0500 Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP In-Reply-To: <616511.7071.qm@web39701.mail.mud.yahoo.com> References: <616511.7071.qm@web39701.mail.mud.yahoo.com> Message-ID: <06a601c93f71$77debc30$679c3490$@net> Maybe try using the global commands no vpn-addr-assign local no vpn-addr-assign aaa vpn-addr-assign dhcp And under tunnel-group COMPANY-TUNNEL-GROUP general-attributes Add: default-group-policy COMPANY-REMOTE-ACCESS Regards, Luan Nguyen Chesapeake NetCraftsmen, LLC. www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bruno Filipe Sent: Wednesday, November 05, 2008 10:37 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP Hi there,... Can u guys help me understand why the dhcp is not providing addressing information to the VPN Clients...If I use a local pool, I can connect and get addressing info Here's my config: asa# wr t : Saved : ASA Version 7.0(7) ! hostname asa domain-name domain.co.ao enable password shhhhhhhhhhhhhhhhhhh encrypted names dns-guard ! interface Ethernet0/0 description 100BASETX to LAN Switch nameif inside security-level 100 ip address 192.168.91.254 255.255.255.0 ! interface Ethernet0/1 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET) nameif outside security-level 0 ip address xxx.xxx.xx.xxx 255.255.255.252 ! interface Ethernet0/2 description FOR FUTURE USE nameif dmz security-level 5 ip address xxx.xxx.xx.xxx 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! 
passwd shhhhhhhhhhhhhhhh encrypted ftp mode passive access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3 access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389 pager lines 24 logging timestamp logging buffer-size 16384 logging buffered critical logging trap debugging logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 mtu management 1500 ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240 asdm image disk0:/asdm-507.bin no asdm history enable arp timeout 14400 global (outside) 10 interface nat (inside) 10 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255 static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255 static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 196.216.54.229 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec webvpn password-storage disable ip-comp enable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none secure-unit-authentication disable user-authentication disable 
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#

DEBUG OUTPUT

:: OUTPUT OMITTED ::

asa# debug crypto isakmp 127
asa# terminal monitor

Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT  Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

:: OUTPUT OMITTED ::

Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From drew.weaver at thenap.com  Wed Nov  5 15:07:48 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 5 Nov 2008 15:07:48 -0500
Subject: [c-nsp] show ip cef resources
Message-ID:

This is kind of a trivial question, but does anyone know at or around what numbers the 'show ip cef resources' is no longer G (Green?)

It has been creeping up over the last year or so and I'm just trying to make sure we plan accordingly.

Thanks,
-Drew

From bob at tink.com  Wed Nov  5 17:04:32 2008
From: bob at tink.com (Bob Tinkelman)
Date: Wed, 05 Nov 2008 17:04:32 -0500 (EST)
Subject: [c-nsp] ipsec over gre with nhrp
Message-ID: <01N1KT6EUKF89AQUIH@queens.tink.com>

I'm doing something that I thought I'd done before, but am running into problems and need a sanity check.

I have 2 "customer site routers", each configured for main access via T1 and backup Internet access via a cable-modem service with a dynamic ip address.

They also have an ipsec vpn to route internal (192.168/16 and 10/8) nets between the two sites, using crypto maps on the T1 serial ports in the standard way.

All that works.

I wanted to provide a backup to the ipsec VPN using the cable modem ports, and proceeded as follows:

o I configured a multi-point tunnel with both customer sites using nhrp to connect to one of my routers. [This works. The routers can ping each other over the tunnel.]
  This was done because otherwise the routers, each with a dynamic ip address, would have trouble finding each other.

o I mimic'd the ipsec vpn on the T1 serial interfaces, building a similar one on the tunnel interfaces. [This didn't work, and it's pretty clear why.]

Here are the relevant portions of the config. [I'm willing to share more, but wanted to keep this post manageable.]

Interface housing the cable-modem:

| CT-gw#sho run int fa0/1
| Building configuration...
|
| Current configuration : 186 bytes
| !
| interface FastEthernet0/1
|  description Cable modem connection
|  ip address dhcp
|  ip access-group from-cablemodem in
|  ip nat outside
|  ip virtual-reassembly
|  duplex auto
|  speed auto
| end
| CT-gw#

The address dhcp-assigned by the carrier:

| CT-gw#sho int fa0/1 | inc Internet address
|   Internet address is 192.168.1.64/24
| CT-gw#

The tunnel interface:

| CT-gw#sho run int t202
| Building configuration...
|
| Current configuration : 729 bytes
| !
| interface Tunnel202
|  description Dynamic multi-point ISPnet-customer tunnel
|  bandwidth 1000
|  ip address 69.48.189.23 255.255.255.0
|  ip access-group from-world in
|  no ip redirects
|  ip mtu 1416
|  ip nat inside
|  ip nhrp authentication
|  ip nhrp map multicast 165.254.97.2
|  ip nhrp map multicast 165.254.147.2
|  ip nhrp map 69.48.189.1 165.254.97.2
|  ip nhrp map 69.48.189.2 165.254.147.2
|  ip nhrp network-id
|  ip nhrp holdtime 300
|  ip nhrp nhs 69.48.189.1
|  ip nhrp nhs 69.48.189.2
|  ip nhrp server-only
|  ip virtual-reassembly
|  no ip route-cache cef
|  no ip route-cache
|  no ip mroute-cache
|  delay 1000
|  tunnel source FastEthernet0/1
|  tunnel mode gre multipoint
|  tunnel key
|  crypto map CLINTON-TU-202-MAP
| end
| CT-gw#

The tunnel is working:

| CT-gw#ping 69.48.189.24
|
| Type escape sequence to abort.
| Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds:
| !!!!!
| Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms
| CT-gw#

| CT-gw#tr 69.48.189.24
|
| Type escape sequence to abort.
| Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24)
|
|   1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec 28 msec
|   2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec *  136 msec
| CT-gw#

The crypto map is defined like this:

| CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP
| crypto map CLINTON-TU-202-MAP local-address Tunnel202
| crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp
|  set peer 69.48.189.24
|  set transform-set TRANSFORM-SET-FL
|  match address CT-inside-to-FL-inside
| !

But it's not working.

It looks like it's using the wrong ip address for the "local address" of the crypto map.

It's using the dhcp-assigned address of Fa0/1, when I'd thought it should be using the address of Tu202.

| CT-gw#sho crypto map int t202
>>| Crypto Map: "CLINTON-TU-202-MAP" idb: Tunnel202 local address: 192.168.1.64
|
| Crypto Map "CLINTON-TU-202-MAP" 1 ipsec-isakmp
|         Peer = 69.48.189.24
|         Extended IP access list CT-inside-to-FL-inside
|             access-list CT-inside-to-FL-inside permit ip 192.168.7.0 0.0.0.255 10.1.1.0 0.0.0.255
|         Current peer: 69.48.189.24
|         Security association lifetime: 4608000 kilobytes/3600 seconds
|         PFS (Y/N): N
|         Transform sets={
|                 TRANSFORM-SET-FL,
|         }
|         Interfaces using crypto map CLINTON-TU-202-MAP:
|                 Tunnel202
| CT-gw#

I think it's pretty clear that 192.168.1.64 won't cut it as one end of the VPN.

The two customer sites are in CT and FL, both with their "cable modem connections" actually being ATT DSL services. [Long story; don't ask.]

Amusingly, both show the leases with the same IP Addr and gateway, as in:

| CT-gw#sho dhcp lease
| Temp IP addr: 192.168.1.64  for peer on Interface: FastEthernet0/1
| Temp  sub net mask: 255.255.255.0
|    DHCP Lease server: 192.168.1.254, state: 3 Bound
|    DHCP transaction id: 1FD4
|    Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
| Temp default-gateway addr: 192.168.1.254
|    Next timer fires after: 07:58:12
|    Retry count: 0   Client-ID: cisco-0019.5550.5b41-Fa0/1
|    Client-ID hex dump: 636973636F2D303031392E353535302E
|                        356234312D4661302F31
|    Hostname: CT-gw

| FL-gw#sho dhcp lease
| Temp IP addr: 192.168.1.64  for peer on Interface: FastEthernet0/1
| Temp  sub net mask: 255.255.255.0
|    DHCP Lease server: 192.168.1.254, state: 3 Bound
|    DHCP transaction id: 1FD4
|    Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
| Temp default-gateway addr: 192.168.1.254
|    Next timer fires after: 07:57:26
|    Retry count: 0   Client-ID: cisco-0019.5550.5c79-Fa0/1
|    Client-ID hex dump: 636973636F2D303031392E353535302E
|                        356337392D4661302F31
|    Hostname: FL-gw
| FL-gw#

I don't think that's relevant.

I think the problem is that I need to get the crypto map to use the 69.48.189.23 (CT) and 69.48.189.24 (FL) addresses, not 192.168.1.*.

Thoughts?
--
Bob Tinkelman

From luan at netcraftsmen.net  Wed Nov  5 21:11:36 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 5 Nov 2008 21:11:36 -0500
Subject: [c-nsp] ipsec over gre with nhrp
In-Reply-To: <01N1KT6EUKF89AQUIH@queens.tink.com>
References: <01N1KT6EUKF89AQUIH@queens.tink.com>
Message-ID: <06ee01c93fb4$ff03c4b0$fd0b4e10$@net>

You have to use tunnel protection profile instead. Get rid of the local-address, and put these in:

crypto isakmp policy 3000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 165.254.97.2
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
int tun202
 no crypto map
 tunnel protection ipsec profile foo

Then route over the tunnel accordingly... instead of using ACL to match traffic.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(blog) http://ccie-security.blogspot.com/
(e) luan at netcraftsmen.net
(aim/yahoo): luancnc

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bob Tinkelman
Sent: Wednesday, November 05, 2008 5:05 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ipsec over gre with nhrp

[...]

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mtinka at globaltransit.net  Wed Nov  5 21:55:03 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 6 Nov 2008 10:55:03 +0800
Subject: [c-nsp] watchdog timeout - nmi reset
Message-ID: <200811061055.12235.mtinka@globaltransit.net>

Hi all.

We've had a bit of bad luck lately with a couple of NPE-G1's suddenly reloading due to watchdog timeouts. In all cases, we've been running 12.2SRC (first SRC1, and currently SRC2). Without any crashinfo generated from the reload, Cisco say this points to a hardware problem.
We initially experienced this on an NPE-G1 built in 2003 (the chassis might have been built about the same time also). But then it also affected NPE-G1's built in 2005, as well as 2007. We swapped out one of them that has been rebooting more frequently (once every 2 months) with a 2007-model NPE-G1. This just failed a few days back, same reason.

This morning, yet another 2007-model NPE-G1 also experienced the same problem. This one had never done this before. It also is installed in a 2007-model chassis.

The following is consistent:

* The watchdog timeout reset is affecting only our NPE-G1's.
* All NPE-G2's and 7201's, running SRC2, are not affected.
* It affects both old and new NPE-G1's.
* It affects both old and new chassis'.
* All routers are running 12.2(33)SRC2.

We're going to open another case with TAC on this, but I feel this is going to be drawn out. It would have been easier if this affected either ONLY the old model NPE-G1's, or the new model NPE-G1's; because then we could either chalk it down to old boards or a bad batch (the 2007 models were all built to the same order). But since this is affecting both old and new, and the information suggests it's not software-related, it gets tricky.

Aside from software, the only other thing that unites both the old and new chassis'/processors is PA-2FE-TX cards we bought for both the old and new models.

Suffice it to say that before the older NPE-G1's were running SRC (they either ran 12.3 mainline or 12.2S), we didn't see this issue.

Appreciate any thoughts here.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
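Two of the threads above are, at bottom, configuration consistency problems: Bruno's ASA defines COMPANY-TRANSFORM-SET and COMPANY-DYNAMIC-MAP but the dynamic-map and crypto-map lines reference GENIUS-TRANSFORM-SET and GENIUS-DYNAMIC-MAP, and Bob's IOS router applies a classic crypto map to a multipoint GRE tunnel whose source interface is DHCP-addressed, which is why `show crypto map` reports the 192.168.1.64 lease address rather than the Tunnel202 address (Luan's reply: use `tunnel protection ipsec profile` instead). The following is an added checker, not code from either poster or from Cisco, that reads a pasted config and reports both kinds of problem. The sample configs are constructed from the lines in the two posts; the `TRANSFORM-SET-FL` definition was not shown on the list and is assumed here.

```python
import re
from collections import defaultdict

# Constructed sample: the crypto lines of the ASA config posted above,
# with the name mismatch exactly as it appears there.
ASA_SAMPLE = """\
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
"""

# Constructed sample: the tunnel and crypto-map lines of Bob's IOS config.
# The transform-set definition is an assumption (not shown in the post).
IOS_SAMPLE = """\
interface FastEthernet0/1
 ip address dhcp
!
interface Tunnel202
 ip address 69.48.189.23 255.255.255.0
 tunnel source FastEthernet0/1
 tunnel mode gre multipoint
 crypto map CLINTON-TU-202-MAP
!
crypto ipsec transform-set TRANSFORM-SET-FL esp-aes esp-sha-hmac
crypto map CLINTON-TU-202-MAP local-address Tunnel202
crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp
 set peer 69.48.189.24
 set transform-set TRANSFORM-SET-FL
 match address CT-inside-to-FL-inside
"""

# Where each kind of object is defined (anchored at line start) ...
DEFS = {
    "transform-set": re.compile(r"^crypto ipsec transform-set (\S+)"),
    "dynamic-map":   re.compile(r"^crypto dynamic-map (\S+) \d+"),
    "ipsec-profile": re.compile(r"^crypto ipsec profile (\S+)"),
    "crypto-map":    re.compile(r"^crypto map (\S+) \d+ ipsec-isakmp"),
}
# ... and where it is referenced (searched anywhere in the line, so the
# ASA one-line 'crypto dynamic-map X 10 set transform-set Y' form works).
REFS = {
    "transform-set": re.compile(r"\bset transform-set (.+)$"),
    "dynamic-map":   re.compile(r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
    "ipsec-profile": re.compile(r"^tunnel protection ipsec profile (\S+)"),
    # interface form 'crypto map NAME' and ASA form 'crypto map NAME interface X'
    "crypto-map":    re.compile(r"^crypto map (\S+)(?: interface \S+)?$"),
}


def collect(config):
    """Return ({kind: defined names}, {kind: referenced names}) for a config dump."""
    defined, referenced = defaultdict(set), defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()          # indentation is often lost in pasted configs
        for kind, rx in DEFS.items():
            m = rx.match(line)
            if m:
                defined[kind].add(m.group(1))
        for kind, rx in REFS.items():
            m = rx.search(line)
            if m:
                referenced[kind].update(m.group(1).split())
    return defined, referenced


def find_dangling_refs(config):
    """Names that are referenced but never defined, as sorted (kind, name) pairs."""
    defined, referenced = collect(config)
    return sorted((k, n) for k in referenced for n in referenced[k] - defined[k])


def find_unused_defs(config):
    """Names that are defined but never referenced (the other half of a typo)."""
    defined, referenced = collect(config)
    return sorted((k, n) for k in defined for n in defined[k] - referenced[k])


def parse_interfaces(config):
    """Return {interface name: [stripped sub-lines]}; a block ends at '!' or 'end'."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line in ("!", "end"):
            current = None
        elif current is not None and line:
            blocks[current].append(line)
    return blocks


def find_crypto_map_on_mgre(config):
    """Flag a crypto map on a multipoint GRE tunnel. IPsec then keys off the
    tunnel *source* address; if that source is DHCP-assigned (Bob's case) the
    peers see a private lease address instead of the tunnel address."""
    blocks, findings = parse_interfaces(config), []
    for name, lines in blocks.items():
        cmap = [l for l in lines if re.match(r"^crypto map \S+$", l)]
        if "tunnel mode gre multipoint" not in lines or not cmap:
            continue
        src = next((l.split()[2] for l in lines if l.startswith("tunnel source ")), None)
        dhcp = " (DHCP-addressed)" if src in blocks and "ip address dhcp" in blocks[src] else ""
        findings.append(f"{name}: {cmap[0]} applied to an mGRE tunnel sourced from "
                        f"{src}{dhcp}; use 'tunnel protection ipsec profile <name>' instead")
    return findings


def audit(config):
    """All findings for one config as human-readable strings."""
    out = [f"{k} '{n}' referenced but never defined" for k, n in find_dangling_refs(config)]
    out += [f"{k} '{n}' defined but never referenced" for k, n in find_unused_defs(config)]
    return out + find_crypto_map_on_mgre(config)


if __name__ == "__main__":
    for label, cfg in (("ASA", ASA_SAMPLE), ("IOS", IOS_SAMPLE)):
        for finding in audit(cfg):
            print(f"[{label}] {finding}")
```

Run against the ASA sample it reports GENIUS-TRANSFORM-SET and GENIUS-DYNAMIC-MAP as dangling and the two COMPANY-* objects as unused, which is exactly the pair of typos that leaves a crypto map with no usable transform set; against the IOS sample it reports the crypto map on Tunnel202 with its DHCP-addressed source.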
URL:

From rakeshh at gmail.com  Wed Nov  5 22:11:57 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Wed, 5 Nov 2008 21:11:57 -0600
Subject: [c-nsp] ipsec over gre with nhrp
In-Reply-To: <01N1KT6EUKF89AQUIH@queens.tink.com>
References: <01N1KT6EUKF89AQUIH@queens.tink.com>
Message-ID: <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com>

Hello,

With the information you have provided, what I can see is that you are trying IPSEC over GRE. I had come across a similar issue where the router used the GRE tunnel source interface to build the IPSEC tunnel even though I had the tunnel interface as the local interface for the crypto map. This is exactly what you are seeing here.

I resolved the issue by learning a loopback through the tunnel and using it as the IPSEC tunnel source/destination points, with the local loopback as the local interface for the crypto map. You also need to point any traffic to be encrypted, matching the destination subnet in the crypto acl, to the tunnel interface.

There is a simpler and preferred way of doing this using VTI interfaces. In your case this is going to be GRE protection using IPSEC. It has worked great for us.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Hope this helps
-Rakesh

On Wed, Nov 5, 2008 at 4:04 PM, Bob Tinkelman wrote:
> [...]

From risnaini at indo.net.id  Wed Nov  5 23:43:50 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 06 Nov 2008 11:43:50 +0700
Subject: [c-nsp] anaysis networrk
In-Reply-To:
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID: <49127606.4020403@indo.net.id>

Yah :)
Wireshark more features.

Anderson Levi wrote:
> Ethereal was renamed Wireshark sometime in '06.
>
> On Wed, Nov 5, 2008 at 3:52 PM, adrian kok wrote:
>
>> Hi
>>
>> Can I know the difference between wireshark vs ethereal?
>>
>> which one is better to analyse a network?
>>
>> other than two, any suggestion
>>
>> Thank you
>>
>> Send instant messages to your online friends http://uk.messenger.yahoo.com
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From fropert at packetfault.org  Thu Nov  6 03:05:16 2008
From: fropert at packetfault.org (Francois ROPERT)
Date: Thu, 06 Nov 2008 09:05:16 +0100
Subject: [c-nsp] anaysis networrk
In-Reply-To: <49127606.4020403@indo.net.id>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com> <49127606.4020403@indo.net.id>
Message-ID: <4912A53C.4050609@packetfault.org>

More features and above all more SECURITY.
Wireshark dissectors are tested against fuzzing by Mister G. Combs and should be by dissectors authors by running tools/fuzz-test.sh before putting public dissectors on bugs.wireshark.org. My advice here is to always use the last version for limiting exposure of your computer if you don't want to get pwned by a miscreant who knows counter forensics attack against ethereal/wireshark (intentionnaly crash a wireshark with malicious packets to hide *FACTS* from the analyst eyes). Francois a. rahman isnaini r.sutan a ?crit : > Yah :) > Wireshark more features. > > Anderson Levi wrote: >> Ethereal was renamed Wireshark sometime in '06. >> >> On Wed, Nov 5, 2008 at 3:52 PM, adrian kok >> wrote: >> >>> Hi >>> >>> Can I know the different between wireshark vs etheral? >>> >>> which one is better to anaylsis network? >>> >>> other than two, any suggestion >>> >>> Thank you >>> >>> Send instant messages to your online friends >>> http://uk.messenger.yahoo.com >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From antal.gergely at hu.digi.tv Thu Nov 6 03:16:53 2008 From: antal.gergely at hu.digi.tv (Antal GERGELY) Date: Thu, 06 Nov 2008 09:16:53 +0100 Subject: [c-nsp] 12.2SRC or 12.4T for 7200VXR NPE400 In-Reply-To: <20081105172215.GQ8535@greenie.muc.de> References: <4909F5F1.6030406@mt.net> <20081105172215.GQ8535@greenie.muc.de> Message-ID: 
<4912A7F5.9050309@hu.digi.tv> FYI about 4B ASN :) Gert Doering wrote: > Hi, > > On Thu, Oct 30, 2008 at 11:59:13AM -0600, Forrest W Christian wrote: >> The must-have features in my mind are: >> >> BGP4 w/Long ASN > > Complain to your Cisco sales representative. And do it loudly. > > To my knowledge, there is *still* no IOS version with support for > 32bit-AS-Numbers (IOS XR has had this for a year or so). > > gert > > -- Antal GERGELY Backbone Network Department IP Services DIGI KFT Budapest Vaci ut 35. H-1134 Hungary -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 260 bytes Desc: OpenPGP digital signature URL: From Anton.Schweitzer at o2.com Thu Nov 6 03:56:33 2008 From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com) Date: Thu, 6 Nov 2008 09:56:33 +0100 Subject: [c-nsp] Cisco 881 3G Router Experiences In-Reply-To: <4912A53C.4050609@packetfault.org> Message-ID: Hi, is anybody here using a Cisco 881 3G Router with IPSEC and can share his experiences/config with me? Cheers Anton Anton Schweitzer Senior Specialist BS Projekt & Service Customer Design o2 (Germany) GmbH & Co.OHG Georg Brauchle-Ring 23-25, D-80992 München Tel +49(0)89-2442-5794 Mobil +49(0)176-23407715 Fax +49(0)89-2442-4281 anton.schweitzer at o2.com Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de VAT ID no. DE 811 889 638. Amtsgericht München HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Amtsgericht München HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Amtsgericht München HRB 121389, both at the same court. Managing directors of both partners: Jaime Smith Basterra (Chairman), Antonio Botas Banuelos, Andrea Folgueiras, André Krause, Lutz Schüler, Carsten Wreth.
From david.freedman at uk.clara.net Thu Nov 6 04:28:35 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Thu, 06 Nov 2008 09:28:35 +0000 Subject: [c-nsp] show ip cef resources In-Reply-To: References: Message-ID: What kind of box is this? GSR? what kind of cards? Dave. Drew Weaver wrote: > This is kind of a trivial question but does anyone know at or around what numbers the 'show ip cef resources' is no longer G (Green?) > > It has been creeping up over the last year or so and I'm just trying to make sure we plan accordingly. > > Thanks, > -Drew > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ltd at cisco.com Thu Nov 6 04:49:27 2008 From: ltd at cisco.com (Lincoln Dale) Date: Thu, 06 Nov 2008 20:49:27 +1100 Subject: [c-nsp] ip cef optimize neighbor resolution In-Reply-To: <20081105165146.GA8842@kallisti.us> References: <20081105165146.GA8842@kallisti.us> Message-ID: <4912BDA7.2000605@cisco.com> hi Ross, Ross Vandegrift wrote: > Hi everyone, > > Has anyone running SXH on a SUP720-3B(-XL) series 6500 tried "ip cef > optimize neighbor resolution"? > > Cisco's docs seem to offer the usual tautologous explanation, and as a > bonus, include a circular reference: > LOL, classic. > Both indicate that it triggers "Layer 2 address resolution of neighbors > directly from Cisco Express Forwarding for IPv[46]". > > Has anyone tried this? It sounds like this could be a win for a pair > of 6500s I have with unexplainable high RP utilization problems - the > boxes terminate a lot of VLANs and have a lot of ARP responsibilities. > But I can't really find much discussion of it. > the feature is essentially an enhancement for how CEF Gleans and the like are handled. 
if you're familiar with how those kinds of things work, they would typically need to punt to software to resolve a (not yet available) adjacency through ARP or similar. the enhancement/optimization here is that it can do it with fewer CPU cycles. as to whether this would help in your scenario, it's certainly a possibility. but unless what you're seeing is a relatively short period of higher CPU during ARP / IP to MAC discovery, me thinks you may want to look into what your ARP aging timers are relative to your MAC aging timers. cheers, lincoln. From willay at gmail.com Thu Nov 6 05:58:51 2008 From: willay at gmail.com (William) Date: Thu, 6 Nov 2008 10:58:51 +0000 Subject: [c-nsp] problems filtering multicast] In-Reply-To: <4911C8C6.7030103@slepicka.net> References: <4911C8C6.7030103@slepicka.net> Message-ID: Thanks James, this worked perfectly! Cheers. W 2008/11/5 James Slepicka : > use the ip multicast boundary command: > http://www.cisco.com/en/US/docs/ios/12_2/ipmulti/command/reference/1rfmult1.html#wp1058494 > > e.g. > ip access-l standard mcast_boundary_vl999 > permit 224.9.9.9 > > int vl999 > ip multicast boundary mcast_boundary_vl999 > > James > > William wrote: >> >> Hi, >> >> I'm running multicast routing with sparse-dense-mode and I'd like to >> filter out some of the addresses. I've created a standard access list >> permitting the multicast addresses I want to be routed out and then a >> deny any at the end. >> >> I've applied it to the interface using the ip igmp access-group >> command but it doesn't seem to be effective; the end hosts >> are still receiving the multicast streams which I've attempted to >> filter out.
>> >> The hardware is a 6500 (CatOS) with a Sup2, the configuration looks >> like so on the first switch: >> >> interface vlan999 >> ip address 192.168.99.254 255.255.255.0 >> ip pim sparse-dense-mode >> ip igmp access-group multicast >> >> >> ip access-list standard multicast >> permit 239.255.1.1 >> deny any >> >> The end host is on a 3750. I tried applying the access-list and ip >> igmp access-group statement to the vlan interface where the end host >> is and the multicast traffic that I wish to be filtered is still >> coming over. >> >> Am I doing something terribly wrong here for it not to work? >> >> Thank you for your time. >> >> W >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From willay at gmail.com Thu Nov 6 06:03:42 2008 From: willay at gmail.com (William) Date: Thu, 6 Nov 2008 11:03:42 +0000 Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP? Message-ID: Hi Chaps, I used to have a VPN tunnel running between two sites using Cisco PIX 6.x. The B end now has a dynamic IP address; every time the router reloads the tunnel goes down, and to get it back up we have to reconfigure an ISAKMP key and change our config here on the A end. Is there a way I can get round this? The router in front of our B-end PIX is not Cisco, nor is it under our control. My client downgraded their Internet Service package, which also meant that they now have a dynamic IP address :( Thanks for your time. W From mvanton at gmail.com Thu Nov 6 06:05:10 2008 From: mvanton at gmail.com (vince anton) Date: Thu, 6 Nov 2008 12:05:10 +0100 Subject: [c-nsp] 10G MMF on 12k ?
Message-ID: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> Hi, I'm looking at enabling 10G on the 12k platform and it looks like the SPA-1x10GE-L-V2 is the one to go for inside a SIP601. But it seems like the SPA only supports single mode SFPs. I'm finding it hard to believe that I need to use single mode fibre to connect the SPA to a switch in the same rack, besides the fact that I then most likely need to use optical attenuators to 'fix' the fact that I'm using single mode fibre for such a short distance!! What's everyone doing with 10G on the 12k out there? Thanks, anton From swmike at swm.pp.se Thu Nov 6 06:15:03 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 6 Nov 2008 12:15:03 +0100 (CET) Subject: [c-nsp] 10G MMF on 12k ? In-Reply-To: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> Message-ID: On Thu, 6 Nov 2008, vince anton wrote: > I'm looking at enabling 10G on the 12k platform and it looks like the > SPA-1x10GE-L-V2 is the one to go for inside a SIP601. But it seems like > the SPA only supports single mode SFPs. The SPA-1x10GE-L-V2 supports XFP, not SFP. > I'm finding it hard to believe that I need to use single mode fibre to connect > the SPA to a switch in the same rack, besides the fact that I then most > likely need to use optical attenuators to 'fix' the fact that I'm using > single mode fibre for such a short distance!! There is no need to use attenuators for 10GBASE-LR even if you run it over a 1 meter cable. Also, I would be very surprised if Cisco didn't support SR in that module; where did you get that information? > What's everyone doing with 10G on the 12k out there? For 10GE on 12k, I'd say the SIP-601 + SPA1x10GE-L-V2 is the best way to go.
-- Mikael Abrahamsson email: swmike at swm.pp.se From mvanton at gmail.com Thu Nov 6 07:12:55 2008 From: mvanton at gmail.com (vince anton) Date: Thu, 6 Nov 2008 13:12:55 +0100 Subject: [c-nsp] 10G MMF on 12k ? In-Reply-To: References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> Message-ID: <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com> > > There is no need to use attenuators for 10GBASE-LR even if you run it over > a 1 meter cable. Also, I would be very surprised if Cisco didn't support SR > in that module; where did you get that information? > The datasheet doesn't say anything about supporting SR in that SPA. Looks like 10km with LR optics is the lowest you can go to cross a rack!!! Check it out at http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd804dc62d.html > > What's everyone doing with 10G on the 12k out there? > For 10GE on 12k, I'd say the SIP-601 + SPA1x10GE-L-V2 is the best way to go. Thanks for that :-) cheers, anton From swmike at swm.pp.se Thu Nov 6 07:18:57 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Thu, 6 Nov 2008 13:18:57 +0100 (CET) Subject: [c-nsp] 10G MMF on 12k ? In-Reply-To: <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com> References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com> Message-ID: On Thu, 6 Nov 2008, vince anton wrote: > The datasheet doesn't say anything about supporting SR in that SPA. Looks > like 10km with LR optics is the lowest you can go to cross a rack!!! > Check it out at > http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd804dc62d.html Yes, I think you're right, the XFP-10G-MM-SR isn't listed as supported on any of the SPA based platforms. Talk to your account team and ask why and if it'll change in the future.
Compared to what the SIP-601 and the SPA costs, the price difference between SM and MM isn't that great, but I guess that if you standardise on MM within site (we use SM everywhere) I guess this might be a hassle. -- Mikael Abrahamsson email: swmike at swm.pp.se From Jamie.Stephens at chartercom.com Thu Nov 6 09:17:58 2008 From: Jamie.Stephens at chartercom.com (Stephens, Jamie A) Date: Thu, 6 Nov 2008 08:17:58 -0600 Subject: [c-nsp] BGP Question In-Reply-To: References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com><87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com> Message-ID: Is there a command to allow received routes from the same AS #? E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited. From luan at netcraftsmen.net Thu Nov 6 09:25:07 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Thu, 6 Nov 2008 09:25:07 -0500 Subject: [c-nsp] BGP Question In-Reply-To: References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com><87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com> Message-ID: <072d01c9401b$780d6c10$68284430$@net> Neighbor allowas-in Luan Nguyen Chesapeake NetCraftsmen, LLC. 
www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephens, Jamie A Sent: Thursday, November 06, 2008 9:18 AM To: cisco-nsp Subject: [c-nsp] BGP Question Is there a command to allow received routes from the same AS #? _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ecables at gmail.com Thu Nov 6 09:46:39 2008 From: ecables at gmail.com (Eric Cables) Date: Thu, 6 Nov 2008 06:46:39 -0800 Subject: [c-nsp] ipsec over gre with nhrp In-Reply-To: <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com> References: <01N1KT6EUKF89AQUIH@queens.tink.com> <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com> Message-ID: Make certain that if you have multiple tunnels on your gateway device that use the same tunnel source/ipsec profile, you specify the "shared" keyword at the end of the tunnel protection statement. -- Eric Cables On Wed, Nov 5, 2008 at 7:11 PM, Rakesh Hegde wrote: > Hello, > > With the information you have provided, what I can see is that you are > trying IPSEC over GRE.
I had come across a similar issue where the > router used the GRE tunnel source interface to build the IPSEC tunnel even though > I had the tunnel interface as the local interface for the crypto map. This is > exactly what you are seeing here. I resolved the issue by learning a > loopback through the tunnel and using it as the IPSEC tunnel source/destination > points, with the local loopback as the local interface for the crypto map. > You also need to point any traffic to be encrypted, matching > the destination subnet in the crypto ACL, to the tunnel interface. > > There is a simpler and preferred way of doing this using VTI interfaces. > In your case this is going to be GRE protection using IPSEC. It has worked > great for us. > > > http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html > > Hope this helps > > -Rakesh > > > On Wed, Nov 5, 2008 at 4:04 PM, Bob Tinkelman wrote: > > > I'm doing something that I thought I'd done before, but am > > running into problems and need a sanity check. > > > > I have 2 "customer site routers", each configured for main > > access via T1 and backup Internet access via a cable-modem > > service with a dynamic ip address. > > > > They also have an ipsec vpn to route internal (192.168/16 and > > 10/8) nets between the two sites, using crypto maps on the > > T1 serial ports in the standard way. > > > > All that works. > > > > I wanted to provide a backup to the ipsec VPN using the cable > > modem ports, and proceeded as follows: > > > > o I configured a multi-point tunnel with both customer sites > > using nhrp to connect to one of my routers. [This works. > > the routers can ping each other over the tunnel.] > > This was done because otherwise the routers, each with a > > dynamic ip address, would have trouble finding each other. > > > > o I mimic'd the ipsec vpn on the T1 serial interfaces, building > > a similar one on the tunnel interfaces. [This didn't work, > > and it's pretty clear why.]
> > > > > > Here are the relevant portions of the config. [I'm willing to > > share more, but wanted to keep this post managable.] > > > > Interface housing the cable-modem: > > > > | CT-gw#sho run int fa0/1 > > | Building configuration... > > | > > | Current configuration : 186 bytes > > | ! > > | interface FastEthernet0/1 > > | description Cable modem connection > > | ip address dhcp > > | ip access-group from-cablemodem in > > | ip nat outside > > | ip virtual-reassembly > > | duplex auto > > | speed auto > > | end > > | CT-gw# > > > > The address dhcp-assigned by the carrier: > > > > | CT-gw#sho int fa0/1 | inc Internet address > > | Internet address is 192.168.1.64/24 > > | CT-gw# > > > > The tunnel interface: > > > > | CT-gw#sho run int t202 > > | Building configuration... > > | > > | Current configuration : 729 bytes > > | ! > > | interface Tunnel202 > > | description Dynamic multi-point ISPnet-customer tunnel > > | bandwidth 1000 > > | ip address 69.48.189.23 255.255.255.0 > > | ip access-group from-world in > > | no ip redirects > > | ip mtu 1416 > > | ip nat inside > > | ip nhrp authentication > > | ip nhrp map multicast 165.254.97.2 > > | ip nhrp map multicast 165.254.147.2 > > | ip nhrp map 69.48.189.1 165.254.97.2 > > | ip nhrp map 69.48.189.2 165.254.147.2 > > | ip nhrp network-id > > | ip nhrp holdtime 300 > > | ip nhrp nhs 69.48.189.1 > > | ip nhrp nhs 69.48.189.2 > > | ip nhrp server-only > > | ip virtual-reassembly > > | no ip route-cache cef > > | no ip route-cache > > | no ip mroute-cache > > | delay 1000 > > | tunnel source FastEthernet0/1 > > | tunnel mode gre multipoint > > | tunnel key > > | crypto map CLINTON-TU-202-MAP > > | end > > | CT-gw# > > > > The tunnel is working: > > > > | CT-gw#ping 69.48.189.24 > > | > > | Type escape sequence to abort. > > | Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds: > > | !!!!! 
> > | Success rate is 100 percent (5/5), round-trip min/avg/max = > 140/141/144 > > ms > > | CT-gw# > > > > | CT-gw#tr 69.48.189.24 > > | > > | Type escape sequence to abort. > > | Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24) > > | > > | 1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec > 28 > > msec > > | 2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec * 136 msec > > | CT-gw# > > > > The crypto map is defined like this: > > > > | CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP > > | crypto map CLINTON-TU-202-MAP local-address Tunnel202 > > | crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp > > | set peer 69.48.189.24 > > | set transform-set TRANSFORM-SET-FL > > | match address CT-inside-to-FL-inside > > | ! > > > > But it's not working. > > > > It looks like it's using the wrong ip address for the "local > > address" of the crypto map. > > > > It's using the dhcp-assigned address of Fa0/1, when I'd thought > > it should be using the address of Tu202. > > > > | CT-gw#sho crypto map int t202 > > >>| Crypto Map: "CLINTON-TU-202-MAP" idb: Tunnel202 local address: > > 192.168.1.64 > > | > > | Crypto Map "CLINTON-TU-202-MAP" 1 ipsec-isakmp > > | Peer = 69.48.189.24 > > | Extended IP access list CT-inside-to-FL-inside > > | access-list CT-inside-to-FL-inside permit ip 192.168.7.0 > > 0.0.0.255 10.1.1.0 0.0.0.255 > > | Current peer: 69.48.189.24 > > | Security association lifetime: 4608000 kilobytes/3600 seconds > > | PFS (Y/N): N > > | Transform sets={ > > | TRANSFORM-SET-FL, > > | } > > | Interfaces using crypto map CLINTON-TU-202-MAP: > > | Tunnel202 > > | CT-gw# > > > > I think it's pretty clear that 192.168.1.64 won't cut it as one end > > of the VPN. > > > > > > > > The two customer sites are in CT and FL, both with their "cable modem > > connections" actually being ATT DSL services. [Long story; don't ask.] 
> > > > Amusingly, both show the leases with the same IP Addr and gateway, as in: > > > > | CT-gw#sho dhcp lease > > | Temp IP addr: 192.168.1.64 for peer on Interface: FastEthernet0/1 > > | Temp sub net mask: 255.255.255.0 > > | DHCP Lease server: 192.168.1.254, state: 3 Bound > > | DHCP transaction id: 1FD4 > > | Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs > > | Temp default-gateway addr: 192.168.1.254 > > | Next timer fires after: 07:58:12 > > | Retry count: 0 Client-ID: cisco-0019.5550.5b41-Fa0/1 > > | Client-ID hex dump: 636973636F2D303031392E353535302E > > | 356234312D4661302F31 > > | Hostname: CT-gw > > > > > > | FL-gw#sho dhcp lease > > | Temp IP addr: 192.168.1.64 for peer on Interface: FastEthernet0/1 > > | Temp sub net mask: 255.255.255.0 > > | DHCP Lease server: 192.168.1.254, state: 3 Bound > > | DHCP transaction id: 1FD4 > > | Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs > > | Temp default-gateway addr: 192.168.1.254 > > | Next timer fires after: 07:57:26 > > | Retry count: 0 Client-ID: cisco-0019.5550.5c79-Fa0/1 > > | Client-ID hex dump: 636973636F2D303031392E353535302E > > | 356337392D4661302F31 > > | Hostname: FL-gw > > | FL-gw# > > > > > > I don't think that's relevant. > > > > I think the problem is that I need to get the crypto map to use the > > 69.48.189.23 (CT) and 69.48.189.24 (FL) addresses, not 192.168.1.*. > > > > Thoughts? 
> > -- > > Bob Tinkelman > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mr.dave.jacobs at gmail.com Thu Nov 6 09:48:28 2008 From: mr.dave.jacobs at gmail.com (David Jacobs) Date: Thu, 6 Nov 2008 09:48:28 -0500 Subject: [c-nsp] ISIS Route Flapping Issue In-Reply-To: <1225905544.13955.6.camel@abehat> References: <1225905544.13955.6.camel@abehat> Message-ID: Hello Peter, thank you for your reply. I changed my NET address back to the original and reloaded, and I tried to dig up more data on this. FYI, this is what my config looks like on this box.

router isis
 net 49.0001.0001.5011.1565.00
 is-type level-2-only
 metric-style wide
 spf-interval 30
 log-adjacency-changes
 redistribute connected
 redistribute static ip

> > >What did the box itself have in its routing table at this time? How does > >the box lift the host prefix into IS-IS? Does a "debug isis rib > >redistribution" give any clues? > Here is a summary of what is in the routing table now...

router1#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           4           256         608
static          1           6           448         1064
isis            144         6179        732864      961096
  Level 1: 0 Level 2: 6323

"debug isis rib redis" doesn't seem to lend any clues, unfortunately.
I did find something odd, although: when I did a "sh clns interface" I am seeing the "circuit ID:" of the neighboring core routers in the Circuit ID field

GigabitEthernet5/0/0 is up, line protocol is up
  Level-2 Metric: 99999, Priority: 64, Circuit ID: Name of Neighboring Router1
GigabitEthernet6/0/0 is up, line protocol is up
  Level-2 Metric: 99999, Priority: 64, Circuit ID: Name of Neighboring Router2

but when I do this from all other routers, the Circuit ID is the local hostname of the router. Not sure if that has anything to do with it or not. When I do a "sh spf-log" this is the message I keep seeing. On Cisco:

00:24:50   72  109   8  router1.00-00  TLVCONTENT
00:24:20   72  109   8  router1.00-00  TLVCONTENT
00:23:50   76  109   8  router1.00-00  TLVCONTENT
00:23:20   64  109   8  router1.00-00  TLVCONTENT
00:22:50   76  109   8  router1.00-00  TLVCONTENT
00:22:20   72  109   8  router1.00-00  TLVCONTENT
00:21:50   72  109   8  router1.00-00  TLVCONTENT
00:21:20   72  109   8  router1.00-00  TLVCONTENT
00:20:50   72  109   8  router1.00-00  TLVCONTENT
00:20:19   72  108   7  router1.00-00  TLVCONTENT
00:19:49   72  108   8  router1.00-00  TLVCONTENT
00:19:19   68  108   8  router1.00-00  TLVCONTENT

and on Foundry:

1m55s  450ms  78   6  router1.00-00  Area Address TLV Change
2m26s  450ms  39  17  router1.00-00  Area Address TLV Change
2m56s  450ms  39  17  router1.00-00  Area Address TLV Change
3m27s  450ms  39  13  router1.00-00  Area Address TLV Change
3m57s  450ms  39  18  router1.00-00  Area Address TLV Change

> > > >Brand new 7500 hardware? Where? ;-) By new I mean just purchased from somewhere, right out of the box in that new (never been crinkled) static wrap and never used by us before =) > > > > >A shot in the dark, but you wouldn't happen to have another box with the > >same NET on your network? > > I thought of that as well, but I compared all of the other NET addresses > and they are pretty unique. And correct me if I'm wrong, but if there was > another router running ISIS with the same NET address wouldn't it come up > with an error like:
%CLNS-4-BADPACKET: ISIS: LAN L2 hello, Duplicate system ID detected from (duplicate NET address) I forget if there is a command to view all NET addresses in the database. Thanks again for all of the help From luan at netcraftsmen.net Thu Nov 6 09:56:30 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Thu, 6 Nov 2008 09:56:30 -0500 Subject: [c-nsp] Cisco 881 3G Router Experiences In-Reply-To: References: <4912A53C.4050609@packetfault.org> Message-ID: <073c01c9401f$da103970$8e30ac50$@net> Basically just another DHCP interface IP-wise. Here's a sample configuration for DMVPN/IPSEC I used for an 1841 3G-EVDO. I used it as a primary connection as well as a backup connection.

interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string cdma
 dialer persistent
 dialer-group 1
!
interface Cellular0/1/0
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address x.x.x.x
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set cisco
 set pfs group5
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 100
 tunnel source dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile cisco

You could use IPSEC tunnel mode without DMVPN as well; just make sure the other side is configured for a dynamic crypto map. Regards, Luan Nguyen Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anton.Schweitzer at o2.com Sent: Thursday, November 06, 2008 3:57 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Cisco 881 3G Router Experiences Hi, is anybody here using a Cisco 881 3G Router with IPSEC and can share his experiences/config with me? Cheers Anton Anton Schweitzer Senior Specialist BS Projekt & Service Customer Design o2 (Germany) GmbH & Co.OHG Georg Brauchle-Ring 23-25, D-80992 München Tel +49(0)89-2442-5794 Mobil +49(0)176-23407715 Fax +49(0)89-2442-4281 anton.schweitzer at o2.com _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From luan at netcraftsmen.net Thu Nov 6 10:05:59 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Thu, 6 Nov 2008 10:05:59 -0500 Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP? In-Reply-To: References: Message-ID: <073d01c94021$2d2d4610$8787d230$@net> Just change your A end to use a dynamic map. http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml Luan Nguyen Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William Sent: Thursday, November 06, 2008 6:04 AM To: cisco-nsp Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP? Hi Chaps, I used to have a VPN tunnel running between two sites using Cisco PIX 6.x. The B end now has a dynamic IP address; every time the router reloads the tunnel goes down, and to get it back up we have to reconfigure an ISAKMP key and change our config here on the A end. Is there a way I can get round this? The router in front of our B-end PIX is not Cisco, nor is it under our control. My client downgraded their Internet Service package, which also meant that they now have a dynamic IP address :( Thanks for your time. W _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ross at kallisti.us Thu Nov 6 11:00:13 2008 From: ross at kallisti.us (Ross Vandegrift) Date: Thu, 6 Nov 2008 11:00:13 -0500 Subject: [c-nsp] ip cef optimize neighbor resolution In-Reply-To: <4912BDA7.2000605@cisco.com> References: <20081105165146.GA8842@kallisti.us> <4912BDA7.2000605@cisco.com> Message-ID: <20081106160013.GA20669@kallisti.us> On Thu, Nov 06, 2008 at 08:49:27PM +1100, Lincoln Dale wrote: > the feature is essentially an enhancement for how CEF Gleans and the > like are handled. > if you're familiar with how those kinds of things work, they would > typically need to punt to software to resolve a (not yet available) > adjacency through ARP or similar. > > the enhancement/optimization here is that it can do it with fewer CPU > cycles. Well that always sounds like a good idea! > as to whether this would help in your scenario, it's certainly a > possibility.
but unless what you're seeing is a relatively short period > of higher CPU during ARP / IP to MAC discovery, me thinks you may want > to look into what your ARP aging timers are relative to your MAC aging > timers. Hmmm, we do see ARP Input spikes, but the symptom is a pretty constantly elevated CPU utilization. Sounds like a win but not a panacea. Do you know if the change is service impacting? Our MAC aging timers are 300 seconds and ARP is 4 hours. -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From csirek at cooler.hu Thu Nov 6 11:24:38 2008 From: csirek at cooler.hu (Nemeth Laszlo) Date: Thu, 06 Nov 2008 17:24:38 +0100 Subject: [c-nsp] service policy + SYN flood vs. periodic high cpu load Message-ID: <49131A46.7030801@cooler.hu> Hi all, I'm testing the control plane policy in my lab. Now I found a very interesting event. I have a 6500/sup720 with different IOS versions (SXF6, SXF10a, SXH3a). I send a very big SYN flood to this router. I'm doing this test with a clean config (erase startup, reload :) ). I made a policy:

class-map match-all synfloodgeprol
 match access-group 199
!
policy-map synflood-in
 class synfloodgeprol
  police cir 128000 bc 4000 be 4000 conform-action transmit exceed-action drop violate-action drop
!
access-list 199 remark DEFAULT
access-list 199 permit tcp any any
access-list 199 permit udp any any
access-list 199 permit icmp any any
access-list 199 permit ip any any
!
interface GigabitEthernet5/2
 ip address 10.0.0.1 255.255.255.0
 load-interval 30
 media-type rj45
 service-policy input synflood-in

I tried to put the service-policy on the control-plane but there was no difference. The input interface traffic is:

30 second input rate 155775000 bits/sec, 304249 packets/sec
30 second output rate 128000 bits/sec, 250 packets/sec

The output rate is good: the CPU receives 128K of SYNs and answers with 128K of ACK/RST packets because my policy is working. That is the goal in this case.
Under this flood the CPU load:

Router#cpu
CPU utilization for five seconds: 0%/0%; one minute: 3%; five minutes: 6%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3       1368     1378    992  0.55%  0.07%  0.06%   0 Exec
   5       3868      263  14707  0.00%  0.33%  0.25%   0 Check hea
  20       2624    34446     76  0.00%  0.09%  0.06%   0 IPC Seat
  43        652       27  24148  0.00%  0.02%  0.00%   0 Per-minu
 155      57572   310276    185  0.00%  1.57%  3.56%   0 IP Input
 230        368     2206    166  0.00%  0.01%  0.00%   0 CEF: IPv4
 240        528      703    751  0.07%  0.03%  0.02%   0 HIDDEN VL

The policy is working great. But every 4 minutes the CPU load goes up:

Router#cpu
CPU utilization for five seconds: 79%/68%; one minute: 8%; five minutes: 6%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3       2012     1617   1244  0.31%  0.61%  0.22%   0 Exec
   5       4072      278  14647  0.00%  0.20%  0.22%   0 Check hea
  20       2812    37348     75  0.00%  0.04%  0.05%   0 IPC Seat
  27         56      555    100  0.00%  0.02%  0.00%   0 EnvMon
  43        708       29  24413  0.00%  0.03%  0.00%   0 Per-minut
 155      59732   336634    177 10.47%  1.13%  2.68%   0 IP Input
 230        400     2373    168  0.00%  0.01%  0.00%   0 CEF: IPv4
 240        568      756    751  0.00%  0.03%  0.02%   0 HIDDEN VL

Some seconds later:

Router#cpu
CPU utilization for five seconds: 99%/7%; one minute: 15%; five minutes: 7%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3       2100     1637   1282  1.11%  0.65%  0.23%   0 Exec
   5       4072      278  14647  0.00%  0.19%  0.22%   0 Check he
  20       2812    37348     75  0.00%  0.03%  0.05%   0 IPC Seat
  27         56      555    100  0.00%  0.02%  0.00%   0 EnvMon
  43        708       29  24413  0.00%  0.03%  0.00%   0 Per-minu
  77        252     1539    163  0.07%  0.00%  0.00%   0 Heartbeat
 155      66192   338269    195 90.71%  8.30%  4.14%   0 IP Input
 230        400     2382    167  0.07%  0.02%  0.00%   0 CEF: IPv4
 240        572      759    753  0.00%  0.03%  0.01%   0 HIDDEN VL

And again some seconds later:

Router#cpu
CPU utilization for five seconds: 0%/0%; one minute: 2%; five minutes: 6%
 PID Runtime(ms)  Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3       2320     1730   1341  0.23%  0.08%  0.17%   0 Exec
   5       4552      308  14779  0.00%  0.25%  0.24%   0 Check hea
  20       3008    40249     74  0.00%  0.04%  0.04%   0 IPC Seat
  43        792       32  24750  0.00%  0.04%  0.00%   0 Per-minu
  77        316     1702    185  0.00%  0.01%  0.00%   0 Heartbeat
 155      68644   378964    181  0.00%  1.03%  3.26%   0 IP Input
 230        444     2639    168  0.07%  0.02%  0.00%   0 CEF: IPv4
 240        636      841    756  0.00%  0.03%  0.02%   0 HIDDEN VL

This is the history of cpu:

[show processes cpu history output, flattened by the archive. The "CPU% per second (last 60 seconds)" graph shows a block of about ten seconds at 99-100% inside a roughly twenty-second stretch above 50%, with the rest of the minute near 0%. The "CPU% per minute (last 60 minutes)" graph (* = maximum CPU%, # = average CPU%) shows maximum values reaching 99-100% at regular intervals while the average stays around 10-20%.]

If I increase the 128K to 256K in the policy, the big CPU load comes every 2 minutes. If I set it to 64K, the load still comes every 4 minutes, but is ~40-50% instead of 100%.

Any idea?

Thanks
Laszlo

From techconfig at yahoo.com Thu Nov 6 11:38:49 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Thu, 6 Nov 2008 08:38:49 -0800 (PST)
Subject: [c-nsp] GSR no ldp all of a sudden
Message-ID: <880615.45377.qm@web44811.mail.sp1.yahoo.com>

Hi
I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success.

Here is a brief output of some ldp commands:

---------here the LDP suddenly dropped--------
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor

rt-lon-12#sh mpls ldp discovery
 Local LDP Identifier:
    5.14.95.246:0
    Discovery Sources:
    Interfaces:
        Port-channel1 (ldp): xmit/recv
            LDP Id: 5.14.95.243:0
        Port-channel2 (ldp): xmit/recv
            LDP Id: 5.14.95.244:0
        Port-channel3 (ldp): xmit/recv
            LDP Id: 5.14.95.245:0

rt-lon-12#sh mpls interfaces
Interface              IP            Tunnel   Operational
GigabitEthernet0/0/0   Yes           No       Yes
GigabitEthernet0/0/1   Yes           No       Yes
GigabitEthernet0/0/2   Yes           No       Yes
GigabitEthernet0/0/3   Yes           No       Yes
GigabitEthernet0/0/4   Yes           No       Yes
GigabitEthernet0/0/5   Yes           No       Yes
Port-channel1          Yes (ldp)     No       Yes
Port-channel2          Yes (ldp)     No       Yes
Port-channel3          Yes (ldp)     No       Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses.

Regards

Mark

From jml at packetpimp.org Thu Nov 6 10:58:39 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 06 Nov 2008 10:58:39 -0500
Subject: [c-nsp] sup1a -> sup32 image questions
Message-ID: <4913142F.1070604@packetpimp.org>

Hi all,

I'm about to begin upgrading our old sup1a/msfc1 switches from both native and hybrid IOS to sup32 native. My main requirements are simple: BGP and IOS SLB. The new download layout and new hardware are causing me some problems. Am I going to need both SP and RP images or a single image?
Jason From rakeshh at gmail.com Thu Nov 6 11:58:56 2008 From: rakeshh at gmail.com (Rakesh Hegde) Date: Thu, 6 Nov 2008 10:58:56 -0600 Subject: [c-nsp] 6509 sup 720 + export map In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com> References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com> <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org> <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com> Message-ID: <8a4649bb0811060858j3ea11ea0ja104d0c8d8a172a1@mail.gmail.com> Thanks for the input. -Rakesh On Wed, Nov 5, 2008 at 4:27 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Tim Franklin wrote on Wednesday, November 05, > 2008 10:03: > > > On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote: > > > >> if I recall correctly, we can't filter/drop routes in VRF export-maps > >> (we can in import-maps).. you could set "no-advertise" or a bogus > >> route-target extcommunity to prevent it from being advertised to your > >> RRs/remote PEs or from being imported into other VRFs. > >> If you don't want to export a certain VRF prefix, just don't > >> redistribute it into BGP (if it's a non-BGP route to begin with). > > > > Or don't set the export-target that should only be on *some* routes > > in the VRF config, just set on the matching routes in the export-map. > > > ack, this would work as well. > > > I'm > > not sure, off the top of my head, what happens if you have a VRF with > *no* > > export-target defined in the VRF config, but an rt ext-community set > > on some routes in the export map - does the redist from 'local' BGP > into > > MP-BGP still happen? > > yes, and if you don't set an rt-extcomm in the export-map, the prefix is > left without a RT. 
> > > I know there are some gotchas in the other
> > direction; even if you're matching an RT in the import map, you still
> > need it as an import target, or the prefix is dropped before it gets as
> > far as the map.
>
> right, this is due to the automatic route-target filter which only
> examines the "route-target import" statements in the VRF, not the
> route-maps.
>
> oli
>

From gert at greenie.muc.de Thu Nov 6 12:03:24 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 6 Nov 2008 18:03:24 +0100
Subject: [c-nsp] sup1a -> sup32 image questions
In-Reply-To: <4913142F.1070604@packetpimp.org>
References: <4913142F.1070604@packetpimp.org>
Message-ID: <20081106170324.GP8535@greenie.muc.de>

Hi,

On Thu, Nov 06, 2008 at 10:58:39AM -0500, Jason LeBlanc wrote:
> Am I going to need both sp and rp images or a single image?

For native, it's a single image. We run

"s3223-advipservicesk9_wan-mz.122-18.SXF7.bin"

and yours should be similarly named (starting with "s3223-...").

gert
--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From david.freedman at uk.clara.net Thu Nov 6 12:15:26 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 06 Nov 2008 17:15:26 +0000
Subject: [c-nsp] GSR no ldp all of a sudden
In-Reply-To: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
Message-ID:

control plane overloaded by traffic? are you doing control plane policing?

Mark Tech wrote:
> Hi
> I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours.
> I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success.
>
> Here is a brief output of some ldp commands:
>
> ---------here the LDP suddenly dropped--------
> Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
> Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
> Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
> Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
> Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
> Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending
>
> rt-lon-12#sh mpls ldp neighbor
>
> rt-lon-12#sh mpls ldp discovery
>  Local LDP Identifier:
>     5.14.95.246:0
>     Discovery Sources:
>     Interfaces:
>         Port-channel1 (ldp): xmit/recv
>             LDP Id: 5.14.95.243:0
>         Port-channel2 (ldp): xmit/recv
>             LDP Id: 5.14.95.244:0
>         Port-channel3 (ldp): xmit/recv
>             LDP Id: 5.14.95.245:0
>
> rt-lon-12#sh mpls interfaces
> Interface              IP            Tunnel   Operational
> GigabitEthernet0/0/0   Yes           No       Yes
> GigabitEthernet0/0/1   Yes           No       Yes
> GigabitEthernet0/0/2   Yes           No       Yes
> GigabitEthernet0/0/3   Yes           No       Yes
> GigabitEthernet0/0/4   Yes           No       Yes
> GigabitEthernet0/0/5   Yes           No       Yes
> Port-channel1          Yes (ldp)     No       Yes
> Port-channel2          Yes (ldp)     No       Yes
> Port-channel3          Yes (ldp)     No       Yes
>
> Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully.
> In fact the other GSR this is connected to is a carbon-copy, bar IP addresses.
>
> Regards
>
> Mark
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From b.turnbow at twt.it Thu Nov 6 12:23:52 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 6 Nov 2008 18:23:52 +0100
Subject: [c-nsp] GSR no ldp all of a sudden
In-Reply-To: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
Message-ID:

I would start with what was done here?

Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech
Sent: Thursday, 6 November 2008 17.39
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] GSR no ldp all of a sudden

Hi
I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success.

Here is a brief output of some ldp commands:

---------here the LDP suddenly dropped--------
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor

rt-lon-12#sh mpls ldp discovery
 Local LDP Identifier:
    5.14.95.246:0
    Discovery Sources:
    Interfaces:
        Port-channel1 (ldp): xmit/recv
            LDP Id: 5.14.95.243:0
        Port-channel2 (ldp): xmit/recv
            LDP Id: 5.14.95.244:0
        Port-channel3 (ldp): xmit/recv
            LDP Id: 5.14.95.245:0

rt-lon-12#sh mpls interfaces
Interface              IP            Tunnel   Operational
GigabitEthernet0/0/0   Yes           No       Yes
GigabitEthernet0/0/1   Yes           No       Yes
GigabitEthernet0/0/2   Yes           No       Yes
GigabitEthernet0/0/3   Yes           No       Yes
GigabitEthernet0/0/4   Yes           No       Yes
GigabitEthernet0/0/5   Yes           No       Yes
Port-channel1          Yes (ldp)     No       Yes
Port-channel2          Yes (ldp)     No       Yes
Port-channel3          Yes (ldp)     No       Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses.

Regards

Mark

From linkconnect at googlemail.com Thu Nov 6 12:51:27 2008
From: linkconnect at googlemail.com (Wayne Lee)
Date: Thu, 6 Nov 2008 17:51:27 +0000
Subject: [c-nsp] vrf-lite and pppoA interfaces
Message-ID: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com>

Hello List

I have a dedicated LNS for what we call our pwan customers; all connections are ADSL PPPoA and they all use private IP ranges as there is currently no internet access. We have about 150 connections spread over 8 customers. These are currently grouped by customer and then separated from other pwans using access-lists which are applied via RADIUS.
We want to allow internet access to these pwans and move them into a vrf-lite setup with one VRF per pwan, so this also gives us the ability to allow overlapping IP space. My VRF knowledge is (very) limited and I'm struggling to understand the best way to make this work. I have tested a basic VRF setup (with success) in the lab, but this was with 3 routers and no PPPoA/virtual-access interfaces.

My confusion is about the ip vrf forwarding: in the lab I put this on each ethernet on the main router, but in the PPPoA setup there will not be a dedicated ethernet per VRF. Also, I'll not need traffic between VRFs, so do I just need to export the routes to the RIB so the customers can get internet traffic?

Help, clue sticks and any advice will be very welcome.

Thanks

Wayne

From jml at packetpimp.org Thu Nov 6 13:08:02 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 06 Nov 2008 13:08:02 -0500
Subject: [c-nsp] sup1a -> sup32 image questions
In-Reply-To: <20081106170324.GP8535@greenie.muc.de>
References: <4913142F.1070604@packetpimp.org> <20081106170324.GP8535@greenie.muc.de>
Message-ID: <49133282.7080408@packetpimp.org>

Great, thanks for simplifying this for me. ;)

Gert Doering wrote:
> Hi,
>
> On Thu, Nov 06, 2008 at 10:58:39AM -0500, Jason LeBlanc wrote:
>
>> Am I going to need both sp and rp images or a single image?
>>
>
> For native, it's a single image. We run
>
> "s3223-advipservicesk9_wan-mz.122-18.SXF7.bin"
>
> and yours should be similarly named (starting with "s3223-...").
>
> gert
>

From rechew at ucsc.edu Thu Nov 6 12:11:35 2008
From: rechew at ucsc.edu (Richard Chew)
Date: Thu, 06 Nov 2008 09:11:35 -0800
Subject: [c-nsp] Slave Supervisor for Sup 720 10G Crashing on 6500's
Message-ID: <49132547.3090403@ucsc.edu>

Hi All,

We have recently deployed 17 6500s on campus, and about two months in we have already had 5 supervisors fail for no apparent reason.
When we call TAC they just RMA us a new Sup, but I suspect (cannot prove) that something else is causing this problem. At first I thought it was SXH2, but we have recently seen the problem on SXH3, so any help would be appreciated. Thanks.

BTW:

Nov 5 14:38:55.405 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:39:55.437 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:40:55.533 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:41:55.633 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD
Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:10
Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=8% RP=3% Traffic=0% netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10]
Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:10
Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=8% RP=3% Traffic=0% netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10]
Nov 5 14:42:55.765 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD
Nov 5 14:43:55.837 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:44:55.925 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:45:55.965 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:20
Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=2% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, fail=20], 3[IPv4, fail=20], 4[IPv6, fail=20]
Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:20
Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=14% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, fail=20], 3[IPv4, fail=20], 4[IPv6, fai=20]
Nov 5 14:46:56.077 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
Nov 5 14:47:03.241 PST: %PFREDUN-SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode
Nov 5 14:47:03.261 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (RF request)
Nov 5 14:47:13.470 PST: %LINK-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down
Nov 5 14:47:13.470 PST: %OSPF-5-ADJCHG: Process 5739, Nbr 128.114.0.4 on GigabitEthernet6/1 from FULL to DOWN, Neighbor Down: Interface down or detached
Nov 5 14:47:13.494 PST: %PIM-5-NBRCHG: neighbor 128.114.1.157 DOWN on interface GigabitEthernet6/1 non DR
Nov 5 14:47:13.494 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down
Nov 5 14:47:13.606 PST: %SNMP-5-MODULETRAP: Module 6 [Down] Trap
Nov 5 14:47:13.461 PST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down
Nov 5 14:47:13.593 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (Slot disabled)
Nov 5 14:47:13.597 PST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down

From pavel.skovajsa at gmail.com Thu Nov 6 13:40:07 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Thu, 6 Nov 2008 19:40:07 +0100
Subject: [c-nsp] Slave Supervisor for Sup 720 10G Crashing on 6500's
In-Reply-To: <49132547.3090403@ucsc.edu>
References: <49132547.3090403@ucsc.edu>
Message-ID: <323aca890811061040w6fab55b3jb3fe48633d422792@mail.gmail.com>

I would at least give it a try and upgrade to SXH3a, or wait a couple of weeks for SXH4. SXH2 is really buggy.

pavel

On Thu, Nov 6, 2008 at 6:11 PM, Richard Chew wrote:
> Hi All,
>
> We have recently deployed 17 6500s on campus, and about two months in we
> have already had 5 supervisors fail for no apparent reason. When we call
> TAC they just RMA us a new Sup, but I suspect (cannot prove) that something
> else is causing this problem. At first I thought it was SXH2, but we have
> recently seen the problem on SXH3, so any help would be appreciated.
> Thanks.
>
> BTW:
>
> Nov 5 14:38:55.405 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
> Nov 5 14:39:55.437 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
> Nov 5 14:40:55.533 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD
> Nov 5 14:41:55.633 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred.
Ctrl1 0xB080EBD > Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:10 > Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=8% RP=3% Traffic=0% > netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, > fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] > Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:10 > Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=8% RP=3% Traffic=0% > netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, > fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] > Nov 5 14:42:55.765 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD > Nov 5 14:43:55.837 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:44:55.925 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:45:55.965 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:20 > Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=2% RP=0% Traffic=0% > netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, > fail=20], 3[IPv4, fail=20], 4[IPv6, fail=20] > Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:20 > Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=14% RP=0% Traffic=0% > netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, > fail=20], 3[IPv4, fail=20], 4[IPv6, fai=20] > Nov 5 14:46:56.077 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. 
Error occurred. Ctrl1 0xB08D0EBD
> Nov 5 14:47:03.241 PST: %PFREDUN-SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode
> Nov 5 14:47:03.261 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (RF request)
> Nov 5 14:47:13.470 PST: %LINK-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down
> Nov 5 14:47:13.470 PST: %OSPF-5-ADJCHG: Process 5739, Nbr 128.114.0.4 on GigabitEthernet6/1 from FULL to DOWN, Neighbor Down: Interface down or detached
> Nov 5 14:47:13.494 PST: %PIM-5-NBRCHG: neighbor 128.114.1.157 DOWN on interface GigabitEthernet6/1 non DR
> Nov 5 14:47:13.494 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down
> Nov 5 14:47:13.606 PST: %SNMP-5-MODULETRAP: Module 6 [Down] Trap
> Nov 5 14:47:13.461 PST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down
> Nov 5 14:47:13.593 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (Slot disabled)
> Nov 5 14:47:13.597 PST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down
>

From howard at leadmon.net Thu Nov 6 14:24:15 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 6 Nov 2008 14:24:15 -0500
Subject: [c-nsp] Catalyst LAN Input Errors Query...
Message-ID: <021101c94045$45120620$cf361260$@net>

Hello to all,

I thought this would be easy to find, and maybe I haven't looked in the right place, but figured I'd ask.
I have a Cat6509 switch, and on a couple of the interfaces I have feeding from some servers, I keep seeing input errors, as shown below:

FastEthernet9/48 is up, line protocol is up (connected)
  Hardware is C6k 100Mb 802.3, address is 0004.de66.8f73 (bia 0004.de66.8f73)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 3/255, rxload 24/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:43, output hang never
  Last clearing of "show interface" counters 00:12:47
  Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  1 minute input rate 9759000 bits/sec, 1396 packets/sec
  1 minute output rate 1505000 bits/sec, 1110 packets/sec
     1067610 packets input, 920823086 bytes, 0 no buffer
     Received 0 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     839374 packets output, 146203703 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

Notice that in less than 15 min I have almost 1000 input errors, but the other more detailed counters show nothing. I have had the cable swapped, and the LAN card in the PC swapped, still the same results.

What is just an input error? Is this bad hardware, something I should just expect on some interfaces to PCs, or what? I have googled around a bit, looked on Cisco's site, and everything says that the input error counter is just the combined count of the other counters like CRC, overrun, and so on, but they are all 0 for me.

Any clues on where to look or what would cause this???
--- Howard Leadmon From rodunn at cisco.com Thu Nov 6 14:43:26 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 6 Nov 2008 14:43:26 -0500 Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed? In-Reply-To: <20081105122448.GK93039@ronin.4ever.de> References: <20081105122448.GK93039@ronin.4ever.de> Message-ID: <20081106194326.GI5059@rtp-cse-489.cisco.com> Let me ask around about this. Interesting observation. I don't know the answer. Rodney On Wed, Nov 05, 2008 at 01:24:48PM +0100, Elmar K. Bins wrote: > Re again, > > I am running into trouble with the CEF load sharing algorithm > on the ASR / IOS-XE platform. We've had this kind of setup > with 7301s for four years now, and it's never given us any > trouble. Distributed traffic pretty evenly (whenever it was > not only one or two top-talkers hitting us). > > With the new ASR / IOS-XE (1.1.2 currently, but I have found > nothing in the release notes of later versions) traffic > distribution has become in favour of the server with the > lowest IP address - very much so. It's getting 85% of all > packets. > > The setup in brief (all IPv4): > > z.z.z.z = Service address > > a.a.a.a, a.a.a.b, a.a.a.c = Interface addresses of three servers, > a a.a.a.d = Interface address of the ASR > > External routing gets z.z.z.z to the ASR. > > +--------+ ----(a.a.a.a)-[srv1] > (Internet) --- | Router |-(a.a.a.d)---+---(a.a.a.b)-[srv2] > +--------+ ----(a.a.a.c)-[srv3] > > > z.z.z.z is the only target address, all external traffic goes there, > and it does go to a specific port. This is a DNS setup, so we can > also assume that 99.9% of the protocols seen is UDP/53. 
> > Routing on the Router is as follows: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > > > rt#sh run | i cef > ip cef load-sharing algorithm tunnel 000FFEED > > > On 7301s, typical distribution is 3:4:3 or something like that. > On the ASR I see 10:1:2 (on srv1:srv2:srv3). > > This did change immediately through the replacement of the 7301 by the ASR. > My colleague tells me, we have not one but several (like a dozen) top > talkers (out of several million), just like before the router swap. > > What could cause this phenomenon? > > 1. Traffic pattern has changed. > -> my colleague denies this > > 2. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) has been altered. > > 3. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) is now buggy. > > > Experiment 1 > > Changing the algorithm to "include-ports source". > > Did not change the traffic pattern a bit. I didn't expect a > change, since AFAIK it would do the same as the "tunnel" algorithm. 
> > > Experiment 2 > > I added a.a.a.d to srv1, a.a.a.e to srv2 and a.a.a.f to srv3 and > the appropriate routes: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > ip route z.z.z.z 255.255.255.255 a.a.a.d > ip route z.z.z.z 255.255.255.255 a.a.a.e > ip route z.z.z.z 255.255.255.255 a.a.a.f > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > nexthop a.a.a.d GigabitEthernet0/0/3 > nexthop a.a.a.e GigabitEthernet0/0/3 > nexthop a.a.a.f GigabitEthernet0/0/3 > > > This changed the distribution pattern from 10:1:2 to a somewhat > better 5:1:2. > > It still shows a strong favouring of the server with the smallest > IP address. > > > Experiment 3 > > I removed the z.z.z.z -> a.a.a.d route, so that Server 1 would > only have 1/5 of the routing table pointing to it, while Servers > 2 and 3 get twice as many slots in routing and forwarding table. > I'll spare you the cef output here. > > This changed the distribution pattern - not at all, at least not > noticeably. > > > I wonder what I have stumbled onto here, and whether someone around > or at Cisco knows about a change in the algorithms that would lead > to such an effect. > > I would also be very interested in some paper that really explained > the load-sharing algorithms, since everything one can find about the > tunnel algorithm is: > > "The tunnel keyword sets the load-balancing algorithm to one > that can be used in tunnel environments or in environments > where there are only a few IP source and destination address > pairs. " > > > I appreciate any help - the server is still holding, but it's > really bad Karma, and I'd like to find a way to do my L3 poor > man's load balancing in a working fashion. > > Elmar. 
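An added illustration from the editor, not part of Elmar's mail, of Rodney's reply, or of Cisco's CEF implementation: the Python below models generic hash-based per-flow load sharing so the kind of skew described above can be reproduced offline. The hash (SHA-256 over the flow tuple), the 16-bucket table handed round-robin to the next-hops, the service address 192.0.2.53 and the twelve resolvers in 198.51.100.0/24 are all assumptions made for the example; only the next-hop names a.a.a.a, a.a.a.b and a.a.a.c come from the thread. With ports ignored, each (src, dst) pair pins all of its packets to a single bucket, so a dozen top talkers produce lumps of whole flows. With source ports in the hash, the same 3000 queries spread across all 16 buckets, subject only to the 6:5:5 bucket-to-next-hop imbalance that a 16-bucket table over three paths cannot avoid.

```python
"""Per-flow hash load sharing over a few next-hops, and why few flows skew it.

Added example for this thread, not Cisco's CEF code: a generic keyed hash
(SHA-256) over the flow tuple is reduced to a fixed number of buckets, and
the buckets are handed round-robin to the next-hops. 16 buckets over 3
next-hops is already 6:5:5, and when only a handful of (src, dst) pairs
carry most of the packets, each pair pins its whole volume to one bucket.
"""
import hashlib
from collections import Counter

BUCKETS = 16                                   # assumed; real platforms differ
NEXTHOPS = ["a.a.a.a", "a.a.a.b", "a.a.a.c"]   # next-hop names from the thread


def flow_bucket(src, dst, sport, dport, proto, include_ports=False, salt=0):
    """Map one flow to a bucket; salt stands in for a per-box hash seed."""
    key = f"{salt}|{src}|{dst}|{proto}"
    if include_ports:
        key += f"|{sport}|{dport}"
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS


def bucket_table(nexthops):
    """Round-robin bucket -> next-hop table (16 over 3 gives 6:5:5)."""
    return [nexthops[i % len(nexthops)] for i in range(BUCKETS)]


def distribute(flows, nexthops, include_ports=False, salt=0):
    """flows: iterable of (src, dst, sport, dport, proto, packets).
    Returns (Counter of packets per next-hop, number of distinct buckets hit)."""
    table = bucket_table(nexthops)
    per_nh = Counter()
    used = set()
    for src, dst, sport, dport, proto, pkts in flows:
        b = flow_bucket(src, dst, sport, dport, proto, include_ports, salt)
        used.add(b)
        per_nh[table[b]] += pkts
    return per_nh, len(used)


def skew(per_nh, nexthops):
    """Ratio of busiest to quietest next-hop; 1.0 is perfectly even."""
    counts = [per_nh.get(nh, 0) for nh in nexthops]
    return max(counts) / max(min(counts), 1)


def constructed_traffic(n_talkers=12, queries_each=250, vip="192.0.2.53"):
    """Constructed sample (not captured data): n_talkers resolvers each send
    queries_each UDP/53 queries to the service address, every query from a
    fresh ephemeral source port."""
    flows = []
    for t in range(n_talkers):
        src = f"198.51.100.{t + 1}"
        for q in range(queries_each):
            flows.append((src, vip, 10000 + q, 53, "udp", 1))
    return flows


if __name__ == "__main__":
    flows = constructed_traffic()
    for include_ports in (False, True):
        per_nh, used = distribute(flows, NEXTHOPS, include_ports)
        print(f"include_ports={include_ports!s:5} buckets hit={used:2d} "
              f"skew={skew(per_nh, NEXTHOPS):.2f} {dict(per_nh)}")
```

Run as a script it prints both distributions. Changing `salt` shows that the ports-ignored split is an accident of which bucket each top talker lands in, which is one generic reason the same traffic mix can split very differently on two boxes that hash differently; it does not say which hash a given platform uses, and it is not a claim about what changed between the 7301 and the ASR.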
From peter at rathlev.dk Thu Nov 6 15:40:49 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Nov 2008 21:40:49 +0100
Subject: [c-nsp] ISIS Route Flapping Issue
In-Reply-To:
References: <1225905544.13955.6.camel@abehat>
Message-ID: <1226004049.8786.19.camel@abehat>

On Thu, 2008-11-06 at 09:48 -0500, David Jacobs wrote:
> When I do a "sh spf-log" this is the message I keep seeing
>
> On Cisco
>
> 00:24:50   72  109  8  router1.00-00  TLVCONTENT
> 00:24:20   72  109  8  router1.00-00  TLVCONTENT
> 00:23:50   76  109  8  router1.00-00  TLVCONTENT
> 00:23:20   64  109  8  router1.00-00  TLVCONTENT
> 00:22:50   76  109  8  router1.00-00  TLVCONTENT
> 00:22:20   72  109  8  router1.00-00  TLVCONTENT
> 00:21:50   72  109  8  router1.00-00  TLVCONTENT
> 00:21:20   72  109  8  router1.00-00  TLVCONTENT
> 00:20:50   72  109  8  router1.00-00  TLVCONTENT
> 00:20:19   72  108  7  router1.00-00  TLVCONTENT
> 00:19:49   72  108  8  router1.00-00  TLVCONTENT
> 00:19:19   68  108  8  router1.00-00  TLVCONTENT

This is from a neighboring router, right? It seems the router is sending
out LSP TLV changes, and rather many of them. In each 30 second interval
the router sent 8 TLV changes, about one every four seconds.

What does "show isis lsp-log" say on "router1"?

> and on Foundry
>
> 1m55s 450ms  78   6  router1.00-00  Area Address TLV Change
> 2m26s 450ms  39  17  router1.00-00  Area Address TLV Change
> 2m56s 450ms  39  17  router1.00-00  Area Address TLV Change
> 3m27s 450ms  39  13  router1.00-00  Area Address TLV Change
> 3m57s 450ms  39  18  router1.00-00  Area Address TLV Change

I don't know Foundry, but I could be tempted to read this as "Area ID
changed".

> > A shot in the dark, but you wouldn't happen to have another box with
> > the same NET on your network?
>
> I thought of that as well, but I compared all of the other NET
> addresses and they are pretty unique. And correct me if I'm wrong, but
> if there was another router running ISIS with the same NET address
> wouldn't it come up with an error like..
>
> %CLNS-4-BADPACKET: ISIS: LAN L2 hello, Duplicate system
> ID detected from (duplicate NET address)

That sounds reasonable.

> I forget if there is a command to view all NET addresses in the database

That would be "show isis hostname".

Regards,
Peter

From raa at opusnet.com Thu Nov 6 16:03:30 2008
From: raa at opusnet.com (Ruben Alvarez)
Date: Thu, 6 Nov 2008 13:03:30 -0800
Subject: [c-nsp] Cisco IOS for broadband aggregation
Message-ID: <000001c94053$1fb18280$5f148780$@com>

Hi All,

I'm upgrading IOS on my c7206VXR with an npe-300 and:
UBR7200-I/O-2FE/E
PA-A3-T3=
PA-IMA-T1=
PA-4E=

I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the
12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't
seen much about it. I assume it's got the same features as (28)? If anyone
has any feedback let me know.

Thanks.

From roddy.strachan at staff.netspace.net.au Thu Nov 6 16:10:40 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Fri, 07 Nov 2008 08:10:40 +1100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c94053$1fb18280$5f148780$@com>
Message-ID:

Ruben,

Funny you mention it.

I've just finished an upgrade of a mixture of 7301 and 7206vxr to
12.2(31)SB13.

Had a 7301 running in production for 1 week, no issues, the LNS seems a lot
more stable if you ask me.

Don't know how the 7206 will go as they have been in production less than an
hour :).

So far so good, no real issues to report.

From rinse.kloek at isp.solcon.nl Thu Nov 6 16:11:43 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Thu, 06 Nov 2008 22:11:43 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c94053$1fb18280$5f148780$@com>
References: <000001c94053$1fb18280$5f148780$@com>
Message-ID: <49135D8F.8090803@isp.solcon.nl>

Ruben,

We are using the 12.2(31)SB on one of our routers. We saw some problems
with policy routing with VRFs with the SB6 release, but we expect this to
be fixed in the SB12+. For a full list of software/hardware
features/caveats, see
http://www.cisco.com/en/US/docs/ios/12_2sb/release/notes/122SB.html

Be aware that the SB train will be superseded by the 12.2.33SRC.

regards Rinse Kloek

From rinse.kloek at isp.solcon.nl Thu Nov 6 16:14:25 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Thu, 06 Nov 2008 22:14:25 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To:
References:
Message-ID: <49135E31.8010102@isp.solcon.nl>

What kind of features do you use with the 7206VXR box? We are also
looking to upgrade to 12.2.31SB13 because we have some problems with
12.2(31)SB6.

regards Rinse

From peter at rathlev.dk Thu Nov 6 16:20:17 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Nov 2008 22:20:17 +0100
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <021101c94045$45120620$cf361260$@net>
References: <021101c94045$45120620$cf361260$@net>
Message-ID: <1226006417.8786.34.camel@abehat>

On Thu, 2008-11-06 at 14:24 -0500, Howard Leadmon wrote:
> FastEthernet9/48 is up, line protocol is up (connected)
>   Hardware is C6k 100Mb 802.3, address is 0004.de66.8f73 (bia 0004.de66.8f73)
>   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
>      reliability 255/255, txload 3/255, rxload 24/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 100Mb/s
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output 00:00:43, output hang never
>   Last clearing of "show interface" counters 00:12:47
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   1 minute input rate 9759000 bits/sec, 1396 packets/sec
>   1 minute output rate 1505000 bits/sec, 1110 packets/sec
>      1067610 packets input, 920823086 bytes, 0 no buffer
>      Received 0 broadcasts (0 multicasts)
>      0 runts, 0 giants, 0 throttles
>      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      839374 packets output, 146203703 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>
> Notice that in less than 15 min I have almost 1000 input errors, but
> the other more detailed counters show nothing. I have had the cable
> swapped, and the LAN card in the PC swapped, still the same results.

Well, a thousand errors may sound like much, but it's less than 0.1% of
the total number of packets received.

> What is just an input error? Is this bad hardware, something I should
> just expect on some interfaces to PC's, or what?
>
> I have googled around a bit, looked on Cisco's site, and everything
> says that the input error counter is just the combined count of the
> other counters like CRC, overrun, and so on, but they are all 0 for
> me..
>
> Any clues on where to look or what would cause this???

What type of card is it? If you have an oversubscribed path to the
backplane the switch might drop packets there. AFAIK there's no
surefire way to find out though.

Input flow control might help reducing lost packets if they're caused by
oversubscription / too small buffers. This assumes the server NICs know
flow-control of course.

Do you have any interface on a similar module with similar traffic/load
patterns that is not experiencing these errors?

Regards,
Peter

From raa at opusnet.com Thu Nov 6 16:29:25 2008
From: raa at opusnet.com (Ruben Alvarez)
Date: Thu, 6 Nov 2008 13:29:25 -0800
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49135E31.8010102@isp.solcon.nl>
References: <49135E31.8010102@isp.solcon.nl>
Message-ID: <000101c94056$c0378940$40a69bc0$@com>

That's a great Cisco doc, thanks.

I haven't been able to find anything on Google, but we are having issues
with static IP configuration with the new Actiontec M1000 modem firmware
(v2.) I can assign static IP addresses to the modem via radius, but cannot
with the IP unnumbered mode feature in the Actiontec CPE.
I figured I'd give the newer IOS a try before I start debugging PPP or
radius.

Thanks.

From Curtis at GreenKey.net Thu Nov 6 17:11:42 2008
From: Curtis at GreenKey.net (Curtis Doty)
Date: Thu, 6 Nov 2008 14:11:42 -0800 (PST)
Subject: [c-nsp] watchdog timeout - nmi reset
In-Reply-To: <200811061055.12235.mtinka@globaltransit.net>
References: <200811061055.12235.mtinka@globaltransit.net>
Message-ID: <20081106221142.49BA76F073@alopias.GreenKey.net>

10:55am Mark Tinka said:

> Hi all.
>
> We've had a bit of bad luck lately with a couple of NPE-G1's
> suddenly reloading due to watchdog timeouts.

WAG: The pseudo-preemption gets tangled by something like BFD?

http://puck.nether.net/pipermail/cisco-nsp/2008-October/055734.html

../C

From roddy.strachan at staff.netspace.net.au Thu Nov 6 17:29:50 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Fri, 07 Nov 2008 09:29:50 +1100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49135E31.8010102@isp.solcon.nl>
Message-ID:

No real special features. MQOS to allow QOS policies on the fly as well as
POD radius disconnects. Other than that it's a plain vanilla PPP/LNS
termination device.

On 7/11/08 8:14 AM, "Rinse Kloek" wrote:

> What kind of features do you use with the 7206VXR box? We are also
> looking to upgrade to 12.2.31SB13 because we have some problems with
> 12.2(31)SB6.
>
> regards Rinse

--
Regards,
Roddy Strachan
Sysadmin Team Leader
Netspace Online Systems
Ph : 03-9811-0016
Mob : 0416-116-291
Fax : 03-9811-0044
Email: roddy.strachan at staff.netspace.net.au

From peter at rathlev.dk Thu Nov 6 18:30:32 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Nov 2008 00:30:32 +0100
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226006417.8786.34.camel@abehat>
References: <021101c94045$45120620$cf361260$@net>
	<1226006417.8786.34.camel@abehat>
Message-ID: <1226014232.8786.49.camel@abehat>

On Thu, 2008-11-06 at 22:20 +0100, Peter Rathlev wrote:
> >      1067610 packets input, 920823086 bytes, 0 no buffer
> >      Received 0 broadcasts (0 multicasts)
> >      0 runts, 0 giants, 0 throttles
> >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored

> > I have googled around a bit, looked on Cisco's site, and everything
> > says that the input error counter is just the combined count of the
> > other counters like CRC, overrun, and so on, but they are all 0 for
> > me..
> >
> > Any clues on where to look or what would cause this???

Also "show interface Fa9/48 counters errors" gives you a couple more
counters to gaze at. :-)

Regards,
Peter

From paul at paulstewart.org Thu Nov 6 19:23:17 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 6 Nov 2008 19:23:17 -0500
Subject: [c-nsp] Limiting upstream paths to downstream customer - BGP
Message-ID: <00c201c9406f$0e5db6e0$2b1924a0$@org>

Hi there.

I'm looking for a Cisco doc or a quick guide to *best practice* for the
following scenario:

Provider A gets 5 upstream BGP feeds via two core routers. Provider B wants
to purchase transit from Provider A but does not want to send/receive any
traffic via one of Provider A's upstreams (Provider X in this case).
Provider A also uses BGP communities to mark their downstream customers,
their upstream connections etc.
Obviously Provider A can simply not announce Provider B to Provider X,
solving this issue in one direction. But what about traffic coming into
Provider A from Provider B that prefers Provider X outbound?

I'm thinking that you could use route-maps on Provider A (which would
already be in place anyways most likely) and local-pref Provider X's routes
specific to Provider B's community? If this is the best practice, anyone
have a config snippet they could share or is there a better way?

Thanks in advance, hopefully I'm explaining this well.

Paul

From phila at cascopoint.com Thu Nov 6 19:49:27 2008
From: phila at cascopoint.com (Anton Yurchenko)
Date: Thu, 06 Nov 2008 16:49:27 -0800
Subject: [c-nsp] Link level compression
Message-ID: <49139097.4070005@cascopoint.com>

Hi All,

I am researching if there is a possibility to save some money on links by
using link compression. I am not talking WAN acceleration, but something
that will basically zip packets on one end and unzip on another. Link
bandwidths are 10Gig and up.

Any recommendations/experiences are very much welcome.

Thanks,
Anton Yurchenko

From howard at leadmon.net Thu Nov 6 21:05:12 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 6 Nov 2008 21:05:12 -0500
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226006417.8786.34.camel@abehat>
References: <021101c94045$45120620$cf361260$@net>
	<1226006417.8786.34.camel@abehat>
Message-ID: <024001c9407d$484e7200$d8eb5600$@net>

> On Thu, 2008-11-06 at 14:24 -0500, Howard Leadmon wrote:
> > FastEthernet9/48 is up, line protocol is up (connected)
> >   Hardware is C6k 100Mb 802.3, address is 0004.de66.8f73 (bia 0004.de66.8f73)
> >   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
> >      reliability 255/255, txload 3/255, rxload 24/255
> >   Encapsulation ARPA, loopback not set
> >   Keepalive set (10 sec)
> >   Full-duplex, 100Mb/s
> >   input flow-control is off, output flow-control is unsupported
> >   ARP type: ARPA, ARP Timeout 04:00:00
> >   Last input never, output 00:00:43, output hang never
> >   Last clearing of "show interface" counters 00:12:47
> >   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
> >   Queueing strategy: fifo
> >   Output queue: 0/40 (size/max)
> >   1 minute input rate 9759000 bits/sec, 1396 packets/sec
> >   1 minute output rate 1505000 bits/sec, 1110 packets/sec
> >      1067610 packets input, 920823086 bytes, 0 no buffer
> >      Received 0 broadcasts (0 multicasts)
> >      0 runts, 0 giants, 0 throttles
> >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >      0 watchdog, 0 multicast, 0 pause input
> >      0 input packets with dribble condition detected
> >      839374 packets output, 146203703 bytes, 0 underruns
> >      0 output errors, 0 collisions, 0 interface resets
> >      0 babbles, 0 late collision, 0 deferred
> >      0 lost carrier, 0 no carrier, 0 PAUSE output
> >      0 output buffer failures, 0 output buffers swapped out
> >
> > Notice that in less than 15 min I have almost 1000 input errors, but
> > the other more detailed counters show nothing. I have had the cable
> > swapped, and the LAN card in the PC swapped, still the same results.
>
> Well, a thousand errors may sound like much, but it's less than 0.1% of
> the total number of packets received.

Understood, and I think the client's network is working OK, but when all
the other interfaces are running without a constant stream of errors, it
has to make you wonder!

> > What is just an input error? Is this bad hardware, something I should
> > just expect on some interfaces to PC's, or what?
> >
> > I have googled around a bit, looked on Cisco's site, and everything
> > says that the input error counter is just the combined count of the
> > other counters like CRC, overrun, and so on, but they are all 0 for
> > me..
> >
> > Any clues on where to look or what would cause this???
>
> What type of card is it? If you have an oversubscribed path to the
> backplane the switch might drop packets there. AFAIK there's no
> surefire way to find out though.

Basically it's a BSDi based firewall (they need to replace at some point),
that has a pair of Intel Pro/100B adapters installed in it for the in/out
paths. Both are running 100/FDX, verified with ifconfig, and of course as
you could see from my original posting the switch ports are also 100/FDX.
Just FYI, cables and network cards replaced on the server, but same thing.

> Input flow control might help reducing lost packets if they're caused by
> oversubscription / too small buffers. This assumes the server NICs know
> flow-control of course.
>
> Do you have any interface on a similar module with similar traffic/load
> patterns that is not experiencing these errors?

As stated above, it's the two PRO/100 cards generating errors to the
switch. There are other machines/devices plugged in to the various ports
that seem to be working fine, which is why at first I figured maybe some
wonky hardware.

On the issue of traffic loading and oversubscription: I don't know what the
max on a WS-X6348-RJ-45 board is, I know it's not the star champ of the
6500 line, but if you look at the data flows the sucker only sees 6-10 meg
of traffic, in fact nothing on that board is pounding the heck out of it,
so I wouldn't think a couple meg of traffic (it was only running 3meg when
I took the samples with the increasing errors) would blow out any port on a
switch like that, but maybe I am wrong..

> Regards,
> Peter

---
Howard Leadmon

From howard at leadmon.net Thu Nov 6 21:08:26 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 6 Nov 2008 21:08:26 -0500
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226014232.8786.49.camel@abehat>
References: <021101c94045$45120620$cf361260$@net>
	<1226006417.8786.34.camel@abehat>
	<1226014232.8786.49.camel@abehat>
Message-ID: <024301c9407d$bb5417f0$31fc47d0$@net>

> On Thu, 2008-11-06 at 22:20 +0100, Peter Rathlev wrote:
> > >      1067610 packets input, 920823086 bytes, 0 no buffer
> > >      Received 0 broadcasts (0 multicasts)
> > >      0 runts, 0 giants, 0 throttles
> > >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>
> > > I have googled around a bit, looked on Cisco's site, and everything
> > > says that the input error counter is just the combined count of the
> > > other counters like CRC, overrun, and so on, but they are all 0 for
> > > me..
> > >
> > > Any clues on where to look or what would cause this???
>
> Also "show interface Fa9/48 counters errors" gives you a couple more
> counters to gaze at. :-)
>
> Regards,
> Peter

Thanks Peter, I knew I had looked at show interface Fa9/48 counters, but
not the show interface Fa9/48 counters errors command.
Actually doing that shows me:

#show interface Fa9/48 counters errors

Port       Align-Err    FCS-Err   Xmit-Err    Rcv-Err  UnderSize OutDiscards
Fa9/48         42994          0          0      42994          0           0

Port      Single-Col  Multi-Col   Late-Col  Excess-Col  Carri-Sen     Runts    Giants
Fa9/48             0          0          0           0          0         0         0

Port      SQETest-Err Deferred-Tx IntMacTx-Err IntMacRx-Err Symbol-Err
Fa9/48              0           0            0            0          0

So Align-Err is the issue, of course a quick look for that seems to
indicate a hardware issue, but heck we replaced the various components and
still have the issue. So still stumped at this point..

---
Howard Leadmon

From Jamie.Stephens at chartercom.com Thu Nov 6 21:40:59 2008
From: Jamie.Stephens at chartercom.com (Stephens, Jamie A)
Date: Thu, 6 Nov 2008 20:40:59 -0600
Subject: [c-nsp] Catalyst LAN Input Errors Query...
References: <021101c94045$45120620$cf361260$@net>
	<1226006417.8786.34.camel@abehat>
	<1226014232.8786.49.camel@abehat>
	<024301c9407d$bb5417f0$31fc47d0$@net>
Message-ID:

I know this seems minor but I see this all the time with a duplex mismatch.

Jamie Stephens
Network Sales Engineer
2 Digital Place
Simpsonville, SC 29681
Cell 864-505-9879

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ariemer at wesenergy.com.au Thu Nov 6 21:46:16 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 7 Nov 2008 11:46:16 +0900
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <024001c9407d$484e7200$d8eb5600$@net>
References: <021101c94045$45120620$cf361260$@net>
	<1226006417.8786.34.camel@abehat>
	<024001c9407d$484e7200$d8eb5600$@net>
Message-ID: <0867622C64B50C4B878AB45C95F43F11063E95F8@MAILWA01.wesenergy.local>

Hi,

That module is limited to 32Gbps which is split up into 4 ASICs that
handle 12 ports each.

Quoting Cisco's website ->
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a0080118a5c.shtml

You can also take a look at the counters that indicate if the ASIC is
being oversubscribed. Refer here ->
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC

Cheers,

Aaron Riemer

From mtinka at globaltransit.net Thu Nov 6 23:13:13 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 7 Nov 2008 12:13:13 +0800
Subject: [c-nsp] watchdog timeout - nmi reset
In-Reply-To: <20081106221142.49BA76F073@alopias.GreenKey.net>
References: <200811061055.12235.mtinka@globaltransit.net>
	<20081106221142.49BA76F073@alopias.GreenKey.net>
Message-ID: <200811071213.18100.mtinka@globaltransit.net>

On Friday 07 November 2008 06:11:42 Curtis Doty wrote:

> WAG: The pseudo-preemption gets tangled by something like
> BFD?
> http://puck.nether.net/pipermail/cisco-nsp/2008-October/055734.html

Yep, I recalled this e-mail you sent about your BFD woes after the TAC
engineer came back to say it's software-related.

The first time we logged this case with TAC, they were sure it was a
hardware issue. The second time around - and I must say this TAC engineer
was very impressive in identifying this issue quickly and decisively - it
took less than a day and turned out to be the code.

Let's hope SRC3 comes out as scheduled.

Cheers,

Mark.
Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From rvelnara at cisco.com Fri Nov 7 00:11:57 2008 From: rvelnara at cisco.com (Ramnath Velnarayanan) Date: Fri, 7 Nov 2008 10:41:57 +0530 Subject: [c-nsp] Need help in V6MCAST Group count Message-ID: <000001c94097$5ccfc750$e5064d0a@cisco.com> Hi All, I am facing an issue with Ipv6-multicast. Here I am seeing variance in route entries with different command outputs 1) sh ipv mld groups summary MLD Route Summary No. of (*,G) routes = 16 No. of (S,G) routes = 0 2) sh ipv6 mfib summary IPv6 MFIB summary: 64 total entries [4 (S,G), 13 (*,G), 47 (*,G/m)] 40 total MFIB interfaces I need to find how many groups been added .So which " (*,G) " count to take as Group count. s/w version - 12.2(32.8.11)SX209 H/w - ME6523 Please help in this issue. Thanks in advance Ram From jeremy at mojohost.com Thu Nov 6 23:38:09 2008 From: jeremy at mojohost.com (Jeremy Reid) Date: Fri, 07 Nov 2008 04:38:09 GMT Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)... Message-ID: <200811062338406.SM03088@[64.59.94.34]> Hi, I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down: We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak. This does not appear to be a counters problem, as we can confirm from the destination device on the other end of the SPAN port that it is indeed only seeing 5Gbps worth of traffic. 
Doing a little 'deconstructive' unit testing -- we have tried eliminating the 'aggregation angle' and picked a single source 10G interface that only had about 1Gbps worth of traffic to span. Looking at the destination interface, it was consistently only reporting about 600mbps. We have tried various such tests and we always seem to get similar results, in that the destination interface traffic is always significantly (between 20 and 40%) LESS than whatever the source interface is actually carrying -- at least on the egress side of things (our ingress traffic is not sizable enough to gauge accurately).

There are no physical errors/malformed frames/drops (including queue drops) being reported on either the SPAN source interface(s) or the destination. Jumbos aren't allowed on either interface, so it's not related to that either. The only plus to this (from a troubleshooting perspective, anyway) is that it is consistently 'broke' -- which should make finding the solution easier, but so far, it has proved rather elusive.

We have replicated this scenario on both our current code (SXH3a) as well as SXF14 (previous code until very recently). Further, we can replicate it on multiple independent 65k platforms (all equipped similarly). We have also verified there is no bus/proc oversubscription or anything of the sort going on -- but even went to the extent of moving two test interfaces containing both the SPAN source and destination to the same physical linecard (6704-10GE) and even popped in a DFC3BXL on this linecard for good measure (even though we saw no reason to do so from a numbers point of view). No change in the behavior with the DFC.

Anyone seen anything along these lines? Couldn't find anything publicly on the bug toolkit that seemed relevant... (big surprise). Just thought I'd try the list here before getting on the TAC merry-go-round.

Thoughts?

-Jeremy

Jeremy Reid
Network Engineer
Mojohost

From ivan at ig.sk Fri Nov 7 02:36:02 2008
From: ivan at ig.sk (Ivan Gasparik)
Date: Fri, 7 Nov 2008 08:36:02 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c94053$1fb18280$5f148780$@com>
References: <000001c94053$1fb18280$5f148780$@com>
Message-ID: <200811070836.02950.ivan@ig.sk>

Hi,

be careful with your NPE-300, which has already reached End-of-everything and is not supported with the 12.2SB train. As far as I know the last supported S-based train for the NPE-300 is 12.2S. You might notice the warning message at bootup of the router or when issuing the show version command.

Ivan

On Thursday 06 November 2008, Ruben Alvarez wrote:
> Hi All,
>
> I'm upgrading IOS on my c7206VXR with an npe-300 and:
> UBR7200-I/O-2FE/E
> PA-A3-T3=
> PA-IMA-T1=
> PA-4E=
> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone
> using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking
> online and haven't seen much about it. I assume it's got the same
> features as (28)? If anyone has any feedback let me know.
>
> Thanks.

From techconfig at yahoo.com Fri Nov 7 03:46:01 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Fri, 7 Nov 2008 00:46:01 -0800 (PST)
Subject: [c-nsp] GSR no ldp all of a sudden
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
Message-ID: <641393.84470.qm@web44804.mail.sp1.yahoo.com>

Got it. OSPF was removed from loopback interface

Got it working now

----- Original Message ----
From: Brian Turnbow
To: Mark Tech ; cisco-nsp at puck.nether.net
Sent: Thursday, November 6, 2008 5:23:52 PM
Subject: RE: [c-nsp] GSR no ldp all of a sudden

I would start with what was done here:

Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech
Sent: Thursday, 6 November 2008 17.39
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] GSR no ldp all of a sudden

Hi

I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden one GSR has lost all its LDP neighbours. I have cleared the MPLS LDP neighbours, and finally ended up rebooting the router, with no success.

Here is a brief output of some LDP commands:

---------here the LDP suddenly dropped--------
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor
rt-lon-12#sh mpls ldp discovery
 Local LDP Identifier:
    5.14.95.246:0
    Discovery Sources:
    Interfaces:
        Port-channel1 (ldp): xmit/recv
            LDP Id: 5.14.95.243:0
        Port-channel2 (ldp): xmit/recv
            LDP Id: 5.14.95..244:0
        Port-channel3 (ldp): xmit/recv
            LDP Id: 5.14.95.245:0
rt-lon-12#sh mpls interfaces
Interface              IP            Tunnel   Operational
GigabitEthernet0/0/0   Yes           No       Yes
GigabitEthernet0/0/1   Yes           No       Yes
GigabitEthernet0/0/2   Yes           No       Yes
GigabitEthernet0/0/3   Yes           No       Yes
GigabitEthernet0/0/4   Yes           No       Yes
GigabitEthernet0/0/5   Yes           No       Yes
Port-channel1          Yes (ldp)     No       Yes
Port-channel2          Yes (ldp)     No       Yes
Port-channel3          Yes (ldp)     No       Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses.

Regards
Mark

From b.turnbow at twt.it Fri Nov 7 03:48:35 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 7 Nov 2008 09:48:35 +0100
Subject: [c-nsp] vrf-lite and pppoA interfaces
In-Reply-To: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com>
References: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com>
Message-ID:

Hi Wayne,

Take a look into assigning the VRF for the PPPoA sessions via RADIUS. If you google on the list you will find several discussions on the issue. You can then use VRF-aware firewall features (like VRF-aware NAT etc.) for internet access.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_vrfaw.html

Other options are listed here:

http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
Sent: Thursday, 6 November 2008 18.51
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vrf-lite and pppoA interfaces

Hello List

I have a dedicated LNS for what we call our pwan customers; all connections are ADSL PPPoA and they all use private IP ranges as there is currently no internet access. We have about 150 connections spread over 8 customers; these are currently grouped by customer and then separated from other pwans using access-lists which are applied via RADIUS.

We want to allow internet access to these pwans and move them into a vrf-lite setup with one VRF per pwan, so this also gives us the ability to allow overlapping IP space.

My VRF knowledge is (very) limited and I'm struggling to understand the best way to make this work. I have tested a basic VRF setup (with success) in the lab, but this was with 3 routers and no PPPoA/virtual-access interfaces.

My confusion is about the ip vrf forwarding: in the lab I put this on each ethernet on the main router, but in the PPPoA setup there will not be a dedicated ethernet per VRF. Also I'll not need traffic between VRFs, so do I just need to export the routes to the RIB so the customers can get internet traffic?

Help, clue sticks and any advice will be very welcome.

Thanks
Wayne

From mtinka at globaltransit.net Fri Nov 7 03:52:45 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 7 Nov 2008 16:52:45 +0800
Subject: [c-nsp] GSR no ldp all of a sudden
In-Reply-To: <641393.84470.qm@web44804.mail.sp1.yahoo.com>
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com> <641393.84470.qm@web44804.mail.sp1.yahoo.com>
Message-ID: <200811071652.49889.mtinka@globaltransit.net>

On Friday 07 November 2008 16:46:01 Mark Tech wrote:

> Got it. OSPF was removed from loopback interface

Just wondering if you have RANCID configured so you can learn, more quickly, what changes the router has undergone.

Cheers,

Mark.
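A minimal change-detection check in the spirit of what RANCID does, written here as an added example (it is not RANCID's code and not from the thread): it diffs two constructed running-config snapshots modelled on the reported fault (OSPF removed from the loopback that carries the LDP router-id 5.14.95.246) and correlates the change with the %SYS-5-CONFIG_I syslog line quoted above, so that the change can be tied to a terminal line and source address. The config contents and the second syslog line are constructed samples.

```python
"""Minimal config-change check in the spirit of RANCID (added example; not
RANCID's own code).  It diffs two captured running-config snapshots stanza
by stanza and correlates the change with the %SYS-5-CONFIG_I syslog line,
so that "OSPF was removed from the loopback" can be tied to a session."""
import difflib
import re

# Constructed 'before' snapshot.  The loopback carries the LDP router-id
# (5.14.95.246, as in the thread) and is advertised into OSPF so that the
# neighbours have a route to the LDP ID.
CONFIG_BEFORE = """\
interface Loopback0
 ip address 5.14.95.246 255.255.255.255
 ip ospf 1 area 0
!
interface Port-channel1
 ip address 10.0.0.1 255.255.255.252
 ip ospf 1 area 0
 mpls ip
!
mpls ldp router-id Loopback0 force
"""

# Constructed 'after' snapshot: identical except the loopback left OSPF, so
# the remote LSRs lose the route to the LDP ID and the sessions time out.
CONFIG_AFTER = CONFIG_BEFORE.replace(" ip ospf 1 area 0\n!\ninterface Port-channel1",
                                     "!\ninterface Port-channel1")

# Constructed syslog capture; the first line is the one quoted in the thread.
SYSLOG = """\
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
"""

CONFIG_I = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d \w+): %SYS-5-CONFIG_I: Configured from "
    r"(?P<src>.+?) by (?P<line>\S+)(?: \((?P<addr>[\d.]+)\))?$"
)


def split_stanzas(config):
    """Map each top-level line (stanza header) to its indented child lines."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            current = None
        elif line.startswith(" "):
            if current is not None:
                stanzas[current].append(line.strip())
        else:
            current = line
            stanzas[current] = []
    return stanzas


def config_diff(before, after):
    """Return {stanza: (removed, added)} for every stanza that differs."""
    old, new = split_stanzas(before), split_stanzas(after)
    changes = {}
    for name in sorted(set(old) | set(new)):
        if name not in new:
            changes[name] = (["<stanza removed>"] + old[name], [])
        elif name not in old:
            changes[name] = ([], ["<stanza added>"] + new[name])
        else:
            removed = [l for l in old[name] if l not in new[name]]
            added = [l for l in new[name] if l not in old[name]]
            if removed or added:
                changes[name] = (removed, added)
    return changes


def unified(before, after):
    """Plain unified diff of the two snapshots, similar to what RANCID mails out."""
    return list(difflib.unified_diff(before.splitlines(), after.splitlines(),
                                     "running-config.old", "running-config.new",
                                     lineterm=""))


def find_config_events(syslog):
    """Pull timestamp, terminal line and source address from CONFIG_I lines."""
    events = []
    for line in syslog.splitlines():
        m = CONFIG_I.match(line)
        if m:
            events.append({"ts": m["ts"], "line": m["line"], "addr": m["addr"]})
    return events


def report(before, after, syslog):
    """Human-readable summary: what changed, and which session changed it."""
    out = []
    for name, (removed, added) in config_diff(before, after).items():
        out += [f"{name}: removed '{l}'" for l in removed]
        out += [f"{name}: added '{l}'" for l in added]
    for ev in find_config_events(syslog):
        out.append(f"config session: {ev['ts']} via {ev['line']} from {ev['addr']}")
    return out


if __name__ == "__main__":
    print("\n".join(unified(CONFIG_BEFORE, CONFIG_AFTER)))
    print("\n".join(report(CONFIG_BEFORE, CONFIG_AFTER, SYSLOG)))
```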
From techconfig at yahoo.com Fri Nov 7 05:44:09 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Fri, 7 Nov 2008 02:44:09 -0800 (PST)
Subject: [c-nsp] GSR no ldp all of a sudden
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com> <641393.84470.qm@web44804.mail.sp1.yahoo.com> <200811071652.49889.mtinka@globaltransit.net>
Message-ID: <788694.67680.qm@web44806.mail.sp1.yahoo.com>

Hi

Actually we do run RANCID in the production network, however these boxes are still on test :)

Cheers
Mark

----- Original Message ----
From: Mark Tinka
To: cisco-nsp at puck.nether.net
Cc: Mark Tech ; Brian Turnbow
Sent: Friday, November 7, 2008 8:52:45 AM
Subject: Re: [c-nsp] GSR no ldp all of a sudden

On Friday 07 November 2008 16:46:01 Mark Tech wrote:

> Got it. OSPF was removed from loopback interface

Just wondering if you have RANCID configured so you can learn, more quickly, what changes the router has undergone.

Cheers,

Mark.

From hank at efes.iucc.ac.il Fri Nov 7 05:57:40 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 7 Nov 2008 12:57:40 +0200 (IST)
Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)...
In-Reply-To: <200811062338406.SM03088@[64.59.94.34]>
References: <200811062338406.SM03088@[64.59.94.34]>
Message-ID:

On Fri, 7 Nov 2008, Jeremy Reid wrote:

Do you have an ACL on the source ports? I hit this years ago:

CSCsb21148
Rx SPAN may not work when outbound ACL is applied to source interface

A Catalyst 6500 switch running with SUP720 IOS version 12.2(18)SXE1 or greater may drop Rx SPAN packets if there is an outbound ACL applied on the source interface of the SPAN session.

Workaround:
- remove outbound ACL from source interface
- downgrade to 12.2(18)SXD6 or lower

The fix for this bug only applies to WS-X67xx line cards (SPAN source port on 67xx line cards). The fix for 65xx line cards went in through another DDTS, CSCse41963, in 12.2(18)SXF5 and higher codes.

-Hank

> Hi,
>
> I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down:
>
> We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak.

From adriankok2000 at yahoo.com.hk Fri Nov 7 07:52:04 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Fri, 7 Nov 2008 20:52:04 +0800 (CST)
Subject: [c-nsp] help: copy run tftp
Message-ID: <579826.60286.qm@web33303.mail.mud.yahoo.com>

Hi

I installed a TFTP server in Linux and it is running.

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
.....
%Error opening tftp://192.168.0.3/router-confg (Timed out)

After checking the TFTP server on 192.168.0.3, I fixed it to allow the router to connect, but when I run the command a second time, there is another error: it shows file not found! Why?

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
TFTP: error code 1 received - File not found

Thank you

From gkg at gmx.de Fri Nov 7 08:06:35 2008
From: gkg at gmx.de (Garry)
Date: Fri, 07 Nov 2008 14:06:35 +0100
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com>
Message-ID: <49143D5B.4080007@gmx.de>

adrian kok wrote:
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>

Did you allow the TFTP clients to create new files? If not, you will have to create the file first with sufficient rights for the TFTP server to overwrite, then copy again.

-garry

From drew.weaver at thenap.com Fri Nov 7 08:28:35 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Fri, 7 Nov 2008 08:28:35 -0500
Subject: [c-nsp] IP Cef load sharing, quick question
Message-ID:

Hi there.

We have a simple L3 switch (I think it's a 2960G) that we need to do some even simpler fault tolerance and load sharing on. We were going to connect this switch to 3x switches upstream and then do something like this:

ip route 0.0.0.0 0.0.0.0 g0/32 gwip
ip route 0.0.0.0 0.0.0.0 g0/33 gwip
ip route 0.0.0.0 0.0.0.0 g0/34 gwip

When we were testing we noticed some (well, quite a bit) of strangeness with traceroutes and the like (many multiple hops for the same hop.. etc). Is there a better way to do what we're trying to achieve?

We were thinking about maybe doing VRRP on the 3 switches upstream, but then we would only be using 1Gbps and the goal is to be able to use "a little more than" 1Gbps.

Normally we'd just let routing protocols handle all of this fun, but this isn't our 'regular' slice of equipment.
Any advice is swell,

-Drew

From paul at paulstewart.org Fri Nov 7 08:23:17 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 08:23:17 -0500
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49135E31.8010102@isp.solcon.nl>
References: <49135E31.8010102@isp.solcon.nl>
Message-ID: <000001c940dc$02301c60$06905520$@org>

We're running 12.2(33)SRC2 on NPE-2Gs with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in, pretty much via l2tp tunnels). On the NPE-1Gs we're running the same release with no issues either....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek
Sent: Thursday, November 06, 2008 4:14 PM
To: Roddy Strachan
Cc: Cisco-nsp
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

What kind of features do you use with the 7206VXR box? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6.

regards Rinse

Roddy Strachan wrote:
> Ruben,
>
> Funny you mention it.
>
> I've just finished an upgrade of a mixture of 7301 and 7206vxr to
> 12.2(31)SB13.
>
> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot
> more stable if you ask me.
>
> Don't know how the 7206 will go as they have been in production less than an
> hour :).
>
> So far so good, no real issues to report.

From paul at paulstewart.org Fri Nov 7 08:23:17 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 08:23:17 -0500
Subject: [c-nsp] Config Length Limit? 7600
Message-ID: <001001c940dc$1678fb60$436af220$@org>

Hi there...

Are there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to the size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.

Thanks,

Paul

From csirek at cooler.hu Fri Nov 7 08:46:09 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Fri, 07 Nov 2008 14:46:09 +0100
Subject: [c-nsp] service policy + SYN flood vs. periodic high cpu load
In-Reply-To: <49131A46.7030801@cooler.hu>
References: <49131A46.7030801@cooler.hu>
Message-ID: <491446A1.7050204@cooler.hu>

Hi all,

I made an RP and SP monitor session. Under the SYN flood I saw the router get 250 SYN packets before it sent back the first ACK,RST packet. Is that normal? When the CPU load wave comes again, it gets more (not much) SYN without ACK,RST.

I have no idea what this periodic CPU load wave is, but I see it only under SYN flood. If I send only an ICMP (size 1400) flood, I don't see these waves.

Laszlo

Nemeth Laszlo wrote:
> Hi all,
>
> I'm testing the control plane policy in my lab. Now I found a very
> interesting event.
>
> I have a 6500/sup720 with different IOS (SXF6, SXF10a, SXH3a). I send a
> very big SYN flood to this router.
>
> I'm doing this test in a clear config. (erase startup, reload :) )
>
> I made a policy:
>
> class-map match-all synfloodgeprol
>  match access-group 199
> !
> policy-map synflood-in
>  class synfloodgeprol
>   police cir 128000 bc 4000 be 4000 conform-action transmit exceed-action drop violate-action drop
> !
> access-list 199 remark DEFAULT
> access-list 199 permit tcp any any
> access-list 199 permit udp any any
> access-list 199 permit icmp any any
> access-list 199 permit ip any any
> !
> interface GigabitEthernet5/2
>  ip address 10.0.0.1 255.255.255.0
>  load-interval 30
>  media-type rj45
>  service-policy input synflood-in
>
> I tried to put the service-policy on the control-plane but no difference.
>
> The input interface traffic is:
>
> 30 second input rate 155775000 bits/sec, 304249 packets/sec
> 30 second output rate 128000 bits/sec, 250 packets/sec
>
> The output rate is good: the CPU receives 128K of SYN and answers 128K of
> ACK/RST packets because my policy is working. That is the goal in this
> case.
>
> Under this flood the CPU load:
>
> Router#cpu
> CPU utilization for five seconds: 0%/0%; one minute: 3%; five minutes: 6%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>    3        1368      1378    992  0.55%  0.07%  0.06%   0 Exec
>    5        3868       263  14707  0.00%  0.33%  0.25%   0 Check hea
>   20        2624     34446     76  0.00%  0.09%  0.06%   0 IPC Seat
>   43         652        27  24148  0.00%  0.02%  0.00%   0 Per-minu
>  155       57572    310276    185  0.00%  1.57%  3.56%   0 IP Input
>  230         368      2206    166  0.00%  0.01%  0.00%   0 CEF: IPv4
>  240         528       703    751  0.07%  0.03%  0.02%   0 HIDDEN VL
>
> The policy is working great.
>
> But every 4 minutes the CPU load goes up:
>
> Router#cpu
> CPU utilization for five seconds: 79%/68%; one minute: 8%; five minutes: 6%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>    3        2012      1617   1244  0.31%  0.61%  0.22%   0 Exec
>    5        4072       278  14647  0.00%  0.20%  0.22%   0 Check hea
>   20        2812     37348     75  0.00%  0.04%  0.05%   0 IPC Seat
>   27          56       555    100  0.00%  0.02%  0.00%   0 EnvMon
>   43         708        29  24413  0.00%  0.03%  0.00%   0 Per-minut
>  155       59732    336634    177 10.47%  1.13%  2.68%   0 IP Input
>  230         400      2373    168  0.00%  0.01%  0.00%   0 CEF: IPv4
>  240         568       756    751  0.00%  0.03%  0.02%   0 HIDDEN VL
>
> some seconds later:
>
> Router#cpu
> CPU utilization for five seconds: 99%/7%; one minute: 15%; five minutes: 7%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>    3        2100      1637   1282  1.11%  0.65%  0.23%   0 Exec
>    5        4072       278  14647  0.00%  0.19%  0.22%   0 Check he
>   20        2812     37348     75  0.00%  0.03%  0.05%   0 IPC Seat
>   27          56       555    100  0.00%  0.02%  0.00%   0 EnvMon
>   43         708        29  24413  0.00%  0.03%  0.00%   0 Per-minu
>   77         252      1539    163  0.07%  0.00%  0.00%   0 Heartbeat
>  155       66192    338269    195 90.71%  8.30%  4.14%   0 IP Input
>  230         400      2382    167  0.07%  0.02%  0.00%   0 CEF: IPv4
>  240         572       759    753  0.00%  0.03%  0.01%   0 HIDDEN VL
>
> and again some seconds later:
>
> Router#cpu
> CPU utilization for five seconds: 0%/0%; one minute: 2%; five minutes: 6%
>  PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
>    3        2320      1730   1341  0.23%  0.08%  0.17%   0 Exec
>    5        4552       308  14779  0.00%  0.25%  0.24%   0 Check hea
>   20        3008     40249     74  0.00%  0.04%  0.04%   0 IPC Seat
>   43         792        32  24750  0.00%  0.04%  0.00%   0 Per-minu
>   77         316      1702    185  0.00%  0.01%  0.00%   0 Heartbeat
>  155       68644    378964    181  0.00%  1.03%  3.26%   0 IP Input
>  230         444      2639    168  0.07%  0.02%  0.00%   0 CEF: IPv4
>  240         636       841    756  0.00%  0.03%  0.02%   0 HIDDEN VL
>
> This is the history of the CPU:
>
>     55555999999999944444
>     333330000099999666667777711111 2222211111
> 100      **********
>  90      **********
>  80      **********
>  70      **********
>  60      **********
>  50 ********************
>  40 ********************
>  30 ********************
>  20 ********************
>  10 ********************
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>                CPU% per second (last 60 seconds)
>
>       1
>       0   9   9  12
>     460444944394439
> 100   *   *   *
>  90   *   *   *
>  80   *   *   *
>  70   *   *   *
>  60   *   *   *
>  50   *   *   *
>  40   *   *   *
>  30   *   *   *  *
>  20   #   #   #  *
>  10   #   #   #  **
>    0....5....1....1....2....2....3....3....4....4....5....5....
>              0    5    0    5    0    5    0    5    0    5
>                CPU% per minute (last 60 minutes)
>               * = maximum CPU%   # = average CPU%
>
>
> If I increase the 128K to 256K in the policy, the big CPU load comes
> every 2 minutes.
>
> If I set it to 64K, the load stays at every 4 minutes, but is ~40-50%
> instead of 100%.
>
> Any idea?
> > Thanks > > Laszlo > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From b.turnbow at twt.it Fri Nov 7 08:56:02 2008 From: b.turnbow at twt.it (Brian Turnbow) Date: Fri, 7 Nov 2008 14:56:02 +0100 Subject: [c-nsp] Cisco IOS for broadband aggregation In-Reply-To: <000001c940dc$02301c60$06905520$@org> References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org> Message-ID: We're stil on 12.2.31SB13 with g2s mainly due to an issue we found with tcp header compression with SRC We have some small vbr connections for voip with header compression enabled and found that a telnet session over the link would cause the router to crash in SRC. Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: venerd? 7 novembre 2008 14.23 To: 'Rinse Kloek'; 'Roddy Strachan' Cc: 'Cisco-nsp' Subject: Re: [c-nsp] Cisco IOS for broadband aggregation We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels). On the NPE-1G's we're running same release with no issue neither.... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek Sent: Thursday, November 06, 2008 4:14 PM To: Roddy Strachan Cc: Cisco-nsp Subject: Re: [c-nsp] Cisco IOS for broadband aggregation What kind of features do you use with the 7206VXR box ? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6. regards Rinse Roddy Strachan schreef: > Ruben, > > Funny you mention it. 
>
> I've just finished an upgrade of a mixture of 7301 and 7206vxr to 12.2(31)SB13.
>
> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot more stable if you ask me.
>
> Don't know how the 7206 will go as they have been in production less than an hour :).
>
> So far so good, no real issues to report.
>
> On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
>
>> Hi All,
>>
>> I'm upgrading IOS on my c7206VXR with an npe-300 and:
>> UBR7200-I/O-2FE/E
>> PA-A3-T3=
>> PA-IMA-T1=
>> PA-4E=
>> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't seen much about it. I assume it's got the same features as (28)? If anyone has any feedback let me know.
>>
>> Thanks.
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From dcp at dcptech.com Fri Nov 7 09:00:34 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 7 Nov 2008 09:00:34 -0500
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <001001c940dc$1678fb60$436af220$@org>
References: <001001c940dc$1678fb60$436af220$@org>
Message-ID: <003301c940e1$36833ec0$a389bc40$@com>

NVRAM space, then you can use "service compress-config" but that makes boot time slower. You have 2MB of NVRAM, mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Is there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From paul at paulstewart.org Fri Nov 7 09:18:49 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 09:18:49 -0500
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <003301c940e1$36833ec0$a389bc40$@com>
References: <001001c940dc$1678fb60$436af220$@org> <003301c940e1$36833ec0$a389bc40$@com>
Message-ID: <001901c940e3$c2837a00$478a6e00$@org>

Thanks... confirmed what I was wondering.... we have lots of free space there, which takes the concern out of the equation today...;)

Cheers!

Paul

-----Original Message-----
From: David Prall [mailto:dcp at dcptech.com]
Sent: Friday, November 07, 2008 9:01 AM
To: 'Paul Stewart'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Config Length Limit? 7600

NVRAM space, then you can use "service compress-config" but that makes boot time slower. You have 2MB of NVRAM, mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Is there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From b.turnbow at twt.it Fri Nov 7 11:30:51 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 7 Nov 2008 17:30:51 +0100
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <003301c940e1$36833ec0$a389bc40$@com>
References: <001001c940dc$1678fb60$436af220$@org> <003301c940e1$36833ec0$a389bc40$@com>
Message-ID:

You can always save/boot to/from a copy saved to disk.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall
Sent: Friday, 7 November 2008 15:01
To: 'Paul Stewart'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Config Length Limit? 7600

NVRAM space, then you can use "service compress-config" but that makes boot time slower. You have 2MB of NVRAM, mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Is there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From sthaug at nethelp.no Fri Nov 7 11:50:06 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 07 Nov 2008 17:50:06 +0100 (CET)
Subject: [c-nsp] IP Cef load sharing, quick question
In-Reply-To:
References:
Message-ID: <20081107.175006.74682859.sthaug@nethelp.no>

> We have a Simple L3 switch (I think it's a 2960G) that we need to do some even simpler fault tolerance and load sharing on.
>
> We were going to connect this switch to 3x switches upstream and then do something like this:
>
> ip route 0.0.0.0 0.0.0.0 g0/32 gwip
> ip route 0.0.0.0 0.0.0.0 g0/33 gwip
> ip route 0.0.0.0 0.0.0.0 g0/34 gwip

You are of course aware that not specifying an IP nexthop means you'll get lots of unnecessary ARPing here, and that the upstream routers have to support proxy ARP?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From peter at rathlev.dk Fri Nov 7 12:32:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Nov 2008 18:32:31 +0100
Subject: [c-nsp] IP Cef load sharing, quick question
In-Reply-To:
References:
Message-ID: <1226079151.3474.8.camel@abehat>

On Fri, 2008-11-07 at 08:28 -0500, Drew Weaver wrote:
> We have a Simple L3 switch (I think it's a 2960G) that we need to do some even simpler fault tolerance and load sharing on.

They're not 2960s, since those are L2 only. Maybe 3560s?
> We were going to connect this switch to 3x switches upstream and then do something like this:
>
> ip route 0.0.0.0 0.0.0.0 g0/32 gwip
> ip route 0.0.0.0 0.0.0.0 g0/33 gwip
> ip route 0.0.0.0 0.0.0.0 g0/34 gwip

As Steinar mentions, you should use a specific next hop address. I assume that the three interfaces are routed ports, or that they use separate VLANs. What's upstream?

> When we were testing we noticed some (well, quite a bit) of strangeness with traceroutes and the like (many multiple hops for the same, hop.. etc)

What exactly do you mean with "many multiple hops"? Different answers for multiple requests with the same TTL (same hop in traceroute) is not all that unusual for multiple paths -- each path is eligible for the traffic, so each next hop router can answer.

The L3 switches (i.e. not software based routers) typically use a hashed load sharing algorithm, resulting in per destination or per source (or a combination) load sharing. They could also include the ports in the hashing, meaning that a traceroute using a different source port per probe would result in different next hops. If this is unwanted, you can change the algorithm to something that doesn't include L4 ports.

> is there a better way to do what we're trying to achieve?
>
> We were thinking about maybe doing VRRP on the 3 switches upstream but then we would only be using 1Gbps and the goal is to be able to use "a little more than" 1Gbps.

You _could_ use GLBP as a load sharing enabled equivalent of VRRP. Don't know if your hardware/software supports it though. And equal cost multipath (ECMP) would be my preferred choice if possible.

Regards,
Peter

From daniel_p_lacey at yahoo.com Fri Nov 7 13:30:23 2008
From: daniel_p_lacey at yahoo.com (Daniel Lacey)
Date: Fri, 07 Nov 2008 10:30:23 -0800
Subject: [c-nsp] Multiple Ethernet links for redundancy
Message-ID: <4914893F.7050806@yahoo.com>

Hi all,

I have a 7206 with two fastethernet port adapters.
I would like to have both of these run to the 6506 switch.

I need a scenario that would allow one of the links to work if the other goes down.
This is for redundancy and not for bandwidth issues.

I was wondering if it is possible (or desirable) to make them a Multilink bundle?

Any other suggestions?

Thanks,
Dan Lacey

From rinse.kloek at isp.solcon.nl Fri Nov 7 13:47:35 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Fri, 07 Nov 2008 19:47:35 +0100
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <49148D47.3000808@isp.solcon.nl>

One option is to configure both interfaces with the same IP addresses and settings and use the following command on the primary interface:

interface GigabitEthernet0/1
 backup interface GigabitEthernet0/2
 ip address 10.10.10.1 255.255.255.0
interface GigabitEthernet0/2
 ip address 10.10.10.1 255.255.255.0

The GigabitEthernet 0/1 will be up and the GigabitEthernet 0/2 will be standby. If the link on Gi0/1 goes down, Gi0/2 will come up.

regards Rinse

Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From rinse.kloek at isp.solcon.nl Fri Nov 7 13:51:58 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Fri, 07 Nov 2008 19:51:58 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c940dc$02301c60$06905520$@org>
References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org>
Message-ID: <49148E4E.1070001@isp.solcon.nl>

Do you use 12.2(33)SRC2 in a box as Aggregation Router? One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248).

kind regards Rinse

Paul Stewart wrote:
> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels).
>
> On the NPE-1G's we're running the same release with no issues either....
>
> Paul
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek
> Sent: Thursday, November 06, 2008 4:14 PM
> To: Roddy Strachan
> Cc: Cisco-nsp
> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>
> What kind of features do you use with the 7206VXR box? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6.
>
> regards Rinse
>
> Roddy Strachan wrote:
>
>> Ruben,
>>
>> Funny you mention it.
>>
>> I've just finished an upgrade of a mixture of 7301 and 7206vxr to 12.2(31)SB13.
>>
>> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot more stable if you ask me.
>>
>> Don't know how the 7206 will go as they have been in production less than an hour :).
>>
>> So far so good, no real issues to report.
>>
>> On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
>>
>>> Hi All,
>>>
>>> I'm upgrading IOS on my c7206VXR with an npe-300 and:
>>> UBR7200-I/O-2FE/E
>>> PA-A3-T3=
>>> PA-IMA-T1=
>>> PA-4E=
>>> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't seen much about it. I assume it's got the same features as (28)? If anyone has any feedback let me know.
>>>
>>> Thanks.

From pshuleski at gmail.com Fri Nov 7 13:56:21 2008
From: pshuleski at gmail.com (Pete S.)
Date: Fri, 7 Nov 2008 13:56:21 -0500
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <50f158990811071056i485be057sb4809519cfbce6c5@mail.gmail.com>

You can make each port a routed interface (/30 or /31) to the 6500. Control the failover/load balancing with your IGP.

--Pete

On Fri, Nov 7, 2008 at 1:30 PM, Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From asadh at comcast.net Fri Nov 7 14:00:49 2008
From: asadh at comcast.net (Asad)
Date: Fri, 7 Nov 2008 19:00:49 +0000
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <623938200-1226084442-cardhu_decombobulator_blackberry.rim.net-1922886597-@bxe125.bisx.prod.on.blackberry>

You can try a port-channel and add both interfaces to the bundle. This would provide redundancy + more BW.

Asad
Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Daniel Lacey
Date: Fri, 07 Nov 2008 10:30:23
To:
Subject: [c-nsp] Multiple Ethernet links for redundancy

Hi all,

I have a 7206 with two fastethernet port adapters.
I would like to have both of these run to the 6506 switch.

I need a scenario that would allow one of the links to work if the other goes down.
This is for redundancy and not for bandwidth issues.
I was wondering if it is possible (or desirable) to make them a Multilink bundle?

Any other suggestions?

Thanks,
Dan Lacey

From paul at paulstewart.org Fri Nov 7 14:09:18 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 14:09:18 -0500
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49148E4E.1070001@isp.solcon.nl>
References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org> <49148E4E.1070001@isp.solcon.nl>
Message-ID: <000001c9410c$569d9270$03d8b750$@org>

Yes, that's correct - LAC/LNS

We don't run Netflow off that box in particular (we do in our core 7600's though) so haven't come across that bug yet ;)

Paul

-----Original Message-----
From: Rinse Kloek [mailto:rinse.kloek at isp.solcon.nl]
Sent: Friday, November 07, 2008 1:52 PM
To: Paul Stewart
Cc: 'Roddy Strachan'; 'Cisco-nsp'
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

Do you use 12.2(33)SRC2 in a box as Aggregation Router? One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248).

kind regards Rinse

Paul Stewart wrote:
> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels).
>
> On the NPE-1G's we're running the same release with no issues either....
>
> Paul

From dudepron at gmail.com Fri Nov 7 15:57:05 2008
From: dudepron at gmail.com (Aaron)
Date: Fri, 7 Nov 2008 15:57:05 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <49143D5B.4080007@gmx.de>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com> <49143D5B.4080007@gmx.de>
Message-ID: <480dad640811071257k761564e0n26f9066903048f7c@mail.gmail.com>

Create the file in your tftp dir using touch...

touch
then chmod 777

Then you should be good to go.

Note that this file is world readable and writable..

Aaron

On Fri, Nov 7, 2008 at 8:06 AM, Garry wrote:
> adrian kok wrote:
> > router#copy running-config tftp
> > Address or name of remote host []? 192.168.0.3
> > Destination filename [router-confg]?
> > TFTP: error code 1 received - File not found
>
> Did you allow the TFTP-Clients to create new files? If not, you will have to create the file first with sufficient rights for the TFTP-Server to overwrite, then copy again.
>
> -garry

From aaron at wsc.ma.edu Fri Nov 7 16:54:59 2008
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Fri, 7 Nov 2008 16:54:59 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com>
Message-ID: <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>

Hi Adrian,
Add -c to the server_args. This will allow the tftp clients to create the file.
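[Editor's added example, not part of any message in this thread.] The replies above give two ways past "TFTP: error code 1 received - File not found": let the daemon create files, or pre-create the destination file on the server. The script below does the second, portable across tftpd implementations, and does it without the world-readable and world-writable `chmod 777` that one reply notes as a drawback: a saved running-config carries SNMP communities, password hashes and keys, so only the daemon's own user should be able to read it. It assumes a POSIX shell, that the tftpd root directory and destination file name are passed as arguments, and that the daemon runs as a user you name (a hypothetical `tftp` account by default); the directory and file names used in the test are constructed for the example.

```shell
#!/bin/sh
# Editor's added example (not from the thread): pre-create the TFTP
# destination file so that a tftpd which refuses to create new files
# accepts "copy running-config tftp", without making the saved config
# world-readable or world-writable.
#
# Assumptions, none of them from the thread: the tftpd root directory is
# $1, the file name the router will write is $2, and the daemon runs as
# the user named in $3 (hypothetical "tftp" account by default). When run
# as a non-root user, chown fails quietly and the file stays owned by the
# caller; the test below relies on that by naming the caller as owner.

prep_tftp_target() {
    dir="$1"
    name="$2"
    owner="${3:-tftp}"
    target="$dir/$name"

    mkdir -p "$dir" || return 1
    # Create (or truncate) the file the router will overwrite.
    : > "$target" || return 1
    # Hand the file to the daemon's user if we are allowed to. 0600 means
    # only that user can read or replace the config; chmod 777 would let
    # every local account read the communities and hashes, or swap in a
    # different config for the next "copy tftp startup-config".
    chown "$owner" "$target" 2>/dev/null || true
    chmod 0600 "$target" || return 1
}

# Print "yes" if any of the "other" permission bits on $1 are set, else
# "no". Parses ls -l, which is portable across GNU and BSD userlands:
# characters 8-10 of the mode field are the "other" rwx bits.
world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10)
    case "$other" in
        ---) echo no ;;
        *)   echo yes ;;
    esac
}
```

On the tftp host, run it as root before the copy: `prep_tftp_target /srv/tftp router-confg tftp` (paths and account are assumptions for the example), then `world_accessible /srv/tftp/router-confg` should print `no`. Which daemon flag permits file creation differs between servers (the thread mentions `-c` for the Linux server and notes that it means something else on FreeBSD), whereas pre-creating the file works with any of them. TFTP itself has no authentication and no encryption, so the directory should additionally be reachable only from the management network the router sits on.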
Aaron
-----------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
Sent: Friday, November 07, 2008 7:52 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] help: copy run tftp

Hi

I installed a tftp server in linux and it is running

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
.....
%Error opening tftp://192.168.0.3/router-confg (Timed out)

After checking the tftp server on 192.168.0.3, I fixed it to allow the router to connect.

But when I run the command a second time, it is another error.

It shows the file not found! Why?

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
TFTP: error code 1 received - File not found

Thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com

From danvoyer at gmail.com Fri Nov 7 18:22:44 2008
From: danvoyer at gmail.com (Dan Voyer)
Date: Fri, 7 Nov 2008 18:22:44 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com>
Message-ID: <6c66c78d0811071522n5c5f50a3h6abf7ef341a94842@mail.gmail.com>

tftp doesn't allow you to actually "create" a file. So create that exact same file on your tftp server, then restart your stuff in your router.

On Fri, Nov 7, 2008 at 7:52 AM, adrian kok wrote:
> Hi
>
> I installed a tftp server in linux and it is running
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> .....
> %Error opening tftp://192.168.0.3/router-confg (Timed out)
>
> After checking the tftp server on 192.168.0.3, I fixed it to allow the router to connect.
>
> But when I run the command a second time, it is another error.
>
> It shows the file not found! Why?
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>
> Thank you

From dudepron at gmail.com Fri Nov 7 20:56:37 2008
From: dudepron at gmail.com (Aaron)
Date: Fri, 7 Nov 2008 20:56:37 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com> <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>
Message-ID: <480dad640811071756l6b26aec4u688892434a93e644@mail.gmail.com>

That doesn't look like a valid arg for FreeBSD. -c sets the root dir.

Aaron

On Fri, Nov 7, 2008 at 4:54 PM, Childs, Aaron wrote:
> Hi Adrian,
> Add -c to the server_args. This will allow the tftp clients to create the file.
>
> Aaron
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
> Sent: Friday, November 07, 2008 7:52 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] help: copy run tftp
>
> Hi
>
> I installed a tftp server in linux and it is running
>
> router#copy running-config tftp
> Address or name of remote host []?
> 192.168.0.3
> Destination filename [router-confg]?
> .....
> %Error opening tftp://192.168.0.3/router-confg (Timed out)
>
> After checking the tftp server on 192.168.0.3, I fixed it to allow the router to connect.
>
> But when I run the command a second time, it is another error.
>
> It shows the file not found! Why?
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>
> Thank you

From spinthiras.mario at gmail.com Fri Nov 7 21:26:09 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Sat, 8 Nov 2008 04:26:09 +0200
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>

Most beneficial is to port-channel the interfaces. This is clever in many ways. Handling the interface redundancy any other way complicates things IMHO. With a port-channel interface you have more bandwidth and redundancy.

Regards,
Mario
http://www.spinthiras.net/

On Fri, Nov 7, 2008 at 8:30 PM, Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From nicklinn at nurro.net Sat Nov 8 10:49:53 2008
From: nicklinn at nurro.net (Nicholas Linn)
Date: Sat, 8 Nov 2008 10:49:53 -0500
Subject: [c-nsp] c3660: Utterly baffled by ROMs
Message-ID: <000001c941b9$a7b93da0$6a01a8c0@nurronetworks.com>

Hello,

I just bought myself a c3661 to play around with and experiment on. At any rate the machine is running bootstrap version 12.0(5r), which I want to upgrade to 12.0(6r)T or whatever the latest version is. I have looked around and seem to be only able to find the upgrades for the 3620-3640. Does anyone know who sells this or has a digital image that I can burn myself to a flash chip?

Thanks,

Nick

From rbf+cisco-nsp at panix.com Sat Nov 8 12:51:40 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Sat, 8 Nov 2008 11:51:40 -0600
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>
Message-ID: <20081108175140.GA12497@panix.com>

On Sat, Nov 08, 2008 at 04:26:09AM +0200, Mario Spinthiras wrote:
> Most beneficial is to port-channel the interfaces. This is clever in many ways. Handling the interface redundancy any other way complicates things IMHO. With a port-channel interface you have more bandwidth and redundancy.

And you also have exposure to any failure that puts one of the links into a DOWN state on one end of the link but not on the other, and any failure that prevents traffic from flowing over a link but doesn't put the interfaces into a DOWN state.
On the other hand, having two Layer 3 links and running a routing protocol protects against most such failures -- if the OSPF hellos aren't being received bidirectionally, the link won't get used.

-- Brett

From spinthiras.mario at gmail.com Sat Nov 8 14:13:01 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Sat, 8 Nov 2008 21:13:01 +0200
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <20081108175140.GA12497@panix.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com>
Message-ID: <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>

That's very true. If you rely on etherchanneling then you are effectively relying on lower layer redundancy. If you go higher, then you rely on the normal operation of L3, etc...

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From nicklinn at nurro.net Sat Nov 8 14:18:45 2008
From: nicklinn at nurro.net (Nicholas Linn)
Date: Sat, 8 Nov 2008 14:18:45 -0500
Subject: [c-nsp] c3660: Utterly baffled by ROMs
In-Reply-To:
References: <000001c941b9$a7b93da0$6a01a8c0@nurronetworks.com>
Message-ID: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com>

Ted,

Oh I have an image and it runs fine, to a degree. I had upgraded the flash memory in the unit and since I am working on a bit of a budget I got cheaper after-market stuff. The problem is that my boot rom doesn't see the flash properly. So in order to run the correct image, I have to first boot a smaller image from a PCMCIA card, at which point the flash can now be seen; from there I need to do a "reload warm file xxxxxxxxx.bin" in order to boot the image I really want. In the end I am wasting about 12 megs on the PCMCIA card for the second image, that could be put to far better use.
I have been assured by the seller that the latest boot rom will see the flash properly; also having a tftp client from rommon would be nice too, which I understand some of the newer versions have.

I can find the boot-3600= (for the 3620 and 3640) in many places so I don't think my question is unreasonable.

Thanks,
Nick

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
Sent: Saturday, November 08, 2008 1:15 PM
To: Nicholas Linn
Subject: RE: [c-nsp] c3660: Utterly baffled by ROMs

Hi Nick,

You don't ever upgrade the roms, at least, you don't unless you like flushing money down the crapper for no reason. The unit is supposed to run from flash, the boot rom is only used to tell the unit where the flash code is, then once the flash code is loaded the unit never touches the rom again.

If you're saying that your unit boots and shows it's running from rom, if you login to it and do a show ver, then that means that whoever sold you the router wiped the flash - as they are supposed to do if they sell one of these. Just like people are supposed to wipe off any copy of Windows that is on an old computer that they sell. Or, perhaps yours had a flash card originally that someone removed.

You need to contact Cisco and get a referral to a Cisco reseller who will sell you a service contract for your unit. Once you have that then you can call Cisco and get the firmware you need.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nicholas Linn
> Sent: Saturday, November 08, 2008 7:50 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] c3660: Utterly baffled by ROMs
>
> Hello,
>
> I just bought myself a c3661 to play around with and experiment on. At any rate the machine is running bootstrap version 12.0(5r), which I want to upgrade to 12.0(6r)T or whatever the latest version is.
> I have looked around and seem to be only able to find the upgrades for the 3620-3640. Does anyone know who sells this or has a digital image that I can burn myself to a flash chip?
>
> Thanks,
> Nick

From gwendel at gmail.com Sat Nov 8 17:51:13 2008
From: gwendel at gmail.com (Greg Wendel)
Date: Sat, 8 Nov 2008 17:51:13 -0500
Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)...
In-Reply-To:
References: <200811062338406.SM03088@64.59.94.34>
Message-ID: <8dfae3430811081451n7d10d908i1af26e9471bbc8fe@mail.gmail.com>

The latest Spirent and Ixia test gear have 10 gig interfaces so you could use these to send 10 gigs of traffic with good reporting. Ixia allows you to rent their test gear so you could likely use them without spending too much money.

Good luck,
Greg, #20179(R&S)

On Fri, Nov 7, 2008 at 5:57 AM, Hank Nussbacher wrote:
> On Fri, 7 Nov 2008, Jeremy Reid wrote:
>
> Do you have an ACL on the source ports? I hit this years ago: CSCsb21148
>
> Rx SPAN may not work when outbound ACL is applied to source interface
> A Catalyst 6500 switch running with SUP720 IOS version 12.2(18)SXE1 or greater may drop Rx SPAN packets if there is an outbound ACL applied on the source interface of the SPAN session.
>
> Workaround:
> - remove outbound ACL from source interface
> - downgrade to 12.2(18)SXD6 or lower
>
> The fix for this bug only applies to WS-X67xx line cards (SPAN source port on 67xx line cards). The fix for 65xx line cards went in through another DDTS CSCse41963 in 12.2(18)SXF5 and higher codes.
>
> -Hank
>
>> Hi,
>>
>> I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down:
>>
>> We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak. This does not appear to be a counters problem, as we can confirm from the destination device on the other end of the SPAN port that it is indeed only seeing 5Gbps worth of traffic.
>>
>> Doing a little 'deconstructive' unit testing -- we have tried eliminating the 'aggregation angle' and picked a single source 10G interface that only had about 1Gbps worth of traffic to span. Looking at the destination interface, it was consistently only reporting about 600mbps. We have tried various such tests and we always seem to get similar results in that the destination interface traffic is always significantly (between 20 and 40%) LESS than whatever the source interface is actually carrying -- at least on the egress side of things (our ingress traffic is not sizable enough to gauge accurately).
>>
>> There are no physical errors/malformed frames/drops (including queue drops) being reported on either the SPAN source interface(s) or the destination. Jumbos aren't allowed on either interface, so it's not related to that either. The only plus to this (from a troubleshooting perspective, anyway) is that it is consistently 'broke' -- which should make finding the solution easier, but so far, it has proved rather elusive.
>>
>> We have replicated this scenario on both our current code (SXH3a) as well as SXF14 (previous code until very recently).
>> Further, we can replicate it on multiple independent 65k platforms (all equipped similarly). We have also verified there is no bus/proc oversubscription or anything of the sort going on -- but even went to the extent of moving two test interfaces containing both the SPAN source and destination to the same physical linecard (6704-10GE) and even popped in a DFC3BXL on this linecard for good measure (even though we saw no reason to do so from a numbers point of view). No change in the behavior with the DFC.
>>
>> Anyone seen anything along these lines? Couldn't find anything publicly on the bug toolkit that seemed relevant... (big surprise). Just thought I'd try the list here before getting on the TAC merry-go-round.
>>
>> Thoughts?
>>
>> -Jeremy
>>
>> Jeremy Reid
>> Network Engineer
>> Mojohost

--
Gregory Wendel
Springfield VA, 22153

From danletkeman at gmail.com Sat Nov 8 19:48:28 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 8 Nov 2008 18:48:28 -0600
Subject: [c-nsp] ips usbflash
Message-ID:

Hello,

I have configured IPS on a 2821 running the firewall IOS. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?

If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.

Dan.

From christian at broknrobot.com Sat Nov 8 19:56:54 2008
From: christian at broknrobot.com (Christian Koch)
Date: Sat, 8 Nov 2008 19:56:54 -0500
Subject: [c-nsp] ips usbflash
In-Reply-To:
References:
Message-ID:

do you have the signature location configured properly?
ie: ip ips config location flash:(directory)

On Sat, Nov 8, 2008 at 7:48 PM, Dan Letkeman wrote:
> Hello,
>
> I have configured IPS on a 2821 running the firewall IOS. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?
>
> If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.
>
> Dan.

From danletkeman at gmail.com Sun Nov 9 00:18:46 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 8 Nov 2008 23:18:46 -0600
Subject: [c-nsp] ips usbflash
In-Reply-To:
References:
Message-ID:

I booted up our test router with a different usb flash card and it shows up after a reload. Must be something with the usb flash card.

Dan.

On Sat, Nov 8, 2008 at 7:26 PM, Christian Koch wrote:
> Hmm, I can't think of anything else, that is odd.. you do have the public
> key configured, right?
>
> also how did you copy the sigs to the usb drive, from a pc? or ftp
> through the router?
>
> On Sat, Nov 8, 2008 at 8:04 PM, Dan Letkeman wrote:
>> As far as I know yes.
>>
>> ip ips config location usbflash1:/ retries 5 timeout 10
>>
>> Dan.
>>
>> On Sat, Nov 8, 2008 at 6:56 PM, Christian Koch wrote:
>>> do you have the signature location configured properly?
>>>
>>> ie: ip ips config location flash:(directory)
>>>
>>> On Sat, Nov 8, 2008 at 7:48 PM, Dan Letkeman wrote:
>>>> Hello,
>>>>
>>>> I have configured IPS on a 2821 running the firewall IOS. I have the
>>>> configuration and signature files on a usbflash card. It all works
>>>> fine until the router reloads, then the usbflash does not mount. Is
>>>> there a command to load it?
>>>>
>>>> If I do a "show usb device 1" it shows the device, and all the details,
>>>> but I cannot do a dir on the device, and I cannot write to it.
>>>>
>>>> Dan.

From tt_745 at yahoo.co.uk Sun Nov 9 09:24:21 2008
From: tt_745 at yahoo.co.uk (tt tt)
Date: Sun, 9 Nov 2008 14:24:21 +0000 (GMT)
Subject: [c-nsp] Configuring a channelized STM-1/OC3 SPA as a full STM-1
Message-ID: <606542.55093.qm@web26701.mail.ukl.yahoo.com>

Hi All,

Does anyone know if the channelized SPA-1XCHSTM1/OC3 can be configured as a full STM-1 (SDH)? We need to terminate a full STM-1 for around 6 months and then hope to reuse the card for channelized E1 services.

Thanks
Dave

From dudepron at gmail.com Sun Nov 9 12:00:42 2008
From: dudepron at gmail.com (Aaron)
Date: Sun, 9 Nov 2008 12:00:42 -0500
Subject: [c-nsp] Configuring a channelized STM-1/OC3 SPA as a full STM-1
In-Reply-To: <606542.55093.qm@web26701.mail.ukl.yahoo.com>
References: <606542.55093.qm@web26701.mail.ukl.yahoo.com>
Message-ID: <480dad640811090900q630f6386x79780b39f9f89dec@mail.gmail.com>

Nope.

http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd80350c53.html

On Sun, Nov 9, 2008 at 9:24 AM, tt tt wrote:
> Hi All,
>
> Does anyone know if the channelized SPA-1XCHSTM1/OC3 can be configured as a
> full STM-1 (SDH)? We need to terminate a full STM-1 for around 6 months and
> then hope to reuse the card for channelized E1 services.
>
> Thanks
>
> Dave

From ben.steele at internode.on.net Sun Nov 9 22:57:29 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Mon, 10 Nov 2008 14:27:29 +1030
Subject: [c-nsp] ASA IPS Module - logging sent to email
Message-ID: <000c01c942e8$73eeb740$5bcc25c0$@steele@internode.on.net>

Has anybody set up an IPS module in an ASA to send an email on a triggered event?

Just briefly looking through there is no obvious function for it; right now the only way I can think of doing it is by setting it to generate a log based on an event action and then setting up a logging class on the ASA to pick that up and email to the specified address.

Would be interested to hear from anyone currently doing it - note I don't want everything, I just want to be able to select specific events (ie if I make the action to generate a log for the events concerned to do it then that's fine.)

Cheers
Ben

From p_ambedkar at rediffmail.com Sun Nov 9 23:24:22 2008
From: p_ambedkar at rediffmail.com (ambedkar)
Date: 10 Nov 2008 04:24:22 -0000
Subject: [c-nsp] help: copy run tftp
Message-ID: <20081110042422.23797.qmail@f4mail-235-239.rediffmail.com>

Hi,

First create a file in the linux.

cd /tftp/
touch xyz(filename)
chmod 777 xyz

--------------

in the router:

copy run tftp://ipaddress/xyz

try it.
On Sat, 08 Nov 2008 cisco-nsp-request at puck.nether.net wrote:
> Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
> You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of cisco-nsp digest..."
>
> Today's Topics:
>
> 1. Re: IP Cef load sharing, quick question (Peter Rathlev)
> 2. Multiple Ethernet links for redundancy (Daniel Lacey)
> 3. Re: Multiple Ethernet links for redundancy (Rinse Kloek)
> 4. Re: Cisco IOS for broadband aggregation (Rinse Kloek)
> 5. Re: Multiple Ethernet links for redundancy (Pete S.)
> 6. Re: Multiple Ethernet links for redundancy (Asad)
> 7. Re: Cisco IOS for broadband aggregation (Paul Stewart)
> 8. Re: help: copy run tftp (Aaron)
> 9. Re: help: copy run tftp (Childs, Aaron)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 07 Nov 2008 18:32:31 +0100
> From: Peter Rathlev
> Subject: Re: [c-nsp] IP Cef load sharing, quick question
> To: Drew Weaver
> Cc: "'cisco-nsp at puck.nether.net'"
> Message-ID: <1226079151.3474.8.camel at abehat>
> Content-Type: text/plain
>
> On Fri, 2008-11-07 at 08:28 -0500, Drew Weaver wrote:
> > We have a Simple L3 switch (I think it's a 2960G) that we need to do
> > some even simpler fault tolerance and load sharing on.
>
> They're not 2960s, since those are L2 only. Maybe 3560s?
>
> > We were going to connect this switch to 3x switches upstream and then
> > do something like this:
> >
> > ip route 0.0.0.0 0.0.0.0 g0/32 gwip
> > ip route 0.0.0.0 0.0.0.0 g0/33 gwip
> > ip route 0.0.0.0 0.0.0.0 g0/34 gwip
>
> As Steinar mentions, you should use a specific next hop address.
> I assume that the three interfaces are routed ports, or that they use
> separate VLANs. What's upstream?
>
> > When we were testing we noticed some (well, quite a bit) of strangeness
> > with traceroutes and the like (many multiple hops for the same hop.. etc)
>
> What exactly do you mean with "many multiple hops"? Different answers
> for multiple requests with the same TTL (same hop in traceroute) is not
> all that abnormal for multiple paths -- each path is eligible for the
> traffic, so each next hop router can answer.
>
> The L3 switches (i.e. not software based routers) typically use a hashed
> load sharing algorithm, resulting in per destination or per source (or a
> combination) load sharing. They could also include the ports in the
> hashing, meaning that a traceroute using a different source port per
> probe would result in different next hops. If this is unwanted, you can
> change the algorithm to something that doesn't include L4 ports.
>
> > is there a better way to do what we're trying to achieve?
> >
> > We were thinking about maybe doing VRRP on the 3 switches upstream but
> > then we would only be using 1Gbps and the goal is to be able to use "a
> > little more than" 1Gbps.
>
> You _could_ use GLBP as a load sharing enabled equivalent of VRRP. Don't
> know if your hardware/software supports it though. And equal cost
> multipath (ECMP) would be my preferred choice if possible.
>
> Regards,
> Peter
>
> ------------------------------
>
> Message: 2
> Date: Fri, 07 Nov 2008 10:30:23 -0800
> From: Daniel Lacey
> Subject: [c-nsp] Multiple Ethernet links for redundancy
> To: cisco-nsp at puck.nether.net
> Message-ID: <4914893F.7050806 at yahoo.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other
> goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a
> Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey
>
> ------------------------------
>
> Message: 3
> Date: Fri, 07 Nov 2008 19:47:35 +0100
> From: Rinse Kloek
> Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
> To: Daniel Lacey
> Cc: Cisco-nsp
> Message-ID: <49148D47.3000808 at isp.solcon.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> One option is to configure both interfaces with the same IP addresses and
> settings and use the following command on the primary interface:
>
> interface GigabitEthernet0/1
>  backup interface GigabitEthernet0/2
>  ip address 10.10.10.1 255.255.255.0
>
> interface GigabitEthernet0/2
>  ip address 10.10.10.1 255.255.255.0
>
> The GigabitEthernet 0/1 will be up and the GigabitEthernet 0/2 will be
> standby. If the link on Gi0/1 is going down, Gi0/2 will come up.
>
> regards Rinse
>
> Daniel Lacey wrote:
> > Hi all,
> >
> > I have a 7206 with two fastethernet port adapters.
> > I would like to have both of these run to the 6506 switch.
> >
> > I need a scenario that would allow one of the links to work if the
> > other goes down.
> > This is for redundancy and not for bandwidth issues.
> >
> > I was wondering if it is possible (or desirable) to make them a
> > Multilink bundle?
> >
> > Any other suggestions?
> >
> > Thanks,
> > Dan Lacey
>
> ------------------------------
>
> Message: 4
> Date: Fri, 07 Nov 2008 19:51:58 +0100
> From: Rinse Kloek
> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
> To: Paul Stewart
> Cc: 'Cisco-nsp'
> Message-ID: <49148E4E.1070001 at isp.solcon.nl>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Do you use 12.2(33)SRC2 in a box as Aggregation Router?
> One bug we discovered was a Netflow bug which resulted in crashes
> (CSCsu87248)
>
> kind regards Rinse
>
> Paul Stewart wrote:
> > We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very
> > brave and ran some 12.4T code for a while and had a major issue every 3-4
> > weeks that required a reboot (inbound sessions would just stop coming in
> > pretty much via l2tp tunnels).
> >
> > On the NPE-1G's we're running the same release with no issues either....
> >
> > Paul
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek
> > Sent: Thursday, November 06, 2008 4:14 PM
> > To: Roddy Strachan
> > Cc: Cisco-nsp
> > Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
> >
> > What kind of features do you use with the 7206VXR box? We are also
> > looking to upgrade to 12.2.31SB13 because we have some problems with
> > 12.2(31)SB6.
> >
> > regards Rinse
> >
> > Roddy Strachan wrote:
> > > Ruben,
> > >
> > > Funny you mention it.
> > >
> > > I've just finished an upgrade of a mixture of 7301 and 7206vxr to
> > > 12.2(31)SB13.
> > >
> > > Had a 7301 running in production for 1 week, no issues, the LNS seems a
> > > lot more stable if you ask me.
> > >
> > > Don't know how the 7206 will go as they have been in production less than
> > > an hour :).
> > >
> > > So far so good, no real issues to report.
> > >
> > > On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
> > >
> > > > Hi All,
> > > >
> > > > I'm upgrading IOS on my c7206VXR with an npe-300 and:
> > > > UBR7200-I/O-2FE/E
> > > > PA-A3-T3=
> > > > PA-IMA-T1=
> > > > PA-4E=
> > > > I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using
> > > > the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and
> > > > haven't seen much about it. I assume it's got the same features as (28)?
> > > > If anyone has any feedback let me know.
> > > >
> > > > Thanks.
> > >
> > > This email and any files transmitted with it are confidential and intended
> > > solely for the use of the individual or entity to whom they are addressed.
> > > Please notify the sender immediately by email if you have received this
> > > email by mistake and delete this email from your system. Please note that
> > > any views or opinions presented in this email are solely those of the
> > > author and do not necessarily represent those of the organisation.
> > > Finally, the recipient should check this email and any attachments for
> > > the presence of viruses. The organisation accepts no liability for any
> > > damage caused by any virus transmitted by this email.
>
> ------------------------------
>
> Message: 5
> Date: Fri, 7 Nov 2008 13:56:21 -0500
> From: "Pete S."
> Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
> To: "Daniel Lacey"
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <50f158990811071056i485be057sb4809519cfbce6c5 at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> You can make each port a routed interface (/30 or /31) to the 6500. Control
> the failover/load balancing with your IGP.
>
> --Pete
>
> On Fri, Nov 7, 2008 at 1:30 PM, Daniel Lacey wrote:
> > Hi all,
> >
> > I have a 7206 with two fastethernet port adapters.
> > I would like to have both of these run to the 6506 switch.
> >
> > I need a scenario that would allow one of the links to work if the other
> > goes down.
> > This is for redundancy and not for bandwidth issues.
> >
> > I was wondering if it is possible (or desirable) to make them a Multilink
> > bundle?
> >
> > Any other suggestions?
> >
> > Thanks,
> > Dan Lacey
>
> ------------------------------
>
> Message: 6
> Date: Fri, 7 Nov 2008 19:00:49 +0000
> From: "Asad"
> Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
> To: "Daniel Lacey", cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
> Message-ID: <623938200-1226084442-cardhu_decombobulator_blackberry.rim.net-1922886597-@bxe125.bisx.prod.on.blackberry>
> Content-Type: text/plain
>
> You can try a port-channel and add both interfaces to the bundle. This would provide redundancy + more BW.
>
> Asad
> Sent from my Verizon Wireless BlackBerry
>
> -----Original Message-----
> From: Daniel Lacey
> Date: Fri, 07 Nov 2008 10:30:23
> To:
> Subject: [c-nsp] Multiple Ethernet links for redundancy
>
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other
> goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a
> Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey
>
> ------------------------------
>
> Message: 7
> Date: Fri, 7 Nov 2008 14:09:18 -0500
> From: "Paul Stewart"
> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
> To: "'Rinse Kloek'"
> Cc: 'Cisco-nsp'
> Message-ID: <000001c9410c$569d9270$03d8b750$@org>
> Content-Type: text/plain; charset="us-ascii"
>
> Yes, that's correct - LAC/LNS
>
> We don't run Netflow off that box in particular (we do in our core 7600's
> though) so haven't come across that bug yet ;)
>
> Paul
>
> -----Original Message-----
> From: Rinse Kloek [mailto:rinse.kloek at isp.solcon.nl]
> Sent: Friday, November 07, 2008 1:52 PM
> To: Paul Stewart
> Cc: 'Roddy Strachan'; 'Cisco-nsp'
> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>
> Do you use 12.2(33)SRC2 in a box as Aggregation Router?
> One bug we discovered was a Netflow bug which resulted in crashes
> (CSCsu87248)
>
> kind regards Rinse
>
> Paul Stewart wrote:
> > We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very
> > brave and ran some 12.4T code for a while and had a major issue every 3-4
> > weeks that required a reboot (inbound sessions would just stop coming in
> > pretty much via l2tp tunnels).
> >
> > On the NPE-1G's we're running the same release with no issues either....
> >
> > Paul
>
> ------------------------------
>
> Message: 8
> Date: Fri, 7 Nov 2008 15:57:05 -0500
> From: Aaron
> Subject: Re: [c-nsp] help: copy run tftp
> To: Garry
> Cc: cisco-nsp at puck.nether.net
> Message-ID: <480dad640811071257k761564e0n26f9066903048f7c at mail.gmail.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Create the file in your tftp dir using touch...
> touch
> then
> chmod 777
> Then you should be good to go
>
> Note that this file is world readable and writable..
>
> Aaron
>
> On Fri, Nov 7, 2008 at 8:06 AM, Garry wrote:
> > adrian kok wrote:
> > > router#copy running-config tftp
> > > Address or name of remote host []? 192.168.0.3
> > > Destination filename [router-confg]?
> > > TFTP: error code 1 received - File not found
> >
> > Did you allow the TFTP clients to create new files? If not, you will
> > have to create the file first with sufficient rights for the TFTP server
> > to overwrite, then copy again.
> >
> > -garry
>
> ------------------------------
>
> Message: 9
> Date: Fri, 7 Nov 2008 16:54:59 -0500
> From: "Childs, Aaron"
> Subject: Re: [c-nsp] help: copy run tftp
> To: adrian kok, "cisco-nsp at puck.nether.net"
> Message-ID: <3760B7E1B344364AA0384B231FE7BA6915787FC7 at ex-be1.ads.wsc.ma.edu>
> Content-Type: text/plain; charset="us-ascii"
>
> Hi Adrian,
> Add -c to the server_args. This will allow the tftp clients to create the file.
>
> Aaron
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
> Sent: Friday, November 07, 2008 7:52 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] help: copy run tftp
>
> Hi
>
> I installed a tftp server in linux and it is running
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> .....
> %Error opening tftp://192.168.0.3/router-confg (Timed out)
>
> After checking the tftp server on 192.168.0.3, I fixed it to
> allow the router to connect.
>
> but when I run the command the second time, it is another
> error
>
> it shows the file not found! why?
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>
> Thank you
>
> ------------------------------
>
> End of cisco-nsp Digest, Vol 72, Issue 31
> *****************************************

From vikassharmas at gmail.com Sun Nov 9 23:35:12 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 10 Nov 2008 10:05:12 +0530
Subject: [c-nsp] same mac address on two linecards on 7600
Message-ID:

Hi,

in 7600 and 6500 routers I can see both interfaces have the same MAC address. Ideally it should be different. Can anyone explain this to me? Or can I use (hardcode) a different MAC address? What will be the impact?
rtr1#
GigabitEthernet7/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800 (bia 0021.5693.b800)
  Description: MPS GE CR2.ZRH ZRH/ZRH/LE-089348 // Uplink to sw10.ZRH Gi1/0/12
  Internet address is 212.74.70.7/31
  MTU 1512 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Carrier delay is 8 msec
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 00:20:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/87/87 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 351000 bits/sec, 207 packets/sec
  5 minute output rate 844000 bits/sec, 483 packets/sec
  L2 Switched: ucast: 28994052 pkt, 4799234912 bytes - mcast: 8010577 pkt, 3281624827 bytes
  L3 in Switched: ucast: 630901927 pkt, 136197265827 bytes - mcast: 0 pkt, 0 bytes mcast

rtr2#sh inter gi7/13
GigabitEthernet7/13 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800 (bia 0021.5693.b800)
  Description: MCL GE mas1.ZRH // x-link
  Internet address is 212.74.70.205/31
  MTU 1512 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Carrier delay is 8 msec
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5000 bits/sec, 1 packets/sec
  5 minute output rate 6000 bits/sec, 1 packets/sec
  L2
Switched: ucast: 189399 pkt, 14697171 bytes - mcast: 6751962 pkt, 1745903975 bytes
  L3 in Switched: ucast: 1174 pkt, 189859 bytes - mcast: 0 pkt, 0 bytes mcast

Regards,
Vikas Sharma

From oboehmer at cisco.com Mon Nov 10 00:52:10 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 10 Nov 2008 06:52:10 +0100
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>

Vikas Sharma wrote on Monday, November 10, 2008 05:35:
> Hi,
>
> in 7600 and 6500 routers I can see both interfaces have the same MAC
> address. Ideally it should be different. Can anyone explain this to me? Or
> can I use (hardcode) a different MAC address? What will be the impact?

All L3 interfaces (both routed ports and SVIs) use the same MAC address on this platform, see http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c9b4e.shtml. There is nothing wrong with this, all of the interfaces are (by definition) in different broadcast domains. You can change the mac if you want/need (using the mac-address interface command) on the Sup720..

oli

From md at bts.sk Mon Nov 10 03:36:33 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Mon, 10 Nov 2008 09:36:33 +0100
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
Message-ID: <20081110082924.M63572@bts.sk>

On Mon, 10 Nov 2008 06:52:10 +0100, Oliver Boehmer (oboehmer) wrote
> All L3 interfaces (both routed ports and SVIs) use the same MAC address
> on this platform.
> There is nothing wrong with this, all of the interfaces are (by definition) in
> different broadcast domains. You can change the mac if you want/need (using
> the mac-address interface command) on the Sup720..
Surprisingly, some IOS features still can't cope with this design. As an example:

#traceroute mac ip a.b.c.d u.v.x.y
Source ip a.b.c.d error. Mac found on multiple vlans.
Layer2 trace aborted.

With kind regards,

M.

From wyatt.eliasson at gmail.com Mon Nov 10 03:55:45 2008
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Mon, 10 Nov 2008 09:55:45 +0100
Subject: [c-nsp] Ip unnumbered on 3750
Message-ID: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>

Hi All

I was playing around with an ip unnumbered config for our Dist-layer.

I got a working config on a 3560, ie

int loopback 10
 ip address x.x.x.x y.y.y.y

Vlan x
 ip unnumbered loopback 10

Vlan x1
 ip unnumbered loopback 10

Vlan x2
 ip unnumbered loopback 10

The same won't work on 3750, which gives the following when inputting the "ip unnumbered" command:

Point-to-point (non-multi-access) interfaces only

My question is, is there a workaround for this or will 3750 never support "ip unnumbered" on multi-access interfaces?

Best regards
Mattias Gyllenvarg
Omnitron

From vinzoda.hitesh at gmail.com Mon Nov 10 05:13:16 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 02:13:16 -0800
Subject: [c-nsp] Multicast issue
Message-ID:

Hi all,

I had configured multicast in my LAN using sparse-dense mode. RP and group is defined statically on each L3 switch. I'm receiving the multicast beyond all L3's except ones running HSRP.
Any ideas guyz

Regards

Hitesh Vinzoda

From tedm at toybox.placo.com  Mon Nov 10 05:18:32 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Mon, 10 Nov 2008 02:18:32 -0800
Subject: [c-nsp] c3660: Utterly baffled by ROMs
In-Reply-To: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Nicholas Linn
> Sent: Saturday, November 08, 2008 11:19 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] c3660: Utterly baffled by ROMs
>
> Ted,
>
> Oh I have an image and it runs fine, to a degree. I had upgraded
> the flash memory in the unit and since I am working on a bit of a budget I
> got cheaper after market stuff. The problem is that my boot rom
> doesn't see the flash properly. So in order to run the correct image, I
> have to first boot a smaller image from a PCMCIA card, at which point the
> flash can now be seen, from there I need to do a "reload warm file
> xxxxxxxxx.bin" in order to boot the image I really want. In the end I am
> wasting about 12 megs on the PCMCIA card for the second image, that could
> be put to far better use. I have been assured by the seller that the
> latest boot rom will see the flash properly also having a tftp client
> from rommon would be nice too which I understand some of the newer
> versions have.
>
> I can find the boot-3600= (for the 3620 and 3640) in many places so
> I don't think my question is unreasonable.
>

OK I understand now. What you want is a "rommon" upgrade. Unfortunately
it's rather brutal on CCO to find these after Cisco reorganized things.

The "textbook" way to find it would be to go to:

http://www.cisco.com

click Support->Download Software->Router Software-> then go down to
Cisco 3600 Series Multiservice Platforms, click the + to the left to
expand, then click Cisco 3661 Multiservice Platform.

IF a rommon upgrade was available, it would show as "IOS ROMMON Software"

To do this as I mentioned you must have a login which you get when you
buy that service contract.

If an IOS ROMMON Software link does NOT show - which incidentally is the
case for the majority of Cisco routers - then you CANNOT download rommon
code. You -must- open a TAC case and if your rommon has the capability
of being flashed then TAC will send it to you. BUT, many of the older
Cisco routers DID NOT have this capability, you HAD to buy the rom chips
from Cisco.

Unfortunately, as I have NOT had experience with the 3661 I cannot tell
you if its rommon chip is user-flashable. You will have to contact TAC
at Cisco to proceed further.

Ted

From fropert at packetfault.org  Mon Nov 10 05:30:19 2008
From: fropert at packetfault.org (Francois ROPERT)
Date: Mon, 10 Nov 2008 11:30:19 +0100
Subject: [c-nsp] Multicast issue
Message-ID: <49180D3B.4090206@packetfault.org>

Hitesh Vinzoda wrote:
> Hi all,

Hi Hitesh

>
> I had configured multicast in my lan using sparse-dense mode. RP and group
> is defined statically on each L3 switches. I'm receiving the multicast
> beyond all L3's except ones running HSRP.
>
> Any ideas guyz

http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a0080094aab.shtml

Regards,

-- 
Francois
http://blog.packetfault.org

From vinzoda.hitesh at gmail.com  Mon Nov 10 06:39:37 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 03:39:37 -0800
Subject: [c-nsp] Fwd: Delivery Status Notification (Failure)
In-Reply-To: <000e0cd2bd28cfc82a045b52d9a2@googlemail.com>
References: <000e0cd2bd28cfc82a045b52d9a2@googlemail.com>

---------- Forwarded message ----------
From: Mail Delivery Subsystem
Date: Nov 10, 2008 2:01 AM
Subject: Delivery Status Notification (Failure)
To: vinzoda.hitesh at gmail.com

This is an automatically generated Delivery Status Notification

Delivery to the following recipient failed permanently:

     ciso-nsp at puck.nether.net

Technical details of permanent failure:
Google tried to deliver your message, but it was rejected by the recipient
domain. We recommend contacting the other email provider for further
information about the cause of this error. The error that the other server
returned was: 550 550 5.1.1 ... User unknown (state 14).

----- Original message -----

Date: Mon, 10 Nov 2008 02:01:40 -0800
From: "Hitesh Vinzoda"
To: ciso-nsp at puck.nether.net
Subject: Cisco ASA 5510 VPN problem

i have a cisco ASA 5510 and i had configured remote access VPN on it. but
for some reason i'm not able to ping inside interface from VPN although i
get connected everytime i tried. please advise.
Also,

----- Message truncated -----

From achatz at forthnet.gr  Mon Nov 10 08:41:28 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 10 Nov 2008 15:41:28 +0200
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
Message-ID: <49183A08.20209@forthnet.gr>

If i understand correctly, i think Vikas is referring to two linecards (on
different chassis) sharing a common mac.

-- 
Tassos

Oliver Boehmer (oboehmer) wrote on 10/11/2008 07:52:
> Vikas Sharma wrote on Monday, November 10, 2008 05:35:
>
>> Hi,
>>
>> in 7600 and 6500 router I can see both interfaces have the same mac
>> address. Ideally it should be different. Can anyone explain it to me? Or
>> can I use (hardcode) different mac address? what will be the impact?
>
> All L3 interfaces (both routed ports and SVIs) use the same MAC address
> on this platform, see
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c9b4e.shtml.
> There is nothing wrong with this, all of the interfaces are (by definition)
> in different broadcast domains. You can change the mac if you want/need
> (using mac-address interface command) on the Sup720..
>
> oli

From p.mayers at imperial.ac.uk  Mon Nov 10 09:09:00 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 10 Nov 2008 14:09:00 +0000
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <49183A08.20209@forthnet.gr>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr>
Message-ID: <4918407C.9010105@imperial.ac.uk>

Tassos Chatzithomaoglou wrote:
> If i understand correctly, i think Vikas is referring to two linecards
> (on different chassis) sharing a common mac.

Yes, but look what he pasted as the output:

GigabitEthernet7/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800
  Internet address is 212.74.70.7/31

GigabitEthernet7/13 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800
  Internet address is 212.74.70.205/31

i.e. they're in layer3 routed mode, and thus they inherit the MAC address
of the MSFC (as the MSFC might have to receive packets, and the MSFC has
a limited-size MAC filter)

If you set them back to be "switchport" they'll go back to having a
per-port MAC address; I've just done this on our test chassis:

core-spare#sh int g9/10 | inc address
  Hardware is C6k 1000Mb 802.3, address is 0015.2cbf.1000 (bia 0015.2cbf.1000)
core-spare#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
core-spare(config)#int g9/10
core-spare(config-if)#sw
core-spare(config-if)#switchport
core-spare(config-if)#^Z
core-spare#sh int g9/10 | inc address
  Hardware is C6k 1000Mb 802.3, address is 0021.55d7.558d (bia 0021.55d7.558d)

From p.mayers at imperial.ac.uk  Mon Nov 10 09:10:36 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 10 Nov 2008 14:10:36 +0000
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <4918407C.9010105@imperial.ac.uk>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr> <4918407C.9010105@imperial.ac.uk>
Message-ID: <491840DC.8040400@imperial.ac.uk>

Phil Mayers wrote:
> Tassos Chatzithomaoglou wrote:
>> If i understand correctly, i think Vikas is referring to two linecards
>> (on different chassis) sharing a common mac.

Oops sorry for the noise - yes you're right:

rtr1#
GigabitEthernet7/1 ...
rtr2#
GigabitEthernet7/13 ...

I don't know why that would happen unless the MSFCs have the same MAC
address.

From achatz at forthnet.gr  Mon Nov 10 10:14:45 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 10 Nov 2008 17:14:45 +0200
Subject: [c-nsp] Ip unnumbered on 3750
In-Reply-To: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>
References: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>
Message-ID: <49184FE5.80101@forthnet.gr>

According to
http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml:

"remember that the ip unnumbered command works on point-to-point interfaces only"

On latest IOS it works on ethernet subifs too. So the above statement is
not totally correct.

In your case, it's strange that 3560 accepts it, while 3750 rejects it.
Are they using the same IOS?

Under 12.2(44)SE2, it gets accepted, but you get the following warning:

Warning: dynamic routing protocols will not work on non-point-to-point
interfaces with IP unnumbered configured.

-- 
Tassos

Wyatt Mattias Gyllenvarg wrote on 10/11/2008 10:55:
> Hi All
>
> I was playing around with an ip unnumbered config for our Dist-layer.
>
> I got a working config on a 3560 ie
>
> int loopback 10
>  ip address x.x.x.x y.y.y.y
>
> Vlan x
>  ip unnumbered loopback 10
>
> Vlan x1
>  ip unnumbered loopback 10
>
> Vlan x2
>  ip unnumbered loopback 10
>
> The same won't work on 3750 which gives the following when inputting the
> "ip unnumbered" command.
>
> Point-to-point (non-multi-access) interfaces only
>
> My question is, is there a work around for this or will 3750 never
> support "ip unnumbered" on multi-access interfaces?
>
> Best regards
> Mattias Gyllenvarg
> Omnitron

From rakeshh at gmail.com  Mon Nov 10 10:44:31 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Mon, 10 Nov 2008 09:44:31 -0600
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <491840DC.8040400@imperial.ac.uk>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr> <4918407C.9010105@imperial.ac.uk> <491840DC.8040400@imperial.ac.uk>
Message-ID: <8a4649bb0811100744s52d6946dt683b91c48556f46c@mail.gmail.com>

One of the scenarios where you would change the MAC address is when
connecting two vrfs using a transparent firewall.

-Rakesh.

On Mon, Nov 10, 2008 at 8:10 AM, Phil Mayers wrote:
> Phil Mayers wrote:
>> Tassos Chatzithomaoglou wrote:
>>> If i understand correctly, i think Vikas is referring to two linecards
>>> (on different chassis) sharing a common mac.
>
> Oops sorry for the noise - yes you're right:
>
> rtr1#
> GigabitEthernet7/1 ...
> rtr2#
> GigabitEthernet7/13 ...
>
> I don't know why that would happen unless the MSFCs have the same MAC
> address.
From pete at bytemark.co.uk  Mon Nov 10 10:04:28 2008
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Mon, 10 Nov 2008 15:04:28 +0000
Subject: [c-nsp] OIR in 6500/7600
Message-ID: <49184D7C.4010109@bytemark.co.uk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I've got a couple of new line cards that I would like to stick in a
production 7606. When these were in the lab I tried OIR with decent
success, but now the routers are production I'm a bit nervous of doing
an OIR on these.

- From what I've read there are the three pins that cause the bus stall
and recovery, and fairly frequently the reload. If I were to "no power
enable module X" for the appropriate slot, will this allow me to insert
the card without having to worry about the bus stall and potential
reload, or are those pins powered/effective regardless of the state of
power to a particular slot?

Does anyone have any useful advice/experience with adding new modules to
6500/7600s?

Cheers,

- -- 
Peter Taphouse

Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 (0) 845 004 3 004
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJGE18IAZ7OKeBB58RAqmPAKCjTnuvqdtkmjyrb6ov+MaEsg06vgCeKBdp
dGZ6DwIOXO5C2c9LkbDbI90=
=xECC
-----END PGP SIGNATURE-----

From gert at greenie.muc.de  Mon Nov 10 11:04:01 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 10 Nov 2008 17:04:01 +0100
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <49184D7C.4010109@bytemark.co.uk>
References: <49184D7C.4010109@bytemark.co.uk>
Message-ID: <20081110160401.GM8535@greenie.muc.de>

Hi,

On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote:
> - From what I've read there are the three pins that cause the bus stall
> and recovery, and fairly frequently the reload.

Sounds more like 7500 to me.

I've never had any issues OIRing modules into a 6500/7600.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk  Mon Nov 10 11:24:57 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Nov 2008 17:24:57 +0100
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <20081110160401.GM8535@greenie.muc.de>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de>
Message-ID: <1226334297.21668.78.camel@abehat>

On Mon, 2008-11-10 at 17:04 +0100, Gert Doering wrote:
> On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote:
> > - From what I've read there are the three pins that cause the bus stall
> > and recovery, and fairly frequently the reload.
>
> Sounds more like 7500 to me.
>
> I've never had any issues OIRing modules into a 6500/7600.

We recently removed some LAN cards from two 6500s running SXF and it
wasn't totally without issues.

We removed the cards from the two boxes at the same time, and strangely
they lost their IS-IS adjacency (with each other) because of BFD
timeouts. (The interfaces are configured with "bfd interval 100 min_rx
100 multiplier 3".)

Furthermore, one of them made all iBGP neighbors say:

%TCP-6-BADAUTH: Invalid MD5 digest from (22964) to (179) (RST)

several times, though no BGP sessions were torn down by this. (?)

This was a POP currently not in production, so I don't know if any
traffic forwarding would be disturbed by this.

Regards,
Peter

From rakeshh at gmail.com  Mon Nov 10 11:41:25 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Mon, 10 Nov 2008 10:41:25 -0600
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com> <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>
Message-ID: <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com>

AFAIK, 720x doesn't support PAGP/LACP. It relies on ethernet keepalives
(type 0x9000) sent every 10 secs to add/remove interfaces to the bundle.

Does anybody know what kind of etherchannel load sharing algorithm 720xs
use ?

-Rakesh.

On Sat, Nov 8, 2008 at 1:13 PM, Mario Spinthiras wrote:
> thats very true. If you rely on etherchanneling then you are effectively
> relying on lower layer redundancy. If you go higher , then you rely on the
> normal operation of L3 , etc...
>
> Regards,
> Mario A.
> Spinthiras
> http://www.spinthiras.net/

From cmadams at hiwaay.net  Mon Nov 10 11:45:46 2008
From: cmadams at hiwaay.net (Chris Adams)
Date: Mon, 10 Nov 2008 10:45:46 -0600
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <20081110160401.GM8535@greenie.muc.de>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de>
Message-ID: <20081110164546.GD1450261@hiwaay.net>

Once upon a time, Gert Doering said:
> On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote:
> > - From what I've read there are the three pins that cause the bus stall
> > and recovery, and fairly frequently the reload.
>
> Sounds more like 7500 to me.

Yeah, on the 7500 OIR = "Online Insert and Reboot".

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From damin at nacs.net  Mon Nov 10 11:05:03 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Mon, 10 Nov 2008 11:05:03 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
Message-ID: <091101c9434e$17309620$4591c260$@net>

Hello,

Over the weekend, we updated one of our 7513s from 12.2.25S12 to the
12.2.25S15. The driver behind this was service policies used for LLQ
dropping from interfaces, causing all sorts of havoc w/ our voice
prioritization. The thought was that moving to the more current issue
would address this. It did not.

We also noticed something else odd. We have three multilink bundles on
this router, and have had them configured to use "ip route-cache
distributed" for over a year. We haven't had any problems w/ this until
rebooting into the S15 image. Of the three bundles, Mu1 is the only one
that seems to work w/ dcef. Mu2 and Mu3 have had to be set w/ CEF
disabled to route properly.

The symptoms are that from the router you can ping the other sides of
Mu2 and Mu3, but no external routing is possible. The interface stats
show packets being dropped on the output buffer.. which is weird, until
we disable CEF for those interfaces.. then everything starts working
properly, and the stats show Processor Switching.

Am I missing something? Or is there an issue w/ S15 / Dcef / Multilink
and IP Unnumbered to a loopback?

core-ar1#show interfaces mu1 stats
Multilink1
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor          0          0          0          0
             Route cache     377309  104869674          0          0
       Distributed cache          0          0     459932  500579863
                   Total     377309  104869674     459932  500579863

core-ar1#show interfaces mu2 stats
Multilink2
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        212      12247    1339852  487984693
             Route cache    1837532 2064076461          0          0
       Distributed cache          0          0          0          0
                   Total    1837744 2064088708    1339852  487984693

core-ar1#show interfaces mu3 stats
Multilink3
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         18       1640    1068371 1264449182
             Route cache     701359   67160511          0          0
       Distributed cache          0          0          0          0
                   Total     701377   67162151    1068371 1264449182

interface Multilink1
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 2
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 1
 no clns route-cache
end

interface Multilink2
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 3
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 2
 no clns route-cache
end

interface Multilink3
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 2
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 3
 no clns route-cache
end

From swmike at swm.pp.se  Mon Nov 10 11:47:21 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 10 Nov 2008 17:47:21 +0100 (CET)
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <1226334297.21668.78.camel@abehat>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat>

On Mon, 10 Nov 2008, Peter Rathlev wrote:

> We recently removed some LAN cards from two 6500s running SXF and it
> wasn't totally without issues.
>
> We removed the cards from the two boxes at the same time, and strangely
> they lost their IS-IS adjacency (with each other) because of BFD
> timeouts. (The interfaces are configured with "bfd interval 100 min_rx
> 100 multiplier 3".)

As far as I know, bfd timers so low aren't supported in SXF, you have to
go to SRB to get those.

-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From swmike at swm.pp.se  Mon Nov 10 11:49:08 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 10 Nov 2008 17:49:08 +0100 (CET)
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com> <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com> <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com>

On Mon, 10 Nov 2008, Rakesh Hegde wrote:

> Does anybody know what kind of etherchannel load sharing algorithm 720xs
> use ?

It uses some kind of destination IP algorithm or alike, it doesn't do L4
anyway. I have a document somewhere that I received after a prolonged TAC
case regarding etherchannel load sharing on 7200 and 7500. If it's of
interest, email me offline and I'll look into it tomorrow.
-- 
Mikael Abrahamsson    email: swmike at swm.pp.se

From paul at paulstewart.org  Mon Nov 10 11:49:07 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 10 Nov 2008 11:49:07 -0500
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <20081110164546.GD1450261@hiwaay.net>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <20081110164546.GD1450261@hiwaay.net>
Message-ID: <002a01c94354$3fce7a60$bf6b6f20$@org>

Heheehe.... that's quite true on the 7500's..

For the 6500/7600 the only issue we've ever had is "bus stalls" when the
card isn't quite seated quickly enough or not seated correctly and still
making contact. Don't be afraid to push those cards in with a *little*
bit of force to ensure they are seated..;)

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams
Sent: November 10, 2008 11:46 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OIR in 6500/7600

Once upon a time, Gert Doering said:
> On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote:
> > - From what I've read there are the three pins that cause the bus stall
> > and recovery, and fairly frequently the reload.
>
> Sounds more like 7500 to me.

Yeah, on the 7500 OIR = "Online Insert and Reboot".

-- 
Chris Adams
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.

From achatz at forthnet.gr  Mon Nov 10 11:50:34 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 10 Nov 2008 18:50:34 +0200
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <49184D7C.4010109@bytemark.co.uk>
References: <49184D7C.4010109@bytemark.co.uk>
Message-ID: <4918665A.2070101@forthnet.gr>

The 6500/7600 chassis has three pins in each slot that during insertion
get connected one by one (larger to smaller) to the module. The first one
starts the bus stall and the last one stops the bus stall.

I had problems when inserting the modules too slowly (the bus stall was
lasting for more time). You just need to find the right speed.

Keep in mind that DFC equipped modules do not have this problem.

According to Cisco:

"The addition of a DFC module effectively disconnects a module from the
Data Bus. As such, a DFC-enabled module is not subject to the bus stall
mechanism that occurs when a module is inserted or removed from the
chassis. Throughout these Online Insertion and Removal (OIR) events, the
Data Bus is temporarily paused for just enough time to ensure that the
insertion/removal process does not cause any data corruption on the
backplane. This protection mechanism causes a very brief amount of packet
loss (sub-second, but dependent on the time it takes to fully insert a
module). A module with a DFC onboard is not directly affected by this
stall mechanism and does not have any packet loss on OIR."

-- 
Tassos

Peter Taphouse wrote on 10/11/2008 17:04:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I've got a couple of new line cards that I would like to stick in a
> production 7606. When these were in the lab I tried OIR with decent
> success, but now the routers are production I'm a bit nervous of doing
> an OIR on these.
>
> - From what I've read there are the three pins that cause the bus stall
> and recovery, and fairly frequently the reload. If I were to "no power
> enable module X" for the appropriate slot, will this allow me to insert
> the card without having to worry about the bus stall and potential
> reload, or are those pins powered/effective regardless of the state of
> power to a particular slot?
>
> Does anyone have any useful advice/experience with adding new modules to
> 6500/7600s?
>
> Cheers,
>
> - -- 
> Peter Taphouse
>
> Bytemark Hosting
> http://www.bytemark.co.uk/
> tel. +44 (0) 845 004 3 004

From p.mayers at imperial.ac.uk  Mon Nov 10 11:57:58 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 10 Nov 2008 16:57:58 +0000
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <20081110160401.GM8535@greenie.muc.de>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de>
Message-ID: <49186816.4070203@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote:
>> - From what I've read there are the three pins that cause the bus stall
>> and recovery, and fairly frequently the reload.
>
> Sounds more like 7500 to me.
>
> I've never had any issues OIRing modules into a 6500/7600.

Likewise, we've had no problems.
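The "%TCP-6-BADAUTH: Invalid MD5 digest ... (RST)" line Peter Rathlev quotes earlier in this thread is the TCP MD5 signature option (RFC 2385, option kind 19) that "neighbor ... password" turns on: every segment of the BGP session carries an MD5 over the IP pseudo-header, the fixed TCP header, the data and a shared key, and a receiver drops any segment whose digest does not verify instead of acting on it. The example below is added here and is not code posted to the list; it reproduces the RFC 2385 computation in Python and shows why a RST that fails the check (spoofed, wrong key, or no option at all) is logged and discarded rather than tearing the session down. The addresses 192.0.2.1/192.0.2.2, the key and the segment contents are constructed for illustration; the ports 22964 and 179 are the ones in the quoted log line.

```python
"""RFC 2385 TCP MD5 signature option (kind 19): sign and verify a segment.

Added example, not code posted to the cisco-nsp thread. Addresses, key and
segment contents are constructed; ports 22964 -> 179 mirror the
%TCP-6-BADAUTH line quoted in the thread.
"""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

TCP_PROTO = 6
TCP_MD5_KIND = 19  # option kind of the TCP MD5 signature
TCP_MD5_LEN = 18   # kind(1) + length(1) + 16-byte digest
TH_RST = 0x04
TH_ACK = 0x10
MD5_OPT_PLACEHOLDER = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + b"\x00" * 16


def build_tcp_header(sport, dport, seq, ack, flags, window, options=b""):
    """Fixed 20-byte TCP header plus options, padded to a 4-byte boundary.
    The checksum is left at zero: it is not part of the digest, and a real
    stack fills it in last, after the signature is in place."""
    opts = options + b"\x00" * (-len(options) % 4)
    doff = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        doff << 4, flags, window, 0, 0)
    return fixed + opts


def find_md5_option(header):
    """Offset of the kind-19 option inside the header, or None."""
    doff = (header[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = header[i]
        if kind == 0:                       # EOL
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= doff or header[i + 1] < 2:
            return None                     # malformed option list
        length = header[i + 1]
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return i
        i += length
    return None


def tcp_md5_digest(src_ip, dst_ip, header, payload, key):
    """MD5 over exactly what RFC 2385 section 2 lists, in this order: the
    pseudo-header (src, dst, zero, protocol, segment length including options
    and data), the fixed TCP header with checksum zeroed and options
    excluded, the segment data, then the shared key."""
    seg_len = len(header) + len(payload)
    pseudo = (IPv4Address(src_ip).packed + IPv4Address(dst_ip).packed
              + struct.pack("!BBH", 0, TCP_PROTO, seg_len))
    fixed = bytearray(header[:20])
    fixed[16:18] = b"\x00\x00"              # checksum counts as zero
    h = hashlib.md5()
    for part in (pseudo, bytes(fixed), payload, key):
        h.update(part)
    return h.digest()


def sign_segment(src_ip, dst_ip, header, payload, key):
    """Sender side: write the digest into the kind-19 option slot."""
    off = find_md5_option(header)
    if off is None:
        raise ValueError("header carries no TCP MD5 option to fill")
    digest = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return header[:off + 2] + digest + header[off + TCP_MD5_LEN:]


def verify_segment(src_ip, dst_ip, header, payload, key):
    """Receiver side. A missing option or a digest mismatch means the
    segment is dropped; on IOS that drop is what %TCP-6-BADAUTH reports."""
    off = find_md5_option(header)
    if off is None:
        return False
    received = header[off + 2:off + TCP_MD5_LEN]
    expected = tcp_md5_digest(src_ip, dst_ip, header, payload, key)
    return hmac.compare_digest(received, expected)


def rst_injection_demo():
    """Constructed scenario: router A (192.0.2.1) has a BGP session to
    router B (192.0.2.2) from port 22964 and both share `key`. Returns
    whether B accepts (1) A's genuine RST, (2) a RST built with the wrong
    key, (3) a RST with no MD5 option at all."""
    a, b, key = "192.0.2.1", "192.0.2.2", b"bgp-secret"
    hdr = build_tcp_header(22964, 179, 0x1000, 0x2000, TH_RST | TH_ACK, 0,
                           MD5_OPT_PLACEHOLDER)
    genuine = sign_segment(a, b, hdr, b"", key)
    forged = sign_segment(a, b, hdr, b"", b"not-the-key")
    bare = build_tcp_header(22964, 179, 0x1000, 0x2000, TH_RST | TH_ACK, 0)
    return (verify_segment(a, b, genuine, b"", key),
            verify_segment(a, b, forged, b"", key),
            verify_segment(a, b, bare, b"", key))


if __name__ == "__main__":
    print(rst_injection_demo())  # (True, False, False)
```

Because the pseudo-header is inside the digest, a captured valid segment also fails verification when replayed towards a different address pair, so the check protects against blind RST injection and not just against an attacker who lacks the key. The caveats a practitioner should keep in mind: the key is static and shared by both ends, RFC 2385 has no key rollover, the digest is a keyed MD5 rather than an HMAC, and its successor TCP-AO (RFC 5925) exists for these reasons.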
From peter at rathlev.dk Mon Nov 10 12:03:06 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 10 Nov 2008 18:03:06 +0100 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> Message-ID: <1226336586.26527.2.camel@abehat> On Mon, 2008-11-10 at 17:47 +0100, Mikael Abrahamsson wrote: > As far as I know, bfd timers so low aren't supported in SXF, you have to > go to SRB to get those. Hmm... can you point to where this would be stated? The "IP Routing Protocol-Independent Commands" doesn't state any minimum for 12.2SX, just the 50 msec configurable minimum. Regards, Peter From swmike at swm.pp.se Mon Nov 10 12:18:14 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 10 Nov 2008 18:18:14 +0100 (CET) Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <1226336586.26527.2.camel@abehat> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> Message-ID: On Mon, 10 Nov 2008, Peter Rathlev wrote: > Hmm... can you point to where this would be stated? The "IP Routing > Protocol-Independent Commands" doesn't state any minimum for 12.2SX, > just the 50 msec configurable minimum. I don't remember exactly, I just remember that Cisco engineer said that SXF doesn't support nearly as agressive timers as SRB, from the top of my head it was around second failure time (300x3), lower than that wasn't supported. Let's see if someone else here has more information, I don't have it in writing easily accessable. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From p.mayers at imperial.ac.uk Mon Nov 10 12:37:46 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 10 Nov 2008 17:37:46 +0000 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> Message-ID: <4918716A.8030502@imperial.ac.uk> Mikael Abrahamsson wrote: > On Mon, 10 Nov 2008, Peter Rathlev wrote: > >> Hmm... can you point to where this would be stated? The "IP Routing >> Protocol-Independent Commands" doesn't state any minimum for 12.2SX, >> just the 50 msec configurable minimum. > > I don't remember exactly, I just remember that Cisco engineer said that > SXF doesn't support nearly as agressive timers as SRB, from the top of > my head it was around second failure time (300x3), lower than that > wasn't supported. > > Let's see if someone else here has more information, I don't have it in > writing easily accessable. > I can certainly state from experience that SXF BFD is highly unreliable with short timers (making it more or less useless). Does SRB support BFD on SVIs? From gtb at slac.stanford.edu Mon Nov 10 12:46:02 2008 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Mon, 10 Nov 2008 09:46:02 -0800 Subject: [c-nsp] c3660: Utterly baffled by ROMs In-Reply-To: References: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com> Message-ID: > ... BUT, many > of the older Cisco routers DID NOT have this capability, > you HAD to buy the rom chips from Cisco. Actually, some of the older rommon images could be downloaded from Cisco by "partners" and they could write them to PROMs for their direct customers. 
(And, of course, if you were of the mindset, and you had a working rommon, you could put same into the programmer and duplicate it; at least with all of the programmers I ever owned you could do that with ROM/PROM/EEPROMs, although sometimes it was a multi-step procedure since there was only one zif socket.) Gary From nicklinn at nurro.net Mon Nov 10 13:25:01 2008 From: nicklinn at nurro.net (Nicholas Linn) Date: Mon, 10 Nov 2008 13:25:01 -0500 Subject: [c-nsp] c3660: Utterly baffled by ROMs In-Reply-To: References: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com> Message-ID: <006f01c94361$a8ec31b0$6a01a8c0@nurronetworks.com> Gary, That is true for the 3660 it's just a standard 4mbit socketed PLCC flash. As a matter of fact one of the first things I did (as I do with most of my electronics) was download the image from the flash rom as a backup in the case of corruption or failure. Nick -----Original Message----- From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu] Sent: Monday, November 10, 2008 12:46 PM To: Ted Mittelstaedt; Nicholas Linn; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] c3660: Utterly baffled by ROMs > ... BUT, many > of the older Cisco routers DID NOT have this capability, > you HAD to buy the rom chips from Cisco. Actually, some of the older rommon images could be downloaded from Cisco by "partners" and they could write them to PROMs for their direct customers. (And, of course, if you were of the mindset, and you had a working rommon, you could put same into the programmer and duplicate it; at least with all of the programmers I ever owned you could do that with ROM/PROM/EEPROMs, although sometimes it was a multi-step procedure since there was only one zif socket.) 
Gary

From damin at nacs.net Mon Nov 10 14:30:50 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Mon, 10 Nov 2008 14:30:50 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <3e4b8fe10811101050i40e4912bxd7e3ed9d3795d2c2@mail.gmail.com>
References: <091101c9434e$17309620$4591c260$@net> <3e4b8fe10811101050i40e4912bxd7e3ed9d3795d2c2@mail.gmail.com>
Message-ID: <0a1401c9436a$d6c55220$844ff660$@net>

>What about if you do "show cef linecard" does it show cef as being active for the linecards that support the physical interfaces that you are binding to
>a MLPPP group?
>
>I noticed a lot of cef oddities on the 75xx platform with vip's not having sufficient memory (usually needed 128MB to maintain a normal cef table).

core-ar1#show diagbus | inc Mem
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 4096 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 Kbytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM

Looks good to me. The card in Slot 4 reporting 4096 SRAM is a Fast Ethernet card.

core-ar1#show cef linecard
Slot  XDRSent  Flags
5     291330   up
0     291342   up
9     291512   up
11    291965   up
12    291530   up
4     291519   up
*7    288598   up

VRF IPv4:Default-IP-Routing-Table, 112874 routes
Slot  I/Fs  State   Flags
5     5     Active  sync, table-up
0     8     Active  sync, table-up
9     5     Active  sync, table-up
11    32    Active  sync, table-up
12    9     Active  sync, table-up
4     6     Active  sync, table-up
7     5     Active  sync, table-up

From peter at rathlev.dk Mon Nov 10 14:32:38 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Nov 2008 20:32:38 +0100
Subject: [c-nsp] BFD timers (was: OIR in 6500/7600)
In-Reply-To:
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat>
Message-ID: <1226345558.27769.20.camel@abehat>

On Mon, 2008-11-10 at 18:18 +0100, Mikael Abrahamsson wrote:
> On Mon, 10 Nov 2008, Peter Rathlev wrote:
> > Hmm... can you point to where this would be stated? The "IP Routing
> > Protocol-Independent Commands" doesn't state any minimum for 12.2SX,
> > just the 50 msec configurable minimum.
>
> I don't remember exactly, I just remember that Cisco engineer said that
> SXF doesn't support nearly as aggressive timers as SRB, from the top of my
> head it was around second failure time (300x3), lower than that wasn't
> supported.

Well, I can as well get used to not using BFD anyway, seeing as this "swiss army knife" of fast failover has its quirks on different software versions. :-)

Can anybody say how BFD behaves on SXH? Apart from the SVI thingy of course. :-|

Regards,
Peter

From rubensk at gmail.com Mon Nov 10 15:27:53 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 10 Nov 2008 18:27:53 -0200 Subject: [c-nsp] OER/PfR, 7600, DFZ Message-ID: <6bb5f5b10811101227o7b7441bdq749a83cfb7809dd7@mail.gmail.com> What are the current xSP impressions on using Performance Routing (formerly known as Optimized Edge Routing) on the current Internet Default-Free-Zone, manipulating inbound traffic by BGP route control ? Does it add availability and quality or troubles ? Platform is 7600, PFC3BXL. Rubens From gert at greenie.muc.de Mon Nov 10 16:45:02 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 10 Nov 2008 22:45:02 +0100 Subject: [c-nsp] BFD timers (was: OIR in 6500/7600) In-Reply-To: <1226345558.27769.20.camel@abehat> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> <1226345558.27769.20.camel@abehat> Message-ID: <20081110214502.GP8535@greenie.muc.de> Hi, On Mon, Nov 10, 2008 at 08:32:38PM +0100, Peter Rathlev wrote: > Can anybody say how BFD behaves on SXH? Apart from the SVI thingy of > course. :-| Can't say. Right now, all our interfaces that would benefit from having BFD are SVIs :( (Did anyone ever get an answer from Cisco on why it was removed, and whether it will be back eventually?) gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From rlcwlist at gmail.com Mon Nov 10 18:26:20 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Tue, 11 Nov 2008 07:26:20 +0800
Subject: [c-nsp] VRF on BGP
Message-ID: <53fb3cbd0811101526s25b3d3a8p72c4269236a21eb4@mail.gmail.com>

Dear All:

I'm seeking a comment on my VRF configuration with BGP configuration details. The BGP graph is here: http://i13.photobucket.com/albums/a279/rlcw/bgp.jpg

  ---------        ---------
  |  7206 |        |  7206 |
  ---------        ---------
      |                |
      |                |
  ---------        ---------
  |  6509 |        |  6509 |
  ---------        ---------
       \              /
        \            /
         \          /
          \        /
         ------------
         | eXchange |
         ------------

3 VRFs were created on the 6509:

ip vrf GLOBAL
 rd 65500:23
 route-target export 65500:23
 route-target import 65500:23
 route-target import 65500:22
 route-target import 65500:21
!
ip vrf HKIX
 rd 65500:22
 route-target export 65500:22
 route-target import 65500:22
!
ip vrf OVERSEAS
 rd 65500:21
 route-target export 65500:21
 route-target import 65500:21

On my 6509, I'll provide the services of Broadband, IP Transit, etc. Hence I want to provide the IP transit service using VRFs, in order to select which kind of routes I'm going to send to my customer, with different services using different routing tables in order to make use of those upstream (7206) providers.

Sample output of sh ip route vrf GLOBAL:

B    210.34.240.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    202.119.189.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    199.254.56.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37
B    202.49.249.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37

Do you think I should work the VRF GLOBAL into the global routing table? Or do you suggest mapping all of the 6509's ports to a VRF by default? How can I import those routes from a VRF to the global routing table as well?

Thanks

From rlcwlist at gmail.com Mon Nov 10 18:29:46 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Tue, 11 Nov 2008 07:29:46 +0800
Subject: [c-nsp] VRF on BGP (New)
Message-ID: <53fb3cbd0811101529o7ea16120pfc468943cf9f64a7@mail.gmail.com>

Dear All:

I'm seeking a comment on my VRF configuration with BGP configuration details. The BGP graph is here: http://i13.photobucket.com/albums/a279/rlcw/bgp.jpg

  ---------        ---------
  |  7206 |        |  7206 |
  ---------        ---------
      |                |
      |                |
  ---------        ---------
  |  6509 |        |  6509 |
  ---------        ---------
       \              /
        \            /
         \          /
          \        /
         ------------
         | eXchange |
         ------------

3 VRFs were created on the 6509:

ip vrf GLOBAL
 rd 65500:23
 route-target export 65500:23
 route-target import 65500:23
 route-target import 65500:22
 route-target import 65500:21
!
ip vrf HKIX
 rd 65500:22
 route-target export 65500:22
 route-target import 65500:22
!
ip vrf OVERSEAS
 rd 65500:21
 route-target export 65500:21
 route-target import 65500:21

On my 6509, I'll provide the services of Broadband, IP Transit, etc. Hence I want to provide the IP transit service using VRFs, in order to select which kind of routes I'm going to send to my customer, with different services using different routing tables in order to make use of those upstream (7206) providers.

Sample output of sh ip route vrf GLOBAL:

B    210.34.240.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    202.119.189.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    199.254.56.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37
B    202.49.249.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37

Do you think I should work the VRF GLOBAL into the global routing table? Or do you suggest mapping all of the 6509's ports to a VRF by default? How can I import those routes from a VRF to the global routing table as well?
Thanks

From linkconnect at googlemail.com Mon Nov 10 18:40:37 2008
From: linkconnect at googlemail.com (Wayne Lee)
Date: Mon, 10 Nov 2008 23:40:37 +0000
Subject: [c-nsp] vrf-lite question
Message-ID: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.

I have 4 routers and 3 VRFs (cust1, cust2 and GW) configured on R0

R1-------R0-------R2
          |
          |
          |
          R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and vice-versa. I'm using OSPF and BGP to redistribute but I do not know how to stop the customer VRFs from seeing each other; they do need internet access via GW, which will be performing NAT and allowing inbound ipsec connections to the different VRFs (R4 will be a Netscreen firewall in the data-centre)

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200

interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
  redistribute ospf 10
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
  redistribute ospf 12
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
  redistribute ospf 11
  no auto-summary
  no synchronization
 exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in each VRF and the Netscreen will provide internet access and VPN to other sites where we do not terminate the ADSL

Thanks for your time

Wayne

From ben.steele at internode.on.net Mon Nov 10 19:02:45 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 11 Nov 2008 10:32:45 +1030
Subject: [c-nsp] vrf-lite question
In-Reply-To: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>
References: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>
Message-ID: <000001c94390$d4709770$7d51c650$@steele@internode.on.net>

Use an export map on the GW to only export the routes for GW and not the other custs.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
Sent: Tuesday, 11 November 2008 10:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vrf-lite question

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.
I have 4 routers and 3 vrf's (cust1, cust 2 and GW) configured on R0 R1-------R0-------R2 | | | R4 cust1 and cust2 import from GW and GW imports from cust1 and cust2. The problem I'm having is that cust1 can reach cust2 via GW and vice-versa. I'm using OSPF and BGP to redistribute but I do not know how to stop the customer VRF's from seeing each other, they do need internet access via GW which will be performing NAT and allow inbound ipsec connections to the different VRF's (R4 will be a Netscreen firewall in the data-centre) ip vrf cust1 rd 172.16.1.1:100 route-target export 172.16.1.1:100 route-target import 172.16.1.1:100 route-target import 10.254.254.254:300 ! ip vrf cust2 rd 172.16.2.1:200 route-target export 172.16.2.1:200 route-target import 172.16.2.1:200 route-target import 10.254.254.254:300 ! ip vrf juniperGW rd 10.254.254.254:300 route-target export 10.254.254.254:300 route-target import 10.254.254.254:300 route-target import 172.16.1.1:100 route-target import 172.16.2.1:200 interface FastEthernet1/0 description link to R1 ip vrf forwarding cust1 ip address 172.16.1.254 255.255.255.0 duplex half ! interface FastEthernet2/0 description link to R2 ip vrf forwarding cust2 ip address 172.16.2.254 255.255.255.0 duplex half ! interface FastEthernet3/0 description link to R3 ip address 172.16.254.1 255.255.255.252 duplex half ! interface FastEthernet4/0 description juniper gateway to internet ip vrf forwarding juniperGW ip address 10.254.254.254 255.255.255.0 duplex half ! router ospf 11 vrf cust1 log-adjacency-changes capability vrf-lite network 172.16.1.0 0.0.0.255 area 11 ! router ospf 12 vrf cust2 log-adjacency-changes capability vrf-lite network 172.16.2.0 0.0.0.255 area 12 ! router ospf 1 log-adjacency-changes redistribute connected subnets redistribute static subnets passive-interface default no passive-interface FastEthernet3/0 network 172.16.254.0 0.0.0.255 area 0 ! 
router ospf 10 vrf juniperGW log-adjacency-changes capability vrf-lite network 10.254.254.0 0.0.0.255 area 10 ! router bgp 65400 no synchronization bgp router-id 10.10.254.254 bgp log-neighbor-changes no auto-summary ! address-family ipv4 vrf juniperGW redistribute ospf 10 no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf cust2 redistribute ospf 12 no auto-summary no synchronization exit-address-family ! address-family ipv4 vrf cust1 redistribute ospf 11 no auto-summary no synchronization exit-address-family ! ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253 ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253 The end result I'm working towards will have ADSL PPPoA interfaces in each VRF and the Netscreen will provide internet access and VPN to other sites where we do not terminate the ADSL Thanks for your time Wayne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Mon Nov 10 21:13:12 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Tue, 11 Nov 2008 10:13:12 +0800 Subject: [c-nsp] BFD timers (was: OIR in 6500/7600) In-Reply-To: <20081110214502.GP8535@greenie.muc.de> References: <49184D7C.4010109@bytemark.co.uk> <1226345558.27769.20.camel@abehat> <20081110214502.GP8535@greenie.muc.de> Message-ID: <200811111013.13097.mtinka@globaltransit.net> On Tuesday 11 November 2008 05:45:02 Gert Doering wrote: > (Did anyone ever get an answer from Cisco on why it was > removed, and whether it will be back eventually?) The last time I asked our SE, he didn't have any feedback but was checking. I've just sent him a reminder. Side note: I also asked him why BFD wasn't supported on 802.3ad bundles, and he said that's now in the plan, but no clear indication in which release it will ship. Cheers, Mark. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From eng_mssk at hotmail.com Tue Nov 11 00:52:21 2008 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 11 Nov 2008 07:52:21 +0200 Subject: [c-nsp] test mail Message-ID: hey anyone rcvs my mail reply with an empty mail so i can make sure that my mails are rcvd by u thanks in advance _________________________________________________________________ Discover the new Windows Vista http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE From eng_mssk at hotmail.com Tue Nov 11 01:02:42 2008 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 11 Nov 2008 08:02:42 +0200 Subject: [c-nsp] L2VPN Interworking Message-ID: Dears i have the following setup: CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2 PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-33.SRD.bin PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-33.SRC1.bin CE1 --> PE1 is ATM connection CE2 --> PE2 Vlan connection (Sub interface) i have established xconnect between the 2 sides the xconnect is up and there is a ping between the 2 sides but the problem is in the size when i issue the command ping x.x.x.x repeat 1000 size 1500 i face remarkable packet drop !! any ideas ?? knowing that there is no congestion at all in my links nor through the MPLS cloud _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx From p_ambedkar at rediffmail.com Tue Nov 11 01:15:39 2008 From: p_ambedkar at rediffmail.com (ambedkar ) Date: 11 Nov 2008 06:15:39 -0000 Subject: [c-nsp] 6500-sup-stdby Message-ID: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> ? Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2 is standby. 
The problem is that sup2 is not booting automatically when the system is switched ON. It goes into rommon mode, where we have to type the boot command so that it will boot. After booting, the boot variable is missing. If we set the boot variable, it will show the boot variable, but it is temporary.

Again we switched OFF and ON, and the same situation is there. I tried a lot, please help me. Some details are here...

Before sup2:

CAT_1> (enable) sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok

After sup2:

CAT_1> (enable) sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok

bye.

From vinzoda.hitesh at gmail.com Tue Nov 11 01:23:33 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 22:23:33 -0800
Subject: [c-nsp] FWSM Access-control lists
Message-ID:

Dear All,

I'm having a production server subnet of around 150 servers (172.16.2.0/24) and all of them are sitting behind an FWSM. The current ACL applied is permit ip any any. Now we have got the details of one server communicating on some ports, for which we are going to apply the ACL. I came to know about the line numbers in ACEs, but for me it's not working. Say e.g.

my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

Now any other traffic for this particular server will be denied:

access-list test line 500 extended permit ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

The fascinating thing here is that when I issue the "sh access-list" command, it shows the line numbers for 500 and 501 as 4 & 5 respectively, i.e. anything added later is appended. I want to have ip any any at line 15000, which will be removed once all ACEs for each server are in place.

FWSM is running 3.2.

Any ideas about getting lines 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda

From vinzoda.hitesh at gmail.com Tue Nov 11 01:27:50 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 22:27:50 -0800
Subject: [c-nsp] L2VPN Interworking
In-Reply-To:
References:
Message-ID:

Check for MTU size on interfaces.

Regards
Hitesh Vinzoda

On 11/10/08, Mohammad Khalil wrote:
>
>
> Dears
> i have the following setup:
> CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
> PE1 is 7609 and has the IOS image
> c7600rsp72043-advipservices-mz.122-33.SRD.bin
> PE2 is a VXR G2 and has the IOS image
> c7200p-spservicesk9-mz.122-33.SRC1.bin
> CE1 --> PE1 is ATM connection
> CE2 --> PE2 Vlan connection (Sub interface)
>
> i have established xconnect between the 2 sides
> the xconnect is up and there is a ping between the 2 sides
> but the problem is in the size
> when i issue the command ping x.x.x.x repeat 1000 size 1500
> i face remarkable packet drop !!
> any ideas ??
> knowing that there is no congestion at all in my links nor through the MPLS
> cloud
>
> _________________________________________________________________
> News, entertainment and everything you care about at Live.com.
Get it now! > http://www.live.com/getstarted.aspx > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From r.tahina at moov.mg Tue Nov 11 01:31:25 2008 From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina) Date: Tue, 11 Nov 2008 09:31:25 +0300 Subject: [c-nsp] lacp on serial Message-ID: <7.0.1.0.2.20081111093006.0036fec0@moov.mg> Dear All, I 'm looking for implementation of lacp on serial, docs only show on ethernet, is that possible? Kind regards. From eng_mssk at hotmail.com Tue Nov 11 01:33:10 2008 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 11 Nov 2008 08:33:10 +0200 Subject: [c-nsp] L2VPN Interworking In-Reply-To: References: Message-ID: i checked it and it configured to be 1500 (in face if u keep the mtu size on the atm sub interface the default 4470 , the xconnect will never come up) Date: Mon, 10 Nov 2008 22:27:50 -0800 From: vinzoda.hitesh at gmail.com To: eng_mssk at hotmail.com Subject: Re: [c-nsp] L2VPN Interworking CC: cisco-nsp at puck.nether.net Check for MTU size on interfaces. Regards Hitesh Vinzoda On 11/10/08, Mohammad Khalil wrote: Dears i have the following setup: CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2 PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-33.SRD.bin PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-33.SRC1.bin CE1 --> PE1 is ATM connection CE2 --> PE2 Vlan connection (Sub interface) i have established xconnect between the 2 sides the xconnect is up and there is a ping between the 2 sides but the problem is in the size when i issue the command ping x.x.x.x repeat 1000 size 1500 i face remarkable packet drop !! any ideas ?? 
knowing that there is no congestion at all in my links nor through the MPLS cloud _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _________________________________________________________________ Explore the seven wonders of the world http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE From oboehmer at cisco.com Tue Nov 11 01:51:13 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 11 Nov 2008 07:51:13 +0100 Subject: [c-nsp] lacp on serial In-Reply-To: <7.0.1.0.2.20081111093006.0036fec0@moov.mg> References: <7.0.1.0.2.20081111093006.0036fec0@moov.mg> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com> RAZAFINDRATSIFA Rivo Tahina <> wrote on Tuesday, November 11, 2008 07:31: > Dear All, > > I 'm looking for implementation of lacp on serial, docs only show on > ethernet, is that possible? nope, you need to use multilink ppp to bundle serials on Layer 2.. oli From ben.steele at internode.on.net Tue Nov 11 02:40:04 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Tue, 11 Nov 2008 18:10:04 +1030 Subject: [c-nsp] FWSM Access-control lists In-Reply-To: References: Message-ID: <000c01c943d0$b6857d30$23907790$@steele@internode.on.net> If you just add all your line numbers the same it will automatically bump the one its replacing up one. Ie say your permit ip any any is at line 4, if you just insert all your rules as line 4 you will find they bump each other up all the way to whatever line number you get too with the original line 4 statement at the very end. 
-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda Sent: Tuesday, 11 November 2008 4:54 PM To: Cisco Mailing list Subject: [c-nsp] FWSM Access-control lists Dear All, Im having a production server subnet of around 150 servers ( 172.16.2.0/24) and all of them are sitting behind FWSM. Current ACL applied is permit ip any any. Now we have got the details of one server communicating on some ports for that we are going to apply the ACL. I came to know about the Line numbers in ACE but for me its not working. Say e.g. my LAN is untrusted (192.168.0.0/16) access-list test line 1 extended permit ip 192.168.2.0 host 172.16.2.20 eq www access-list test line 2 extended permit ip 192.168.2.0 host 172.16.2.20 eq smtp access-list test line 3 extended permit ip 192.168.2.0 host 172.16.2.20 eq 445 now for any other traffic for particular server will be denied access-list test line 500 extended permit ip any host 172.16.2.20 access-list test line 501 extended permit ip any any the fascinating thing here is that when i issue "sh access-list" command. it shows the line numbers for 500 and 501 as 4 & 5 respectively. i.e. any thing added later is appended. I want to have ip any any at line 15000 which will removed once all ACE for each server are in place. FWSM is running of 3.2 any ideas about getting line 500 & 501 and fixed at there respective places. Thanks in advance Hitesh Vinzoda _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ No virus found in this incoming message. 
Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.0/1779 - Release Date: 10/11/2008 7:53 AM From tomas at soitron.com Tue Nov 11 03:11:42 2008 From: tomas at soitron.com (Tomas Daniska) Date: Tue, 11 Nov 2008 09:11:42 +0100 Subject: [c-nsp] L2VPN Interworking In-Reply-To: References: Message-ID: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as> What does it mean - remarkable? If it's 100% then it *might* be related to MTU. If it's <100% (at least a few packets pass) then it's *not* MTU related. Check links, queues, ATM... ? -- deejay > > Dears > i have the following setup: > CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2 > PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122- > 33.SRD.bin > PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122- > 33.SRC1.bin > CE1 --> PE1 is ATM connection > CE2 --> PE2 Vlan connection (Sub interface) > > i have established xconnect between the 2 sides > the xconnect is up and there is a ping between the 2 sides > but the problem is in the size > when i issue the command ping x.x.x.x repeat 1000 size 1500 > i face remarkable packet drop !! > any ideas ?? > knowing that there is no congestion at all in my links nor through the > MPLS cloud > From eng_mssk at hotmail.com Tue Nov 11 03:27:02 2008 From: eng_mssk at hotmail.com (Mohammad Khalil) Date: Tue, 11 Nov 2008 10:27:02 +0200 Subject: [c-nsp] L2VPN Interworking In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as> References: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as> Message-ID: the success rate is about (930/1000) and as i told u the MTU is configured on the ATM link to be 1500 the physical links are not congested what else can i add or modify to solve this issue ?? > Subject: RE: [c-nsp] L2VPN Interworking > Date: Tue, 11 Nov 2008 09:11:42 +0100 > From: tomas at soitron.com > To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net > > What does it mean - remarkable? 
> > If it's 100% then it *might* be related to MTU. > > If it's <100% (at least a few packets pass) then it's *not* MTU related. > Check links, queues, ATM... ? > > -- > > deejay > > > > > Dears > > i have the following setup: > > CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2 > > PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122- > > 33.SRD.bin > > PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122- > > 33.SRC1.bin > > CE1 --> PE1 is ATM connection > > CE2 --> PE2 Vlan connection (Sub interface) > > > > i have established xconnect between the 2 sides > > the xconnect is up and there is a ping between the 2 sides > > but the problem is in the size > > when i issue the command ping x.x.x.x repeat 1000 size 1500 > > i face remarkable packet drop !! > > any ideas ?? > > knowing that there is no congestion at all in my links nor through the > > MPLS cloud > > _________________________________________________________________ News, entertainment and everything you care about at Live.com. Get it now! http://www.live.com/getstarted.aspx From pete at bytemark.co.uk Tue Nov 11 03:31:05 2008 From: pete at bytemark.co.uk (Peter Taphouse) Date: Tue, 11 Nov 2008 08:31:05 +0000 Subject: [c-nsp] 6500-sup-stdby In-Reply-To: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> Message-ID: <491942C9.6020505@bytemark.co.uk> ambedkar wrote: > > Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2 > is standby. The problem is sup2 is not booting automatically when the > system is switched ON. it is going to rommon mode, where we have to > type boot command so that it will boot. after booting, boot variable > is missing. if we set the boot variable,it will show the boot variable > but it is temporary. > > Again we switched OFF and ON, The same situation is there. i tried > lot, please help me. some details are here... 
I had that on a sup720 once; it turned out that the onboard battery was dead.

--
Peter Taphouse
Bytemark Hosting
http://www.bytemark-hosting.co.uk
tel. +44 (0) 845 004 3 004

From affanzbasalamah at gmail.com Tue Nov 11 05:49:27 2008
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Tue, 11 Nov 2008 17:49:27 +0700
Subject: [c-nsp] Upgrading edge router
Message-ID:

Hi all,

I am a network admin at a university that has a UNIX PC that functions as core router and firewall to accommodate:
- 2 x 45 Mb link to research education network (REN)
- 100Mb link to local exchange point
- 10Mb link to Internet

Currently we accept partial routes from the Internet, and aggregated with REN prefixes, we have at least 30k prefixes.

We would like to upgrade our router to accommodate:
- new STM-1 link (physical connector is not STM1 port, but it is converted to Gigeth by our telco)
- at least 4 1000BaseT ports
- firewall feature (packet filter and inspection) would be nice
- IPv6 multicast and MPLS feature
- can keep up the load at least for 5 years
- budget around $35k

I have done some research, and our choice could come to:
- Cisco 7603 with Sup32. I think this is the cheapest solution with 8 port gigabit ethernet, but I don't know whether it could handle the load. I also see it has integrated packet inspection with the PISA daughterboard, but I don't have any experience with that. The supervisor is a bit old compared to ASR1000.
- Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet inspection, but I don't know whether it can suit the budget.
- Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit ports, and the separate AS module can cost you too much. I don't know whether it suits the budget.
- Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had experience with this box, but the specs look promising, and maybe it suits the budget.
I would like your suggestion about my plan above, perhaps I can come out with better plan.

Thank you,
Regards,

-affan

From ben.steele at internode.on.net Tue Nov 11 06:08:40 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 11 Nov 2008 21:38:40 +1030
Subject: [c-nsp] Upgrading edge router
In-Reply-To:
References:
Message-ID: <001501c943ed$da89bda0$8f9d38e0$@steele@internode.on.net>

I'd try and go the ASR1002 option, it shouldn't be too far off your 35k budget without smartnet, although I'd recommend maintenance on the software as you will want access to TAC for bugs, also if you can option in the HA feature so you can get ISSU.

With 5Gb of throughput, dual psu and 4Gb(SFP) int's out the box with room for expansion it's good bang for buck, the ASR is really aimed as the next generation 7200 swiss army knife, being a software based feature platform rather than a hardware (ie 7600/6500) it's a welcome new product and you should see good life out of it, it has some limitations in its current form, the only one that may concern you with your list that I can think of is lack of AToM MPLS support, but that is due out in upcoming software release.

Put the quagga to rest! :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
Sent: Tuesday, 11 November 2008 9:19 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Upgrading edge router

Hi all,

I am network admin in university that have a UNIX PC that functions as core router and firewall to accommodate:
- 2 x 45 Mb link to research education network (REN)
- 100Mb link to local exchange point
- 10Mb link to Internet
Currently we accept partial route from Internet, and aggregated with REN prefixes, we have at least 30k prefixes.
We would like to upgrade our router to accommodate:
- new STM-1 link (physical connector is not STM1 port, but it is converted to Gigeth by our telco)
- at least 4 1000BaseT port
- firewall feature (packet filter and inspection) would be nice
- IPv6 multicast and MPLS feature
- can keep up the load at least for 5 years
- budget around $35k

I have done some research, and our choice could come to:
- Cisco 7603 with Sup32. I think this is the cheapest solution with 8 port gigabit ethernet, but I don't know whether it could handle the load. I also see it as integrated packet inspection with PISA daughterboard, but I don't have any experience with that. The supervisor is a bit old compared to ASR1000.
- Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet inspection, but I don't know whether it can suit the budget.
- Juniper M7i with 2 x 1Gbps SFP port. It has better OS (but I haven't compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit ports, and separate AS module can cost you too much. I don't know whether it suits the budget.
- Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had experience with this box, but the specs look promising, and maybe it suits the budget.

I would like your suggestion about my plan above, perhaps I can come out with better plan.

Thank you,
Regards,

-affan
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
From affanzbasalamah at gmail.com Tue Nov 11 06:55:10 2008
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Tue, 11 Nov 2008 18:55:10 +0700
Subject: [c-nsp] Upgrading edge router
In-Reply-To: <4213440380134758766@unknownmsgid>
References: <4213440380134758766@unknownmsgid>
Message-ID:

Thank you for your prompt response,

I would like to know a thing about ASR1000 software components:
- It says on ASR1000 software ordering guide (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html) that there is a FPM (flexible packet matching) service license and Firewall service license. I would like to know the difference between two license, since the latter cost the double from the former.
- What version of IOS-XE is integrated in ASR1000 bundle? Is it IP Base or Advanced IP Services? I would like to run IPv6 on the router, so the router will need Advanced IP Services IOS.

Regards,
-affan

On Tue, Nov 11, 2008 at 6:08 PM, Ben Steele wrote:
> I'd try and go the ASR1002 option, it shouldn't be too far off your 35k
> budget without smartnet, although I'd recommend maintenance on the software
> as you will want access to TAC for bugs, also if you can option in the HA
> feature so you can get ISSU.
>
> With 5Gb of throughput, dual psu and 4Gb(SFP) int's out the box with room
> for expansion it's good bang for buck, the ASR is really aimed as the next
> generation 7200 swiss army knife, being a software based feature platform
> rather than a hardware (ie 7600/6500) it's a welcome new product and you
> should see good life out of it, it has some limitations in its current form,
> the only one that may concern you with your list that I can think of is lack
> of AToM MPLS support, but that is due out in upcoming software release.
>
> Put the quagga to rest!
> :)
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
> Sent: Tuesday, 11 November 2008 9:19 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Upgrading edge router
>
> Hi all,
>
> I am network admin in university that have a UNIX PC that functions as
> core router and firewall to accommodate:
> - 2 x 45 Mb link to research education network (REN)
> - 100Mb link to local exchange point
> - 10Mb link to Internet
> Currently we accept partial route from Internet, and aggregated with
> REN prefixes, we have at least 30k prefixes.
>
> We would like to upgrade our router to accommodate:
> - new STM-1 link (physical connector is not STM1 port, but it is
> converted to Gigeth by our telco)
> - at least 4 1000BaseT port
> - firewall feature (packet filter and inspection) would be nice
> - IPv6 multicast and MPLS feature
> - can keep up the load at least for 5 years
> - budget around $35k
>
> I have done some research, and our choice could come to:
> - Cisco 7603 with Sup32. I think this is the cheapest solution with 8
> port gigabit ethernet, but I don't know whether it could handle the
> load. I also see it as integrated packet inspection with PISA
> daughterboard, but I don't have any experience with that. The
> supervisor is a bit old compared to ASR1000.
> - Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet
> inspection, but I don't know whether it can suit the budget.
> - Juniper M7i with 2 x 1Gbps SFP port. It has better OS (but I haven't
> compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit
> ports, and separate AS module can cost you too much. I don't know
> whether it suits the budget.
> - Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had
> experience with this box, but the specs look promising, and maybe it
> suits the budget.
>
> I would like your suggestion about my plan above, perhaps I can come
> out with better plan.
>
> Thank you,
> Regards,
>
> -affan
>

From eng_mssk at hotmail.com Tue Nov 11 07:31:28 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 14:31:28 +0200
Subject: [c-nsp] PPPoE over VRF
Message-ID:

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance and transporting the traffic to them via ethernet.
how can i get the sessions to be inserted into the VRF correctly

From chloekcy2000 at yahoo.ca Tue Nov 11 07:57:46 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Tue, 11 Nov 2008 07:57:46 -0500 (EST)
Subject: [c-nsp] not understand some command
Message-ID: <802016.76480.qm@web57416.mail.re1.yahoo.com>

Hi

I am in new cisco

I don't understand the difference between ip classless and ip classful

and why don't need those commands

no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1

and

What is ip proxy-arp?
why don't need it?

Thank you
From eng_mssk at hotmail.com Tue Nov 11 08:15:19 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 15:15:19 +0200
Subject: [c-nsp] not understand some command
In-Reply-To: <802016.76480.qm@web57416.mail.re1.yahoo.com>
References: <802016.76480.qm@web57416.mail.re1.yahoo.com>
Message-ID:

ip classless
This command allows the software to forward packets that are destined for unrecognized subnets of directly connected networks. The packets are forwarded to the best supernet route.

ip proxy-arp
Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

network-clock-participate
To allow the ports on a specified network module or voice/WAN interface card (VWIC) to use the network clock for timing, use the network-clock-participate command in global configuration mode. To restrict the device to use only its own clock signals, use the no form of this command.

> Date: Tue, 11 Nov 2008 07:57:46 -0500
> From: chloekcy2000 at yahoo.ca
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] not understand some command
>
> Hi
>
> I am in new cisco
>
> I don't understand the difference between ip classless and ip classful
>
> and why don't need those commands
>
> no network-clock-participate slot 1
> no network-clock-participate slot 2
> no network-clock-participate wic 0
> no network-clock-participate wic 1
> no network-clock-participate wic 2
> no network-clock-participate aim 0
> no network-clock-participate aim 1
>
> and
>
> What is ip proxy-arp?
> why don't need it?
>
> Thank you
>
From jmenendez at mecon.gov.ar Tue Nov 11 09:49:41 2008
From: jmenendez at mecon.gov.ar (Juan Angel Menendez)
Date: Tue, 11 Nov 2008 11:49:41 -0300
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
Message-ID: <200811111449.mABEnfOu030925@racing2.mecon.ar>

Hello list,

We're interested in the Nexus 7000 platform but we're wondering if fiber 1GBit linecard is going to be available anytime soon?

Thanks in advance.

Regards
Juan

From lowen at pari.edu Tue Nov 11 09:09:31 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 11 Nov 2008 09:09:31 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <091101c9434e$17309620$4591c260$@net>
References: <091101c9434e$17309620$4591c260$@net>
Message-ID: <200811110909.31890.lowen@pari.edu>

On Monday 10 November 2008 11:05:03 Gregory Boehnlein wrote:
> Hello,
> Over the weekend, we updated one of our 7513s from 12.2.25S12 to the
> 12.2.25S15. The driver behind this was service policies used for LLQ
> dropping from interfaces, causing all sorts of havoc w/ our voice
> prioritization. The thought was that moving to the more current issue would
> address this. It did not.

Isn't 12.2(25)S really really not recommended on 7500? I seem to remember several exchanges where this was mentioned by cisco people here.
From rshughes at gmail.com Tue Nov 11 09:12:55 2008
From: rshughes at gmail.com (Ryan Hughes)
Date: Tue, 11 Nov 2008 09:12:55 -0500
Subject: [c-nsp] 6500-sup-stdby
In-Reply-To: <491942C9.6020505@bytemark.co.uk>
References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> <491942C9.6020505@bytemark.co.uk>
Message-ID:

Check to make sure the exact same image is on the bootflash of both supervisors. I've seen it where the primary sup boots up and when it tries to boot the second, the image is not available and it will sit in rommon. The boot variable from the primary is passed to the second and if it can't find the exact same image file, it will not boot.

On Tue, Nov 11, 2008 at 3:31 AM, Peter Taphouse wrote:
> ambedkar wrote:
> >
> > Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2
> > is standby. The problem is sup2 is not booting automatically when the
> > system is switched ON. it is going to rommon mode, where we have to
> > type boot command so that it will boot. after booting, boot variable
> > is missing. if we set the boot variable,it will show the boot variable
> > but it is temporary.
> >
> > Again we switched OFF and ON, The same situation is there. i tried
> > lot, please help me. some details are here...
>
> I had that on a sup720 once, it turned out that the onboard battery was
> dead.
>
> --
> Peter Taphouse
>
> Bytemark Hosting
> http://www.bytemark-hosting.co.uk
> tel.
> +44 (0) 845 004 3 004
>

From damin at nacs.net Tue Nov 11 09:24:33 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Tue, 11 Nov 2008 09:24:33 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <200811110909.31890.lowen@pari.edu>
References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu>
Message-ID: <0bff01c94409$37b67a70$a7236f50$@net>

> Isn't 12.2(25)S really really not recommended on 7500? I seem to
> remember several exchanges where this was mentioned by cisco people here.

I'm going to look through the list archives and see if I can find those references. Everything that I've seen revolves around earlier iterations of the code, not the S15 release that has been out for a year.

I'm happy to consider upgrading to a different IOS version.. just looking for recommendations on what I should be looking at for a 7515 w/ Dual RSP 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..

From jlewis at lewis.org Tue Nov 11 09:37:21 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 11 Nov 2008 09:37:21 -0500 (EST)
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net>
References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net>
Message-ID:

On Tue, 11 Nov 2008, Gregory Boehnlein wrote:

>> Isn't 12.2(25)S really really not recommended on 7500? I seem to
>> remember several exchanges where this was mentioned by cisco people here.
>
> I'm going to look through the list archives and see if I can find those
> references. Everything that I've seen revolves around earlier iterations of
> the code, not the S15 release that has been out for a year.
>
> I'm happy to consider upgrading to a different IOS version.. just looking
> for recommendations on what I should be looking at for a 7515 w/ Dual RSP
> 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..

My recommendation would be whatever number of 7206's are necessary to handle the interfaces you're running on those 5 VIPs :)

I used to run somewhat earlier 12.2S on a couple of dual-RSP4 7500s, and they weren't quite stable (periodic dCEF bugs). IIRC, the cisco guys on-list used to recommend sticking with 12.0S on the 7500.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From pshuleski at gmail.com Tue Nov 11 10:14:41 2008
From: pshuleski at gmail.com (Pete S.)
Date: Tue, 11 Nov 2008 10:14:41 -0500
Subject: [c-nsp] 6500-sup-stdby
In-Reply-To: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com>
References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com>
Message-ID: <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com>

Also, make sure the flash was formatted by the chassis it's currently in. There was an issue where, if formatted in another chassis, the flash could be read, but not booted from, resulting in a boot to rommon where you have to manually enter the boot command.

--Pete

On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote:
>
> Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2
> is standby. The problem is sup2 is not booting automatically when the
> system is switched ON. it is going to rommon mode, where we have to
> type boot command so that it will boot. after booting, boot variable
> is missing. if we set the boot variable,it will show the boot variable
> but it is temporary.
>
> Again we switched OFF and ON, The same situation is there. i tried
> lot, please help me. some details are here...
>
> Before sup2:
>
> CAT_1> (enable) sh mod
> Mod Slot Ports Module-Type               Model               Sub Status
> --- ---- ----- ------------------------- ------------------- --- --------
> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>
>
> After sup2:
>
> CAT_1> (enable) sh mod
> Mod Slot Ports Module-Type               Model               Sub Status
> --- ---- ----- ------------------------- ------------------- --- --------
> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>
>
> bye.
>

From lowen at pari.edu Tue Nov 11 10:19:39 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 11 Nov 2008 10:19:39 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net>
References: <091101c9434e$17309620$4591c260$@net>
Message-ID: <200811111019.39463.lowen@pari.edu>

On Tuesday 11 November 2008 09:24:33 Gregory Boehnlein wrote:
> I'm going to look through the list archives and see if I can find those
> references. Everything that I've seen revolves around earlier iterations of
> the code, not the S15 release that has been out for a year.

Hmm, is there a better search for the archives than using Marc.info or similar?

> I'm happy to consider upgrading to a different IOS version..
> just looking
> for recommendations on what I should be looking at for a 7515 w/ Dual RSP
> 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..

See http://marc.info/?l=cisco-nsp&m=113154141708694&w=2 for Rodney's take on it a while back.

Recent releases of 12.0S support SSO HA. Whether they support the other features you need, I don't know, and I don't particularly trust Feature Navigator for 12.xS releases (especially since some of the latest releases, at least when I checked a while back, don't even show up in FN).

From petelists at templin.org Tue Nov 11 10:33:15 2008
From: petelists at templin.org (Pete Templin)
Date: Tue, 11 Nov 2008 09:33:15 -0600
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net>
References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net>
Message-ID: <4919A5BB.3080405@templin.org>

Gregory Boehnlein wrote:
>> Isn't 12.2(25)S really really not recommended on 7500? I seem to
>> remember several exchanges where this was mentioned by cisco people here.
>
> I'm going to look through the list archives and see if I can find those
> references. Everything that I've seen revolves around earlier iterations of
> the code, not the S15 release that has been out for a year.
>
> I'm happy to consider upgrading to a different IOS version.. just looking
> for recommendations on what I should be looking at for a 7515 w/ Dual RSP
> 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..

I've been very happy with 12.0(27)S5 for MLPPP, LLQ, OSPF, BGP, MPLS. VLANs could be an issue - we had problems with subinterfaces not being fully CEF-switched in earlier 12.0(27)S releases and abandoned that configuration. SSO is quite good. It'd be 100% stable if it weren't for VIP2-50s having memory issues and bombing out occasionally, but that's not a code issue.
Lucky guess, the first two routers I checked have uptimes of 2y13w.

I've been somewhat happy with 12.0(32)S[7,8,10] for "simple" core routing. MPLS Traffic Engineering is garbage, at least when talking to GSRs, and we've now officially abandoned MPLS TE on 7507s entirely.

That said, I like Jon Lewis' suggestion to switch to enough 7206s to carry the PAs you're using. Single forwarding engine on a clean, very well baked architecture means simple and reliable. We're moving to 7206s for CT3 aggregation, GSRs for DS3 and OCx, and 6500/7600/Sup720-3BXL for Ethernet.

pt

From lowen at pari.edu Tue Nov 11 11:10:02 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 11 Nov 2008 11:10:02 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <200811111019.39463.lowen@pari.edu>
References: <091101c9434e$17309620$4591c260$@net>
Message-ID: <200811111110.02440.lowen@pari.edu>

On Tuesday 11 November 2008 10:19:39 Lamar Owen wrote:
> See http://marc.info/?l=cisco-nsp&m=113154141708694&w=2 for Rodney's take
> on it a while back.

Also see
http://marc.info/?l=cisco-nsp&m=116645064330255&w=2
and
http://marc.info/?l=cisco-nsp&m=113340513407711&w=2
and
http://marc.info/?l=cisco-nsp&m=113145616327633&w=2

In essence: plain 12.2S isn't recommended (on any platform, unless I'm misunderstanding things, not just 7500); 12.2SB and others (SX, SR, etc) perhaps.

From justin at justinshore.com Tue Nov 11 11:18:25 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 11 Nov 2008 10:18:25 -0600
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <4918716A.8030502@imperial.ac.uk>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> <4918716A.8030502@imperial.ac.uk>
Message-ID: <4919B051.3080803@justinshore.com>

Phil Mayers wrote:
> I can certainly state from experience that SXF BFD is highly unreliable
> with short timers (making it more or less useless).
I have a particular 2821 dual-homed to 2 7600s that has a BFD event 6-8 times a day. I can't correlate it to high CPU on either side or a noticeable increase in traffic. The settings were 50/50x3. I raised them to 50/500x3 yesterday and haven't seen any more hiccups.

> Does SRB support BFD on SVIs?

SRB and SRB1 both support BFD on SVIs. My understanding is that anything later removes that working feature. (see past posts about it from Gert and myself... :-( ). Email your account team weekly if you want to ever see that feature again.

Justin

From drew.weaver at thenap.com Tue Nov 11 11:34:46 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Tue, 11 Nov 2008 11:34:46 -0500
Subject: [c-nsp] Best practices/security feature mix for host ports
Message-ID:

Hello,

I have been recently doing some random research on mixes of security features (Well, not specifically security features, I suppose) but I guess port configurations. Such as setting the switchport type to host, enabling bpdufilter/bpduguard, loopguard, storm-control, etc.

Does anyone have any anecdotal tales about what has worked for you, what hasn't worked for you, etc. (this is for the access layer, where hosts are connecting to switches but we don't necessarily have control over what these hosts do.)

Any thoughts would be great.

-Drew

From nicotine at warningg.com Tue Nov 11 11:11:28 2008
From: nicotine at warningg.com (Brandon Ewing)
Date: Tue, 11 Nov 2008 10:11:28 -0600
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <200811111019.39463.lowen@pari.edu>
References: <0bff01c94409$37b67a70$a7236f50$@net> <200811111019.39463.lowen@pari.edu>
Message-ID: <20081111161128.GG31816@biological.warningg.com>

On Tue, Nov 11, 2008 at 10:19:39AM -0500, Lamar Owen wrote:
> On Tuesday 11 November 2008 09:24:33 Gregory Boehnlein wrote:
> > I'm going to look through the list archives and see if I can find those
> > references.
> > Everything that I've seen revolves around earlier iterations of
> > the code, not the S15 release that has been out for a year.
>
> Hmm, is there a better search for the archives than using Marc.info or
> similar?

Markmail (www.markmail.org) is a recent addition to mailing list archiving that recently started archiving puck.nether.net's lists, nanog-l, and a large number of other technical lists. It supports a very google-like search syntax, allowing one to specify searching specific groups of lists, searching for patch attachments, etc.

I'm still waffling between primarily using it, or pointing google.com at a pipermail archive of a list, to find specific information from mailing lists.

--
Brandon Ewing (nicotine at warningg.com)

From berni at birkenwald.de Tue Nov 11 12:04:32 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Tue, 11 Nov 2008 17:04:32 +0000 (UTC)
Subject: [c-nsp] 2821 voice configuration
Message-ID:

Hello everyone,

we want to use a Cisco 2821 as SIP-PSTN media gateway and PRI switch for a slow migration from an old PBX to a VoIP PBX (Asterisk)

       | E1 carrier
+------+-------+
| Cisco 2821   +---- IP/SIP to Asterisk
+------+-------+
       | E1 old PBX

Required key feature is forwarding of calls between all three legs, especially transparent E1-E1 (using dial-peer statements). We have this setup running for more than three years on AS5350XM with a lot more E1 lines so I'm pretty sure how to configure that, but I have never done this with 2800 series and I don't want to buy anything we can't use afterwards.

We want to use

CISCO2821-V/K9   2821 Voice Bundle,PVDM2-32,SP Serv,64F/256D
VWIC-2MFT-E1     2-Port RJ-48 Multiflex Trunk - E1
PVDM2-32         32-Channel Packet Voice/Fax DSP Module

can anyone see any reason why this might not work?
Thanks,
Bernhard

From mrz at velvet.org Tue Nov 11 12:05:56 2008
From: mrz at velvet.org (matthew zeier)
Date: Tue, 11 Nov 2008 09:05:56 -0800
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh
Message-ID: <4919BB74.2070102@velvet.org>

My standby FWSM all of a sudden stopped accepting inbound ssh (so says RANCID, which is now complaining incessantly). Short of a reboot, is there a quick fix for this?

From vijay.ramcharan at verizonbusiness.com Tue Nov 11 12:33:09 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Tue, 11 Nov 2008 17:33:09 +0000
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh
In-Reply-To: <4919BB74.2070102@velvet.org>
References: <4919BB74.2070102@velvet.org>
Message-ID:

I believe we have run into a similar issue in the past. I think it was something to do with the FWSM not releasing prior sessions and eventually being unable to support additional mgmt sessions. I think the bug is CSCsd67334. At least that's what it looks like from what I remember. I do remember that the FWSM had to be reloaded to clear the sessions.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier
Sent: November 11, 2008 12:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh

My standby FWSM all of a sudden stopped accepting inbound ssh (so says RANCID, which is now complaining incessantly). Short of a reboot, is there a quick fix for this?
From rodunn at cisco.com Tue Nov 11 13:35:35 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 11 Nov 2008 13:35:35 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <4919A5BB.3080405@templin.org>
References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net> <4919A5BB.3080405@templin.org>
Message-ID: <20081111183535.GL19607@rtp-cse-489.cisco.com>

The two games in town for 75xx will be:

12.0(32)S(x) rebuild -- more HA features
12.4(latest) mainline until full EoS for the platform.

I wouldn't recommend any other train at this point for the platform even if the code is available.

Rodney

On Tue, Nov 11, 2008 at 09:33:15AM -0600, Pete Templin wrote:
> Gregory Boehnlein wrote:
> >>Isn't 12.2(25)S really really not recommended on 7500? I seem to
> >>remember several exchanges where this was mentioned by cisco people here.
> >
> >I'm going to look through the list archives and see if I can find those
> >references. Everything that I've seen revolves around earlier iterations of
> >the code, not the S15 release that has been out for a year.
> >
> >I'm happy to consider upgrading to a different IOS version.. just looking
> >for recommendations on what I should be looking at for a 7515 w/ Dual RSP
> >4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..
>
> I've been very happy with 12.0(27)S5 for MLPPP, LLQ, OSPF, BGP, MPLS.
> VLANs could be an issue - we had problems with subinterfaces not being
> fully CEF-switched in earlier 12.0(27)S releases and abandoned that
> configuration. SSO is quite good. It'd be 100% stable if it weren't
> for VIP2-50s having memory issues and bombing out occasionally, but
> that's not a code issue.
> Lucky guess, the first two routers I checked
> have uptimes of 2y13w.
>
> I've been somewhat happy with 12.0(32)S[7,8,10] for "simple" core
> routing. MPLS Traffic Engineering is garbage, at least when talking to
> GSRs, and we've now officially abandoned MPLS TE on 7507s entirely.
>
> That said, I like Jon Lewis' suggestion to switch to enough 7206s to
> carry the PAs you're using. Single forwarding engine on a clean, very
> well baked architecture means simple and reliable. We're moving to
> 7206s for CT3 aggregation, GSRs for DS3 and OCx, and
> 6500/7600/Sup720-3BXL for Ethernet.
>
> pt
>

From guru6111 at gmail.com Tue Nov 11 13:46:39 2008
From: guru6111 at gmail.com (Atif Sid)
Date: Tue, 11 Nov 2008 13:46:39 -0500
Subject: [c-nsp] ISIS / NSF IOS XR
Message-ID: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>

I configured NSF under ISIS initially then removed it. Still shows NSF 'YES'; anyone seen this? restarted ISIS process, cleared it nothing

This is IOS XR 3.6.1 and 3.6.0 both same condition.

RP/0/9/CPU0:P1#sh isis adjacency
IS-IS NP Level-2 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF      BFD
P2             Gi0/1/1/8        *PtoP*         Up    27   01:31:58 Yes      None
PE1            Gi0/1/1/0        *PtoP*         Up    29   01:32:04 Yes      None
PE1            Gi0/1/1/1        *PtoP*         Up    26   01:31:59 Yes      None
P3             PO0/0/0/0        *PtoP*         Up    29   01:32:00 Yes      None

router isis NP
 set-overload-bit on-startup 300
 is-type level-2-only
 net 49.0001.1921.1813.6001.00
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/1/1/0
  point-to-point
  hello-password keychain NP-ISIS
  address-family ipv4 unicast
   metric 10
  !
 !
interface GigabitEthernet0/1/1/1 point-to-point hello-password keychain NP-ISIS address-family ipv4 unicast metric 10 ! ! interface GigabitEthernet0/1/1/8 point-to-point hello-password keychain NP-ISIS address-family ipv4 unicast metric 10 mpls ldp sync ! ! interface POS0/0/0/0 hello-password keychain NP-ISIS address-family ipv4 unicast metric 100 ! ! ! From guru6111 at gmail.com Tue Nov 11 13:58:52 2008 From: guru6111 at gmail.com (Atif Sid) Date: Tue, 11 Nov 2008 13:58:52 -0500 Subject: [c-nsp] HA / SSO - IOS XR 3.6.1 Message-ID: <766b203d0811111058j1254feb8n773ad3f34c9ccb0d@mail.gmail.com> Q. SSO on GSR IOS XR is default? I have *not configured* LDP GR, NSF IETF on my IOS XR router; when RP failover occurs it does not see any packet loss; puzzled. LAB : PE1 (7606) --> P1 (GSR XR) --> P2 --> (GSR XR) --> PE3 (7606) PE1#sh mpls ld graceful-restart LDP Graceful Restart is disabled Neighbor Liveness Timer: 120 seconds Max Recovery Time: 120 seconds Forwarding State Holding Time: 600 seconds I reloaded the RP on P1; traffic goes through no packet loss. good but how? RP/0/9/CPU0:P1#sh mpls ldp graceful-restart RP/0/9/CPU0:P1# RP/0/8/CPU0:P2#sh mpls ldp graceful-restart RP/0/8/CPU0:P2# RP/0/9/CPU0:P1#sh mpls ldp neighbor br Peer GR Up Time Discovery Address ----------------- -- --------------- --------- ------- 10.10.136.128:0 N 02:21:26 3 10 10.10.136.2:0 N 02:21:04 2 6 10.10.136.3:0 N 02:21:00 2 9 RP/0/9/CPU0:P1# RP/0/9/CPU0:P1#sh isis neighbors IS-IS NRP neighbors: System Id Interface SNPA State Holdtime Type IETF-NSF P2 Gi0/1/1/8 *PtoP* Up 25 L2 Capable PE1 Gi0/1/1/0 *PtoP* Up 24 L2 Capable PE1 Gi0/1/1/1 *PtoP* Up 27 L2 Capable P3 PO0/0/0/0 *PtoP* Up 25 L2 Capable PE1#ping Protocol [ip]: Target IP address: pe3 Repeat count [5]: 50000 Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. 
Sending 50000, 100-byte ICMP Echos to 10.10.136.130, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (50000/50000), round-trip min/avg/max = 1/1/92 ms

From tkacprzynski at SpencerStuart.com Tue Nov 11 16:29:23 2008
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Tue, 11 Nov 2008 15:29:23 -0600
Subject: [c-nsp] RPSL Popularity and Usage
Message-ID:

Hello

Just wanted to ask how much is Internet Routing Registry used with RPSL currently on the Internet? Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use?

Thank you for your input.

Tom

From paul at paulstewart.org Tue Nov 11 16:38:36 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 11 Nov 2008 16:38:36 -0500
Subject: [c-nsp] RPSL Popularity and Usage
In-Reply-To:
References:
Message-ID: <00a901c94445$da9ca160$8fd5e420$@org>

We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against its data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com
Sent: November 11, 2008 4:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] RPSL Popularity and Usage

Hello

Just wanted to ask how much is Internet Routing Registry used with RPSL currently on the Internet? Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use?

Thank you for your input.

Tom

From tkacprzynski at SpencerStuart.com Tue Nov 11 16:41:53 2008
From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com)
Date: Tue, 11 Nov 2008 15:41:53 -0600
Subject: [c-nsp] RPSL Popularity and Usage
In-Reply-To: <00a901c94445$da9ca160$8fd5e420$@org>
Message-ID:

What are your thoughts on how much routing detail to put in there in terms of security?

Thanks
Tom

-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org]
Sent: Tuesday, November 11, 2008 3:39 PM
To: Kacprzynski, Tomasz; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] RPSL Popularity and Usage

We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against its data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com
Sent: November 11, 2008 4:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] RPSL Popularity and Usage

Hello

Just wanted to ask how much is Internet Routing Registry used with RPSL currently on the Internet? Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use?

Thank you for your input.

Tom

From paul at paulstewart.org Tue Nov 11 16:49:39 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 11 Nov 2008 16:49:39 -0500
Subject: [c-nsp] RPSL Popularity and Usage
In-Reply-To:
References: <00a901c94445$da9ca160$8fd5e420$@org>
Message-ID: <00aa01c94447$65d53c50$317fb4f0$@org>

Anything that someone with a bit of BGP knowledge can figure out would be ok to include - does that answer your actual question? ;)

We're a service provider so anything you can find out about us with RADB would be the same (if not less) than you can figure out from us with some BGP tables...

-----Original Message-----
From: tkacprzynski at SpencerStuart.com [mailto:tkacprzynski at SpencerStuart.com]
Sent: November 11, 2008 4:42 PM
To: paul at paulstewart.org; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] RPSL Popularity and Usage

What are your thoughts on how much routing detail to put in there in terms of security?

Thanks
Tom

-----Original Message-----
From: Paul Stewart [mailto:paul at paulstewart.org]
Sent: Tuesday, November 11, 2008 3:39 PM
To: Kacprzynski, Tomasz; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] RPSL Popularity and Usage

We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against its data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion...

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com
Sent: November 11, 2008 4:29 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] RPSL Popularity and Usage

Hello

Just wanted to ask how much is Internet Routing Registry used with RPSL currently on the Internet?
Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use?

Thank you for your input.

Tom

From andy.saykao at staff.netspace.net.au Tue Nov 11 16:51:00 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Wed, 12 Nov 2008 08:51:00 +1100
Subject: [c-nsp] PPPoE over VRF
Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654A34@vic-cr-ex1.staff.netspace.net.au>

We use Radius to place the PPPoX connection into the appropriate VRF. Your Radius config will look something similar to this.

mplstest Password = "network"
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-Address = A.B.C.D,
        Framed-Netmask = 255.255.255.255,
        cisco-avpair="ip:vrf-id=NSTEST",
        cisco-avpair="ip:ip-unnumbered=lo100",
        cisco-avpair="ip:route=vrf NSTEST 192.168.1.0 255.255.255.0 203.17.103.50"

Here I've set up Radius to accept the username of mplstest and place it into the VRF of NSTEST.

Cheers.

Andy

-----Original Message-----
Date: Tue, 11 Nov 2008 14:31:28 +0200
From: Mohammad Khalil eng_mssk at hotmail.com
Subject: [c-nsp] PPPoE over VRF
To: cisco-nsp at puck.nether.net
Message-ID: BLU102-W58CAA1995B956EA0F08292FA150 at phx.gbl
Content-Type: text/plain; charset="windows-1256"

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance and transporting the traffic to them via ethernet. How can I get the sessions to be inserted into the VRF correctly?

From charlieb at cot.net Tue Nov 11 17:16:05 2008
From: charlieb at cot.net (Charles Boening)
Date: Tue, 11 Nov 2008 14:16:05 -0800
Subject: [c-nsp] PPPoE over VRF
In-Reply-To: text/plain; charset=utf-8
References:
Message-ID: <4FB2938B89459C41860C4DB9B1821D6FAC0BB5720B@exchange.calore.local>

Could use the virtual template for your PPPoE connections.

interface Virtual-Template1
 ip vrf forwarding vrf_pppoe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, November 11, 2008 4:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPoE over VRF

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance and transporting the traffic to them via ethernet. How can I get the sessions to be inserted into the VRF correctly?

From justin at justinshore.com Tue Nov 11 17:42:03 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 11 Nov 2008 16:42:03 -0600
Subject: [c-nsp] ASR 9000
Message-ID: <491A0A3B.3080809@justinshore.com>

Did anyone else miss an announcement for the ASR 9000 series?

http://www.cisco.com/en/US/products/ps9853/index.html

How did I miss that bad boy? Anyone have any details?

Justin

From petelists at templin.org Tue Nov 11 17:55:20 2008
From: petelists at templin.org (Pete Templin)
Date: Tue, 11 Nov 2008 16:55:20 -0600
Subject: [c-nsp] ASR 9000
In-Reply-To: <491A0A3B.3080809@justinshore.com>
References: <491A0A3B.3080809@justinshore.com>
Message-ID: <491A0D58.1090503@templin.org>

Justin Shore wrote:
> Did anyone else miss an announcement for the ASR 9000 series?
>
> http://www.cisco.com/en/US/products/ps9853/index.html
>
> How did I miss that bad boy? Anyone have any details?

Side to back airflow? Who thought that'd work well?

Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency would be nice.

Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.

However, adding CE (hundred-gig Ethernet) support on the initial datasheet is impressive, along with XE and GE. Skipping LXE is interesting though.
pt

From justin at justinshore.com Tue Nov 11 18:56:03 2008
From: justin at justinshore.com (Justin Shore)
Date: Tue, 11 Nov 2008 17:56:03 -0600
Subject: [c-nsp] (1|2)800 series hardware-based encryption
Message-ID: <491A1B93.7090402@justinshore.com>

The data sheets for the 1800 series all mention hardware-based encryption being built into the units. The 1841 mentions AIM support as well for "two to three times the performance of embedded encryption capabilities." No mention of AIM support for the 1861 but it too says hardware-based encryption. Does anyone have any performance numbers for IPSec-encrypted GRE on the 1800 series or the 800 series?

I'm looking for an inexpensive platform for originating IPSec-encrypted GRE tunnels. Throughput will be reasonably low. OSPF and EIGRP support is required. It looks like the most cost-effective solution is the 881 with the Adv IP code which replaces the 871 (same price). The 1811, 1841 and 1861 all require DRAM and flash upgrades to support their respective image that has IPSec and IGP support (Adv IP for the 1811 and Adv Sec for the 1841 and 1861). That seriously jacks up the price compared to the turnkey 881.

Any other recommendations?

Thanks
Justin

From zhassan at gmx.net Tue Nov 11 19:06:31 2008
From: zhassan at gmx.net (Zahid Hassan)
Date: Wed, 12 Nov 2008 00:06:31 -0000
Subject: [c-nsp] L2TP errors on LNS and no PPP sessions from CPE
Message-ID: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1>

Dear All,

I manage a LNS on which there are multiple L2TP tunnels. From one of the L2TP tunnels, I am not getting any PPP sessions. Unfortunately, I do not have access to the LAC.

Below is what I am seeing on the LNS and the CPE :

LNS# debug vpdn l2x-errors

Nov 11 23:51:53.998 GMT: L2TP tnl 0BE86:000041EC: Control connection authentication skipped/passed.
Nov 11 23:51:54.618 GMT: L2TP tnl 05E82:0000C4DC: Control connection authentication skipped/passed.
Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: Create session
Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: Using ICRQ FSM
Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: remote ip set to 22.7.101.23
Nov 11 23:51:54.622 GMT: L2TP _____:_____:________: local ip set to 22.7.114.212
Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC ev Session-Conn
Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC in established
Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC do Session-Conn-Est
Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: Session count now 2
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn ev CC-Up
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn in Idle
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn do CC-Up-Ignore0-1
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Session attached
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: no cookies enabled
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn ev Rx-ICRQ
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn Idle->Proc-ICRQ
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn do Rx-ICRQ
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Chose application VPDN
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: App type set to VPDN
Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: VPDN Session count now 2
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: VPDN: process AVPs
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Local AC is now UP
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Remote AC is now UP
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327:
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Shutting down session
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Result Code
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Reserved (0)
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Error Code
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: No error (0)
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Vendor Error
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: None (0)
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Optional Message
Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: "No disconnect reason given"

LNS# debug vpdn l2x-events

Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC ev Session-Conn
Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC in established
Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC do Session-Conn-Est
Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: Session count now 3
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev CC-Up
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn in Idle
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do CC-Up-Ignore0-1
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: Session attached
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: no cookies enabled
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev Rx-ICRQ
Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn Idle->Proc-ICRQ
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Rx-ICRQ
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Chose application VPDN
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: App type set to VPDN
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: VPDN Session count now 3
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: VPDN: process AVPs
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Local AC is now UP
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Remote AC is now UP
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A:
Nov 11 23:54:54.975 GMT: L2TUN APP: handle/451345shutdown app session
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Shutting down session
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Result Code
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Reserved (0)
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Error Code
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: No error (0)
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Vendor Error
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: None (0)
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Optional Message
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: "No disconnect reason given"
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A:
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev ICRQ-ERR
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn Proc-ICRQ->Idle
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Tx-CDN
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: No L2TUN socket VPDN
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Open sock 22.4.14.22:1701->22.4.1.4:1701
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev Sock-Ready
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn in Idle
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Ignore-Sock-Up
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Session down
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: 22.4.14.22:1701->22.4.1.4:1701
Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Destroying session
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC ev Session-Disc
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC in established
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC do Session-Disc-Est
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: Session count now 2
Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: VPDN Session count now 2
Nov 11 23:54:54.975 GMT: L2TP _____:_____:________: Session detached
Nov 11 23:54:54.975 GMT: L2X _____:_____:________: Destroying logical session

CPE#debug ppp authentication

*Mar 12 22:37:39.500: Vi2 CHAP: I CHALLENGE id 1 len 30 from "lon-0-dsl"
*Mar 12 22:37:39.500: Vi2 CHAP: Using hostname from interface CHAP
*Mar 12 22:37:39.500: Vi2 CHAP: Using password from interface CHAP
*Mar 12 22:37:39.500: Vi2 CHAP: O RESPONSE id 1 len 48 from "testuser at bis-internet.co.uk"
*Mar 12 22:37:39.540: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure"
*Mar 12 22:37:39.540: Vi2 LCP: I TERMREQ [Open] id 3 len 4
*Mar 12 22:37:39.544: Vi2 LCP: O TERMACK [Open] id 3 len 4
*Mar 12 22:37:39.544: Vi2 PPP: Sending Acct Event[Down] id[99C]
*Mar 12 22:37:39.548: Vi2 PPP: Phase is TERMINATING
*Mar 12 22:37:39.576: Vi2 LCP: I CONFREQ [TERMsent] id 1 len 15
*Mar 12 22:37:39.576: Vi2 LCP:    AuthProto CHAP (0x0305C22305)
*Mar 12 22:37:39.576: Vi2 LCP:    MagicNumber 0xDE87DF9D (0x0506DE87DF9D)
*Mar 12 22:37:39.580: Vi2 LCP: Dropping packet, state is TERMsent
*Mar 12 22:37:41.532: Vi2 LCP: TIMEout: State TERMsent
*Mar 12 22:37:41.532: Vi2 LCP: State is Closed
*Mar 12 22:37:41.532: Vi2 PPP: Phase is DOWN
*Mar 12 22:37:41.532: Vi2 PPP: Phase is ESTABLISHING, Passive Open
*Mar 12 22:37:41.536: Vi2 LCP: State is Listen
*Mar 12 22:37:43.544: Vi2 LCP: TIMEout: State Listen

Is it possible to tell where the problem could be? I am not even seeing the CPE session hitting the LNS.

Thanks in advance.

Regards,
Zahid

From ben.steele at internode.on.net Tue Nov 11 19:50:14 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 12 Nov 2008 11:20:14 +1030
Subject: [c-nsp] Upgrading edge router
In-Reply-To:
References: <4213440380134758766@unknownmsgid>
Message-ID: <000001c94460$a0ef5b40$e2ce11c0$@steele@internode.on.net>

Without looking at the article (don't have time right now), "flexible packet matching" and firewalling are definitely 2 different things. I'd say packet matching is referring more to something like NBAR with some additional features; remember it only says packet matching (not blocking). The latter is the full stateful firewall feature set, so if you aren't wanting it to do proper firewalling then you want that one.
As for licenses, this one is a little weird: basically adv enterprise is cheaper than adv ip even though it has all the features of adv ip. It seems to be purely based on ppl not wanting features they will never use available on an image and Cisco making them pay more for that feature. My advice is buy the cheaper adv enterprise, it will do IPv6.

-----Original Message-----
From: Affan Basalamah [mailto:affanzbasalamah at gmail.com]
Sent: Tuesday, 11 November 2008 10:25 PM
To: Ben Steele
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Upgrading edge router

Thank you for your prompt response,

I would like to know a thing about ASR1000 software components :
- It says on ASR1000 software ordering guide (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html) that there is a FPM (flexible packet matching) service license and Firewall service license. I would like to know the difference between the two licenses, since the latter costs double the former.
- What version of IOS-XE is integrated in the ASR1000 bundle? Is it IP Base or Advanced IP Services? I would like to run IPv6 on the router, so the router will need Advanced IP Services IOS.

Regards,
-affan

On Tue, Nov 11, 2008 at 6:08 PM, Ben Steele wrote:
> I'd try and go the ASR1002 option, it shouldn't be too far off your 35k
> budget without smartnet, although I'd recommend maintenance on the software
> as you will want access to TAC for bugs, also if you can option in the HA
> feature so you can get ISSU.
>
> With 5Gb of throughput, dual psu and 4Gb(SFP) int's out the box with room
> for expansion it's good bang for buck, the ASR is really aimed as the next
> generation 7200 swiss army knife, being a software based feature platform
> rather than a hardware (ie 7600/6500) it's a welcome new product and you
> should see good life out of it, it has some limitations in its current form,
> the only one that may concern you with your list that I can think of is lack
> of AToM MPLS support, but that is due out in upcoming software release.
>
> Put the quagga to rest! :)
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
> Sent: Tuesday, 11 November 2008 9:19 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Upgrading edge router
>
> Hi all,
>
> I am network admin in a university that has a UNIX PC that functions as
> core router and firewall to accommodate :
> - 2 x 45 Mb link to research education network (REN)
> - 100Mb link to local exchange point
> - 10Mb link to Internet
> Currently we accept partial route from Internet, and aggregated with
> REN prefixes, we have at least 30k prefixes.
>
> We would like to upgrade our router to accommodate :
> - new STM-1 link (physical connector is not STM1 port, but it is
> converted to Gigeth by our telco)
> - at least 4 1000BaseT port
> - firewall feature (packet filter and inspection) would be nice
> - IPv6 multicast and MPLS feature
> - can keep up the load at least for 5 years
> - budget around $35k
>
> I have done some research, and our choice could come to :
> - Cisco 7603 with Sup32. I think this is the cheapest solution with 8
> port gigabit ethernet, but I don't know whether it could handle the
> load. I also see it as integrated packet inspection with PISA
> daughterboard, but I don't have any experience with that. The
> supervisor is a bit old compared to ASR1000.
> - Cisco ASR1002 with ESP-5G.
> Newer supervisor and enhanced with packet
> inspection, but I don't know whether it can suit the budget.
> - Juniper M7i with 2 x 1Gbps SFP port. It has better OS (but I haven't
> compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit
> ports, and separate AS module can cost you too much. I don't know
> whether it suits the budget.
> - Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had
> experience with this box, but the specs look promising, and maybe it
> suits the budget.
>
> I would like your suggestion about my plan above, perhaps I can come
> out with a better plan.
>
> Thank you,
> Regards,
>
> -affan

From mtinka at globaltransit.net Tue Nov 11 21:19:46 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 12 Nov 2008 10:19:46 +0800
Subject: [c-nsp] ASR 9000
In-Reply-To: <491A0D58.1090503@templin.org>
References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org>
Message-ID: <200811121019.47368.mtinka@globaltransit.net>

On Wednesday 12 November 2008 06:55:20 Pete Templin wrote:

> Runs IOS XR, while the recent ASR 1000 series runs IOS
> XE? Consistency would be nice.

I do like the fact that Cisco are "starting" to work on more consistent releases for their service provider platforms (SR, XE, XR). I just hope XR does not suffer too much from lack of features as compared to SR, especially when used in the edge.

Cheers,

Mark.

From rubensk at gmail.com Tue Nov 11 21:21:34 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Wed, 12 Nov 2008 00:21:34 -0200
Subject: [c-nsp] ASR 9000
In-Reply-To: <491A0D58.1090503@templin.org>
References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org>
Message-ID: <6bb5f5b10811111821t4cd7c5e1k1af47235aa7b0af9@mail.gmail.com>

I think ASR is just the cool name of the moment. The new ASRs could be called CRS-0.5, CRS-0.1, Edge-CRS...

Rubens

On Tue, Nov 11, 2008 at 8:55 PM, Pete Templin wrote:
> Justin Shore wrote:
>>
>> Did anyone else miss an announcement for the ASR 9000 series?
>>
>> http://www.cisco.com/en/US/products/ps9853/index.html
>>
>> How did I miss that bad boy? Anyone have any details?
>
> Side to back airflow? Who thought that'd work well?
>
> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
> would be nice.
>
> Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.
>
> However, adding CE (hundred-gig Ethernet) support on the initial datasheet
> is impressive, along with XE and GE. Skipping LXE is interesting though.
>
> pt
>

From kgraham at industrial-marshmallow.com Tue Nov 11 21:38:53 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Tue, 11 Nov 2008 18:38:53 -0800 (PST)
Subject: [c-nsp] ASR 9000
Message-ID: <794962.71625.qm@web905.biz.mail.mud.yahoo.com>

> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
> would be nice.

...or at least call this a CRS-2 or something. I'm still crossing my fingers that there's a master plan for consistency (or alternatively, clear differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.

> Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.

Nope, 7600 already revived it (RSP720).

I don't see reference to line cards, but the photos look like ES40's, which finally gives some credibility to the 6500/7600 split (where new linecards are shared between ASR9000 and 7600).

From christian at broknrobot.com Tue Nov 11 21:44:08 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 11 Nov 2008 21:44:08 -0500
Subject: [c-nsp] RPSL Popularity and Usage
In-Reply-To:
References:
Message-ID:

http://nanog.org/meetings/nanog44/presentations/Tuesday/RAS_irrdata_N44.pdf

On Tue, Nov 11, 2008 at 4:29 PM, wrote:
> Hello
> Just wanted to ask how much is Internet Routing Registry used with RPSL
> currently on the Internet? Do a lot of providers still rely on that to
> create configurations or is that just more of a documentation process
> that doesn't get updated after the first use?
>
> Thank you for your input.
>
>
> Tom
>

From braaen at zcorum.com Tue Nov 11 23:27:01 2008
From: braaen at zcorum.com (Brian Raaen)
Date: Tue, 11 Nov 2008 23:27:01 -0500
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
Message-ID: <200811112327.01891.braaen@zcorum.com>

I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help.
----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

From ariemer at wesenergy.com.au Tue Nov 11 23:39:40 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 12 Nov 2008 13:39:40 +0900
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
In-Reply-To: <200811112327.01891.braaen@zcorum.com>
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F110646D532@MAILWA01.wesenergy.local>

Hi Brian,

You need to configure the async interface on your 1811. Take a look here
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/dialbkup.html#wp1031537

Aaron Riemer
Network Engineer

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
Sent: Wednesday, 12 November 2008 1:27 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Setting up Cisco 1811 for dial in access

I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help.

----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From dcp at dcptech.com Tue Nov 11 23:47:35 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 11 Nov 2008 23:47:35 -0500
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
In-Reply-To: <200811112327.01891.braaen@zcorum.com>
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <004401c94481$cd0c5fe0$67251fa0$@com>

Brian,
This should be a good start. It has been a long time since I did this.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Brian Raaen
> Sent: Tuesday, November 11, 2008 11:27 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Setting up Cisco 1811 for dial in access
>
> I am trying to set up a Cisco 1811 for ppp dial-in access for a client
> and am having difficulty finding configuration information. Most of the
> documentation I find is about using the router to dial out to support
> the network, but I am trying to do the opposite. I am trying to set up the
> router to provide access to the local network through a ppp dial in
> connection. Thank you for your help.
>
>
> ----------------------
>
> Brian Raaen
> Network Engineer
> braaen at zcorum.com
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From dcp at dcptech.com Tue Nov 11 23:48:24 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 11 Nov 2008 23:48:24 -0500
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <004501c94481$e6ee32d0$b4ca9870$@com>

This should help.
http://www.cisco.com/en/US/docs/ios/12_2/dial/configuration/guide/dafmodmg.html

--
http://dcp.dcptech.com

> -----Original Message-----
> From: David Prall [mailto:dcp at dcptech.com]
> Sent: Tuesday, November 11, 2008 11:48 PM
> To: 'Brian Raaen'; 'cisco-nsp at puck.nether.net'
> Subject: RE: [c-nsp] Setting up Cisco 1811 for dial in access
>
> Brian,
> This should be a good start. It has been a long time since I did this.
>
> --
> http://dcp.dcptech.com
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of Brian Raaen
> > Sent: Tuesday, November 11, 2008 11:27 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Setting up Cisco 1811 for dial in access
> >
> > I am trying to set up a Cisco 1811 for ppp dial-in access for a client
> > and am having difficulty finding configuration information. Most of the
> > documentation I find is about using the router to dial out to support
> > the network, but I am trying to do the opposite. I am trying to set up
> > the router to provide access to the local network through a ppp dial in
> > connection. Thank you for your help.
> >
> >
> > ----------------------
> >
> > Brian Raaen
> > Network Engineer
> > braaen at zcorum.com
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

From r.tahina at moov.mg Wed Nov 12 01:21:12 2008
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Wed, 12 Nov 2008 09:21:12 +0300
Subject: [c-nsp] lacp on serial
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com>
References: <7.0.1.0.2.20081111093006.0036fec0@moov.mg> <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com>
Message-ID: <7.0.1.0.2.20081112092032.0577e0c0@moov.mg>

Thank you Oliver,
Kind Regards.
At 09:51 11/11/2008, Oliver Boehmer (oboehmer) wrote: >RAZAFINDRATSIFA Rivo Tahina <> wrote on Tuesday, November 11, 2008 >07:31: > > > Dear All, > > > > I 'm looking for implementation of lacp on serial, docs only show on > > ethernet, is that possible? > >nope, you need to use multilink ppp to bundle serials on Layer 2.. > > oli From achatz at forthnet.gr Wed Nov 12 03:12:33 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 12 Nov 2008 10:12:33 +0200 Subject: [c-nsp] L2TP errors on LNS and no PPP sessions from CPE In-Reply-To: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1> References: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1> Message-ID: <491A8FF1.10606@forthnet.gr> It seems you have an authentication problem. -- Tassos Zahid Hassan wrote on 12/11/2008 02:06: > > CPE#debug ppp authentication > > *Mar 12 22:37:39.500: Vi2 CHAP: I CHALLENGE id 1 len 30 from "lon-0-dsl" > *Mar 12 22:37:39.500: Vi2 CHAP: Using hostname from interface CHAP > *Mar 12 22:37:39.500: Vi2 CHAP: Using password from interface CHAP > *Mar 12 22:37:39.500: Vi2 CHAP: O RESPONSE id 1 len 48 from > "testuser at bis-internet.co.uk" > *Mar 12 22:37:39.540: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication > failure" > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Wed Nov 12 04:27:57 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Wed, 12 Nov 2008 09:27:57 +0000 Subject: [c-nsp] ASR 9000 In-Reply-To: <491A0D58.1090503@templin.org> References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org> Message-ID: <491AA19D.6040207@imperial.ac.uk> > > Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency > would be nice. 
Ha ha IOS consistency

From zhqasmi at cyber.net.pk Wed Nov 12 05:42:40 2008
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Wed, 12 Nov 2008 15:42:40 +0500
Subject: [c-nsp] PPPoE over VRF
Message-ID: <000401c944b3$63a14d40$2ae3e7c0$@net.pk>

You can configure your radius server to push Cisco AVpair "lcp:interface-config#1=ip vrf forwarding (vrf_name)".

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, November 11, 2008 5:31 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPoE over VRF

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance and transporting the traffic to them via ethernet. How can I get the sessions to be inserted into the VRF correctly?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From frederic.loui at renater.fr Wed Nov 12 05:14:16 2008
From: frederic.loui at renater.fr (Frederic LOUI)
Date: Wed, 12 Nov 2008 11:14:16 +0100
Subject: [c-nsp] ISIS / NSF IOS XR
In-Reply-To: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>
References: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>
Message-ID: <491AAC78.3010708@renater.fr>

Hi,

What does the ISIS section of the "show ip protocols" output say? By default, NSF is disabled. It seems that the output of "show isis adjacency" displays whether the ISIS neighbors are "NSF capable or not".

IS-IS Router: ...
  Non-stop forwarding: Disabled
  Most recent startup mode: Cold Restart
  Topologies supported by IS-IS:
    IPv4 Unicast
      Level-1
        Metric style (generate/accept): Wide/Wide
        ISPF status: Disabled
      No protocols redistributed
      Distance: 115
    IPv6 Unicast
      Level-1
        ISPF status: Disabled
      No protocols redistributed
      Distance: 115
...

Maybe, just try to enable NSF and re-check the "show ip protocols" output.

Regards,
Frederic

--
Frederic LOUI / GIP RENATER
Service de Suivi Operationnel / Metrologie & QoS
Network Operations Service / Metrology & QoS
Tel: +33 1 53 94 20 82 / Fax: +33 1 53 94 20 31
frederic.loui at renater.fr http://www.renater.fr

Atif Sid wrote:
> I configured NSF under ISIS initially then removed it. Still shows NSF
> 'YES'; anyone seen this ? restarted ISIS process, cleared it nothing
>
> This is IOS XR 3.6.1 and 3.6.0 both same condition.
>
> RP/0/9/CPU0:P1#sh isis adjacency
> IS-IS NP Level-2 adjacencies:
> System Id Interface SNPA State Hold Changed NSF BFD
> P2 Gi0/1/1/8 *PtoP* Up 27 01:31:58 Yes None
> PE1 Gi0/1/1/0 *PtoP* Up 29 01:32:04 Yes None
> PE1 Gi0/1/1/1 *PtoP* Up 26 01:31:59 Yes None
> P3 PO0/0/0/0 *PtoP* Up 29 01:32:00 Yes None
>
> router isis NP
> set-overload-bit on-startup 300
> is-type level-2-only
> net 49.0001.1921.1813.6001.00
> log adjacency changes
> address-family ipv4 unicast
> metric-style wide
> !
> interface Loopback0
> passive
> address-family ipv4 unicast
> !
> !
> interface GigabitEthernet0/1/1/0
> point-to-point
> hello-password keychain NP-ISIS
> address-family ipv4 unicast
> metric 10
> !
> !
> interface GigabitEthernet0/1/1/1
> point-to-point
> hello-password keychain NP-ISIS
> address-family ipv4 unicast
> metric 10
> !
> !
> interface GigabitEthernet0/1/1/8
> point-to-point
> hello-password keychain NP-ISIS
> address-family ipv4 unicast
> metric 10
> mpls ldp sync
> !
> !
> interface POS0/0/0/0
> hello-password keychain NP-ISIS
> address-family ipv4 unicast
> metric 100
> !
> !
> !
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From willay at gmail.com Wed Nov 12 06:15:11 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:15:11 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS Message-ID: Hi List, We currently have a 3750G-E in our network which is experiencing a high CPU load and I'm trying to understand why, the CPU is over 50% all the time and at peak traffic times we are seeing around 85% on Cacti using 5 minute averages. When running a show proc cpu sorted I can see that IP Input is taking up most of the CPU time with Spanning Tree coming second however ST is only using a fraction of what IP Input is using. The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the image is IPSERVICES, the configuration has one routed port to another site (with sparse-dense-mode on), has one EIGRP process, 19 static routes, access lists which are only used for SNMP/VTY and it has two VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode enabled and a igmp join-group command. It pushes a lot of multicast traffic (around 10Mbits) which is probably the problem but I thought the 3750 would have been able to handle it without an issue. Any help is appreciated, I'd like to have a good understanding of what is causing the issue. 
Thank you for your time, W From achatz at forthnet.gr Wed Nov 12 06:34:28 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 12 Nov 2008 13:34:28 +0200 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: References: Message-ID: <491ABF44.3030508@forthnet.gr> You can start with "sh controllers cpu-interface" and "sh platform tcam utilization" -- Tassos William wrote on 12/11/2008 13:15: > Hi List, > > We currently have a 3750G-E in our network which is experiencing a > high CPU load and I'm trying to understand why, the CPU is over 50% > all the time and at peak traffic times we are seeing around 85% on > Cacti using 5 minute averages. > > When running a show proc cpu sorted I can see that IP Input is taking > up most of the CPU time with Spanning Tree coming second however ST is > only using a fraction of what IP Input is using. > > The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the > image is IPSERVICES, the configuration has one routed port to another > site (with sparse-dense-mode on), has one EIGRP process, 19 static > routes, access lists which are only used for SNMP/VTY and it has two > VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode > enabled and a igmp join-group command. It pushes a lot of multicast > traffic (around 10Mbits) which is probably the problem but I thought > the 3750 would have been able to handle it without an issue. > > Any help is appreciated, I'd like to have a good understanding of what > is causing the issue. 
> > Thank you for your time, > > W > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gulerozgur at yahoo.co.uk Wed Nov 12 06:41:18 2008 From: gulerozgur at yahoo.co.uk (Ozgur Guler) Date: Wed, 12 Nov 2008 11:41:18 +0000 (GMT) Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: Message-ID: <845941.14812.qm@web25502.mail.ukl.yahoo.com> As far as i remember ip igmp static-group forces the packets to be process switched on the switch/router. You might need to replace it with ip igmp static-group which will do the same job (put the interface permanently into OIF). --- On Wed, 12/11/08, William wrote: From: William Subject: [c-nsp] High CPU on 3750G-24-TS To: "cisco-nsp" Date: Wednesday, 12 November, 2008, 11:15 AM Hi List, We currently have a 3750G-E in our network which is experiencing a high CPU load and I'm trying to understand why, the CPU is over 50% all the time and at peak traffic times we are seeing around 85% on Cacti using 5 minute averages. When running a show proc cpu sorted I can see that IP Input is taking up most of the CPU time with Spanning Tree coming second however ST is only using a fraction of what IP Input is using. The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the image is IPSERVICES, the configuration has one routed port to another site (with sparse-dense-mode on), has one EIGRP process, 19 static routes, access lists which are only used for SNMP/VTY and it has two VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode enabled and a igmp join-group command. It pushes a lot of multicast traffic (around 10Mbits) which is probably the problem but I thought the 3750 would have been able to handle it without an issue. Any help is appreciated, I'd like to have a good understanding of what is causing the issue. 
Thank you for your time, W _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From willay at gmail.com Wed Nov 12 06:48:00 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:48:00 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: <845941.14812.qm@web25502.mail.ukl.yahoo.com> References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> Message-ID: We currently use ip igmp join-group x.x.x.x under the vlan interface. Cheers. W 2008/11/12 Ozgur Guler : > As far as i remember ip igmp static-group forces the packets to be process > switched on the switch/router. You might need to replace it with ip igmp > static-group which will do the same job (put the interface permanently into > OIF). > > > > --- On Wed, 12/11/08, William wrote: > > From: William > Subject: [c-nsp] High CPU on 3750G-24-TS > To: "cisco-nsp" > Date: Wednesday, 12 November, 2008, 11:15 AM > > Hi List, > > We currently have a 3750G-E in our network which is experiencing a > high CPU load and I'm trying to understand why, the CPU is over 50% > all the time and at peak traffic times we are seeing around 85% on > Cacti using 5 minute > averages. > > When running a show proc cpu sorted I can see that IP Input is taking > up most of the CPU time with Spanning Tree coming second however ST is > only using a fraction of what IP Input is using. > > The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the > image is IPSERVICES, the configuration has one routed port to another > site (with sparse-dense-mode on), has one EIGRP process, 19 static > routes, access lists which are only used for SNMP/VTY and it has two > VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode > enabled and a igmp join-group command. 
It pushes a lot of multicast > traffic (around 10Mbits) which is probably the problem but I thought > the 3750 would have been able to handle it without an issue. > > Any help is appreciated, I'd like to have a good understanding of what > is causing the issue. > > Thank you for your > time, > > W > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From willay at gmail.com Wed Nov 12 06:52:25 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:52:25 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: <491ABF44.3030508@forthnet.gr> References: <491ABF44.3030508@forthnet.gr> Message-ID: sh controllers cpu-interface: ASIC Rxbiterr Rxunder Fwdctfix Txbuflos Rxbufloc Rxbufdrain ------------------------------------------------------------------------- ASIC0 0 0 0 0 0 0 ASIC1 0 0 0 0 0 0 ASIC2 0 0 0 0 0 0 ASIC3 0 0 0 0 0 0 ASIC4 0 0 0 0 0 0 ASIC5 0 0 0 0 0 0 ASIC6 0 0 0 0 0 0 cpu-queue-frames retrieved dropped invalid hol-block stray ----------------- ---------- ---------- ---------- ---------- ---------- rpc 6978024 0 0 0 0 stp 75955900 0 0 0 0 ipc 757544 0 0 0 0 routing protocol 72189954 0 0 0 0 L2 protocol 206785 0 0 0 0 remote console 0 0 0 0 0 sw forwarding 757525900 0 0 0 0 host 2351100 0 0 0 0 broadcast 6883919 0 0 0 0 cbt-to-spt 3050 0 0 0 0 igmp snooping 70408141 0 0 0 0 icmp 1947383 0 0 0 0 logging 0 0 0 0 0 rpf-fail 281 0 0 0 0 queue14 0 0 0 0 0 cpu heartbeat 18351455 0 0 0 0 Supervisor ASIC receive-queue parameters ---------------------------------------- queue 0 maxrecevsize 7E0 pakhead 23C49A0 paktail 23B28E0 queue 1 maxrecevsize 7E0 pakhead 257E620 paktail 257C550 queue 2 maxrecevsize 7E0 pakhead 24432E8 paktail 2442C58 queue 3 maxrecevsize 7E0 pakhead 2955418 paktail 294FEC8 queue 4 maxrecevsize 7E0 pakhead 2588838 paktail 25884F0 queue 5 maxrecevsize 7E0 pakhead 2873240 
paktail 28800F8 queue 6 maxrecevsize 7E0 pakhead 293E000 paktail 2944270 queue 7 maxrecevsize 7E0 pakhead 28ADC08 paktail 2898038 queue 8 maxrecevsize 7E0 pakhead 28B6A70 paktail 28B6098 queue 9 maxrecevsize 7E0 pakhead 275E410 paktail 275E410 queue A maxrecevsize 7E0 pakhead 2729DF0 paktail 272D270 queue B maxrecevsize 7E0 pakhead 28871D8 paktail 2889C80 queue C maxrecevsize 7E0 pakhead 2765818 paktail 2778FD0 queue D maxrecevsize 7E0 pakhead 275C538 paktail 275C1F0 queue E maxrecevsize 0 pakhead 0 paktail 0 queue F maxrecevsize 7E0 pakhead 2721B78 paktail 2721830 Supervisor ASIC exception status -------------------------------- Receive overrun 00000000 Transmit overrun 00000000 FrameSignatureErr 00000000 MicInitialize 00000000 BadFrameErr 00000000 LenExceededErr 00000000 BadJumboSegments 00000000 Supervisor ASIC Mic Registers ------------------------------ MicDirectPollInfo 80000800 MicIndicationsReceived 00000000 MicInterruptsReceived 00000000 MicPcsInfo 0006001F MicPlbMasterConfiguration 00000000 MicRxFifosAvailable 00000000 MicRxFifosReady 0000BFFF MicTimeOutPeriod: FrameTOPeriod: 00000EA6 DirectTOPeriod: 00004000 MicTransmFramesCopied 00000003 MicTxFifosAvailable 0000007F MicConfiguration: Conf flag: 00000110 Interrupt Flag: 0000000A MicReceiveFifoAssignmen Queue 0 - 7: 00000000 Queue 8 - 15:00000000 MicReceiveFramesReady: FrameAvailable: 00000041 frameAvaiMask: 00000000 MicException: Exception_flag 00000000 Message-1 00000000 Message-2 00000000 Message-3 00000000 MicIntRxFifo: ReadPtr 00000E98 WritePtr 00000E98 WHeadPtr 00000E98 TxFifoDepth C0000800 MicIntTxFifo: ReadPtr 00000AF0 WritePtr 00000AF0 WHeadPtr 00000AF0 TxFifoDepth C0000800 MicDecodeInfo: Fifo0: address: 03FF4000 asic_num: 00000100 Fifo1: address: 03FF4400 asic_num: 00000101 MicTransmitFifoInfo: Fifo0: StartPtrs: 07758000 ReadPtr: 077587C0 WritePtrs: 077587C0 Fifo_Flag: 8A800800 Weights: 001E001E Fifo1: StartPtrs: 0776A800 ReadPtr: 0776A930 WritePtrs: 0776A930 Fifo_Flag: 89800400 Weights: 
000A000A MicReceiveFifoInfo: Fifo0: StartPtr: 0776C000 ReadPtr: 0776CEE0 WritePtrs: 0776CF40 Fifo_Flag: 8B000FA0 writeHeaderPtr: 0776CF40 Fifo1: StartPtr: 07A2CC00 ReadPtr: 07A2CDF8 WritePtrs: 07A2CDF8 Fifo_Flag: 89800400 writeHeaderPtr: 07A2CDF8 Fifo2: StartPtr: 0776DA00 ReadPtr: 0776DB40 WritePtrs: 0776DB40 Fifo_Flag: 88800200 writeHeaderPtr: 0776DB40 Fifo3: StartPtr: 07C46000 ReadPtr: 07C46010 WritePtrs: 07C46010 Fifo_Flag: 89800400 writeHeaderPtr: 07C46010 Fifo4: StartPtr: 07A77000 ReadPtr: 07A77208 WritePtrs: 07A77208 Fifo_Flag: 89800400 writeHeaderPtr: 07A77208 Fifo5: StartPtr: 07B2BA00 ReadPtr: 07B2BA00 WritePtrs: 07B2BA00 Fifo_Flag: 88800200 writeHeaderPtr: 07B2BA00 Fifo6: StartPtr: 07BFE000 ReadPtr: 07BFE040 WritePtrs: 07BFE080 Fifo_Flag: 890003C0 writeHeaderPtr: 07BFE080 Fifo7: StartPtr: 07B6C800 ReadPtr: 07B6CBE0 WritePtrs: 07B6CBE0 Fifo_Flag: 89800400 writeHeaderPtr: 07B6CBE0 Fifo8: StartPtr: 07BD7A00 ReadPtr: 07BD7A78 WritePtrs: 07BD7A78 Fifo_Flag: 88800200 writeHeaderPtr: 07BD7A78 Fifo9: StartPtr: 07758838 ReadPtr: 07758838 WritePtrs: 07758838 Fifo_Flag: 82800008 writeHeaderPtr: 07758838 Fifo10: StartPtr: 07AC3600 ReadPtr: 07AC3668 WritePtrs: 07AC3668 Fifo_Flag: 88800200 writeHeaderPtr: 07AC3668 Fifo11: StartPtr: 07B2B880 ReadPtr: 07B2B8B8 WritePtrs: 07B2B8B8 Fifo_Flag: 86800080 writeHeaderPtr: 07B2B8B8 Fifo12: StartPtr: 07AF3000 ReadPtr: 07AF3300 WritePtrs: 07AF3000 Fifo_Flag: 89000100 writeHeaderPtr: 07AF3000 Fifo13: StartPtr: 07757E00 ReadPtr: 07757E48 WritePtrs: 07757E48 Fifo_Flag: 86800080 writeHeaderPtr: 07757E48 Fifo14: StartPtr: 00000000 ReadPtr: 00000000 WritePtrs: 00000000 Fifo_Flag: 00800000 writeHeaderPtr: 00000000 Fifo15: StartPtr: 0776D960 ReadPtr: 0776D978 WritePtrs: 0776D978 Fifo_Flag: 84800020 writeHeaderPtr: 0776D978 =========================================================== Complete Board Id:0x0002 =========================================================== Theres no sh platform tcam utili but there is a usage instead: sh platform 
tcam usage ============================================================================= TCAM Table TCAM / SSRAM Table TCAM SSRAM Start Size X Start Size Y ============================================================================= Local Forwarding Table: 0 1D00 1 0 1D00 4 Local Learning Table: 0 1D00 1 7400 1D00 2 Secondary Forwarding Table: 1880 D00 1 AE00 D00 8 QoS Table: 2580 1000 1 11600 1000 4 ACL Table: 3580 2000 1 15600 2000 4 IPV6 Secondary Forwarding Tabl 7E40 C0 2 1D600 60 8 IPV6 Classification Table: 7F00 80 2 1D900 40 4 IPV6 ACL Table: 7F80 70 2 1DA00 38 4 Station Table: 0 0 0 1DB00 1D00 4 MAC Address Table: 0 0 0 24F00 1800 8 Multicast Expansion Table: 0 0 0 30F00 420 8 VLAN List Table: 0 0 0 34000 400 10 Equal Cost Route Table: 0 0 0 33000 80 20 X - Number of 144-bit TCAM entries per descriptor Y - Number of bytes per descriptor ============================================================================= 2008/11/12 Tassos Chatzithomaoglou : > You can start with "sh controllers cpu-interface" and "sh platform tcam > utilization" > > -- > Tassos > > William wrote on 12/11/2008 13:15: >> >> Hi List, >> >> We currently have a 3750G-E in our network which is experiencing a >> high CPU load and I'm trying to understand why, the CPU is over 50% >> all the time and at peak traffic times we are seeing around 85% on >> Cacti using 5 minute averages. >> >> When running a show proc cpu sorted I can see that IP Input is taking >> up most of the CPU time with Spanning Tree coming second however ST is >> only using a fraction of what IP Input is using. >> >> The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the >> image is IPSERVICES, the configuration has one routed port to another >> site (with sparse-dense-mode on), has one EIGRP process, 19 static >> routes, access lists which are only used for SNMP/VTY and it has two >> VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode >> enabled and a igmp join-group command. 
It pushes a lot of multicast
>> traffic (around 10Mbits) which is probably the problem but I thought
>> the 3750 would have been able to handle it without an issue.
>>
>> Any help is appreciated, I'd like to have a good understanding of what
>> is causing the issue.
>>
>> Thank you for your time,
>>
>> W
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From paul.cosgrove at heanet.ie Wed Nov 12 07:17:51 2008
From: paul.cosgrove at heanet.ie (Paul Cosgrove)
Date: Wed, 12 Nov 2008 12:17:51 +0000
Subject: [c-nsp] High CPU on 3750G-24-TS
References: <845941.14812.qm@web25502.mail.ukl.yahoo.com>
Message-ID: <491AC96F.80104@heanet.ie>

Hi William,

I would agree with Ozgur that you would be better off losing the ip igmp join-group command.

Also limit the number of register messages which can be created per second; it is only needed if you have sources attached, but personally I would apply this on every L3 multicast device: "ip pim register-rate-limit 5"

Have seen a case where register stop messages were lost whilst being sent to a 3750. Debugs on the adjacent device indicated they were all being transmitted to the switch, debugs & SPAN on the 3750 indicated the switch was receiving very few of these.

Paul.

William wrote:
> We currently use ip igmp join-group x.x.x.x under the vlan interface.
>
> Cheers.
>
> W
>
> 2008/11/12 Ozgur Guler :
>
>> As far as i remember ip igmp static-group forces the packets to be process
>> switched on the switch/router. You might need to replace it with ip igmp
>> static-group which will do the same job (put the interface permanently into
>> OIF).
>> >> >> >> --- On Wed, 12/11/08, William wrote: >> >> From: William >> Subject: [c-nsp] High CPU on 3750G-24-TS >> To: "cisco-nsp" >> Date: Wednesday, 12 November, 2008, 11:15 AM >> >> Hi List, >> >> We currently have a 3750G-E in our network which is experiencing a >> high CPU load and I'm trying to understand why, the CPU is over 50% >> all the time and at peak traffic times we are seeing around 85% on >> Cacti using 5 minute >> averages. >> >> When running a show proc cpu sorted I can see that IP Input is taking >> up most of the CPU time with Spanning Tree coming second however ST is >> only using a fraction of what IP Input is using. >> >> The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the >> image is IPSERVICES, the configuration has one routed port to another >> site (with sparse-dense-mode on), has one EIGRP process, 19 static >> routes, access lists which are only used for SNMP/VTY and it has two >> VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode >> enabled and a igmp join-group command. It pushes a lot of multicast >> traffic (around 10Mbits) which is probably the problem but I thought >> the 3750 would have been able to handle it without an issue. >> >> Any help is appreciated, I'd like to have a good understanding of what >> is causing the issue. 
>> >> Thank you for your >> time, >> >> W >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From chloekcy2000 at yahoo.ca Wed Nov 12 07:57:15 2008 From: chloekcy2000 at yahoo.ca (chloe K) Date: Wed, 12 Nov 2008 07:57:15 -0500 (EST) Subject: [c-nsp] log failure logon Message-ID: <100284.92361.qm@web57409.mail.re1.yahoo.com> Hi I see there is command autheniticate failure rate but can't find my router Now. how I can log the failure logon Thank you --------------------------------- Now with a new friend-happy design! Try the new Yahoo! Canada Messenger From md at bts.sk Wed Nov 12 08:19:49 2008 From: md at bts.sk (Marian =?utf-8?B?xI51cmtvdmnEjQ==?=) Date: Wed, 12 Nov 2008 14:19:49 +0100 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> Message-ID: <20081112131949.GA9101@bts.sk> On Wed, Nov 12, 2008 at 11:48:00AM +0000, William wrote: > We currently use ip igmp join-group x.x.x.x under the vlan interface. This is exactly the problem. "ip igmp join-group" causes all multicast packets for this group to be forwarded also to the CPU. You need to use "ip igmp static-group" instead - then the packets are only forwared to the specified interface, but not copied to the CPU. With kind regards, M. 
From ross at kallisti.us Wed Nov 12 09:19:11 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 12 Nov 2008 09:19:11 -0500
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <4918665A.2070101@forthnet.gr>
References: <49184D7C.4010109@bytemark.co.uk> <4918665A.2070101@forthnet.gr>
Message-ID: <20081112141911.GA7237@kallisti.us>

On Mon, Nov 10, 2008 at 06:50:34PM +0200, Tassos Chatzithomaoglou wrote:
> Keep in mind that DFC equipped modules do not have this problem. According
> to Cisco:
>
> "The addition of a DFC module effectively disconnects a module from the
> Data Bus. As such, a DFC-enabled module is not subject to the bus stall
> mechanism that occurs when a module is inserted or removed from the
> chassis. Throughout these Online Insertion and Removal (OIR) events, the
> Data Bus is temporarily paused for just enough time to ensure that the
> insertion/removal process does not cause any data corruption on the
> backplane. This protection mechanism causes a very brief amount of packet
> loss (sub-second, but dependent on the time it takes to fully insert a
> module). A module with a DFC onboard is not directly affected by this stall
> mechanism and does not have any packet loss on OIR."

This is correct, but it can be complicated. DFC enabled cards still stall
the bus, but since they fabric switch, they won't experience drops. Be more
careful if your chassis is running in mixed mode for fabric and bus mode
switching - in that case, you have some cards that do need the bus (for
example, the CSM).

I've OIRed lots of cards on production 6500s and never had a problem with a
bus-stall causing problems, even on systems that are fabric-enabled and have
to do some bus switching. I agree with the previous poster that suggested
not being afraid to use a little bit of force to make sure they seat
quickly :) Of course, don't use so much force that a caught cable gets
snapped off...

This page from UCAR has pretty good descriptions of the bus and fabric
basics, as well as info on some of the bizarre names that Cisco uses to
refer to pieces that arbitrate backplane traffic:

http://www.cisl.ucar.edu/nets/devices/eswitches/6500-backplane.html

Ross

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher." --Woody Guthrie

From denyipanyany at gmail.com Wed Nov 12 09:32:05 2008
From: denyipanyany at gmail.com (Deny IP Any Any)
Date: Wed, 12 Nov 2008 09:32:05 -0500
Subject: [c-nsp] PIX515E: time to upgrade?
Message-ID:

I've got an Active/Standby set of PIX515Es that I am trying to squeeze some
more life out of (we are planning on replacing them next spring with a pair
of ASA5520s, most likely). What is the best way to monitor how close we are
pushing these PIXes to their limit? Does the PIX (running 7.2) have
something similar to 'show platform tcam utilization', or should I just
watch CPU usage and interface counters?

--
deny ip any any (4423143293 matches)

From petelists at templin.org Wed Nov 12 09:41:07 2008
From: petelists at templin.org (Pete Templin)
Date: Wed, 12 Nov 2008 08:41:07 -0600
Subject: [c-nsp] ASR 9000
In-Reply-To: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv>
References: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv>
Message-ID: <491AEB03.5060808@templin.org>

Jim Devane wrote:
> I heard the 9010 will be front to back and the 9006 is side to back.

The flashy product intro said 'side to back'. If the 9010 is front to back,
I'm happy with that choice. What vendor would think that operators would
_want_ side to back?

pt

From jarruda-cnsp at jarruda.com Wed Nov 12 09:35:26 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 12 Nov 2008 09:35:26 -0500
Subject: [c-nsp] ASR 9000
In-Reply-To: <794962.71625.qm@web905.biz.mail.mud.yahoo.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com>
Message-ID: <491AE9AE.7050806@jarruda.com>

Kevin Graham wrote:
>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
>> would be nice.
>
> ...or at least call this a CRS-2 or something. I'm still crossing my fingers
> that there's a master plan for consistency (or alternatively, clear
> differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.
>
>> Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.
>
> Nope, 7600 already revived it (RSP720). I don't see reference to line cards,
> but the photos look like ES40's, which finally gives some credibility to the
> 6500/7600 split (where new linecards are shared between ASR9000 and 7600).

I somewhat doubt this is the case..at least from what I can imagine...
This would imply the ASR9k cards being able to talk with the 7600
backplane, which, as I understand it, is quite distinct from the CRS-1?
Isn't the ASR9000 based on the CRS-1 hardware?
Isn't the ASR 9000 based on the CRS-1 Metro packet processors also,
while the packet crunching on the 7600 is based on the EARL, and on the
ASR 1000 is based on the QFP?
I can't seem to find details on the cards on the ASR 9000, but, just
making some wild guess here..
(of course, Cisco has been quite effective in getting a clear separation
from control plane to forwarding plane, and IOS-XR sure already runs on
another completely distinct box, the 12K-XR, so, maybe the 7600 will
gain from the ASR 9000 'revamp').

From ghostonthewire at gmail.com Wed Nov 12 11:15:00 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Wed, 12 Nov 2008 19:15:00 +0300
Subject: [c-nsp] log failure logon
In-Reply-To: <100284.92361.qm@web57409.mail.re1.yahoo.com>
References: <100284.92361.qm@web57409.mail.re1.yahoo.com>
Message-ID: <491B0104.7040708@gmail.com>

Hi!

Try to use the "login on-failure log" command (Cisco IOS Login Enhancements
feature; for further details look through http://b23.ru/6f5). Also use
Feature Navigator to find out if this feature is supported by your software
image (it surely doesn't work on releases prior to 12.4(19), dunno about
12.2S trains).

chloe K wrote:
> Hi
>
> I see there is a command "authenticate failure rate" but can't find it
> on my router
>
> Now, how can I log the failure logon?
>
> Thank you

From christian.macnevin at gmail.com Wed Nov 12 11:40:26 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 12 Nov 2008 08:40:26 -0800
Subject: [c-nsp] ASR 9000
In-Reply-To: <491AE9AE.7050806@jarruda.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID:

Am I the only one that's getting a bit wary of Cisco crowding their own
product space?

I guess it looks like they're trying to draw complete distinctions between
their enterprise space and their carrier space, but who's ever really
respected that distinction? Even if they do, the carrier I guess is doing
ok by getting XR everywhere, but the typical enterprise is going to run a
combination of 3500/3750, 2800/3800, 6500, 7600 and ASR1000s, right? So
five different groups of platforms with five distinct feature sets and code
bases. Not to mention any 'legacy' stuff you're running out there.

God help anybody who deployed 7300s.

On Wed, Nov 12, 2008 at 6:35 AM, Julio Arruda wrote:
> I somewhat doubt this is the case..at least from what I can imagine...
> [...]
From ross at kallisti.us Wed Nov 12 12:20:35 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 12 Nov 2008 12:20:35 -0500
Subject: [c-nsp] SNMP-related IOS crashes
Message-ID: <20081112172035.GA8395@kallisti.us>

Hi everyone,

I've been bitten numerous times by IOS crashes caused by bugs in SNMP. I'd
like to start getting proactive about this and just blocking any
problematic MIBs on our switches.

I've seen two separate issues crash IOS:
1) Polling SLB-MIB objects while the status of the object changes (see Bug
   ID CSCsi91875 - it's not fixed even though it says it is)
2) Polling the OSPF link-state database (TAC is still researching this one)

As a result, we're excluding the OSPF-MIB and SLB-MIB from our views.
Anyone else know any baddies I should tack onto the list?

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher." --Woody Guthrie

From christian.macnevin at gmail.com Wed Nov 12 12:36:07 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 12 Nov 2008 09:36:07 -0800
Subject: [c-nsp] God help anybody who deployed 7300s
In-Reply-To: <90AA60B8-658B-469D-83D8-6E7670FBFBFF@mac.com>
References: <90AA60B8-658B-469D-83D8-6E7670FBFBFF@mac.com>
Message-ID:

I forgot to add 10ks :)

On Wed, Nov 12, 2008 at 8:56 AM, Darrell Root wrote:
>
> Thanks for your prayers ;-)
>
> Darrell

From tdurack at gmail.com Wed Nov 12 13:01:55 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 12 Nov 2008 13:01:55 -0500
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>

I think this is the result of competing BUs - no cohesive product strategy,
instead lots of groups trying to maximize profit out of existing/new
products. That's why you have IOS/ION/IOS-XE/IOS-XR/NX-OS...

Tim:>

On Wed, Nov 12, 2008 at 11:40 AM, Christian MacNevin
<christian.macnevin at gmail.com> wrote:
> Am I the only one that's getting a bit wary of Cisco crowding their own
> product space?
> [...]

From benny+usenet at amorsen.dk Wed Nov 12 12:12:27 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 12 Nov 2008 18:12:27 +0100
Subject: [c-nsp] Upgrading edge router
In-Reply-To: <38938.5776049041$1226451212@news.gmane.org> (Ben Steele's message of "Wed\, 12 Nov 2008 11\:20\:14 +1030")
References: <4213440380134758766@unknownmsgid> <38938.5776049041$1226451212@news.gmane.org>
Message-ID:

"Ben Steele" writes:

> As for licenses this one is a little weird, basically adv enterprise is
> cheaper than adv ip even though it has all the features of adv ip, seems to
> be purely based on ppl not wanting features they will never use available on
> an image and Cisco making them pay more for that feature, my advice is buy
> the cheaper adv enterprise, it will do IPv6.

It is a bit weird that an edge router in 2008 doesn't ship with IPv6 in its
base image. It's also a bit weird that the price of the base image is
separate from the price of the router. You can't just grab a random Linux
distribution and install that...
/Benny

From pdavis at i2k.com Wed Nov 12 14:23:47 2008
From: pdavis at i2k.com (Phil Davis)
Date: Wed, 12 Nov 2008 14:23:47 -0500
Subject: [c-nsp] rate-limit on subinterfaces
Message-ID: <491B2D43.7010304@i2k.com>

Hello,

Are there any caveats on using the rate-limit command on 802.1q
subinterfaces?

Thanks,
Phil

From brandon at sterling.net Wed Nov 12 17:21:25 2008
From: brandon at sterling.net (Brandon Price)
Date: Wed, 12 Nov 2008 14:21:25 -0800
Subject: [c-nsp] Policy Based Routing on PE
Message-ID:

I have a PE with 2 interfaces going to the same CE in vrf CUSTA.

I would like packets with a certain SOURCE ip to take interface 2 and all
other packets to follow normal routing in the vrf (interface 1).

Where on the PE would I set up the route-map? Any configuration examples?

Brandon

From brett at looney.id.au Wed Nov 12 17:28:12 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 07:28:12 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References:
Message-ID: <021801c94515$f81b2c90$e85185b0$@id.au>

> we want to use a Cisco 2821 as SIP-PSTN media gateway and PRI switch
> for a slow migration from an old PBX to a VoIP PBX (Asterisk)
>
> CISCO2821-V/K9 2821 Voice Bundle,PVDM2-32,SP Serv,64F/256D
> VWIC-2MFT-E1 2-Port RJ-48 Multiflex Trunk - E1
> PVDM2-32 32-Channel Packet Voice/Fax DSP Module
>
> can anyone see any reason why this might not work?

Depending on how the calls are terminated you may need significantly more
DSP resources than you have right now. You might need double or triple that
depending on the number of calls. Also, be aware that you may not be able to
independently clock the two E1 interfaces.

B.

From jared at puck.nether.net Wed Nov 12 19:53:18 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 12 Nov 2008 19:53:18 -0500
Subject: [c-nsp] SXI out
Message-ID: <20081113005318.GA76126@puck.nether.net>

It appears cisco released SXI already.

http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From mtinka at globaltransit.net Wed Nov 12 20:04:15 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:04:15 +0800
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <200811130904.20213.mtinka@globaltransit.net>

On Thursday 13 November 2008 00:40:26 Christian MacNevin wrote:

> Am I the only one that's getting a bit wary of Cisco
> crowding their own product space?

Personally, I don't see why providers won't consider using the ASR9000 as a
Metro-E router, even though Cisco are adamant that that's not what it's
intended for, and that the 7600 still has a significant role to play in
this area for a long time to come.

I think the only reason folk wouldn't look at the ASR9000 for Metro-E P/PE
deployments, at least in the short to medium term, is because IOS XR might
be anaemic when compared to regular IOS.

Mark.

From mtinka at globaltransit.net Wed Nov 12 20:07:25 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:07:25 +0800
Subject: [c-nsp] ASR 9000
In-Reply-To: <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>
Message-ID: <200811130907.26435.mtinka@globaltransit.net>

On Thursday 13 November 2008 02:01:55 Tim Durack wrote:

> I think this is the result of competing BUs - no cohesive
> product strategy, instead lots of groups trying to
> maximize profit out of existing/new products.

I've always thought that classifying products into Enterprise, Service
Provider, SOHO, etc., is a waste of time - and that goes for all vendors.

If it feels right, and cuts it, I'll deploy it. We use a bunch of "desktop"
switches for real customer production traffic. The 6500 is what Cisco
recommend for service providers, but it doesn't make sense for some areas
of our network when compared to, say, the 3560. We use 2800's where Cisco
say we should use a 7200, etc., you get the point.

I guess that kind of distinction is necessary from the point-of-view of a
vendor, but in practice, that area is very, very grey.

Mark.

From mtinka at globaltransit.net Wed Nov 12 20:09:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:09:36 +0800
Subject: [c-nsp] rate-limit on subinterfaces
In-Reply-To: <491B2D43.7010304@i2k.com>
References: <491B2D43.7010304@i2k.com>
Message-ID: <200811130909.37591.mtinka@globaltransit.net>

On Thursday 13 November 2008 03:23:47 Phil Davis wrote:

> Are there any caveats on using rate-limit command on
> 802.1q subinterfaces?
It, generally, should work, although I'd consider using MQC instead.

Cheers,

Mark.

From pwu828 at gmail.com Wed Nov 12 20:10:38 2008
From: pwu828 at gmail.com (Patrick Wu)
Date: Thu, 13 Nov 2008 12:10:38 +1100
Subject: [c-nsp] Intermittent 100% backplane utilisation on Cisco 6500
Message-ID:

Hi,

I'm currently having issues with one of the Cisco 6506s in the network. It
is running HSRP with another 6506 and also running OSPF/BGP.

Recently, this 6506 has been having intermittent 100% backplane
utilisation, which caused everything to stop responding for a couple of
seconds. As a result, spanning tree recalculation and HSRP failover kicked
in, and caused interruptions in many parts of the network.

What I don't understand is what caused the 100% utilisation. Googling
reveals that it could be caused by spanning tree loops and broadcast
storms. But I have already tuned down the storm-control on broadcast on all
ports into the 6506, and I don't think there are any loops in the network.

Unlike a DDoS attack where the 100% utilisation is continuous, it just
peaks at 100% for 1 or 2 seconds and comes back down... the logs don't
seem to show much.

Anyone who has had a similar experience or is able to point me in the right
direction would be greatly appreciated!

Thanks.

Here's the show version and show module:

show version
Cisco Internetwork Operating System Software
IOS (tm) c6sup1_rp Software (c6sup1_rp-PSV-M), Version 12.1(22)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 10:13 by pwade
Image text-base: 0x60020F90, data-base: 0x616EA000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
BOOTLDR: MSFC Software (C6MSFC-BOOT-M), Version 12.1(3a)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

xxxxxxxx uptime is 23 weeks, 5 days, 27 minutes
Time since xxxxxxxx switched to active is 23 weeks, 5 days, 29 minutes
System returned to ROM by power-on (SP by reload)
System restarted at 09:34:31 AEST Sat May 31 2008
System image file is "slot0:c6sup11-psv-mz.121-22.E1"

cisco WS-C6506 (R5000) processor (revision 3.0) with 114688K/16384K bytes of memory.
Processor board ID TBA05290886
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
146 Virtual Ethernet/IEEE 802.3 interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
10 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Cat 6k sup 1 Enhanced QoS (Active)     WS-X6K-SUP1A-2GE   SAD03414219
  3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03430896
  5     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAD05040L5K

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 00d0.bcee.59a8 to 00d0.bcee.59a9   3.2    5.3(1)       12.1(22)E1   Ok
  3 0030.9613.f314 to 0030.9613.f343   1.1    4.2(0.24)VAI 8.3(0.111)TF Ok
  5 0002.fc25.3224 to 0002.fc25.322b   1.6    5.4(2)       8.3(0.111)TF Ok

Mod Sub-Module                  Model           Serial          Hw      Status
--- --------------------------- --------------- --------------- ------- -------
  1 Policy Feature Card         WS-F6K-PFC      SAD03424981     1.0     Ok
  1 MSFC Cat6k daughterboard    WS-F6K-MSFC     SAD03427635     1.4     Ok

Mod Online Diag Status
--- -------------------

From berni at birkenwald.de Wed Nov 12 21:27:22 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 02:27:22 +0000 (UTC)
Subject: [c-nsp] 2821 voice configuration
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID:

Brett Looney wrote:

> Depending on how the calls are terminated you may need significantly more
> DSP resources than you have right now. You might need double or triple that
> depending on the number of calls. Also, be aware that you may not be able to
> independently clock the two E1 interfaces.

Thanks for the answer.

>95% of the calls should be G.711, so that leaves me with 64 channels. So in
theory I should be able to fully utilize both E1s with calls originating
from SIP, right?
What about E1-to-E1 calls that are just switched in the box? Do they take
any DSP resources at all?

Regards,
Bernhard

From brett at looney.id.au Wed Nov 12 21:51:37 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 11:51:37 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID: <024d01c9453a$c1768700$44639500$@id.au>

> 95% of the calls should be G.711, so that leaves me with 64 channels.
> So in theory I should be able to fully utilize both E1s with calls
> originating from SIP, right? What about E1-to-E1 calls that are just
> switched in the box? Do they take any DSP resources at all?

I'm unsure on that - best to check with Cisco. My guess is that they do take
DSP resources and you'll be looking at two per call - one for the "incoming"
E1 call leg and one for the "outgoing" E1 call leg. I could be wrong though
- I would budget for worst-case in any event.

B.

From ATolstykh at integrysgroup.com Wed Nov 12 21:59:46 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Wed, 12 Nov 2008 20:59:46 -0600
Subject: [c-nsp] SXI out
In-Reply-To: <20081113005318.GA76126@puck.nether.net>
Message-ID: <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>

Link to the release notes / new features etc.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Wednesday, November 12, 2008 6:53 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SXI out

It appears cisco released SXI already.
[...]

From ianh at chime.net.au Wed Nov 12 22:31:25 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Thu, 13 Nov 2008 12:31:25 +0900
Subject: [c-nsp] ASR 9000
In-Reply-To: <491AEB03.5060808@templin.org>
References: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv> <491AEB03.5060808@templin.org>
Message-ID: <100362309621454DAA534950B17E55DB0111FC199184@isp-per-exc01.win2k.iinet.net.au>

Pete Templin wrote on 2008-11-12:

> What vendor would think that operators would _want_ side to back?

One that wants operators to purchase the larger, more expensive chassis? :)

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From brett at looney.id.au Wed Nov 12 21:52:52 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 11:52:52 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID: <024e01c9453a$ee2a9e80$ca7fdb80$@id.au>

> 95% of the calls should be G.711, so that leaves me with 64 channels.
> So in theory I should be able to fully utilize both E1s with calls
> originating from SIP, right? What about E1-to-E1 calls that are just
> switched in the box? Do they take any DSP resources at all?

Oh, and I forgot - you'll need 64 DSP resources in any case if you're doing
the whole 30 channels on both E1s. You need one DSP resource per E1 call
terminated with G.711.

B.

From vikassharmas at gmail.com Thu Nov 13 00:44:21 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 13 Nov 2008 11:14:21 +0530
Subject: [c-nsp] number of vlan 16k
Message-ID:

Hi,

I could see a few of the vendors support 16k/128k VLANs on BRAS devices. I
was wondering how it can be integrated with other devices which only
support 4095 VLANs!!!

Any help is appreciated..

Regards,
Vikas Sharma

From sthaug at nethelp.no Thu Nov 13 01:41:40 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 13 Nov 2008 07:41:40 +0100 (CET)
Subject: [c-nsp] number of vlan 16k
In-Reply-To:
References:
Message-ID: <20081113.074140.74748459.sthaug@nethelp.no>

> I could see a few of the vendors support 16k/128k VLANs on BRAS devices. I
> was wondering how it can be integrated with other devices which only
> support 4095 VLANs!!!

This will typically depend on either stacked (dual tagged) VLANs, or VLANs
per port (not global to the box), or both. It all depends on your
requirements. If you want to IP terminate 30k customers, for instance, you
would typically need both.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From b.turnbow at twt.it Thu Nov 13 03:01:43 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 13 Nov 2008 09:01:43 +0100
Subject: [c-nsp] 2821 voice configuration
In-Reply-To: <024d01c9453a$c1768700$44639500$@id.au>
References: <021801c94515$f81b2c90$e85185b0$@id.au> <024d01c9453a$c1768700$44639500$@id.au>
Message-ID:

The vwic-2 cards can do voip or cross connect (no dsp used) but a channel
can not do both at the same time.
It is done on the controller creating a ds0 group or tdm group. In one E1
you can have both but the channels are dedicated. At least AFAIK.

With 2 pvdm-32s you can do 64 channels of g711, but any other codecs,
fax/modem relay will be a medium or high complexity codec and will lower
your channels considerably.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Thursday, 13 November 2008 3:52
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2821 voice configuration

I'm unsure on that - best to check with Cisco. My guess is that they do take
DSP resources and you'll be looking at two per call - one for the "incoming"
E1 call leg and one for the "outgoing" E1 call leg. I could be wrong though
- I would budget for worst-case in any event.

B.

From maureen.schaar at gmail.com Thu Nov 13 03:32:05 2008
From: maureen.schaar at gmail.com (maureen schaar)
Date: Thu, 13 Nov 2008 09:32:05 +0100
Subject: [c-nsp] 6500-sup-stdby
In-Reply-To: <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com>
References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com>
Message-ID: <2475c97c0811130032r1fe97016re4defd097b68e1ef@mail.gmail.com>

If you still have the problem, maybe you can try something, since I once
had a similar problem. There may be a discrepancy between the confreg on
the RP and the SP. You need to set the confreg again.

Even though the remote command switch show bootvar command displayed the
right confreg in the SP in my situation, I was still returned to rommon.
After setting the confreg in the RP, the problem was resolved.

See also
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008072c406.shtml#sup_sub_3

Hope this helps.

Maureen

On Tue, Nov 11, 2008 at 4:14 PM, Pete S. wrote:

> Also, make sure the flash was formatted by the chassis it's currently in.
> There was an issue where, if formatted in another chassis, the flash could
> be read, but not booted from, resulting in a boot to rommon where you have
> to manually enter the boot command.
>
> --Pete
>
> On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote:
>
>> Hi, I am using a Cisco 6509 with two sup engines. sup1 is main and sup2
>> is standby. The problem is sup2 is not booting automatically when the
>> system is switched ON. It is going to rommon mode, where we have to
>> type the boot command so that it will boot. After booting, the boot
>> variable is missing. If we set the boot variable, it will show the boot
>> variable but it is temporary.
>>
>> Again we switched OFF and ON, and the same situation is there. I tried
>> a lot, please help me. Some details are here...
>>
>> Before sup2:
>>
>> CAT_1> (enable) sh mod
>> Mod Slot Ports Module-Type               Model               Sub Status
>> --- ---- ----- ------------------------- ------------------- --- --------
>> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
>> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
>> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>>
>> After sup2:
>>
>> CAT_1> (enable) sh mod
>> Mod Slot Ports Module-Type               Model               Sub Status
>> --- ---- ----- ------------------------- ------------------- --- --------
>> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
>> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
>> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
>> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>>
>> bye.

From janasamit at wlink.com.np Thu Nov 13 03:36:24 2008
From: janasamit at wlink.com.np (Samit)
Date: Thu, 13 Nov 2008 14:21:24 +0545
Subject: [c-nsp] interface packets/sec MIB
Message-ID: <491BE708.50608@wlink.com.np>

Hi list,

I want to graph the in/out pps counter of every individual interface of my
routers, but I could not find the MIB for it. Does anyone know the MIB for
this?
Regards,
Samit

From gert at greenie.muc.de Thu Nov 13 04:14:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 13 Nov 2008 10:14:23 +0100
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <20081113091423.GD8535@greenie.muc.de>

Hi,

On Wed, Nov 12, 2008 at 08:40:26AM -0800, Christian MacNevin wrote:
> Am I the only one that's getting a bit wary of Cisco crowding their own
> product space?

"Different BUs fighting for revenue"

> God help anybody who deployed 7300s.

Or 7120, 7140, 7400, RSFC, or ...

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From b.turnbow at twt.it Thu Nov 13 05:22:52 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 13 Nov 2008 11:22:52 +0100
Subject: [c-nsp] interface packets/sec MIB
In-Reply-To: <491BE708.50608@wlink.com.np>
References: <491BE708.50608@wlink.com.np>
Message-ID:

RFC 1213
.1.3.6.1.2.1.2.2.1
Inside you may find unicast packets and non-unicast packets

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Samit
Sent: Thursday, 13 November 2008 9.36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] interface packets/sec MIB

Hi list,

I want to graph the in/out pps counter of every individual interface of my routers, but I could not find the MIB for it. Does anyone know the MIB for this?
Regards,
Samit

From berni at birkenwald.de Thu Nov 13 05:35:54 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 10:35:54 +0000 (UTC)
Subject: [c-nsp] SXI out
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID:

Tolstykh, Andrew wrote:

> Link to the release notes / new features etc.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036

Cisco promised us a lot of new IPv6-related features for SXI, including IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on VSS. None of that is listed in the release notes.

Did anyone test already?

Bernhard

From manafo at hotmail.com Thu Nov 13 05:46:06 2008
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 13 Nov 2008 12:46:06 +0200
Subject: [c-nsp] MAC Address Table Count
Message-ID:

Hi,

I have a strange behavior on my MAC address table count. We are running an L2 WiMAX network using Cisco 3750ME switches distributed on 60 sites and aggregated on 2 Cisco 7600 routers. The MAC address table should be the same for all switches, since we are using the same traffic VLAN for all clients. The usual MAC address table count is about 1600, which is the average number of concurrent client sessions, shared between all switches and the aggregation routers, but intermittently the count decreases on all switches to around 200-300 although the number of clients is still the same.

Any explanation for this behavior?

    AGG1                                      AGG2
     |                                         |
     ---------------------------------------------------
     |      |      |                               |
    SW1    SW2    SW3   ...............
                                                 SW60
                                                  /
                                              |wimax|
                                                  /
                                               Client

Thank you,
Manaf

From packetlss at gmail.com Thu Nov 13 05:52:29 2008
From: packetlss at gmail.com (Magnus Eriksson)
Date: Thu, 13 Nov 2008 11:52:29 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
Message-ID: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>

I'm looking for some pointers on what are the smallest recommended Cisco boxes to use for a small multihoming solution.

2 full BGP views (approx 260k routes each)
100 Mbps bandwidth requirement.

The setup currently uses 2 Juniper M5 but those are in dire need of refresh.

What are the appropriate Cisco boxes to go for? Do I need any memory upgrades etc?

Any suggestions are welcome.

Regards Magnus

From onechama at yahoo.com Thu Nov 13 06:48:57 2008
From: onechama at yahoo.com (Eslon BAchama)
Date: Thu, 13 Nov 2008 03:48:57 -0800 (PST)
Subject: [c-nsp] Burning switch ports on model 3750
Message-ID: <603777.63324.qm@web39506.mail.mud.yahoo.com>

Hi Members,

I have a Cisco switch model 3750 series but the switch ports stop working one by one. Any help? One end is connected to a TrendNet switch (all ports on the TrendNet are fine).

Chama

From gabbarsingh9009 at yahoo.com Thu Nov 13 06:58:11 2008
From: gabbarsingh9009 at yahoo.com (Gabby)
Date: Thu, 13 Nov 2008 03:58:11 -0800 (PST)
Subject: [c-nsp] packet capture on 6509....??
Message-ID: <300132.18416.qm@web46209.mail.sp1.yahoo.com>

Hello,

Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module? I know I could do a SPAN port, but I'm interested in knowing if there's any other method....

Gabby.
From hroi at asdf.dk Thu Nov 13 07:23:27 2008
From: hroi at asdf.dk (Hroi Sigurdsson)
Date: Thu, 13 Nov 2008 13:23:27 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <20081113005318.GA76126@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net>
Message-ID: <491C1C3F.405@asdf.dk>

Jared Mauch wrote:
> It appears cisco released SXI already.
>
> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment

It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or just a tease?

From p.mayers at imperial.ac.uk Thu Nov 13 07:41:30 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 12:41:30 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C1C3F.405@asdf.dk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk>
Message-ID: <491C207A.1010200@imperial.ac.uk>

Hroi Sigurdsson wrote:
> Jared Mauch wrote:
>> It appears cisco released SXI already.
>>
>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>>
>
> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or
> just a tease?

The CLI is listed, not necessarily the support for 6vPE. I'm loading it onto a box now and will test it.
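On the "interface packets/sec MIB" thread above, Brian points Samit at the RFC 1213 ifTable (.1.3.6.1.2.1.2.2.1): the agent only exposes packet counters, so pps has to be derived from two polls, and the part that bites on a graph is the Counter32 wrap. The following is an added example (not code from the list or from Cisco) that sums the unicast and non-unicast columns, handles a single wrap, and says how often you must poll before a 32-bit counter can wrap twice; the column numbers are from RFC 1213 and the IF-MIB, the two polls are constructed values.

```python
"""Interface packets/sec from two SNMP polls of the ifTable packet counters.

Added example for the interface packets/sec MIB thread; not code from the
list or from Cisco. ifEntry columns are from RFC 1213, ifXEntry (64-bit HC)
columns from the IF-MIB; the two polls at the bottom are constructed values.
"""

IF_ENTRY = ".1.3.6.1.2.1.2.2.1"        # RFC 1213 ifEntry (Counter32)
IFX_ENTRY = ".1.3.6.1.2.1.31.1.1.1"    # IF-MIB ifXEntry (Counter64 "HC" columns)

# Packet counters under ifEntry: unicast + non-unicast, in and out.
IF_COLUMNS = {"ifInUcastPkts": 11, "ifInNUcastPkts": 12,
              "ifOutUcastPkts": 17, "ifOutNUcastPkts": 18}
# 64-bit equivalents under ifXEntry, for links where Counter32 wraps too fast.
IFX_COLUMNS = {"ifHCInUcastPkts": 7, "ifHCInMulticastPkts": 8,
               "ifHCInBroadcastPkts": 9, "ifHCOutUcastPkts": 11,
               "ifHCOutMulticastPkts": 12, "ifHCOutBroadcastPkts": 13}

COUNTER32_MAX = 2 ** 32
COUNTER64_MAX = 2 ** 64


def oid_for(name, ifindex):
    """Full OID of one packet counter instance for a given ifIndex."""
    if name in IF_COLUMNS:
        return f"{IF_ENTRY}.{IF_COLUMNS[name]}.{ifindex}"
    if name in IFX_COLUMNS:
        return f"{IFX_ENTRY}.{IFX_COLUMNS[name]}.{ifindex}"
    raise KeyError(f"unknown packet counter {name}")


def counter_width(name):
    """Modulus of the counter: Counter32 in ifTable, Counter64 in ifXTable."""
    return COUNTER64_MAX if name in IFX_COLUMNS else COUNTER32_MAX


def counter_delta(old, new, width):
    """Packets counted between two readings, allowing for one wrap-around.

    A raw new - old goes hugely negative after a wrap; that is the classic
    source of bogus spikes (or negative values) on a pps graph.
    """
    return new - old if new >= old else new + width - old


def safe_poll_interval(peak_pps, width=COUNTER32_MAX):
    """Longest poll interval (s) for which a single wrap stays unambiguous.

    If the counter can wrap twice between polls the delta is silently wrong:
    poll faster or switch to the HC counters.
    """
    return width / peak_pps


def interface_pps(old_poll, new_poll, interval_s):
    """Return {ifIndex: (in_pps, out_pps)} from two snapshots.

    A snapshot maps ifIndex -> {counter_name: value}. All input counters
    are summed into in_pps and all output counters into out_pps, so
    unicast and non-unicast (or multicast/broadcast) traffic both count.
    """
    rates = {}
    for ifindex, new in new_poll.items():
        old = old_poll.get(ifindex)
        if old is None:
            continue  # interface appeared since the last poll: no rate yet
        in_pkts = out_pkts = 0
        for name, value in new.items():
            delta = counter_delta(old[name], value, counter_width(name))
            if name.startswith(("ifIn", "ifHCIn")):
                in_pkts += delta
            else:
                out_pkts += delta
        rates[ifindex] = (in_pkts / interval_s, out_pkts / interval_s)
    return rates


# Constructed sample: two polls 100 s apart. ifIndex 3 uses the 32-bit ifTable
# counters and its ifInUcastPkts wrapped between polls (7296 packets up to the
# wrap, 2704 after it); ifIndex 9 uses the 64-bit HC counters.
POLL_INTERVAL_S = 100
POLL_T0 = {
    3: {"ifInUcastPkts": 4294960000, "ifInNUcastPkts": 1000,
        "ifOutUcastPkts": 100000, "ifOutNUcastPkts": 50},
    9: {"ifHCInUcastPkts": 10 ** 12, "ifHCInMulticastPkts": 500,
        "ifHCInBroadcastPkts": 20, "ifHCOutUcastPkts": 2 * 10 ** 12,
        "ifHCOutMulticastPkts": 0, "ifHCOutBroadcastPkts": 0},
}
POLL_T1 = {
    3: {"ifInUcastPkts": 2704, "ifInNUcastPkts": 1300,
        "ifOutUcastPkts": 400000, "ifOutNUcastPkts": 50},
    9: {"ifHCInUcastPkts": 10 ** 12 + 1500000, "ifHCInMulticastPkts": 600,
        "ifHCInBroadcastPkts": 20, "ifHCOutUcastPkts": 2 * 10 ** 12 + 50000,
        "ifHCOutMulticastPkts": 0, "ifHCOutBroadcastPkts": 0},
}

if __name__ == "__main__":
    for idx, (i, o) in interface_pps(POLL_T0, POLL_T1, POLL_INTERVAL_S).items():
        print(f"ifIndex {idx}: in {i:.1f} pps, out {o:.1f} pps")
```

At the 12350 pps seen on the Vlan800 interface later in this digest a Counter32 lasts about four days between wraps, so 5-minute polling is safe; at gigabit line rate with small packets it wraps in under an hour, which is where the HC columns earn their keep.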
From benny+usenet at amorsen.dk Thu Nov 13 07:43:09 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 13 Nov 2008 13:43:09 +0100
Subject: [c-nsp] ASR 9000
In-Reply-To: <200811130904.20213.mtinka@globaltransit.net> (Mark Tinka's message of "Thu, 13 Nov 2008 09:04:15 +0800")
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com> <200811130904.20213.mtinka@globaltransit.net>
Message-ID:

Mark Tinka writes:

> I think the only reason folk wouldn't look at the ASR9000
> for Metro-E P/PE deployments, at least in the short to
> medium term, is because IOS XR might be anaemic when
> compared to regular IOS.

Isn't the 7600 likely to be cheaper than the ASR9000 for the same number of ports? I think the ASR9000 looks good for P/PE duty from what little information is out, but some price information would be nice.

/Benny

From sidney.boumendil at gmail.com Thu Nov 13 07:44:24 2008
From: sidney.boumendil at gmail.com (Sidney Boumendil)
Date: Thu, 13 Nov 2008 13:44:24 +0100
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
References: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
Message-ID: <41522e900811130444u47c83fa0kd0976e3bf2430814@mail.gmail.com>

On Thu, Nov 13, 2008 at 12:58 PM, Gabby wrote:
>
> Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module? I know I could do a SPAN port, but I'm interested in knowing if there's any other method....

It looks like a new feature in the SXI release.

Sidney

From gulerozgur at yahoo.co.uk Thu Nov 13 07:47:19 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 13 Nov 2008 12:47:19 +0000 (GMT)
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
Message-ID: <22242.6601.qm@web25503.mail.ukl.yahoo.com>

You can do packet captures with ELAM functionality.
That is generally used for hw forwarding troubleshooting though.
--- On Thu, 13/11/08, Gabby wrote:

From: Gabby
Subject: [c-nsp] packet capture on 6509....??
To: cisco-nsp at puck.nether.net
Date: Thursday, 13 November, 2008, 11:58 AM

Hello,

Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module? I know I could do a SPAN port, but I'm interested in knowing if there's any other method....

Gabby.

From raymondh.nsp at gmail.com Thu Nov 13 07:52:47 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Thu, 13 Nov 2008 20:52:47 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>

You may want to consider getting either part # CISCO7201 (PSU included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite cheap).
Both part #s for the box shouldn't be much of a difference, or the same.

--raymondh

On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:

> I'm looking for some pointers on what are the smallest recommended
> Cisco boxes to use for a small multihoming solution.
>
> 2 full BGP views (approx 260k routes each)
> 100 Mbps bandwidth requirement.
>
> The setup currently uses 2 Juniper M5 but those are in dire need of
> refresh.
>
>
> What are the appropriate Cisco boxes to go for? Do I need any memory
> upgrades etc?
>
> Any suggestions are welcome.
>
> Regards Magnus

From gideon at adept.co.za Thu Nov 13 07:19:39 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Thu, 13 Nov 2008 14:19:39 +0200
Subject: [c-nsp] Burning switch ports on model 3750
In-Reply-To: <603777.63324.qm@web39506.mail.mud.yahoo.com>
References: <603777.63324.qm@web39506.mail.mud.yahoo.com>
Message-ID: <5CF12851-E38D-4CEA-B5AA-293ADD3FD67A@adept.co.za>

On 13 Nov 2008, at 1:48 PM, Eslon BAchama wrote:

> I have a Cisco switch model 3750 series but the switch ports stop
> working one by one.
>

Does it log anything to the console? Are any of the ports marked as being in an error state?

G

From tdurack at gmail.com Thu Nov 13 08:15:53 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 13 Nov 2008 08:15:53 -0500
Subject: [c-nsp] SXI out
In-Reply-To:
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Fiosswrel%2Fps8802%2Fps6970%2Fps6017%2Fps9673%2Fproduct_bulletin_c25-503086.html&pos=1&strqueryid=1&websessionid=m7dr3yFygHTz5Rv3D5SKdLV

"The DHCPv6 Relay component is enhanced to support a stateless Relay. Remote Id and Interface Id options insertion is performed. DHCPv6 Relay now works in conjunction with Prefix Delegation for adding or removing corresponding routes in the Relay agent routing table."

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

"Software Features

With some exceptions, the virtual switching system has feature parity with the standalone Catalyst 6500 series switch.
Major exceptions include:

• The virtual switching system does not support MPLS or IPv6.

• In software releases earlier than Cisco IOS Release 12.2(33)SXI, port-based QoS and port ACLs (PACLs) are supported only on Layer 2 single-chassis or multichassis EtherChannel (MEC) links. Beginning with Cisco IOS Release 12.2(33)SXI, port-based QoS and PACLs can be applied to any physical port in the VSS, excluding ports in the VSL. PACLs can be applied to no more than 2046 ports in the VSS.

• The virtual switching system does not support supervisor engine redundancy within a chassis.

• The virtual switching system does not support Lawful Intercept."

Got to wonder whether VSS is going to make it or not...

Tim:>

On Thu, Nov 13, 2008 at 5:35 AM, Bernhard Schmidt wrote:
> Tolstykh, Andrew wrote:
>
> > Link to the release notes / new features etc.
> >
> > http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> Cisco promised us a lot of new IPv6-related features for SXI, including
> IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on
> VSS. None of that is listed in the release notes.
>
> Did anyone test already?
>
> Bernhard
>

From rlcwlist at gmail.com Thu Nov 13 08:23:46 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Thu, 13 Nov 2008 21:23:46 +0800
Subject: [c-nsp] QOS CBWFQ Problems
Message-ID: <53fb3cbd0811130523y3cad3a08of02af7e4ed92564@mail.gmail.com>

Dear Sirs:

I'm seeking your expert support on my 6509 3CXL.

Before, I had deployed an ACL for all IP running through VLAN800 with 36000000. However, when I checked my CACTI it showed me just 4Mb of traffic at the limitation!
Right now, I've deployed the rule to transmit for all, including the violated.

In the following information, you can check that my interface was just running 50817000, however the CBWFQ shows 75474008.

Do you have any ideas on that?

Thanks for your support!

AGC-C6509-2>sh int vl800
Vlan800 is up, line protocol is up
  Hardware is EtherSVI, address is 1234.5678.90c0 (bia 1234.5678.90c0)
  Description: For AGC-C6509-72 segment
  Internet address is 192.168.92.4/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 11/255, rxload 12/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/241/39 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 50817000 bits/sec, 12350 packets/sec
  5 minute output rate 44609000 bits/sec, 10111 packets/sec
  L2 Switched: ucast: 858465873 pkt, 481650114649 bytes - mcast: 45143 pkt, 4578874 bytes
  L3 in Switched: ucast: 538560259 pkt, 294422484717 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 427084531 pkt, 232344575218 bytes mcast: 0 pkt, 0 bytes
     538730837 packets input, 294446452281 bytes, 0 no buffer
     Received 44949 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 7 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     427341594 packets output, 230684282878 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

AGC-C6509-2>sh pol int Vlan800

  Service-policy input: inbound-policy-test

    class-map: ACL165-in (match-all)
      Match: access-group 165
      police :
        36000000 bps 6750000 limit 13500000 extended limit
      Earl in slot 4 :
        13005001476 bytes
        5 minute offered rate 75474008 bps
        aggregate-forwarded 13005001476 bytes action: transmit
        exceeded 0 bytes action: transmit
        violated 0 bytes action: transmit
        aggregate-forward 77773744 bps exceed 0 bps violate 0 bps
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: transmit
        violated 0 bytes action: transmit
        aggregate-forward 0 bps exceed 0 bps violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps
AGC-C6509-2>
AGC-C6509-2>sh ip access 165
Extended IP access list 165
    10 permit ip any any (99540 matches)

From p.mayers at imperial.ac.uk Thu Nov 13 08:24:51 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 13:24:51 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C1C3F.405@asdf.dk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk>
Message-ID: <491C2AA3.6070808@imperial.ac.uk>

Hroi Sigurdsson wrote:
> Jared Mauch wrote:
>> It appears cisco released SXI already.
>>
>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>>
>
> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or
> just a tease?

It would appear not:

core-spare(config)#vrf definition PROD
core-spare(config-vrf)#address-family ipv6
% VRF address family ipv6 is not supported or not enabled
% Can't activate address-family 'ipv6'

...likewise in global config mode:

core-spare(config)#ipv6 unicast-routing ?

i.e. no "vrf" argument option.
Various bits of fiddling indicate it has the CLI, but not the 6vPE support yet (maybe next release)

From blahu77 at gmail.com Thu Nov 13 08:34:54 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 13 Nov 2008 13:34:54 +0000
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To:
References:
Message-ID: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>

Brandon,

2008/11/12 Brandon Price
>
> I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> I would like packets with a certain SOURCE ip to take interface 2 and
> all other packets to follow normal routing in the vrf (interface 1).

How about a GRE tunnel between SOURCE and the CE in question, with PBR on the SOURCE side if needed to direct traffic towards the tunnel?

> Where on the PE would I set up the route-map ? Any configuration
> examples?

Unless there is some special feature I don't know about, it seems there is no way.

Best Regards,

-mat

--
pgp-key 0x1C655CAB

From berni at birkenwald.de Thu Nov 13 08:37:04 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 14:37:04 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>
Message-ID: <491C2D80.1090009@birkenwald.de>

Tim Durack wrote:

Hi,

I was hoping that

> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html
>
> "Software Features
>
> With some exceptions, the virtual switching system has feature parity
> with the standalone Catalyst 6500 series switch.
> Major exceptions include:
>
> • The virtual switching system does not support MPLS or IPv6.

was bogus and old information. But a VSS cluster with 12.2(33)SXI does not accept any IPv6 commands, so it's basically useless to us. Let's see what our account manager has to say about that; I'm very disappointed right now. SXI runs two months late and then misses most of the features we were promised.

Regards,
Bernhard

From Fernando.Correa at tivit.com.br Thu Nov 13 09:02:08 2008
From: Fernando.Correa at tivit.com.br (Fernando de Aquilino Corrêa)
Date: Thu, 13 Nov 2008 12:02:08 -0200
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
In-Reply-To: <200811111449.mABEnfOu030925@racing2.mecon.ar>
Message-ID:

Hello,

According to a Sales Engineer at Cisco, this is going to be available some time in H1 2009. It'll be a 48 port SFP line card if I remember correctly. I'd love to have their roadmap for this switch.

Att,
Fernando

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan Angel Menendez
Sent: Tuesday, 11 November 2008 12:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.

Hello list,

We're interested in the Nexus 7000 platform but we're wondering if a fiber 1GBit linecard is going to be available anytime soon?

Thanks in advance.
Regards
Juan

From p.mayers at imperial.ac.uk Thu Nov 13 09:14:23 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 14:14:23 +0000
Subject: [c-nsp] SXI out
In-Reply-To:
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <491C363F.5050409@imperial.ac.uk>

Bernhard Schmidt wrote:
> Tolstykh, Andrew wrote:
>
>> Link to the release notes / new features etc.
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> Cisco promised us a lot of new IPv6-related features for SXI, including
> IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on

v6 relay and v6 HSRP are there:

 ip vrf forwarding PROD
 ip address 192.168.60.254 255.255.255.0
 ipv6 address 2001:DB8:500::1/64
 ipv6 dhcp relay destination 2001:DB8:502::3
 ipv6 dhcp relay destination 2001:DB8:502::4
 standby version 2
 standby 0 ipv6 autoconfig

...I'll spin up a DHCPv6 server later and see if it works.

From guru6111 at gmail.com Thu Nov 13 09:14:31 2008
From: guru6111 at gmail.com (Atif Sid)
Date: Thu, 13 Nov 2008 09:14:31 -0500
Subject: [c-nsp] ISIS / NSF IOS XR
In-Reply-To: <491AAC78.3010708@renater.fr>
References: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com> <491AAC78.3010708@renater.fr>
Message-ID: <766b203d0811130614wb1bd1a6q481959eff6993833@mail.gmail.com>

Yes, correct! NSF is disabled, but if you look closely the 'sh isis neig' command says capable 'yes'; but the ISIS adj command says NSF 'yes', which is misleading!

I have LDP GR also disabled, but when I fail over the RPs I do not see any traffic loss. Have you tested?
On Wed, Nov 12, 2008 at 5:14 AM, Frederic LOUI wrote:

> Hi,
>
> What does the section related to ISIS in the "show ip protocols" output
> state?
>
> By default, NSF is disabled. It seems like the output of "show isis
> adjacency" displays whether the ISIS neighbors are "NSF capable or not".
>
> IS-IS Router:
>
> ...
> Non-stop forwarding: Disabled
> Most recent startup mode: Cold Restart
> Topologies supported by IS-IS:
>   IPv4 Unicast
>     Level-1
>       Metric style (generate/accept): Wide/Wide
>       ISPF status: Disabled
>     No protocols redistributed
>     Distance: 115
>   IPv6 Unicast
>     Level-1
>       ISPF status: Disabled
>     No protocols redistributed
>     Distance: 115
> ...
>
> Maybe, just try to enable NSF and re-check the "show ip protocols" output.
>
> Regards,
> Frederic
> --
> Frederic LOUI / GIP RENATER
>
> Service de Suivi Operationnel / Metrologie & QoS
> Network Operations Service / Metrology & QoS
>
> Tel: +33 1 53 94 20 82 / Fax: +33 1 53 94 20 31
> frederic.loui at renater.fr http://www.renater.fr
>
>
> Atif Sid wrote:
>
>> I configured NSF under ISIS initially, then removed it. It still shows NSF
>> 'YES'; anyone seen this? Restarted the ISIS process, cleared it, nothing.
>>
>> This is IOS XR 3.6.1 and 3.6.0, both the same condition.
>>
>> RP/0/9/CPU0:P1#sh isis adjacency
>> IS-IS NP Level-2 adjacencies:
>> System Id      Interface        SNPA           State Hold Changed  NSF BFD
>> P2             Gi0/1/1/8        *PtoP*         Up    27   01:31:58 Yes None
>> PE1            Gi0/1/1/0        *PtoP*         Up    29   01:32:04 Yes None
>> PE1            Gi0/1/1/1        *PtoP*         Up    26   01:31:59 Yes None
>> P3             PO0/0/0/0        *PtoP*         Up    29   01:32:00 Yes None
>>
>> router isis NP
>>  set-overload-bit on-startup 300
>>  is-type level-2-only
>>  net 49.0001.1921.1813.6001.00
>>  log adjacency changes
>>  address-family ipv4 unicast
>>   metric-style wide
>>  !
>>  interface Loopback0
>>   passive
>>   address-family ipv4 unicast
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/0
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/1
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/8
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>    mpls ldp sync
>>   !
>>  !
>>  interface POS0/0/0/0
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 100
>>   !
>>  !
>> !
>>
>

From rodunn at cisco.com Thu Nov 13 09:21:39 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:21:39 -0500
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>
Message-ID: <20081113142139.GD4897@rtp-cse-489.cisco.com>

hmmm.....interesting question.

VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder, along Mat's suggestion, if you could build a GRE tunnel over interface 1 and apply a PBR policy on the tunnel. Thinking that after the MPLS disposition the ingress features (PBR) on the tunnel might kick in.

Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
>
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about a GRE tunnel between SOURCE and the CE in question, with PBR on
> the SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
>
> Best Regards,
>
> -mat
>
> --
> pgp-key 0x1C655CAB

From rodunn at cisco.com Thu Nov 13 09:25:08 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:25:08 -0500
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>
Message-ID: <20081113142508.GE4897@rtp-cse-489.cisco.com>

I haven't looked at the price list.

How does an ASR1002 compare to a G2 combo?

From a growth perspective the ASR1002 would be what I would consider, giving a potential migration to GigE.

Rodney

On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
> You may want to consider getting either part # CISCO7201 (PSU
> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
> cheap).
> Both part #s for the box shouldn't be much of a difference, or the same.
>
>
> --raymondh
>
> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>
> >I'm looking for some pointers on what are the smallest recommended
> >Cisco boxes to use for a small multihoming solution.
> >
> >2 full BGP views (approx 260k routes each)
> >100 Mbps bandwidth requirement.
> >
> >The setup currently uses 2 Juniper M5 but those are in dire need of
> >refresh.
> >
> >
> >What are the appropriate Cisco boxes to go for? Do I need any memory
> >upgrades etc?
> >
> >Any suggestions are welcome.
> >
> >Regards Magnus

From elmi at 4ever.de Thu Nov 13 09:29:34 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 13 Nov 2008 15:29:34 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <20081113142934.GI93039@ronin.4ever.de>

rodunn at cisco.com (Rodney Dunn) wrote:

> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?

In real-life prices in Germany the ASR1002/AdvEntSvc is some EUR 3K-5K more expensive than a 7201/AdvIPSvc. No idea about a "real" combo.

Elmar.

From rodunn at cisco.com Thu Nov 13 09:32:55 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:32:55 -0500
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <22242.6601.qm@web25503.mail.ukl.yahoo.com>
References: <300132.18416.qm@web46209.mail.sp1.yahoo.com> <22242.6601.qm@web25503.mail.ukl.yahoo.com>
Message-ID: <20081113143255.GF4897@rtp-cse-489.cisco.com>

When we developed the Embedded Packet Capture for IOS there was a project in the works to do something similar for CAT6k to make ELAM-type captures easier.
Seems it shipped with SXI per this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mpa.html

and you can dump the buffer to pcap.

Rodney

On Thu, Nov 13, 2008 at 12:47:19PM +0000, Ozgur Guler wrote:
> You can do packet captures with ELAM functionality.
> That is generally used for hw forwarding troubleshooting though.
>
>
> --- On Thu, 13/11/08, Gabby wrote:
> From: Gabby
> Subject: [c-nsp] packet capture on 6509....??
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 13 November, 2008, 11:58 AM
>
> Hello,
>
> Is it possible to do packet capture or the like on a 6509 (or similar platform)
> that doesn't have a FW module? I know I could do a SPAN port, but I'm
> interested in knowing if there's any other method....
>
>
> Gabby.

From gulerozgur at yahoo.co.uk Thu Nov 13 10:03:51 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 13 Nov 2008 15:03:51 +0000 (GMT)
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <501096.94021.qm@web25507.mail.ukl.yahoo.com>

Well, that's not the most elegant one, but here you go...

If you configure vrf-aware NAT to policy-NAT your CE addresses so that they are translated into a new address space for that specific source, and on the PE route this new translation range out of the link you like, it should work.
(Obviously your remote site will need to use this new translation range to communicate to your CE network.)

--- On Thu, 13/11/08, Rodney Dunn wrote:

From: Rodney Dunn
Subject: Re: [c-nsp] Policy Based Routing on PE
To: "Mateusz Błaszczyk"
Cc: "cisco-nsp"
Date: Thursday, 13 November, 2008, 2:21 PM

hmmm.....interesting question. VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder along Mat's suggestion if you could build a gre tunnel over interface 1 and apply a PBR policy on the tunnel. Thinking that after the mpls disposition the ingress features (pbr) on the tunnel might kick in. Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about GRE tunnel between SOURCE and CE in question, with PBR on
> SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
> Best Regards,
>
> - -mat
>
> - --
> pgp-key 0x1C655CAB
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJHCz9+BuaDRxlXKsRAt83AJ9YakWigzpon/8VDJ4s3AL0XvPfHwCeLWWV
> 3W4XMbcKq05a0vlCfpc+hdE=
> =fLim
> -----END PGP SIGNATURE-----

From rubensk at gmail.com Thu Nov 13 10:44:43 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 13 Nov 2008 13:44:43 -0200
Subject: [c-nsp] SXI out
In-Reply-To: <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>

Making the same file for release notes of SXH and SXI makes /me think that SXH4 won't see the light... what do people have heard about it ?

About SXI, does it look deployable or SXI3 or SXI4 is the version to look for ? (may be too soon to tell, I know)

One thing we noticed about promised features lacking is REP(Resilient Ethernet) on Cat6K.

Rubens

On Thu, Nov 13, 2008 at 12:59 AM, Tolstykh, Andrew wrote:
> Link to the release notes / new features etc.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Wednesday, November 12, 2008 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SXI out
>
> It appears cisco released SXI already.
>
> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From jared at puck.nether.net Thu Nov 13 10:47:32 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 10:47:32 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
Message-ID: <20081113154732.GA57592@puck.nether.net>

On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
> Making the same file for release notes of SXH and SXI makes /me think
> that SXH4 won't see the light... what do people have heard about it ?
>
> About SXI, does it look deployable or SXI3 or SXI4 is the version to look for ?
> (may be too soon to tell, I know)

I suspect SXI is highly deployable. :)

It also appears that they now have ssh+ipv6 back in regular ipservices and you can get the lan only image too for those, meaning lots of flash savings.

I've done some basic testing in the past ~12 hours of the image and it seems to perform on par with our SXF counterparts.

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From dwcarder at wisc.edu Thu Nov 13 11:04:08 2008
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Thu, 13 Nov 2008 10:04:08 -0600
Subject: [c-nsp] SXI out
In-Reply-To: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
Message-ID:

On Nov 13, 2008, at 9:44 AM, Rubens Kuhl Jr. wrote:
>
> About SXI, does it look deployable or SXI3 or SXI4 is the version to
> look for ?

I encourage my competitors to deploy SXI. Now. ;-)

Really though, I couldn't imagine touching this stuff before safe-harbor does or at least waiting for SXI attempt 2 or SXI attempt 3.

The ipv6 feature set could be compelling for those of us still parked on SXF. DHCPv6 relay should be in there, maybe v6 for HSRP, too. There could be some better v6 mib support (comparable to J?), but I haven't looked yet.
Dale

From gert at greenie.muc.de Thu Nov 13 11:14:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 13 Nov 2008 17:14:23 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <20081113154732.GA57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net>
Message-ID: <20081113161423.GJ8535@greenie.muc.de>

Hi,

On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
> It also appears that they now have ssh+ipv6 back in regular ipservices
> and you can get the lan only image too for those, meaning lots of flash
> savings.

Is there a reasonable IPv6 <-> IOS image package feature matrix somewhere (for SXI)?

Jared, have you tried modular SXI as well?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From jared at puck.nether.net Thu Nov 13 11:49:56 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 11:49:56 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <20081113161423.GJ8535@greenie.muc.de>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <20081113161423.GJ8535@greenie.muc.de>
Message-ID: <20081113164956.GC57592@puck.nether.net>

On Thu, Nov 13, 2008 at 05:14:23PM +0100, Gert Doering wrote:
> Hi,
>
> On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
> > It also appears that they now have ssh+ipv6 back in regular ipservices
> > and you can get the lan only image too for those, meaning lots of flash
> > savings.
>
> Is there a reasonable IPv6 <-> IOS image package feature matrix somewhere
> (for SXI)?
>
> Jared, have you tried modular SXI as well?

Yes I have, but I would recommend doing testing in your environment to determine the exact cpu impact of the modular vs non-modular image set on your configuration.

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From mksmith at adhost.com Thu Nov 13 12:04:40 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 13 Nov 2008 09:04:40 -0800
Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking?
Message-ID: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan>

Hello All:

Has anyone ever gotten trunking working between a 3560 and Dell 6248 or similar? The Dell seems only to support GVRP in comparison to Cisco's VTP. Since the 3560 doesn't support GVRP I think I'm out of luck, but I'm hoping someone here has figured out a kludge to get this working.
Regards,

Mike

From p.mayers at imperial.ac.uk Thu Nov 13 12:05:37 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 17:05:37 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <20081113154732.GA57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net>
Message-ID: <491C5E61.3020704@imperial.ac.uk>

Jared Mauch wrote:
> On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
>> Making the same file for release notes of SXH and SXI makes /me think
>> that SXH4 won't see the light... what do people have heard about it ?
>>
>> About SXI, does it look deployable or SXI3 or SXI4 is the version to look for ?
>> (may be too soon to tell, I know)
>
> I suspect SXI is highly deployable. :)

Did you mean "deployable" or "deplorable" ;o)

Rubens,

A briefing we had 18 months or so ago basically said:

* SXH - initial release, to be released shortly (hahaha) some 12.2(33) features, each "version" will have 12 months support

* SXI - major release, to be released later (hohoho) most features, will have the "extended" 24 months support that some SXF releases had

Information is scanty (non-existent?) but I suspect something like the following happened:

* Work starts on SXH *and* SXI more or less simultaneously

* Problems start in SXH train e.g.
they start to slip, finding VSS, sup720-10g and 6708/6716 linecard hardware support are harder

* SXH train gets even later - cisco add more manpower making it later still - eventually gets released in a pretty shabby state

* Meanwhile all this time SXI has been working on the "other" features and ironically since it's had a later deadline, has been going slower and is more on-track

I personally doubt we will see much more of SXH. We'll probably see an SXH4, since there are known crash bugs in SXH3a, but I'd be surprised to see anything beyond that.

> It also appears that they now have ssh+ipv6 back in regular ipservices
> and you can get the lan only image too for those, meaning lots of flash
> savings.
>
> I've done some basic testing in the past ~12 hours of the
> image and it seems to perform on par with our SXF counterparts.

I wonder if people are interested in coordinating their testing and pooling results?

From justin at justinshore.com Thu Nov 13 12:37:26 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 13 Nov 2008 11:37:26 -0600
Subject: [c-nsp] AP1131 crashing
Message-ID: <491C65D6.4030600@justinshore.com>

This isn't SP related so please forgive the noise.

RANCID tipped me off just now that one of my APs had been rebooted. I logged in and found a cryptic error:

System returned to ROM by unknown reload cause - reason ptr 0xF, PC 0x4F6768, address 0x0

The code I'm running is c1130-k9w7-mx.124-10b.JA3. I checked all my other APs. I have 2 others running that 12.4 code and 1 of them was rebooted with an identical error several weeks ago. The other 1131AG appears to be fine. All the rest of my APs are 1231s and run 12.3(8)JEC1. It looks like this has been going on for a while and I somehow missed it. I have 3 crashinfo files on 1 AP and 1 on the other.

Before I upgrade to the new JDA release (or downgrade to 12.3) does anyone have any thoughts?
Thanks
Justin

From tdurack at gmail.com Thu Nov 13 12:43:23 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 13 Nov 2008 12:43:23 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <491C5E61.3020704@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk>
Message-ID: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>

On Thu, Nov 13, 2008 at 12:05 PM, Phil Mayers wrote:
> Jared Mauch wrote:
>> On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
>>> Making the same file for release notes of SXH and SXI makes /me think
>>> that SXH4 won't see the light... what do people have heard about it ?
>>>
>>> About SXI, does it look deployable or SXI3 or SXI4 is the version to look
>>> for ?
>>> (may be too soon to tell, I know)
>>
>> I suspect SXI is highly deployable. :)
>
> Did you mean "deployable" or "deplorable" ;o)
>
> Rubens,
>
> A briefing we had 18 months or so ago basically said:
>
> * SXH - initial release, to be released shortly (hahaha) some 12.2(33)
> features, each "version" will have 12 months support
>
> * SXI - major release, to be released later (hohoho) most features, will
> have the "extended" 24 months support that some SXF releases had
>
> Information is scanty (non-existent?) but I suspect something like the
> following happened:
>
> * Work starts on SXH *and* SXI more or less simultaneously
>
> * Problems start in SXH train e.g.
they start to slip, finding VSS, > sup720-10g and 6708/6716 linecard hardware support are harder > > * SXH train gets even later - cisco add more manpower making it later > still - eventually gets released in a pretty shabby state > > * Meanwhile all this time SXI has been working on the "other" features and > ironically since it's had a later deadline, has been going slower and is > more on-track > > I personally doubt we will see much more of SXH. We'll probably see an > SXH4, since there are known crash bugs in SXH3a, but I'd be surprised to see > anything beyond that. > > > > >> It also appears that they now have ssh+ipv6 back in regular >> ipservices >> and you can get the lan only image too for those, meaning lots of flash >> savings. >> >> I've done some basic testing in the past ~12 hours of the >> image and it seems to perform on par with our SXF counterparts. >> > > I wonder if people are interested in coordinating their testing and pooling > results? > Sounds like a good idea. I have four chassis running SXI modular, waiting to go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and working, no load on them at this point though. Survived a bad experience with SXH2 this week, so I'm looking for something better... 
From jared at puck.nether.net Thu Nov 13 12:46:25 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 12:46:25 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
Message-ID: <20081113174625.GD57592@puck.nether.net>

On Thu, Nov 13, 2008 at 12:43:23PM -0500, Tim Durack wrote:
> > I wonder if people are interested in coordinating their testing and pooling
> > results?
>
> Sounds like a good idea. I have four chassis running SXI modular, waiting to
> go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and
> working, no load on them at this point though.
>
> Survived a bad experience with SXH2 this week, so I'm looking for something
> better...

If people want to, I can set up a wiki where you can post test cases, results, configurations, feature data, etc..

Would that be of value?

- Jared

--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
From p.mayers at imperial.ac.uk Thu Nov 13 12:58:00 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 17:58:00 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <20081113174625.GD57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113174625.GD57592@puck.nether.net>
Message-ID: <491C6AA8.702@imperial.ac.uk>

Jared Mauch wrote:
> On Thu, Nov 13, 2008 at 12:43:23PM -0500, Tim Durack wrote:
>>> I wonder if people are interested in coordinating their testing and pooling
>>> results?
>>>
>> Sounds like a good idea. I have four chassis running SXI modular, waiting to
>> go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and
>> working, no load on them at this point though.
>>
>> Survived a bad experience with SXH2 this week, so I'm looking for something
>> better...
>
> If people want to, I can set up a wiki where you can post
> test cases, results, configurations, feature data, etc..

I already started to whack some stuff in cluepon:

http://cisco.cluepon.net/index.php/Ios_sxi

...but we could move it if people want (I'm not a big MediaWiki fan personally)

Hmm. Something seems to be up with the mac aging timer default.

From p.mayers at imperial.ac.uk Thu Nov 13 13:14:29 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 18:14:29 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C2AA3.6070808@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk> <491C2AA3.6070808@imperial.ac.uk>
Message-ID: <491C6E85.7060102@imperial.ac.uk>

Phil Mayers wrote:
> Hroi Sigurdsson wrote:
>> Jared Mauch wrote:
>>> It appears cisco released SXI already.
>>>
>>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>>>
>> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real
>> or just a tease?
>
> It would appear not:

Oh wait - no, it would in fact appear so:

mls ipv6 vrf

...sneaky command you have to type in, then the IPv6 vrf commands become available. Neat-o!

From raymondh.nsp at gmail.com Thu Nov 13 13:59:18 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Fri, 14 Nov 2008 02:59:18 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <70C6A033-934F-4DB1-A2A5-467F8A87391C@gmail.com>

If I didn't remember wrongly based on the list price, it's still cheaper to get the G2 combo either on the 7201 or 7206 w/ the bundle and the difference in cost is quite significant for some. Unless Magnus sees that there's a need for the central forwarding engine/esp or he sees that there's a need for him to scale to a few G then the ASR would be a good choice which I'll second to your suggestion.

--raymondh at zzz

On Nov 13, 2008, at 10:25 PM, Rodney Dunn wrote:
> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?
>
> From a growth perspective the ASR1002 would be what I would
> consider giving a potential migration to GigE.
>
> Rodney
>
> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
>> You may want to consider getting either part # CISCO7201 (PSU
>> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
>> cheap).
>> Both the part # for the box, shouldn't be much of a difference or
>> same.
>>
>> --raymondh
>>
>> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>>
>>> I'm looking for some pointers on what are the smallest recommended
>>> Cisco boxes to use for a small multihoming solution.
>>>
>>> 2 full BGP views (approx 260k routes each)
>>> 100 Mbps bandwidth requirement.
>>>
>>> The setup currently uses 2 Juniper M5 but those are in dire need of
>>> refresh.
>>>
>>> What is the appropriate Cisco boxes to go for? Do I need any memory
>>> upgrades etc?
>>>
>>> Any suggestions are welcome.
>>>
>>> Regards Magnus

From hank at efes.iucc.ac.il Thu Nov 13 14:03:30 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 13 Nov 2008 21:03:30 +0200
Subject: [c-nsp] SXI out
In-Reply-To: <20081113174625.GD57592@puck.nether.net>
References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
Message-ID: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il>

At 12:46 PM 13-11-08 -0500, Jared Mauch wrote:
> If people want to, I can set up a wiki where you can post
> test cases, results, configurations, feature data, etc..
>
> Would that be of value?

I can't wait for the black T-shirt:

"I have SXI - do you?"
-Hank

> - Jared
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From hank at efes.iucc.ac.il Thu Nov 13 14:13:42 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 13 Nov 2008 21:13:42 +0200
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <70C6A033-934F-4DB1-A2A5-467F8A87391C@gmail.com>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>

>I'm looking for some pointers on what are the smallest recommended
>Cisco boxes to use for a small multihoming solution.
>
>2 full BGP views (approx 260k routes each)
>100 Mbps bandwidth requirement.
>
>The setup currently uses 2 Juniper M5 but those are in dire need of
>refresh.
>
>What is the appropriate Cisco boxes to go for? Do I need any memory
>upgrades etc?
>
>Any suggestions are welcome.

If you don't have a lot of traffic go with an 2821. It is the smallest router that can support 1GB (so it can therefore take full RIBs):

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf

According to Cisco it can do 87Mb/sec of thruput:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Knock off 30-50% due to ACLs and other crud and if you only need 50Mb/sec total then a 2821 might be your answer. But if you really need 100Mb/sec then a 3845 which can handle 256Mb/sec of thruput would be the next one that can handle 1GB.
-Hank

From brandon at sterling.net Thu Nov 13 14:26:52 2008
From: brandon at sterling.net (Brandon Price)
Date: Thu, 13 Nov 2008 11:26:52 -0800
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <20081113142139.GD4897@rtp-cse-489.cisco.com>
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID:

The tunnel option could work the problem is the SOURCE is behind a Juniper netscreen and I don't think they support gre tunnel termination.. Also I don't want this active all the time, I want it to switch dynamically. Maybe there is something else that would accomplish what I am trying to do.

I tried to make a little ASCII diagram, hopefully it comes through ok:

  SOURCE Voip LAN 206.72.96.0
            |
        FW (juniper)
            |
       PE2-------PE1
       | |         |
   dsl1| |dsl2     |
       | |         |T1
       | |         |
       | +-------  |
       +--------CE1 (cisco)
                   |
                   |
          CUST LAN 10.10.10.0

Basically My customers primary link to me is a T1 to PE1 with QOS enabled for VOICE traffic to my voip servers and switches at 206.72.96.0. these are accessed via FW (juniper netscreen). In normal operation the route for the CUST LAN through the t1 has the most favourable weight, and traffic never hits PE2.

Now if the T1 goes down, dsl1 to PE2 will now have the most favorable route to the lan, HOWEVER at this point I want traffic with a SOURCE of the voip netblock to take dsl2 to get to the lan. This is where I am stuck. How to use PBR on the ingress to PE2....

Brandon

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Thursday, November 13, 2008 6:22 AM
To: Mateusz Błaszczyk
Cc: Brandon Price; cisco-nsp
Subject: Re: [c-nsp] Policy Based Routing on PE

hmmm.....interesting question. VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder along Mat's suggestion if you could build a gre tunnel over interface 1 and apply a PBR policy on the tunnel.
Thinking that after the mpls disposition the ingress features (pbr) on the tunnel might kick in. Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about GRE tunnel between SOURCE and CE in question, with PBR on
> SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
>
> Best Regards,
>
> - -mat
>
> - --
> pgp-key 0x1C655CAB
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJHCz9+BuaDRxlXKsRAt83AJ9YakWigzpon/8VDJ4s3AL0XvPfHwCeLWWV
> 3W4XMbcKq05a0vlCfpc+hdE=
> =fLim
> -----END PGP SIGNATURE-----

From lsawyer at gci.com Thu Nov 13 14:34:22 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Thu, 13 Nov 2008 10:34:22 -0900
Subject: [c-nsp] 3750 HSRP question
In-Reply-To:
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>

All -

I've got two 3750's acting in an HSRP failover environment for some critical services.

HSRP is running on a vlan interface.

We have a number of appliances that are dual-homed across the switches, living on the particular VLAN.
We've been experiencing an issue with one of our appliances, and the vendor has come back and asked us to filter out HSRP messages on the physical interfaces connected to their appliance.

Is there a way to filter the HSRP messages from going out a switchport?

They're currently configured with portfast and bpdufiltering enabled.

Thanks.

From gkg at gmx.de Thu Nov 13 14:46:14 2008
From: gkg at gmx.de (Garry)
Date: Thu, 13 Nov 2008 20:46:14 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>
Message-ID: <491C8406.9000501@gmx.de>

Hank Nussbacher wrote:
>
> But if you really need 100Mb/sec then a 3845 which can handle
> 256Mb/sec of thruput would be the next one that can handle 1GB.

Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825 are nice, too with their dual GigE onboard ... we use a couple of them for DSL L2TP LAC and as Firewall ... running very nicely ...

-garry

From billf at mu.org Thu Nov 13 14:46:28 2008
From: billf at mu.org (bill fumerola)
Date: Thu, 13 Nov 2008 11:46:28 -0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <20081113194628.GV29895@elvis.mu.org>

On Thu, Nov 13, 2008 at 11:52:29AM +0100, Magnus Eriksson wrote:
> The setup currently uses 2 Juniper M5 but those are in dire need of refresh.
i realize this is a cisco list, but the reason i make this suggestion is that it'd be easier to copy your configuration to what's already junos than port to IOS: look into the juniper j-series:

http://www.juniper.net/products_and_services/j_series_services_routers/index.html

even the lowest end device (w/ 1GB of memory from crucial.com or others) can do what you're asking and w/ discount will be well below the other solutions mentioned in this thread. even if your M5s have service PICs, those are emulated in software on that platform.

> What is the appropriate Cisco boxes to go for? Do I need any memory upgrades
> etc?

others have mentioned the 7301/7201/7200-NPE-G2/ASR100x and those are fine choices as well. i don't know if i'd go for the 28xx/38xx models mentioned unless my budget was severely constrained or if i knew traffic was never going to grow.

-- bill

From mksmith at adhost.com Thu Nov 13 15:10:35 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 13 Nov 2008 12:10:35 -0800
Subject: [c-nsp] 3750 HSRP question
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604F28705@ad-exh01.adhost.lan>

Hello Leif:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Leif Sawyer
> Sent: Thursday, November 13, 2008 11:34 AM
> To: cisco-nsp
> Subject: [c-nsp] 3750 HSRP question
>
> All -
>
> I've got two 3750's acting in an HSRP failover environment for some
> critical services.
>
> HSRP is running on a vlan interface.
>
> We have a number of appliances that are dual-homed across the switches,
> living on the particular VLAN.
>
> We've been experiencing an issue with one of our appliances, and the
> vendor
> has come back and asked us to filter out HSRP messages on the physical
> interfaces
> connected to their appliance.
> > > Is there a way to filter the HSRP messages from going out a switchport? > > They're currently configured with portfast and bpdufiltering enabled. > HSRP uses multicast address 224.0.0.2 so you could filter out that IP on the appliance-facing ports. Regards, Mike From booloo at ucsc.edu Thu Nov 13 14:30:03 2008 From: booloo at ucsc.edu (Mark Boolootian) Date: Thu, 13 Nov 2008 11:30:03 -0800 Subject: [c-nsp] SXI out In-Reply-To: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> Message-ID: <20081113193003.GA68285@root.ucsc.edu> > I can't wait for the black T-shirt: > > "I have SXI - do you?" "I'm SXI - are you?" From lsawyer at gci.com Thu Nov 13 16:32:18 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 12:32:18 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604F28705@ad-exh01.adhost.lan> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E94265@FNB1EX01.gci.com> Michael K. Smith writes: > HSRP uses multicast address 224.0.0.2 so you could filter out > that IP on the appliance-facing ports. > if that was an option, we'd be doing that.
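An added example, not code from this thread or from Cisco: a Python decoder for HSRPv1 hellos (UDP 1985 to 224.0.0.2) that, fed frames captured on named switchports, lists the ports other than the two router-facing ones on which the hellos still appear, which is the check a sniffer on an appliance-facing port does by hand. The port names, MAC and IP addresses and frames are constructed samples.

```python
"""Decode HSRPv1 hellos from captured frames and report the switchports they reached."""
import struct
from typing import Dict, Iterable, List, Optional, Tuple

HSRP_MCAST_IP = "224.0.0.2"   # all-routers group HSRPv1 sends hellos to (as noted in the thread)
HSRP_UDP_PORT = 1985
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
OPCODES = {0: "hello", 1: "coup", 2: "resign"}


def parse_hsrp_frame(frame: bytes) -> Optional[dict]:
    """Return the HSRPv1 fields if `frame` (Ethernet II, optionally 802.1Q-tagged)
    carries a UDP/1985 packet to 224.0.0.2, otherwise None. Anything that is not
    IPv4/UDP, is too short, or goes elsewhere is rejected before decoding."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if ethertype == 0x8100:                      # 802.1Q tag: VLAN id lives in the TCI
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if ethertype != 0x0800 or len(frame) < off + 20:
        return None
    ihl = (frame[off] & 0x0F) * 4                # honour IPv4 options, if any
    if frame[off + 9] != 17:                     # protocol 17 = UDP
        return None
    src_ip = ".".join(str(b) for b in frame[off + 12:off + 16])
    dst_ip = ".".join(str(b) for b in frame[off + 16:off + 20])
    if dst_ip != HSRP_MCAST_IP:
        return None
    udp = off + ihl
    if len(frame) < udp + 8 + 20:                # UDP header + 20-byte HSRPv1 body
        return None
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != HSRP_UDP_PORT:
        return None
    body = frame[udp + 8:udp + 28]
    version, opcode, state, hellotime, holdtime, priority, group = body[:7]
    return {
        "vlan": vlan,
        "src_mac": frame[6:12].hex(":"),
        "src_ip": src_ip,
        "version": version,
        "opcode": OPCODES.get(opcode, f"unknown({opcode})"),
        "state": STATES.get(state, f"unknown({state})"),
        "hellotime": hellotime,
        "holdtime": holdtime,
        "priority": priority,
        "group": group,
        "auth": body[8:16].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vip": ".".join(str(b) for b in body[16:20]),
    }


def hsrp_exposure(captures: Iterable[Tuple[str, bytes]],
                  router_ports: Iterable[str]) -> Dict[str, List[dict]]:
    """Group decoded HSRP packets by the port they were captured on, keeping only
    ports that are NOT the two HSRP routers' own ports: those are the ports where
    an appliance would see the hellos, i.e. where the thread's filter has to bite."""
    expected = set(router_ports)
    leaked: Dict[str, List[dict]] = {}
    for port, frame in captures:
        hsrp = parse_hsrp_frame(frame)
        if hsrp is None or port in expected:
            continue
        leaked.setdefault(port, []).append(hsrp)
    return leaked


# Constructed sample frames (not a real capture). IP/UDP checksums are left at
# zero; the decoder above does not validate them.
# Active router hello, untagged, sourced from the group-1 HSRP virtual MAC.
HELLO_ACTIVE = bytes.fromhex(
    "01005e000002" "00000c07ac01" "0800"                       # Ethernet II
    "45000030" "00000000" "0111" "0000" "0a0a0a02" "e0000002"  # IPv4 10.10.10.2 -> 224.0.0.2
    "07c1" "07c1" "001c" "0000"                                # UDP 1985 -> 1985, length 28
    "00" "00" "10" "03" "0a" "64" "01" "00"                    # v1, hello, active, 3s/10s, prio 100, grp 1
    "6c616231" "00000000" "0a0a0a01")                          # auth "lab1", virtual IP 10.10.10.1
# Standby router hello, 802.1Q-tagged VLAN 100, priority 90.
HELLO_STANDBY = bytes.fromhex(
    "01005e000002" "001b2c3d4e02" "8100" "0064" "0800"
    "45000030" "00000000" "0111" "0000" "0a0a0a03" "e0000002"
    "07c1" "07c1" "001c" "0000"
    "00" "00" "08" "03" "0a" "5a" "01" "00"
    "6c616231" "00000000" "0a0a0a01")
# An ARP request on the same segment: not HSRP, must be ignored.
ARP_REQUEST = bytes.fromhex(
    "ffffffffffff" "001b2c3d4e10" "0806"
    "0001" "0800" "06" "04" "0001" "001b2c3d4e10" "0a0a0a10" "000000000000" "0a0a0a01")

# Constructed capture: (port the sniffer was attached to, frame). Gi1/0/1 and
# Gi1/0/2 face the two HSRP routers; Gi1/0/10 and Gi1/0/11 face appliances.
SAMPLE_CAPTURE = [
    ("Gi1/0/1", HELLO_ACTIVE), ("Gi1/0/2", HELLO_STANDBY),
    ("Gi1/0/10", HELLO_ACTIVE), ("Gi1/0/10", ARP_REQUEST), ("Gi1/0/11", HELLO_STANDBY),
]
ROUTER_PORTS = ["Gi1/0/1", "Gi1/0/2"]

if __name__ == "__main__":
    for port, pkts in sorted(hsrp_exposure(SAMPLE_CAPTURE, ROUTER_PORTS).items()):
        for h in pkts:
            print(f"{port}: HSRP {h['opcode']} group {h['group']} {h['state']} "
                  f"prio {h['priority']} vip {h['vip']} from {h['src_ip']} vlan {h['vlan']}")
```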
:-( From achatz at forthnet.gr Thu Nov 13 17:03:42 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 14 Nov 2008 00:03:42 +0200 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com> Message-ID: <491CA43E.4030308@forthnet.gr> If blocking egress multicast doesn't cause any issues in your appliances, you could give "switchport block multicast" a try on their ports. -- Tassos Leif Sawyer wrote on 13/11/2008 21:34: > All - > > I've got two 3750's acting in an HSRP failover environment for some > critical services. > > HSRP is running on a vlan interface. > > We have a number of appliances that are dual-homed across the switches, > living on the particular VLAN. > > We've been experiencing an issue with one of our appliances, and the > vendor > has come back and asked us to filter out HSRP messages on the physical > interfaces > connected to their appliance. > > > Is there a way to filter the HSRP messages from going out a switchport? > > They're currently configured with portfast and bpdufiltering enabled. > > > Thanks. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From s.ganschow at buelow-masiak.de Thu Nov 13 17:06:18 2008 From: s.ganschow at buelow-masiak.de (Sebastian Ganschow) Date: Thu, 13 Nov 2008 23:06:18 +0100 Subject: [c-nsp] 4507R-E loosing config Message-ID: <491CA4DA.6050704@buelow-masiak.de> Hi List, we've got two 4507R-E with redundant Supervisor Engine 6-E. To connect these two switches, we're using a X2 Module on each Supervisor Engine. On both switches the Interfaces Te3/1 and Te4/1 are configured as Port-Channel. 
Config on both Switches:

interface Te3/1
 description Link1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 100
 channel-group 1 mode on
interface Te4/1
 description Link2
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 100
 channel-group 1 mode on
interface Po1
 description Bundled-Link
 switchport mode trunk
 switchport trunk allowed vlan 100

If I remove one Supervisor Engine in the first 4507, the Port-Channel only contains interface Te4/1. If I put the removed Engine back, Interface Te3/1 comes back without any configuration. As a result, all vlans are sent over this Link, the other switch detects a configuration mismatch and both interfaces are in err-disabled mode. Any thoughts on this? Thanks in advance. Regards Sebastian From lsawyer at gci.com Thu Nov 13 17:18:31 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 13:18:31 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <491CA43E.4030308@forthnet.gr> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> Tassos Chatzithomaoglou writes: > If blocking egress multicast doesn't cause any issues in your > appliances, you could give "switchport block multicast" a try > on their ports. > unfortunately, this command only blocks "unknown" m/c addresses. HSRP uses a well-known address, and is not subject to this filtering. I've also looked at vlan access-maps, but as that applies to the whole vlan, that would break HSRP connectivity to the other switch. From ploopster at gmail.com Thu Nov 13 16:34:49 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Thu, 13 Nov 2008 16:34:49 -0500 Subject: [c-nsp] GEIP or PA-GE Message-ID: <491C9D79.50800@gmail.com> Anyone know where I can get GEIP, GEIP+ or PA-GE cards cheap? I'm running a 7505 at home, and I'm not made of money. 8-) Peace... Sridhar From ltd at cisco.com Thu Nov 13 17:41:21 2008 From: ltd at cisco.com (Lincoln Dale) Date: Fri, 14 Nov 2008 09:41:21 +1100 Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com> References: <300132.18416.qm@web46209.mail.sp1.yahoo.com> Message-ID: <491CAD11.1050604@cisco.com> Gabby wrote: > Hello, > > Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module. I know I could do span port, but I'm interested in knowing if there's any other method.... > on Nexus 7000, you can do packet-capture of data-plane traffic today. you can create an access-list with 'log' keyword, e.g. "permit tcp host a.b.c.d host e.f.g.h log", apply that as a Port, VLAN or Routed ACL. N7K will forward the packet in hardware (always does), and send a rate-limited copy to the Supervisor for logging. that rate-limiting is tunable, but by default is at a rate that won't ever cause excessive CPU (default is 100 packet/sec for ACL-copy). NX-OS has ethereal/wireshark built in, you can then run that on the inband Sup port, create a .cap file or view the ethereal parsing on the CLI if you wish. cheers, lincoln. From achatz at forthnet.gr Thu Nov 13 17:45:06 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 14 Nov 2008 00:45:06 +0200 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> Message-ID: <491CADF2.8090205@forthnet.gr> What about the following? mac address-table static 0100.5e00.0002 vlan X int A B ... Just don't include the 2 appliance interfaces into the interface list (or include only the 2 hsrp ports). -- Tassos Leif Sawyer wrote on 14/11/2008 00:18: > Tassos Chatzithomaoglou writes: >> If blocking egress multicast doesn't cause any issues in your >> appliances, you could give "switchport block multicast" a try >> on their ports. >> > > unfortunately, this command only blocks "unknown" m/c addresses. > > HSRP uses a well-known address, and is not subject to this filtering. 
> > I've also looked at vlan access-maps, but as that applies to the > whole vlan, that would break HSRP connectivity to the other switch. > From tt_745 at yahoo.co.uk Thu Nov 13 17:53:55 2008 From: tt_745 at yahoo.co.uk (tt tt) Date: Thu, 13 Nov 2008 22:53:55 +0000 (GMT) Subject: [c-nsp] Cisco and Extreme Message-ID: <988818.16250.qm@web26703.mail.ukl.yahoo.com> We are currently looking to deploy a number of metro rings (mostly layer 2) with a requirement for basic QOS and rate limiting in 1Mbps increments. The ME3400 looks ideal if only it had decent granularity for policing / shaping. The Metro 3750 and 4900's (for dual 10Gbps uplinks) look more capable but at a significant increase in $$/port. This is leading us towards Extreme switches and linking EAPS rings back to our existing Cisco 7600's. Does anyone have any experience with a similar setup and can comment on compatibility between Cisco and Extreme? Looking back over the lists there are many horror stories when venturing to layer 3 on Extreme a few years back but nothing since around 2006. Has anyone had any success running OSPF on the current X250e / X450 ranges or has everyone been avoiding them lately? Thanks Dave From lsawyer at gci.com Thu Nov 13 17:57:37 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 13:57:37 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <491CADF2.8090205@forthnet.gr> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> Tassos Chatzithomaoglou writes: > > What about the following? > > mac address-table static 0100.5e00.0002 vlan X int A B ... > > Just don't include the 2 appliance interfaces into the > interface list (or include only the 2 hsrp ports). Nope.
That doesn't seem to do anything -- I'm still seeing the HSRP packets in my sniffer. Sigh. Cisco sure doesn't want to perform outbound MAC-layer filtering on its interfaces, no matter what the security implications might be. It sure would be nice if they'd figure out that allowing this traffic to be restricted to known/allowed ports, the network would be just a little bit safer. From Moens at carrier2carrier.com Thu Nov 13 17:58:53 2008 From: Moens at carrier2carrier.com (Martin Moens) Date: Thu, 13 Nov 2008 23:58:53 +0100 Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <491C9D79.50800@gmail.com> Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> Tried Ebay? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Sridhar Ayengar > Sent: Thursday, 13 November, 2008 22:35 > To: Cisco NSPs > Subject: [c-nsp] GEIP or PA-GE > > > Anyone know where I can get GEIP, GEIP+ or PA-GE cards cheap? > I'm running a > 7505 at home, and I'm not made of money. 8-) > > Peace... Sridhar > From Marques.Johnson at LTSCompany.com Thu Nov 13 17:29:16 2008 From: Marques.Johnson at LTSCompany.com (Marques Johnson) Date: Thu, 13 Nov 2008 14:29:16 -0800 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? Message-ID: I was wondering why there are local IP addresses in my BGP table? *> 192.100.146.0 207.162.208.221 0 0 26689 3356 i I am trying to figure out the best way to utilize multihomed routing between our two DS3 providers. I am new to the NSP world and trying to get a grasp on what we have. The overall problem stems from one of our DS3's flapping and customers being down for a few minutes while the tables converge and routes update.
I would like it to be quicker if possible. Thanks From pwu828 at gmail.com Thu Nov 13 18:01:40 2008 From: pwu828 at gmail.com (Patrick Wu) Date: Fri, 14 Nov 2008 10:01:40 +1100 Subject: [c-nsp] Intermittent 100% backplane utilisation on Cisco 6500 In-Reply-To: <6d72a2a10811122315u731ede53h1c327f9ebc8f0fff@mail.gmail.com> References: <6d72a2a10811122315u731ede53h1c327f9ebc8f0fff@mail.gmail.com> Message-ID: Thanks, so was it the SUP module or the GE module that was faulty? On Thu, Nov 13, 2008 at 6:15 PM, Nitzan Tzelniker < nitzan.tzelniker at gmail.com> wrote: > I saw this issue in the past on sup720, it was probably a faulty module (we > replaced some of them and the spikes stopped ) > > Nitzan > > On Thu, Nov 13, 2008 at 03:10, Patrick Wu wrote: > >> Hi, >> >> >> >> I'm currently having issues with one of the Cisco 6506 in the network, it >> is >> running HSRP with another 6506 and also running OSPF/BGP. Recently, this >> 6506 is having intermittent 100% backplane utilisation, which caused >> everything to stop responding for a couple of seconds. >> >> >> >> As a result, spanning tree recalculation and HSRP failover kicked in, and >> caused interruptions in many parts of the network. >> >> >> >> What I don't understand is what caused the 100% utilisation, googling >> reveals that it could be caused by spanning tree loops and broadcast >> storms. >> But I have already tuned down the storm-control on broadcast on all ports >> into the 6506, and I don't think there are any loops in the network. >> >> >> >> Unlike a DDoS attack where the 100% utilisation is continuous, it just >> peaks at 100% for 1 or 2 seconds and comes back down... the logs don't >> seem >> to show much >> >> >> >> Anyone who has similar experience or is able to point me in the right >> direction would be greatly appreciated! Thanks.
>> >> >> >> Here's the show version and show module: >> >> >> >> show version >> >> Cisco Internetwork Operating System Software >> >> IOS (tm) c6sup1_rp Software (c6sup1_rp-PSV-M), Version 12.1(22)E1, EARLY >> DEPLOYMENT RELEASE SOFTWARE (fc1) >> >> Technical Support: >> http://www.cisco.com/techsupport< >> http://www.cisco.com/techsupport%5B/url%5D> >> >> >> Copyright (c) 1986-2004 by cisco Systems, Inc. >> >> Compiled Fri 16-Apr-04 10:13 by pwade >> >> Image text-base: 0x60020F90, data-base: 0x616EA000 >> >> >> >> ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE >> >> BOOTLDR: MSFC Software (C6MSFC-BOOT-M), Version 12.1(3a)E4, EARLY >> DEPLOYMENT >> RELEASE SOFTWARE (fc1) >> >> >> >> xxxxxxxx uptime is 23 weeks, 5 days, 27 minutes >> >> Time since xxxxxxxx switched to active is 23 weeks, 5 days, 29 minutes >> >> System returned to ROM by power-on (SP by reload) >> >> System restarted at 09:34:31 AEST Sat May 31 2008 >> >> System image file is "slot0:c6sup11-psv-mz.121-22.E1" >> >> >> >> cisco WS-C6506 (R5000) processor (revision 3.0) with 114688K/16384K bytes >> of >> memory. >> >> Processor board ID TBA05290886 >> >> R5000 CPU at 200Mhz, Implementation 35, Rev 2.1 >> >> Last reset from power-on >> >> X.25 software, Version 3.0.0. >> >> Bridging software. >> >> 146 Virtual Ethernet/IEEE 802.3 interface(s) >> >> 48 FastEthernet/IEEE 802.3 interface(s) >> >> 10 Gigabit Ethernet/IEEE 802.3 interface(s) >> >> 381K bytes of non-volatile configuration memory. >> >> 4096K bytes of packet SRAM memory. >> >> >> >> 16384K bytes of Flash internal SIMM (Sector size 256K). >> >> Configuration register is 0x2102 >> >> >> >> >> >> show module >> >> Mod Ports Card Type Model Serial >> No. 
>> >> --- ----- -------------------------------------- ------------------ >> ----------- >> >> 1 2 Cat 6k sup 1 Enhanced QoS (Active) WS-X6K-SUP1A-2GE >> SAD03414219 >> >> 3 48 48 port 10/100 mb RJ-45 ethernet WS-X6248-RJ-45 >> SAD03430896 >> >> 5 8 8 port 1000mb GBIC Enhanced QoS WS-X6408A-GBIC >> SAD05040L5K >> >> >> >> Mod MAC addresses Hw Fw Sw >> Status >> >> --- ---------------------------------- ------ ------------ ------------ >> ------- >> >> 1 00d0.bcee.59a8 to 00d0.bcee.59a9 3.2 5.3(1) 12.1(22)E1 Ok >> >> 3 0030.9613.f314 to 0030.9613.f343 1.1 4.2(0.24)VAI 8.3(0.111)TF Ok >> >> 5 0002.fc25.3224 to 0002.fc25.322b 1.6 5.4(2) 8.3(0.111)TF Ok >> >> >> >> Mod Sub-Module Model Serial Hw >> Status >> >> --- --------------------------- --------------- --------------- ------- >> ------- >> >> 1 Policy Feature Card WS-F6K-PFC SAD03424981 1.0 Ok >> >> 1 MSFC Cat6k daughterboard WS-F6K-MSFC SAD03427635 1.4 Ok >> >> >> >> Mod Online Diag Status >> >> --- ------------------- >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From streiner at cluebyfour.org Thu Nov 13 18:07:37 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 13 Nov 2008 18:07:37 -0500 (EST) Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <491C9D79.50800@gmail.com> References: <491C9D79.50800@gmail.com> Message-ID: On Thu, 13 Nov 2008, Sridhar Ayengar wrote: > Anyone know where I can GEIP, GEIP+ or PA-GE cards cheap? I'm running a 7505 > at home, and I'm not made of money. 8-) That would depend on how you define cheap :) Your best bet would probably be to check with one of the many places that deal in used Cisco parts. 
I haven't priced them or looked at volumes on the secondary market in a long time, but I'd think 7500 blades like the GEIP and GEIP+ would be pretty reasonably priced since the 7500 series is end of life. If the resellers know they can sell them (2511s, for example), they'll be more expensive, but if the parts aren't in high demand, then you might have a little more room to haggle on the price. jms From sthaug at nethelp.no Thu Nov 13 18:12:21 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Fri, 14 Nov 2008 00:12:21 +0100 (CET) Subject: [c-nsp] Cisco and Extreme In-Reply-To: <988818.16250.qm@web26703.mail.ukl.yahoo.com> References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> Message-ID: <20081114.001221.74679519.sthaug@nethelp.no> > We are currently looking to deploy a number of metro rings (mostly > layer 2) with a requirement for basic QOS and rate limiting in 1Mbps > increments. The ME3400 looks ideal if only it had decent granularity > for policing / shaping. We have looked at the ME3400 for a similar role. Our biggest concerns have been the rather limited MAC table size (8K entries), no 24xSFP model, and somewhat unpalatable licensing (QinQ requires an extra license, using more than 4 NNI ports requires yet another license). > The Metro 3750 and 4900's (for dual 10Gbps > uplinks) look more capable but at a significant increase in > $$/port. This is leading us towards Extreme switches and linking > EAPS rings back to our existing Cisco 7600's. > > Does anyone have any experience with a similar setup and can comment > on compatibility between Cisco and Extreme? We have quite a few metro rings built on Extreme switches and EAPS. These are uplinked either directly to MPLS routers or to other switches, often Cisco. No specific Cisco/Extreme problems, it basically just works. Note that we do *not* depend on any kind of spanning tree interoperability.
> Looking back over the lists there are many horror stories when > venturing to layer 3 on Extreme a few years back but nothing since > around 2006. Has any one had any success running OSPF on the > currenty X250e / X450 ranges or has everyone been avoiding them > lately? I'd still stay away from L3 on the Extreme boxes... Steinar Haug, Nethelp consulting, sthaug at nethelp.no From ddunkin at netos.net Thu Nov 13 18:15:17 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Thu, 13 Nov 2008 15:15:17 -0800 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? References: Message-ID: <56F5BC5F404CF84896C447397A1AAF20A0FE79@MAIL.nosi.netos.com> Do you mean local as in private? It is 192.168.0.0/16 that is private not 192.0.0.0/8. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marques Johnson Sent: Thursday, November 13, 2008 14:29 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Why would there be local ip address in my BGP routing table? I was wondering why there are local IP address in my BGP table? *> 192.100.146.0 207.162.208.221 0 0 26689 3356 i I am trying to figure out the best way to utilize multihomed routing between our two DS3 providors. I am new to the NSP world and trying to get a grasp on what we have. The overall problem stems from one of our DS3's flapping and customers being down for a few minutes while the tables converge and routes update. I would like it to be quicker if possible. 
Thanks From ariemer at wesenergy.com.au Thu Nov 13 18:42:01 2008 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Fri, 14 Nov 2008 08:42:01 +0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> References: <491CADF2.8090205@forthnet.gr> <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> Message-ID: <0867622C64B50C4B878AB45C95F43F110646DB98@MAILWA01.wesenergy.local> Yes it would be nice if you could control where the HSRP advertisements are sent out. Something similar to the passive-interface command with EIGRP would be nice. Let me know if you work this one out. I don't like the idea of HSRP spamming our Ethernet VLANs either. Aaron Riemer -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leif Sawyer Sent: Friday, 14 November 2008 7:58 AM To: cisco-nsp Subject: Re: [c-nsp] 3750 HSRP question Tassos Chatzithomaoglou writes: > > What about the following? > > mac address-table static 0100.5e00.0002 vlan X int A B ... > > Just don't include the 2 appliance interfaces into the > interface list (or include only the 2 hsrp ports). Nope. That doesn't seem to do anything -- I'm still seeing the HSRP packets in my sniffer. Sigh. Cisco sure doesn't want to perform outbound MAC-layer filtering on its interfaces, no matter what the security implications might be. It sure would be nice if they'd figure out that allowing this traffic to be restricted to known/allowed ports, the network would be just a little bit safer.
From peter at rathlev.dk Thu Nov 13 19:17:47 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 14 Nov 2008 01:17:47 +0100 Subject: [c-nsp] 4507R-E loosing config In-Reply-To: <491CA4DA.6050704@buelow-masiak.de> References: <491CA4DA.6050704@buelow-masiak.de> Message-ID: <1226621867.3501.14.camel@abehat> On Thu, 2008-11-13 at 23:06 +0100, Sebastian Ganschow wrote: > If I remove one Supervisor Engine in the first 4507, the Port-Channel > only contains interface Te4/1. > > If I put the removed Engine back, Interface Te3/1 comes back without > any configuration. > > As a result, all vlans are sent over this Link, the other switch > detects a configuration mismatch and both interfaces are in > err-disabled mode. > > Any thoughts on this? Maybe running LACP on the link ("channel-group 1 mode active") could help avoid the err-disable part. As far as I understand, you would end up with a one-member port-channel on each side, and then a standalone "I" port (independent) on the unchanged side facing a regular switchport on the "supervisor challenged" side. Spanning tree blocks one of the paths. I haven't tested this, just guessing. This doesn't solve the interface config going missing of course.
Regards, Peter From peter at rathlev.dk Thu Nov 13 19:42:30 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 14 Nov 2008 01:42:30 +0100 Subject: [c-nsp] IP Cef load sharing, quick question In-Reply-To: References: <1226079151.3474.8.camel@abehat> Message-ID: <1226623350.3501.26.camel@abehat> On Thu, 2008-11-13 at 11:50 -0500, Drew Weaver wrote: > GWIP was substituted for the ip of the 'gateway' or other end of that > interface. > > Sorry, of course the IP would be in the route. I was just > 'obfusticating the output' for the list, as they say ;-) That explains a lot. Overlooked that one. :-) > As far as the GLBP goes, this solution isn't for any particular L4 > application it is just for all network traffic from any server on this > switch to the rest of the network. AFAIK, GLBP would require one L2 segment shared between the three links. In that case you might not be able to take advantage of it at all. If you have redundant paths, e.g. if the three destinations in the other end of the links have L2 connectivity (for this VLAN) other than through your gateway, then spanning tree or an equivalent might block all but one link, thus rendering the load sharing part of GLBP less effective. Making your gateway the STP root would mitigate this, but that might not be desirable/possible. I'd keep the ECMP with static routes and no L2 connectivity between the links and then let CEF do the load-sharing, per destination. Regards, Peter From brett at looney.id.au Thu Nov 13 20:50:04 2008 From: brett at looney.id.au (Brett Looney) Date: Fri, 14 Nov 2008 10:50:04 +0900 Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking? In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> Message-ID: <034e01c945fb$52df6610$f89e3230$@id.au> > Has anyone ever gotten trunking working between a > 3560 and Dell 6248 or similar? The Dell seems only > to support GVRP in comparison to Cisco's VTP. 
> Since the 3560 doesn't support GVRP I think I'm out > of luck, but I'm hoping someone here has figured out > a kludge to get this working. I've had trunking working between Cisco and Dell switches before. You can configure trunking manually on either end - you don't need VTP/GVRP to build a trunk. For example:

interface GigabitEthernet 1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-50

Obviously you'd need to define the VLANs manually on each end for this to work. Or am I missing something in your question? B. From ben.steele at internode.on.net Thu Nov 13 22:14:22 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Fri, 14 Nov 2008 13:44:22 +1030 Subject: [c-nsp] SXI out In-Reply-To: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> Message-ID: <003301c94607$17bc94c0$4735be40$@steele@internode.on.net> You'll have to beat all the girls off with your linecards with a t-shirt that cool! -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher Sent: Friday, 14 November 2008 5:34 AM To: Jared Mauch; Tim Durack Cc: cisco-nsp at puck.nether.net; Jared Mauch Subject: Re: [c-nsp] SXI out At 12:46 PM 13-11-08 -0500, Jared Mauch wrote: > If people want to, I can set up a wiki where you can post >test cases, results, configurations, feature data, etc.. > > Would that be of value? I can't wait for the black T-shirt: "I have SXI - do you?"
-Hank > - Jared > >-- >Jared Mauch | pgp key available via finger from jared at puck.nether.net >clue++; | http://puck.nether.net/~jared/ My statements are only mine. From ploopster at gmail.com Thu Nov 13 22:27:24 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Thu, 13 Nov 2008 22:27:24 -0500 Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> Message-ID: <491CF01C.7080104@gmail.com> Martin Moens wrote: > Tried Ebay? Yup. Very expensive. More than some dealer prices. Peace... Sridhar From risnaini at indo.net.id Thu Nov 13 22:33:53 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Fri, 14 Nov 2008 10:33:53 +0700 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? In-Reply-To: References: Message-ID: <491CF1A1.701@indo.net.id> It's not a local block.. actually it's a public IP address block that belongs to the US Dept. of Agriculture. OrgName: U.S. Dept.
of Agriculture - ARS
OrgID: UDAA-2
Address: Agricultural Research Service
Address: Plant Sciences Institute
Address: Alternate Crops and Systems Laboratory
Address: Bldg.001 Room 342
Address: 10300 Baltimore Avenue
City: Beltsville
StateProv: MD
PostalCode: 20707
Country: US
NetRange: 192.100.146.0 - 192.100.146.255
CIDR: 192.100.146.0/24
NetName: ARS-GRIN
NetHandle: NET-192-100-146-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Assignment
NameServer: SUN.ARS-GRIN.GOV
NameServer: KNOCK.SER.BBNPLANET.COM
Comment:
RegDate: 1991-04-17
Updated: 1996-09-12

a. r. isnaini rangkayo sutan Facebook : http://www.facebook.com/home.php?ref=home#/profile.php?v=feed&id=1476655470 Marques Johnson wrote: > I was wondering why there are local IP address in my BGP table? > > > > *> 192.100.146.0 207.162.208.221 0 0 26689 3356 > i > > > > > > I am trying to figure out the best way to utilize multihomed routing > between our two DS3 providers. I am new to the NSP world and trying to > get a grasp on what we have. > > > > The overall problem stems from one of our DS3's flapping and customers > being down for a few minutes while the tables converge and routes > update. I would like it to be quicker if possible. > > > > Thanks > From risnaini at indo.net.id Thu Nov 13 22:36:41 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Fri, 14 Nov 2008 10:36:41 +0700 Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com> References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> Message-ID: <491CF249.5090809@indo.net.id> IMHO, since we are now running both of Juniper & Cisco, for handling huge of traffic (e.g Flooding) M5 still much better compared to 7206 VXR a. r. isnaini rangkayo sutan Rodney Dunn wrote: > I haven't looked at the price list. > > How does an ASR1002 compare to a G2 combo? > >>From a growth perspective the ASR1002 would be what I would > consider giving a potential migration to GigE. > > Rodney > > On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote: >> You may want to consider getting either part # CISCO7201 (PSU >> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite >> cheap). >> Both the part # for the box, shouldn't be much of a difference or same. >> >> >> --raymondh >> >> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote: >> >>> I'm looking for some pointers on what are the smallest recommeded >>> Cisco >>> boxes to use for a small multihoming solution. >>> >>> 2 full BGP views (approx 260k routes each) >>> 100 Mbps bandwidth requirement. >>> >>> The setup currently uses 2 Juniper M5 but those are in dire need of >>> refresh. >>> >>> >>> What is the appropiate Cisco boxes to go for? Do I need any memory >>> upgrades >>> etc? >>> >>> Any suggestions are welcome. 
>>>
>>> Regards Magnus

From mtinka at globaltransit.net Thu Nov 13 22:43:03 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 11:43:03 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <491CF249.5090809@indo.net.id>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <491CF249.5090809@indo.net.id>
Message-ID: <200811141143.15672.mtinka@globaltransit.net>

On Friday 14 November 2008 11:36:41 a. rahman isnaini r.sutan wrote:
> IMHO, since we are now running both of Juniper & Cisco,
> for handling huge of traffic (e.g Flooding) M5 still much
> better compared to 7206 VXR

To be fair, it's a different architecture - so an apple-to-apple comparison isn't really possible. One should compare the entry-level M-series to Cisco's ASR1000 series, or the 7200's to Juniper's J-series.

Granted, Cisco have finally started playing ball in this hardware forwarding scope for this class of routers (as have Juniper in the software forwarding arena), so no operator can be blamed for past comparisons.

Cheers,

Mark.
From bandwidth.user at gmail.com Thu Nov 13 22:46:56 2008
From: bandwidth.user at gmail.com (roy)
Date: Fri, 14 Nov 2008 11:46:56 +0800
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To:
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <491CF4B0.7050006@gmail.com>

Brandon Price wrote:
> The tunnel option could work; the problem is the SOURCE is behind a
> Juniper netscreen and I don't think they support gre tunnel
> termination..
> Also I don't want this active all the time, I want it to switch
> dynamically.
>
> Maybe there is something else that would accomplish what I am trying to
> do.
>
> I tried to make a little ASCII diagram, hopefully it comes through ok:
>
>
>      SOURCE Voip LAN 206.72.96.0
>                |
>           FW (juniper)
>                |
>           PE2-------PE1
>           | |          |
>       dsl1| |dsl2      |
>           | |          |T1
>           | |          |
>           | +-------   |
>           +--------CE1 (cisco)
>                    |
>                    |
>           CUST LAN 10.10.10.0
>
>
> Basically my customer's primary link to me is a T1 to PE1 with QOS
> enabled for VOICE traffic to my voip servers and switches at
> 206.72.96.0. These are accessed via FW (juniper netscreen). In normal
> operation the route for the CUST LAN through the t1 has the most
> favourable weight, and traffic never hits PE2.
>
> Now if the T1 goes down, dsl1 to PE2 will now have the most favorable
> route to the lan, HOWEVER at this point I want traffic with a SOURCE of
> the voip netblock to take dsl2 to get to the lan. This is where I am
> stuck. How to use PBR on the ingress to PE2....

With PHP, wouldn't PBR work on PE2?

roy

From hank at efes.iucc.ac.il Thu Nov 13 23:56:02 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 14 Nov 2008 06:56:02 +0200 (IST)
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <491C8406.9000501@gmx.de>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID:

On Thu, 13 Nov 2008, Garry wrote:

The 3825 can take 1GB? The Cisco ISR link doesn't show that.

-Hank

> Hank Nussbacher wrote:
>>
>> But if you really need 100Mb/sec then a 3845 which can handle
>> 256Mb/sec of thruput would be the next one that can handle 1GB.
> Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825
> are nice, too with their dual GigE onboard ... we use a couple of them
> for DSL L2TP LAC and as Firewall ... running very nicely ...
>
> -garry

From ecables at gmail.com Fri Nov 14 00:09:58 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 13 Nov 2008 21:09:58 -0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID:

If you look at the interactive model (http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html) you can see GE0/0 and GE0/1 interfaces.
In addition, the data sheet for both the 3825 and 3845 indicates 2 10/100/1000 interfaces: http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

--
Eric Cables

On Thu, Nov 13, 2008 at 8:56 PM, Hank Nussbacher wrote:
> On Thu, 13 Nov 2008, Garry wrote:
>
> The 3825 can take 1GB? The Cisco ISR link doesn't show that.
>
> -Hank
>
>> Hank Nussbacher wrote:
>>>
>>> But if you really need 100Mb/sec then a 3845 which can handle
>>> 256Mb/sec of thruput would be the next one that can handle 1GB.
>>>
>> Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825
>> are nice, too with their dual GigE onboard ... we use a couple of them
>> for DSL L2TP LAC and as Firewall ... running very nicely ...
>>
>> -garry

From mtinka at globaltransit.net Fri Nov 14 00:18:27 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 13:18:27 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <200811141318.31251.mtinka@globaltransit.net>

On Friday 14 November 2008 13:09:58 Eric Cables wrote:
> If you look at the interactive model (
> http://www.cisco.com/en/US/prod/collateral/routers/ps5855
> /ps5857/prod_presentation0900aecd80543db9.html) you can
> see GE0/0 and GE0/1 interfaces.
>
> In addition, the data sheet for both the 3825 and 3845
> indicates 2 10/100/1000 interfaces:
> http://www.cisco.com/en/US/prod/collateral/routers/ps5855
> /product_data_sheet0900aecd8016a8e8.html

I think just to avoid any confusion; 1GB as in RAM/flash, and 1Gbps as in bandwidth/interface :-).

Oooh, this "B" and "b" thing...

Mark.

From hank at efes.iucc.ac.il Fri Nov 14 00:56:43 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 14 Nov 2008 07:56:43 +0200 (IST)
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <200811141318.31251.mtinka@globaltransit.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net>
Message-ID:

And to repeat - to the best of my knowledge the 3825 can't take 1GB of RAM and therefore is not an optimal solution for small multihoming.

-Hank

On Fri, 14 Nov 2008, Mark Tinka wrote:
> On Friday 14 November 2008 13:09:58 Eric Cables wrote:
>
>> If you look at the interactive model (
>> http://www.cisco.com/en/US/prod/collateral/routers/ps5855
>> /ps5857/prod_presentation0900aecd80543db9.html) you can
>> see GE0/0 and GE0/1 interfaces.
>>
>> In addition, the data sheet for both the 3825 and 3845
>> indicates 2 10/100/1000 interfaces:
>> http://www.cisco.com/en/US/prod/collateral/routers/ps5855
>> /product_data_sheet0900aecd8016a8e8.html
>
> I think just to avoid any confusion; 1GB as in RAM/flash,
> and 1Gbps as in bandwidth/interface :-).
>
> Oooh, this "B" and "b" thing...
>
> Mark.
From s.ganschow at buelow-masiak.de Fri Nov 14 02:19:20 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 08:19:20 +0100
Subject: [c-nsp] 4507R-E losing config
In-Reply-To: <1226621867.3501.14.camel@abehat>
References: <491CA4DA.6050704@buelow-masiak.de> <1226621867.3501.14.camel@abehat>
Message-ID: <491D2678.6040303@buelow-masiak.de>

Peter Rathlev wrote:
>
> Maybe running LACP on the link ("channel-group 1 mode active") could
> help avoid the err-disable part. As far as I understand, you would end
> up with a one-member port-channel on each side, and then a standalone
> "I" port (independent) on the unchanged side facing a regular switchport
> on the "supervisor challenged" side. Spanning tree blocks one of the
> paths.
>
> I haven't tested this, just guessing.
>
> This doesn't solve the interface config going missing of course.

It wouldn't be the worst if the interface starts without any config. This would only happen if one of the Sups has a defect and is going to be replaced. In this case, we could paste the config.
But if the interface is acting the way described, the whole link is useless.

Sebastian

From r.tahina at moov.mg Fri Nov 14 02:44:08 2008
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 14 Nov 2008 10:44:08 +0300
Subject: [c-nsp] log PPPoE session on router
Message-ID: <7.0.1.0.2.20081114103908.0036ca20@moov.mg>

Hi all,

I use a 3825 for PPPoE termination, with local authentication. How can I log user sessions in the router's log?

Kind regards.

From s.ganschow at buelow-masiak.de Fri Nov 14 03:02:20 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 09:02:20 +0100
Subject: [c-nsp] 4507R-E losing config
In-Reply-To: <491D2678.6040303@buelow-masiak.de>
Message-ID:

We've just tested it with channel-group 1 mode active.

The Sup comes back with no config on the Te interface. But the other 4507 got no err-disabled state.

Works for us.
Thanks
Sebastian

> -----Original Message-----
> Peter Rathlev wrote:
> >
> > Maybe running LACP on the link ("channel-group 1 mode active") could
> > help avoid the err-disable part. As far as I understand, you would end
> > up with a one-member port-channel on each side, and then a standalone
> > "I" port (independent) on the unchanged side facing a regular switchport
> > on the "supervisor challenged" side. Spanning tree blocks one of the
> > paths.
> >
> > I haven't tested this, just guessing.
> >
> > This doesn't solve the interface config going missing of course.
>
> It wouldn't be the worst, if the interface starts without any config. This
> would only happen, if one of the Sup's has a defect and is going to be
> replaced. In this case, we could paste the config.
> But if the Interface is acting the way described, the whole link is
> useless.
>
> Sebastian

From tomas at soitron.com Fri Nov 14 03:09:34 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Fri, 14 Nov 2008 09:09:34 +0100
Subject: [c-nsp] Cisco and Extreme
In-Reply-To: <20081114.001221.74679519.sthaug@nethelp.no>
References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> <20081114.001221.74679519.sthaug@nethelp.no>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>

> > Does anyone have any experience with a similar setup and can comment
> > on compatibility between Cisco and Extreme?

One of our customers had repeated significant problems with running OSPF (from L3 Cisco boxes) over Extreme Summit based L2 infrastructure. The switches were multiplying OSPF hellos, wreaking havoc on OSPF adjacencies often. The hellos were replicated even in VLANs that were pure L2 on the Extremes.
--
deejay

From achatz at forthnet.gr Fri Nov 14 03:36:37 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 10:36:37 +0200
Subject: [c-nsp] 4507R-E losing config
In-Reply-To:
References:
Message-ID: <491D3895.6020102@forthnet.gr>

Can you post the errdisable message? You could possibly (if loops aren't the problem) disable the reason regarding it.
Also, do you have errdisable recovery turned on?

--
Tassos

Sebastian Ganschow wrote on 14/11/2008 10:02:
> We've just tested it with channel-group 1 mode active.
>
> The Sup comes back with no config on the Te Interface. But the other
> 4507 got no err-disabled state.
>
> Works for us.
>
> Thanks
> Sebastian
>
>> -----Original Message-----
>> Peter Rathlev wrote:
>>
>>> Maybe running LACP on the link ("channel-group 1 mode active") could
>>> help avoid the err-disable part. As far as I understand, you would
>>> end up with a one-member port-channel on each side, and then a
>>> standalone "I" port (independent) on the unchanged side facing a regular
>>> switchport on the "supervisor challenged" side. Spanning tree blocks one of the
>>> paths.
>>>
>>> I haven't tested this, just guessing.
>>>
>>> This doesn't solve the interface config going missing of course.
>>
>> It wouldn't be the worst, if the interface starts without any config.
>> This would only happen, if one of the Sup's has a defect and is going to be
>> replaced. In this case, we could paste the config.
>> But if the Interface is acting the way described, the whole link is
>> useless.
>>
>> Sebastian

From packetlss at gmail.com Fri Nov 14 04:14:00 2008
From: packetlss at gmail.com (Magnus Eriksson)
Date: Fri, 14 Nov 2008 10:14:00 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>

First of all, thank you all for your insights.

If we were to go with the ASR track I guess I'd need both the 1002 chassis item (18k USD list price) and the 5k USD IP BASE license as well. Am I understanding that correctly?

Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving ahead? I don't wanna be stuck with a "dead" OS.

//Magnus

2008/11/13 Rodney Dunn
> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?
>
> From a growth perspective the ASR1002 would be what I would
> consider giving a potential migration to GigE.
>
> Rodney
>
> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
> > You may want to consider getting either part # CISCO7201 (PSU
> > included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
> > cheap).
> > Both the part # for the box, shouldn't be much of a difference or same.
> >
> > --raymondh
> >
> > On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
> >
> > >I'm looking for some pointers on what are the smallest recommended
> > >Cisco boxes to use for a small multihoming solution.
> > >
> > >2 full BGP views (approx 260k routes each)
> > >100 Mbps bandwidth requirement.
> > >
> > >The setup currently uses 2 Juniper M5 but those are in dire need of
> > >refresh.
> > >
> > >What are the appropriate Cisco boxes to go for? Do I need any memory
> > >upgrades etc?
> > >
> > >Any suggestions are welcome.
> > >
> > >Regards Magnus

From s.ganschow at buelow-masiak.de Fri Nov 14 04:14:05 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 10:14:05 +0100
Subject: [c-nsp] 4507R-E losing config
In-Reply-To: <491D3895.6020102@forthnet.gr>
Message-ID:

> Can you post the errdisable message?
00:16:09: %EC-5-BUNDLE: Interface TenGigabitEthernet3/1 joined port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te3/1 in err-disable state
00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet3/1 left the port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te4/1 in err-disable state
00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet4/1 left the port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Po1 in err-disable state

Sebastian

From gideon at adept.co.za Fri Nov 14 04:19:38 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Fri, 14 Nov 2008 11:19:38 +0200
Subject: [c-nsp] 2610 High CPU Load
Message-ID:

Good day

I have a CPU load problem on a 2610. The router has a X21 Serial interface and Ethernet, and does simple WAN routing. As the amount of traffic increases, the CPU load increases as well, and when the throughput is around 1.2Mbit at about 2000 packet/s, the CPU is running so high that the box becomes unresponsive. This router is in theory supposed to be capable of doing 7.68Mbps at 15,000 pps.

I've checked that the router isn't doing processor switching, and as far as I can see the vast majority of the traffic is being fast switched, yet I seem to be hitting the documented performance limits for process switching. If I have to replace the router I can, but would like to know why I'm running into trouble when the current router is supposedly well within its limits. The box is running 12.3(9), but I've had the same issue on a 12.1 version.

Below is the output of 'show interfaces stat' and 'show interface switching'. Any ideas/help is appreciated.
---
# sh int stat
Ethernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         97      10200        219      17650
             Route cache     760678   57144419     626362   47003211
                   Total     760775   57154619     626581   47020861
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        467      37390        337      43569
             Route cache     626497   40745693     760817   49520393
                   Total     626964   40783083     761154   49563962
-----
#sh int switching
Ethernet0/0
          Throttle count          0
                  Drops         RP          0         SP          0
            SPD Flushes       Fast          0        SSE          0
            SPD Aggress       Fast          0
           SPD Priority     Inputs       3524      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3577     283416       3699     340458
            Cache misses         96          -          -          -
                    Fast   20283972 1524355199   16554208 1236628784
               Auton/SSE          0          0          0          0

     Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process         44       2640       4328     259680
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        435     178350        435     133110
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        869      46926       2601     156060
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
NOTE: all counts are cumulative and reset only after a reload.

Serial0/0
          Throttle count          0
                  Drops         RP          0         SP          0
            SPD Flushes       Fast          0        SSE          0
            SPD Aggress       Fast          0
           SPD Priority     Inputs       5209      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process      17620    1589429      13114    1548222
            Cache misses      14327          -          -          -
                    Fast   16555485 1071171389   20287359 1321039479
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        429     137280        437     122797
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          1         14        238       3784
            Cache misses          0          -          -          -
                    Fast       2750      44000          0          0
               Auton/SSE          0          0          0          0
NOTE: all counts are cumulative and reset only after a reload.
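Gideon's question (is the traffic really being fast switched, or is the process path eating the CPU?) can be answered from the pasted counters rather than by eye. The script below is an added example, not code from this thread or from Cisco: it parses `show interfaces switching` output, sums packets per switching path for each interface, and reports what share went through the process (CPU) path. The embedded input is an abridged copy of the 2610 output above, and the 5% flag threshold is an assumption chosen for illustration.

```python
"""Summarise IOS 'show interfaces switching' output per switching path.

Added example, not code from the cisco-nsp thread or from Cisco. It parses
the text a router prints, totals packets per switching path for each
interface, and reports the share that went through the process (CPU) path,
which is the first thing to check when a software-forwarding router is
CPU-bound.
"""
import re
from collections import defaultdict

# Sample input: an abridged copy of the 2610 output posted in the thread,
# embedded here so the script runs offline. Column alignment is irrelevant
# to the parser; it keys on the label at the start of each row.
SAMPLE = """\
Ethernet0/0
          Throttle count          0
     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3577     283416       3699     340458
            Cache misses         96          -          -          -
                    Fast   20283972 1524355199   16554208 1236628784
               Auton/SSE          0          0          0          0
     Protocol  ARP
                 Process         44       2640       4328     259680
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0
NOTE: all counts are cumulative and reset only after a reload.
Serial0/0
          Throttle count          0
     Protocol  IP
                 Process      17620    1589429      13114    1548222
            Cache misses      14327          -          -          -
                    Fast   16555485 1071171389   20287359 1321039479
               Auton/SSE          0          0          0          0
"""

# Interface names sit at column 0, e.g. "Serial0/0" or "TenGigabitEthernet3/1".
IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d[\d/.]*\s*$")
PROTO_RE = re.compile(r"^\s*Protocol\s+(\S+)")
ROW_RE = re.compile(
    r"^\s*(Process|Cache misses|Fast|Auton/SSE)\s+(\d+)\s+(\d+|-)\s+(\d+|-)\s+(\d+|-)"
)


def parse_switching(text):
    """Return {(iface, proto): {path: (pkts_in, pkts_out)}}."""
    stats = defaultdict(dict)
    iface = proto = None
    for line in text.splitlines():
        if IFACE_RE.match(line):
            iface, proto = line.strip(), None
            continue
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and iface and proto:
            path, pkts_in, _chars_in, pkts_out, _chars_out = m.groups()
            # 'Cache misses' has no per-direction split; store it as (n, 0).
            stats[(iface, proto)][path] = (int(pkts_in), 0 if pkts_out == "-" else int(pkts_out))
    return dict(stats)


def interface_summary(stats):
    """Collapse protocols: per interface, packets on each path and the CPU share."""
    summary = {}
    for (iface, _proto), paths in stats.items():
        s = summary.setdefault(iface, {"process": 0, "fast": 0, "other": 0, "cache_misses": 0})
        for path, (pin, pout) in paths.items():
            if path == "Process":
                s["process"] += pin + pout
            elif path == "Fast":
                s["fast"] += pin + pout
            elif path == "Cache misses":
                s["cache_misses"] += pin
            else:
                s["other"] += pin + pout
    for s in summary.values():
        total = s["process"] + s["fast"] + s["other"]
        s["process_share"] = s["process"] / total if total else 0.0
    return summary


def flag_cpu_bound(summary, threshold=0.05):
    """Interfaces whose process-switched share is at or above the threshold (assumed 5%)."""
    return sorted(i for i, s in summary.items() if s["process_share"] >= threshold)


if __name__ == "__main__":
    summ = interface_summary(parse_switching(SAMPLE))
    for iface, s in summ.items():
        print(f"{iface}: process={s['process']} fast={s['fast']} "
              f"cache_misses={s['cache_misses']} share={s['process_share']:.4%}")
    print("CPU-bound interfaces:", flag_cpu_bound(summ) or "none")
```

Run as-is it prints per-interface totals; on this output the process share is well under 0.1% on both interfaces, so the counters agree with Gideon that per-packet process switching is not where the CPU is going. The next thing to look at is per-process CPU (`show processes cpu sorted`), as suggested further down the thread, since something other than forwarding is consuming the cycles.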
From achatz at forthnet.gr Fri Nov 14 04:30:03 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 11:30:03 +0200
Subject: [c-nsp] 4507R-E losing config
In-Reply-To:
References:
Message-ID: <491D451B.3050300@forthnet.gr>

ok, that was what i was guessing too.
lacp/active (as peter said) or pagp/desirable should probably solve the problem.
Otherwise you could write an eem applet (if your switch supports it) that shuts down the single port whenever this message appears.

btw, is the whole config lost from the sup or only the one under the specific interface?
If it's the latter, you should probably open a tac case.

--
Tassos

Sebastian Ganschow wrote on 14/11/2008 11:14:
>> Can you post the errdisable message?
>
> 00:16:09: %EC-5-BUNDLE: Interface TenGigabitEthernet3/1 joined
> port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1,
> putting Te3/1 in err-disable state
> 00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet3/1 left the
> port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1,
> putting Te4/1 in err-disable state
> 00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet4/1 left the
> port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1,
> putting Po1 in err-disable state
>
> Sebastian

From rekordmeister at gmail.com Fri Nov 14 05:13:44 2008
From: rekordmeister at gmail.com (MKS)
Date: Fri, 14 Nov 2008 10:13:44 +0000
Subject: [c-nsp] supervisor reload trap/log
Message-ID:

Hi

We have a few cisco 7600 with dual sup-720s. I would like to get notified somehow when a supervisor failover occurs. Is there a snmp trap for this type of behavior or should I watch the syslog?
Regards
//MKS

From waduloh at gmail.com Fri Nov 14 05:37:15 2008
From: waduloh at gmail.com (herb wadulo)
Date: Fri, 14 Nov 2008 05:37:15 -0500
Subject: [c-nsp] Cisco and Extreme
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>
References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> <20081114.001221.74679519.sthaug@nethelp.no> <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>
Message-ID: <76baa9fb0811140237w718d7711p9fc6126439ddbba0@mail.gmail.com>

Extreme running EW 7.6 on the older hardware I think resolved some of the issues that existed when running protocols over a multivendor environment. The X250, X450 devices running XOS don't seem to have any issues yet. Cisco and Extreme in L2/L3 redundancy run well when you consider the strengths of each vendor plus a couple of "keystrokes".

Herb

On Fri, Nov 14, 2008 at 3:09 AM, Tomas Daniska wrote:
>
> > > Does anyone have any experience with a similar setup and can comment
> > > on compatibility between Cisco and Extreme?
>
> one of our customers had repeated significant problems with running OSPF
> (from L3 Cisco boxes) over Extreme Summit based L2 infrastructure. The
> switches were multiplicating OSPF hellos, wreaking havoc to OSPF
> adjacencies often. The hellos were replicated even in VLANs that were
> pure L2 on the Extremes.
>
> --
>
> deejay

From achatz at forthnet.gr Fri Nov 14 05:56:29 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 12:56:29 +0200
Subject: [c-nsp] 3750 HSRP question
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com>
Message-ID: <491D595D.9070403@forthnet.gr>

If you use HSRP v2 (which uses 224.0.0.102), will the appliances still have a problem?

PS: You need 12.2(46)SE for this.

Leif Sawyer wrote on 14/11/2008 00:57:
> Tassos Chatzithomaoglou writes:
>> What about the following?
>>
>> mac address-table static 0100.5e00.0002 vlan X int A B ...
>>
>> Just don't include the 2 appliance interfaces into the
>> interface list (or include only the 2 hsrp ports).
>
> Nope. That doesn't seem to do anything -- I'm still seeing
> the HSRP packets in my sniffer.
>
> Sigh.
>
> Cisco sure doesn't want to perform outbound MAC-layer filtering
> on its interfaces, no matter what the security implications might be.
> It sure would be nice if they'd figure out that allowing this traffic
> to be restricted to known/allowed ports, the network would be just a
> little bit safer.
--
Tassos

From eric at atlantech.net Fri Nov 14 06:20:25 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 14 Nov 2008 06:20:25 -0500
Subject: [c-nsp] GEIP or PA-GE
In-Reply-To: <491CF01C.7080104@gmail.com>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
> Sent: Thursday, November 13, 2008 10:27 PM
> To: Martin Moens
> Cc: Cisco NSPs
> Subject: Re: [c-nsp] GEIP or PA-GE
>
> Martin Moens wrote:
> > Tried Ebay?
>
> Yup. Very expensive. More than some dealer prices.

I'd have to agree that ebay prices for 7500 gear are absolutely insane. I recently sold a couple of 7507s (one w/ a GEIP) and looked on ebay for "market prices". One person wanted $35K for their 7507 chassis with no cards?! I put them both up for $5 - one sold for 5 and the other (with the GEIP), sold for $125. I'd keep checking ebay for non-delusional sellers, or contact one of the reputable grey market vendors like NHR. Their prices may be a bit higher than you would expect, but the equipment will come with a 1 year warranty.

-evt

From j.varaillon at cosmoline.com Fri Nov 14 06:30:24 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 13:30:24 +0200
Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue
Message-ID: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>

Hi,

The FWSM is set up with 4 contexts. In this context a "show memory" shows 4 times more used memory than the total amount; is this a known bug?
FWSM/context1# show memory
Used memory:         4294809328 bytes (400%)
-------------     ----------------
Total memory:        1073741824 bytes (100%)

About the CPU, I issued both of the following commands one right after the other. Why does the CPU usage of the system context have different values in the two outputs (0.0% vs 3%)?

The CPU of context2 is never changing (stuck at 62%) and this does not reflect at all the pattern of traffic/connection/translation that we get during a working day. What would keep the CPU so busy given that the amount of traffic is not the issue here?

FWSM# sho cpu usage context all
5 sec   1 min   5 min   Context Name
0.0%    0.0%    0.0%    system
0.2%    0.3%    0.2%    context1
62.9%   62.5%   62.6%   context2
0.0%    0.0%    0.0%    context3
0.0%    0.0%    0.0%    context4

FWSM# sho cpu usage
CPU utilization for 5 seconds = 3%; 1 minute: 3%; 5 minutes: 2%
FWSM#

Thank you for your time.

Christophe

From gkg at gmx.de Fri Nov 14 06:44:59 2008
From: gkg at gmx.de (Garry)
Date: Fri, 14 Nov 2008 12:44:59 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID: <491D64BB.9040200@gmx.de>

Hank Nussbacher wrote:
> On Thu, 13 Nov 2008, Garry wrote:
>
> The 3825 can take 1GB? The Cisco ISR link doesn't show that.

Just checked again - I thought I had put 1GB in our FW-Router, but it's "only" 768 at the moment (added a 512 to the stock 256) ... Anyway, IIRC, the 3825 has two slots, physically identical ...
Also, Cisco GPL has this item:

MEM3800-256U1024D 256 to 1024MB DDR DRAM factory upgrade for Cisco 3800

So I assume that 1GB should also work in 3825, otherwise it should be listed as 3845 only ...

As for Flash, just stick in any name-brand or no-name CF card; we've put in 1GB flash to replace the stock 64M cards ...

-garry

From mtinka at globaltransit.net Fri Nov 14 06:17:14 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 19:17:14 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
Message-ID: <200811141917.15330.mtinka@globaltransit.net>

On Friday 14 November 2008 17:14:00 Magnus Eriksson wrote:
> Also, I'm a bit hesitant regarding IOS XE, which today
> only seems to be used for ASRs. Is IOS XE something that
> is gonna be built upon by Cisco moving ahead? I don't
> wanna be stuck with a "dead" OS.

AFAIK, IOS XE was based on the 12.2SR train. Perhaps Cisco folk on the list can confirm, but I guess that'd mean it'll be actively maintained, as SR is currently where Cisco seem to be going for service provider code, particularly with the 7200 and 7600.

Cheers,

Mark.
From j.varaillon at cosmoline.com Fri Nov 14 07:06:46 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 14:06:46 +0200
Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue
In-Reply-To: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>
References: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>
Message-ID: <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com>

> The CPU of context2 is never changing (stuck at 62%) and this does not
> reflect at all the pattern of traffic/connection/translation that we get
> during a working day. What would keep the CPU so busy given that the
> amount of traffic is not the issue here?

This output shows clearly that the traffic is almost null but still it has 60% of CPU. What could justify such a value?

FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon

PERFMON STATS:      Current   Average
Xlates                  0/s       0/s
Connections             0/s       0/s
TCP Conns               0/s       0/s
UDP Conns               0/s       0/s
URL Access              0/s       0/s
URL Server Req          0/s       0/s
TCP Fixup             279/s       0/s
HTTP Fixup              0/s       0/s
FTP Fixup               0/s       0/s
AAA Authen              0/s       0/s
AAA Author              0/s       0/s
AAA Account             0/s       0/s
TCP Intercept           0/s       0/s

Thanks,

Christophe

From swmike at swm.pp.se Fri Nov 14 07:22:46 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 14 Nov 2008 13:22:46 +0100 (CET)
Subject: [c-nsp] GEIP or PA-GE
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com> <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>
Message-ID:

On Fri, 14 Nov 2008, Eric Van Tol wrote:

> I'd have to agree that ebay prices for 7500 gear are absolutely insane.
> I recently sold a couple of 7507s (one w/ a GEIP) and looked on ebay for > "market prices". One person wanted $35K for their 7507 chassis with no > cards?! I put them both up for $5 - one sold for 5 and the other (with > the GEIP), sold for $125. I'd keep checking ebay for non-delusional > sellers, or contact one of the reputable grey market vendors like NHR. > Their prices may be a bit higher than you would expect, but the > equipment will come with a 1 year warranty. You sold a GEIP (with PA-GE) for $125? I'd say street value of that is more like $500-$600. That's at least what the auctions went for a few months back when I last checked. -- Mikael Abrahamsson email: swmike at swm.pp.se From hank at efes.iucc.ac.il Fri Nov 14 08:06:11 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Fri, 14 Nov 2008 15:06:11 +0200 (IST) Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution? In-Reply-To: <491D64BB.9040200@gmx.de> References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de> <491D64BB.9040200@gmx.de> Message-ID: On Fri, 14 Nov 2008, Garry wrote: > Hank Nussbacher wrote: >> On Thu, 13 Nov 2008, Garry wrote: >> >> The 3825 can take 1GB? The Cisco ISR link doesn't show that. > Just checked again - I thought I had put 1GB in our FW-Router, but it's > "only" 768 at the moment (added a 512 to the stock 256) ... Anyway, > IIRC, the 3825 has two slots, physically identical ... also, Cisco GPL > has this item: > > MEM3800-256U1024D 256 to 1024MB DDR DRAM factory upgrade for Cisco 3800 > > So I assume that 1GB should also work in 3825, otherwise it should be > listed as 3845 only ... 
The Data Sheet agrees with you: http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html Am I losing it, or does the quickref guide: http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf show 1GB for the 3825 now? Was it listed as 1GB a few days ago or am I losing it? I had tried emailing a number of other questions to the address listed - but ask-quickref at cisco.com doesn't respond and the URL mailto: of quickref at cisco.com doesn't exist. Just par for the course these days with Cisco :-) Thank G-d we have each other to help advance their sales. -Hank > > As for Flash, just stick in any Name-Brand or No-Name CF card, we've put > in 1GB flash to replace the stock 64M cards ... > > -garry > From j.varaillon at cosmoline.com Fri Nov 14 08:07:08 2008 From: j.varaillon at cosmoline.com (Varaillon Jean Christophe) Date: Fri, 14 Nov 2008 15:07:08 +0200 Subject: [c-nsp] 2610 High CPU Load In-Reply-To: References: Message-ID: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com> A "sho proc cpu sorted" would display which process(es) is actually eating your resources. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gideon le Grange Sent: Friday, November 14, 2008 11:20 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] 2610 High CPU Load Good day I have a CPU load problem on a 2610. The router has an X21 Serial interface and Ethernet, and does simple WAN routing. As the amount of traffic increases, the CPU load increases as well, and when the throughput is around 1.2Mbit at about 2000 packet/s, the CPU is running so high that the box becomes unresponsive. This router is in theory supposed to be capable of doing 7.68Mbps at 15,000 pps.
I've checked that the router isn't doing processor switching, and as far as I can see the vast majority of the traffic is being fast switched, yet I seem to be hitting the documented performance limits for process switching. If I have to replace the router I can, but would like to know why I'm running into trouble when the current router is supposedly well within its limits. The box is running 12.3(9), but I've had the same issue on a 12.1 version. Below is the output of 'show interfaces stat' and 'show interface switching'. Any ideas/help is appreciated.

---

# sh int stat

Ethernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         97      10200        219      17650
             Route cache     760678   57144419     626362   47003211
                   Total     760775   57154619     626581   47020861
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        467      37390        337      43569
             Route cache     626497   40745693     760817   49520393
                   Total     626964   40783083     761154   49563962

-----

#sh int switching

Ethernet0/0
          Throttle count          0
                  Drops         RP          0         SP          0
            SPD Flushes       Fast          0        SSE          0
            SPD Aggress       Fast          0
         SPD Priority     Inputs       3524      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3577     283416       3699     340458
            Cache misses         96          -          -          -
                    Fast   20283972 1524355199   16554208 1236628784
               Auton/SSE          0          0          0          0

     Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process         44       2640       4328     259680
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        435     178350        435     133110
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        869      46926       2601     156060
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.
Serial0/0
          Throttle count          0
                  Drops         RP          0         SP          0
            SPD Flushes       Fast          0        SSE          0
            SPD Aggress       Fast          0
         SPD Priority     Inputs       5209      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process      17620    1589429      13114    1548222
            Cache misses      14327          -          -          -
                    Fast   16555485 1071171389   20287359 1321039479
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        429     137280        437     122797
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          1         14        238       3784
            Cache misses          0          -          -          -
                    Fast       2750      44000          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.

_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From raymondh.nsp at gmail.com Fri Nov 14 08:32:54 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Fri, 14 Nov 2008 21:32:54 +0800 Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution? In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> Message-ID: <9AC8C703-0293-4C65-9CA3-912E34652CFC@gmail.com> You'll need the ESP too, either the 5 or 10G. *thinks* IOS consistency is something most of us are keeping our fingers crossed for, even though there are consistent releases for the SR, XE and XR codes. :) I believe there are lots of folks wanting to knock ITD's door down and the various BUs. --raymondh On Nov 14, 2008, at 5:14 PM, Magnus Eriksson wrote: > First of all, thank you all for your insights.
> > If we were to go with the ASR track I guess I'd need both the 1002 > chassis > item (18k USD list price) and the 5k USD IP BASE license as well. Am I > understanding that correctly? > > Also, I'm a bit hesitant regarding IOS XE, which today only seems to > be used > for ASRs. Is IOS XE something that is gonna be built upon by Cisco > moving > ahead? I don't wanna be stuck with a "dead" OS. > > //Magnus > > 2008/11/13 Rodney Dunn > >> I haven't looked at the price list. >> >> How does an ASR1002 compare to a G2 combo? >> >> From a growth perspective the ASR1002 would be what I would >> consider giving a potential migration to GigE. >> >> Rodney >> >> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote: >>> You may want to consider getting either part # CISCO7201 (PSU >>> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite >>> cheap). >>> Both the part # for the box, shouldn't be much of a difference or >>> same. >>> >>> >>> --raymondh >>> >>> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote: >>> >>>> I'm looking for some pointers on what are the smallest recommended >>>> Cisco >>>> boxes to use for a small multihoming solution. >>>> >>>> 2 full BGP views (approx 260k routes each) >>>> 100 Mbps bandwidth requirement. >>>> >>>> The setup currently uses 2 Juniper M5 but those are in dire need of >>>> refresh. >>>> >>>> >>>> What are the appropriate Cisco boxes to go for? Do I need any memory >>>> upgrades >>>> etc? >>>> >>>> Any suggestions are welcome.
>>>> >>>> Regards Magnus >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Curtis at GreenKey.net Fri Nov 14 08:39:27 2008 From: Curtis at GreenKey.net (Curtis Doty) Date: Fri, 14 Nov 2008 05:39:27 -0800 (PST) Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking? In-Reply-To: <034e01c945fb$52df6610$f89e3230$@id.au> References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> <034e01c945fb$52df6610$f89e3230$@id.au> Message-ID: <20081114133928.3C7816F064@alopias.GreenKey.net> 10:50am Brett Looney said: >> Has anyone ever gotten trunking working between a >> 3560 and Dell 6248 or similar? The Dell seems only >> to support GVRP in comparison to Cisco's VTP. >> Since the 3560 doesn't support GVRP I think I'm out >> of luck, but I'm hoping someone here has figured out >> a kludge to get this working. > > I've had trunking working between Cisco and Dell switches before. You can configure trunking manually on either end - you don't need VTP/GVRP to build a trunk. For example:
>
> interface GigabitEthernet 1/0/1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport trunk allowed vlan 1-50
>
> Obviously you'd need to define the VLANs manually on each end for this to work. Since explicit settings are better in this situation, don't forget to disable DTP grunge...
switchport nonegotiate

However, the kicker will be properly connecting your spanning trees, since Cisco prefers a separate spanning tree per VLAN and the Dell prefers one spanning tree for all VLANs. The way out of this mess is to use MST. From eric at atlantech.net Fri Nov 14 08:41:09 2008 From: eric at atlantech.net (Eric Van Tol) Date: Fri, 14 Nov 2008 08:41:09 -0500 Subject: [c-nsp] GEIP or PA-GE In-Reply-To: References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com> <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local> Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350E894F2D@exchange.aoihq.local> > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson > Sent: Friday, November 14, 2008 7:23 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] GEIP or PA-GE > > You sold a GEIP (with PA-GE) for $125? I'd say street value of that is > more like $500-$600. That's at least what the auctions went for a few > months back when I last checked. > Yup, they got a very good deal - 2 7507s with dual RSP4+, 4 VIP2-50s, and a GEIP for $130. I just wanted the hardware out of here and other avenues I took to get rid of them didn't pan out. -evt From achatz at forthnet.gr Fri Nov 14 08:43:00 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 14 Nov 2008 15:43:00 +0200 Subject: [c-nsp] supervisor reload trap/log In-Reply-To: References: Message-ID: <491D8064.1030807@forthnet.gr> Although I haven't tested them, you can try these two:

snmp-server enable traps chassis
snmp-server enable traps module

Keep in mind that you can use "snmp-server enable traps syslog" to get ALL syslog messages as snmp traps. -- Tassos MKS wrote on 14/11/2008 12:13: > Hi > > We have a few cisco 7600 with dual sup-720s. I would like to get > notified somehow when a supervisor failover occurs.
> > Is there a snmp trap for this type of behavior or should I watch the syslog? > > Regards > //MKS > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From petelists at templin.org Fri Nov 14 08:59:25 2008 From: petelists at templin.org (Pete Templin) Date: Fri, 14 Nov 2008 07:59:25 -0600 Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution? In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> Message-ID: <491D843D.8010101@templin.org> Magnus Eriksson wrote: > Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used > for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving > ahead? I don't wanna be stuck with a "dead" OS. Clarification: from what I can see, IOS XE is only used on the ASR 1000 series. XR is used on the new ASR 9k series. I can see some logic in that, as the 1k platform is a fresh attempt at the parallel processing theory, formerly a flop in the PXF platforms. However, being able to start from the ground up in that architecture is probably a much safer start. pt From gideon at adept.co.za Fri Nov 14 09:22:48 2008 From: gideon at adept.co.za (Gideon le Grange) Date: Fri, 14 Nov 2008 16:22:48 +0200 Subject: [c-nsp] 2610 High CPU Load In-Reply-To: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com> References: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com> Message-ID: On 14 Nov 2008, at 3:07 PM, Varaillon Jean Christophe wrote: > A "sho proc cpu sorted" would display which process(es) is actually > eating > your resources. > > I know, but it doesn't show anything useful. 
Nothing seems to be taking a noticeable amount of CPU. G From rodunn at cisco.com Fri Nov 14 09:39:14 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Fri, 14 Nov 2008 09:39:14 -0500 Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution? In-Reply-To: <200811141917.15330.mtinka@globaltransit.net> References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> <200811141917.15330.mtinka@globaltransit.net> Message-ID: <20081114143914.GD14907@rtp-cse-489.cisco.com> On Fri, Nov 14, 2008 at 07:17:14PM +0800, Mark Tinka wrote: > On Friday 14 November 2008 17:14:00 Magnus Eriksson wrote: > > > Also, I'm a bit hesitant regarding IOS XE, which today > > only seems to be used for ASRs. Is IOS XE something that > > is gonna be built upon by Cisco moving ahead? I don't > > wanna be stuck with a "dead" OS. > > AFAIK, IOS XE was based on the 12.2SR train. Yes from an IOS feature set perspective. > > Perhaps Cisco folk on the list can confirm, but I guess > that'd mean it'll be actively maintained, as SR is > currently where Cisco seem to be going for service provider > code, particularly with the 7200 and 7600. It will be maintained for a long time for sure so no need to worry on that. The entire product line just shipped a few months back and a lot of focus is on it. Rodney > > Cheers, > > Mark. From rodunn at cisco.com Fri Nov 14 09:58:27 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Fri, 14 Nov 2008 09:58:27 -0500 Subject: [c-nsp] 2610 High CPU Load In-Reply-To: References: Message-ID: <20081114145827.GE14907@rtp-cse-489.cisco.com> It's interrupt probably due to the packet switching. The numbers referenced are almost always FE2FE no features for raw NDR (no drop rate) test. For serial it's going to be less. Add features and it's less also. 
Rodney

On Fri, Nov 14, 2008 at 11:19:38AM +0200, Gideon le Grange wrote:
> Good day
>
> I have a CPU load problem on a 2610. The router has an X21 Serial
> interface and Ethernet, and does simple WAN routing. As the amount of
> traffic increases, the CPU load increases as well, and when the
> throughput is around 1.2Mbit at about 2000 packet/s, the CPU is
> running so high that the box becomes unresponsive. This router is in
> theory supposed to be capable of doing 7.68Mbps at 15,000 pps.
>
> I've checked that the router isn't doing processor switching, and as
> far as I can see the vast majority of the traffic is being fast
> switched, yet I seem to be hitting the documented performance limits
> for process switching.
>
> If I have to replace the router I can, but would like to know why I'm
> running into trouble when the current router is supposedly well within
> its limits.
>
> The box is running 12.3(9), but I've had the same issue on a 12.1
> version. Below is the output of 'show interfaces stat' and 'show
> interface switching'.
>
> Any ideas/help is appreciated.
>
> ---
>
> # sh int stat
>
> Ethernet0/0
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                Processor         97      10200        219      17650
>              Route cache     760678   57144419     626362   47003211
>                    Total     760775   57154619     626581   47020861
> Serial0/0
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                Processor        467      37390        337      43569
>              Route cache     626497   40745693     760817   49520393
>                    Total     626964   40783083     761154   49563962
>
> -----
>
> #sh int switching
>
> Ethernet0/0
>           Throttle count          0
>                   Drops         RP          0         SP          0
>             SPD Flushes       Fast          0        SSE          0
>             SPD Aggress       Fast          0
>          SPD Priority     Inputs       3524      Drops          0
>
>      Protocol  IP
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process       3577     283416       3699     340458
>             Cache misses         96          -          -          -
>                     Fast   20283972 1524355199   16554208 1236628784
>                Auton/SSE          0          0          0          0
>
>      Protocol  ARP
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process         44       2640       4328     259680
>             Cache misses          0          -          -          -
>                     Fast          0          0          0          0
>                Auton/SSE          0          0          0          0
>
>      Protocol  CDP
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process        435     178350        435     133110
>             Cache misses          0          -          -          -
>                     Fast          0          0          0          0
>                Auton/SSE          0          0          0          0
>
>      Protocol  Other
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process        869      46926       2601     156060
>             Cache misses          0          -          -          -
>                     Fast          0          0          0          0
>                Auton/SSE          0          0          0          0
>
> NOTE: all counts are cumulative and reset only after a reload.
> Serial0/0
>           Throttle count          0
>                   Drops         RP          0         SP          0
>             SPD Flushes       Fast          0        SSE          0
>             SPD Aggress       Fast          0
>          SPD Priority     Inputs       5209      Drops          0
>
>      Protocol  IP
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process      17620    1589429      13114    1548222
>             Cache misses      14327          -          -          -
>                     Fast   16555485 1071171389   20287359 1321039479
>                Auton/SSE          0          0          0          0
>
>      Protocol  CDP
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process        429     137280        437     122797
>             Cache misses          0          -          -          -
>                     Fast          0          0          0          0
>                Auton/SSE          0          0          0          0
>
>      Protocol  Other
>           Switching path    Pkts In   Chars In   Pkts Out  Chars Out
>                  Process          1         14        238       3784
>             Cache misses          0          -          -          -
>                     Fast       2750      44000          0          0
>                Auton/SSE          0          0          0          0
>
> NOTE: all counts are cumulative and reset only after a reload.
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From j.varaillon at cosmoline.com Fri Nov 14 10:31:06 2008 From: j.varaillon at cosmoline.com (Varaillon Jean Christophe) Date: Fri, 14 Nov 2008 17:31:06 +0200 Subject: [c-nsp] 2610 High CPU Load In-Reply-To: References: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com> Message-ID: <002a01c9466e$044e5880$0ceb0980$%varaillon@cosmoline.com> I suppose that:
-cef is enabled
-no QoS is in place (including NBAR...)
-no ACL with 'log' keyword (matching packets would be CPU switched)
-no "logging debug" and debugging commands are used (flood of syslog messages)
-only necessary routing protocols are used (if you have a stub area, a default route is enough)
-no heavy routing protocol (e.g. BGP)
-if the link is between 2 Ciscos, you could use HDLC rather than PPP. (I found it lighter from a CPU point of view)

You can always send us your configuration, removing all your passwords and replacing your public IP addresses by private ones.
Christophe -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gideon le Grange Sent: Friday, November 14, 2008 4:23 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] 2610 High CPU Load On 14 Nov 2008, at 3:07 PM, Varaillon Jean Christophe wrote: > A "sho proc cpu sorted" would display which process(es) is actually > eating > your resources. > > I know, but it doesn't show anything useful. Nothing seems to be taking a noticeable amount of CPU. G _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jarruda-cnsp at jarruda.com Fri Nov 14 11:41:18 2008 From: jarruda-cnsp at jarruda.com (Julio Arruda) Date: Fri, 14 Nov 2008 11:41:18 -0500 Subject: [c-nsp] ASR 9000 In-Reply-To: <491AE9AE.7050806@jarruda.com> References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com> Message-ID: <491DAA2E.8010605@jarruda.com> Julio Arruda wrote: > Kevin Graham wrote: >> >>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? >>> Consistency >> >> >>> would be nice. >>> >> >> ...or at least call this a CRS-2 or something. I'm still crossing my >> fingers >> that there's a master plan for consistency (or alternatively, clear >> differentiation) between XR/XE/12.2SX/12.2SR/NX-OS. >> >> >>> Re-uses the RSP nomenclature, just recently put to bed in the 7500 >>> series. >>> >> >> Nope, 7600 already revived it (RSP720).
I don't see reference to line >> cards, >> but the photos look like ES40's, which finally gives some credibility >> to the >> 6500/7600 split (where new linecards are shared between ASR9000 and >> 7600). >> > I somewhat doubt this is the case..at least from what I can imagine... > This would imply the ASR9k cards being able to talk with the 7600 > backplane, which, as I understand, is quite distinct from the CRS-1? Isn't > the ASR9000 based off the CRS-1 hardware? > Isn't the ASR 9000 based off the CRS-1 Metro packet processors also, > while the packet crunching on the 7600 is based off the EARL, and on the > ASR 1000 is based on the QFP? > I can't seem to find details on the cards on the ASR 9000, but, just > making some wild guess here.. > (of course, Cisco has been quite effective in getting a clear separation > from control plane to forwarding plane, and IOS-XR sure already runs on > another completely distinct box, the 12K-XR, so, maybe the 7600 will > gain from the ASR 9000 'revamp'). So, eating my own words, it seems like the ASR9000 would use the same kind of fwd muscles as the ES (ezchip based) cards in the 7600, not the EARL. It would seem they have the ASR14000 using the SPP, still making the 9k and the 14k 'close'; both would run IOS-XR. And I assume this would mean Cisco now has a box that could replace the 7600, running IOS-XR. Not sure about edge features, but I understand the 9k flavor of XR has this covered... Still can't find details on the 9k on the website, but... From dale.shaw+cisco-nsp at gmail.com Fri Nov 14 13:19:36 2008 From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw) Date: Fri, 14 Nov 2008 10:19:36 -0800 Subject: [c-nsp] Catalyst 3750 stacks with many members Message-ID: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> Hi all, We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.
Does anyone have any tips as to how to make large stacks more reliable? We're seeing really high CPU and have found you need to be really careful doing anything that has the potential to swamp the CPU -- the other day I crashed a stack master by clearing the CDP neighbour table (a bit silly in hindsight, given the number of CDP table entries [phones], but I was troubleshooting a stale neighbour problem). Does changing to the 'VLANs' SDM template for switch stacks in this role make any difference? These stacks don't do any routing, or traffic ACLs. We've tried 12.2(40)SE, 12.2(44)SE2 and 12.2(44)SE3. Our biggest stack is 7 members. You're supposed to be able to stack 9 of these things (and I don't recall reading about any caveats), so it's a bit concerning. Disabling certain functionality (e.g. CDP) to stabilise is one thing, but long term it would be nice if it 'just worked'. cheers, Dale From everton at lab.ipaccess.diveo.net.br Fri Nov 14 13:02:40 2008 From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques) Date: Fri, 14 Nov 2008 16:02:40 -0200 Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance? Message-ID: <20081114180240.GA4941@diveo.net.br> Hi, While trying to load-share between routes with same administrative distance from distinct routing protocols, I found this: What if I configure the administrative distance to be the same for two routing protocols? Will the router install routes from each routing protocol and allow me to load balance traffic? ... The answer is NO. ... When there is a tie of configured administrative distance settings the router will use the *default* administrative distance to make the decision. Reference: Two routing protocols, Same administrative distance? http://www.internetworkexpert.org/2007/12/31/two-routing-protocols-same-administrative-distance/ I am wondering: any hint on how to work-around such a behavior (if at all possible) ? 
Thanks, Everton From cchurc05 at harris.com Fri Nov 14 13:47:42 2008 From: cchurc05 at harris.com (Church, Charles) Date: Fri, 14 Nov 2008 12:47:42 -0600 Subject: [c-nsp] Recommended Cisco boxes for a small multihomingsolution? In-Reply-To: References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com><200811141318.31251.mtinka@globaltransit.net> Message-ID: When did a gig of RAM become the new requirement for a full table, with a couple of views only? It seems 512 on an ISR will still have 150MB free with a full table. Our 2821 with 12.4(21) with 768MB has 400MB free almost all the time. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher Sent: Thursday, November 13, 2008 9:57 PM To: Mark Tinka Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Recommended Cisco boxes for a small multihomingsolution? And to repeat - to the best of my knowledge the 3825 can't take 1GB of RAM and therefore is not an optimal solution for small multihoming. -Hank On Fri, 14 Nov 2008, Mark Tinka wrote: > On Friday 14 November 2008 13:09:58 Eric Cables wrote: > >> If you look at the interactive model ( >> http://www.cisco.com/en/US/prod/collateral/routers/ps5855 >> /ps5857/prod_presentation0900aecd80543db9.html) you can >> see GE0/0 and GE0/1 interfaces. >> >> In addition, the data sheet for both the 3825 and 3845 >> indicates 2 10/100/1000 interfaces: >> http://www.cisco.com/en/US/prod/collateral/routers/ps5855 >> /product_data_sheet0900aecd8016a8e8.html > > I think just to avoid any confusion; 1GB as in RAM/flash, > and 1Gbps as in bandwidth/interface :-). > > Oooh, this "B" and "b" thing... > > Mark.
> _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From David.Lima at alphasys.com.bo Fri Nov 14 14:01:46 2008 From: David.Lima at alphasys.com.bo (David Lima) Date: Fri, 14 Nov 2008 15:01:46 -0400 Subject: [c-nsp] The results of your email commands In-Reply-To: Message-ID: Hi friends, I have a Catalyst 6509 with a SUP720-3B running Cisco IOS. I don't have enough space on my flash card. Is it possible to boot another IOS using TFTP? What would be the correct commands? I tried the command "boot system tftp FILE IP" and tried to boot from ROMMON, but I don't have the tftpdnld option. Any suggestion, please. Thanks in advance. David From j at arpa.com Fri Nov 14 14:54:33 2008 From: j at arpa.com (jamie rishaw) Date: Fri, 14 Nov 2008 13:54:33 -0600 Subject: [c-nsp] Catalyst 3750 stacks with many members In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> Message-ID: Yeah.. Replace them. With Chassis(es). Stacks are just a bad idea. Failure of one part of the stack is a failure of the stack. A 65xx serves just as well, better even; cheaper, more reliably, and with less BS.. I'm in the middle of tossing (however many letters are, inclusive, between a and s) stacks, moving to 65xx chassis(es) with 10/100 // triplespeed blades... moving to paired '09's. Cue the happy singing birds and obama 'yes we chassis' glory in 3.. 2.. 1.. -j On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw > wrote: > Hi all, > > We have a few large (>6 member) cat3750 stacks in our environment, > most in L2 edge/access roles, and most providing PoE to cisco IP > phones.
-- ..!google!arpa.com!j From billf at mu.org Fri Nov 14 14:57:05 2008 From: billf at mu.org (bill fumerola) Date: Fri, 14 Nov 2008 11:57:05 -0800 Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance? In-Reply-To: <20081114180240.GA4941@diveo.net.br> References: <20081114180240.GA4941@diveo.net.br> Message-ID: <20081114195705.GC29895@elvis.mu.org> On Fri, Nov 14, 2008 at 04:02:40PM -0200, Everton da Silva Marques wrote: > Two routing protocols, Same administrative distance? > http://www.internetworkexpert.org/2007/12/31/two-routing-protocols-same-administrative-distance/ > > I am wondering: any hint on how to work around such > a behavior (if at all possible) ? redistribute routes from one protocol into another and use route-maps to change the metrics and route 'type' (protocol dependent) such that the protocol considers them equal cost. the usual warnings about route redistribution apply: using tags so loops don't occur and taking care not to redistribute too many routes. -- bill From bluffmaster4hearts at gmail.com Fri Nov 14 15:10:11 2008 From: bluffmaster4hearts at gmail.com (bharath kondi) Date: Sat, 15 Nov 2008 04:10:11 +0800 Subject: [c-nsp] Non-zero CAN jam reset counter in slot Message-ID: <82957ce50811141210v573f3037v62cd38adb7f4c0e2@mail.gmail.com> Hello, I am getting these errors when I restart the GSR; while the IOS is loading the alarm on the GSR is not shown, but once the whole GSR is loaded I am seeing this error. The LED on the clock scheduler module is showing a major alarm. Please help me with these errors and why I am getting a major alarm on the last module and these errors on the GSR.
WARNING: Non-zero CAN jam reset counter in slot 17
WARNING: Non-zero CAN jam reset counter in slot 18
WARNING: Non-zero CAN jam reset counter in slot 20
WARNING: Non-zero CAN jam reset counter in slot 24
WARNING: Non-zero CAN jam reset counter in slot 26
WARNING: Non-zero CAN jam reset counter in slot 28
WARNING: Non-zero CAN jam reset counter in slot 29

thanks a lot ... Bharath From peter at rathlev.dk Fri Nov 14 16:19:57 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 14 Nov 2008 22:19:57 +0100 Subject: [c-nsp] Catalyst 3750 stacks with many members In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> Message-ID: <1226697597.4569.5.camel@abehat> On Fri, 2008-11-14 at 10:19 -0800, Dale Shaw wrote: > We have a few large (>6 member) cat3750 stacks in our environment, > most in L2 edge/access roles, and most providing PoE to cisco IP > phones. > > Does anyone have any tips as to how to make large stacks more > reliable? The largest we've used was a 6 member stack. No CPU issues. No large number of CDP neighbors though. Probably no help, but we've started moving away from stacking. Having to manage X or 2*X switches isn't that different for a non-small X -- you need some tools to manage several switches concurrently anyway. The failure scenarios are cleaner using stand-alone units and regular RSTP for us. It would be very sweet if one could use the stack ports as regular interfaces between switches. That would be a cheap high bandwidth connection in a U topology.
Regards,
Peter

From MLouis at nwnit.com Fri Nov 14 17:01:21 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 14 Nov 2008 17:01:21 -0500
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID:

split the stacks into smaller groups

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale Shaw [dale.shaw+cisco-nsp at gmail.com]
Sent: Friday, November 14, 2008 1:19 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Catalyst 3750 stacks with many members

Hi all,

We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.

Does anyone have any tips as to how to make large stacks more reliable? We're seeing really high CPU and have found you need to be really careful doing anything that has the potential to swamp the CPU -- the other day I crashed a stack master by clearing the CDP neighbour table (a bit silly in hindsight, given the number of CDP table entries [phones], but I was troubleshooting a stale neighbour problem).

Does changing to the 'VLANs' SDM template for switch stacks in this role make any difference? These stacks don't do any routing, or traffic ACLs.

We've tried 12.2(40)SE, 12.2(44)SE2 and 12.2(44)SE3. Our biggest stack is 7 members. You're supposed to be able to stack 9 of these things (and I don't recall reading about any caveats), so it's a bit concerning. Disabling certain functionality (e.g. CDP) to stabilise is one thing, but long term it would be nice if it 'just worked'.
cheers,
Dale
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.

From blahu77 at gmail.com Fri Nov 14 17:04:27 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Fri, 14 Nov 2008 22:04:27 +0000
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To:
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <383357750811141404m35a5865fn1181cb7cf3f7e5c2@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2008/11/13 Brandon Price :
> The tunnel option could work the problem is the SOURCE is behind a
> Juniper netscreen and I don't think they support gre tunnel
> termination..
> Also I don't want this active all the time, I want it to switch
> dynamically.
>
> Maybe there is something else that would accomplish what I am trying to
> do.
>
> I tried to make a little ASCII diagram, hopefully it comes through ok:
>
>
>        SOURCE Voip LAN 206.72.96.0
>               |
>          FW (juniper)
>               |
>        PE2-------PE1
>        | |        |
>    dsl1| |dsl2    |
>        | |        |T1
>        | |        |
>        | +------- |
>        +--------CE1 (cisco)
>               |
>               |
>        CUST LAN 10.10.10.0
>
>
> Basically My customers primary link to me is a T1 to PE1 with QOS
> enabled for VOICE traffic to my voip servers and switches at
> 206.72.96.0. these are accessed via FW (juniper netscreen). In normal
> operation the route for the CUST LAN through the t1 has the most
> favourable weight, and traffic never hits PE2.
>
>
> Now if the T1 goes down, dsl1 to PE2 will now have the most favorable
> route to the lan, HOWEVER at this point I want traffic with a SOURCE of
> the voip netblock to take dsl2 to get to the lan. This is where I am
> stuck. How to use PBR on the ingress to PE2....
>

I don't see any other solution but to prioritize (QoS) SOURCE traffic on BOTH dsl links.

Best Regards,

- -mat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkkd9eoACgkQIvBv0k5esR4q3wCgrQI7UpuTyDHGg/Nmy0Z9gEos
sl4AoKHHsYWqLe/L28q915orGoDHHj/z
=/rgz
-----END PGP SIGNATURE-----

From wberg at swip.net Fri Nov 14 18:15:42 2008
From: wberg at swip.net (Alex Wågberg)
Date: Sat, 15 Nov 2008 00:15:42 +0100
Subject: [c-nsp] Locked VTY sessions on ME3400
Message-ID: <491E069E.2020902@swip.net>

Hello!

I've got a Cisco ME3400 running 12.2(44)SE. Couple of /30s to it, running hsrp and BGP, works good, except I can't access it via telnet. And rebooting it is not on the list.

When I try to telnet to the switch I get "telnet: Unable to connect to remote host: Connection refused".

I've checked the backup-config from this night, and it clearly states that the incoming ACLs are correct and the snmp configuration is correct as well.

Running snmpwalk works. I've tried, just to be sure, to get it to download a conf w/o the ACL on vty 0 4 and 5 15 just to make sure it isn't that, but with no luck.
I end up with: No Response from .

My guess is that it's hung VTY sessions; how can I clear them with SNMP?

Thanks!

-- Alex W.

From bep at whack.org Fri Nov 14 18:27:20 2008
From: bep at whack.org (Bruce Pinsky)
Date: Fri, 14 Nov 2008 15:27:20 -0800
Subject: [c-nsp] Locked VTY sessions on ME3400
In-Reply-To: <491E069E.2020902@swip.net>
References: <491E069E.2020902@swip.net>
Message-ID: <491E0958.30501@whack.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Alex Wågberg wrote:
> Hello!
>
> I've got a Cisco ME3400 running 12.2(44)SE. Couple of /30s to it,
> running hsrp and BGP, works good, except I can't access it via telnet. And
> rebooting it is not on the list.
>
> When I try to telnet to the switch I get "telnet: Unable to connect to
> remote host: Connection refused".
>
> I've checked the backup-config from this night, and it clearly states
> that the incoming ACLs are correct and the snmp configuration is correct as well.
>
> Running snmpwalk works. I've tried, just to be sure, to get it to download
> a conf w/o the ACL on vty 0 4 and 5 15 just to make sure it isn't that,
> but with no luck. I end up with: No Response from .
>
> My guess is that it's hung VTY sessions; how can I clear them with SNMP?
>

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml

- --
=========
bep
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkkeCVgACgkQE1XcgMgrtybGkACghTLh3ifzA6EoE+6FMnxAKuae
Y0QAnRFIeq0gglSGLY4RiEFGTYOQPP8i
=JM5i
-----END PGP SIGNATURE-----

From dcp at dcptech.com Fri Nov 14 18:34:11 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 14 Nov 2008 18:34:11 -0500
Subject: [c-nsp] Locked VTY sessions on ME3400
In-Reply-To: <491E0958.30501@whack.org>
References: <491E069E.2020902@swip.net> <491E0958.30501@whack.org>
Message-ID: <001a01c946b1$808a9010$819fb030$@com>

And once you're back in, don't forget to enable service tcp-keepalives-in/out, so it doesn't happen again.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bruce Pinsky
> Sent: Friday, November 14, 2008 6:27 PM
> To: Alex Wågberg
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Locked VTY sessions on ME3400
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Alex Wågberg wrote:
> > Hello!
> >
> > I've got a Cisco ME3400 running 12.2(44)SE. Couple of /30s to it,
> > running hsrp and BGP, works good, except I can't access it via telnet. And
> > rebooting it is not on the list.
> >
> > When I try to telnet to the switch I get "telnet: Unable to connect to
> > remote host: Connection refused".
> >
> > I've checked the backup-config from this night, and it clearly states
> > that the incoming ACLs are correct and the snmp configuration is correct as well.
> >
> > Running snmpwalk works. I've tried, just to be sure, to get it to download
> > a conf w/o the ACL on vty 0 4 and 5 15 just to make sure it isn't that,
> > but with no luck. I end up with: No Response from .
> >
> > My guess is that it's hung VTY sessions; how can I clear them with SNMP?
> >
>
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml
>
> - --
> =========
> bep

From patrick.viet at gmail.com Fri Nov 14 19:57:19 2008
From: patrick.viet at gmail.com (Patrick Viet)
Date: Sat, 15 Nov 2008 01:57:19 +0100
Subject: [c-nsp] sampled netflow on 6500
Message-ID: <947d497f0811141657r48097eabh3fcd8aeabf60978e@mail.gmail.com>

Hello everybody,

First of all, I'll introduce myself. I'm Patrick, responsible for a small French hosting network. It was formerly Foundry-based and now it has been upgraded to Cisco 6500 / SUP720-3BXL routers.

I had been using sflow up to now. It's very simplistic - and worked well for me with our in-house analysis software.

This is how it works: the headers (source+destination ip/port + packet size + protocol...) of one packet in N packets is sent to the sflow collector. The sflow collector uses this sampled data to get a big picture about what happens in the network. I like this system. It's not super accurate but accurate enough in my case, it's simple, and my software knows how to use it.

I have been reading a lot of documentation about Cisco sampled netflow, and trying out a few config parameters. But it doesn't seem to be able to work in the same way as sflow. Is this operating mode available on Cisco? Do you have any understandable pointers about this?
All I found up to now that looked like what I want is outdated stuff about Cisco 12000 and IOS 12.0.x.

BTW I'm running 12.2(18)SXF15

Thanks,
Patrick

From lukasz at bromirski.net Fri Nov 14 20:22:51 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 15 Nov 2008 02:22:51 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net>
Message-ID: <491E246B.6060306@bromirski.net>

Hank Nussbacher wrote:
> And to repeat - to the best of my knowledge the 3825 can't take 1GB of
> RAM and therefore is not an optimal solution for small multihoming. -Hank

Yes it can, table 2 here:
http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html
or in the hardware installation guide here:
http://www.cisco.com/en/US/docs/routers/access/3800/hardware/installation/guide/38comp.html#wp1008551

Also, 'been there done that - works'.

Separate idea is why you need 1GB of RAM to do multihoming, if 512MB of RAM will do even with soft-reconfig. Of course, if You're not running a lot of other things on the box, which You shouldn't.

To get to the point - ASR1002 would be the box.

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From mathew.cameron at soulaustralia.com.au Fri Nov 14 20:35:00 2008
From: mathew.cameron at soulaustralia.com.au (Mathew Cameron)
Date: Sat, 15 Nov 2008 12:35:00 +1100
Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1
Message-ID:

Guys

I am trying to design a failsafe solution for a large amount of customers. The solution is plain ethernet and I was planning to use 3750-12s switches as a router. However I read the Data Sheet from cisco and found out that it only supports 32 HSRP links.
I have tried to get the same information regarding the NPE-G1 and have turned up empty. Does anyone know what the maximum amount of HSRP links are on the G1? I think 32 might be a little too restrictive.

Many Thanks

Mat

From mksmith at adhost.com Fri Nov 14 21:26:06 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Fri, 14 Nov 2008 18:26:06 -0800
Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1
In-Reply-To:
Message-ID:

Hello Matthew:

On 11/14/08 5:35 PM, "Mathew Cameron" wrote:
> Guys
>
> I am trying to design a failsafe solution for a large amount of customers. The
> solution is plain ethernet and I was planning to use 3750-12s switches as a
> router. However I read the Data Sheet from cisco and found out that it only
> supports 32 HSRP links. I have tried to get the same information regarding the
> NPE-G1 and have turned up empty. Does anyone know what the maximum amount of
> HSRP links are on the G1? I think 32 might be a little too restrictive.

This is a YMMV answer, but I think the only limitation is 255 per each interface. By the way, you can do secondary IP addresses on the 32 HSRP ranges to your heart's content.

Regards,

Mike

From MLouis at nwnit.com Fri Nov 14 22:23:29 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 14 Nov 2008 22:23:29 -0500
Subject: [c-nsp] sampled netflow on 6500
Message-ID:

You can use sampled netflow to accomplish the same thing as sflow. Netflow v9 is based on the IPFIX std so it will offer many of its features

-----Original Message-----
From: Patrick Viet
Sent: Friday, November 14, 2008 8:00 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] sampled netflow on 6500

Hello everybody,

First of all, I'll introduce myself. I'm Patrick, responsible for a small French hosting network. It was formerly Foundry-based and now it has been upgraded to Cisco 6500 / SUP720-3BXL routers.

I had been using sflow up to now. It's very simplistic - and worked well for me with our in-house analysis software.
This is how it works: the headers (source+destination ip/port + packet size + protocol...) of one packet in N packets is sent to the sflow collector. The sflow collector uses this sampled data to get a big picture about what happens in the network. I like this system. It's not super accurate but accurate enough in my case, it's simple, and my software knows how to use it.

I have been reading a lot of documentation about Cisco sampled netflow, and trying out a few config parameters. But it doesn't seem to be able to work in the same way as sflow. Is this operating mode available on Cisco? Do you have any understandable pointers about this?

All I found up to now that looked like what I want is outdated stuff about Cisco 12000 and IOS 12.0.x.

BTW I'm running 12.2(18)SXF15

Thanks,
Patrick

From sf at lists.esoteric.ca Fri Nov 14 23:16:05 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Fri, 14 Nov 2008 23:16:05 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
Message-ID: <491E4D05.8020100@lists.esoteric.ca>

I've got an EoMPLS VC between two devices. Device A is a Cisco 3750 Metro, Device B is a ME6524.
There are some intermediary devices in between.

The VC is up on the 3750M. The VC is down on the ME6524. There is a targeted LDP session configured on both sides, both are up.

Both hosts are in OSPF Area 0, and each's /32 Loopback is seen in both the FIB and RIB.

I'm curious why the VC would be seen as up on the 3750M, but down on the ME6524. The only clue I have found is in the following snippet, the Next hop is listed as an Invalid ADDR.

ME6524#sh mpls l2transport vc 655 detail
Local interface: Vl655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: down
    Output interface: none, imposed label stack {1491 69}
    Preferred path: not configured
    Default path: active
    Next hop: Invalid ADDR   <---- ??
  Create time: 00:39:19, last status change time: 00:19:19
  Signaling protocol: LDP, peer 10.200.20.1:0 up
    MPLS VC labels: local 311, remote 69
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: *Redacted*
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 1130, send 0
    byte totals:   receive 76832, send 0
    packet drops:  receive 0, send 0

However, the 3750M's /32 is listed in the proper CEF adjacency, pointing to the correct cross-connect VLAN. The RIB entry is fine.

The ME6524 is running SXH 3a, the 3750M is running 12.2(44)SE2.

Ideas?

-- Stephen

From ray at oneunified.net Sat Nov 15 00:09:06 2008
From: ray at oneunified.net (Ray Burkholder)
Date: Sat, 15 Nov 2008 01:09:06 -0400
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To: <491E246B.6060306@bromirski.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net>
Message-ID:

> > Hank Nussbacher wrote:
> > And to repeat - to the best of my knowledge the 3825 can't take 1GB of
> > RAM and therefore is not an optimal solution for small multihoming.
> > -Hank

In Cisco's Dynamic configurator, you can upgrade from 256M to 1024M.

> > To get to the point - ASR1002 would be the box.
> > --

Are ASR1002's actually worth 3x the price of something like a 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can become 5x to 10x the price. Does it push that many extra packets that much faster?

Also, in using Cisco's Feature Navigator to compare feature sets, say ADV IP, the XE 2.2.1 line seems to lack a bunch of stuff that might be in say SRD 12.2.33 or SXH 12.2.33 like MPLS TE or further IP6 features.

Sometimes Juniper's supposedly unified feature set across all devices seems like it might have benefits for easing product selection in terms of hardware rather than fighting for software / hardware combinations. Or is that actually a strategy?

From mtinka at globaltransit.net Sat Nov 15 00:32:34 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 15 Nov 2008 13:32:34 +0800
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <491E246B.6060306@bromirski.net>
Message-ID: <200811151332.39563.mtinka@globaltransit.net>

On Saturday 15 November 2008 13:09:06 Ray Burkholder wrote:
> Sometimes Juniper's supposedly unified feature set across
> all devices seems like it might have benefits for easing
> product selection in terms of hardware rather than
> fighting for software / hardware combinations. Or is
> that actually a strategy?

It does make life easier.

Mark.
From oboehmer at cisco.com Sat Nov 15 03:40:10 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 15 Nov 2008 09:40:10 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491E4D05.8020100@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>

> I've got an EoMPLS VC between two devices. Device A is a Cisco 3750
> Metro, Device B is a ME6524. There are some intermediary devices in
> between.
>
> The VC is up on the 3750M. The VC is down on the ME6524. There is a
> targeted LDP session configured on both sides, both are up.
>
> Both hosts are in OSPF Area 0, and each's /32 Loopback is seen in
> both the FIB and RIB.
>
> I'm curious why the VC would be seen as up on the 3750M, but down on
> the ME6524. The only clue I have found is in the following snippet,
> the Next hop is listed as an Invalid ADDR.
>
> ME6524#sh mpls l2transport vc 655 detail
> Local interface: Vl655 up, line protocol up, Eth VLAN 655 up
>   Destination address: 10.200.1.8, VC ID: 655, VC status: down
>     Output interface: none, imposed label stack {1491 69}
>     Preferred path: not configured
>     Default path: active
>     Next hop: Invalid ADDR   <---- ??

you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In order for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing linecard, something which isn't possible on the fixed-configuration ME6524.. So you need to move xconnect to the physical port.

oli

From christian at qunec.net Sat Nov 15 04:09:53 2008
From: christian at qunec.net (Christian Meutes)
Date: Sat, 15 Nov 2008 10:09:53 +0100
Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance?
In-Reply-To: <20081114195705.GC29895@elvis.mu.org>
References: <20081114180240.GA4941@diveo.net.br> <20081114195705.GC29895@elvis.mu.org>
Message-ID: <480A78E89D2F8BC514E48321@tok>

Hi,

--On Friday, 14.
November 2008 11:57 -0800 bill fumerola wrote:
> redistribute routes from one protocol into another and use route-maps
> to change the metrics and route 'type' (protocol dependent) such that
> the protocol considers them equal cost.
>
> the usual warnings about route redistribution apply: using tags so loops
> don't occur and taking care not to redistribute too many routes.

won't work in most cases. Routes redistributed from IGP to BGP are better than routes learned from eBGP or iBGP - vice versa routes redistributed from BGP to IGP (OSPF, EIGRP i.e.) are seen as external and will lose in route decision if the IGP prefix is native/internal (will work if route is first learned with IGP because local redistributed routes in BGP are better). In the second case you can change metric and metric-type on redistribution to IGP and ECMP could take place then, but if the prefix is first learned from BGP and then from IGP - BGP wins and the OSPF prefix can't be used for load-sharing inside of the ASBR. Route selection in these cases is highly dependent on timing and is something I wouldn't recommend.

Cheers,
christian

From oboehmer at cisco.com Sat Nov 15 04:32:30 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 15 Nov 2008 10:32:30 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To:
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5BE@xmb-ams-333.emea.cisco.com>

Christoph Loibl wrote on Saturday, November 15, 2008 10:24:
> Hi,
>
> On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>>
>> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In
>> order for this to work on Cat65xx/Sup720, you need OSM/SIP as
>> core-facing linecard, something which isn't possible on the
>> fixed-configuration ME6524.. So you need to move xconnect to the
>> physical port.
>
> Hm.
> What is the cisco-speak "correct" name now (which in fact is not
> very intuitive): Vlan-based or SVI-based? Vlan-based is
>
> interface gigabitethernet 1/interface.subinterface
>  encapsulation dot1q vlan_id
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> This is possible on sup720 even without any fancy linecards. But SVI-
> based
>
> interface vlan 10
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but
> works fine on ME3750. Thus SVI-based (on ME3750) together with VLAN-
> based (on ME6524) should work.

Correct, sorry for ambiguous terminology..

oli

From c at tix.at Sat Nov 15 04:24:00 2008
From: c at tix.at (Christoph Loibl)
Date: Sat, 15 Nov 2008 10:24:00 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
Message-ID:

Hi,

On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>
> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In
> order
> for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing
> linecard, something which isn't possible on the fixed-configuration
> ME6524..
> So you need to move xconnect to the physical port.

Hm. What is the cisco-speak "correct" name now (which in fact is not very intuitive): Vlan-based or SVI-based? Vlan-based is

interface gigabitethernet 1/interface.subinterface
 encapsulation dot1q vlan_id
 xconnect peer_router_id vcid encapsulation mpls
!

This is possible on sup720 even without any fancy linecards. But SVI-based

interface vlan 10
 xconnect peer_router_id vcid encapsulation mpls
!

requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but works fine on ME3750. Thus SVI-based (on ME3750) together with VLAN-based (on ME6524) should work.
When configuring SVI-based EoMPLS on the ME6524 usually some kind of warning is logged ("Config not supported", or "MPLS configured on LAN interfaces" as far as I remember).

Stoffi

--
CHRISTOPH LOIBL ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mailto:c at tix.at |No trees were killed in the creation of this message.
http://www.sil.at |However, many electrons were terrible inconvenienced.
CL8-RIPE ++++++++++++++++++++++++++++++++++++ PGP-Key-ID: 0x4B2C0055 +++

From chloekcy2000 at yahoo.ca Sat Nov 15 06:57:18 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 06:57:18 -0500 (EST)
Subject: [c-nsp] tftp
Message-ID: <275687.78482.qm@web57415.mail.re1.yahoo.com>

Hi

How to copy the flash to tftp?

Can you help?

thank you

From chloekcy2000 at yahoo.ca Sat Nov 15 07:03:30 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 07:03:30 -0500 (EST)
Subject: [c-nsp] log failure logon
In-Reply-To: <491B0104.7040708@gmail.com>
Message-ID: <17285.65927.qm@web57404.mail.re1.yahoo.com>

Thank you

But I can't find this command !

I am using IOS (tm) 3700 Software (C3725-I-M), Version 12.3(6e),

router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking
router(config-line)#exit
router(config)#login ?
% Unrecognized command
router(config)#login

ghostonthewire wrote:
Hi!

Try to use "login on-failure log" command (Cisco IOS Login Enhancements feature, for further details look through http://b23.ru/6f5). Also use feature navigator to find if this feature is supported by your software image (surely doesn't work on releases prior to 12.4(19), dunno about 12.2S trains).

chloe K wrote:
> Hi
>
> I see there is command authenticate failure rate but can't find my router
>
> Now.
> how I can log the failure logon
>
> Thank you

From lukasz at bromirski.net Sat Nov 15 08:03:41 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 15 Nov 2008 14:03:41 +0100
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net>
Message-ID: <491EC8AD.2000407@bromirski.net>

Ray Burkholder wrote:
>> To get to the point - ASR1002 would be the box.
> Are ASR1002's actually worth 3x the price of something like a
> 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can
> become 5x to 10x the price. Does it push that many extra packets that much
> faster?

NPE-G2 is CPU (or - software) router. It does have capability to push 2Mpps in theory, now with new features (even with optimized CEF feature tree) it will grind down to 1.2~1.8Mpps. ASR1002 does switch traffic in hardware (via QFP on ESPs) and adding 'services' doesn't cost either any or significant slowdown in forwarding the traffic. It can push up to 7Mpps (ESP-5) or 15Mpps (ESP-10) without features like IP Multicast QoS, ACLs, QoS, uRPF, and goes down to 'only' around 4Mpps or 8Mpps respectively if those features are configured in switching path. That's a difference.
ASR1002-5G/K9, bundle with Advanced Enterprise Services and 4GB of RAM, and 4xGE ports (SFP that is) is 40k$ in GPL, and 7206VXR bundled with NPE-G2 and the same software to have IPv6/etc is 27k$. Which is 13k$ difference, not '5x to 10x the price'. And with NPE-G2 you're limited to 2GB of RAM and software packet processing which of course isn't that bad considering the fact what kind of traffic and how much of the traffic the box has to push through - it's 100Mbit/s as Magnus said on the beginning of the thread.

> Also, in using Cisco's Feature Navigator to compare feature sets, say ADV
> IP, the XE 2.2.1 line seems to lack a bunch of stuff that might be in say
> SRD 12.2.33 or SXH 12.2.33 like MPLS TE or further IP6 features.

Apart from some fancier designs, what for do you need MPLS TE on BGP peering box? It has to push packets fast, store millions of forwarding entries and have ability to protect control plane. Shouldn't that be the priority?

--
"Don't expect me to cry for all the | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From pviet at azuria.net Sat Nov 15 09:09:24 2008
From: pviet at azuria.net (Patrick Viet)
Date: Sat, 15 Nov 2008 15:09:24 +0100
Subject: [c-nsp] sampled netflow on 6500
In-Reply-To:
References:
Message-ID: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com>

On Sat, Nov 15, 2008 at 4:23 AM, Mike Louis wrote:
> You can use sampled netflow to accomplish the same thing as sflow. Netflow
> v9 is based on the IPFIX std so it will offer many of its features
>
>

Hi; are you sure about this? From what I've read it's the opposite: IPFIX has based its frame format on Netflow v9.

Any ideas about how to configure this on SUP720-3BXL with SXF15? Or do I need another IOS (SXH?)
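The sampled NetFlow setup this thread is asking about, written out as an added configuration example for a SUP720 running 12.2SX (it is not from any of the posts above, and the collector address 192.0.2.10, UDP port 2055 and Loopback0 as export source are constructed values; NDE version 9 assumes a release that supports it, otherwise version 5 applies). On the 6500 the PFC builds the flow cache in hardware and NDE exports it, so sampling is a PFC setting plus a per-interface enable rather than the `ip route-cache flow` style used on software routers:

```ios
! Catalyst 6500 / SUP720 sampled NetFlow with NetFlow Data Export (NDE).
! Added example; collector 192.0.2.10:2055 and Loopback0 are constructed.
!
! Keep full 5-tuple (src/dst IP + ports + protocol) per flow, which is the
! same header information an sFlow sample carries.
mls flow ip interface-full
!
! Sample 1 packet in 64 on the PFC; only interfaces with
! "mls netflow sampling" below are sampled, the rest stay unsampled.
mls sampling packet-based 64
!
! Export hardware (PFC) flows in NetFlow v9 format and include ingress/egress
! interface indexes in the records.
mls nde sender version 9
mls nde interface
!
! Export target and source. Sourcing from a loopback lets the collector pin
! the sender to one address; NDE is plain UDP, so keep the path inside the
! management network.
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 192.0.2.10 2055
!
! Enable sampling on the uplink(s) whose traffic should be sampled.
interface GigabitEthernet1/1
 mls netflow sampling
!
```

To check the result, `show mls sampling` shows the configured rate and the interfaces it applies to, `show mls nde` shows the export destination and version the PFC is using, and `show mls netflow ip` lists the hardware flow entries; packet counts on the collector should scale by roughly the sampling rate, which is the figure to multiply back when estimating volumes.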
Thanks, Patrick From MLouis at nwnit.com Sat Nov 15 09:12:13 2008 From: MLouis at nwnit.com (Mike Louis) Date: Sat, 15 Nov 2008 09:12:13 -0500 Subject: [c-nsp] sampled netflow on 6500 In-Reply-To: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com> References: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com> Message-ID: Sounds like I got that backwards. Here is a link to configuring netflow sampling. I don't see a lot of options in the SXH configuration guide at the moment. I will keep looking. http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/nde.html#wp1143262 From: patrick.viet at gmail.com [mailto:patrick.viet at gmail.com] On Behalf Of Patrick Viet Sent: Saturday, November 15, 2008 9:09 AM To: Mike Louis Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] sampled netflow on 6500 On Sat, Nov 15, 2008 at 4:23 AM, Mike Louis > wrote: You can use sampled netflow to accomplish the same thing as sflow. Netflow v9 is based on the ipix std so it will offer many of its features Hi ; are you sure about this ? From what I've read it's the opposite : IPFIX has based its frame format on Netflow v9. Any ideas about how to configure this on SUP720-3BXL with SXF15 ? Or do I need another IOS (SXH?) Thanks, Patrick No virus found in this incoming message. Checked by AVG - http://www.avg.com Version: 8.0.175 / Virus Database: 270.9.4/1789 - Release Date: 11/14/2008 7:32 PM ________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. 
From eduardo at intron.com.br Sat Nov 15 11:56:16 2008
From: eduardo at intron.com.br (Eduardo Ascenço Reis)
Date: Sat, 15 Nov 2008 14:56:16 -0200
Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1
In-Reply-To: 
References: 
Message-ID: <45e3c45f0811150856t63d9633dk61e1b534ceca2512@mail.gmail.com>

Hi Mathew,

2008/11/14 Mathew Cameron :
> Does anyone know what the maximum amount of HSRP links are on the G1? I
> think 32 might be a little too restrictive.

It depends on the HSRP version. Version 1 uses 8 bits to address group
numbers (0 to 255) and version 2 extends it to 12 bits, allowing you to use
the group number range from 0 to 4095. This extension also helps your life
during provisioning and troubleshooting tasks because you can use the same
ID for VLAN and HSRP v2 group.

For additional information about HSRP v2 take a look at the following URL:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html

Regards,

-- 
Eduardo Ascenço Reis

From sf at lists.esoteric.ca Sat Nov 15 11:58:07 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 11:58:07 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: 
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
Message-ID: <491EFF9F.6070201@lists.esoteric.ca>

Thanks Stoffi, Oli..

The VLAN was SVI-based on the ME6524. I've switched to VLAN-based, attached
to the outgoing interface.. The VC is not coming up, so I've included a
snippet below, in case I've missed anything. Also, there is a name Cisco
refers to adding a sub-interface for xconnect statements, while the main
interface can be trunked for passing standard VLAN's. For the life of me I
cannot remember what it is. Any ideas there?

ME6524#sh run int Gi1/10
Building configuration...

Current configuration : 464 bytes
!
interface GigabitEthernet1/10
 description Trunk to Edge device
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,305,330
 switchport mode trunk
 switchport nonegotiate
 mtu 9000
 logging event link-status
 logging event trunk-status
 logging event spanning-tree status
 logging event subif-link-status ignore-bulk
 speed 1000
 duplex full
 spanning-tree portfast trunk
 spanning-tree guard none
end

ME6524#sh run int gi1/10.655
Building configuration...

Current configuration : 112 bytes
!
interface GigabitEthernet1/10.655
 encapsulation dot1Q 655
 xconnect 10.200.1.8 655 encapsulation mpls
end

ME6524#sh mpls l2transport vc 655 detail
Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:05:18, last status change time: 00:05:18
  Signaling protocol: LDP, peer 10.200.1.8:0 up
    MPLS VC labels: local 330, remote 69
    Group ID: local 0, remote 0
    MTU: local 9000, remote 1500
    Remote interface description: MPLS Test VLAN
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

Thoughts?

-- Stephen

Christoph Loibl wrote:
> Hi,
>
> On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>>
>> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In order
>> for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing
>> linecard, something which isn't possible on the fixed-configuration
>> ME6524..
>> So you need to move xconnect to the physical port.
>
> Hm. What is the cisco-speak "correct" name now (which in fact is not
> very intuitive): Vlan-based or SVI-based?
> Vlan-based is
>
> interface gigabitethernet 1/interface.subinterface
>  encapsulation dot1q vlan_id
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> This is possible on sup720 even without any fancy linecards. But SVI-based
>
> interface vlan 10
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but
> works fine on ME3750. Thus SVI-based (on ME3750) together with
> VLAN-based (on ME6524) should work.
>
> When configuring SVI-based EoMPLS on the ME6524 usually some kind of
> warning is logged ("Config not supported", or "MPLS configured on LAN
> interfaces" as far as I remember).
>
> Stoffi
>

From michel.renfer at finecom.ch Sat Nov 15 12:09:34 2008
From: michel.renfer at finecom.ch (Michel Renfer)
Date: Sat, 15 Nov 2008 18:09:34 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>

Hi Stephen

What IOS version do you run on your 6524? Muxed UNI is supported from
12.2SR on 7600. You have to check the availability on the 6524ME
platform...

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020

cheers,
michel

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Fulton
Sent: Saturday, November 15, 2008 5:58 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] EoMPLS VC up on one side, not on the other.

Thanks Stoffi, Oli..

The VLAN was SVI-based on the ME6524. I've switched to VLAN-based,
attached to the outgoing interface.. The VC is not coming up, so I've
included a snippet below, in case I've missed anything.

[...]

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sf at lists.esoteric.ca Sat Nov 15 12:18:50 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 12:18:50 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>
Message-ID: <491F047A.4000008@lists.esoteric.ca>

Michael,

Thanks for the term, and yes it is supported according to the
documentation on SXH.

-- Stephen

Michel Renfer wrote:
> Hi Stephen
>
> What IOS version do you run on your 6524? Muxed UNI is supported from
> 12.2SR on 7600. You have to
> check the availability on the 6524ME platform...
>
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020
>
> cheers,
> michel
>
> [...]

From blahu77 at gmail.com Sat Nov 15 12:34:17 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 15 Nov 2008 17:34:17 +0000
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <383357750811150934j575c936aw9ce53cf9a6620020@mail.gmail.com>

2008/11/15 Stephen Fulton :
> Thanks Stoffi, Oli..
>
> The VLAN was SVI-based on the ME6524. I've switched to VLAN-based, attached
> to the outgoing interface.. The VC is not coming up, so I've included a
> snippet below, in case I've missed anything.

[...]

> ME6524#sh run int gi1/10.655
> Building configuration...
>
> Current configuration : 112 bytes
> !
> interface GigabitEthernet1/10.655
>  encapsulation dot1Q 655
>  xconnect 10.200.1.8 655 encapsulation mpls
> end
>
> ME6524#sh mpls l2transport vc 655 detail
> Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
>   Destination address: 10.200.1.8, VC ID: 655, VC status: down
>     Output interface: if-?(0), imposed label stack {}

Can you do "show ip route 10.200.1.8"? Also "sh run int X" to which above
route resolves?
Best Regards,

-mat

-- 
pgp-key 0x1C655CAB

From marcus at gangusinternet.com Sat Nov 15 14:23:25 2008
From: marcus at gangusinternet.com (Marcus Marinelli)
Date: Sat, 15 Nov 2008 11:23:25 -0800
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To: <491EC8AD.2000407@bromirski.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net> <491EC8AD.2000407@bromirski.net>
Message-ID: 

Łukasz,

I'm not trying to argue that the ASR is not the "better" box in the "Edge
Router" category, but I just want to remind everyone that Magnus originally
was looking for:

"smallest recommeded[sic] Cisco boxes to use for a small multihoming
solution"

With the requirements of:

- 2 full BGP views (approx 260k routes each)
- 100 Mbps bandwidth requirement. (do you have any idea of PPS?)

I think we would all agree that for the most part, an ASR 1002 is very
likely to be overkill in this situation. Sure, the VXR will slow down as
you add more features, but as you were alluding to at the end of your
email, not a whole lot of features are really likely to be necessary in
this case.

The VXR route has something going for it in this case that the ASR doesn't
- it's been around for a while, and people know them [and 'classic' IOS]
very well. You can also pick up a used 7200VXR chassis and NPE-G1 or G2 for
super cheap (<$10k for a G1 + chassis + power), and have that as a spare.

Marcus

2008/11/15 Łukasz Bromirski 

> Ray Burkholder wrote:
>
>>> To get to the point - ASR1002 would be the box.
>>
>> Are ASR1002's actually worth 3x the price of something like a
>> 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can
>> become 5x to 10x the price. Does it push that many extra packets that
>> much faster?
>
> NPE-G2 is CPU (or - software) router. It does have capability to
> push 2Mpps in theory, now with new features (even with optimized CEF
> feature tree) it will grind down to 1.2~1.8Mpps. ASR1002 does switch
> traffic in hardware (via QFP on ESPs) and adding 'services' doesn't
> cost either any or significant slowdown in forwarding the traffic.
> It can push up to 7Mpps (ESP-5) or 15Mpps (ESP-10) without features
> like IP Multicast QoS, ACLs, QoS, uRPF, and goes down to 'only'
> around 4Mpps or 8Mpps respectively if those features are configured
> in switching path. That's a difference.
>
> ASR1002-5G/K9, bundle with Advanced Enterprise Services and 4GB of RAM,
> and 4xGE ports (SFP that is) is 40k$ in GPL, and 7206VXR bundled with
> NPE-G2 and the same software to have IPv6/etc is 27k$. Which is 13k$
> difference, not '5x to 10x the price'. And with NPE-G2 you're limited to
> 2GB of RAM and software packet processing which of course isn't that
> bad considering the fact what kind of traffic and how much of the
> traffic the box has to push through - it's 100Mbit/s as Magnus said
> on the beginning of the thread.
>
>> Also, in using Cisco's Feature Navigator to compare feature sets, say ADV
>> IP, the XE 2.2.1 line seems to lack a bunch of stuff that might be in say
>> SRD 12.2.33 or SXH 12.2.33 like MPLS TE or further IP6 features.
>
> Apart from some fancier designs, what for do you need MPLS TE on BGP
> peering box? It has to push packets fast, store millions of forwarding
> entries and have ability to protect control plane. Shouldn't that
> be the priority?
>
> -- 
> "Don't expect me to cry for all the | Łukasz Bromirski
> reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From chloekcy2000 at yahoo.ca Sat Nov 15 15:33:51 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 15:33:51 -0500 (EST)
Subject: [c-nsp] tftp
In-Reply-To: <200811152253.14374.mtinka@globaltransit.net>
Message-ID: <770379.30691.qm@web57402.mail.re1.yahoo.com>

Yes, it works.

How can I verify the flash?

Thank you

Mark Tinka wrote:
> On Saturday 15 November 2008 19:57:18 chloe K wrote:
>> Hi
>>
>> How to copy the flash to tftp?
>
> #copy flash: tftp:
>
> Cheers,
>
> Mark.

From eng_mssk at hotmail.com Sat Nov 15 15:38:59 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sat, 15 Nov 2008 22:38:59 +0200
Subject: [c-nsp] tftp
In-Reply-To: <275687.78482.qm@web57415.mail.re1.yahoo.com>
References: <275687.78482.qm@web57415.mail.re1.yahoo.com>
Message-ID: 

You have to install a TFTP server on your PC (SolarWinds or any other) and
issue the command

copy flash: tftp:

You have to issue the command dir or show version to take the IOS image you
want to copy, and make sure of the connectivity between your PC and the
router (disable Windows firewall and if you have an ASA or PIX or any other
firewall, make sure to allow the TFTP UDP port).

Thanks

> Date: Sat, 15 Nov 2008 06:57:18 -0500
> From: chloekcy2000 at yahoo.ca
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] tftp
>
> Hi
>
> How to copy the flash to tftp?
>
> Can you help?
>
> thank you
From chloekcy2000 at yahoo.ca Sat Nov 15 15:46:48 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 15:46:48 -0500 (EST)
Subject: [c-nsp] tftp
In-Reply-To: 
Message-ID: <308621.39554.qm@web57412.mail.re1.yahoo.com>

Thank you, but I can verify the flash is good

Thank you

Mohammad Khalil wrote:
> You have to install a TFTP server on your PC (SolarWinds or any other) and
> issue the command
>
> copy flash: tftp:
>
> [...]

From rubensk at gmail.com Sat Nov 15 16:30:19 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sat, 15 Nov 2008 19:30:19 -0200
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>

> Signaling protocol: LDP, peer 10.200.1.8:0 up
> MPLS VC labels: local 330, remote 69
> Group ID: local 0, remote 0
> MTU: local 9000, remote 1500

Try matching the MTU of both ends. Be aware that 3750 has both global
and local MTU, and global MTU change on the 3750 requires a reload.

Rubens

From sf at lists.esoteric.ca Sat Nov 15 16:36:03 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 16:36:03 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
Message-ID: <491F40C3.50805@lists.esoteric.ca>

Thanks Rubens,

I totally missed that when I reconfigured for mux uni. The VC is now up,
and I can pass traffic each way.

Thanks :)

-- Stephen

Rubens Kuhl Jr. wrote:
>> Signaling protocol: LDP, peer 10.200.1.8:0 up
>> MPLS VC labels: local 330, remote 69
>> Group ID: local 0, remote 0
>> MTU: local 9000, remote 1500
>
> Try matching the MTU of both ends. Be aware that 3750 has both global
> and local MTU, and global MTU change on the 3750 requires a reload.
>
>
> Rubens

From gert at greenie.muc.de Sat Nov 15 17:09:12 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 15 Nov 2008 23:09:12 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <20081115220912.GA8535@greenie.muc.de>

Hi,

On Sat, Nov 15, 2008 at 11:58:07AM -0500, Stephen Fulton wrote:
> MTU: local 9000, remote 1500

Welcome to EoMPLS hell.

If MTUs do not match, the VC won't come up. And you can't change the
"raw" MTU on a dot1q subinterface.

I seem to remember that there is a knob in recent SR* IOS trains that
permits you to ignore MTU mismatches, but I have forgotten the details -
Ytti will know all the details (how to configure it plus availability).

Workaround: make sure the "base interface" MTU is the same on both sides
("gig 0/1", with no ".123").

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From sf at lists.esoteric.ca Sat Nov 15 17:53:42 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 17:53:42 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <20081115220912.GA8535@greenie.muc.de>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de>
Message-ID: <491F52F6.1010200@lists.esoteric.ca>

Gert,

When I decided to get into the networking field, I knew that MTU was the
bane of the industry, I just did not realize I'd still be dealing with it
years later :) EoMPLS hell, indeed.

If Ytti's reading, I'd like to know what those details are too. Right now I
have 7600/RSP720's in the core, not the edge, so it is of limited use to me
right now, but it's worth knowing, especially when I roll out VPLS. I *do*
wish that I could change the MTU of SVI's on the 3750 Metro, like I can do
on the 7600/RSP7200 SR train. *hint hint*..

Anyway, thanks all :)

-- Stephen

Gert Doering wrote:
> Hi,
>
> On Sat, Nov 15, 2008 at 11:58:07AM -0500, Stephen Fulton wrote:
>> MTU: local 9000, remote 1500
>
> Welcome to EoMPLS hell.
>
> If MTUs do not match, the VC won't come up. And you can't change the
> "raw" MTU on a dot1q subinterface.
>
> I seem to remember that there is a knob in recent SR* IOS trains that
> permits you to ignore MTU mismatches, but I have forgotten the details -
> Ytti will know all the details (how to configure it plus availability).
>
> Workaround: make sure the "base interface" MTU is the same on both sides
> ("gig 0/1", with no ".123").
>
> gert

From blahu77 at gmail.com Sat Nov 15 18:22:52 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 15 Nov 2008 23:22:52 +0000
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
Message-ID: <383357750811151522x329525b0i8c26245e6e8ff1be@mail.gmail.com>

2008/11/15 Rubens Kuhl Jr. :
>> Signaling protocol: LDP, peer 10.200.1.8:0 up
>> MPLS VC labels: local 330, remote 69
>> Group ID: local 0, remote 0
>> MTU: local 9000, remote 1500
>
> Try matching the MTU of both ends. Be aware that 3750 has both global
> and local MTU, and global MTU change on the 3750 requires a reload.

Right, I missed that - as the OP listing had the MTU correct. Sometimes
you look but you don't see.

Best Regards,

-mat

-- 
pgp-key 0x1C655CAB

From mtinka at globaltransit.net Sat Nov 15 09:53:09 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 15 Nov 2008 22:53:09 +0800
Subject: [c-nsp] tftp
In-Reply-To: <275687.78482.qm@web57415.mail.re1.yahoo.com>
References: <275687.78482.qm@web57415.mail.re1.yahoo.com>
Message-ID: <200811152253.14374.mtinka@globaltransit.net>

On Saturday 15 November 2008 19:57:18 chloe K wrote:
> Hi
>
> How to copy the flash to tftp?

#copy flash: tftp:

Cheers,

Mark.

From mtinka at globaltransit.net Sat Nov 15 18:39:28 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 16 Nov 2008 07:39:28 +0800
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <20081115220912.GA8535@greenie.muc.de>
References: <491E4D05.8020100@lists.esoteric.ca> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de>
Message-ID: <200811160739.33412.mtinka@globaltransit.net>

On Sunday 16 November 2008 06:09:12 Gert Doering wrote:
> I seem to remember that there is a knob in recent SR* IOS
> trains that permits you to ignore MTU mismatches, but I
> have forgotten the details - Ytti will know all the details
> (how to configure it plus availability).

You might want to check this out:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

Cheers,

Mark.
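As an added example (not code from any of the posters), here is a Python checker for the failure mode this thread tracked down: it parses "show mpls l2transport vc <id> detail" output and names the cause when a VC is down. The first sample is the output Stephen posted; the second is a constructed variant of the same VC after the MTUs were matched. The regexes follow the IOS output wording shown in this thread, so other trains may need them adjusted.

```python
"""Checker for Cisco IOS 'show mpls l2transport vc <id> detail' output.
Flags the failure mode this thread converged on: LDP up and VC labels
exchanged, yet the VC stays down because the attachment-circuit MTUs differ."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample reproducing the output posted in the thread (VC down).
SAMPLE_DOWN = """\
ME6524#sh mpls l2transport vc 655 detail
Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Signaling protocol: LDP, peer 10.200.1.8:0 up
    MPLS VC labels: local 330, remote 69
    Group ID: local 0, remote 0
    MTU: local 9000, remote 1500
    Remote interface description: MPLS Test VLAN
"""

# Constructed sample of the same VC after the remote MTU was raised to match.
SAMPLE_UP = """\
Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: up
    Output interface: Gi1/1, imposed label stack {17 69}
  Signaling protocol: LDP, peer 10.200.1.8:0 up
    MPLS VC labels: local 330, remote 69
    MTU: local 9000, remote 9000
"""

@dataclass
class VcDetail:
    local_if: str
    local_if_state: str
    line_protocol: str
    peer: str
    vc_id: int
    status: str
    ldp_peer_state: Optional[str]
    local_label: Optional[str]
    remote_label: Optional[str]
    mtu_local: Optional[int]
    mtu_remote: Optional[int]

_RE_LOCAL = re.compile(r"Local interface: (\S+) (\w+), line protocol (\w+)")
_RE_DEST = re.compile(r"Destination address: (\S+), VC ID: (\d+), VC status: (\w+)")
_RE_SIG = re.compile(r"Signaling protocol: \w+, peer \S+ (\w+)")
_RE_LABELS = re.compile(r"MPLS VC labels: local (\S+), remote (\S+)")
_RE_MTU = re.compile(r"MTU: local (\d+), remote (\d+)")

def parse_vc_detail(text: str) -> List[VcDetail]:
    """Split the capture into one block per 'Local interface:' line and parse each."""
    vcs: List[VcDetail] = []
    for block in re.split(r"(?m)^(?=Local interface:)", text):
        m_local, m_dest = _RE_LOCAL.search(block), _RE_DEST.search(block)
        if not (m_local and m_dest):
            continue  # prompt line or empty leading block
        m_sig, m_lab, m_mtu = _RE_SIG.search(block), _RE_LABELS.search(block), _RE_MTU.search(block)
        vcs.append(VcDetail(
            local_if=m_local.group(1), local_if_state=m_local.group(2), line_protocol=m_local.group(3),
            peer=m_dest.group(1), vc_id=int(m_dest.group(2)), status=m_dest.group(3),
            ldp_peer_state=m_sig.group(1) if m_sig else None,
            local_label=m_lab.group(1) if m_lab else None,
            remote_label=m_lab.group(2) if m_lab else None,
            mtu_local=int(m_mtu.group(1)) if m_mtu else None,
            mtu_remote=int(m_mtu.group(2)) if m_mtu else None,
        ))
    return vcs

def diagnose(vc: VcDetail) -> List[str]:
    """Return findings for a VC that is not up; an empty list means healthy."""
    findings: List[str] = []
    if vc.status == "up":
        return findings
    if vc.local_if_state != "up" or vc.line_protocol != "up":
        findings.append(f"VC {vc.vc_id}: attachment circuit {vc.local_if} is "
                        f"{vc.local_if_state}/{vc.line_protocol}")
    if vc.ldp_peer_state != "up":
        findings.append(f"VC {vc.vc_id}: LDP session to {vc.peer} is not up")
    if vc.local_label in (None, "unassigned") or vc.remote_label in (None, "unassigned"):
        findings.append(f"VC {vc.vc_id}: VC labels not exchanged yet")
    if vc.mtu_local is not None and vc.mtu_remote is not None and vc.mtu_local != vc.mtu_remote:
        # Labels exchanged and LDP up, yet down: the interface parameters carried
        # in the label mapping disagree, here the MTU (the case in this thread).
        findings.append(f"VC {vc.vc_id}: MTU mismatch, local {vc.mtu_local} vs remote "
                        f"{vc.mtu_remote}; match the base interface MTU on both sides")
    if not findings:
        findings.append(f"VC {vc.vc_id}: down, cause not visible in this output")
    return findings

def diagnose_all(text: str) -> List[str]:
    """Parse a whole 'show ... detail' capture and report every finding."""
    return [f for vc in parse_vc_detail(text) for f in diagnose(vc)]
```

Run diagnose_all() over a capture from each end of the pseudowire; the sample above yields exactly one finding, the 9000/1500 mismatch.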
URL: From frnkblk at iname.com Sat Nov 15 21:53:44 2008 From: frnkblk at iname.com (Frank Bulk) Date: Sat, 15 Nov 2008 20:53:44 -0600 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: <20081112131949.GA9101@bts.sk> References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> <20081112131949.GA9101@bts.sk> Message-ID: We did this on a Cisco 7206VXR running 12.2(26) to regain several percentage points of CPU....definitely worth it. Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marian Durkovic Sent: Wednesday, November 12, 2008 7:20 AM To: William Cc: cisco-nsp Subject: Re: [c-nsp] High CPU on 3750G-24-TS On Wed, Nov 12, 2008 at 11:48:00AM +0000, William wrote: > We currently use ip igmp join-group x.x.x.x under the vlan interface. This is exactly the problem. "ip igmp join-group" causes all multicast packets for this group to be forwarded also to the CPU. You need to use "ip igmp static-group" instead - then the packets are only forwared to the specified interface, but not copied to the CPU. With kind regards, M. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From spinthiras.mario at gmail.com Sun Nov 16 00:00:06 2008 From: spinthiras.mario at gmail.com (Mario Spinthiras) Date: Sun, 16 Nov 2008 07:00:06 +0200 Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking? In-Reply-To: <20081114133928.3C7816F064@alopias.GreenKey.net> References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> <034e01c945fb$52df6610$f89e3230$@id.au> <20081114133928.3C7816F064@alopias.GreenKey.net> Message-ID: <4f890e580811152100s36e3c525habfee1387624a728@mail.gmail.com> Do you want to do trunking or manage vlans automatically over a trunk? Dot1Q should take care of the trunk part. 
I could have sworn I've used GVRP on a 3560 before but I am not sure, it could have been a 3570 or something.

Regards,
Mario.

From sammw70 at hotmail.com Sun Nov 16 04:05:31 2008
From: sammw70 at hotmail.com (Sim Meng Wai)
Date: Sun, 16 Nov 2008 17:05:31 +0800
Subject: [c-nsp] log failure logon
In-Reply-To: <17285.65927.qm@web57404.mail.re1.yahoo.com>
References: <491B0104.7040708@gmail.com> <17285.65927.qm@web57404.mail.re1.yahoo.com>
Message-ID:

Hi,

I believe you require version 12.4.

Rack1R1(config)#login ?
  block-for   Set quiet-mode active time period
  delay       Set delay between successive fail login
  on-failure  Set options for failed login attempt
  on-success  Set options for successful login attempt
  quiet-mode  Set quiet-mode options

Rack1R1#sh ver
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(10a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 11-Oct-06 20:52 by prod_rel_team

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Rack1R1 uptime is 2 weeks, 5 days, 10 hours, 7 minutes
System returned to ROM by reload
System image file is "flash:c3640-jk9o3s-mz[1].124-10a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.
Cisco 3640 (R4700) processor (revision 0x00) with 122880K/8192K bytes of memory.

Rgds,
Sam

> Date: Sat, 15 Nov 2008 07:03:30 -0500
> From: chloekcy2000 at yahoo.ca
> To: ghostonthewire at gmail.com
> CC: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] log failure logon
>
> Thank you
>
> But I can't find this command !
>
> I am using IOS (tm) 3700 Software (C3725-I-M), Version 12.3(6e),
>
> router#config t
> Enter configuration commands, one per line. End with CNTL/Z.
> router(config)#line vty 0 4
> router(config-line)#login ?
>   local   Local password checking
>   tacacs  Use tacacs server for password checking
>
> router(config-line)#exit
> router(config)#login ?
> % Unrecognized command
> router(config)#login
>
> ghostonthewire wrote:
> Hi!
>
> Try to use "login on-failure log" command (Cisco IOS Login Enhancements
> feature, for further details look through http://b23.ru/6f5). Also use
> feature navigator to find if this feature supported by your software
> image (surely doesn't work on releases prior to 12.4(19), dunno about
> 12.2S trains).
>
> chloe K wrote:
> > Hi
> >
> > I see there is command authenticate failure rate but can't find my router
> >
> > Now. how I can log the failure logon
> >
> > Thank you
From jabley at hopcount.ca Sun Nov 16 09:36:33 2008
From: jabley at hopcount.ca (Joe Abley)
Date: Sun, 16 Nov 2008 09:36:33 -0500
Subject: [c-nsp] c2924XL fail
Message-ID: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>

Hi all,

I have an old, slightly nasty c2924XL switch in my basement. It has been sitting there unplugged for some time, and just got pulled out of the cupboard and powered up because the switch I was using failed.

Every hour or so, the switch is rebooting. The following are examples of what I see on the console. Is this switch toast, or is there some software/configuration remedy to whatever is causing this reload? It seems to happen every hour or so that the switch is under any kind of load.

Joe

isco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

%Software-forced reload
Preparing to dump core...

Buffered messages:

00:00:38: %SYS-5-CONFIG: Configured from NVRAM by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino
00:19:37: Frame Invalid Detected on Del Mar 2 port mask = 0x10

Queued messages:

00:19:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:19:37: Frame Invalid Detected on Del Mar 2 port mask = 0x10

Exception (8192)!
Debug Exception (Could be NULL pointer dereference)

CPU Register Context:
Vector = 0x00002000  PC  = 0x001E4220  MSR = 0x00029200  CR  = 0x22000020
LR     = 0x001E4214  CTR = 0x0016057C  XER = 0x20000000
R0  = 0x001E4214  R1  = 0x0053CB08  R2  = 0x00000000  R3  = 0x00000000
R4  = 0x0000002F  R5  = 0x000003E8  R6  = 0x0053C768  R7  = 0x00000000
R8  = 0x00480000  R9  = 0x00450000  R10 = 0x001200BB  R11 = 0x00029200
R12 = 0x001200EA  R13 = 0x00000000  R14 = 0x00000000  R15 = 0x00000000
R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
R20 = 0x00000000  R21 = 0x00000000  R22 = 0x00000000  R23 = 0x00000000
R24 = 0x00000000  R25 = 0x00000000  R26 = 0x00000000  R27 = 0x00000000
R28 = 0x00000000  R29 = 0x00450000  R30 = 0x00000002  R31 = 0x00000000

Stack trace:
PC = 0x001E4220, SP = 0x0053CB08
Frame 00: SP = 0x0053CB18  PC = 0x001E4214
Frame 01: SP = 0x0053CB38  PC = 0x001061DC
Frame 02: SP = 0x0053CB58  PC = 0x000E9B64
Frame 03: SP = 0x00000000  PC = 0x001EB510

Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

s1.yxu1 uptime is 19 minutes, 40 seconds
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.

C2900XL Boot Loader (C2900-HBOOT-M) Version 11.2(8.2)SA6, MAINTENANCE INTERIM SOFTWARE
Compiled Wed 23-Jun-99 18:03 by boba
starting...
Base ethernet MAC Address: 00:30:94:e4:73:40
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 7 files, 1 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 1827328
flashfs[0]: Bytes available: 1785344
flashfs[0]: flashfs fsck took 4 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2900xl-c3h2s-mz.120-5.WC17.bin"...#####################################################################################################################################################################################
File "flash:c2900xl-c3h2s-mz.120-5.WC17.bin" uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino
Image text-base: 0x00003000, data-base: 0x00352924

Initializing C2900XL flash...
flashfs[1]: 7 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 3612672
flashfs[1]: Bytes used: 1827328
flashfs[1]: Bytes available: 1785344
flashfs[1]: flashfs fsck took 6 seconds.
flashfs[1]: Initialization complete.
...done Initializing C2900XL flash.
C2900XL POST: System Board Test: Passed
C2900XL POST: Daughter Card Test: Passed
C2900XL POST: CPU Buffer Test: Passed
C2900XL POST: CPU Notify RAM Test: Passed
C2900XL POST: CPU Interface Test: Passed
C2900XL POST: Testing Switch Core: Passed
C2900XL POST: Testing Buffer Table: Passed
C2900XL POST: Data Buffer Test: Passed
C2900XL POST: Configuring Switch Parameters: Passed
C2900XL POST: Ethernet Controller Test: Passed
C2900XL POST: MII Test: Passed
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAA0350H0NF, with hardware revision 0x03
Last reset from warm-reset

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:94:E4:73:40
Motherboard assembly number: 73-3425-10
Power supply part number: 34-0920-01
Motherboard serial number: FAA03479HEM
Power supply serial number: PAC03460090
Model revision number: A0
Model number: WS-C2924M-XL-EN
System serial number: FAA0350H0NF^G

Press RETURN to get started!

C2900XL INIT: Complete
00:00:38: %SYS-5-CONFIG: Configured from NVRAM by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

From paul at paulstewart.org Sun Nov 16 11:20:28 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 16 Nov 2008 11:20:28 -0500
Subject: [c-nsp] c2924XL fail
In-Reply-To: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>
Message-ID: <000001c94807$43fa5520$cbeeff60$@org>

Hi Joe ;)

Anytime we've run across this on 2924's we have replaced them. Have seen a couple of instances over time with IOS bugs on them but mainly memory leaks due to SNMP. See you're running the latest code and we have that same code on a couple dozen 2924's at remote sites with no issues. Sorry, sounds like time to replace in my opinion....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Abley
Sent: November 16, 2008 9:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] c2924XL fail

Hi all,

I have an old, slightly nasty c2924XL switch in my basement.
From snar at snar.spb.ru Sun Nov 16 12:05:06 2008
From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Sun, 16 Nov 2008 20:05:06 +0300
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <200811160739.33412.mtinka@globaltransit.net>
References: <491E4D05.8020100@lists.esoteric.ca> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de> <200811160739.33412.mtinka@globaltransit.net>
Message-ID: <20081116170506.GA55178@snar.spb.ru>

On Sun, Nov 16, 2008 at 07:39:28AM +0800, Mark Tinka wrote:
>
> > I seem to remember that there is a knob in recent SR* IOS
> > trains that permits you to ignore MTU mismatches, but I
> > have forgotten the details - Ytti will know all the details
> > (how to configure it plus availability).
>
> You might want to check this out:
>
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

Cisco IOS Release 12.2(33)SRC introduces the ability to specify MTU values in xconnect subinterface configuration mode.

So, that's for 12.2(33)SRC, and SRC is incompatible with 65xx, mentioned in original question... Welcome to Cisco BU split hell :)

From wim.holemans at ua.ac.be Sun Nov 16 13:17:55 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Sun, 16 Nov 2008 19:17:55 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>

Could you/someone elaborate on 'failure of one part is a failure of the stack'? I thought Cisco just pushed this construction to get more redundancy/uptime in the network?

We were planning to replace some single switches with a lot of dual-line channels with a cluster of 2 of these 36xx or 37xx switches so we could split the channels over 2 switches and still have connection when one of the switches failed. Reading the recent negative comments on switch stacking I start wondering if this is a wise decision...

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jamie rishaw
Sent: Friday 14 November 2008 20:55
To: Dale Shaw
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

Yeah..

Replace them. With Chassis(es).

Stacks are just a bad idea. Failure of one part of the stack is a failure of the stack.

A 65xx serves just as well, better even; cheaper, more reliably, and with less BS..

I'm in the middle of tossing (however many letters are, inclusive, between a and s) stacks, moving to 65xx chassis(es) with 10/100 // triplespeed blades...
moving to paired '09's.

Cue the happy singing birds and obama 'yes we chassis' glory in 3.. 2.. 1..

-j

On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw wrote:
> Hi all,
>
> We have a few large (>6 member) cat3750 stacks in our environment,
> most in L2 edge/access roles, and most providing PoE to cisco IP
> phones.

--
..!google!arpa.com!j

From pshem.k at gmail.com Sun Nov 16 16:20:25 2008
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Mon, 17 Nov 2008 10:20:25 +1300
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
Message-ID: <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>

Hi,

2008/11/17 Holemans Wim :
> Could you/someone elaborate on 'failure of one part is a failure of the
> stack' ?

Usually it means that if a single device falls over the whole stack goes.

> I thought Cisco just pushed this construction to get more
> redundancy/uptime in the network ?

I believe that despite the idea being quite good the implementation was always troubled with issues and never actually lived up to the expectations.

> We were planning to replace some single switches with a lot of dual-line
> channels with a cluster of 2 of these 36xx or 37xx switches so we could
> split the channels over 2 switches and still have connection when one of
> the switches failed. Reading the recent negative comments on switch
> stacking I start wondering if this is a wise decision...

Over the years we've seen multiple issues with stacked switches:

1. Random reloads of the stack (usually snmp would report a high CPU use just before, but not always)
2. Unidirectional forwarding through vlans spanning multiple elements of the stack.
3. Mac address issues - stale mac not timing out properly, inability to learn a new mac.
4. Master election issues when the stack boots. Whether it was a race condition or wrong alignment of the planets - every now and then we would get a stack with multiple master switches that would refuse to talk to the rest of the stack.

As a result of that we do not put stacks any more. If we need more ports we simply join them using ethernet cables (and etherchannels) and manage independently of each other.

kind regards
Pshem

From mtinka at globaltransit.net Sun Nov 16 20:09:48 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 17 Nov 2008 09:09:48 +0800
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be> <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>
Message-ID: <200811170909.49193.mtinka@globaltransit.net>

On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:

> As a result of that we do not put stacks any more. If we
> need more ports we simply join them using ethernet cables
> (and etherchannels) and manage independently of each
> other.

It has always been my personal opinion that inter-switch trunking or migrating to a small, single-chassis, multi-line-card based platform (e.g., 6504-E) would offer far less headache than Stacking, and keep things simple.

Given the feedback from folk on this thread so far, I think we did well to avoid stacks.

Mark.
From patrick.viet at gmail.com Sun Nov 16 20:23:16 2008
From: patrick.viet at gmail.com (Patrick Viet)
Date: Mon, 17 Nov 2008 02:23:16 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
Message-ID: <947d497f0811161723u3ce6d8eq96b85a7684cd631d@mail.gmail.com>

3750 Stacks work pretty well for me. But CDP is definitely crap. I remember forgetting to disable it once on a 6500; and the BGP wouldn't work anymore.

The problem is not the stack; the problem is CDP...

Patrick

From mtinka at globaltransit.net Sun Nov 16 20:40:19 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 17 Nov 2008 09:40:19 +0800
Subject: [c-nsp] c2924XL fail
In-Reply-To: <000001c94807$43fa5520$cbeeff60$@org>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca> <000001c94807$43fa5520$cbeeff60$@org>
Message-ID: <200811170940.24217.mtinka@globaltransit.net>

On Monday 17 November 2008 00:20:28 Paul Stewart wrote:

> See you're running the latest code and we have that same
> code on a couple dozen 2924's at remote sites with no
> issues. Sorry, sounds like time to replace in my
> opinion....

The 2924XL's have also been notoriously known for losing ports more often than anyone would like (ESD).

However, this is a known issue:

* CSCdm13915

Mark.

From risnaini at indo.net.id Sun Nov 16 21:41:51 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Mon, 17 Nov 2008 09:41:51 +0700
Subject: [c-nsp] c2924XL fail
In-Reply-To: <200811170940.24217.mtinka@globaltransit.net>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca> <000001c94807$43fa5520$cbeeff60$@org> <200811170940.24217.mtinka@globaltransit.net>
Message-ID: <4920D9EF.7000602@indo.net.id>

Other thing, 2924XL is more fragile against power source failure compared to 3508/3524: IOS crash or port will not function normally.

a. r. isnaini rangkayo sutan

Mark Tinka wrote:
> On Monday 17 November 2008 00:20:28 Paul Stewart wrote:
>
>> See you're running the latest code and we have that same
>> code on a couple dozen 2924's at remote sites with no
>> issues. Sorry, sounds like time to replace in my
>> opinion....
>
> The 2924XL's have also been notoriously known for losing
> ports more often than anyone would like (ESD).
>
> However, this is a known issue:
>
> * CSCdm13915
>
> Mark.

From ianh at chime.net.au Sun Nov 16 22:30:44 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Mon, 17 Nov 2008 12:30:44 +0900
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To:
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID: <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>

jamie rishaw wrote on 2008-11-15:
> Replace them. With Chassis(es).
>
> Stacks are just a bad idea.

Cannot agree more.
The problems we've seen with stacks seem mostly related to a master crash. If the master disappears, the slaves wouldn't perform a re-election. Also, the stacking cables seem very fragile - even if they are screwed in properly, a bump can cause the stack to go haywire.

As many others have said, use the chassis individually. If you really need more bandwidth between devices than an Etherchannel of two to four GigE can give you, the 3750 is probably not the platform you're after.

If you're looking for ease of management, use RANCID's 'clogin' and some crafty bash. For example, create a new VLAN on ten switches (I'll ignore the fact VTP can do this for you):

for switch in `seq 1 10`
do
    clogin -C 'conf t; vlan 123; name new_vlan; end; copy run start' sw-$switch.foobar.com
done

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From bbasler at cisco.com Sun Nov 16 22:56:54 2008
From: bbasler at cisco.com (Ben Basler (bbasler))
Date: Sun, 16 Nov 2008 19:56:54 -0800
Subject: [c-nsp] SXI out
In-Reply-To: <491C6E85.7060102@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk> <491C2AA3.6070808@imperial.ac.uk> <491C6E85.7060102@imperial.ac.uk>
Message-ID:

6VPE configuration (6VPE support IS listed in the release notes):
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html#wp1056143

IPv6 feature support overview (to be updated with SXI information):
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html

Maintenance support policy SXH/SXI:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_bulletin0900aecd804f0694.html

Cheers,
Ben

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Thursday, November 13, 2008 10:14 AM
> To: Hroi Sigurdsson
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SXI out
>
> Phil Mayers wrote:
> > Hroi Sigurdsson wrote:
> >> Jared Mauch wrote:
> >>> It appears cisco released SXI already.
> >>>
> >>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
> >>>
> >>
> >> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real
> >> or just a tease?
> >
> > It would appear not:
>
> Oh wait - no, it would in fact appear so:
>
> mls ipv6 vrf
>
> ...sneaky command you have to type in, then the IPv6 vrf commands
> become available.
>
> Neat-o!

From danletkeman at gmail.com Sun Nov 16 23:02:16 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 16 Nov 2008 22:02:16 -0600
Subject: [c-nsp] routing email domain
Message-ID:

Hello,

Is there any way to route different email traffic by each domain name?

eg: make email from @domain1.com go out route 1.1.1.1 and email from @domain2.com go out route 2.2.2.2

All of this email traffic is coming from the same email server.

Dan.

From p_ambedkar at rediffmail.com Sun Nov 16 23:40:26 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 17 Nov 2008 04:40:26 -0000
Subject: [c-nsp] 6500-sup-stdby
Message-ID: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com>

Hi,

I am using the following confregs,

          SP       RP
Main      0x2102   0x2102
Standby   0x102    0x2102

According to 6509 Doc the above confregs are recommended.

One more thing, one of our members gave the solution to FORMAT the flash, but I am a little bit confused with the following...

format <[m/]device1:>

CAT_1> (enable) sh flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff b0b70a41  cd1ec0   26 12918336 Mar 23 2004 16:48:55 cat6000-sup2cvk9.8-1-3.bin

19063104 bytes available (12918464 bytes used)

Can anybody guide me how to format the flash?

On Thu, 13 Nov 2008 maureen schaar wrote :
>If you still have the problem, maybe you can try something, since I
>once had a similar problem. There may be a discrepancy between the
>confreg on the RP and the SP. You need to set the confreg again. Even
>though the remote command switch show bootvar command displayed the
>right confreg in the SP in my situation, I was still returned to
>rommon. After setting the confreg in the RP, the problem was resolved.
>See also http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008072c406.shtml#sup_sub_3
>
>Hope this helps.
>
>Maureen
>
>
>On Tue, Nov 11, 2008 at 4:14 PM, Pete S. wrote:
> > Also, make sure the flash was formatted by the chassis it's currently in.
> > There was an issue where, if formatted in another chassis, the flash could
> > be read, but not booted from, resulting in a boot to rommon where you have
> > to manually enter the boot command.
> >
> >
> > --Pete
> >
> >
> > On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote:
> >
> >>
> >> Hi, I am using Cisco 6509 with two sup engines. sup1 is main and sup2
> >> is standby. The problem is sup2 is not booting automatically when the
> >> system is switched ON. It is going to rommon mode, where we have to
> >> type boot command so that it will boot. After booting, boot variable
> >> is missing. If we set the boot variable, it will show the boot variable
> >> but it is temporary.
> >>
> >> Again we switched OFF and ON, the same situation is there. I tried a
> >> lot, please help me. Some details are here...
> >>
> >> Before sup2:
> >>
> >> CAT_1> (enable) sh mod
> >> Mod Slot Ports Module-Type               Model               Sub Status
> >> --- ---- ----- ------------------------- ------------------- --- --------
> >> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> >> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> >> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
> >>
> >>
> >> After sup2:
> >>
> >> CAT_1> (enable) sh mod
> >> Mod Slot Ports Module-Type               Model               Sub Status
> >> --- ---- ----- ------------------------- ------------------- --- --------
> >> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> >> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
> >> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> >> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
> >>
> >>
> >> bye.

From sethm at rollernet.us Mon Nov 17 02:35:54 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 16 Nov 2008 23:35:54 -0800
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <200811170909.49193.mtinka@globaltransit.net>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be> <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com> <200811170909.49193.mtinka@globaltransit.net>
Message-ID: <49211EDA.7020506@rollernet.us>

Mark Tinka wrote:
> On Monday
17 November 2008 05:20:25 Pshem Kowalczyk wrote: > >> As a result of that we do not put stacks any more. If we >> need more ports we simply join them using ethernet cables >> (and etherchannels) and manage independently of each >> other. > > It has always been my personal opinion that inter-switch > trunking or migrating to a small, single-chassis, > multi-line-card based platform (e.g., 6504-E) would offer > far less headache than Stacking, and keep things simple. > > Given the feedback from folk on this thread so far, I think > we did well to avoid stacks. > Out of curiosity, I never see the 4500 chassis mentioned; why is that? ~Seth From elmi at 4ever.de Mon Nov 17 03:10:58 2008 From: elmi at 4ever.de (Elmar K. Bins) Date: Mon, 17 Nov 2008 09:10:58 +0100 Subject: [c-nsp] routing email domain In-Reply-To: References: Message-ID: <20081117081057.GH93039@ronin.4ever.de> Re Dan, danletkeman at gmail.com (Dan Letkeman) wrote: > Is there any way to route different email traffic by each domain name? eg: This is off-topic on this list, so a brief answer: Yes, modern MTAs give you the opportunity to match header fields and envelope info and select a smarthost accordingly. You may want to check out the documentation to, e.g., exim. Elmar. From p_ambedkar at rediffmail.com Mon Nov 17 03:20:47 2008 From: p_ambedkar at rediffmail.com (ambedkar ) Date: 17 Nov 2008 08:20:47 -0000 Subject: [c-nsp] Network Magazine Message-ID: <20081117082047.26415.qmail@f4mail-235-149.rediffmail.com> ? Hi, i want to subscribe to magazine related to NETWORKING. Can anybody tell me which is better and it should be economical also. please suggest me. bye. From wim.holemans at ua.ac.be Mon Nov 17 03:31:19 2008 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Mon, 17 Nov 2008 09:31:19 +0100 Subject: [c-nsp] Virtual Routers Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables ? 
I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing). Thanks, Wim Holemans Netwerkdienst Universiteit Antwerpen From wim.holemans at ua.ac.be Mon Nov 17 03:34:55 2008 From: wim.holemans at ua.ac.be (Holemans Wim) Date: Mon, 17 Nov 2008 09:34:55 +0100 Subject: [c-nsp] Catalyst 3750 stacks with many members References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com><2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be><20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com> <200811170909.49193.mtinka@globaltransit.net> Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be> Got some personal mails all in support of the stacking, saw only negative mails on the list, interesting... Price difference between 2x 3750 and a 6504 is not so small and a 6504 with one supervisor is still a single point of failure where a cluster of 2 switches would give me redundancy. Everyone thanks for the answer, still not sure what we are going to do. Wim Holemans -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka Sent: maandag 17 november 2008 2:10 To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Catalyst 3750 stacks with many members On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote: > As a result of that we do not put stacks any more. If we need more > ports we simply join them using ethernet cables (and etherchannels) > and manage independently of each other. 
It has always been my personal opinion that inter-switch trunking or migrating to a small, single-chassis, multi-line-card based platform (e.g., 6504-E) would offer far less headache than Stacking, and keep things simple. Given the feedback from folk on this thread so far, I think we did well to avoid stacks. Mark. From tseveendorj at gmail.com Mon Nov 17 03:53:42 2008 From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu) Date: Mon, 17 Nov 2008 16:53:42 +0800 Subject: [c-nsp] ISDN Q.931 related question Message-ID: <62c908120811170053x3bb4652bjc003f0ee5a312280@mail.gmail.com> Hi I found a lot of messages from AS5350 gateway. Call awarded and being delivered in an established channel The reason: The user is assigned an incoming call that is being connected to an already-established call channel. Question: 1. Why the call being connected to an established channel ? 3. How to solve? is there any configuration on AS5350XM ? Thanks any help. From erey at ernw.de Mon Nov 17 03:56:41 2008 From: erey at ernw.de (Enno Rey) Date: Mon, 17 Nov 2008 09:56:41 +0100 Subject: [c-nsp] Virtual Routers In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> Message-ID: <20081117085641.GE82503@ws25.ernw.de> Hi, you can use Multi-VRF in whatever context, so no need for some "remote/central scenario". BUT: what you want to achieve will most probably mean working with virtual contexts on the FWSM and/or IPS module. Should be doable but presumably not by means of Multi-VRF. can't say more here without understanding of your exact traffic flow. thanks, Enno On Mon, Nov 17, 2008 at 09:31:19AM +0100, Holemans Wim wrote: > Is there a way to divide a 6500 into multiple 'Virtual Routers' with > different routing tables ? I've read about VRF-Lite but it is always > mentioned in a VPN environment with remote and central devices. 
I need > to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and > back into the same 6500. Maybe PBR would do the trick but I'm still > looking for some good and clear info on virtual routing in a LAN > environment (if existing). > > > > Thanks, > > > > > > Wim Holemans > > Netwerkdienst Universiteit Antwerpen > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ -- Enno Rey ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1 Handelsregister Heidelberg: HRB 7135 Geschaeftsfuehrer: Roland Fiege, Enno Rey From hans at beolink.com Mon Nov 17 04:25:36 2008 From: hans at beolink.com (hans) Date: Mon, 17 Nov 2008 10:25:36 +0100 Subject: [c-nsp] Dear Sender, Message-ID: <10811171025.AA05088@beolink.com> Dear Sender, Thank you very much for your message. I am currently out of the office and will reply to your e-mail upon my return on Monday, November 24rd. Should you need immediate assistance, please call our office at +34 952 817 250. Best regards, Hans-Georg Luna Oesterreich From ben.steele at internode.on.net Mon Nov 17 06:08:33 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Mon, 17 Nov 2008 21:38:33 +1030 Subject: [c-nsp] Virtual Routers In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> Message-ID: <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net> You can do what you want without vrf using PBR, as you mentioned. 
Using the standard svclc vlans the flow of traffic would be:

Outside Host -> 6500 VLAN 1 -> FWSM -> 6500 VLAN 2 (PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500. Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl. Ben -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim Sent: Monday, 17 November 2008 7:01 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Virtual Routers Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables ? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing). Thanks, Wim Holemans Netwerkdienst Universiteit Antwerpen _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
From j.varaillon at cosmoline.com Mon Nov 17 06:11:47 2008 From: j.varaillon at cosmoline.com (Varaillon Jean Christophe) Date: Mon, 17 Nov 2008 13:11:47 +0200 Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue In-Reply-To: <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com> References: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com> <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com> Message-ID: <000301c948a5$4bec2260$e3c46720$%varaillon@cosmoline.com> Replying to my own post. Concerning the CPU, this is a known issue: CSCsi63155 "the CPU usage of one of the context goes up to 60% and it stays there " (http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/release/notes/fwsmrn31.html#wp161596) Christophe -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Varaillon Jean Christophe Sent: Friday, November 14, 2008 2:07 PM To: 'Cisco-nsp' Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue >The CPU of context2 is never changing (stack at 62%) and this does not >reflect at all the pattern of traffic/connection/translation that we get >during a working day. Why? What would keep the CPU so busy given that the >amount of traffic is not the issue here? This output shows clearly that the traffic is almost null but still it has 60% of CPU. What could justify such a value? 
FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon
PERFMON STATS:     Current   Average
Xlates               0/s       0/s
Connections          0/s       0/s
TCP Conns            0/s       0/s
UDP Conns            0/s       0/s
URL Access           0/s       0/s
URL Server Req       0/s       0/s
TCP Fixup          279/s       0/s
HTTP Fixup           0/s       0/s
FTP Fixup            0/s       0/s
AAA Authen           0/s       0/s
AAA Author           0/s       0/s
AAA Account          0/s       0/s
TCP Intercept        0/s       0/s

Thanks, Christophe __________ Information from ESET Smart Security, version of virus signature database 3613 (20081114) __________ The message was checked by ESET Smart Security. http://www.eset.com _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From p.mayers at imperial.ac.uk Mon Nov 17 04:57:42 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 17 Nov 2008 09:57:42 +0000 Subject: [c-nsp] Catalyst 3750 stacks with many members In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be> References: <200811170909.49193.mtinka@globaltransit.net> <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be> Message-ID: <20081117095742.GA30401@wildfire.net.ic.ac.uk> On Mon, Nov 17, 2008 at 09:34:55AM +0100, Holemans Wim wrote: >Got some personal mails all in support of the stacking, saw only >negative mails on the list, interesting... >Price difference between 2x 3750 and a 6504 is not so small and a 6504 Sure, but you were talking about stacks of 7. We've run stacks of 2 for years without trouble. 
From ben.steele at internode.on.net Mon Nov 17 06:24:20 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Mon, 17 Nov 2008 21:54:20 +1030 Subject: [c-nsp] Virtual Routers In-Reply-To: <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net> References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net> Message-ID: <000c01c948a7$08fc4aa0$1af4dfe0$@steele@internode.on.net> Actually I just realised after I sent this that you will need to PBR the last hop in the 6500 before the inside host too if you haven't brought it into a vrf otherwise the intial route will take hold and loop you back into the FWSM again. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele Sent: Monday, 17 November 2008 9:39 PM To: 'Holemans Wim'; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Virtual Routers You can do what you want without vrf using PBR, as you mentioned. Using the standard svclc vlans the flow of traffic would be: Outside Host ->6500 VLAN 1 -> FWSM -> 6500 VLAN 2(PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500. Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl. Ben -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim Sent: Monday, 17 November 2008 7:01 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Virtual Routers Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables ? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. 
Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing). Thanks, Wim Holemans Netwerkdienst Universiteit Antwerpen _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
From dudepron at gmail.com Mon Nov 17 09:51:01 2008 From: dudepron at gmail.com (Aaron) Date: Mon, 17 Nov 2008 09:51:01 -0500 Subject: [c-nsp] tftp In-Reply-To: <770379.30691.qm@web57402.mail.re1.yahoo.com> References: <200811152253.14374.mtinka@globaltransit.net> <770379.30691.qm@web57402.mail.re1.yahoo.com> Message-ID: <480dad640811170651o8f101cfy2ea6af511e11536d@mail.gmail.com> What do you mean verify? Assuming you mean verify the image was copied correctly, you can look at the MD5 signature via the verify command. To verify the checksum of a file on a flash memory file system or compute a Message Digest 5 (MD5) signature for a file, use the verify command in privileged EXEC mode.

verify [/md5 [md5-value]] filesystem:[file-url]

Cisco 7600 Series Router:

verify {/md5 flash-filesystem [expected-md5-signature] | /ios flash-filesystem | flash-filesystem}

On Sat, Nov 15, 2008 at 3:33 PM, chloe K wrote: > yes. it works > > how can I verify the flash? 
> > Thank you > > Mark Tinka wrote: > On Saturday 15 November 2008 19:57:18 chloe K wrote: > > > Hi > > > > How to copy the falsh to tftp? > > #copy flash: tftp: > > Cheers, > > Mark. > > > > --------------------------------- > Be smarter than spam. See how smart SpamGuard is at giving junk email the > boot with the All-new Yahoo! Mail > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ib_cims at yahoo.com Mon Nov 17 09:51:23 2008 From: ib_cims at yahoo.com (Ibrahim Alsharif) Date: Mon, 17 Nov 2008 06:51:23 -0800 (PST) Subject: [c-nsp] Cisco ASA ASDM Message-ID: <584081.58404.qm@web63805.mail.re1.yahoo.com> Hello Dears, I'm working on Single ASA 5540 device I've configured it with two security context (C-A) & (C-B) when I accessed the ASA through ASDM it shows only (C-A) Context only one context appear in the ASDM. what I want to know how I can administer the two security contexts from ASDM. Thank you, Ibrahim Alsharif, From pavel.skovajsa at gmail.com Mon Nov 17 10:23:43 2008 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Mon, 17 Nov 2008 16:23:43 +0100 Subject: [c-nsp] VSS SRND Message-ID: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com> Hello all, does anybody have a clue when the VSS Block SRND is going to be published on Design Zone? The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that: "" Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd. "" This has been there for almost 6 months now, and still no VSS SRND.... 
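The verify /md5 exchange in the tftp thread above (Aaron's reply to chloe K) stops at "look at the MD5 signature". What a practitioner actually wants is the full check: hash the downloaded image on the workstation with the stronger digest the vendor publishes alongside MD5, confirm it matches before the file goes anywhere near a router, then use the router's own verify /md5 after the TFTP copy to prove the transfer (which has no integrity protection of its own) did not corrupt the file. The script below is an added example written for this page, not code from the list or from Cisco. The sample "image" is three constructed bytes with their standard test-vector digests, and the shape of the router's verify /md5 result line is an assumption; the parser only relies on a 32-hex-digit value following an equals sign.

```python
import hashlib
import hmac
import re
import sys
from typing import Dict, Iterable, Optional, Union

# Constructed stand-in for an IOS image (real images are tens of megabytes);
# the expected digests are the standard test vectors for these three bytes.
SAMPLE_IMAGE = b"abc"
SAMPLE_MD5 = "900150983cd24fb0d6963f7d28e17f72"
SAMPLE_SHA512 = ("ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                 "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f")

# Assumed shape of the router's "verify /md5 <file>" result line; we only
# rely on a 32-hex-digit MD5 following an "=" at the end of a line.
_VERIFY_RE = re.compile(r"=\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)


def _read_chunks(path: str, size: int = 1 << 20) -> Iterable[bytes]:
    """Yield a file in 1 MiB pieces so a large image never sits in RAM at once."""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(size)
            if not block:
                return
            yield block


def compute_digests(source: Union[bytes, str],
                    algos=("md5", "sha512")) -> Dict[str, str]:
    """Hex digests of in-memory bytes or of a file path, one pass over the data.

    MD5 is collision-broken, so the SHA-512 the vendor publishes is what
    establishes that the file is the vendor's; MD5 is computed as well only
    because that is the digest the router can check after the copy.
    """
    hashes = {a: hashlib.new(a) for a in algos}
    chunks = [bytes(source)] if isinstance(source, (bytes, bytearray)) else _read_chunks(source)
    for block in chunks:
        for h in hashes.values():
            h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def verdict(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match result, using a length-constant comparison."""
    return {algo: (algo in actual and hmac.compare_digest(actual[algo], value.lower()))
            for algo, value in expected.items()}


def parse_ios_verify_output(text: str) -> Optional[str]:
    """Extract the MD5 the router printed from captured "verify /md5" output."""
    m = _VERIFY_RE.search(text)
    return m.group(1).lower() if m else None


def router_copy_matches(verify_output: str, local_md5: str) -> bool:
    """True when the MD5 the router computed equals the one computed locally."""
    remote = parse_ios_verify_output(verify_output)
    return remote is not None and hmac.compare_digest(remote, local_md5.lower())


if __name__ == "__main__":
    # usage: verify_image.py IMAGE PUBLISHED_MD5 [PUBLISHED_SHA512]
    if len(sys.argv) < 3:
        sys.exit("usage: verify_image.py IMAGE MD5 [SHA512]")
    expected = {"md5": sys.argv[2]}
    if len(sys.argv) > 3:
        expected["sha512"] = sys.argv[3]
    actual = compute_digests(sys.argv[1])
    for algo, ok in verdict(actual, expected).items():
        print(f"{algo:7} {actual[algo]}  {'OK' if ok else 'MISMATCH'}")
    # After "copy tftp: flash:" and "verify /md5 flash:IMAGE" on the router,
    # paste the router's output into router_copy_matches() with actual["md5"].
```

Run it against the file you downloaded and the digests from the download page; a SHA-512 mismatch means the file is not the vendor's image, regardless of what the router's MD5 check later says.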
Thanks, Pavel Skovajsa From MLouis at nwnit.com Mon Nov 17 10:47:31 2008 From: MLouis at nwnit.com (Mike Louis) Date: Mon, 17 Nov 2008 10:47:31 -0500 Subject: [c-nsp] BGP Distribute List Message-ID: I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset. Here is the config. Any ideas why this is not working?

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 network 172.x.253.152 mask 255.255.255.252
 network 172.x.253.156 mask 255.255.255.252
 network 172.x.255.0 mask 255.255.255.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list. Any ideas? ________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. 
From hans at beolink.com Mon Nov 17 10:52:23 2008 From: hans at beolink.com (hans) Date: Mon, 17 Nov 2008 16:52:23 +0100 Subject: [c-nsp] Dear Sender, Message-ID: <10811171652.AA07388@beolink.com> Dear Sender, Thank you very much for your message. I am currently out of the office and will reply to your e-mail upon my return on Monday, November 24rd. Should you need immediate assistance, please call our office at +34 952 817 250. Best regards, Hans-Georg Luna Oesterreich From luan at netcraftsmen.net Mon Nov 17 10:54:11 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Mon, 17 Nov 2008 10:54:11 -0500 Subject: [c-nsp] VSS SRND In-Reply-To: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com> References: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com> Message-ID: <001d01c948cc$bb6beb30$3243c190$@net> Have you looked at the Data Center Design Guide? http://www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.ht ml There's this one: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dc_servchas /service-chassis_design.html And this one: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5 /DCI_SRND.pdf Which give lots of design guides on VSS. Regards, Luan Nguyen Chesapeake NetCraftsmen, LLC. www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pavel Skovajsa Sent: Monday, November 17, 2008 10:24 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] VSS SRND Hello all, does anybody have a clue when the VSS Block SRND is going to be published on Design Zone? The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that: "" Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. 
For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd. "" This has been there for almost 6 months now, and still no VSS SRND.... Thanks, Pavel Skovajsa _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From ped_dk at hotmail.com Mon Nov 17 11:01:09 2008 From: ped_dk at hotmail.com (Peter Danielsen) Date: Mon, 17 Nov 2008 17:01:09 +0100 Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs Message-ID: Hi, Iam trying to consolidat a number of DMVPN HUBs on an VRF Aware HUB, I have some difficulties getting it to work, HUB is a 7200VXR - Spokes are 2841 All configuration examples I can find are with HUB and Spoke running VRF-Lite, and I need to figure out how to build the HUB for VRF-Lite support, I asume that Spoke configurations will not change, due to that the only place i need vrf-lite support is on the HUB Any clues, Hints, whitepapers, Thanks in advance /ped_dk _________________________________________________________________ Explore the seven wonders of the world http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE From RYAN.BRAULT at illinois.gov Mon Nov 17 11:04:30 2008 From: RYAN.BRAULT at illinois.gov (Brault, Ryan) Date: Mon, 17 Nov 2008 10:04:30 -0600 Subject: [c-nsp] BGP Distribute List In-Reply-To: References: Message-ID: router bgp 100 neighbor x.x.230.161 prefix-list routeout out neighbor 172.x.255.252 prefix-list routeout out I think that's what you're looking for... 
Ryan Brault -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis Sent: Monday, November 17, 2008 9:48 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] BGP Distribute List I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset. Here is the config. Any ideas why this is not working?

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 network 172.x.253.152 mask 255.255.255.252
 network 172.x.253.156 mask 255.255.255.252
 network 172.x.255.0 mask 255.255.255.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list. Any ideas? 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From MLouis at nwnit.com Mon Nov 17 11:14:33 2008 From: MLouis at nwnit.com (Mike Louis) Date: Mon, 17 Nov 2008 11:14:33 -0500 Subject: [c-nsp] BGP Distribute List In-Reply-To: References: Message-ID: Its working fine in other configurations with the Distribute List. Distribute list with prefix-list is supported in IOS. I wonder what the limiting factor is here? -----Original Message----- From: Brault, Ryan [mailto:RYAN.BRAULT at Illinois.gov] Sent: Monday, November 17, 2008 11:05 AM To: Mike Louis; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] BGP Distribute List router bgp 100 neighbor x.x.230.161 prefix-list routeout out neighbor 172.x.255.252 prefix-list routeout out I think that's what you're looking for... Ryan Brault -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis Sent: Monday, November 17, 2008 9:48 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] BGP Distribute List I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset. Here is the config. Any ideas why this is not working? 
router bgp 100 no synchronization bgp log-neighbor-changes network x.x.230.160 mask 255.255.255.252 network 172.x.36.0 mask 255.255.254.0 network 172.x.253.152 mask 255.255.255.252 network 172.x.253.156 mask 255.255.255.252 network 172.x.255.0 mask 255.255.255.0 neighbor x.x.230.161 remote-as 65000 neighbor x.x.230.161 weight 500 neighbor x.x.230.161 distribute-list routeout out neighbor 172.x.255.252 remote-as 65535 neighbor 172.x.255.252 distribute-list routeout out no auto-summary I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list. Any ideas? ________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ No virus found in this incoming message. 
From peter at rathlev.dk  Mon Nov 17 11:30:24 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 17 Nov 2008 17:30:24 +0100
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID: <1226939424.10572.4.camel@abehat>

On Mon, 2008-11-17 at 10:47 -0500, Mike Louis wrote:
> I have a distribute list setup to reference a prefix list in a bgp
> configuration. However the outbound filtering is not working and I
> have reset bgp connection with soft outbound reset.
>
> Here is the config.
>
> Any ideas why this is not working?
>
> router bgp 100
> no synchronization
> bgp log-neighbor-changes
> network x.x.230.160 mask 255.255.255.252
> network 172.x.36.0 mask 255.255.254.0
> network 172.x.253.152 mask 255.255.255.252
> network 172.x.253.156 mask 255.255.255.252
> network 172.x.255.0 mask 255.255.255.0
> neighbor x.x.230.161 remote-as 65000
> neighbor x.x.230.161 weight 500
> neighbor x.x.230.161 distribute-list routeout out
> neighbor 172.x.255.252 remote-as 65535
> neighbor 172.x.255.252 distribute-list routeout out
> no auto-summary
>
> I have reset the BGP connections in the outbound with soft reset but
> still no luck. The router is receiving all routes from neighbors and
> relaying them to the other EBGP router.
> I am not worried about
> inbound received routes, just outbound filtering based on a specific
> prefix list.
>
> Any ideas?

It _might_ be:

- An incorrectly configured route-map
- An incorrectly configured access-list used in the route-map
- A bug in IOS (probably unlikely, but who knows :-])

The problem is that no one can make any guesses, since you didn't include any information to help determine the cause. And no example of the not-filtered prefix seen from the neighbor.

Regards,
Peter

From luan at netcraftsmen.net  Mon Nov 17 11:38:02 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 17 Nov 2008 11:38:02 -0500
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
In-Reply-To:
References:
Message-ID: <004a01c948d2$dbe17e10$93a47a30$@net>

Usually, when I use VRF-Lite with hub site DMVPN, it's because I need to backhaul all spoke traffic (send them a default route through the tunnel) and don't want to use policy-based routing at the spoke sites. I have to put the LAN(s) and tunnel interface(s) on the spoke into a VRF and leave the WAN in the global table so the spoke can have two default routes: one in the global table to establish the DMVPN/IPSEC connection to hubs and other spokes, and one in the VRF to send all LAN traffic to the hub for, say, central Internet access. Hubs' tunnels would usually be put into a VRF.

If you have a few customers and want to consolidate them into a single hub router, then I would just add the tunnels into their own VRFs; the spokes can be left alone. Depending on the routing protocol you use and what access you want to give, you need to route inter/intra VRF accordingly at the hub.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Danielsen
Sent: Monday, November 17, 2008 11:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs

Hi,

I am trying to consolidate a number of DMVPN hubs on a VRF-aware hub, and I am having some difficulties getting it to work. The hub is a 7200VXR; the spokes are 2841s.

All configuration examples I can find are with hub and spoke running VRF-Lite, and I need to figure out how to build the hub for VRF-Lite support. I assume that spoke configurations will not change, since the only place I need VRF-Lite support is on the hub.

Any clues, hints, whitepapers?

Thanks in advance
/ped_dk

From kratzers at pa.net  Mon Nov 17 12:35:23 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Mon, 17 Nov 2008 12:35:23 -0500
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID: <200811171235.24723.kratzers@pa.net>

Probably a mucked up distribute/filter/prefix list. Check 'show ip prefix-list detail' and 'show ip access-list'. It's also possible that the peers don't support route refresh. You can check this with 'show ip bgp neighbor'.

On Monday 17 November 2008 10:47:31 Mike Louis wrote:
> I have a distribute list setup to reference a prefix list in a bgp
> configuration. However the outbound filtering is not working and I have
> reset bgp connection with soft outbound reset.
>
> Here is the config.
>
> Any ideas why this is not working?
>
> router bgp 100
> no synchronization
> bgp log-neighbor-changes
> network x.x.230.160 mask 255.255.255.252
> network 172.x.36.0 mask 255.255.254.0
> network 172.x.253.152 mask 255.255.255.252
> network 172.x.253.156 mask 255.255.255.252
> network 172.x.255.0 mask 255.255.255.0
> neighbor x.x.230.161 remote-as 65000
> neighbor x.x.230.161 weight 500
> neighbor x.x.230.161 distribute-list routeout out
> neighbor 172.x.255.252 remote-as 65535
> neighbor 172.x.255.252 distribute-list routeout out
> no auto-summary
>
> I have reset the BGP connections in the outbound with soft reset but still
> no luck. The router is receiving all routes from neighbors and relaying
> them to the other EBGP router. I am not worried about inbound received
> routes, just outbound filtering based on a specific prefix list.
>
> Any ideas?
From justin at justinshore.com  Mon Nov 17 12:59:58 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 17 Nov 2008 11:59:58 -0600
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
In-Reply-To:
References:
Message-ID: <4921B11E.8080601@justinshore.com>

Peter Danielsen wrote:
> Hi, I am trying to consolidate a number of DMVPN HUBs on a VRF Aware HUB.
> I have some difficulties getting it to work. HUB is a 7200VXR - Spokes are 2841.
> All configuration examples I can find are with HUB and Spoke running VRF-Lite,
> and I need to figure out how to build the HUB for VRF-Lite support. I assume
> that Spoke configurations will not change, due to that the only place I need
> vrf-lite support is on the HUB.
> Any clues, Hints, whitepapers,
> Thanks in advance
> /ped_dk

This doc has some great examples. I'm working through some of them myself. I'm trying to use VRFs with MPLS VPN at the hub to connect spokes to our data center downstream. Customers are in their own VRFs.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6922_TSD_Products_Configuration_Guide_Chapter.html

Justin

From MLouis at nwnit.com  Mon Nov 17 13:05:05 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 17 Nov 2008 13:05:05 -0500
Subject: [c-nsp] BGP Distribute List
In-Reply-To: <200811171235.24723.kratzers@pa.net>
References: <200811171235.24723.kratzers@pa.net>
Message-ID:

Thanks for all your help. I will try and lab it up and post the results.

Mike

-----Original Message-----
From: Stephen Kratzer [mailto:kratzers at pa.net]
Sent: Monday, November 17, 2008 12:35 PM
To: cisco-nsp at puck.nether.net
Cc: Mike Louis
Subject: Re: [c-nsp] BGP Distribute List

Probably a mucked up distribute/filter/prefix list.
Check 'show ip prefix-list detail' and 'show ip access-list'. It's also possible that the peers don't support route refresh. You can check this with 'show ip bgp neighbor'.
From ross at kallisti.us  Mon Nov 17 13:26:09 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 17 Nov 2008 13:26:09 -0500
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>
Message-ID: <20081117182609.GC29082@kallisti.us>

On Mon, Nov 17, 2008 at 12:30:44PM +0900, Ian Henderson wrote:
> Also, the stacking cables seem very fragile - even if they are
> screwed in properly, a bump can cause the stack to go haywire.

This is very true. The connectors that Cisco uses for the backplane interconnection are unusually fragile. We only have two-switch 3750 stacks and they work great when the stacking cables work. The one-foot cables that come with the switches are great. They are short and light enough that the crappy connectors don't cause a problem.
However, I've had at least four pairs of the three-meter cables for switches located in adjacent racks. Of those four, only one pair ever worked correctly.

On the other hand, Juniper's EX-4200 is awesome. The cables use PCI-Express connectors that are far sturdier than Cisco's proprietary connectors. We've been using them in production, have hot-extended the chassis, and tested stacking cable failure. Works great. We're only using them for Ethernet layer 2 - no layer 3 or MPLS. Lots of 802.3ad aggregation groups and some crazy MSTP mappings.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From kgraham at industrial-marshmallow.com  Mon Nov 17 15:53:46 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 17 Nov 2008 12:53:46 -0800 (PST)
Subject: [c-nsp] Catalyst 3750 stacks with many members
Message-ID: <898019.33192.qm@web904.biz.mail.mud.yahoo.com>

> The one foot cables that come with the switches are great. They are
> short and light enough that the crappy connectors don't cause a
> problem.

I have a suspicion that Cisco wanted to fix this. The 3750E's were initially a "3780", and were renamed late enough that several product photos had the original name. Note that all of the CBS31xx's use a much different, and simpler, connector. This may have been a simple matter of form factor (certainly the BladeCenter version doesn't have the physical real estate). The different name and different connector suggest that compatibility with StackWise/"3750" was a late-stage change that also necessitated reverting to the older cable.

...with regard to SP CPU, really crude tests suggest that the PPC405 on 3750E's is about half the speed of the MPC8245 common on 4500 sups, so yes, if you're running very large stacks, presumably this will be an issue. (Furthest I've taken them is 6 w/ no CDP/LLDP and simple IGP).
Being able to redeploy these into so many different configurations makes these far, far more useful than any of the modular chassis (where you end up having to eat chassis+sup, or chassis+dual-sup, to get equivalent sparing). I still regret the places I put in 4506's instead of 3750's.

My biggest single gripe is Cisco's own internal games with them, with product handicapping such as the lack of a 3750E equivalent to the 3650E-12D and a higher-density or 'E' version of the 3750G-12S. (It would also be really nice to see an ISSU equivalent for these...)

From c.spurgeon at mail.utexas.edu  Mon Nov 17 16:14:47 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 17 Nov 2008 15:14:47 -0600
Subject: [c-nsp] SXI out
In-Reply-To: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
Message-ID: <20081117211447.GB24655@argus.gw.utexas.edu>

On Thu, Nov 13, 2008 at 01:44:20PM -0200, Rubens Kuhl Jr. wrote:
> Making the same file for release notes of SXH and SXI makes /me think
> that SXH4 won't see the light... what do people have heard about it ?

I found SXH4 on the download site, but not in the old software tree I usually use. Instead, I found it in the endless set of folders of the new software tree, which I have taken to calling "Zork for Downloads" ("you are in a maze of twisty folders, all alike"):

http://tools.cisco.com/support/downloads/go/IOSPlatform.x?sftType=IOS+Software&mdfid=280357772&treeName=Routers&mdfLevel=SERIES&url=null&modelName=Cisco+Catalyst+6509-E+Switch&isPlatform=N&treeMdfId=268437717&relmdfid=279308101&hybrid=Y&modifmdfid=280829702&imname=Cisco+Catalyst+6500+Series+Supervisor+Engine+720+%2F+MSFC3

So far all I have done with it is to boot it into a lab router.
-Charles

From ross at kallisti.us  Mon Nov 17 16:21:57 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 17 Nov 2008 16:21:57 -0500
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <898019.33192.qm@web904.biz.mail.mud.yahoo.com>
References: <898019.33192.qm@web904.biz.mail.mud.yahoo.com>
Message-ID: <20081117212157.GE29082@kallisti.us>

On Mon, Nov 17, 2008 at 12:53:46PM -0800, Kevin Graham wrote:
> Being able to redeploy these into so many different configurations makes
> these far, far more useful than any of the modular chassis (where you
> end up having to eat chassis+sup, or chassis+dual-sup to get equivalent
> sparing). I still regret the places I put in 4506's instead of 3750's.

And forget eating a slot with sups - call me when a chassis-based switch can be physically split into multiple parts and located in different locations...

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From rshughes at gmail.com  Mon Nov 17 17:02:31 2008
From: rshughes at gmail.com (Ryan Hughes)
Date: Mon, 17 Nov 2008 17:02:31 -0500
Subject: [c-nsp] Cisco ASA ASDM
In-Reply-To: <584081.58404.qm@web63805.mail.re1.yahoo.com>
References: <584081.58404.qm@web63805.mail.re1.yahoo.com>
Message-ID:

You need to connect to the management instance in order to admin both contexts through ASDM. Typically this is over the management interface or sub-VLAN interface allocated to the management instance. From there you should be able to see/admin all 3 contexts.

On Mon, Nov 17, 2008 at 9:51 AM, Ibrahim Alsharif wrote:
> Hello Dears,
>
> I'm working on a single ASA 5540 device. I've configured it with two security
> contexts (C-A) & (C-B). When I accessed the ASA through ASDM it shows only
> the (C-A) context;
> only one context appears in the ASDM.
> What I want to know is how I can administer the two security contexts from
> ASDM.
>
> Thank you,
>
> Ibrahim Alsharif,

From danletkeman at gmail.com  Mon Nov 17 18:05:42 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Mon, 17 Nov 2008 17:05:42 -0600
Subject: [c-nsp] route problem
Message-ID:

Hello,

I have set up a guest VLAN for internet access. When the users connect to the guest network they get only internet access and no access to any of the servers on the rest of the network. The problem I'm having now is that the users on the guest network cannot access our internal web servers. I'm wondering if this is a simple access list problem or is it a route problem?

Topology is as follows:

normal user----------vlan 500--------------3560 switch----------2801 router------------internet
                                                |
                                                |
guest users---------vlan 167---------------------

There is an access list on vlan 167 on the 3560 switch that only allows the guest users access to the internet. So when I do a trace route from the guest network to the internal web address I get a timeout at the router. The internal web server resolves with our external IP address because the guest users are not using our internal DNS servers.

Any ideas where I should start?

Dan.

From rodunn at cisco.com  Mon Nov 17 18:48:44 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 17 Nov 2008 18:48:44 -0500
Subject: [c-nsp] route problem
In-Reply-To:
References:
Message-ID: <20081117234844.GB25107@rtp-cse-489.cisco.com>

I'm assuming your diagram was:

normal user----vlan 500---3560 switch---2801router---internet
guest users---vlan 167--/

such that inter-VLAN routing would happen on the 3560.

Just follow the packet via 'sh ip route'.

So a normal user goes to a webserver..what is the address?

When the packet leaves the normal user, does it make it in the 3560 ACL on the ingress interface?
If so, what does 'sh ip route' say for the destination of the packet? Go to next hop...etc..

Rodney

On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
> Hello,
>
> I have setup a guest vlan for internet access. When the users connect
> to the guest network they get only internet access and no access to
> any of the servers on the rest of the network. The problem I'm having
> now is that the users on the guest network cannot access our internal
> web servers. I'm wondering if this is a simple access list problem or
> is it a route problem?
>
> topology is as follows:
>
>
> normal user----------vlan 500--------------3560 switch----------2801
> router------------internet
>                                                |
>                                                |
> guest users---------vlan 167---------------------
>
>
> There is an access list on vlan 167 on the 3560 switch that only
> allows the guest users access to the internet. So when I do a trace
> route from the guest network to the internal web address I get a
> timeout at the router. The internal web server resolves with our
> external ip address because the guest users are not using our internal
> dns servers.
>
> Any ideas where I should start?
>
> Dan.

From jbehl at estalea.com  Mon Nov 17 20:43:22 2008
From: jbehl at estalea.com (Jeff Behl)
Date: Mon, 17 Nov 2008 17:43:22 -0800
Subject: [c-nsp] NAT out via loopback
Message-ID: <49221DBA.2040104@estalea.com>

I've got two 3560s, each with a privately addressed point-to-point link to a 2851 (a trunked gig interface for each) and both connected to an ISP:

ISP---3560----p2p-----
                       2851
ISP---3560----p2p-----

The 3560s are connected to the ISP and have a public /25 routed to them via p2p links. They also have a number of private networks that contain numerous hosts that they act as the gateway for (HSRP).
The 3560s advertise a default route via OSPF which is picked up by the 2851. They also have a static default pointing to the ISP. The 2851 has a couple of public /32 addresses on loopbacks which are advertised via OSPF and picked up by the 3560s (I've split the /25 into a few different blocks). One of them acts as a static IPSEC/GRE VPN tunnel endpoint, and I'd like the other to be an external NAT interface.

The reason for this setup was to be able to maintain the VPN link during the loss of one of the switches. To this end everything is working as expected, at least in terms of the VPN tunnel.

But now the trickier part...I'd like some of the hosts on the private networks for which the 3560s are doing the routing to be able to get to the internet via NAT. As the 3560s don't do NAT, it has to be the 2851 that does it. I'm looking for suggestions on the most elegant solution for doing this?? Basically, one of the loopbacks on the 2851 would be the outgoing IP address for NAT translations. Though I've not used VRFs before, I'm getting inklings they could be used in a scenario such as this? The other solution seems to be some sort of policy-based routing. I've used policy-based routing in the past to direct traffic that needs to be NATed from a switch to a router, but it was a little simpler in that the router's outgoing NAT address was just a normal sub-interface and not a loopback.

Thanks for any help.

jeff

From kgraham at industrial-marshmallow.com  Mon Nov 17 21:25:13 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 17 Nov 2008 18:25:13 -0800 (PST)
Subject: [c-nsp] FHRP's and STP
Message-ID: <702283.53895.qm@web902.biz.mail.mud.yahoo.com>

Is there a way to (safely) force any of the FHRPs into a multiple-active setup such that the first router to see a packet can route it?
Namely, I'm frustrated by instances w/ L3 switches where the L2 topology (via STP) doesn't match the L3 topology (via an FHRP), resulting in cases where traffic gets L2 switched by an FHRP standby on its way to the active router only to get punted back again.

A tracking object based on STP state would probably be sufficient, though being able to assign multiple routers to an active forwarding group seems ideal. Am I missing something obvious?

From paul at paulstewart.org  Mon Nov 17 21:44:00 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 17 Nov 2008 21:44:00 -0500
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
Message-ID: <000001c94927$892008e0$9b601aa0$@org>

Hi there..

I've been reading http://www.cisco.com/en/US/products/ps6553/products_data_sheet09186a008011b68d.html which references several ways to assign IPv6 addresses to a client. What I'm after (and I posed this question to Cisco in the summer at Networkers) is to assign an IPv4 address via PPPoE as is done today and also assign an IPv6 address as well? Is there such a method?

Specifically, customers who are served today via PPPoE get an IPv4 address dynamically assigned from an IP pool after authenticating against RADIUS. I'd like to extend that and offer dynamic IPv6 space as well.

For my testing I have a Cisco 1811 doing PPPoE over a wireless bridge to another 1811 acting as a client - is there a way to get dual-stack running in a setup like this?

Thanks,

Paul

From risnaini at indo.net.id  Mon Nov 17 22:44:02 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 18 Nov 2008 10:44:02 +0700
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <000001c94927$892008e0$9b601aa0$@org>
References: <000001c94927$892008e0$9b601aa0$@org>
Message-ID: <49223A02.40004@indo.net.id>

Yes, possible, Paul. As long as your IOS version supports it. Below is my example, which has been running fine.
ipv6 unicast-routing
ipv6 dhcp pool ipv6-dual-stack
 prefix-delegation 2404:170:DEAD:DEAD::/64 0005000400F1A4D07003
 prefix-delegation pool prefix-pool lifetime 1800 60
 dns-server 2404:170:32::2
 domain-name ipv6.indo.net.id

a. rahman isnaini rangkayo sutan

Paul Stewart wrote:
> Hi there..
>
> For my testing I have a Cisco 1811 doing PPPOE over a wireless bridge to
> another 1811 acting as a client - is there a way to get dualstack running in
> a setup like this?
>
> Thanks,
>
> Paul

From danletkeman at gmail.com  Mon Nov 17 23:12:25 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Mon, 17 Nov 2008 22:12:25 -0600
Subject: [c-nsp] route problem
In-Reply-To: <20081117234844.GB25107@rtp-cse-489.cisco.com>
References: <20081117234844.GB25107@rtp-cse-489.cisco.com>
Message-ID:

Sorry for the poor diagram. The VLANs are both on the 3560 and the 3560 is in routing mode. Its default route is the 2801 router, which does the NAT for the internet connection. Normal users are fine because they use our internal DNS servers and have access to our internal web server.

What is happening on the guest VLAN is when someone goes to www.ourwebsite.com (this being our internal web server) they are resolving our external IP address for the site, but they are trying to access the site via the external IP address from the inside of the router. I'm sure it's just an access list problem. Not sure I quite understand how show ip route will help...

Dan.

On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn wrote:
> I'm assuming your diagram was:
>
> normal user----vlan 500---3560 switch---2801router---internet
> guest users---vlan 167--/
>
> such that inter vlan routing would happen on the 3560.
>
> Just follow the packet via 'sh ip route'.
>
> So a normal user goes to a webserver..what is the address?
>
> When the packet leaves the normal user does it make it in the
> 3560 ACL on the ingress interface?
> If so, what does 'sh ip route' say for the destination of the packet?
> Go to next hop...etc..
>
> Rodney

From jlewis at lewis.org  Tue Nov 18 00:25:13 2008
From: jlewis at lewis.org (Jon Lewis)
Date: Tue, 18 Nov 2008 00:25:13 -0500 (EST)
Subject: [c-nsp] 7200 AC & DC
Message-ID:

cisco.com has this to say about mixing AC and DC power supplies in the 7206:

Caution: Do not mix power supplies in the Cisco 7206.
In dual power supply router configurations, both power supplies must be of the same type (two AC-input power supplies or two DC-input power supplies).

I've seen posts from people saying that they have mixed AC & DC in 7206's with both types powered up at the same time...and nothing bad happening. Can anyone say why Cisco cautions against doing this? Is it just a grounding issue (possibly very different grounds provided by the AC power and the rack's ground (used when using DC power))? If it's just that, I would think that if the measured voltage between AC ground and rack ground is close to 0V, then this might be safe to do, especially as a short-term situation while migrating from one type of power to the other.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________

From p.mayers at imperial.ac.uk  Tue Nov 18 02:40:47 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 18 Nov 2008 07:40:47 +0000
Subject: [c-nsp] FHRP's and STP
In-Reply-To: <702283.53895.qm@web902.biz.mail.mud.yahoo.com>
References: <702283.53895.qm@web902.biz.mail.mud.yahoo.com>
Message-ID: <4922717F.4080009@imperial.ac.uk>

Kevin Graham wrote:
> Is there a way to (safely) force any of the FHRP's into a multiple-active setup
> such that the first router to see a packet can route it? Namely, I'm frustrated
> by instances w/ L3 switches where the L2 topology (via STP) doesn't match the
> L3 topology (via a FHRP) resulting in cases where traffic gets L2 switched by a
> FHRP standby on its way to the active router only to get punted back again.

This is an annoying outcome, but would you not be better concentrating on ensuring the STP topology matches the desired FHRP topology?

>
> A tracking object based on STP state would probably be sufficient, though being
> able to assign multiple routers to an active forwarding group seems ideal.
> Am I missing something obvious?

I don't believe any of the FHRPs can do what you want - even GLBP works (as I understand it) by answering ARP requests for the gateway with different vmacs, and a router will only route vmacs it owns locally.

From p.mayers at imperial.ac.uk Tue Nov 18 02:42:22 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 18 Nov 2008 07:42:22 +0000
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <20081117212157.GE29082@kallisti.us>
References: <898019.33192.qm@web904.biz.mail.mud.yahoo.com> <20081117212157.GE29082@kallisti.us>
Message-ID: <492271DE.2070207@imperial.ac.uk>

Ross Vandegrift wrote:
> On Mon, Nov 17, 2008 at 12:53:46PM -0800, Kevin Graham wrote:
>> Being able to redeploy these into so many different configurations makes these far, far more useful than any of the modular chassis (where you end up having to eat chassis+sup, or chassis+dual-sup to get equivalent sparing). I still regret the places I put in 4506's instead of 3750's.
>
> And forget eating a slot with sups - call me when a chassis based switch can be physically split into multiple parts and located in different locations...
>

VSS: http://www.cisco.com/en/US/products/ps9336/index.html

From benny+usenet at amorsen.dk Tue Nov 18 04:58:42 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Tue, 18 Nov 2008 10:58:42 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <898019.33192.qm@web904.biz.mail.mud.yahoo.com> (Kevin Graham's message of "Mon\, 17 Nov 2008 12\:53\:46 -0800 \(PST\)")
References: <898019.33192.qm@web904.biz.mail.mud.yahoo.com>
Message-ID:

Kevin Graham writes:
> My biggest single gripe is Cisco's own internal games with them with product handicapping such as the lack of a 3750E equivalent to the 3650E-12D and a higher-density or 'E' version of the 3750G-12S). (It would also be really nice to see an ISSU equivalent for these...)
Indeed, Cisco seems to be completely out of the loop when it comes to non-modular fiber switches. Competing vendors can do 48 1Gbps SFP in one rack unit, and the best Cisco can do is 12...

/Benny

From pigsign.pykota at gmail.com Tue Nov 18 05:22:37 2008
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 18 Nov 2008 18:22:37 +0800
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
Message-ID:

Hi All,

The Cisco GRE tunnel keepalive mechanism requires a public IP on both sites. But I have one router in a NAT environment whose IP address is a private IP address, and the other, outside router has a public IP address, so when I configure "keepalive" on the tunnel interface, the tunnel interface immediately shows "line protocol down"....

Does anyone have any idea about this?

Thanks :)

pigsign

From j.varaillon at cosmoline.com Tue Nov 18 05:35:10 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Tue, 18 Nov 2008 12:35:10 +0200
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To:
References:
Message-ID: <000c01c94969$553b6780$ffb23680$%varaillon@cosmoline.com>

Hi

For the tunnel to be operational, each router should be able to reach the destination IP of the tunnel from the source IP of the tunnel (extended ping command will help you).

When this is done, meaning, ping from IP source of the tunnel to IP destination of the tunnel works, then you can set-up your keepalive functionality.

Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
Sent: Tuesday, November 18, 2008 12:23 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Tunnel keepalive in NAT environment problem

Hi All,

The Cisco GRE tunnel keepalive mechanism requires a public IP on both sites.
But I have one router in a NAT environment whose IP address is a private IP address, and the other, outside router has a public IP address, so when I configure "keepalive" on the tunnel interface, the tunnel interface immediately shows "line protocol down"....

Does anyone have any idea about this?

Thanks :)

pigsign
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

__________ Information from ESET Smart Security, version of virus signature database 3620 (20081118) __________

The message was checked by ESET Smart Security.

http://www.eset.com

From j.varaillon at cosmoline.com Tue Nov 18 05:49:46 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Tue, 18 Nov 2008 12:49:46 +0200
Subject: [c-nsp] NAT out via loopback
In-Reply-To: <49221DBA.2040104@estalea.com>
References: <49221DBA.2040104@estalea.com>
Message-ID: <001601c9496b$5f703fd0$1e50bf70$%varaillon@cosmoline.com>

Hi,

This might be far from answering your question but why are the 3560s not behind the 2851? Why is the 2851 not directly connected to the ISP? Wouldn't this be simpler to set-up your NAT?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Behl
Sent: Tuesday, November 18, 2008 3:43 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT out via loopback

i've got two 3560s, each with a privately addressed point-to-point link to a 2851 (a trunked gig interface for each) and both connected to an ISP:

ISP---3560----p2p-----
                      2851
ISP---3560----p2p-----

The 3560s are connected to the ISP and have a public /25 routed to them via p2p links.
They also have a number of private networks that contain numerous hosts that they act as the gateway for (HSRP). The 3560s advertise a default route via ospf which is picked up by the 2851. They also have a static default pointing to the ISP.

The 2851 has a couple public /32 addresses on loopbacks which are advertised via ospf and picked up by the 3560s (i've split the /25 into a few different blocks). One of them acts as a static IPSEC/GRE VPN tunnel endpoint, and I'd like the other to be an external NAT interface. The reason for this setup was to be able to maintain the VPN link during the loss of one of the switches. To this end everything is working as expected, at least in terms of the VPN tunnel.

But now the trickier part...I'd like some of the hosts on the private networks for which the 3560s are doing the routing to be able to get to the internet via NAT. As the 3560s don't do NAT, it has to be the 2851 that does it. I'm looking for suggestions on the most elegant solution for doing this?? Basically, one of the loopbacks on the 2851 would be the outgoing IP address for NAT translations. Though I've not used VRFs before, I'm getting inklings they could be used in a scenario such as this? The other solution seems to be some sort of policy based routing. I've used policy based routing in the past to direct traffic that needs to be NATd from a switch to a router but it was a little simpler in that the router's outgoing NAT address was just a normal sub-interface and not a loopback.

Thanks for any help.

jeff
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

__________ Information from ESET Smart Security, version of virus signature database 3620 (20081118) __________

The message was checked by ESET Smart Security.
http://www.eset.com

From pigsign.pykota at gmail.com Tue Nov 18 06:10:40 2008
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 18 Nov 2008 19:10:40 +0800
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To:
References: <000c01c94969$553b6780$ffb23680$%varaillon@cosmoline.com>
Message-ID:

Hi,

The routers can reach each other by ping. But I saw the Cisco tunnel keepalive document says this..

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml#backinfo

And my lab is like this..

Router01(172.16.1.1)------Linux Firewall(NAT)-----Router02(1.1.1.1)

The Router01 tunnel keepalive mechanism will encapsulate a "src:1.1.1.1,dst:172.16.1.1" packet to Router02, then Router02 will decapsulate the packet and send the "src:1.1.1.1,dst:172.16.1.1" packet to Router01 to assure the tunnel is alive. But the problem is Router01's IP address is private (172.16.1.1) and Router02 will not reply to the packet correctly. So the tunnel interface always appears "line protocol down" when I configure keepalive.

Thanks

pigsign

2008/11/18 Varaillon Jean Christophe :
> Hi
>
> For the tunnel to be operational, each router should be able to reach the destination IP of the tunnel from the source IP of the tunnel (extended ping command will help you).
>
> When this is done, meaning, ping from IP source of the tunnel to IP destination of the tunnel works, then you can set-up your keepalive functionality.
>
> Christophe
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
> Sent: Tuesday, November 18, 2008 12:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>
> Hi All,
>
> The Cisco GRE tunnel keepalive mechanism requires a public IP on both sites. But I have one router in a NAT environment whose IP address is a private IP address, and the other, outside router has a public IP address, so when I configure "keepalive" on the tunnel interface, the tunnel interface immediately shows "line protocol down"....
>
> Does anyone have any idea about this?
>
> Thanks :)
>
> pigsign
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From j.varaillon at cosmoline.com Tue Nov 18 07:10:20 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Tue, 18 Nov 2008 14:10:20 +0200
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To:
References: <000c01c94969$553b6780$ffb23680$%varaillon@cosmoline.com>
Message-ID: <003301c94976$a0bbf190$e233d4b0$%varaillon@cosmoline.com>

Hi,

>The routers can reach each other by ping.

So the routing between the 172.16.1.1 and 1.1.1.1 is working.

> But the problem is Router01's IP address is private (172.16.1.1) and Router02 will not reply to the packet correctly.
Is your firewall allowing GRE traffic to flow between both routers?
Did you configure your translation statement in your firewall so that GRE traffic can be initiated from both sides?

Christophe

2008/11/18 Varaillon Jean Christophe :
> Hi
>
> For the tunnel to be operational, each router should be able to reach the destination IP of the tunnel from the source IP of the tunnel (extended ping command will help you).
>
> When this is done, meaning, ping from IP source of the tunnel to IP destination of the tunnel works, then you can set-up your keepalive functionality.
>
> Christophe
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
> Sent: Tuesday, November 18, 2008 12:23 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>
> Hi All,
>
> The Cisco GRE tunnel keepalive mechanism requires a public IP on both sites. But I have one router in a NAT environment whose IP address is a private IP address, and the other, outside router has a public IP address, so when I configure "keepalive" on the tunnel interface, the tunnel interface immediately shows "line protocol down"....
>
> Does anyone have any idea about this?
>
> Thanks :)
>
> pigsign
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> __________ Information from ESET Smart Security, version of virus signature database 3620 (20081118) __________
>
> The message was checked by ESET Smart Security.
>
> http://www.eset.com
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From brun0_filipe at yahoo.com Tue Nov 18 07:31:50 2008
From: brun0_filipe at yahoo.com (Bruno Filipe)
Date: Tue, 18 Nov 2008 04:31:50 -0800 (PST)
Subject: [c-nsp] IP arp VRF weird issue
Message-ID: <169806.53199.qm@web39702.mail.mud.yahoo.com>

Hi there,...

I'm facing a problem between a CE and a PE, and I'm not really sure of the reason for this behavior... The link to the customer is perfect (NO PROBLEMS AT ALL) but the service is going up and down (from time to time). I suspect that there must be something preventing the ARP counters from increasing, which might be the reason for the counters to get stuck.

# Here's the relevant Configuration from the PE router#

!
ip vrf customerXYZ-vpn
 rd 100:244100
 route-target export 100:244100
 route-target import 100:244100
 route-target import 100:20
!
interface FastEthernet0/1.357
 encapsulation dot1Q 357
 ip vrf forwarding customerXYZ-vpn
 ip address 192.168.61.81 255.255.255.252
 ip verify unicast source reachable-via rx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no snmp trap link-status
 no cdp enable
 service-policy output reg1024

# Here's some show commands

PE-ROUTER#sh ip vrf customerXYZ-vpn
  Name                             Default RD          Interfaces
  customerXYZ-vpn                  100:244100          Fa0/0.355
                                                       Fa0/0.580
                                                       Fa0/0.702
                                                       Fa0/0.706
                                                       Fa0/1.356
                                                       Fa0/1.357
                                                       Fa0/1.361
                                                       Fa0/0.44
                                                       Fa0/1.312
                                                       Fa0/0.719
                                                       Fa0/0.718

PE-ROUTER#sh ip arp vrf customerXYZ-vpn
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.41.190          114   001b.7858.2ef7  ARPA   FastEthernet0/0.355
Internet  192.168.61.37            -   0014.698c.3bfc  ARPA   FastEthernet0/0.718
Internet  192.168.61.39            -   0014.698c.3bfc  ARPA   FastEthernet0/0.719
Internet  192.168.61.38            0   Incomplete      ARPA
Internet  192.168.60.121           -   0014.698c.3bfc  ARPA   FastEthernet0/0.44
Internet  192.168.60.122           0   0008.da56.7300  ARPA   FastEthernet0/0.44
Internet  192.168.61.65            -   0014.698c.3bfc  ARPA   FastEthernet0/0.355
Internet  192.168.61.66            0   001b.7858.2ef7  ARPA   FastEthernet0/0.355
Internet  192.168.61.69            -   0014.698c.3bfc  ARPA   FastEthernet0/0.580
Internet  192.168.61.70            0   0008.da54.7ff2  ARPA   FastEthernet0/0.580
Internet  192.168.61.73            -   0014.698c.3bfc  ARPA   FastEthernet0/0.702
Internet  192.168.61.74            0   0008.da54.7fbf  ARPA   FastEthernet0/0.702
Internet  192.168.61.77            -   0014.698c.3bfd  ARPA   FastEthernet0/1.356
Internet  192.168.61.78            0   0008.da54.7f7a  ARPA   FastEthernet0/1.356
Internet  192.168.61.81            -   0014.698c.3bfd  ARPA   FastEthernet0/1.357
Internet  192.168.61.82            0   0008.da54.7f92  ARPA   FastEthernet0/1.357
Internet  192.168.61.85            -   0014.698c.3bfd  ARPA   FastEthernet0/1.361
Internet  192.168.61.86            0   Incomplete      ARPA
Internet  192.168.61.89            -   0014.698c.3bfc  ARPA   FastEthernet0/0.706
Internet  192.168.61.90            0   001b.785d.74ef  ARPA   FastEthernet0/0.706
Internet  192.168.61.93            -   0014.698c.3bfd  ARPA   FastEthernet0/1.312
Internet  192.168.61.94            0   Incomplete      ARPA
PE-ROUTER#

# Here's the
debug output

PE-ROUTER#debug arp
ARP packet debugging is on
PE-ROUTER#
Nov 18 13:16:38.273 GMT+1: IP ARP: rcvd req src 196.216.60.122 0008.da56.7300, dst 196.216.60.121 FastEthernet0/0.44
Nov 18 13:16:38.273 GMT+1: IP ARP: sent rep src 196.216.60.121 0014.698c.3bfc, dst 196.216.60.122 0008.da56.7300 FastEthernet0/0.44
Nov 18 13:21:11.705 GMT+1: IP ARP: rcvd req src 196.216.61.66 001b.7858.2ef7, dst 196.216.61.65 FastEthernet0/0.355
Nov 18 13:21:11.705 GMT+1: IP ARP: sent rep src 196.216.61.65 0014.698c.3bfc, dst 196.216.61.66 001b.7858.2ef7 FastEthernet0/0.355
Nov 18 13:24:18.564 GMT+1: IP ARP: rcvd req src 196.216.61.82 0008.da54.7f92, dst 196.216.61.81 FastEthernet0/1.357
Nov 18 13:24:18.564 GMT+1: IP ARP: sent rep src 196.216.61.81 0014.698c.3bfd, dst 196.216.61.82 0008.da54.7f92 FastEthernet0/1.357

PE-ROUTER#ping vrf customerXYZ-vpn 196.216.61.82
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 196.216.61.82, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
PE-ROUTER#

PE-ROUTER#sh vlans dot1q fastEthernet 0/1.357
FastEthernet0/1.357 (0)
   121420932 packets, 21505176184 bytes input
   193767899 packets, 237095028833 bytes output
PE-ROUTER#

From pigsign.pykota at gmail.com Tue Nov 18 07:39:08 2008
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Tue, 18 Nov 2008 20:39:08 +0800
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To: <003301c94976$a0bbf190$e233d4b0$%varaillon@cosmoline.com>
References: <000c01c94969$553b6780$ffb23680$%varaillon@cosmoline.com> <003301c94976$a0bbf190$e233d4b0$%varaillon@cosmoline.com>
Message-ID:

Hi,

You are right, the Linux firewall already does the NAT translation. The GRE tunnel worked ok when I did not configure the "keepalive" command on the tunnel interface. But when I configure "keepalive", the tunnel soon goes to down status....

Thanks

pigsign

2008/11/18 Varaillon Jean Christophe :
> Hi,
>
>>The routers can reach each other by ping.
>
> So the routing between the 172.16.1.1 and 1.1.1.1 is working.
>
>> But the problem is Router01's IP address is private (172.16.1.1) and Router02 will not reply to the packet correctly.
>
> Is your firewall allowing GRE traffic to flow between both routers?
> Did you configure your translation statement in your firewall so that GRE traffic can be initiated from both sides?
>
> Christophe
>
> 2008/11/18 Varaillon Jean Christophe :
>> Hi
>>
>> For the tunnel to be operational, each router should be able to reach the destination IP of the tunnel from the source IP of the tunnel (extended ping command will help you).
>>
>> When this is done, meaning, ping from IP source of the tunnel to IP destination of the tunnel works, then you can set-up your keepalive functionality.
>>
>> Christophe
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
>> Sent: Tuesday, November 18, 2008 12:23 PM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>>
>> Hi All,
>>
>> The Cisco GRE tunnel keepalive mechanism requires a public IP on both sites. But I have one router in a NAT environment whose IP address is a private IP address, and the other, outside router has a public IP address, so when I configure "keepalive" on the tunnel interface, the tunnel interface immediately shows "line protocol down"....
>>
>> Does anyone have any idea about this?
>>
>> Thanks :)
>>
>> pigsign
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>> __________ Information from ESET Smart Security, version of virus signature database 3620 (20081118) __________
>>
>> The message was checked by ESET Smart Security.
>>
>> http://www.eset.com
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ib_cims at yahoo.com Tue Nov 18 07:45:01 2008
From: ib_cims at yahoo.com (Ibrahim Alsharif)
Date: Tue, 18 Nov 2008 04:45:01 -0800 (PST)
Subject: [c-nsp] Cisco ASA ASDM
References:
Message-ID: <483583.71734.qm@web63804.mail.re1.yahoo.com>

Hello Guys,

Thank you Jeff & Ryan, I've solved the problem. All I needed to do was, from one of the two contexts, issue this command:

admin-context C-A

C-A is one of the two contexts I have in addition to the admin context.

Thanks
Ibrahim Alsharif

________________________________
From: "cisco-nsp-request at puck.nether.net"
To: cisco-nsp at puck.nether.net
Sent: Monday, November 17, 2008 5:47:54 PM
Subject: cisco-nsp Digest, Vol 72, Issue 72

Send cisco-nsp mailing list submissions to
    cisco-nsp at puck.nether.net

To subscribe or unsubscribe via the World Wide Web, visit
    https://puck.nether.net/mailman/listinfo/cisco-nsp
or, via email, send a message with subject or body 'help' to
    cisco-nsp-request at puck.nether.net

You can reach the person managing the list at
    cisco-nsp-owner at puck.nether.net

When replying, please edit your Subject line so it is more specific than "Re: Contents of cisco-nsp digest..."

Today's Topics:

   1. Dear Sender, (hans)
   2. Re: Virtual Routers (Ben Steele)
   3. Re: FWSM (3.1) - Memory and CPU issue (Varaillon Jean Christophe)
   4. Re: Catalyst 3750 stacks with many members (Phil Mayers)
   5. Re: Virtual Routers (Ben Steele)
   6. Re: tftp (Aaron)
   7. Cisco ASA ASDM (Ibrahim Alsharif)
   8. VSS SRND (Pavel Skovajsa)
   9. BGP Distribute List (Mike Louis)

----------------------------------------------------------------------

Message: 1
Date: Mon, 17 Nov 2008 10:25:36 +0100
From: "hans"
Subject: [c-nsp] Dear Sender,
To: cisco-nsp at puck.nether.net
Message-ID: <10811171025.AA05088 at beolink.com>

Dear Sender,

Thank you very much for your message. I am currently out of the office and will reply to your e-mail upon my return on Monday, November 24th. Should you need immediate assistance, please call our office at +34 952 817 250.

Best regards,

Hans-Georg Luna Oesterreich

------------------------------

Message: 2
Date: Mon, 17 Nov 2008 21:38:33 +1030
From: "Ben Steele"
Subject: Re: [c-nsp] Virtual Routers
To: "'Holemans Wim'" ,
Message-ID: <000901c948a4$d4c7f380$7e57da80$@steele at internode.on.net>
Content-Type: text/plain; charset="us-ascii"

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host ->6500 VLAN 1 -> FWSM -> 6500 VLAN 2(PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.
Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables ? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.175 / Virus Database: 270.9.4/1793 - Release Date: 16/11/2008 7:58 PM

------------------------------

Message: 3
Date: Mon, 17 Nov 2008 13:11:47 +0200
From: Varaillon Jean Christophe
Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue
To: "'Cisco-nsp'"
Message-ID: <000301c948a5$4bec2260$e3c46720$%varaillon at cosmoline.com>
Content-Type: text/plain; charset=us-ascii

Replying to my own post.

Concerning the CPU, this is a known issue: CSCsi63155
"the CPU usage of one of the context goes up to 60% and it stays there "
(http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/release/notes/fwsmrn31.html#wp161596)

Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Varaillon Jean Christophe
Sent: Friday, November 14, 2008 2:07 PM
To: 'Cisco-nsp'
Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue

>The CPU of context2 is never changing (stuck at 62%) and this does not reflect at all the pattern of traffic/connection/translation that we get during a working day. Why? What would keep the CPU so busy given that the amount of traffic is not the issue here?

This output shows clearly that the traffic is almost null but still it has 60% of CPU. What could justify such a value?

FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup          279/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept        0/s          0/s

Thanks,

Christophe

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 4
Date: Mon, 17 Nov 2008 09:57:42 +0000
From: Phil Mayers
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members
To: Holemans Wim
Cc: cisco-nsp at puck.nether.net
Message-ID: <20081117095742.GA30401 at wildfire.net.ic.ac.uk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On Mon, Nov 17, 2008 at 09:34:55AM +0100, Holemans Wim wrote:
>Got some personal mails all in support of the stacking, saw only negative mails on the list, interesting...
>Price difference between 2x 3750 and a 6504 is not so small and a 6504

Sure, but you were talking about stacks of 7. We've run stacks of 2 for years without trouble.

------------------------------

Message: 5
Date: Mon, 17 Nov 2008 21:54:20 +1030
From: "Ben Steele"
Subject: Re: [c-nsp] Virtual Routers
To: "'Ben Steele'" , "'Holemans Wim'" ,
Message-ID: <000c01c948a7$08fc4aa0$1af4dfe0$@steele at internode.on.net>
Content-Type: text/plain; charset="us-ascii"

Actually I just realised after I sent this that you will need to PBR the last hop in the 6500 before the inside host too if you haven't brought it into a vrf otherwise the initial route will take hold and loop you back into the FWSM again.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, 17 November 2008 9:39 PM
To: 'Holemans Wim'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Virtual Routers

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host ->6500 VLAN 1 -> FWSM -> 6500 VLAN 2(PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables ? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 6
Date: Mon, 17 Nov 2008 09:51:01 -0500
From: Aaron
Subject: Re: [c-nsp] tftp
To: "chloe K"
Cc: cisco-nsp at puck.nether.net
Message-ID: <480dad640811170651o8f101cfy2ea6af511e11536d at mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

What do you mean verify? Assuming you mean verify the image was copied correctly, you can look at the MD5 signature via the verify command.

To verify the checksum of a file on a flash memory file system or compute a Message Digest 5 (MD5) signature for a file, use the verify command in privileged EXEC mode.

verify [/md5 [md5-value]] filesystem:[file-url]

Cisco 7600 Series Router

verify {/md5 flash-filesystem [expected-md5-signature] | /ios flash-filesystem | flash-filesystem}

On Sat, Nov 15, 2008 at 3:33 PM, chloe K wrote:
> yes. it works
>
> how can I verify the flash?
>
> Thank you
>
> Mark Tinka wrote:
> On Saturday 15 November 2008 19:57:18 chloe K wrote:
>
> > Hi
> >
> > How to copy the flash to tftp?
>
> #copy flash: tftp:
>
> Cheers,
>
> Mark.
>
> _______________________________________________
> cisco-nsp mailing list
cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------ Message: 7 Date: Mon, 17 Nov 2008 06:51:23 -0800 (PST) From: Ibrahim Alsharif Subject: [c-nsp] Cisco ASA ASDM To: cisco-nsp at puck.nether.net Message-ID: <584081.58404.qm at web63805.mail.re1.yahoo.com> Content-Type: text/plain; charset=us-ascii Hello Dears, I'm working on Single ASA 5540 device I've configured it with two security context (C-A) & (C-B) when I accessed the ASA through ASDM it shows only (C-A) Context only one context appear in the ASDM. what I want to know how I can administer the two security contexts from ASDM. Thank you, Ibrahim Alsharif, ? ? ? ------------------------------ Message: 8 Date: Mon, 17 Nov 2008 16:23:43 +0100 From: "Pavel Skovajsa" Subject: [c-nsp] VSS SRND To: cisco-nsp at puck.nether.net Message-ID: ??? <323aca890811170723l65655b92p38abd9eb8ecf0cba at mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1 Hello all, does anybody have a clue when the VSS Block SRND is going to be published on Design Zone? The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that: "" Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd. "" This has been there for almost 6 months now, and still no VSS SRND.... Thanks, Pavel Skovajsa ------------------------------ Message: 9 Date: Mon, 17 Nov 2008 10:47:31 -0500 From: Mike Louis Subject: [c-nsp] BGP Distribute List To: "cisco-nsp at puck.nether.net" Message-ID: ??? Content-Type: text/plain; charset="us-ascii" I have a distribute list setup to reference a prefix list in a bgp configuration. 
However the outbound filtering is not working and I have reset bgp connection with soft outbound reset. Here is the config. Any ideas why this is not working? router bgp 100 no synchronization bgp log-neighbor-changes network x.x.230.160 mask 255.255.255.252 network 172.x.36.0 mask 255.255.254.0 network 172.x.253.152 mask 255.255.255.252 network 172.x.253.156 mask 255.255.255.252 network 172.x.255.0 mask 255.255.255.0 neighbor x.x.230.161 remote-as 65000 neighbor x.x.230.161 weight 500 neighbor x.x.230.161 distribute-list routeout out neighbor 172.x.255.252 remote-as 65535 neighbor 172.x.255.252 distribute-list routeout out no auto-summary I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router.? I am not worried about inbound received routes, just outbound filtering based on a specific prefix list. Any ideas? ________________________________ Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. 
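A config cross-check for the kind of mismatch this message describes (a neighbor filter whose referenced list is not defined, or is only defined as a different list type). This is an added example, not code from the list or from Cisco; it assumes the IOS line formats shown in the message (`neighbor <peer> distribute-list|prefix-list|filter-list|route-map <name> in|out`, with lists defined by `ip prefix-list`, `access-list`/`ip access-list`, `ip as-path access-list` and `route-map`), runs over a constructed config with RFC 5737 addresses, and reports a keyword/list-type mismatch for review rather than asserting how a given IOS release treats it.

```python
"""Cross-check the list names referenced by BGP neighbor filters.

Added example (not from the mailing list or Cisco): it parses an IOS
running-config excerpt and reports neighbor filter statements whose
referenced list is never defined, or is defined only as a different
list type than the keyword normally takes.
"""
import re
from typing import Dict, List, Set, Tuple

# List type each neighbor filter keyword is normally paired with.
FILTER_KINDS = {
    "distribute-list": "access-list",
    "prefix-list": "prefix-list",
    "filter-list": "as-path",
    "route-map": "route-map",
}

# How each list type is defined in the config (first capture = list name).
DEF_PATTERNS = {
    "access-list": [
        re.compile(r"^access-list\s+(\S+)\s"),
        re.compile(r"^ip access-list\s+(?:standard|extended)\s+(\S+)"),
    ],
    "prefix-list": [re.compile(r"^ip prefix-list\s+(\S+)\s")],
    "as-path": [re.compile(r"^ip as-path access-list\s+(\S+)\s")],
    "route-map": [re.compile(r"^route-map\s+(\S+)")],
}

NEIGHBOR_FILTER = re.compile(
    r"^\s*neighbor\s+(\S+)\s+(distribute-list|prefix-list|filter-list|route-map)"
    r"\s+(\S+)\s+(in|out)\s*$"
)

# Constructed sample, modelled on the posted config with RFC 5737 addresses.
SAMPLE_CONFIG = """\
ip prefix-list routeout seq 5 permit 192.0.2.160/30
ip prefix-list routeout seq 10 permit 172.16.36.0/23
ip access-list standard inbound-ok
 permit 172.16.0.0 0.0.255.255
!
router bgp 100
 no synchronization
 neighbor 192.0.2.161 remote-as 65000
 neighbor 192.0.2.161 distribute-list routeout out
 neighbor 192.0.2.161 distribute-list inbound-ok in
 neighbor 172.16.255.252 remote-as 65535
 neighbor 172.16.255.252 prefix-list routeout out
 neighbor 172.16.255.252 route-map to-peer out
 no auto-summary
"""


def collect_definitions(config: str) -> Dict[str, Set[str]]:
    """Map each list type to the set of names defined for it."""
    defs: Dict[str, Set[str]] = {kind: set() for kind in DEF_PATTERNS}
    for raw in config.splitlines():
        line = raw.strip()
        for kind, patterns in DEF_PATTERNS.items():
            for pattern in patterns:
                match = pattern.match(line)
                if match:
                    defs[kind].add(match.group(1))
    return defs


def collect_neighbor_filters(config: str) -> List[Tuple[str, str, str, str]]:
    """Return (neighbor, keyword, name, direction) for each neighbor filter line."""
    return [m.groups() for m in map(NEIGHBOR_FILTER.match, config.splitlines()) if m]


def audit_neighbor_filters(config: str) -> List[str]:
    """Report neighbor filters whose referenced list is missing or of another type."""
    defs = collect_definitions(config)
    findings = []
    for neighbor, keyword, name, direction in collect_neighbor_filters(config):
        expected = FILTER_KINDS[keyword]
        ref = f"neighbor {neighbor} {keyword} {name} {direction}"
        if name in defs[expected]:
            continue  # referenced list exists with the expected type
        elsewhere = sorted(kind for kind, names in defs.items() if name in names)
        if elsewhere:
            findings.append(
                f"mismatch: {ref} expects {expected} '{name}', "
                f"which is only defined as {', '.join(elsewhere)}"
            )
        else:
            findings.append(f"undefined: {ref} references {expected} '{name}', which is not defined")
    return findings


if __name__ == "__main__":
    for finding in audit_neighbor_filters(SAMPLE_CONFIG):
        print(finding)
```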
------------------------------

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp

End of cisco-nsp Digest, Vol 72, Issue 72
*****************************************

From oboehmer at cisco.com Tue Nov 18 08:03:08 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 18 Nov 2008 14:03:08 +0100
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
References: <000c01c94969$553b6780$ffb23680$%varaillon@cosmoline.com> <003301c94976$a0bbf190$e233d4b0$%varaillon@cosmoline.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com>

Well, it looks like the linux NAT/firewall is not NAT'ing the keepalive GRE packets correctly, otherwise they would not arrive with the 172.16.1.1 src address on router2. Not sure what's happening there, but I would focus my attention on the NAT/firewall box.. I guess NAT for the "other" GRE packets works just fine? Maybe related to the different protocol type (0x0) or the lack of payload in the GRE keepalive packet?

oli

Darren Yang <> wrote on Tuesday, November 18, 2008 13:39:
> Hi,
>
> You said right, the linux firewall already did NAT translate.
> The GRE tunnel worked ok when I did not configure "keepalive" command
> in tunnel interface. But when I configure "keepalive" that the tunnel
> would soon appear down status....
>
> Thanks
>
> pigsign
>
> 2008/11/18 Varaillon Jean Christophe :
>> Hi,
>>
>>> The routers can ping reachable each other.
>>
>> So the routing between the 172.16.1.1 and 1.1.1.1 is working.
>>
>>> But problem is Router01's ip address is private(172.16.1.1) and
>>> Router02 will not reply packet correctly.
>>
>> Is your firewall allowing GRE traffic to flow between both routers?
>> Did you configure your translation statement in your firewall so
>> that GRE traffic can be initiated from both sides?
>>
>> Christophe
>>
>> 2008/11/18 Varaillon Jean Christophe :
>>> Hi
>>>
>>> For the tunnel to be operational, each router should be able to
>>> reach the destination IP of the tunnel from the source IP of the
>>> tunnel (extended ping command will help you).
>>>
>>> When this is done, meaning, ping from IP source of the tunnel to IP
>>> destination of the tunnel works, then you can set-up your keepalive
>>> functionality.
>>>
>>> Christophe
>>>
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Darren Yang
>>> Sent: Tuesday, November 18, 2008 12:23 PM
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Tunnel keepalive in NAT environment problem
>>>
>>> Hi All,
>>>
>>> Because Cisco GRE tunnel keepalive mechanism that must have public IP
>>> on both site.
>>> But I have one Router in NAT environment that it's ip address is
>>> private IP address and another outside Router is public IP address,
>>> so when I configure "keepalive" on tunnel interface, the tunnel
>>> interface would show "line protocol down" message directly....
>>>
>>> If anyone have idea about this ?
>>>
>>> Thanks :)
>>>
>>> pigsign
>>>
>>> __________ Information from ESET Smart Security, version of virus
>>> signature database 3620 (20081118) __________
>>>
>>> The message was checked by ESET Smart Security.
>>>
>>> http://www.eset.com

From chloekcy2000 at yahoo.ca Tue Nov 18 08:23:15 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Tue, 18 Nov 2008 08:23:15 -0500 (EST)
Subject: [c-nsp] how can kick out the users
Message-ID: <236163.22909.qm@web57408.mail.re1.yahoo.com>

Hi

I have those idle connections. How can I kick them out?

Line     User   Host(s)   Idle    Location
98 vty 0        idle      15w0d   dslpiens.yhk.com
99 vty 1        idle      15w0d   dslpiens.yhk.com

Thank you

From jmenendez at mecon.gov.ar Tue Nov 18 09:29:43 2008
From: jmenendez at mecon.gov.ar (Juan Angel Menendez)
Date: Tue, 18 Nov 2008 11:29:43 -0300
Subject: [c-nsp] how can kick out the users
In-Reply-To: <236163.22909.qm@web57408.mail.re1.yahoo.com>
References: <236163.22909.qm@web57408.mail.re1.yahoo.com>
Message-ID: <200811181429.mAIETgBa028487@racing2.mecon.ar>

clear line vty 0
clear line vty 1

Regards
Juan

At 10:23 18/11/2008, chloe K wrote:
> Hi
>
> I have those idle connections.
> How can I kick them out?
>
> Line     User   Host(s)   Idle    Location
> 98 vty 0        idle      15w0d   dslpiens.yhk.com
> 99 vty 1        idle      15w0d   dslpiens.yhk.com
>
> Thank you

From gert at greenie.muc.de Tue Nov 18 08:46:32 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 18 Nov 2008 14:46:32 +0100
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <000001c94927$892008e0$9b601aa0$@org>
References: <000001c94927$892008e0$9b601aa0$@org>
Message-ID: <20081118134632.GT8535@greenie.muc.de>

Hi,

On Mon, Nov 17, 2008 at 09:44:00PM -0500, Paul Stewart wrote:
> What I'm after (and posed this question to Cisco in the summer at
> Networkers) is to assign IPv4 address via PPPOE as is done today and also
> assign an IPv6 address as well? Is there such a method?

It will "just work". You configure the IPv4 stuff as usual, and then add the IPv6 stuff to your interface/radius/... config.

PPP will negotiate IPv4 (IPCP) and IPv6 (IPv6CP) independently, and you can run v4-only, v6-only or v4+v6.

> Specially, customers who are served today via PPPOE get an IPv4 address
> dynamically assigned from an IP POOL after authenticating against Radius.
> I'd like to extend that and offer dynamic IPv6 space as well.

"Will just work".

(I have no configuration examples at hand right now, but our L2TP dial-in works just like this, except with static IPv6 assignments from Radius)

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From newton at atdot.dotat.org Tue Nov 18 08:58:26 2008
From: newton at atdot.dotat.org (Mark Newton)
Date: Wed, 19 Nov 2008 00:28:26 +1030
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <20081118134632.GT8535@greenie.muc.de>
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de>
Message-ID: <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org>

On 19/11/2008, at 12:16 AM, Gert Doering wrote:
>
> On Mon, Nov 17, 2008 at 09:44:00PM -0500, Paul Stewart wrote:
>> What I'm after (and posed this question to Cisco in the summer at
>> Networkers) is to assign IPv4 address via PPPOE as is done today
>> and also assign an IPv6 address as well? Is there such a method?
>
> It will "just work". You configure the IPv4 stuff as usual, and then
> add the IPv6 stuff to your interface/radius/... config.

Very platform dependent.

Don't expect it to do much useful stuff on a 10k, f'rinstance.

It works fine on a 7200 (it's how I get IPv6 at home). But if your LNS/BRAS is a PXF platform you're kinda out of luck, and if it's an ASR1000-series you'll have to wait a while for the IP6CP feature support to be added.

The next challenge is to find consumer-grade ADSL2+ CPE which does IPv6. Can't expect all my residential customers to run out and buy 877's, right?

- mark

--------------------------------------------------------------------
I tried an internal modem,                newton at atdot.dotat.org
but it hurt when I walked.
                                          Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From cayers at ena.com Tue Nov 18 08:39:47 2008
From: cayers at ena.com (Cory Ayers)
Date: Tue, 18 Nov 2008 07:39:47 -0600
Subject: [c-nsp] how can kick out the users
In-Reply-To: <236163.22909.qm@web57408.mail.re1.yahoo.com>
References: <236163.22909.qm@web57408.mail.re1.yahoo.com>

> I have those idle connections. How can I kick them out?
>
> Line     User   Host(s)   Idle    Location
> 98 vty 0        idle      15w0d   dslpiens.yhk.com
> 99 vty 1        idle      15w0d   dslpiens.yhk.com
>
> Thank you

clear line 98
clear line 99

OR

clear line vty 0
clear line vty 1

OR

If the session is hung and the above fails, look at your TCP sessions and clear the TCB. Be careful not to clear the wrong session (BGP, LDP, etc.).

show tcp brief | i \.23_
TCB       Local Address           Foreign Address                (state)
2055F37C  x.x.x.x.23              dslpiens.yhk.com.50000         ESTAB
64C1E884  x.x.x.x.23              dslpiens.yhk.com.50000         ESTAB

clear tcp tcb 2055F37C
clear tcp tcb 64C1E884

-Cory

From oliver.eyre at cirruscomms.com.au Tue Nov 18 07:55:53 2008
From: oliver.eyre at cirruscomms.com.au (Oliver Eyre)
Date: Tue, 18 Nov 2008 23:55:53 +1100
Subject: [c-nsp] NAT out via loopback
In-Reply-To: <49221DBA.2040104@estalea.com>
References: <49221DBA.2040104@estalea.com>
Message-ID: <4922BB59.6000708@cirruscomms.com.au>

Hi Jeff,

Not sure if this is the best solution, but at my office we have a primary link and a backup link and we NAT out of the loopback so our telnet and SSH sessions don't crash on us if we ever switch links.

Here are the relevant bits of config (on 1811):

interface Loopback0
 ip nat outside

interface FastEthernet0
 description Primary link
 ip nat outside

interface FastEthernet1
 description Backup link
 ip nat outside

interface Vlan100
 description Internal Network
 ip nat inside

ip nat inside source list 11 interface Loopback0 overload

Hope this helps.
Oliver

Jeff Behl wrote:
> i've got two 3560s, each with a privately addressed point-to-point link
> to a 2851 (a trunked gig interface for each) and both connected to an ISP:
>
>
> ISP---3560----p2p-----
>                       2851
> ISP---3560----p2p-----
>
> The 3560s are connected to the ISP and have a public /25 routed to them
> via p2p links. They also have a number of private networks that contain
> numerous hosts that they act as the gateway for (HSRP). The 3560s
> advertise a default route via ospf which is picked up by the 2851. They
> also have a static default pointing to the ISP.
>
> The 2851 has a couple public /32 addresses on loopbacks which are
> advertised via ospf and picked up by the 3560s (i've split the /25 into
> a few different blocks). One of them acts as a static IPSEC/GRE VPN
> tunnel endpoint, and I'd like the other to be an external NAT
> interface. The reason for this setup was to be able to maintain the VPN
> link during the loss of one of the switches. To this end everything is
> working as expected, at least in terms of the VPN tunnel.
>
> But now the trickier part...I'd like some of the hosts on the private
> networks for which the 3560s are doing the routing to be able to get to
> the internet via NAT. As the 3560s don't do NAT, it has to be the 2851
> that does it. I'm looking for suggestions on the most elegant solution
> for doing this?? Basically, one of the loopbacks on the 2851 would be
> the outgoing IP address for NAT translations. Though I've not used VRFs
> before, I'm getting inklings they could be used in a scenario such as
> this? The other solution seems to be some sort of policy based
> routing. I've used policy based routing in the past to direct traffic
> that needs to be NATd from a switch to a router but it was a little
> simpler in that the router's outgoing NAT address was just a normal
> sub-interface and not a loopback.
>
> Thanks for any help.
> jeff

From gert at greenie.muc.de Tue Nov 18 09:34:07 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 18 Nov 2008 15:34:07 +0100
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org>
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org>
Message-ID: <20081118143406.GX8535@greenie.muc.de>

Hi,

On Wed, Nov 19, 2008 at 12:28:26AM +1030, Mark Newton wrote:
> >It will "just work". You configure the IPv4 stuff as usual, and then
> >add the IPv6 stuff to your interface/radius/... config.
>
> Very platform dependent.
>
> Don't expect it to do much useful stuff on a 10k, f'rinstance.
>
> It works fine on a 7200 (it's how I get IPv6 at home). But if your
> LNS/BRAS is a PXF platform you're kinda out of luck, and if it's an
> ASR1000-series you'll have to wait a while for the IP6CP feature
> support to be added.

Sorry, you're right. I should have mentioned it. (As far as I understand, support for the C10k is "in the works", though. No idea about ASR).

> The next challenge is to find consumer-grade ADSL2+ CPE which
> does IPv6. Can't expect all my residential customers to run out
> and buy 877's, right?

I run a Linksys WRT54GL with OpenWRT and an external ADSL2+ modem (bridging PPPoE to the WRT). Not a solution that's really suitable for large scale customer rollout - but it works *very* well... :)

And yes, it would be nice if the Linksys products would get IPv6 support in their "as shipped" firmware. It's not that hard, there's Linux inside (oh wait, they moved to $somethingelse, for some weird internal reason...).

gert

-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                  gert at greenie.muc.de
fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From paul at paulstewart.org Tue Nov 18 09:48:03 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 18 Nov 2008 09:48:03 -0500
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <20081118143406.GX8535@greenie.muc.de>
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118143406.GX8535@greenie.muc.de>
Message-ID: <000c01c9498c$af818580$0e849080$@org>

Thanks for all the replies... this is mainly driven by having our access network "IPv6 ready" for clients.... we have our distribution and core all running dual-stack for quite a while now. Now it's time to take it to the access side of things or at least have it ready to go ;)

The devices involved range from 2600's up to 7206VXR's so I'll just have to try and see what happens hehe...

Appreciate it,

Paul

From risnaini at indo.net.id Tue Nov 18 10:24:09 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Tue, 18 Nov 2008 22:24:09 +0700
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <000c01c9498c$af818580$0e849080$@org>
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118143406.GX8535@greenie.muc.de> <000c01c9498c$af818580$0e849080$@org>
Message-ID: <4922DE19.2060002@indo.net.id>

IOS version I've implemented: 12.3 4T over 3600 router platform

a. r. isnaini rangkayo sutan

Paul Stewart wrote:
> Thanks for all the replies... this is mainly driven by having our access
> network "IPv6 ready" for clients.... we have our distribution and core all
> running dual-stack for quite a while now. Now it's time to take it to the
> access side of things or at least have it ready to go ;)
>
> The devices involved range from 2600's up to 7206VXR's so I'll just have to
> try and see what happens hehe...
>
> Appreciate it,
>
> Paul

From tdurack at gmail.com Tue Nov 18 10:23:19 2008
From: tdurack at gmail.com (Tim Durack)
Date: Tue, 18 Nov 2008 10:23:19 -0500
Subject: [c-nsp] FHRP's and STP
In-Reply-To: <702283.53895.qm@web902.biz.mail.mud.yahoo.com>
References: <702283.53895.qm@web902.biz.mail.mud.yahoo.com>
Message-ID: <9e246b4d0811180723q5f6259a1tadfa2114cd3d8d1b@mail.gmail.com>

That's an interesting idea - tying FHRP state to STP state. Would reduce config complexity, as FHRP would "inherit" state from STP, and could reduce FHRP load (which I'm most interested in.)

Cisco have introduced HSRP group follow:

int g1/1.10
 encapsulation dot1q 10
 ...
 standby 10 name VLAN10
 ...
int g1/1.20
 encapsulation dot1q 20
 ...
 standby 20 name VLAN20
 standby 20 follow VLAN10
end

Not what you are asking for, but potentially useful. Unfortunately it doesn't seem to work on VLAN interfaces on a 6500.

Tim:>

On Mon, Nov 17, 2008 at 9:25 PM, Kevin Graham <kgraham at industrial-marshmallow.com> wrote:
> Is there a way to (safely) force any of the FHRP's into a multiple-active setup
> such that the first router to see a packet can route it? Namely, I'm frustrated
> by instances w/ L3 switches where the L2 topology (via STP) doesn't match the
> L3 topology (via a FHRP) resulting in cases where traffic gets L2 switched by a
> FHRP standby on its way to the active router only to get punted back again.
>
> A tracking object based on STP state would probably be sufficient, though being
> able to assign multiple routers to an active forwarding group seems ideal. Am I
> missing something obviously?
From mailing-list at technicelixir.com Tue Nov 18 10:40:56 2008
From: mailing-list at technicelixir.com (David Rose)
Date: Tue, 18 Nov 2008 09:40:56 -0600
Subject: [c-nsp] route problem
References: <20081117234844.GB25107@rtp-cse-489.cisco.com>
Message-ID: <4922E208.2000203@technicelixir.com>

My best guess is that you have a NAT problem. Since your router is doing NAT, the outside interface is probably the one facing the internet. However, the guest users are coming from the inside of your network, so the router can't send them out the internet facing interface to come back into the external NAT address for your web servers.

There are ways to address this, both with DNS and with reconfiguration, but the best approach would depend on your setup.

David

Dan Letkeman wrote:
> Sorry for the poor diagram.
>
> The vlan's are both on the 3560 and the 3560 is in routing mode. Its
> default route is the 2801 router which does the nat for the internet
> connection. Normal users are fine because they use our internal dns
> servers and have access to our internal web server.
>
> What is happening on the guest vlan is when someone goes to
> www.ourwebsite.com (this being our internal web server) they are
> resolving our external ip address for the site, but they are trying to
> access the site via the external ip address from the inside of the
> router. I'm sure it's just an access list problem.
>
> Not sure I quite understand how show ip route will help...
>
> Dan.
>
> On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn wrote:
>
>> I'm assuming your diagram was:
>>
>> normal user----vlan 500---3560 switch---2801router---internet
>> guest users---vlan 167--/
>>
>> such that inter vlan routing would happen on the 3560.
>>
>> Just follow the packet via 'sh ip route'.
>>
>> So a normal user goes to a webserver..what is the address?
>>
>> When the packet leaves the normal user does it make it in the
>> 3560 ACL on the ingress interface?
>> If so, what does 'sh ip route' say for the destination of the packet?
>> Go to next hop...etc..
>>
>> Rodney
>>
>> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote:
>>
>>> Hello,
>>>
>>> I have setup a guest vlan for internet access. When the users connect
>>> to the guest network they get only internet access and no access to
>>> any of the servers on the rest of the network. The problem I'm having
>>> now is that the users on the guest network cannot access our internal
>>> web servers. I'm wondering if this is a simple access list problem or
>>> is it a route problem?
>>>
>>> topology is as follows:
>>>
>>> normal user----------vlan 500--------------3560 switch----------2801 router------------internet
>>>                                                |
>>>                                                |
>>> guest users---------vlan 167---------------------
>>>
>>> There is an access list on vlan 167 on the 3560 switch that only
>>> allows the guest users access to the internet. So when I do a trace
>>> route from the guest network to the internal web address I get a
>>> timeout at the router. The internal web server resolves with our
>>> external ip address because the guest users are not using our internal
>>> dns servers.
>>>
>>> Any ideas where I should start?
>>>
>>> Dan.

From p.mayers at imperial.ac.uk Tue Nov 18 10:52:35 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 18 Nov 2008 15:52:35 +0000
Subject: [c-nsp] FHRP's and STP
In-Reply-To: <9e246b4d0811180723q5f6259a1tadfa2114cd3d8d1b@mail.gmail.com>
References: <702283.53895.qm@web902.biz.mail.mud.yahoo.com> <9e246b4d0811180723q5f6259a1tadfa2114cd3d8d1b@mail.gmail.com>
Message-ID: <4922E4C3.60604@imperial.ac.uk>

Tim Durack wrote:
> That's an interesting idea - tying FHRP state to STP state. Would reduce
> config complexity, as FHRP would "inherit" state from STP, and could reduce
> FHRP load (which I'm most interested in.)

Variations on the STP/FHRP problem have been discussed a number of times on this list.

It ought to be reasonably trivial to make FHRP follow STP - make the standby group follow a numbered track object:

track 10 stub-object

int VlanXX
 standby prio [100 for slave | 101 for master]
 standby track 10 10
 standby preempt

...then write a pretty simple EEM applet triggered on the relevant STP syslog messages, to parse the root/not-root status from:

sh spanning-tree vlan XX summary | inc ^Root

...and down/up the stub track object.

The problem is that STP is a deeply sub-optimal solution to many of the cases where this matters. Other vendors (Extreme, Foundry) have other proprietary protocols (ESRP, FSRP) which use ethernet-level hellos to put an entire SVI into a forwarding (master) or non-forwarding (slave) status, at both layer2 and layer3. These are arguably "easier" to use for these cases.
That kind of protocol is basically impossible to emulate on a Cisco platform - it really does require some way of shutting down layer2 forwarding. > > Cisco have introduced HSRP group follow: > > int g1/1.10 > encapsulation dot1q 10 > ... > standby 10 name VLAN10 > ... > int g1/1.20 > encapsulation dot1q 20 > ... > standby 20 name VLAN20 > standby 20 follow VLAN10 > end > > Not what you are asking for, but potentially useful. Unfortunately it > doesn't seem to work on VLAN interfaces on a 6500. Yeah: core-spare(config)#int vl2 core-spare(config-if)#standby name foo core-spare(config)#int vl3 core-spare(config-if)#standby follow foo % Warning: Named group "foo" is on a different major interface. "Different major interface" - well, duh, it's a switch. The follow groups would be useful, especially for those of us wanting to run fast hellos on many similar interfaces, but it looks like BFD all over again... "SVIs? Who uses *those* on a 6500!?!" From mailing-list at technicelixir.com Tue Nov 18 11:44:04 2008 From: mailing-list at technicelixir.com (David Rose) Date: Tue, 18 Nov 2008 10:44:04 -0600 Subject: [c-nsp] route problem In-Reply-To: References: <20081117234844.GB25107@rtp-cse-489.cisco.com> <4922E208.2000203@technicelixir.com> Message-ID: <4922F0D4.30905@technicelixir.com> Here are some options: 1. Grant access to DNS servers you control and do split-horizon. That way you can control what responses the guest users get for my internal resources. 2. Do the routing for the guest VLAN on the router and make the subinterface for the guest VLAN a NAT outside interface as well (I seem to remember this works, but you may want to test). Or if you have a spare interface on the router, you could dedicate a port to the guest VLAN. 3. Use NAT on a stick. Seem to remember seeing someone with this working once, but I wouldn't recommend it as it will degrade router performance (all packets are process switched). 4. Do NAT on the 3560 for the web server. 
Again, I wouldn't recommend this as NAT on switches tends to be far more CPU hungry than on routers/firewalls. Those are the options that come to mind quickly, but I know there are others if I were to look into it further. David Dan Letkeman wrote: > NAT problems make sense. I thought about allowing access to the > local dns servers and local web servers via the access list on the > 3560 and then changing the guest users dhcp server so they use the > local dns servers. > > Any other ideas? > > Thanks, > Dan. > > On Tue, Nov 18, 2008 at 9:40 AM, David Rose > wrote: > >> My best guess is that you have a NAT problem. Since your router is >> doing NAT, the outside interface is probably the one facing the >> internet. However, the guest users are coming from the inside of your >> network, so the router can't send them out the internet facing interface >> to come back into the external NAT address for your web servers. >> >> There are ways to address this, both with DNS and with reconfiguration, >> but the best approach would depend on your setup. >> >> David >> >> >> >> >> >> Dan Letkeman wrote: >> >>> Sorry for the poor diagram. >>> >>> The vlan's are both on the 3560 and the 3560 is in routing mode. It's >>> default route is the 2801 router which does the nat for the internet >>> connection. Normal users are fine because they use our internal dns >>> servers and have access to our internal web server. >>> >>> What is happening on the guest vlan is when someone goes to >>> www.ourwebsite.com (this being our internal web server) they are >>> resolving our external ip address for the site, but they are trying to >>> access the site via the external ip address from the inside of the >>> router. I'm sure it's just an access list problem. >>> >>> Not sure I quite understand how show ip route will help... >>> >>> Dan.
>>> >>> On Mon, Nov 17, 2008 at 5:48 PM, Rodney Dunn wrote: >>> >>> >>>> I'm assuming your diagram was: >>>> >>>> normal user----vlan 500---3560 switch---2801router---internet >>>> guest users---vlan 167--/ >>>> >>>> such that inter vlan routing would happen on the 3560. >>>> >>>> Just follow the packet via 'sh ip route'. >>>> >>>> So a normal user goes to a webserver..what is the address? >>>> >>>> When the packet leaves the normal user does it make it in the >>>> 3560 ACL on the ingress interface? >>>> If so, what does 'sh ip route' say for the destination of the packet? >>>> Go to next hop...etc.. >>>> >>>> Rodney >>>> >>>> >>>> On Mon, Nov 17, 2008 at 05:05:42PM -0600, Dan Letkeman wrote: >>>> >>>> >>>>> Hello, >>>>> >>>>> I have setup a guest vlan for internet access. When the users connect >>>>> to the guest network they get only internet access and no access to >>>>> any of the servers on the rest of the network. The problem I'm having >>>>> now is that the users on the guest network cannot access our internal >>>>> web servers. I'm wondering if this is a simple access list problem or >>>>> is it a route problem? >>>>> >>>>> topology is as follows: >>>>> >>>>> >>>>> normal user----------vlan 500--------------3560 switch----------2801 >>>>> router------------internet >>>>> | >>>>> | >>>>> guest users---------vlan 167--------------------- >>>>> >>>>> >>>>> There is an access list on vlan 167 on the 3560 switch that only >>>>> allows the guest users access to the internet. So when I do a trace >>>>> route from the guest network to the internal web address I get a >>>>> timeout at the router. The internal web server resolves with our >>>>> external ip address because the guest users are not using our internal >>>>> dns servers. >>>>> >>>>> Any ideas where I should start? >>>>> >>>>> Dan.
From jared at puck.nether.net Tue Nov 18 11:47:04 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 11:47:04 -0500 Subject: [c-nsp] downloads broken? Message-ID: <20081118164704.GB91954@puck.nether.net> Anyone else getting internal server error while downloading IOS images today? Any clue when Cisco will make software available again? - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From peter at rathlev.dk Tue Nov 18 11:58:11 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 18 Nov 2008 17:58:11 +0100 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118164704.GB91954@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> Message-ID: <1227027491.3534.1.camel@abehat> On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: > Anyone else getting internal server error while downloading > IOS images today? Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I use the SPLENDID new software download interface. :-) > Any clue when Cisco will make software available again? Maybe they're working on introducing new stable IOS releases... ;-) Regards, Peter From jared at puck.nether.net Tue Nov 18 12:08:41 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 12:08:41 -0500 Subject: [c-nsp] downloads broken?
In-Reply-To: <1227027491.3534.1.camel@abehat> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> Message-ID: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> I'm personally fed up with this crap from Cisco. They've broken so many things with software downloads over the years, including coded image access via FTP, crypto access via FTP, website requires cookies now to fetch the images, etc.. I'm not sure if the rest of you care about this stuff, or about downloading 100+ meg images to your desktop just to shift them around elsewhere from hotels, and other sites with crappy internet speeds, but someone there at cisco needs to be fired at this point. I'm fed up with them. - Jared On Nov 18, 2008, at 11:58 AM, Peter Rathlev wrote: > On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: >> Anyone else getting internal server error while downloading >> IOS images today? > > Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I > use the SPLENDID new software download interface. :-) > >> Any clue when Cisco will make software available again? > > Maybe they're working on introducing new stable IOS releases... ;-) > > Regards, > Peter From raymondh.nsp at gmail.com Tue Nov 18 12:16:09 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 19 Nov 2008 01:16:09 +0800 Subject: [c-nsp] downloads broken? In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> I think they're doing some migration. Use the new download area. I'm able to download the releases via the new Download area.
I've managed to download the images via the new download area but not via the conventional web navigation for IOS downloads. Managed to use wget to fetch from the direct url http://download-sj.cisco.com/swc/esd/02/crypto/3DES/280829702/contract/s72033-adventerprisek9_wan-mz.122-33.SXI.bin (E.g.) It's quite crappy where you'll have to get the direct link and use some other boxes to do the fetching as well... it's extremely tiring. zzz. --raymondh On Nov 19, 2008, at 1:08 AM, Jared Mauch wrote: > I'm personally fed up with this crap from Cisco. > > They've broken so many things with software downloads over the > years, including coded image access via FTP, crypto access via FTP, > website requires cookies now to fetch the images, etc.. > > I'm not sure if the rest of you care about this stuff, or about > downloading 100+ meg images to your desktop just to shift them > around elsewhere from hotels, and other sites with crappy internet > speeds, but someone there at cisco needs to be fired at this point. > > I'm fed up with them. > > - Jared > > On Nov 18, 2008, at 11:58 AM, Peter Rathlev wrote: > >> On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: >>> Anyone else getting internal server error while downloading >>> IOS images today? >> >> Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I >> use the SPLENDID new software download interface. :-) >> >>> Any clue when Cisco will make software available again? >> >> Maybe they're working on introducing new stable IOS releases... 
;-) >> >> Regards, >> Peter From jared at puck.nether.net Tue Nov 18 12:21:00 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 12:21:00 -0500 Subject: [c-nsp] downloads broken? In-Reply-To: <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> Message-ID: <010889F4-5234-4732-BA20-EBFCDE264584@puck.nether.net> On Nov 18, 2008, at 12:16 PM, raymondh (NSP) wrote: > I think they're doing some migration. > Use the new download area. I'm able to download the releases via the > new Download area. > I've managed to download the images via the new download area but > not via the conventional web navigation for IOS downloads. > > Managed to use wget to fetch from the direct url http://download-sj.cisco.com/swc/esd/02/crypto/3DES/280829702/contract/s72033-adventerprisek9_wan-mz.122-33.SXI.bin > (E.g.) > > It's quite crappy where you'll have to get the direct link and use > some other boxes to do the fetching as well... it's extremely tiring. Nobody at cisco seems to understand this is the real process used by their customers despite repeated attempts to educate them. While I actually support the use of cookies on the website (finally!)
to track that you're logged in to one component without having to force the auth 3,126,391 different times for different parts, the ongoing breakage of delivering software fixes to customers is a serious impediment to the ongoing use of Cisco devices in networks. Lynx doesn't understand ajax and can't even submit their 'Accept' form for the EULA. I've given up in hope that someone at cisco has clue of how a real network is operated, or at least anyone that can make a difference in customer experience. Perhaps we need to schedule a global scream at your SE/AM day to reinforce this. - Jared From peter at rathlev.dk Tue Nov 18 12:23:44 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 18 Nov 2008 18:23:44 +0100 Subject: [c-nsp] downloads broken? In-Reply-To: <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> Message-ID: <1227029024.3534.10.camel@abehat> On Wed, 2008-11-19 at 01:16 +0800, raymondh (NSP) wrote: > I think they're doing some migration. > Use the new download area. I'm able to download the releases via the > new Download area. > I've managed to download the images via the new download area but not > via the conventional web navigation for IOS downloads. Both seem to work again now. Neither worked before. It's still cumbersome as usual of course, but at least it works now. On Tue, 2008-11-18 at 12:08 -0500, Jared Mauch wrote: > I'm personally fed up with this crap from Cisco. > > They've broken so many things with software downloads over the years, > including coded image access via FTP, crypto access via FTP, website > requires cookies now to fetch the images, etc.. Does anyone know why Cisco started on this thing with the downloads? Did they see too many inappropriate downloads or what? I'm not sure what was wrong with the way it worked in the old days.
For large-ish customers with the relevant contracts I really can't see why Cisco would limit software downloads. It would be fine with me if they made only some very specific families (according to contract) of software "easily". Right now I can also download software that we aren't entitled to use, and removing that option would make the interface faster and easier to navigate. Regards, Peter From sethm at rollernet.us Tue Nov 18 12:27:23 2008 From: sethm at rollernet.us (Seth Mattinen) Date: Tue, 18 Nov 2008 09:27:23 -0800 Subject: [c-nsp] downloads broken? In-Reply-To: <1227029024.3534.10.camel@abehat> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> Message-ID: <4922FAFB.5020802@rollernet.us> Peter Rathlev wrote: > On Wed, 2008-11-19 at 01:16 +0800, raymondh (NSP) wrote: >> I think they're doing some migration. >> Use the new download area. I'm able to download the releases via the >> new Download area. >> I've managed to download the images via the new download area but not >> via the conventional web navigation for IOS downloads. > > Both seems to work again now. Neither worked before. It's still > cumbersome as usual of course, but at least it works now. > > On Tue, 2008-11-18 at 12:08 -0500, Jared Mauch wrote: >> I'm personally fed up with this crap from Cisco. >> >> They've broken so many things with software downloads over the years, >> including coded image access via FTP, crypto access via FTP, website >> requires cookies now to fetch the images, etc.. > > Does anyone know why Cisco started on this thing with the downloads? Did > they see too many inappropriate downloads or what? I'm not sure what was > wrong with the way it worked in the old days. > It wasn't pretty. I seriously can't think of any other reason.
~Seth From streiner at cluebyfour.org Tue Nov 18 12:36:14 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Tue, 18 Nov 2008 12:36:14 -0500 (EST) Subject: [c-nsp] downloads broken? In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: On Tue, 18 Nov 2008, Jared Mauch wrote: > I'm personally fed up with this crap from Cisco. > > They've broken so many things with software downloads over the years, > including coded image access via FTP, crypto access via FTP, website requires > cookies now to fetch the images, etc.. I feel your pain. The main thing that really annoys me is Cisco's tendency to re-design their website every 6-12 months, which is usually just long enough to get used to navigating the changes from the previous re-design. Often, the redesigns seem to include a complete overhaul of the guts of the site, so links to documents suddenly become broken. I've voiced those concerns to my account team. You should too, if you haven't already. jms From sthaug at nethelp.no Tue Nov 18 12:36:57 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Tue, 18 Nov 2008 18:36:57 +0100 (CET) Subject: [c-nsp] downloads broken? In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: <20081118.183657.74672554.sthaug@nethelp.no> > I'm not sure if the rest of you care about this stuff, or about > downloading 100+ meg images to your desktop just to shift them around > elsewhere from hotels, and other sites with crappy internet speeds, > but someone there at cisco needs to be fired at this point. > > I'm fed up with them. I suspect the only thing that is going to fix this is voting with your wallet. And telling your Cisco rep about it.
Steinar Haug, Nethelp consulting, sthaug at nethelp.no From jared at puck.nether.net Tue Nov 18 12:39:11 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 12:39:11 -0500 Subject: [c-nsp] downloads broken? In-Reply-To: <4922FAFB.5020802@rollernet.us> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> <4922FAFB.5020802@rollernet.us> Message-ID: <20081118173911.GB86391@puck.nether.net> On Tue, Nov 18, 2008 at 09:27:23AM -0800, Seth Mattinen wrote: > Peter Rathlev wrote: >> On Wed, 2008-11-19 at 01:16 +0800, raymondh (NSP) wrote: >>> I think they're doing some migration. >>> Use the new download area. I'm able to download the releases via the >>> new Download area. >>> I've managed to download the images via the new download area but not >>> via the conventional web navigation for IOS downloads. >> >> Both seems to work again now. Neither worked before. It's still >> cumbersome as usual of course, but at least it works now. >> >> On Tue, 2008-11-18 at 12:08 -0500, Jared Mauch wrote: >>> I'm personally fed up with this crap from Cisco. >>> >>> They've broken so many things with software downloads over the years, >>> including coded image access via FTP, crypto access via FTP, website >>> requires cookies now to fetch the images, etc.. >> >> Does anyone know why Cisco started on this thing with the downloads? Did >> they see too many inappropriate downloads or what? I'm not sure what was >> wrong with the way it worked in the old days. >> > > It wasn't pretty. I seriously can't think of any other reason. The old way was painful to navigate, I *much* preferred going the FTP method as a result. You could always get the same feature set as your old image and it would not have other dependencies, e.g. 3rd party cookie magic.
It would also take a long time to render the webpage in most browsers. Older versions of MSIE were horrible in the speed of rendering tables. The webkit(Safari) and other engines are much faster. The clueless IT-centric customers likely blamed it on cisco instead of their crappy software on their desktop, including the firewall/NAT devices that broke their FTP. - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From elmi at 4ever.de Tue Nov 18 12:39:32 2008 From: elmi at 4ever.de (Elmar K. Bins) Date: Tue, 18 Nov 2008 18:39:32 +0100 Subject: [c-nsp] downloads broken? In-Reply-To: <4922FAFB.5020802@rollernet.us> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> <4922FAFB.5020802@rollernet.us> Message-ID: <20081118173932.GO93039@ronin.4ever.de> sethm at rollernet.us (Seth Mattinen) wrote: > >>They've broken so many things with software downloads over the years, > >>including coded image access via FTP, crypto access via FTP, website > >>requires cookies now to fetch the images, etc.. > > > >Does anyone know why Cisco started on this thing with the downloads? Did > >they see too many inappropriate downloads or what? I'm not sure what was > >wrong with the way it worked in the old days. > > It wasn't pretty. I seriously can't think of any other reason. Crypto images are export-controlled. The legal guys probably told them "make sure that the customer reads the stuff and clicks ". Non-crypto images have been accessible by plain FTP at least until 2006 (after which we started using only images with ssh capability). I have been using wget for the "final URL" for a long time now. It does also help if you replace the FTP server name ;) Elmar. 
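An added example for the download thread above, not code posted by any of the participants: a small POSIX shell wrapper around the approach raymondh and Elmar describe (wget against the "final" direct URL) that also does the check a careful operator wants before an image fetched over plain http goes anywhere near a router, comparing the file's MD5 against the checksum Cisco lists beside the image on the download page. It assumes, per Jared's observation that the direct URL wants the site's cookies rather than HTTP auth, that the browser session's cookies have been exported to a Netscape-format cookies.txt; the cookie path and the expected hash in the commented invocation are placeholders, and the URL is the example one quoted in the thread.

```sh
#!/bin/sh
# Added example, not code posted in the thread. Fetches an IOS image from a
# direct download URL with wget (re-using cookies exported from a logged-in
# browser session) and refuses to keep the file unless its MD5 matches the
# checksum published for that exact filename on the download page.
#
# Assumptions: cookies.txt is a Netscape-format cookie file (what wget's
# --load-cookies reads); the expected MD5 is copied by hand from the download
# page; the URL in the commented call is the one quoted in the thread and
# stands in for any image.

# Print the MD5 of a file, using GNU md5sum or BSD md5, whichever exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{ print $1 }'
    else
        md5 -q "$1"
    fi
}

# Succeed only if the file's MD5 equals the expected hex digest
# (case-insensitive); an empty or unreadable result never matches.
verify_md5() {
    vm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    vm_actual=$(md5_of "$1" 2>/dev/null)
    [ -n "$vm_actual" ] && [ "$vm_actual" = "$vm_expected" ]
}

# Download to a ".part" name so a truncated transfer is never mistaken for
# a finished image; print the final filename on success.
fetch_image() {
    fi_out=$(basename "$1")
    wget -q --load-cookies "$2" -O "$fi_out.part" "$1" || { rm -f "$fi_out.part"; return 1; }
    mv "$fi_out.part" "$fi_out" && printf '%s\n' "$fi_out"
}

# fetch_and_verify URL COOKIE_FILE EXPECTED_MD5
# Keeps the image only if the checksum matches; otherwise deletes it.
fetch_and_verify() {
    fav_image=$(fetch_image "$1" "$2") || return 1
    if verify_md5 "$fav_image" "$3"; then
        printf 'OK: %s matches the published MD5; safe to stage on the TFTP/SCP host\n' "$fav_image"
    else
        printf 'MISMATCH: %s does not match the published MD5; deleting\n' "$fav_image" >&2
        rm -f "$fav_image"
        return 1
    fi
}

# Example invocation (placeholders; the hash is not a real image checksum):
# fetch_and_verify \
#   'http://download-sj.cisco.com/swc/esd/02/crypto/3DES/280829702/contract/s72033-adventerprisek9_wan-mz.122-33.SXI.bin' \
#   "$HOME/cookies.txt" \
#   0123456789abcdef0123456789abcdef
```

Repeat the comparison once the file is on the box: IOS has `verify /md5 <filesystem>:<image> <hash>`, so the value copied from the download page is checked against what actually landed in flash, not just against the copy on the staging host. The usual caveat applies: a published MD5 only catches a corrupted or substituted download if the expected value was read from the authenticated cisco.com session and not from the same unauthenticated place the file came from.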
From jared at puck.nether.net Tue Nov 18 12:41:58 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 12:41:58 -0500 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118.183657.74672554.sthaug@nethelp.no> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <20081118.183657.74672554.sthaug@nethelp.no> Message-ID: <20081118174158.GC86391@puck.nether.net> On Tue, Nov 18, 2008 at 06:36:57PM +0100, sthaug at nethelp.no wrote: > > I'm not sure if the rest of you care about this stuff, or about > > downloading 100+ meg images to your desktop just to shift them around > > elsewhere from hotels, and other sites with crappy internet speeds, > > but someone there at cisco needs to be fired at this point. > > > > I'm fed up with them. > > I suspect the only that is going to fix this is voting with your wallet. > And telling your Cisco rep about it. That's the process I'm now engaged in. My SE thought it was a BU problem and not an IT problem, trying to forward the request to them instead of to someone in IT. I'm going to try once again to explain business process to Cisco and exact a real resolution to this challenge. - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From benny+usenet at amorsen.dk Tue Nov 18 12:42:12 2008 From: benny+usenet at amorsen.dk (Benny Amorsen) Date: Tue, 18 Nov 2008 18:42:12 +0100 Subject: [c-nsp] DualStack IPv4/IPv6 for access? In-Reply-To: <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> (Mark Newton's message of "Wed\, 19 Nov 2008 00\:28\:26 +1030") References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> Message-ID: Mark Newton writes: > The next challenge is to find consumer-grade ADSL2+ CPE which > does IPv6. 
Can't expect all my residential customers to run out > and buy 877's, right? Mikrotik Routerboards will do it, admittedly in a prerelease (but hey, that shouldn't really scare Cisco customers...) They don't have the ADSL modem built-in though. That would have been handy. I doubt you'll find anything much cheaper. /Benny From jared at puck.nether.net Tue Nov 18 12:45:19 2008 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 18 Nov 2008 12:45:19 -0500 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118173932.GO93039@ronin.4ever.de> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> <4922FAFB.5020802@rollernet.us> <20081118173932.GO93039@ronin.4ever.de> Message-ID: <20081118174519.GD86391@puck.nether.net> On Tue, Nov 18, 2008 at 06:39:32PM +0100, Elmar K. Bins wrote: > I have been using wget for the "final URL" for a long time now. It > does also help if you replace the FTP server name ;) I've not had luck with this in recent months and had to resort to lynx as they did not honor the http auth creds sent and required the cookies. That happened back in August or so, perhaps they fixed it? - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. From vijay.ramcharan at verizonbusiness.com Tue Nov 18 12:14:14 2008 From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A) Date: Tue, 18 Nov 2008 17:14:14 +0000 Subject: [c-nsp] downloads broken? In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: http://www.cisco.com/kobayashi/sw-center/sw-ios.shtml still works for me. Currently downloading a 3660 image as a test. 
Vijay Ramcharan -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch Sent: November 18, 2008 12:09 To: Peter Rathlev Cc: cisco-nsp Subject: Re: [c-nsp] downloads broken? I'm personally fed up with this crap from Cisco. They've broken so many things with software downloads over the years, including coded image access via FTP, crypto access via FTP, website requires cookies now to fetch the images, etc.. I'm not sure if the rest of you care about this stuff, or about downloading 100+ meg images to your desktop just to shift them around elsewhere from hotels, and other sites with crappy internet speeds, but someone there at cisco needs to be fired at this point. I'm fed up with them. - Jared On Nov 18, 2008, at 11:58 AM, Peter Rathlev wrote: > On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: >> Anyone else getting internal server error while downloading >> IOS images today? > > Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I > use the SPLENDID new software download interface. :-) > >> Any clue when Cisco will make software available again? > > Maybe they're working on introducing new stable IOS releases... ;-) > > Regards, > Peter From achatz at forthnet.gr Tue Nov 18 13:20:40 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Tue, 18 Nov 2008 20:20:40 +0200 Subject: [c-nsp] netflow aggregation : as VS source-prefix Message-ID: <49230778.1010108@forthnet.gr> I'm experimenting with netflow aggregation based on AS numbers (I'm interested mainly in the downstream direction) on two boxes, a 7200/G2 and a 7600/RSP720. If I choose "as", then I have to run bgp on this box (although I don't need it). Also I don't know if the network=>as=>netflow "translation" will add any extra load to the netflow process. If I choose "source-prefix", then I have to get the network<=>AS pairs from a web page or from another router that runs bgp and process it together with the netflow data. Have you had any experiences with either of these two? Which one will produce the lowest volume of netflow data? Which one will have the lowest impact on cpu load? -- Tassos From raymondh.nsp at gmail.com Tue Nov 18 13:25:35 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 19 Nov 2008 02:25:35 +0800 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118174158.GC86391@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <20081118.183657.74672554.sthaug@nethelp.no> <20081118174158.GC86391@puck.nether.net> Message-ID: Time to bite on the local AM and global AM too; over at the same time to keep them busy too. --raymondh On Nov 19, 2008, at 1:41 AM, Jared Mauch wrote: > On Tue, Nov 18, 2008 at 06:36:57PM +0100, sthaug at nethelp.no wrote: >>> I'm not sure if the rest of you care about this stuff, or about >>> downloading 100+ meg images to your desktop just to shift them >>> around >>> elsewhere from hotels, and other sites with crappy internet speeds, >>> but someone there at cisco needs to be fired at this point.
>>> >>> I'm fed up with them. >> >> I suspect the only that is going to fix this is voting with your >> wallet. >> And telling your Cisco rep about it. > > That's the process I'm now engaged in. My SE thought it was > a BU problem and not an IT problem, trying to forward the request to > them > instead of to someone in IT. > > I'm going to try once again to explain business process > to Cisco and exact a real resolution to this challenge. > > - Jared > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are > only mine. From raymondh.nsp at gmail.com Tue Nov 18 13:27:39 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 19 Nov 2008 02:27:39 +0800 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118174519.GD86391@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> <4922FAFB.5020802@rollernet.us> <20081118173932.GO93039@ronin.4ever.de> <20081118174519.GD86391@puck.nether.net> Message-ID: <43169E04-2A0A-4002-AF5C-944BAC378061@gmail.com> *shrugs* For the past few months, I haven't had any issues with the direct link which I've gotten from the browser just to get the exact path. It's definitely a pain in the ass to be going thru their site. --raymondh On Nov 19, 2008, at 1:45 AM, Jared Mauch wrote: > On Tue, Nov 18, 2008 at 06:39:32PM +0100, Elmar K. Bins wrote: >> I have been using wget for the "final URL" for a long time now.
It >> does also help if you replace the FTP server name ;) > > I've not had luck with this in recent months and had to resort to > lynx as they did not honor the http auth creds sent and required the > cookies. > > That happened back in August or so, perhaps they fixed it? > > - Jared > > -- > Jared Mauch | pgp key available via finger from jared at puck.nether.net > clue++; | http://puck.nether.net/~jared/ My statements are > only mine. From hank at efes.iucc.ac.il Tue Nov 18 13:29:22 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 18 Nov 2008 20:29:22 +0200 (IST) Subject: [c-nsp] downloads broken? In-Reply-To: <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> Message-ID: On Wed, 19 Nov 2008, raymondh (NSP) wrote: What would happen to me or you or any of us if we were to "migrate" such a critical system in the middle of the week, in the middle of the day (US time)? -Hank > I think they're doing some migration. > Use the new download area. I'm able to download the releases via the new > Download area. > I've managed to download the images via the new download area but not via the > conventional web navigation for IOS downloads. > > Managed to use wget to fetch from the direct url > http://download-sj.cisco.com/swc/esd/02/crypto/3DES/280829702/contract/s72033-adventerprisek9_wan-mz.122-33.SXI.bin > (E.g.) > > It's quite crappy where you'll have to get the direct link and use some other > boxes to do the fetching as well... it's extremely tiring. > > zzz.
> > > --raymondh > > On Nov 19, 2008, at 1:08 AM, Jared Mauch wrote: > >> I'm personally fed up with this crap from Cisco. >> >> They've broken so many things with software downloads over the years, >> including coded image access via FTP, crypto access via FTP, website >> requires cookies now to fetch the images, etc.. >> >> I'm not sure if the rest of you care about this stuff, or about downloading >> 100+ meg images to your desktop just to shift them around elsewhere from >> hotels, and other sites with crappy internet speeds, but someone there at >> cisco needs to be fired at this point. >> >> I'm fed up with them. >> >> - Jared >> >> On Nov 18, 2008, at 11:58 AM, Peter Rathlev wrote: >> >>> On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: >>>> Anyone else getting internal server error while downloading >>>> IOS images today? >>> >>> Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I >>> use the SPLENDID new software download interface. :-) >>> >>>> Any clue when Cisco will make software available again? >>> >>> Maybe they're working on introducing new stable IOS releases... ;-) >>> >>> Regards, >>> Peter >>> >>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From hank at efes.iucc.ac.il Tue Nov 18 13:40:05 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Tue, 18 Nov 2008 20:40:05 +0200 (IST) Subject: [c-nsp] downloads broken? 
In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: On Tue, 18 Nov 2008, Jared Mauch wrote: They don't hear us, they don't see us unless we happen to be doing some 6 digit tender for equipment. With their stock having dropped from 29 to under 16 today all in the course of 12 months, do you really think any VP there cares whether Jared is having a bad download day? When a company loses $90B in market cap in a year, they are for sure cutting the "high expense, highly trained" workforce, and hiring newly minted temps and untrained newbies to reduce their payroll expenses. The results are all rather obvious. -Hank > I'm personally fed up with this crap from Cisco. > > They've broken so many things with software downloads over the years, > including coded image access via FTP, crypto access via FTP, website requires > cookies now to fetch the images, etc.. > > I'm not sure if the rest of you care about this stuff, or about downloading > 100+ meg images to your desktop just to shift them around elsewhere from > hotels, and other sites with crappy internet speeds, but someone there at > cisco needs to be fired at this point. > > I'm fed up with them. > > - Jared > > On Nov 18, 2008, at 11:58 AM, Peter Rathlev wrote: > >> On Tue, 2008-11-18 at 11:47 -0500, Jared Mauch wrote: >>> Anyone else getting internal server error while downloading >>> IOS images today? >> >> Yup, I'm redirected to http://www.cisco.com/msgs/500.html even when I >> use the SPLENDID new software download interface. :-) >> >>> Any clue when Cisco will make software available again? >> >> Maybe they're working on introducing new stable IOS releases... 
;-)
>>
>> Regards,
>> Peter
>

From rbf+cisco-nsp at panix.com Tue Nov 18 13:48:51 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Tue, 18 Nov 2008 12:48:51 -0600
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com>
Message-ID: <20081118184851.GA19851@panix.com>

On Tue, Nov 18, 2008 at 02:03:08PM +0100, Oliver Boehmer (oboehmer) wrote:
>
> Well, it looks like the linux NAT/firewall is not NAT'ing the keepalive GRE packets correctly, otherwise they would not arrive with the 172.16.1.1 src address on router2. Not sure what's happening there, but I would focus my attention on the NAT/firewall box.. I guess NAT for the "other" GRE packets work just fine? Maybe related to the different protocol type (0x0) or the lack of payload in the GRE keepalive packet?
>
> oli

The issue is that a GRE keepalive packet has the originating tunnel endpoint IP address as the destination address of the encapsulated packet. That is, consider the following:

  interface tunnel1
   tunnel source 10.0.0.1
   tunnel destination 20.0.0.2
   tunnel keepalive

(Not sure I've got the syntax right, but you get the idea.)

A keepalive packet generated by the router will look like the following:

  IP header:  Source=10.0.0.1  Destination=20.0.0.2  Protocol=GRE
  GRE Header: Protocol=IP
  Encapsulated Packet:
    IP Header:  Source=? (Not Important)  Dest=10.0.0.1  Proto=GRE
    GRE Header: 0x0000

The idea is that the router at the far end will receive the packet, remove the outer header, and transmit the encapsulated packet. (The router at the far end will, then, not do any special processing at all for a keepalive packet originating from the near end.)

The issue with keepalive is that the 10.0.0.1 appears in the encapsulated packet, so if that's being NAT'd somewhere, for keepalive to work, the NAT needs to translate the address on the encapsulated packet also. AFAIK, essentially no NATs will do that.

So, anyway, suppose that 10.0.0.1 is being NAT'd to 30.0.0.1. The far end router then receives:

  IP header:  Source=30.0.0.1  Destination=20.0.0.2  Protocol=GRE
  GRE Header: Protocol=IP
  Encapsulated Packet:
    IP Header:  Source=? (Not Important)  Dest=10.0.0.1  Proto=GRE
    GRE Header: 0x0000

The far end router's normal GRE processing then involves removing the outer header, and attempting to send the following packet:

  IP Header:  Source=? (Not Important)  Dest=10.0.0.1  Proto=GRE
  GRE Header: 0x0000

This fails because the far end router has no path to get to 10.0.0.1, because it should be sending to 30.0.0.1.

The reason that isn't a problem for "other" GRE packets is that, in general, there's no requirement that the encapsulated packet be translated by the NAT, because, in general, the tunnel endpoint IP addresses don't appear as source or destination addresses on the encapsulated packet.

More generally, GRE works fine through NAT as long as the expectation is that one or both of the tunnel endpoint addresses will be translated, but the packets flowing through the tunnel don't need NAT. However, once you enable keepalive, you effectively create a requirement that the encapsulated packets be translated, because Cisco GRE keepalive depends on using the tunnel origin/destination address in the encapsulated packet.

This also, in general, breaks keepalives when a tunnel interface has "ip forwarding vrf XXXX" and "tunnel vrf YYYY" where XXXX and YYYY aren't the same. (This is because the keepalive processing on the far end will result in a packet being sent in vrf XXXX to a destination IP address that is really in vrf YYYY.)

And, yes, I think this is horribly broken. A much better GRE keepalive implementation would be to just send

  IP header:  Source=30.0.0.1  Destination=20.0.0.2  Protocol=GRE
  GRE Header: Protocol=KeepaliveRequest

and have the far end router generate an

  IP header:  Source=20.0.0.2  Destination=30.0.0.1  Protocol=GRE
  GRE Header: Protocol=KeepaliveResponse

This would work through NAT and through complicated VRF configurations. But that's not what Cisco implemented.

-- Brett

From jbehl at estalea.com Tue Nov 18 14:02:32 2008
From: jbehl at estalea.com (Jeff Behl)
Date: Tue, 18 Nov 2008 11:02:32 -0800
Subject: [c-nsp] NAT out via loopback
In-Reply-To: <001601c9496b$5f703fd0$1e50bf70$%varaillon@cosmoline.com>
References: <49221DBA.2040104@estalea.com> <001601c9496b$5f703fd0$1e50bf70$%varaillon@cosmoline.com>
Message-ID: <49231148.7060202@estalea.com>

Redundancy. There is a hot/standby loadbalancer pair in the setup below, one connected to each switch, which sends traffic to the hosts connected to the 3560s. The hosts are dual homed to each 3560, using a bonded interface with ARP polling. With this setup I can lose the ISP or an entire switch and things keep on chugging...the site stays up. Losing the router just means the loss of the VPN link and outgoing NAT, which isn't essential.

I actually managed to get things working last night through a series of route-maps/policy routing. It's basically NAT on a stick as described: http://tinyurl.com/7ixb

jeff

Varaillon Jean Christophe wrote:
> Hi,
>
> This might be far from answering your question but why the 3560 are not behind the 2851? Why is the 2851 not directly connected to the ISP?
Wouldn't > this be simpler to set-up your NAT? > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Behl > Sent: Tuesday, November 18, 2008 3:43 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] NAT out via loopback > > i've got two 3560s, each with a privately addressed point-to-point link > to a 2851 (a trunked gig interface for each) and both connected to an ISP: > > > ISP---3560----p2p----- > 2851 > ISP---3560----p2p----- > > The 3560s are connected to the ISP and have a public /25 routed to them > via p2p links. They also have a number of private networks that contain > numerous hosts that they act as the gateway for (HSRP). The 3560s > advertise a default route via ospf which is picked up by the 2851. They > also have a static default pointing to the ISP. > > The 2851 has a couple public /32 addresses on loopbacks which are > advertised via ospf and picked up by the 3560s (i've split the /25 into > a few different blocks). One of them acts as a static IPSEC/GRE VPN > tunnel endpoint, and I'd like the other to be an external NAT > interface. The reason for this setup was to be able to maintain the VPN > link during the loss of one of the switches. To this end everything is > working as expected, at least in terms of the VPN tunnel. > > But now the trickier part...I'd like some of the hosts on the private > networks for which the 3560s are doing the routing to be able to get to > the internet via NAT. As the 3560s don't do NAT, it has to be the 2851 > that does it. I'm looking for suggestions on the most elegant solution > for doing this?? Basically, one of the loopbacks on the 2851 would be > the outgoing IP address for NAT translations. Though I've not used VRFs > before, I'm getting inklings they could be used in a scenario such as > this? The other solution seems to be some sort of policy based > routing. 
I've used policy based routing in the past to direct traffic > that needs to be NATd from a switch to a router but it was as little > simpler in that the router's outgoing NAT address was just a normal > sub-interface and not a loopback. > > Thanks for any help. > jeff > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > __________ Information from ESET Smart Security, version of virus signature > database 3620 (20081118) __________ > > The message was checked by ESET Smart Security. > > http://www.eset.com > > > > __________ Information from ESET Smart Security, version of virus signature > database 3620 (20081118) __________ > > The message was checked by ESET Smart Security. > > http://www.eset.com > > > From justin at justinshore.com Tue Nov 18 14:21:56 2008 From: justin at justinshore.com (Justin Shore) Date: Tue, 18 Nov 2008 13:21:56 -0600 Subject: [c-nsp] downloads broken? In-Reply-To: References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: <492315D4.5010101@justinshore.com> Justin M. Streiner wrote: > On Tue, 18 Nov 2008, Jared Mauch wrote: > >> I'm personally fed up with this crap from Cisco. >> >> They've broken so many things with software downloads over the years, >> including coded image access via FTP, crypto access via FTP, website >> requires cookies now to fetch the images, etc.. > > I feel your pain. The main thing that really annoys me is Cisco's > tendency to re-design their website every 6-12 months, which is usually > just long enough to get used to navigating the changes from the previous > re-design. Often, the redesigns seem to include a complete overhaul of > the guts of the site, so links to documents suddenly become broken. 
The redesigns are murder on technical folks or anyone who uses their site constantly like pretty much everyone on this list. I can understand the need to make the sales/marketing side of the website fluffy with all the requisite eye-candy of a geek's porn store. Why do they have to hose up the technical support site at the same time? We already bought the product so we really don't need or want to see the marketing crap.

They are constantly moving documents around or abandoning documents that contain tables of important, ever-changing data such as the routerperformance.pdf doc that hasn't been updated in 2 damn years. I ran across one yesterday while on the phone with TAC. I was searching for info on IPSec L2L to MPLS VPN configuration and IPSec HA. I knew that the doc "Cisco 7600 Series Router SIP, SSC, and SPA Software Configuration Guide" had most of what I was needing and dozens upon dozens of search results pointed me to it. Unfortunately it was nowhere to be found. Clicking any of the links pointing me to that doc dumped me back to the main page. I didn't get a 404 or a 'sorry this page has moved, redirecting you now'. All I got was dumped back to cisco.com and a big FU for my efforts.

> I've voiced those concerns to my account team. You should too, if you haven't already.

I've got bigger fish to fry with my account team like trying to get them to process an order that I submitted to them 2.5 months prior before it finally got processed and put into the system (does Cisco not want my money?). Or trying to get our AM to process the return of hardware that doesn't work as advertised (IDSM2 on 7600s for example) that was purchased nearly 2 years ago and has been agreed to by the AM repeatedly. Or trying to get callbacks on major design questions that will ultimately result in more Cisco hardware being purchased. Or trying to get our AM to help fix a screwup in Cisco Returns with an RMAed router being lost in a warehouse somewhere even though I have 1) the signature of the Cisco person that signed for it (thanks UPS) and 2) a Telepan person acknowledging that the package had actually been received even though Cisco Returns doesn't agree, all before it gets sent to a collection agency AGAIN (long story). I don't get to complain to them about the state of the website. We don't get to talk about features we need like BFD support for SVIs. We have to focus all our efforts on the major problems that have monetary costs with Cisco or we'll never get anything done.

Don't get me wrong. I like our Cisco guys. When they're here and standing in front of us they're great. However when they leave we're out of sight out of mind. I think they cover way too large of an area to really be an effective asset to us (possibly any of the customers in the area they serve). They spend hours on the road daily going between customer sites. They come through our neck of the woods once a month or so. I see them a couple times a year on average. I'm sure we're not a big fish in their area of the SP market, so put us in another smaller pond with other like-sized fish so we can get better service.

I can't tell you how many hours have been consumed by the wide assortment of non-technical Cisco problems we've been plagued with over the course of the last 6 months. It would easily be an hour a day on average. Easily. I find it increasingly difficult defending Cisco against people that want Cisco out. No matter what the technical merit/value is of their products, the non-technical horseshit is getting really old.

What can we do to help?

Justin

From ploopster at gmail.com Tue Nov 18 14:26:29 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Tue, 18 Nov 2008 14:26:29 -0500
Subject: [c-nsp] downloads broken?
In-Reply-To: References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: <492316E5.6020607@gmail.com> Hank Nussbacher wrote: > On Tue, 18 Nov 2008, Jared Mauch wrote: > > They don't hear us, they don't see us unless we happen to be doing some > 6 digit tender for equipment. > > With their stock having dropped from 29 to under 16 today all in the > course of 12 months, do you really think any VP there cares whether > Jared is having a bad download day? > > When a company loses $90B in market cap in a year, they are for sure > cutting the "high expense, highly trained" workforce, and hiring newly > minted temps and untrained newbies to reduce their payroll expenses. > > The results are all rather obvious. Yeah, more customers will get pissed off and they'll lose *another* 50% of their market cap. Peace... Sridhar From justin at justinshore.com Tue Nov 18 14:42:37 2008 From: justin at justinshore.com (Justin Shore) Date: Tue, 18 Nov 2008 13:42:37 -0600 Subject: [c-nsp] downloads broken? In-Reply-To: <20081118173932.GO93039@ronin.4ever.de> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <3B56F3E6-3A08-47F6-8830-A6A5BF316E94@gmail.com> <1227029024.3534.10.camel@abehat> <4922FAFB.5020802@rollernet.us> <20081118173932.GO93039@ronin.4ever.de> Message-ID: <49231AAD.3080205@justinshore.com> Elmar K. Bins wrote: > Crypto images are export-controlled. The legal guys probably told them > "make sure that the customer reads the stuff and clicks ". Yes, click the link every single damn time. ARGH. That's a PITA I wish they'd do away with. I've already been authorized to download crypto images. I'm already logged in with my authorized CCO to download the code. Put 2 and 2 together and stop asking me that question every single time I try to download an image. 
> I have been using wget for the "final URL" for a long time now. It
> does also help if you replace the FTP server name ;)

I've been using wget as well. It greatly helps. I don't know what you mean by replacing the FTP server name though. Could you explain?

Justin

From gert at greenie.muc.de Tue Nov 18 14:44:41 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 18 Nov 2008 20:44:41 +0100
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To:
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org>
Message-ID: <20081118194441.GA8535@greenie.muc.de>

Hi,

On Tue, Nov 18, 2008 at 06:42:12PM +0100, Benny Amorsen wrote:
> Mikrotik Routerboards will do it, admittedly in a prerelease (but hey, that shouldn't really scare Cisco customers...) They don't have the ADSL modem built-in though. That would have been handy.
>
> I doubt you'll find anything much cheaper.

WRT54GL goes for 50 EUR or so. What does a Mikrotik cost?

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From dan at beanfield.com Tue Nov 18 14:45:41 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Tue, 18 Nov 2008 14:45:41 -0500
Subject: [c-nsp] ISDN to VoIP dial-peer Question
Message-ID: <49231B65.5000601@beanfield.com>

I'm trying to setup a seemingly simple application with an AS-5400XM as a PSTN gateway for a hosted VoIP service. Sip proxy & users on one side, PRI on the other side. I setup 2 dialpeers, one for each. I just want every call coming off the ISDN PRI to be sent to the SIP proxy, and vice versa.

I (foolishly) used .T in both dial peer configurations, in hopes of accomplishing this without any major configuration:

  dial-peer voice 1 voip
   destination-pattern .T
   session protocol sipv2
   session target sip-server
   codec g711ulaw
  !
  dial-peer voice 70 pots
   destination-pattern .T
   direct-inward-dial
   port 7/0:1:D

The problem is that the pots dial peer also matches itself much (most) of the time, and when a call comes in, it gets sent back out to the telco, who sends it back to me, and only then do we send it to the SIP server. This is causing almost every call from PSTN to use up 3 channels on the PRI!

The recommended solution is to list all the DIDs on the SIP side in my dialpeer.... however there are thousands of DIDs, few of them are sequential. We're LNPing customer numbers onto the PRI all the time - to manually keep a list of the DIDs inside each AS-5400's dial-peer config is completely impractical.

Surely I'm not the first person to encounter this? Is there a simple solution here? Can the 5400 consult an outside directory? Can it be told not to send a call back out a dial peer that it received it on? Is there some fancy prefixing method I haven't thought of?

From gert at greenie.muc.de Tue Nov 18 15:02:04 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 18 Nov 2008 21:02:04 +0100
Subject: [c-nsp] downloads broken?
In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net>
References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net>
Message-ID: <20081118200204.GB8535@greenie.muc.de>

Hi,

On Tue, Nov 18, 2008 at 12:08:41PM -0500, Jared Mauch wrote:
> I'm not sure if the rest of you care about this stuff, or about downloading 100+ meg images to your desktop just to shift them around elsewhere from hotels, and other sites with crappy internet speeds, but someone there at cisco needs to be fired at this point.

Full ACK.

gert

--
USENET is *not* the non-clickable part of WWW!  //www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From lowen at pari.edu Tue Nov 18 15:09:28 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 18 Nov 2008 15:09:28 -0500
Subject: [c-nsp] Odd APS error.
Message-ID: <200811181509.28972.lowen@pari.edu>

I just replaced a failing 7401ASR with a 7507 with RSP8's on an APS-protected OC3. The protect is a 7401ASR, and both are running 12.4 mainline. The 7507 is the working, and traffic is passing, but I get an odd message when I issue show aps:

  POS0/0/0 APS Group 2: working channel 1 (Active -linecard down)
          SONET framing; SONET APS signalling by default
          Protect at 10.250.2.252

Googling or searching on cisco.com for '-linecard down' doesn't enlighten me. Anyone seen this before?

sh inv on the 7507 shows this for the OC3 hardware:

  NAME: "Line Card 0", DESCR: "Versatile Interface Processor (VIP4-80)"
  PID: VIP4-80           , VID: Hardware Version : 2.04 Board Revision : B0, SN: 28538056

  NAME: "Card Slot 0, Bay 0", DESCR: "POS Port Adapter (SM)"
  PID: PA-POS-OC3-SM     , VID: Hardware Version : 2.0 Board Revision : A0, SN: 21734501

  NAME: "Card Slot 0, Bay 1", DESCR: "FastEthernet Port Adapter"
  PID: PA-FE-TX-NISL     , VID: Hardware Version : 1.0 Board Revision : A0, SN: 07226333

Is this something coming from the ADM?

From benny+usenet at amorsen.dk Tue Nov 18 15:30:25 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Tue, 18 Nov 2008 21:30:25 +0100
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To: <20081118194441.GA8535@greenie.muc.de> (Gert Doering's message of "Tue, 18 Nov 2008 20:44:41 +0100")
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118194441.GA8535@greenie.muc.de>
Message-ID:

Gert Doering writes:

> WRT54GL goes for 50 EUR or so. What does a Mikrotik cost?

List price is USD 97. Discounts for larger orders are available, not quite Cisco-level though. You can debate whether 50 EUR counts as much cheaper, of course, but the extra features offered by RouterOS are easily enough to convince us.

Cisco unfortunately charges a comparative fortune for dynamic routing.

/Benny

From billf at mu.org Tue Nov 18 15:44:39 2008
From: billf at mu.org (bill fumerola)
Date: Tue, 18 Nov 2008 12:44:39 -0800
Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance?
In-Reply-To: <480A78E89D2F8BC514E48321@tok>
References: <20081114180240.GA4941@diveo.net.br> <20081114195705.GC29895@elvis.mu.org> <480A78E89D2F8BC514E48321@tok>
Message-ID: <20081118204439.GF29895@elvis.mu.org>

On Sat, Nov 15, 2008 at 10:09:53AM +0100, Christian Meutes wrote:
> >redistribute routes from one protocol into another and use route-maps to change the metrics and route 'type' (protocol dependent) such that the protocol considers them equal cost.
> >
> >the usual warnings about route redistribution apply: using tags so loops don't occur and taking care not to redistribute too many routes.
>
> won't work in most cases. Routes redistributed from IGP to BGP are better than routes learned from eBGP or iBGP - vice versa routes redistributed from BGP to IGP (OSPF, EIGRP i.e.) are seen as external and will lose in route decision if the IGP prefix is native/internal (will work if route is first learned with IGP because local redistributed routes in BGP are better).
>
> In the second case you can change metric and metric-type on redistribution to IGP and ecmp could take place then but if the prefix is first learned from BGP and then from IGP - BGP wins and the OSPF prefix can't be used for load-sharing inside of the ASBR.
>
> Route selection in these cases is highly depending on timing and is something I wouldn't recommend.

any method that tries to equate two different routes from different protocols is going to be messy and require tweaking of origins, metrics, and/or distances(!). i wouldn't recommend doing any of this, was just suggesting a way to do what the OP was asking.

-- bill

From christian.macnevin at gmail.com Tue Nov 18 15:51:23 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 19 Nov 2008 09:51:23 +1300
Subject: [c-nsp] sampled netflow on 6500
In-Reply-To:
References: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com>
Message-ID:

It's a bit more of a complex beast, as it lives in multiple physical locations on the 6500, depending on whether you have DFCs or not and whether you're routing the packets or not. Sflow I believe on a foundry is actually interface logic, which means any interface will send exactly what it sees. Be prepared for some more mickey-mousing around with netflow.

Also netflow v9 isn't supported on a 6500 is it? It's really going to be v5 you're using on a 3bxl. 7 is supported but nobody likes it.

you need to look up mls netflow, netflow, and nde (netflow data export). And understand what happens when you have dfcs integrated into your line cards.

Good luck
christian

On Nov 16, 2008, at 3:12 AM, Mike Louis wrote:

Sounds like I got that backwards. Here is a link to configuring netflow sampling. I don't see a lot of options in the SXH configuration guide at the moment. I will keep looking.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/nde.html#wp1143262

From: patrick.viet at gmail.com [mailto:patrick.viet at gmail.com] On Behalf Of Patrick Viet
Sent: Saturday, November 15, 2008 9:09 AM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] sampled netflow on 6500

On Sat, Nov 15, 2008 at 4:23 AM, Mike Louis wrote:

You can use sampled netflow to accomplish the same thing as sflow. Netflow v9 is based on the IPFIX std so it will offer many of its features

Hi ; are you sure about this ? From what I've read it's the opposite : IPFIX has based its frame format on Netflow v9.

Any ideas about how to configure this on SUP720-3BXL with SXF15 ? Or do I need another IOS (SXH?)

Thanks,
Patrick
From christian.macnevin at gmail.com Tue Nov 18 16:06:18 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 19 Nov 2008 10:06:18 +1300
Subject: [c-nsp] Monitoring tools for MPLS VPN customers
In-Reply-To: <006701c93b1e$d202b420$76081c60$@steele@internode.on.net>
References: <56F211C5E3F24F47B103EA1B253822BE036549F4@vic-cr-ex1.staff.netspace.net.au> <006701c93b1e$d202b420$76081c60$@steele@internode.on.net>
Message-ID: <8B99BFE9-B641-47A1-B7BC-56060A208862@gmail.com>

The killer app for all monitoring in mpls that I found a few years back is SMARTS. Not super cheap, but it's possible to create instances that will monitor a given vpn from the inside and give a customer access to that.

On Oct 31, 2008, at 7:06 PM, Ben Steele wrote:

You definitely want a "Management vrf" that you leak into all your customer vrf's, from this you can use something like nagios or whatever your tool of choice is to alert to downed nodes, just remember not to overlap your CPE IP addressing even though they are in separate vrf's.

As far as voip monitoring goes you can use ip sla on your routers to monitor jitter/loss/delay etc.. Check out -

http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd8017531d.html

and

http://www.cisco.com/en/US/technologies/tk648/tk362/tk920/technologies_white_paper0900aecd801752ec.html

For ideas on what ip sla can do for you, there are plenty of configuration examples around to look at too.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Andy Saykao
Sent: Friday, 31 October 2008 4:25 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Monitoring tools for MPLS VPN customers

Hi All,

We have some MPLS VPN customers waiting to come on board and have asked us about what sort of monitoring we can provide for all their sites. By monitoring I can only guess that the customer is asking us to identify when a VPN site goes down. Other desirable features might be to implement some SLA to monitor latency and round trip time for those customers who rely heavily on VoIP.

Ideally, the IT person for the organization should be doing most of this monitoring, but Management have asked me to investigate what sort of monitoring we can provide to the customer to help bring them on board.

We are currently using Cisco's MPLS Diagnostics Expert but this doesn't seem to have any proactive monitoring tool via its SLA feature. We could set up a management station within a management VRF and run some monitoring software on it which is another option.

Just curious to know what software Service Providers are using to proactively monitor their VPN customers.

Thanks.

Andy
From ross at kallisti.us Tue Nov 18 16:42:07 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Tue, 18 Nov 2008 16:42:07 -0500
Subject: [c-nsp] FHRP's and STP
In-Reply-To: <4922E4C3.60604@imperial.ac.uk>
References: <702283.53895.qm@web902.biz.mail.mud.yahoo.com> <9e246b4d0811180723q5f6259a1tadfa2114cd3d8d1b@mail.gmail.com> <4922E4C3.60604@imperial.ac.uk>
Message-ID: <20081118214207.GC7396@kallisti.us>

On Tue, Nov 18, 2008 at 03:52:35PM +0000, Phil Mayers wrote:
> Variations on the STP/FHRP problem have been discussed a number of times
> on this list.
>
> It ought to be reasonably trivial to make FHRP follow STP - make the
> standby group follow a numbered track object:
>
> track 10 stub-object
> int VlanXX
> standby prio [100 for slave | 101 for master]
> standby track 10 10
> standby preempt
>
> ...then write a pretty simple EEM applet triggered on the relevant STP
> syslog messages, to parse the root/not-root status from:
>
> sh spanning-tree vlan XX summary | inc ^Root
>
> ...and down/up the stub track object.
>
> The problem is that STP is a deeply sub-optimal solution to many of the
> cases where this matters.

This seems awfully complicated, but I suppose could be the only way to do it if you don't use MSTP.

It's really trivial to do with MSTP and HSRP. We have two gateway routers that run HSRP. Odd VLANs are mapped to MSTi 1, even to MSTi 2. Switch 1 is root bridge for MSTi 1 and HSRP active for odd VLANs. Switch 2 is root bridge for MSTi 2 and HSRP active for even VLANs.
Works great if your gear supports MSTP correctly (which, admittedly, is not as much of a given as it should be these days...).

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie

From risnaini at indo.net.id Tue Nov 18 19:15:13 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 19 Nov 2008 07:15:13 +0700
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To:
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118194441.GA8535@greenie.muc.de>
Message-ID: <49235A91.6010102@indo.net.id>

USD 40 (software only), for 3.0 version with IPv6 enabled.

rgs
a. rahman isnaini r.sutan

Benny Amorsen wrote:
> Gert Doering writes:
>
>> WRT54GL goes for 50 EUR or so. What does a Mikrotik cost?
>
> List price is USD 97. Discounts for larger orders are available, not
> quite Cisco-level though. You can debate whether 50 EUR counts as much
> cheaper, of course, but the extra features offered by RouterOS are
> easily enough to convince us.
>
> Cisco unfortunately charges a comparative fortune for dynamic routing.
>
>
> /Benny
>

From risnaini at indo.net.id Tue Nov 18 19:17:43 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 19 Nov 2008 07:17:43 +0700
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To:
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118194441.GA8535@greenie.muc.de>
Message-ID: <49235B27.8070303@indo.net.id>

USD 40 (software only), for 3.0 version with IPv6 enabled.

rgs
a.
rahman isnaini r.sutan

Benny Amorsen wrote:
> Gert Doering writes:
>
>> WRT54GL goes for 50 EUR or so. What does a Mikrotik cost?
>
> List price is USD 97. Discounts for larger orders are available, not
> quite Cisco-level though. You can debate whether 50 EUR counts as much
> cheaper, of course, but the extra features offered by RouterOS are
> easily enough to convince us.
>
> Cisco unfortunately charges a comparative fortune for dynamic routing.
>
>
> /Benny
>

From jeremy at mojohost.com Tue Nov 18 23:34:21 2008
From: jeremy at mojohost.com (Jeremy Reid)
Date: Wed, 19 Nov 2008 04:34:21 GMT
Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)...
Message-ID: <20081118233430.SM03328@[64.59.94.34]>

Thanks for all the input guys. I found the root of my problem. It looks like adding the DFCs would have solved the issue immediately if we had added them in when we were still running the SXF train code. As it is, we had added the DFCs into the mix AFTER we had already upgraded our code to 12.2(33)SXH3a. It looks as if Cisco changed the default behavior of egress SPAN in SXH2a (and later releases) to centralized SPAN. More info on this here: http://www.cisco.com/en/US/docs/ios/fundamentals/command/reference/cf_m1.html#wp1087064

Simply adding a "monitor session egress replication-mode distributed" coupled with the DFCs we had already added and using our current 12.2(33)SXH3a code did the trick. Our SPAN output traffic is now spot on with the cumulative total of the three source interfaces in the session.

One other thing of note: There was no indication that the PFC3BXL was overwhelmed at all by this session while we were still in centralized mode.
All the data we looked at ('show platform hardware capacity', looking at SP utilization on the 720 and fabric connections, etc.) never seemed to imply we were in any danger and had plenty of headroom. However, one can't argue with the end result that by tossing in the DFCs and changing the SPAN mode to leverage them (egress replication-mode distributed) -- the problem went away. ;)

Just thought I'd follow up in case anyone else ever runs into this one.

Cheers,
-Jeremy

From tdurack at gmail.com Wed Nov 19 00:03:28 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 19 Nov 2008 00:03:28 -0500
Subject: [c-nsp] Green Cisco
Message-ID: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com>

Cisco, a Green company. So why does every SFP come packaged in an oversize plastic bag plus useless piece of paper? And why are X2 interfaces SC instead of LC? Let's hope fiber jumpers are bio-degradable.

Tim:>

From swmike at swm.pp.se Wed Nov 19 01:01:00 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Wed, 19 Nov 2008 07:01:00 +0100 (CET)
Subject: [c-nsp] Green Cisco
In-Reply-To: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com>
References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com>
Message-ID:

On Wed, 19 Nov 2008, Tim Durack wrote:

> Cisco, a Green company. So why does every SFP come packaged in an oversize
> plastic bag plus useless piece of paper?

I know others who ship SFPs in a 20x20x5 cm cardboard box, so when you order 100 of them, you get a good part of a pallet of useless packing material. At least I've seen cisco ship 20+ of those "oversize plastic bags" in a single box that wasn't big at all.
--
Mikael Abrahamsson email: swmike at swm.pp.se

From sethm at rollernet.us Wed Nov 19 01:26:21 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Tue, 18 Nov 2008 22:26:21 -0800
Subject: [c-nsp] Green Cisco
In-Reply-To:
References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com>
Message-ID: <4923B18D.2000904@rollernet.us>

Mikael Abrahamsson wrote:
> On Wed, 19 Nov 2008, Tim Durack wrote:
>
>> Cisco, a Green company. So why does every SFP come packaged in an
>> oversize
>> plastic bag plus useless piece of paper?
>
> I know others who ship SFPs in a 20x20x5 cm cardboard box, so when you
> order 100 of them, you get a good part of a pallet of useless packing
> material. At least I've seen cisco ship 20+ of those "oversize plastic
> bags" in a single box that wasn't big at all.
>

Don't forget "HP ships piece of paper in padded box". http://www.theregister.co.uk/2008/07/18/hp_packaging/

~Seth

From nimal at fnbs.net Wed Nov 19 02:27:17 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Wed, 19 Nov 2008 15:27:17 +0800
Subject: [c-nsp] Basic Load/Stress Test Tool
Message-ID: <4923BFD5.2090904@fnbs.net>

Hi guys,

Am looking for a simple tool which I can use to load or stress test the network devices before we put them on a production network. For example, if my network device has a 100Mbps interface, I'd like to be able to load up to 100Mbps on to the interface and see what happens. Any suggestions?

Thanks!

Nimal D.
Sirimanne

From oboehmer at cisco.com Wed Nov 19 02:43:32 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 19 Nov 2008 08:43:32 +0100
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To: <20081118184851.GA19851@panix.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com> <20081118184851.GA19851@panix.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E8CE@xmb-ams-333.emea.cisco.com>

Brett Frankenberger wrote on Tuesday, November 18, 2008 19:49:
> On Tue, Nov 18, 2008 at 02:03:08PM +0100, Oliver Boehmer (oboehmer)
> wrote:
>>
>> Well, it looks like the linux NAT/firewall is not NAT'ing the
>> keepalive GRE packets correctly, otherwise they would not arrive with
>> the 172.16.1.1 src address on router2. Not sure what's happening
>> there, but I would focus my attention on the NAT/firewall box.. I
>> guess NAT for the "other" GRE packets work just fine? Maybe related
>> to the different protocol type (0x0) or the lack of payload in the
>> GRE keepalive packet?
>>
>> oli
>
> The issue is that a GRE keepalive packet has the originating tunnel
> endpoint IP address as the destination address of the encapsulated
> packet. That is, consider the following:
>
> interface tunnel1
>  tunnel source 10.0.0.1
>  tunnel destination 20.0.0.2
>  tunnel keepalive
>
> (Not sure I've got the syntax right, but you get the idea.)
>
> A keepalive packet generated by the router will look like the
> following:
>
> IP header: Source=10.0.0.1 Destination=20.0.0.2 Protocol=GRE
> GRE Header: Protocol=IP
> Encapsulated Packet:
>   IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
>   GRE Header: 0x0000
>
> The idea is that the router at the far end will receive the packet,
> remove the outer header, and transmit the encapsulated packet. (The
> router at the far end will, then, not do any special processing at all
> for a keepalive packet originating from the near end.)
> The issue with
> keepalive is that the 10.0.0.1 appears in the encapsulated packet, so
> if that's being NAT'd somewhere, for keepalive to work, the NAT needs
> to translate the address on the encapsulated packet also.
>
> AFAIK, essentially no NATs will do that.

agreed, I stand corrected.. was not aware of the encapsulated payload.. tx!

oli

From mtinka at globaltransit.net Wed Nov 19 02:51:35 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 19 Nov 2008 15:51:35 +0800
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <4923BFD5.2090904@fnbs.net>
References: <4923BFD5.2090904@fnbs.net>
Message-ID: <200811191551.36057.mtinka@globaltransit.net>

On Wednesday 19 November 2008 15:27:17 Nimal David Sirimanne wrote:

> Am looking for a simple tool which i can use to load or
> stress test the network devices before we put them on a
> production network. For example, if my network device has
> a 100Mbps interface, i'd like to be able to load up to
> 100Mbps on to the interface and see what happens. Any
> suggestions?

Do you want to test how well the device withstands the throughput, or do you want to test how well it fills up the interface. For the former, you're probably going to be worried about CPU utilization (if forwarding is done in software) and when the box starts dropping packets. For the latter, suggest Iperf.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:

From fropert at packetfault.org Wed Nov 19 03:48:31 2008
From: fropert at packetfault.org (Francois Ropert)
Date: Wed, 19 Nov 2008 09:48:31 +0100
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <4923BFD5.2090904@fnbs.net>
References: <4923BFD5.2090904@fnbs.net>
Message-ID: <4923D2DF.7040102@packetfault.org>

Nimal David Sirimanne wrote:
> Hi guys,
>

Hi Nimal

> Am looking for a simple tool which i can use to load or stress test the
> network devices

http://blog.packetfault.org/tools/network-bandwidth-and-latency-stress-tools-collection

>
> Thanks!
>

Francois Ropert

From risnaini at indo.net.id Wed Nov 19 03:50:59 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 19 Nov 2008 15:50:59 +0700
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <4923BFD5.2090904@fnbs.net>
References: <4923BFD5.2090904@fnbs.net>
Message-ID: <4923D373.6050508@indo.net.id>

Hi,

Use TFGEN to flood a huge amount of traffic in seconds.

a. r. isnaini rangkayo sutan

Nimal David Sirimanne wrote:
> Hi guys,
>
> Am looking for a simple tool which i can use to load or stress test the
> network devices before we put them on a production network. For example,
> if my network device has a 100Mbps interface, i'd like to be able to
> load up to 100Mbps on to the interface and see what happens. Any
> suggestions?
>
> Thanks!
>
> Nimal D.
Sirimanne
>
>

From ibrahim.abozaid at gmail.com Wed Nov 19 05:00:14 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Wed, 19 Nov 2008 12:00:14 +0200
Subject: [c-nsp] IOS
Message-ID:

Dear All

I have a question about an IOS command and I can't find a lot of documentation around about it. The command is *service internal* from global configuration mode; I can see it provides extra show and debug commands, but like what? When should it be used?

thanks for help

--Ibrahim Abo Zaid

From gert at greenie.muc.de Wed Nov 19 05:01:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 19 Nov 2008 11:01:39 +0100
Subject: [c-nsp] DualStack IPv4/IPv6 for access?
In-Reply-To:
References: <000001c94927$892008e0$9b601aa0$@org> <20081118134632.GT8535@greenie.muc.de> <47012BCD-D4D6-420F-8BE0-4C8016180D2A@atdot.dotat.org> <20081118194441.GA8535@greenie.muc.de>
Message-ID: <20081119100139.GF8535@greenie.muc.de>

Hi,

On Tue, Nov 18, 2008 at 09:30:25PM +0100, Benny Amorsen wrote:
> Gert Doering writes:
>
> > WRT54GL goes for 50 EUR or so. What does a Mikrotik cost?
>
> List price is USD 97. Discounts for larger orders are available, not
> quite Cisco-level though. You can debate whether 50 EUR counts as much
> cheaper, of course, but the extra features offered by RouterOS are
> easily enough to convince us.

Indeed, 97 USD (which is currently about 80 EUR) is quite a good price - and having larger flash + RAM would be a plus, of course. Need to check more closely what these devices offer, and how to get them in Germany.

gert

--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From blahu77 at gmail.com Wed Nov 19 05:15:25 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 19 Nov 2008 10:15:25 +0000
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <4923D373.6050508@indo.net.id>
References: <4923BFD5.2090904@fnbs.net> <4923D373.6050508@indo.net.id>
Message-ID: <383357750811190215n2b18622cgf3ae35f9d852a01d@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>
> Use TFGEN to flood huge of traffic in seconds.
>
> a. r. isnaini rangkayo sutan
>

or "hping3 --flood" will take what your PC can offer

Best Regards,

- -mat

- --
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJI+c8+BuaDRxlXKsRAveBAJ4jify+w46ZA4sWn/yI/1Mc13oqjQCfTPKA
VByeIedQwN+jAL25cSkV94E=
=aDLs
-----END PGP SIGNATURE-----

From p.mayers at imperial.ac.uk Wed Nov 19 05:46:28 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 19 Nov 2008 10:46:28 +0000
Subject: [c-nsp] FHRP's and STP
In-Reply-To: <20081118214207.GC7396@kallisti.us>
References: <702283.53895.qm@web902.biz.mail.mud.yahoo.com> <9e246b4d0811180723q5f6259a1tadfa2114cd3d8d1b@mail.gmail.com> <4922E4C3.60604@imperial.ac.uk> <20081118214207.GC7396@kallisti.us>
Message-ID: <4923EE84.1020505@imperial.ac.uk>

Ross Vandegrift wrote:
> On Tue, Nov 18, 2008 at 03:52:35PM +0000, Phil Mayers wrote:
>> Variations on the STP/FHRP problem have been discussed a number of times
>> on this list.
>>
>> It ought to be reasonably trivial to make FHRP follow STP - make the
>> standby group follow a numbered track object:
>>
>> track 10 stub-object
>> int VlanXX
>> standby prio [100 for slave | 101 for master]
>> standby track 10 10
>> standby preempt
>>
>> ...then write a pretty simple EEM applet triggered on the relevant STP
>> syslog messages, to parse the root/not-root status from:
>>
>> sh spanning-tree vlan XX summary | inc ^Root
>>
>> ...and down/up the stub track object.
>>
>> The problem is that STP is a deeply sub-optimal solution to many of the
>> cases where this matters.
>
> This seems awfully complicated, but I suppose could be the only way to
> do it if you don't use MSTP.
>
> It's really trivial to do with MSTP and HSRP. We have two gateway
> routers that run HSRP. Odd VLANs are mapped to MSTi 1, even to MSTi 2.
> Switch 1 is root bridge for MSTi 1 and HSRP active for odd VLANs.
> Switch 2 is root bridge for MSTi 2 and HSRP active for even VLANs.
>
> Works great if your gear supports MSTP correctly (which, admittedly, is
> not as much of a given as it should be these days...).

I don't really see what MSTP has to do with it. You can (and we do) do this with PVST, which has the added advantage of working through equipment that doesn't support PVST.

The discussion was about protecting against mis-configuration i.e. this is good:

master:
spanning-tree vlan 2 root primary
int Vlan2
 standby prio 103

slave:
spanning-tree vlan 2 root secondary
int Vlan2
 standby prio 100

...but getting the STP roots the wrong way round (or the standby prio) is sub-optimal.

The other way of looking at it, is that by following the STP state, you can ignore setting the HSRP prio completely - it just tracks the STP root status (which is often what you want)

Of course there are a number of other unrelated issues e.g. forcing correct selection of an IGMP querier and PIM designated forwarder, DHCP relays, return path asymmetry etc.
which make the Extreme/Foundry alternatives more attractive - the standby just doesn't route the network.

From sthaug at nethelp.no Wed Nov 19 06:32:13 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Wed, 19 Nov 2008 12:32:13 +0100 (CET)
Subject: [c-nsp] Green Cisco
In-Reply-To:
References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com>
Message-ID: <20081119.123213.41681084.sthaug@nethelp.no>

> > Cisco, a Green company. So why does every SFP come packaged in an oversize
> > plastic bag plus useless piece of paper?
>
> I know others who ship SFPs in a 20x20x5 cm cardboard box, so when you
> order 100 of them, you get a good part of a pallet of useless packing
> material. At least I've seen cisco ship 20+ of those "oversize plastic
> bags" in a single box that wasn't big at all.

Much better to purchase SFPs in larger quantities from a company that can sell you nice flat trays of 20 SFPs or more. No individual packaging per SFP. Price is better too :-)

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From jcovini at free.fr Wed Nov 19 07:25:41 2008
From: jcovini at free.fr (Jerome Covini)
Date: Wed, 19 Nov 2008 13:25:41 +0100
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <4923BFD5.2090904@fnbs.net>
References: <4923BFD5.2090904@fnbs.net>
Message-ID: <492405C5.90300@free.fr>

Iperf, ttcp. The advantage of ttcp is that it's featured in ios (as a hidden command). And for both don't forget to maximize the mss when choosing tcp... Else you'll stress nothing :).

jc

Nimal David Sirimanne wrote:
> Hi guys,
>
> Am looking for a simple tool which i can use to load or stress test
> the network devices before we put them on a production network. For
> example, if my network device has a 100Mbps interface, i'd like to be
> able to load up to 100Mbps on to the interface and see what happens.
> Any suggestions?
>
> Thanks!
>
> Nimal D.
Sirimanne
>
>

From b.turnbow at twt.it Wed Nov 19 09:02:46 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 19 Nov 2008 15:02:46 +0100
Subject: [c-nsp] R: ISDN to VoIP dial-peer Question
References: <49231B65.5000601@beanfield.com>
Message-ID:

Use translation rules. Add a prefix inbound on each side and use that for routing, i.e. add 111 from pots and 222 from ip. Outgoing on pots the destination pattern 222T will strip the 222 and send it out clean; on the ip side 111T, you will need to translate outgoing to remove the 111 as voip peers do not digit strip.

regards

Brian

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Dan Armstrong
Sent: Tue 18/11/2008 20.45
To: Cisco-nsp
Subject: [c-nsp] ISDN to VoIP dial-peer Question

I'm trying to setup a seemingly simple application with an AS-5400XM as a PSTN gateway for a hosted VoIP service. Sip proxy & users on one side, PRI on the other side. I setup 2 dialpeers, one for each. I just want every call coming off the ISDN PRI to be sent to the SIP proxy, and vice versa. I (foolishly) used .T in both dial peer configurations, in hopes of accomplishing this without any major configuration:

dial-peer voice 1 voip
 destination-pattern .T
 session protocol sipv2
 session target sip-server
 codec g711ulaw
!
dial-peer voice 70 pots
 destination-pattern .T
 direct-inward-dial
 port 7/0:1:D

The problem is that the pots dial peer also matches itself much (most) of the time, and when a call comes in, it gets sent back out to the telco, who sends it back to me, and only then do we send it to the SIP server. This is causing almost every call from PSTN to use up 3 channels on the PRI!

The recommended solution is to list all the DIDs on the SIP side in my dialpeer....
however there are thousands of DIDs, few of them are sequential. We're LNPing customer numbers onto the PRI all the time - to manually keep a list of the DIDs inside each AS-5400's dial-peer config is completely impractical.

Surely I'm not the first person to encounter this? Is there a simple solution here? Can the 5400 consult an outside directory? Can it be told not to send a call back out a dial peer that it received it on? Is there some fancy prefixing method I haven't thought of?

From b.turnbow at twt.it Wed Nov 19 09:06:56 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 19 Nov 2008 15:06:56 +0100
Subject: [c-nsp] R: Tunnel keepalive in NAT environment problem
References: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com> <20081118184851.GA19851@panix.com>
Message-ID:

Why not set up saa to "ping" through the tunnel on each router? It will keep the tunnel up without having to set up keepalive.

Brian

________________________________

From: cisco-nsp-bounces at puck.nether.net on behalf of Brett Frankenberger
Sent: Tue 18/11/2008 19.48
To: Oliver Boehmer (oboehmer)
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Tunnel keepalive in NAT environment problem

On Tue, Nov 18, 2008 at 02:03:08PM +0100, Oliver Boehmer (oboehmer) wrote:
>
> Well, it looks like the linux NAT/firewall is not NAT'ing the
> keepalive GRE packets correctly, otherwise they would not arrive with
> the 172.16.1.1 src address on router2. Not sure what's happening
> there, but I would focus my attention on the NAT/firewall box.. I
> guess NAT for the "other" GRE packets work just fine? Maybe related
> to the different protocol type (0x0) or the lack of payload in the
> GRE keepalive packet?
>
> oli

The issue is that a GRE keepalive packet has the originating tunnel endpoint IP address as the destination address of the encapsulated packet. That is, consider the following:

interface tunnel1
 tunnel source 10.0.0.1
 tunnel destination 20.0.0.2
 tunnel keepalive

(Not sure I've got the syntax right, but you get the idea.)

A keepalive packet generated by the router will look like the following:

IP header: Source=10.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=IP
Encapsulated Packet:
  IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
  GRE Header: 0x0000

The idea is that the router at the far end will receive the packet, remove the outer header, and transmit the encapsulated packet. (The router at the far end will, then, not do any special processing at all for a keepalive packet originating from the near end.) The issue with keepalive is that the 10.0.0.1 appears in the encapsulated packet, so if that's being NAT'd somewhere, for keepalive to work, the NAT needs to translate the address on the encapsulated packet also. AFAIK, essentially no NATs will do that.

So, anyway, suppose that 10.0.0.1 is being NAT'd to 30.0.0.1. The far end router then receives:

IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=IP
Encapsulated Packet:
  IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
  GRE Header: 0x0000

The far end router's normal GRE processing then involves removing the outer header, and attempting to send the following packet:

IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
GRE Header: 0x0000

This fails because the far end router has no path to get to 10.0.0.1, because it should be sending to 30.0.0.1.

The reason that isn't a problem for "other" GRE packets is that, in general, there's no requirement that the encapsulated packet be translated by the NAT, because, in general, the tunnel endpoint IP addresses don't appear as source or destination addresses on the encapsulated packet.
More generally, GRE works fine through NAT as long as the expectation is that one or both of the tunnel endpoint addresses will be translated, but the packets flowing through the tunnel don't need NAT. However, once you enable keepalive, you effectively create a requirement that the encapsulated packets be translated, because Cisco GRE keepalive depends on using the tunnel origin/destination address in the encapsulated packet.

This also, in general, breaks keepalives when a tunnel interface has "ip forwarding vrf XXXX" and "tunnel vrf YYYY" where XXXX and YYYY aren't the same. (This is because the keepalive processing on the far end will result in a packet being sent in vrf XXXX to a destination IP address that is really in vrf YYYY.)

And, yes, I think this is horribly broken. A much better GRE keepalive implementation would be to just send

IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
GRE Header: Protocol=KeepaliveRequest

and have the far end router generate a

IP header: Source=20.0.0.2 Destination=30.0.0.1 Protocol=GRE
GRE Header: Protocol=KeepaliveResponse

This would work through NAT and through complicated VRF configurations. But that's not what Cisco implemented.

-- Brett

From rodunn at cisco.com Wed Nov 19 09:19:08 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 19 Nov 2008 09:19:08 -0500
Subject: [c-nsp] IOS
In-Reply-To:
References:
Message-ID: <20081119141908.GB10201@rtp-cse-489.cisco.com>

On Wed, Nov 19, 2008 at 12:00:14PM +0200, Ibrahim Abo Zaid wrote:
> Dear All
>
> I have a question about an IOS command and I can't find a lot of documentation
> around about it. The command is *service internal* from global
> configuration mode; I can see it provides extra show and debug commands, but
> like what? When should it be used?
Poor man's way of hiding commands that we don't recommend be used without some TAC/DE supervision.

Rodney

>
>
> thanks for help
>
> --Ibrahim Abo Zaid

From rodunn at cisco.com Wed Nov 19 09:24:05 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Wed, 19 Nov 2008 09:24:05 -0500
Subject: [c-nsp] IP arp VRF weird issue
In-Reply-To: <169806.53199.qm@web39702.mail.mud.yahoo.com>
References: <169806.53199.qm@web39702.mail.mud.yahoo.com>
Message-ID: <20081119142405.GC10201@rtp-cse-489.cisco.com>

We will update the arp timer when you receive a request for an arp source/mac combination. That appears to be why your timers stay at 0, because you have ARPs coming in from those sources frequently. That is not a real issue that would cause a forwarding problem normally, although you should look at those end stations to see why they are arping so much.

You did a ping to this station:

> Internet 192.168.61.82 0 0008.da54.7f92 ARPA FastEthernet0/1.3

so if you check 'sh adj detail' you should see the corresponding CEF adjacency to forward the frame. You would need a sniffer to prove the router sent the packet out. If it's a software forwarding box that has this you could use it: http://supportwiki.cisco.com/ViewWiki/index.php/Tech_Insights:Utilizing_the_New_Packet_Capture_Feature

Or do a 'debug ip packet detail' to show the router generating the packet and forwarding it. But the only 100% way to know is a sniffer on the wire.

Rodney

On Tue, Nov 18, 2008 at 04:31:50AM -0800, Bruno Filipe wrote:
> Hi there,...
>
> I'm facing a problem between a CE to PE that I'm not really sure the reason for this behavior...
>
> The link to the customer is perfect (NO PROBLEMS AT ALL) but the Service is going up and down (from times to times).
>
> I suspect that there must be something preventing the arp counters to increase which might be the reason for the counters to get stuck.
>
>
> # Here's the relevant Configuration from the PE router#
> !
> ip vrf customerXYZ-vpn
>  rd 100:244100
>  route-target export 100:244100
>  route-target import 100:244100
>  route-target import 100:20
> !
> interface FastEthernet0/1.357
>  encapsulation dot1Q 357
>  ip vrf forwarding customerXYZ-vpn
>  ip address 192.168.61.81 255.255.255.252
>  ip verify unicast source reachable-via rx
>  no ip redirects
>  no ip unreachables
>  no ip proxy-arp
>  no snmp trap link-status
>  no cdp enable
>  service-policy output reg1024
>
> # Here's some show commands
>
> PE-ROUTER#sh ip vrf customerXYZ-vpn
>   Name                 Default RD       Interfaces
>   customerXYZ-vpn      100:244100       Fa0/0.355
>                                         Fa0/0.580
>                                         Fa0/0.702
>                                         Fa0/0.706
>                                         Fa0/1.356
>                                         Fa0/1.357
>                                         Fa0/1.361
>                                         Fa0/0.44
>                                         Fa0/1.312
>                                         Fa0/0.719
>                                         Fa0/0.718
> PE-ROUTER#sh ip arp vrf customerXYZ-vpn
> Protocol  Address          Age (min)  Hardware Addr   Type  Interface
> Internet  172.16.41.190          114  001b.7858.2ef7  ARPA  FastEthernet0/0.355
> Internet  192.168.61.37            -  0014.698c.3bfc  ARPA  FastEthernet0/0.718
> Internet  192.168.61.39            -  0014.698c.3bfc  ARPA  FastEthernet0/0.719
> Internet  192.168.61.38            0  Incomplete      ARPA
> Internet  192.168.60.121           -  0014.698c.3bfc  ARPA  FastEthernet0/0.44
> Internet  192.168.60.122           0  0008.da56.7300  ARPA  FastEthernet0/0.44
> Internet  192.168.61.65            -  0014.698c.3bfc  ARPA  FastEthernet0/0.355
> Internet  192.168.61.66            0  001b.7858.2ef7  ARPA  FastEthernet0/0.355
> Internet  192.168.61.69            -  0014.698c.3bfc  ARPA  FastEthernet0/0.580
> Internet  192.168.61.70            0  0008.da54.7ff2  ARPA  FastEthernet0/0.580
> Internet  192.168.61.73            -  0014.698c.3bfc  ARPA  FastEthernet0/0.702
> Internet  192.168.61.74            0  0008.da54.7fbf  ARPA  FastEthernet0/0.702
> Internet  192.168.61.77            -  0014.698c.3bfd  ARPA  FastEthernet0/1.356
> Internet  192.168.61.78            0  0008.da54.7f7a  ARPA  FastEthernet0/1.356
> Internet  192.168.61.81            -  0014.698c.3bfd  ARPA  FastEthernet0/1.357
> Internet  192.168.61.82            0  0008.da54.7f92  ARPA  FastEthernet0/1.357
> Internet  192.168.61.85            -  0014.698c.3bfd  ARPA  FastEthernet0/1.361
> Internet  192.168.61.86            0  Incomplete      ARPA
> Internet  192.168.61.89            -  0014.698c.3bfc  ARPA  FastEthernet0/0.706
> Internet  192.168.61.90            0  001b.785d.74ef  ARPA  FastEthernet0/0.706
> Internet  192.168.61.93            -  0014.698c.3bfd  ARPA  FastEthernet0/1.312
> Internet  192.168.61.94            0  Incomplete      ARPA
> PE-ROUTER#
>
>
> # Here's the debug output
> PE-ROUTER#debug arp
> ARP packet debugging is on
> PE-ROUTER#
>
> Nov 18 13:16:38.273 GMT+1: IP ARP: rcvd req src 196.216.60.122 0008.da56.7300, dst 196.216.60.121 FastEthernet0/0.44
> Nov 18 13:16:38.273 GMT+1: IP ARP: sent rep src 196.216.60.121 0014.698c.3bfc, dst 196.216.60.122 0008.da56.7300 FastEthernet0/0.44
> Nov 18 13:21:11.705 GMT+1: IP ARP: rcvd req src 196.216.61.66 001b.7858.2ef7, dst 196.216.61.65 FastEthernet0/0.355
> Nov 18 13:21:11.705 GMT+1: IP ARP: sent rep src 196.216.61.65 0014.698c.3bfc, dst 196.216.61.66 001b.7858.2ef7 FastEthernet0/0.355
> Nov 18 13:24:18.564 GMT+1: IP ARP: rcvd req src 196.216.61.82 0008.da54.7f92, dst 196.216.61.81 FastEthernet0/1.357
> Nov 18 13:24:18.564 GMT+1: IP ARP: sent rep src 196.216.61.81 0014.698c.3bfd, dst 196.216.61.82 0008.da54.7f92 FastEthernet0/1.357
>
> PE-ROUTER#ping vrf customerXYZ-vpn 196.216.61.82
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 196.216.61.82, timeout is 2 seconds:
> .....
> Success rate is 0 percent (0/5) > PE-ROUTER# > PE-ROUTER#sh vlans dot1q fastEthernet 0/1.357 > FastEthernet0/1.357 (0) > 121420932 packets, 21505176184 bytes input > 193767899 packets, 237095028833 bytes output > PE-ROUTER# > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From gert at greenie.muc.de Wed Nov 19 10:26:29 2008 From: gert at greenie.muc.de (Gert Doering) Date: Wed, 19 Nov 2008 16:26:29 +0100 Subject: [c-nsp] 6500-sup-stdby In-Reply-To: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> Message-ID: <20081119152629.GK8535@greenie.muc.de> Hi, On Mon, Nov 17, 2008 at 04:40:26AM -0000, ambedkar wrote: > Hi, I am using the following confregs, > > SP RP > Main 0x2102 0x2102 > Standby 0x102 0x2102 > > According to 6509 Doc the above confregs are recommended. This doesn't look right. The SP confreg should also be 0x2102. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From twelcome at mobileemail.vodafonesa.co.za Wed Nov 19 11:46:49 2008 From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za) Date: Wed, 19 Nov 2008 16:46:49 +0000 Subject: [c-nsp] Snmp queries against the bgpPeerTable Message-ID: <1557831359-1227113215-cardhu_decombobulator_blackberry.rim.net-1227321091-@bxe064.bisx.produk.on.blackberry> Sent via my BlackBerry from Vodacom - let your email find you! 
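For Rodney's point in the "IP arp VRF weird issue" thread above (the age of a dynamic ARP entry is reset whenever a request from that source/MAC arrives, so a station that ARPs often shows age 0 indefinitely, and the thing to look at is the station, not the router), here is an added Python example. It is not code from the thread or from Cisco: it parses "show ip arp" and "debug arp" output in the IOS layout shown there, measures how often each station re-requests, ties each age-0 entry to a chatty source (or reports that no frequent requests were seen for it), and as an extra consistency check lists entries whose table MAC differs from the MAC in that station's requests. The sample table and debug lines are constructed to mirror the thread's format, and the 60-second threshold is an assumption.

```python
"""Relate age-0 ARP entries to ARP request frequency (constructed IOS-style sample data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the layout of "show ip arp vrf <name>"; not the thread's real table.
SAMPLE_ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.61.81           -   0014.698c.3bfd  ARPA   FastEthernet0/1.357
Internet  192.168.61.82           0   0008.da54.7f92  ARPA   FastEthernet0/1.357
Internet  192.168.61.86           0   Incomplete      ARPA
Internet  192.168.60.122          0   0008.da56.7300  ARPA   FastEthernet0/0.44
Internet  172.16.41.190         114   001b.7858.2ef7  ARPA   FastEthernet0/0.355
"""

# Constructed sample in the layout of "debug arp" output; the timestamps are made up.
SAMPLE_DEBUG_ARP = """\
Nov 18 13:16:38.273 GMT+1: IP ARP: rcvd req src 192.168.61.82 0008.da54.7f92, dst 192.168.61.81 FastEthernet0/1.357
Nov 18 13:16:38.273 GMT+1: IP ARP: sent rep src 192.168.61.81 0014.698c.3bfd, dst 192.168.61.82 0008.da54.7f92 FastEthernet0/1.357
Nov 18 13:16:58.273 GMT+1: IP ARP: rcvd req src 192.168.61.82 0008.da54.7f92, dst 192.168.61.81 FastEthernet0/1.357
Nov 18 13:17:18.273 GMT+1: IP ARP: rcvd req src 192.168.61.82 0008.da54.7f92, dst 192.168.61.81 FastEthernet0/1.357
Nov 18 13:17:20.001 GMT+1: IP ARP: rcvd req src 192.168.60.122 0008.da56.7300, dst 192.168.60.121 FastEthernet0/0.44
"""

# One row of the ARP table: age is "-" for the router's own addresses, minutes otherwise;
# the hardware address is "Incomplete" and the interface is absent for unresolved entries.
ARP_ROW = re.compile(
    r"^Internet\s+(?P<ip>\S+)\s+(?P<age>-|\d+)\s+(?P<mac>\S+)\s+ARPA(?:\s+(?P<intf>\S+))?\s*$"
)

# Only received requests matter here: those are what reset the entry's timer.
ARP_REQ = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{1,6}) \S+: IP ARP: rcvd req "
    r"src (?P<ip>\S+) (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}), dst \S+ (?P<intf>\S+)$"
)


def parse_arp_table(text):
    """Return one dict per dynamic/static entry of a 'show ip arp' listing."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW.match(line.strip())
        if m:
            entries.append({
                "ip": m["ip"],
                "age": None if m["age"] == "-" else int(m["age"]),
                "mac": m["mac"],
                "interface": m["intf"],
                "incomplete": m["mac"] == "Incomplete",
            })
    return entries


def parse_arp_requests(text):
    """Return (timestamp, source ip, source mac, interface) for each received ARP request."""
    reqs = []
    for line in text.splitlines():
        m = ARP_REQ.match(line.strip())
        if m:
            # The debug line carries no year; the relative spacing is all that is needed.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")
            reqs.append((ts, m["ip"], m["mac"], m["intf"]))
    return reqs


def requests_per_source(reqs):
    """Count requests per (source ip, source mac, interface)."""
    return Counter((ip, mac, intf) for _, ip, mac, intf in reqs)


def mean_request_interval(reqs):
    """Average seconds between successive requests per source ip; None if only one was seen."""
    times = defaultdict(list)
    for ts, ip, _, _ in reqs:
        times[ip].append(ts)
    result = {}
    for ip, stamps in times.items():
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds()
        result[ip] = None if len(stamps) < 2 else span / (len(stamps) - 1)
    return result


def explain_zero_age(table, reqs, max_interval=60.0):
    """For every entry with age 0, say whether the debug output shows the station
    re-requesting at least every max_interval seconds (assumed threshold), which keeps
    the minute-granular age pinned at 0 exactly as Rodney described."""
    intervals = mean_request_interval(reqs)
    findings = {}
    for e in table:
        if e["age"] != 0:
            continue
        gap = intervals.get(e["ip"])
        if e["incomplete"]:
            findings[e["ip"]] = "incomplete"
        elif gap is not None and gap <= max_interval:
            findings[e["ip"]] = "refreshed by requests"
        else:
            findings[e["ip"]] = "no frequent requests seen"
    return findings


def mac_mismatches(table, reqs):
    """Entries whose table MAC differs from the MAC(s) seen in that ip's requests."""
    seen = defaultdict(set)
    for _, ip, mac, _ in reqs:
        seen[ip].add(mac)
    return {e["ip"]: sorted(seen[e["ip"]]) for e in table
            if not e["incomplete"] and e["ip"] in seen and seen[e["ip"]] != {e["mac"]}}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_TABLE)
    reqs = parse_arp_requests(SAMPLE_DEBUG_ARP)
    for ip, verdict in explain_zero_age(table, reqs).items():
        print(f"{ip:16} age 0: {verdict}")
    for ip, macs in mac_mismatches(table, reqs).items():
        print(f"{ip:16} table MAC differs from request MAC(s) {macs}")
```

Feed it the real outputs by replacing the two constructed strings; a station reported as "refreshed by requests" is the one to inspect on the end-host side, while an age-0 entry with "no frequent requests seen" means the debug window was too short or the refreshes came from elsewhere.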
From twelcome at mobileemail.vodafonesa.co.za Wed Nov 19 11:50:53 2008
From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za)
Date: Wed, 19 Nov 2008 16:50:53 +0000
Subject: [c-nsp] Snmp queries against the bgpPeerTable
Message-ID: <481251146-1227113459-cardhu_decombobulator_blackberry.rim.net-1565954683-@bxe064.bisx.produk.on.blackberry>

Hi list

Would there be any load impact in performing a regular 5 minute poll of the bgpPeerTable on a 7200 router in order to monitor the state of BGP peers? A list of approximately 50 peers is returned, on average.

Thanks,
Traiano
Sent via my BlackBerry from Vodacom - let your email find you!

From ptchuba at live.com Wed Nov 19 12:36:19 2008
From: ptchuba at live.com (Peter Chuba)
Date: Wed, 19 Nov 2008 18:36:19 +0100
Subject: [c-nsp] HWIC-4ESW
In-Reply-To: <20081119152629.GK8535@greenie.muc.de>
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de>
Message-ID:

Hi,

I've got a 2801 whose built-in ports are damaged. I was wondering if I could add an HWIC-4ESW module and use this to connect to both the provider and LAN. And will I be able to do NAT with this setup? Will I also be able to do PPPoE on the VLAN interface? I think it should work but want to be sure before buying the card.

Thanks

From peter at rathlev.dk Wed Nov 19 14:33:04 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 19 Nov 2008 20:33:04 +0100
Subject: [c-nsp] Basic Load/Stress Test Tool
In-Reply-To: <492405C5.90300@free.fr>
References: <4923BFD5.2090904@fnbs.net> <492405C5.90300@free.fr>
Message-ID: <1227123184.3449.7.camel@abehat>

On Wed, 2008-11-19 at 13:25 +0100, Jerome Covini wrote:
> And for both don't forget to maximize the mss when choosing tcp... Else
> you'll stress nothing :).

If I may say so: "Au contraire". :-)

Many small packets will stress the forwarding performance of the router more than (relatively) fewer larger packets. Many routers and L3 switches have a more or less fixed maximum pps rate, with the only limit for the bandwidth being some backplane or bus limit. Adjusting the MTU/MSS upwards increases throughput (bps) but not the pps performance.

Regards,
Peter

From risnaini at indo.net.id Wed Nov 19 18:24:05 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 20 Nov 2008 06:24:05 +0700
Subject: [c-nsp] Snmp queries against the bgpPeerTable
In-Reply-To: <481251146-1227113459-cardhu_decombobulator_blackberry.rim.net-1565954683-@bxe064.bisx.produk.on.blackberry>
References: <481251146-1227113459-cardhu_decombobulator_blackberry.rim.net-1565954683-@bxe064.bisx.produk.on.blackberry>
Message-ID: <4924A015.9090101@indo.net.id>

Nope, it's just retrieving the number, I believe.

a. r. isnaini rangkayo sutan
2404:170:253::10

twelcome at mobileemail.vodafonesa.co.za wrote:
> Hi list
>
> Would there be any load impact in performing a regular 5 minute poll of the bgpPeerTable on a 7200 router in order to monitor the state of BGP peers? A list of approximately 50 peers is returned, on average.
>
> Thanks,
> Traiano
> Sent via my BlackBerry from Vodacom - let your email find you!

From karim.adel at gmail.com Wed Nov 19 19:05:07 2008
From: karim.adel at gmail.com (Kim Onnel)
Date: Thu, 20 Nov 2008 02:05:07 +0200
Subject: [c-nsp] Blocking youtube through dtunnel.com
Message-ID:

Hello,

How do I block YouTube from being proxied by dtunnel.com and similar websites, other than just blocking dtunnel.com itself?

Can I do it with only a router?

Does it need an IP Firewall image?

Do I need an IDS or ASA?

Thanks,
Kim

From sethm at rollernet.us Wed Nov 19 19:15:22 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Wed, 19 Nov 2008 16:15:22 -0800
Subject: [c-nsp] HWIC-4ESW
In-Reply-To:
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de>
Message-ID: <4924AC1A.70803@rollernet.us>

Peter Chuba wrote:
> Hi,
>
> I've got a 2801 whose built-in ports are damaged. I was wondering if I could
> add an HWIC-4ESW module and use this to connect to both the provider and
> LAN. And will I be able to do NAT with this setup? Will I also be able to do
> PPPOE on the vlan interface? I think it should work but want to be sure
> before buying the card.
>

They are switch ports, not routed ports, but you can use an SVI with them for routing. Never tried PPPoE. Have done NAT, works fine. Think of it like putting a switch into your router rather than adding router ports. You might have to go with an HWIC-1FE for PPPoE.

~Seth

From risnaini at indo.net.id Wed Nov 19 19:46:15 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 20 Nov 2008 07:46:15 +0700
Subject: [c-nsp] Blocking youtube through dtunnel.com
In-Reply-To:
References:
Message-ID: <4924B357.7020101@indo.net.id>

Use NBAR, depending on the IOS version of your router.

a. r. isnaini rangkayo sutan

Kim Onnel wrote:
> Hello,
> How do I block YouTube from being proxied by dtunnel.com and similar
> websites? other than just blocking dtunnel.com itself
>
> Can I do it with only a router?
>
> Does it need an IP Firewall image?
>
> Do I need an IDS or ASA?
>
> Thanks,
> Kim

From brett at looney.id.au Wed Nov 19 18:30:05 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 20 Nov 2008 08:30:05 +0900
Subject: [c-nsp] HWIC-4ESW
In-Reply-To:
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de>
Message-ID: <0a7b01c94a9e$c5033620$4f09a260$@id.au>

> I've got a 2801 whose built-in ports are damaged.

Maintenance contract? Probably cheaper than the HWIC-4ESW.

> I was wondering if I could add an HWIC-4ESW module
> and use this to connect to both the provider and
> LAN.

Yes.

> And will I be able to do NAT with this setup?

Yes.

> Will I also be able to do PPPOE on the vlan interface?

I'm 90% sure you can do this but you will not be able to set the MAC address on the VLAN interface. And any QoS policies you have will also probably not work.

B.

From pigsign.pykota at gmail.com Wed Nov 19 20:41:20 2008
From: pigsign.pykota at gmail.com (Darren Yang)
Date: Thu, 20 Nov 2008 09:41:20 +0800
Subject: [c-nsp] Tunnel keepalive in NAT environment problem
In-Reply-To: <20081118184851.GA19851@panix.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED7840666E4B8@xmb-ams-333.emea.cisco.com> <20081118184851.GA19851@panix.com>
Message-ID:

Thanks to Brett for explaining this issue perfectly :)

As I did not see any solution from Cisco, I decided to focus attention on the Linux firewall/NAT and search whether netfilter can decapsulate the keepalive GRE packet and NAT its destination address.... if anyone has a better idea?

Thanks :)
Pigsign

> The issue is that a GRE keepalive packet has the originating tunnel
> endpoint IP address as the destination address of the encapsulated
> packet. That is, consider the following:
>   interface tunnel1
>    tunnel source 10.0.0.1
>    tunnel destination 20.0.0.2
>    tunnel keepalive
> (Not sure I've got the syntax right, but you get the idea.)
>
> A keepalive packet generated by the router will look like the following:
>   IP header: Source=10.0.0.1 Destination=20.0.0.2 Protocol=GRE
>   GRE Header: Protocol=IP
>   Encapsulated Packet:
>     IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
>     GRE Header: 0x0000
>
> The idea is that the router at the far end will receive the packet,
> remove the outer header, and transmit the encapsulated packet. (The
> router at the far end will, then, not do any special processing at all for
> a keepalive packet originating from the near end.) The issue with
> keepalive is that the 10.0.0.1 appears in the encapsulated packet, so
> if that's being NAT'd somewhere, for keepalive to work, the NAT needs
> to translate the address on the encapsulated packet also.
>
> AFAIK, essentially no NATs will do that.
>
> So, anyway, suppose that 10.0.0.1 is being NAT'd to 30.0.0.1. The far
> end router then receives:
>   IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
>   GRE Header: Protocol=IP
>   Encapsulated Packet:
>     IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
>     GRE Header: 0x0000
>
> The far end router's normal GRE processing then involves removing the
> outer header, and attempting to send the following packet:
>   IP Header: Source=? (Not Important) Dest=10.0.0.1 Proto=GRE
>   GRE Header: 0x0000
> This fails because the far end router has no path to get to 10.0.0.1,
> because it should be sending to 30.0.0.1.
>
> The reason that isn't a problem for "other" GRE packets is that, in
> general, there's no requirement that the encapsulated packet be
> translated by the NAT, because, in general, the tunnel endpoint IP
> addresses don't appear as source or destination addresses on the
> encapsulated packet.
>
> More generally, GRE works fine through NAT as long as the expectation
> is that one or both of the tunnel endpoint addresses will be
> translated, but the packets flowing through the tunnel don't need NAT.
> However, once you enable keepalive, you effectively create a
> requirement that the encapsulated packets be translated, because Cisco
> GRE keepalive depends on using the tunnel origin/destination address in
> the encapsulated packet.
>
> This also, in general, breaks keepalives when a tunnel interface has
> "ip forwarding vrf XXXX" and "tunnel vrf YYYY" where XXXX and YYYY
> aren't the same. (This is because the keepalive processing on the far
> end will result in a packet being sent in vrf XXXX to a destination IP
> address that is really in vrf YYYY.)
>
> And, yes, I think this is horribly broken. A much better GRE keepalive
> implementation would be to just send
>   IP header: Source=30.0.0.1 Destination=20.0.0.2 Protocol=GRE
>   GRE Header: Protocol=KeepaliveRequest
> and have the far end router generate a
>   IP header: Source=20.0.0.2 Destination=30.0.0.1 Protocol=GRE
>   GRE Header: Protocol=KeepaliveResponse
> This would work through NAT and through complicated VRF configurations.
> But that's not what Cisco implemented.
>
>      -- Brett

From zhuifeng0426 at gmail.com Wed Nov 19 20:52:17 2008
From: zhuifeng0426 at gmail.com (zhuifeng0426)
Date: Thu, 20 Nov 2008 09:52:17 +0800
Subject: [c-nsp] HWIC-4ESW
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com>, <20081119152629.GK8535@greenie.muc.de>, , <0a7b01c94a9e$c5033620$4f09a260$@id.au>
Message-ID: <200811200952148280284@gmail.com>

The HWIC-4ESW is only a layer 2 device; you can use SVIs to make it act like layer 3 ports, but it can never connect to the WAN.

2008-11-20

Best regards,

YiFeng Zhou
Mail: zhuifeng0426 at gmail.com
MSN: zhuifeng0426 at hotmail.com
Mobile: +86 (0)15905171724

From: Brett Looney
Sent: 2008-11-20 08:56:00
To: cisco-nsp at puck.nether.net
Cc:
Subject:
Re: [c-nsp] HWIC-4ESW

> I've got a 2801 whose built-in ports are damaged.

Maintenance contract? Probably cheaper than the HWIC-4ESW.

> I was wondering if I could add an HWIC-4ESW module
> and use this to connect to both the provider and
> LAN.

Yes.

> And will I be able to do NAT with this setup?

Yes.

> Will I also be able to do PPPOE on the vlan interface?

I'm 90% sure you can do this but you will not be able to set the MAC address on the VLAN interface. And any QoS policies you have will also probably not work.

B.

From nic.passmore at gmail.com Wed Nov 19 21:11:03 2008
From: nic.passmore at gmail.com (Nic Passmore)
Date: Thu, 20 Nov 2008 15:11:03 +1300
Subject: [c-nsp] HWIC-4ESW
In-Reply-To:
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de>
Message-ID: <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com>

On Thu, Nov 20, 2008 at 6:36 AM, Peter Chuba wrote:
> Hi,
>
> I've got a 2801 whose built-in ports are damaged. I was wondering if I could
> add an HWIC-4ESW module and use this to connect to both the provider and
> LAN. And will I be able to do NAT with this setup? Will I also be able to do
> PPPOE on the vlan interface? I think it should work but want to be sure
> before buying the card.
>
> Thanks

Cisco says:

  Q. Can I assign each switch port to a unique VLAN? If so, are there any limitations?

  A. Each switch port can be assigned to its own VLAN, effectively providing four additional routed ports. However, there are serious performance and feature limitations to doing this. The VLAN interfaces are truly Layer 3 switching interfaces and are treated uniquely among interface types on the router. Many features are not supported or tested on these interfaces, including Point-to-Point Protocol over Ethernet (PPPOE) termination, Layer 2 Tunneling Protocol Version 3 (L2TPv3) termination, MAC address assignment, Layer 3 QoS, and others. You should carefully test any desired feature and solution prior to deploying it.

http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_qas0900aecd8016c026_ps5854_Products_Q_and_A_Item.html

Is this something that will be used in a production environment? If that's the case, then it's probably not a good idea.

-Nic

From brett at looney.id.au Wed Nov 19 21:35:09 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 20 Nov 2008 11:35:09 +0900
Subject: [c-nsp] HWIC-4ESW
In-Reply-To: <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com>
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de> <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com>
Message-ID: <0af401c94ab8$9dbd8150$d93883f0$@id.au>

> Many features are not supported or tested on these
> interfaces, including Point-to-Point Protocol over
> Ethernet (PPPOE) termination,

Interesting. I'm sure I've done this (somewhere in the dark, distant past) or at least tried to do this. But nice to know it isn't supported.

B.

From danletkeman at gmail.com Thu Nov 20 00:06:40 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Wed, 19 Nov 2008 23:06:40 -0600
Subject: [c-nsp] HWIC-4ESW
In-Reply-To:
References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de>
Message-ID:

It was a while ago, but if I remember correctly, it did not work on the HWIC, only on the integrated ports. You could pick up a cheap 827 or 837 router on eBay to do the PPPoE.

Dan.

On Wed, Nov 19, 2008 at 11:36 AM, Peter Chuba wrote:
> Hi,
>
> I've got a 2801 whose built-in ports are damaged.
I was wondering if I could > add an HWIC-4ESW module and use this to connect to both the provider and > LAN. And will I be able to do NAT with this setup? Will I also be able to do > PPPOE on the vlan interface? I think it should work but want to be sure > before buying the card. > > Thanks > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From twelcome at mobileemail.vodafonesa.co.za Thu Nov 20 02:04:39 2008 From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za) Date: Thu, 20 Nov 2008 07:04:39 +0000 Subject: [c-nsp] Snmp queries against the bgpPeerTable Message-ID: <1754060648-1227164686-cardhu_decombobulator_blackberry.rim.net-1909456807-@bxe064.bisx.produk.on.blackberry> Thanks. Do you think it's safe to assume that all the information in the bgp4 mib is stored as a ready-to-read form, so that querying all itks information at one time places no load on the traffic processors in the router? ------Original Message------ From: a. rahman isnaini r.sutan To: twelcome at mobileemail.vodafonesa.co.za Cc: cisco_nsp Sent: Nov 20, 2008 1:24 AM Subject: Re: [c-nsp] Snmp queries against the bgpPeerTable Nope, it just retrieving the number I believe. a. r. isnaini rangkayo sutan 2404:170:253::10 twelcome at mobileemail.vodafonesa.co.za wrote: > Hi list > > Would there be any load impact in performing a regular 5 minute poll of the bgpPeertable on 7200 router in order to monitor the state of bgp peers? A list of approximately 50 peers is returned, on average. > > Thanks, > Traiano > Sent via my BlackBerry from Vodacom - let your email find you! 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > Sent via my BlackBerry from Vodacom - let your email find you! From risnaini at indo.net.id Thu Nov 20 02:13:15 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Thu, 20 Nov 2008 14:13:15 +0700 Subject: [c-nsp] Snmp queries against the bgpPeerTable In-Reply-To: <1754060648-1227164686-cardhu_decombobulator_blackberry.rim.net-1909456807-@bxe064.bisx.produk.on.blackberry> References: <1754060648-1227164686-cardhu_decombobulator_blackberry.rim.net-1909456807-@bxe064.bisx.produk.on.blackberry> Message-ID: <49250E0B.4000107@indo.net.id> Yap. We've done this for several bgp peers in one router. a. r.isnaini rangkayo sutan twelcome at mobileemail.vodafonesa.co.za wrote: > Thanks. Do you think it's safe to assume that all the information in the bgp4 mib is stored as a ready-to-read form, so that querying all itks information at one time places no load on the traffic processors in the router? > > > > > ------Original Message------ > From: a. rahman isnaini r.sutan > To: twelcome at mobileemail.vodafonesa.co.za > Cc: cisco_nsp > Sent: Nov 20, 2008 1:24 AM > Subject: Re: [c-nsp] Snmp queries against the bgpPeerTable > > Nope, it just retrieving the number I believe. > > a. r. isnaini rangkayo sutan > 2404:170:253::10 > > twelcome at mobileemail.vodafonesa.co.za wrote: >> Hi list >> >> Would there be any load impact in performing a regular 5 minute poll of the bgpPeertable on 7200 router in order to monitor the state of bgp peers? A list of approximately 50 peers is returned, on average. >> >> Thanks, >> Traiano >> Sent via my BlackBerry from Vodacom - let your email find you! 
>> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > > > Sent via my BlackBerry from Vodacom - let your email find you! > > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.549 / Virus Database: 270.9.8/1800 - Release Date: 11/19/2008 6:55 PM From ptchuba at live.com Thu Nov 20 02:20:45 2008 From: ptchuba at live.com (Peter Chuba) Date: Thu, 20 Nov 2008 08:20:45 +0100 Subject: [c-nsp] HWIC-4ESW In-Reply-To: <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com> References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de> <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com> Message-ID: Thank you Nic and all the others who threw some light on the issue. I would have loved using the HWIC-1FE but I'm in Cameroon and have searched everywhere for it without success. Getting it shipped in might cost as much as buying a new router. Anyway, thank you guys for the information. Peter -----Original Message----- From: Nic Passmore [mailto:nic.passmore at gmail.com] Sent: Thursday, November 20, 2008 3:11 AM To: Peter Chuba; cisco_nsp Subject: Re: [c-nsp] HWIC-4ESW On Thu, Nov 20, 2008 at 6:36 AM, Peter Chuba wrote: > Hi, > > I've got a 2801 whose built-in ports are damaged. I was wondering if I could > add an HWIC-4ESW module and use this to connect to both the provider and > LAN. And will I be able to do NAT with this setup? Will I also be able to do > PPPOE on the vlan interface? I think it should work but want to be sure > before buying the card. > > Thanks Cisco says: Q. Can I assign each switch port to a unique VLAN? If so, are there any limitations? A. 
Each switch port can be assigned to its own VLAN, effectively providing four additional routed ports. However, there are serious performance and feature limitations to doing this. The VLAN interfaces are truly Layer 3 switching interfaces and are treated uniquely among interface types on the router. Many features are not supported or tested on these interfaces, including Point-to-Point Protocol over Ethernet (PPPOE) termination, Layer 2 Tunneling Protocol Version 3 (L2TPv3) termination, MAC address assignment, Layer 3 QoS, and others. You should carefully test any desired feature and solution prior to deploying it. http://www.cisco.com/en/US/prod/collateral/routers/ps5853/prod_qas0900aecd80 16c026_ps5854_Products_Q_and_A_Item.html Is this something that will be used in a production environment? If thats the case, then its probably not a good idea.. -Nic From twelcome at mobileemail.vodafonesa.co.za Thu Nov 20 02:23:28 2008 From: twelcome at mobileemail.vodafonesa.co.za (twelcome at mobileemail.vodafonesa.co.za) Date: Thu, 20 Nov 2008 07:23:28 +0000 Subject: [c-nsp] Snmp queries against the bgpPeerTable Message-ID: <480247352-1227165815-cardhu_decombobulator_blackberry.rim.net-830509228-@bxe064.bisx.produk.on.blackberry> Thanks a lot :-) that clears things up for me. Regards, Traiano Welcome ------Original Message------ From: a. rahman isnaini r.sutan To: twelcome at mobileemail.vodafonesa.co.za Cc: cisco_nsp Sent: Nov 20, 2008 9:13 AM Subject: Re: [c-nsp] Snmp queries against the bgpPeerTable Yap. We've done this for several bgp peers in one router. a. r.isnaini rangkayo sutan twelcome at mobileemail.vodafonesa.co.za wrote: > Thanks. Do you think it's safe to assume that all the information in the bgp4 mib is stored as a ready-to-read form, so that querying all itks information at one time places no load on the traffic processors in the router? > > > > > ------Original Message------ > From: a. 
rahman isnaini r.sutan > To: twelcome at mobileemail.vodafonesa.co.za > Cc: cisco_nsp > Sent: Nov 20, 2008 1:24 AM > Subject: Re: [c-nsp] Snmp queries against the bgpPeerTable > > Nope, it just retrieving the number I believe. > > a. r. isnaini rangkayo sutan > 2404:170:253::10 > > twelcome at mobileemail.vodafonesa.co.za wrote: >> Hi list >> >> Would there be any load impact in performing a regular 5 minute poll of the bgpPeertable on 7200 router in order to monitor the state of bgp peers? A list of approximately 50 peers is returned, on average. >> >> Thanks, >> Traiano >> Sent via my BlackBerry from Vodacom - let your email find you! >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > > > Sent via my BlackBerry from Vodacom - let your email find you! > > > ------------------------------------------------------------------------ > > No virus found in this incoming message. > Checked by AVG. > Version: 7.5.549 / Virus Database: 270.9.8/1800 - Release Date: 11/19/2008 6:55 PM Sent via my BlackBerry from Vodacom - let your email find you! From achatz at forthnet.gr Thu Nov 20 04:01:56 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Thu, 20 Nov 2008 11:01:56 +0200 Subject: [c-nsp] HWIC-4ESW In-Reply-To: <0af401c94ab8$9dbd8150$d93883f0$@id.au> References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de> <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com> <0af401c94ab8$9dbd8150$d93883f0$@id.au> Message-ID: <49252784.2010307@forthnet.gr> I think Peter wants to make the 2801 act as a PPPoE client, not a PPPoE termination router. 
-- Tassos Brett Looney wrote on 20/11/2008 04:35: >> Many features are not supported or tested on these >> interfaces, including Point-to-Point Protocol over >> Ethernet (PPPOE) termination, > > > > Interesting. I'm sure I've done this (somewhere in the dark, distant past) > or at least tried to do this. But nice to know it isn't supported. > > B. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ptchuba at live.com Thu Nov 20 04:56:48 2008 From: ptchuba at live.com (Peter Chuba) Date: Thu, 20 Nov 2008 10:56:48 +0100 Subject: [c-nsp] HWIC-4ESW In-Reply-To: <49252784.2010307@forthnet.gr> References: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com> <20081119152629.GK8535@greenie.muc.de> <3d794efd0811191811h74e42e81w7bc28cd2a3b5a42b@mail.gmail.com> <0af401c94ab8$9dbd8150$d93883f0$@id.au> <49252784.2010307@forthnet.gr> Message-ID: Yeah that's what I want to do. Sorry if I wasn't very clear. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tassos Chatzithomaoglou Sent: Thursday, November 20, 2008 10:02 AM To: 'cisco_nsp' Subject: Re: [c-nsp] HWIC-4ESW I think Peter wants to make the 2801 act as a PPPoE client, not a PPPoE termination router. -- Tassos Brett Looney wrote on 20/11/2008 04:35: >> Many features are not supported or tested on these >> interfaces, including Point-to-Point Protocol over >> Ethernet (PPPOE) termination, > > > > Interesting. I'm sure I've done this (somewhere in the dark, distant past) > or at least tried to do this. But nice to know it isn't supported. > > B. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From hroi at asdf.dk Thu Nov 20 05:21:15 2008 From: hroi at asdf.dk (Hroi Sigurdsson) Date: Thu, 20 Nov 2008 11:21:15 +0100 Subject: [c-nsp] downloads broken? In-Reply-To: <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> Message-ID: <49253A1B.9030303@asdf.dk> Jared Mauch wrote: > I'm personally fed up with this crap from Cisco. Hear, hear. There is a feedback form on the final download page where you can rate your experience and leave a comment. Hopefully enough people will use it so they will consider changing the behaviour back. From elmi at 4ever.de Thu Nov 20 05:37:08 2008 From: elmi at 4ever.de (Elmar K. Bins) Date: Thu, 20 Nov 2008 11:37:08 +0100 Subject: [c-nsp] downloads broken? In-Reply-To: <49253A1B.9030303@asdf.dk> References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <49253A1B.9030303@asdf.dk> Message-ID: <20081120103707.GI93039@ronin.4ever.de> hroi at asdf.dk (Hroi Sigurdsson) wrote: > There is a feedback form on the final download page where you can rate > your experience and leave a comment. Hopefully enough people will use it > so they will consider changing the behaviour back. I always use that, I never got anything back. Elmar. 
From chloekcy2000 at yahoo.ca Thu Nov 20 06:51:48 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Thu, 20 Nov 2008 06:51:48 -0500 (EST)
Subject: [c-nsp] any terminal suggest and strange chars
Message-ID: <732559.26478.qm@web57404.mail.re1.yahoo.com>

Hi

I only know to use HyperTerminal to do console; any suggestion about a terminal?

I also have a problem capturing the terminal to a text file: there are strange chars in the text file.

Can you help?

Thank you

From blahu77 at gmail.com Thu Nov 20 07:09:51 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 20 Nov 2008 12:09:51 +0000
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <732559.26478.qm@web57404.mail.re1.yahoo.com>
References: <732559.26478.qm@web57404.mail.re1.yahoo.com>
Message-ID: <383357750811200409v59079dc0ua2cb04aaf1cd11a3@mail.gmail.com>

Chloe

> I only know to use hyper termianl to do console
> any suggestion about terminal?
>
> I also have problem to capture the terminal to text file
>
> there is strange chars in text file
>
> Can you help?
>

http://www.angelfire.com/mac/gregor49032/Files/winxptcr/winsock/1.htm

BRs,

-mat
--
pgp-key 0x1C655CAB

From risnaini at indo.net.id Thu Nov 20 07:19:25 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 20 Nov 2008 19:19:25 +0700
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <732559.26478.qm@web57404.mail.re1.yahoo.com>
References: <732559.26478.qm@web57404.mail.re1.yahoo.com>
Message-ID: <492555CD.2020807@indo.net.id>

SecureCRT will give you a 32k-line scrollback. Version 5.x supports IPv6.

rgs
a. r. isnaini rangkayo sutan

chloe K wrote:
> Hi
>
> I only know to use hyper termianl to do console
> any suggestion about terminal?
>
> I also have problem to capture the terminal to text file
>
> there is strange chars in text file
>
> Can you help?
>
> Thank you

From eng_mssk at hotmail.com Thu Nov 20 07:28:56 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 20 Nov 2008 14:28:56 +0200
Subject: [c-nsp] RADIUS
Message-ID:

Dears, I need help here!!

I want to test an attribute on a RADIUS server but I don't know where to configure the Cisco av-pair (I mean, what requirements do I need) and what type of server (a free RADIUS is required as it's for testing).

From eng_mssk at hotmail.com Thu Nov 20 07:30:05 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Thu, 20 Nov 2008 14:30:05 +0200
Subject: [c-nsp] CACHE
Message-ID:

Dears, I need a device that operates in a similar fashion to a cache (you send it a request and it replies back). Could it be done on a router??

Thanks

From chloekcy2000 at yahoo.ca Thu Nov 20 07:56:43 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Thu, 20 Nov 2008 07:56:43 -0500 (EST)
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <492555CD.2020807@indo.net.id>
Message-ID: <578970.12775.qm@web57405.mail.re1.yahoo.com>

Thank you, but this one is not free.

HyperTerminal is fine, but I don't know how to avoid the strange chars. Do I need to set any command in Cisco to avoid strange chars in the capture file?

Thank you

"a. rahman isnaini r.sutan" wrote:
> Secure CRT will give you 32k line scrollable. Version 5.x support IPv6
>
> rgs
> a. r. isnaini rangkayo sutan
>
> chloe K wrote:
> > Hi
> >
> > I only know to use hyper termianl to do console
> > any suggestion about terminal?
> >
> > I also have problem to capture the terminal to text file
> >
> > there is strange chars in text file
> >
> > Can you help?
> >
> > Thank you

From risnaini at indo.net.id Thu Nov 20 07:58:45 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 20 Nov 2008 19:58:45 +0700
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <578970.12775.qm@web57405.mail.re1.yahoo.com>
References: <578970.12775.qm@web57405.mail.re1.yahoo.com>
Message-ID: <49255F05.9020008@indo.net.id>

PuTTY is free. But not as good as CRT; beware of right click & auto paste :)

a. r. isnaini rangkayo sutan

chloe K wrote:
> Thank you. but this one is not free
>
> Hyper terminal is fine.
but don't know how to avoid the strange char > > Do I need to set any command in cisco to avoid strange char in capture file? > > Thank you > > */"a. rahman isnaini r.sutan" /* wrote: > > Secure CRT will give you 32k line scrollable. > Version 5.x support IPv6 > > rgs > a. r. isnaini rangkayo sutan > > chloe K wrote: > > Hi > > > > I only know to use hyper termianl to do console > > any suggestion about terminal? > > > > I also have problem to capture the terminal to text file > > > > there is strange chars in text file > > > > Can you help? > > > > Thank you > > > > > > --------------------------------- > > Ask a question on any topic and get answers from real people. Go > to Yahoo! Answers. > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > > > > > Be smarter than spam. See how smart SpamGuard is at giving junk email > the boot with the *All-new Yahoo! Mail * > From adriankok2000 at yahoo.com.hk Thu Nov 20 08:01:46 2008 From: adriankok2000 at yahoo.com.hk (adrian kok) Date: Thu, 20 Nov 2008 21:01:46 +0800 (CST) Subject: [c-nsp] console connection issue? Message-ID: <517208.41113.qm@web33307.mail.mud.yahoo.com> Hi All I use the USB to serial and serial to console to cisco switch It have to reboot switch to have signal but not good Any help for it? Thank You Send instant messages to your online friends http://uk.messenger.yahoo.com From justin at justinshore.com Thu Nov 20 08:01:59 2008 From: justin at justinshore.com (Justin Shore) Date: Thu, 20 Nov 2008 07:01:59 -0600 Subject: [c-nsp] Green Cisco In-Reply-To: <4923B18D.2000904@rollernet.us> References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com> <4923B18D.2000904@rollernet.us> Message-ID: <49255FC7.1010506@justinshore.com> Seth Mattinen wrote: > Don't forget "HP ships piece of paper in padded box". 
>
> http://www.theregister.co.uk/2008/07/18/hp_packaging/

So does Cisco. When we placed a large order 2 years ago I received two identical packages from Singapore (some sort of Air parcel company). Inside each box was 2 layers of pink foam padding. Between the foam was 2 sheets of legalese license disclaimer crap. It wasn't a serial #, license key, PAK, etc. It was just more crap to throw away. The other box had identical contents. They were shipped out on the same day. In fact if memory serves me correctly they had consecutive tracking and way bill numbers. I felt special.

We bought a large quantity of Champion SFPs for a non-Cisco project. They were shipped packed in sheets of molded anti-static plastic that contains spots for about a dozen SFPs. These were packed in anti-static boxes of 4-5 layers of plastic. No paper crap to throw away. No static bags to cut open and then trash. Nice and neat. Other vendors I won't name here place them in a padded cardboard box the size of a typical pocket knife. When I bought several dozen Cisco SFPs a few years back each SFP was in a static bag. The static bag was in a large Ziploc of sorts that also contained several sheets of paper (install info, legalese crap). For a short time I actually bothered to open each plastic bag and remove each static bag and paper. The paper went into one recycling pile and the plastic bag into another. That didn't last long. I gave up on that waste of time and started slicing the plastic bags open with my knife to get to the static bag. Then tossed the rest in the trash. Same goes for switches and routers. I trash every piece of paper in the box.

Their shipping and packing methodologies are less than green. The least they could do is give us a part number to exclude the crap. We have the "=" part numbers for spares. How about a "-" part number for green packing? One would think that it would save Cisco reasonable sums of money too which I'm sure they'd like to do in these rougher times.

Justin

From gkg at gmx.de Thu Nov 20 08:05:50 2008
From: gkg at gmx.de (Garry)
Date: Thu, 20 Nov 2008 14:05:50 +0100
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <732559.26478.qm@web57404.mail.re1.yahoo.com>
References: <732559.26478.qm@web57404.mail.re1.yahoo.com>
Message-ID: <492560AE.7050600@gmx.de>

chloe K wrote:
> Hi
>
> I only know to use HyperTerminal to do console. Any suggestion about terminal?
>
> I also have a problem capturing the terminal to a text file. There are strange chars in the text file.

Dunno which strange chars you mean, I suppose it's the chars that are displayed from the pager ... you can avoid them by setting the term length to 0 ...

Apart from that, use Putty ... IPv4/v6, serial support, adjustable scrollback history, and direct logging to a file ... can't believe anybody is actually using Hyperterm ;)))

-garry

From blahu77 at gmail.com Thu Nov 20 08:15:07 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 20 Nov 2008 13:15:07 +0000
Subject: [c-nsp] any terminal suggest and strange chars
In-Reply-To: <492560AE.7050600@gmx.de>
References: <732559.26478.qm@web57404.mail.re1.yahoo.com> <492560AE.7050600@gmx.de>
Message-ID: <383357750811200515o38484448wac879f40459df43f@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Garry,

> ... can't believe
> anybody is actually using Hyperterm ;)))
>

I actually use it only for the zmodem, which is needed to reflash some non-Cisco equipment. And neither minicom nor putty works with this hw.

Best Regards,

- -mat
- --
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJJWLb+BuaDRxlXKsRAjNHAKCUUyvY7qlXcYXqeQllD9Qz3v9f/ACfc6tc
ip6r1oefXW6F0GsNkFaSjjg=
=vFYV
-----END PGP SIGNATURE-----

From hank at efes.iucc.ac.il Thu Nov 20 08:24:14 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 20 Nov 2008 15:24:14 +0200 (IST)
Subject: [c-nsp] Green Cisco
In-Reply-To: <49255FC7.1010506@justinshore.com>
References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com> <4923B18D.2000904@rollernet.us> <49255FC7.1010506@justinshore.com>
Message-ID:

On Thu, 20 Nov 2008, Justin Shore wrote:

> So does Cisco. When we placed a large order 2 years ago I received two
> identical packages from Singapore (some sort of Air parcel company). Inside
> each box was 2 layers of pink foam padding. Between the foam was 2 sheets of
> legalese license disclaimer crap. It wasn't a serial #, license key, PAK,
> etc. It was just more crap to throw away. The other box had identical
> contents. They were shipped out on the same day. In fact if memory serves
> me correctly they had consecutive tracking and way bill numbers. I felt
> special.
>
> We bought a large quantity of Champion SFPs for a non-Cisco project. They
> were shipped packed in sheets of molded anti-static plastic that contains
> spots for about a dozen SFPs. These were packed in anti-static boxes of 4-5
> layers of plastic. No paper crap to throw away. No static bags to cut
> open and then trash. Nice and neat. Other vendors I won't name here place
> them in a padded cardboard box the size of a typical pocket knife. When I
> bought several dozen Cisco SFPs a few years back each SFP was in a static
> bag. The static bag was in a large Ziploc of sorts that also contained
> several sheets of paper (install info, legalese crap). For a short time I
> actually bothered to open each plastic bag and remove each static bag and
> paper. The paper went into one recycling pile and the plastic bag into
> another. That didn't last long. I gave up on that waste of time and started
> slicing the plastic bags open with my knife to get to the static bag. Then
> tossed the rest in the trash. Same goes for switches and routers. I trash
> every piece of paper in the box.
>
> Their shipping and packing methodologies are less than green. The least they
> could do is give us a part number to exclude the crap. We have the "=" part
> numbers for spares. How about a "-" part number for green packing? One
> would think that it would save Cisco reasonable sums of money too which I'm
> sure they'd like to do in these rougher times.
>
> Justin

The guy who would be best to approach is Executive VP of Operations and Process - Randy Pound (or Pond). But since he exercised $15.8M of stock options this year and $28.5M last year - chances are he has one foot out the door by now:
http://biz.yahoo.com/t/61/4033.html

I guess he knew what was gonna happen to the Cisco stock :-)

-Hank

From jared at puck.nether.net Thu Nov 20 08:31:48 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 20 Nov 2008 08:31:48 -0500
Subject: [c-nsp] downloads broken?
In-Reply-To: <20081120103707.GI93039@ronin.4ever.de>
References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <49253A1B.9030303@asdf.dk> <20081120103707.GI93039@ronin.4ever.de>
Message-ID: <20081120133148.GA3500@puck.nether.net>

On Thu, Nov 20, 2008 at 11:37:08AM +0100, Elmar K. Bins wrote:
> hroi at asdf.dk (Hroi Sigurdsson) wrote:
>
> > There is a feedback form on the final download page where you can rate
> > your experience and leave a comment. Hopefully enough people will use it
> > so they will consider changing the behaviour back.
>
> I always use that, I never got anything back.

I'm told that sometimes when they compile the results of those feedback that they really want to contact users back but don't, even when they have serious gripes.

The only luck I usually get is when I point out that the documentation is wrong, then I get a canned reply saying "we're gonna fix it". Doesn't help me much since I don't know which one of the parts of the docs are being corrected.

- Jared

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From gk at ax.tc Thu Nov 20 08:40:03 2008
From: gk at ax.tc (Gerald Krause)
Date: Thu, 20 Nov 2008 14:40:03 +0100
Subject: [c-nsp] RADIUS
In-Reply-To:
References:
Message-ID: <492568B3.9050208@ax.tc>

On 20.11.2008 13:28, Mohammad Khalil wrote:
> Dears,
> I need help here!!
> I want to test an attribute on a RADIUS server,
> but I don't know where to configure the Cisco av-pair (I mean, what requirements do I need)
> and what type of server (free RADIUS is required as it's for testing).

Just an example of how to use Cisco-AVPairs with a freeRADIUS users file:

testuser Password == "test123"
        Cisco-AVPair += "lcp:interface-config#2=ip unnumbered Loopback1",
        Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding TESTVRF",
        Cisco-AVPair += "ip:addr-pool=1"

--
Gerald (ax/tc)

From markom at markom.info Thu Nov 20 09:30:52 2008
From: markom at markom.info (Marko Milivojevic)
Date: Thu, 20 Nov 2008 14:30:52 +0000
Subject: [c-nsp] downloads broken?
In-Reply-To: <20081120133148.GA3500@puck.nether.net>
References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <49253A1B.9030303@asdf.dk> <20081120103707.GI93039@ronin.4ever.de> <20081120133148.GA3500@puck.nether.net>
Message-ID: <1fb747910811200630hc8982ecy8161146aea560888@mail.gmail.com>

> The only luck I usually get is when I point out that the documentation
> is wrong, then I get a canned reply saying "we're gonna fix it". Doesn't
> help me much since I don't know which one of the parts of the docs are being
> corrected.

Oh, you mean something like trying to interpret:

http://cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/qos.html#wp1234827
and
http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/command/reference/int_sess.html#wp1978612

as "does not always work on trunk ports"? ;-)

Marko.

From raymondh.nsp at gmail.com Thu Nov 20 11:04:06 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Fri, 21 Nov 2008 00:04:06 +0800
Subject: [c-nsp] downloads broken?
In-Reply-To: <1fb747910811200630hc8982ecy8161146aea560888@mail.gmail.com>
References: <20081118164704.GB91954@puck.nether.net> <1227027491.3534.1.camel@abehat> <15EC35A5-692F-4ABE-A493-EE7CF00C6CEA@puck.nether.net> <49253A1B.9030303@asdf.dk> <20081120103707.GI93039@ronin.4ever.de> <20081120133148.GA3500@puck.nether.net> <1fb747910811200630hc8982ecy8161146aea560888@mail.gmail.com>
Message-ID:

They seriously need to buck up big time and get a few folks to take the slightest effort to maintain the integrity of their online documentation or even guides. Especially towards their "features" docs. Crap. Zzz...

--raymondh

On Nov 20, 2008, at 10:30 PM, Marko Milivojevic wrote:

>> The only luck I usually get is when I point out that the
>> documentation
>> is wrong, then I get a canned reply saying "we're gonna fix
>> it". Doesn't
>> help me much since I don't know which one of the parts of the docs
>> are being
>> corrected.
>
> Oh, you mean something like trying to interpret:
>
> http://cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/qos.html#wp1234827
> and
> http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/command/reference/int_sess.html#wp1978612
>
> as "does not always work on trunk ports"? ;-)
>
>
> Marko.

From simon at pitwood.org Thu Nov 20 10:34:07 2008
From: simon at pitwood.org (simon at pitwood.org)
Date: Thu, 20 Nov 2008 15:34:07 -0000 (GMT)
Subject: [c-nsp] CACHE
In-Reply-To:
References:
Message-ID: <12279.195.27.217.250.1227195247.squirrel@webmail.daily.co.uk>

yes, using the proxy arp

> Dears,
> I need a device that operates in a similar fashion as the cache (you send
> it a request and it replies back).
> Could it be done on a router??
> Thanks

From avayner at cisco.com Thu Nov 20 11:47:48 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 20 Nov 2008 17:47:48 +0100
Subject: [c-nsp] Green Cisco
In-Reply-To:
References: <9e246b4d0811182103o41948244q6ce6063e57749964@mail.gmail.com> <4923B18D.2000904@rollernet.us> <49255FC7.1010506@justinshore.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50233F4E3@xmb-ams-331.emea.cisco.com>

Actually,

Looking at http://www.cisco.com/web/about/ac227/ac228/ac233/about_cisco_environmental_management.html, the right contact email is there.

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
Sent: Thursday, November 20, 2008 15:24 PM
To: Justin Shore
Cc: Cisco Nsp
Subject: Re: [c-nsp] Green Cisco

On Thu, 20 Nov 2008, Justin Shore wrote:

> So does Cisco. When we placed a large order 2 years ago I received two
> identical packages from Singapore (some sort of Air parcel company). Inside
> each box was 2 layers of pink foam padding. Between the foam was 2 sheets of
> legalese license disclaimer crap. It wasn't a serial #, license key, PAK,
> etc. It was just more crap to throw away. The other box had identical
> contents. They were shipped out on the same day. In fact if memory serves
> me correctly they had consecutive tracking and way bill numbers. I felt
> special.
>
> We bought a large quantity of Champion SFPs for a non-Cisco project. They
> were shipped packed in sheets of molded anti-static plastic that contains
> spots for about a dozen SFPs. These were packed in anti-static boxes of 4-5
> layers of plastic. No paper crap to throw away. No static bags to cut
> open and then trash. Nice and neat. Other vendors I won't name here place
> them in a padded cardboard box the size of a typical pocket knife. When I
> bought several dozen Cisco SFPs a few years back each SFP was in a static
> bag. The static bag was in a large Ziploc of sorts that also contained
> several sheets of paper (install info, legalese crap). For a short time I
> actually bothered to open each plastic bag and remove each static bag and
> paper. The paper went into one recycling pile and the plastic bag into
> another. That didn't last long. I gave up on that waste of time and started
> slicing the plastic bags open with my knife to get to the static bag. Then
> tossed the rest in the trash. Same goes for switches and routers. I trash
> every piece of paper in the box.
>
> Their shipping and packing methodologies are less than green. The least they
> could do is give us a part number to exclude the crap. We have the "=" part
> numbers for spares. How about a "-" part number for green packing? One
> would think that it would save Cisco reasonable sums of money too which I'm
> sure they'd like to do in these rougher times.
>
> Justin

The guy who would be best to approach is Executive VP of Operations and Process - Randy Pound (or Pond). But since he exercised $15.8M of stock options this year and $28.5M last year - chances are he has one foot out the door by now:
http://biz.yahoo.com/t/61/4033.html

I guess he knew what was gonna happen to the Cisco stock :-)

-Hank

From p.mayers at imperial.ac.uk Thu Nov 20 11:53:25 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 20 Nov 2008 16:53:25 +0000
Subject: [c-nsp] SXI testing
Message-ID: <49259605.4030601@imperial.ac.uk>

All,

In case people are interested, I have tested a load of stuff as working on 12.2(33)SXI.

http://cisco.cluepon.net/index.php/Ios_sxi

Basically, the only thing I've found that *doesn't* work as expected is DHCP relay inside a VRF - it appears to get the next-hop lookup wrong. I've opened a TAC case for the issue.

From tech at technovoid.com Thu Nov 20 12:03:42 2008
From: tech at technovoid.com (Ivor Coons)
Date: Thu, 20 Nov 2008 11:03:42 -0600
Subject: [c-nsp] Downloadable ACLs without using ACS
Message-ID: <4925986E.3070701@technovoid.com>

Does anyone here have experience configuring downloadable ACLs on an ASA/PIX using freeradius or some other free AAA server? Every search I have done references Cisco's TACACS server as the AAA option. Is it even possible to use a third party server?

Thanks,
Ivor

From simestd at netexpress.com Thu Nov 20 12:30:17 2008
From: simestd at netexpress.com (Tom Simes)
Date: Thu, 20 Nov 2008 08:30:17 -0900
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
Message-ID: <20081120083017.17c4050e.simestd@netexpress.com>

Hi all,

We've got an aging Cisco Secure ACS install on the Windows platform and we're looking for alternatives.
We're only using TACACS+ for admin authentication into our Cisco gear (not RADIUS), but we do have a variety of groups defined with differing access to commands and equipment, and our user store is LDAP, so we need at least that level of functionality.

What are folks using these days for a TACACS+ server that they're happy with?

TIA!

Tom

======================================================================
"Z-80 system stack overflow. Shut 'er down Scotty, the system's sucking mud"
- Error message on TRS 80 Model-16B
Tom Simes   simestd at netexpress.com
======================================================================

From ghostonthewire at gmail.com Thu Nov 20 12:31:29 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Thu, 20 Nov 2008 20:31:29 +0300
Subject: [c-nsp] Downloadable ACLs without using ACS
In-Reply-To: <4925986E.3070701@technovoid.com>
References: <4925986E.3070701@technovoid.com>
Message-ID: <49259EF1.40006@gmail.com>

hi,

Ivor Coons wrote:
> Does anyone here have experience configuring downloadable ACLs on an
> ASA/PIX using freeradius or some other free AAA server? Every search I
> have done references Cisco's TACACS server as the AAA option. Is it even
> possible to use a third party server?

Not sure about downloadable ACLs, but passing "ip:inacl..." via Cisco-AVPair does the trick for sure. A couple of years ago I succeeded in using PIX with FreeRADIUS for teleworkers' VPN access. Anyway, look through http://tinyurl.com/5gx3qp and try.

From lgeyer at gmail.com Thu Nov 20 12:41:34 2008
From: lgeyer at gmail.com (Laurent Geyer)
Date: Thu, 20 Nov 2008 12:41:34 -0500
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
In-Reply-To: <20081120083017.17c4050e.simestd@netexpress.com>
References: <20081120083017.17c4050e.simestd@netexpress.com>
Message-ID: <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com>

On Thu, Nov 20, 2008 at 12:30 PM, Tom Simes wrote:
>
> What are folks using these days for a TACACS+ server that they're happy
> with?
> TIA!
>
> Tom

The fork based on Cisco's code over at shrubbery has worked out well for me.

http://www.shrubbery.net/tac_plus/

Cheers,

Laurent

From mark at noc.mainstreet.net Thu Nov 20 12:32:10 2008
From: mark at noc.mainstreet.net (Mark Kent)
Date: Thu, 20 Nov 2008 09:32:10 -0800 (PST)
Subject: [c-nsp] Green Cisco
In-Reply-To: (cisco-nsp-request@puck.nether.net)
References:
Message-ID: <200811201732.mAKHWAfe080506@mainstreet.net>

>> When I bought several dozen Cisco SFPs a few years back each SFP was
>> in a static bag. The static bag was in a large Ziploc of sorts
[snip]
>> I [snip] started slicing the plastic bags open with my knife

But, but... those are the best ziplocs on the planet! They are especially useful to hold passports, papers, toiletries, cables, chargers, relatively thin electronic devices, etc. when travelling. You get ten of those bags and you are set for life. You get more, help out your friends.

-mark

From lists.james.edwards at gmail.com Thu Nov 20 13:46:54 2008
From: lists.james.edwards at gmail.com (james edwards)
Date: Thu, 20 Nov 2008 11:46:54 -0700
Subject: [c-nsp] shape within policy map
Message-ID:

I am trying to do this:

Enter configuration commands, one per line.  End with CNTL/Z.
JID_CORE_Router(config)#policy-map CMS
JID_CORE_Route(config-pmap-c)#shape average 1000000
JID_CORE_Route(config-pmap-c)#

It takes the command just fine.

But I get this, the shape command does not show:

class-map match-all CMS
 match access-group 126
!
policy-map CMS
 class CMS
 class class-default
  fair-queue 128
!
!
JID_CORE_Router#sho policy-map interface ATM3/0.103
 ATM3/0.103: VC 1/103 -

  Service-policy output: CMS

    Class-map: CMS (match-all)
      40728 packets, 40021117 bytes
      5 minute offered rate 183000 bps
      Match: access-group 126

    Class-map: class-default (match-any)
      62387 packets, 64868775 bytes
      5 minute offered rate 163000 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 128
        (total queued/total drops/no-buffer drops) 0/28/0
JID_CORE_Router#

How can I shape within a class map?

Thanks,

--
James H. Edwards
Senior Network Systems Administrator
Judicial Information Division
jedwards at nmcourts.gov

From cmarlatt at rxsec.com Thu Nov 20 12:48:18 2008
From: cmarlatt at rxsec.com (Chris Marlatt)
Date: Thu, 20 Nov 2008 12:48:18 -0500
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
In-Reply-To: <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com>
References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com>
Message-ID: <4925A2E2.4000703@rxsec.com>

Laurent Geyer wrote:
> On Thu, Nov 20, 2008 at 12:30 PM, Tom Simes wrote:
>
>> What are folks using these days for a TACACS+ server that they're happy
>> with?
>> TIA!
>>
>> Tom
>
>
> The fork based on Cisco's code over at shrubbery has worked out well for me.
>
>
> http://www.shrubbery.net/tac_plus/
>
> Cheers,
>
> Laurent

Do a search for "tac_plus pam". This will let you authenticate via your LDAP server. Been running in this manner for several years now with no problems.

Regards,

Chris

From blahu77 at gmail.com Thu Nov 20 13:57:44 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 20 Nov 2008 18:57:44 +0000
Subject: [c-nsp] shape within policy map
In-Reply-To:
References:
Message-ID: <383357750811201057t4270d65ax34f103bc6993c1f2@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

James,

I suggest to go through
http://www.cisco.com/en/US/technologies/tk543/tk545/technologies_white_paper09186a0080123415.html
at least.

To reference child policy:

policy-map child
 class AAA

policy-map parent
 class BBB
  service-policy child

etc.

Best Regards,

- -mat

2008/11/20 james edwards :
> I am trying to do this:
>
>
> Enter configuration commands, one per line.  End with CNTL/Z.
> JID_CORE_Router(config)#policy-map CMS
> JID_CORE_Route(config-pmap-c)#shape average 1000000
> JID_CORE_Route(config-pmap-c)#
>
> It takes the command just fine.
>
>
> But I get this, the shape command does not show:
>
> class-map match-all CMS
>  match access-group 126
> !
> policy-map CMS
>  class CMS
>  class class-default
>   fair-queue 128
>
> !
> !
> JID_CORE_Router#sho policy-map interface ATM3/0.103
>  ATM3/0.103: VC 1/103 -
>
>   Service-policy output: CMS
>
>     Class-map: CMS (match-all)
>       40728 packets, 40021117 bytes
>       5 minute offered rate 183000 bps
>       Match: access-group 126
>
>     Class-map: class-default (match-any)
>       62387 packets, 64868775 bytes
>       5 minute offered rate 163000 bps, drop rate 0 bps
>       Match: any
>       Queueing
>         Flow Based Fair Queueing
>         Maximum Number of Hashed Queues 128
>         (total queued/total drops/no-buffer drops) 0/28/0
> JID_CORE_Router#
>
>
> How can I shape within a class map?
>

- --
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJJbMo+BuaDRxlXKsRAjkIAJ9SMKQbarAvbfrN8pPiX1RjBlJwMACdHC5u
iqJX6lFnEaQzH24ZdLVriGs=
=3J2T
-----END PGP SIGNATURE-----

From James.Baker at chelmer.co.nz Thu Nov 20 14:00:17 2008
From: James.Baker at chelmer.co.nz (James Baker)
Date: Fri, 21 Nov 2008 08:00:17 +1300
Subject: [c-nsp] Downloadable ACLs without using ACS
In-Reply-To: <49259EF1.40006@gmail.com>
References: <4925986E.3070701@technovoid.com> <49259EF1.40006@gmail.com>
Message-ID: <64396C74FCE435468BE2AF5A73F9C2FD86967B@chmaexch.chelmer.co.nz>

yep; I've used Cistron on BSD as well as MS IAS for AV Pairs with both PIX and ASA with zero problems.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ghostonthewire
Sent: Friday, 21 November 2008 6:31 a.m.
To: Ivor Coons
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Downloadable ACLs without using ACS

hi,

Ivor Coons wrote:
> Does anyone here have experience configuring downloadable ACLs on an
> ASA/PIX using freeradius or some other free AAA server? Every search I
> have done references Cisco's TACACS server as the AAA option. Is it even
> possible to use a third party server?

Not sure about downloadable ACLs, but passing "ip:inacl..." via Cisco-AVPair does the trick for sure. A couple of years ago I succeeded in using PIX with FreeRADIUS for teleworkers' VPN access. Anyway, look through http://tinyurl.com/5gx3qp and try.
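The two freeRADIUS threads above (Gerald's Cisco-AVPair users-file example in the RADIUS thread, and the "ip:inacl..." approach in the Downloadable ACLs thread) share one operational weakness: freeRADIUS treats Cisco-AVPair as an opaque string, so a typo in the key, a malformed access-list entry, or a "permit ip any any" pushed by mistake is only noticed on the NAS, if at all. What follows is an added example, not code from any of the posters or from the freeRADIUS project: a small Python audit that parses the users-file layout shown in the thread (check items on the entry's first line, indented reply items below) and checks every Cisco-AVPair reply item before the file is deployed. The KNOWN_KEYS allowlist, the access-list grammar and the sample entries are this example's own constructions; the second and third users extend Gerald's example with the ip:inacl form the ACL thread describes.

```python
"""Audit Cisco-AVPair reply items in a freeRADIUS ``users`` file.

Added example for the cisco-nsp thread; not code from the posters or from
the freeRADIUS project. freeRADIUS does not interpret Cisco-AVPair, so
this script checks what the NAS would receive: recognised keys, a
sequence number on every inacl/outacl entry, parseable access-list
entries, and no blanket "permit ip any any".
"""
import re
from collections import defaultdict

# Constructed sample users file (passwords are placeholders). The first
# entry is the thread's own example; the others add ip:inacl pairs.
SAMPLE_USERS = """\
testuser Password == "test123"
        Cisco-AVPair += "lcp:interface-config#2=ip unnumbered Loopback1",
        Cisco-AVPair += "lcp:interface-config#1=ip vrf forwarding TESTVRF",
        Cisco-AVPair += "ip:addr-pool=1"

vpnuser Cleartext-Password := "test456"
        Cisco-AVPair += "ip:inacl#1=permit tcp any host 10.0.0.5 eq 443",
        Cisco-AVPair += "ip:inacl#2=permit udp any host 10.0.0.53 eq 53",
        Cisco-AVPair += "ip:inacl#3=deny ip any any log"

sloppyuser Cleartext-Password := "test789"
        Cisco-AVPair += "ip:inacl#1=permit ip any any",
        Cisco-AVPair += "ip:inacl#1=deny ip any any",
        Cisco-AVPair += "ip:inacl#2=premit tcp any any eq 22",
        Cisco-AVPair += "ip:inac1#3=deny ip any any"
"""

# Allowlist used by this example (not a complete list of IOS/ASA keys).
# Keys are compared with any "#<seq>" suffix removed.
KNOWN_KEYS = {
    "ip:inacl", "ip:outacl", "ip:addr-pool",
    "lcp:interface-config", "shell:priv-lvl",
}

# One reply/check item: Attribute <op> "value"[,]
ITEM_RE = re.compile(r'^\s*([\w-]+)\s*(\+=|:=|==|=)\s*"([^"]*)"\s*,?\s*$')
# protocol:attribute[#seq]=payload
AVPAIR_RE = re.compile(r"^([a-z]+:[\w-]+)(?:#(\d+))?=(.*)$")
# Minimal access-list entry grammar: action, protocol, source, destination,
# then an optional port/flag/log suffix.
ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACE_RE = re.compile(
    rf"^(permit|deny)\s+(ip|tcp|udp|icmp|\d{{1,3}})\s+({ADDR})\s+({ADDR})(?:\s+(.*))?$"
)


def parse_users(text):
    """Return {username: [(attribute, operator, value), ...]} of reply items.

    An entry starts at column 0 with the user name and its check items;
    indented lines that follow are its reply items.
    """
    entries = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            current = line.split()[0]
            entries[current] = []
            continue
        m = ITEM_RE.match(line)
        if current is None or not m:
            raise ValueError(f"unparseable reply item: {line!r}")
        entries[current].append((m.group(1), m.group(2), m.group(3)))
    return entries


def audit_avpairs(values):
    """Check one user's Cisco-AVPair strings; return a list of findings."""
    findings = []
    seen_seq = defaultdict(set)
    for value in values:
        m = AVPAIR_RE.match(value)
        if not m:
            findings.append(f"malformed AV pair: {value!r}")
            continue
        key, seq, payload = m.groups()
        if key not in KNOWN_KEYS:
            findings.append(f"unrecognized key {key!r}")
            continue
        if key in ("ip:inacl", "ip:outacl"):
            if seq is None:
                findings.append(f"{key} without #sequence: {value!r}")
            elif seq in seen_seq[key]:
                findings.append(f"duplicate {key}#{seq}")
            seen_seq[key].add(seq)
            ace = ACE_RE.match(payload)
            if not ace:
                findings.append(f"unparseable ACE in {key}: {payload!r}")
            elif ace.group(1, 2, 3, 4) == ("permit", "ip", "any", "any"):
                findings.append(f"{key}#{seq} permits all traffic")
    return findings


def audit_users(text):
    """Parse a users file and audit every entry; return {user: findings}."""
    report = {}
    for user, items in parse_users(text).items():
        values = [v for attr, _op, v in items if attr == "Cisco-AVPair"]
        report[user] = audit_avpairs(values)
    return report


if __name__ == "__main__":
    for user, findings in audit_users(SAMPLE_USERS).items():
        print(f"{user}: {'ok' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real users file, the same two functions apply unchanged; extend KNOWN_KEYS with whatever other AV pairs your NAS platform accepts, since anything outside the allowlist is reported rather than silently passed through.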
Any views expressed in this message are those of the individual sender and may not necessarily reflect the views of Chelmer Limited. ##################################################################################### This e-mail message has been scanned for Viruses and Content and cleared by NetIQ MailMarshal ##################################################################################### From cisconsp at data102.com Thu Nov 20 14:24:31 2008 From: cisconsp at data102.com (randal k) Date: Thu, 20 Nov 2008 12:24:31 -0700 Subject: [c-nsp] 3550 CPU Usage & IPSec Message-ID: Hive Mind, I have a customer who started selling a landed a largish VPN contract for people all over the world. Since then, he pushes about 40mbps of IPSec traffic, which is growing steadily. Around the same time I noticed that CPU usage on the distribution 3550 that he is attached to started going up (has always been ~1%); it is now running between 20-35% depending on the time of day. My only guess is that 3550s switch IPSec packets in software. Is this the case? This Cisco document that I found agrees, but it extremely vague: http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml -Traffic that cannot be interrupt-switched arrives #IP packets with options #Packets that require protocol translation #Multilink Point-to-Point Protocol (supported in Cisco Express Forwarding switching) #Compressed traffic If there is no Compression Service Adapter (CSA) in the router, compressed packets must be process-switched. #Encrypted traffic If there is no Encryption Service Adapter (ESA) in the router, encrypted packets must be process-switched. I am concerned that when his traffic eventually gets large enough that it will cripple the switch. I know that the solution is to stick him on something with more guts - I am just looking to see if there is any anecdotes out there about this situation. 
Thanks,
Randal

From sgranger at randfinancial.com Thu Nov 20 14:42:19 2008
From: sgranger at randfinancial.com (Sean Granger)
Date: Thu, 20 Nov 2008 13:42:19 -0600
Subject: [c-nsp] Green Cisco
Message-ID:

I'll take a dozen at the market price.

>>> Mark Kent 11/20/08 11:32AM >>>
>> When I bought several dozen Cisco SFPs a few years back each SFP was
>> in a static bag. The static bag was in a large Ziploc of sorts
[snip]
>> I [snip] started slicing the plastic bags open with my knife

But, but... those are the best ziplocs on the planet! They are
especially useful to hold passports, papers, toiletries, cables,
chargers, relatively thin electronic devices, etc. when travelling.
You get ten of those bags and you are set for life. You get more, help
out your friends.

-mark

From blahu77 at gmail.com Thu Nov 20 14:43:02 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 20 Nov 2008 19:43:02 +0000
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References:
Message-ID: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>

Randal,

> I have a customer who landed a largish VPN contract for people all
> over the world. Since then, he pushes about 40mbps of IPSec traffic,
> which is growing steadily. Around the same time I noticed that CPU
> usage on the distribution 3550 that he is attached to started going up
> (has always been ~1%); it is now running between 20-35% depending on
> the time of day.

what is the major cpu eater?
show proc cpu sorted?

> My only guess is that 3550s switch IPSec packets in software. Is this the case?
>
> This Cisco document that I found agrees, but it is extremely vague:
>
> http://www.cisco.com/en/US/products/hw/routers/ps359/products_tech_note09186a00801c2af3.shtml
> -Traffic that cannot be interrupt-switched arrives
> #IP packets with options

try denying packets with ip options... but
1) it may break customers vpn (I have no idea if it is needed for vpn)
2) it may have adverse effect - switch would have to process switch
packets to find out which have ip options, essentially process
switching everything...

BRs,

-mat

--
pgp-key 0x1C655CAB

From cisconsp at data102.com Thu Nov 20 16:15:15 2008
From: cisconsp at data102.com (randal k)
Date: Thu, 20 Nov 2008 14:15:15 -0700
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
Message-ID:

Mateusz,
The process is always IP Input. I'm pretty confident that it is IPSec
traffic, as this customer's traffic is overwhelmingly the VPN tunnels;
my 3550's CPU graph is an exact copy of his interface's traffic graph.
The adverse effects listed are not really doable in production, which is
why the closest I've come to diagnosing is monitoring his port and
verifying that 95% of his traffic is VPN-related (various types of
tunnels). Thus the question as to whether or not it is general knowledge
that encrypted traffic hurts 3550s.

Thanks!
Randal

On Thu, Nov 20, 2008 at 12:43 PM, Mateusz Błaszczyk wrote:
> what is the major cpu eater?
> show proc cpu sorted?
>
> try denying packets with ip options... but
> 1) it may break customers vpn (I have no idea if it is needed for vpn)
> 2) it may have adverse effect - switch would have to process switch
> packets to find out which have ip options, essentially process
> switching everything...

From ecables at gmail.com Thu Nov 20 16:27:18 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 20 Nov 2008 13:27:18 -0800
Subject: [c-nsp] OSX app for console access
Message-ID:

Out of curiosity, what app are people using w/ OSX to console into
Cisco gear? I've been using ZTerm, but thought I'd pose the question
in case there was a better app out there that I hadn't tried.

-- Eric Cables

From booloo at ucsc.edu Thu Nov 20 16:30:52 2008
From: booloo at ucsc.edu (Mark Boolootian)
Date: Thu, 20 Nov 2008 13:30:52 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To:
References:
Message-ID: <20081120213052.GB90612@root.ucsc.edu>

> Out of curiosity, what app are people using w/ OSX to console into
> Cisco gear? I've been using ZTerm, but thought I'd pose the question
> in case there was a better app out there that I hadn't tried.
I've used cu and minicom, but I like ZTerm best.

From mrz at velvet.org Thu Nov 20 16:43:01 2008
From: mrz at velvet.org (matthew zeier)
Date: Thu, 20 Nov 2008 13:43:01 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To: <20081120213052.GB90612@root.ucsc.edu>
References: <20081120213052.GB90612@root.ucsc.edu>
Message-ID: <4925D9E5.1080709@velvet.org>

screen /dev/tty.KeySerial1 works well and doesn't require any additional software.

Mark Boolootian wrote:
> I've used cu and minicom, but I like ZTerm best.

From tech at technovoid.com Thu Nov 20 16:44:43 2008
From: tech at technovoid.com (Ivor Coons)
Date: Thu, 20 Nov 2008 15:44:43 -0600
Subject: [c-nsp] Downloadable ACLs without using ACS
In-Reply-To: <64396C74FCE435468BE2AF5A73F9C2FD86967B@chmaexch.chelmer.co.nz>
References: <4925986E.3070701@technovoid.com> <49259EF1.40006@gmail.com> <64396C74FCE435468BE2AF5A73F9C2FD86967B@chmaexch.chelmer.co.nz>
Message-ID: <4925DA4B.5060200@technovoid.com>

James Baker wrote:
> yep; I've used Cistron on BSD as well as MS IAS for AV Pairs with both
> PIX and ASA with zero problems.

Cool. MS IAS is probably what we will test with. Good to know it works.

Ivor

From gkg at gmx.de Thu Nov 20 16:47:27 2008
From: gkg at gmx.de (Garry)
Date: Thu, 20 Nov 2008 22:47:27 +0100
Subject: [c-nsp] Preparing on ME rollout ...
Message-ID: <4925DAEF.3090200@gmx.de>

Hi,

we're in the process of preparing for a small metro-ethernet rollout,
with two 4507's, connected to each other in a dual 10G ring, with
customer links using dual GigE fiber links (etherchannel to two separate
line cards each), a.s.o ...
Once the boxes show up at our place, we will be setting them up in our
lab first to play with them a bit, trying out stuff like updating IOS on
the Sups (redundant of course), ensuring we can take care of most
anything that might happen during live operation later on without losing
customer connectivity ...

Are there any recommendations as to what all we should look out for, try
out, learn, or specific hints in the configuration?

Thanks, -garry

From furry13 at gmail.com Thu Nov 20 16:53:31 2008
From: furry13 at gmail.com (Jen Linkova)
Date: Fri, 21 Nov 2008 00:53:31 +0300
Subject: [c-nsp] OSX app for console access
In-Reply-To:
References:
Message-ID: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>

On Fri, Nov 21, 2008 at 12:27 AM, Eric Cables wrote:
> Out of curiosity, what app are people using w/ OSX to console into
> Cisco gear?

I usually use screen or cu.

--
SY, Jen Linkova
aka Furry

From agristina+cisco-nsp at gmail.com Thu Nov 20 16:56:17 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Thu, 20 Nov 2008 13:56:17 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
Message-ID: <70bb1b8f0811201356i4e36cc70oc142810d6da0261e@mail.gmail.com>

Minicom- although the prolific driver on OS X doesn't correctly send a
break right now... serious problem. I've thought about moving to another
usb-serial dongle, but instead I run linux in a vm.

On Thu, Nov 20, 2008 at 1:53 PM, Jen Linkova wrote:
> I usually use screen or cu.

From martin.clifton at vu.edu.au Thu Nov 20 16:55:06 2008
From: martin.clifton at vu.edu.au (Martin Clifton)
Date: Fri, 21 Nov 2008 08:55:06 +1100
Subject: [c-nsp] OSX app for console access
In-Reply-To:
Message-ID:

Eric,

To access the usb-serial adaptor within Terminal or iTerm:
http://www.tigoe.net/pcomp/resources/archives/avr/000749.shtml

On 21/11/08 8:27 AM, "Eric Cables" wrote:
> Out of curiosity, what app are people using w/ OSX to console into
> Cisco gear?

Regards,
Martin

---------------------------------
Martin Clifton
ITS - Networks and Computing
Victoria University
Melbourne, Australia
Phone: 03 9919 4579
---------------------------------

From mj at 204.net.nz Thu Nov 20 17:35:05 2008
From: mj at 204.net.nz (Michael Jager)
Date: Fri, 21 Nov 2008 11:35:05 +1300
Subject: [c-nsp] HSRP and routing asymmetry
Message-ID: <4925E619.6000407@204.net.nz>

Hi all,

I'm in the process of building a data-centre aggregation layer using a
pair of 6500s with a single Sup32 in each. I intend to run HSRP for
customer VLANs south of the agg pair, and announce the data-centre
prefixes into our iBGP towards the core (which are also
route-reflectors).
A picture is worth a thousand words and all that, so ASCII art time:

                +--------------------+
                | to core (each agg  |
               /| box connects to    |\      announce data-centre
              / | both core boxes    | \     prefixes from agg to
             /  +--------------------+  \    core
            /  /                      \  \        ^
           /  /                        \  \       |
       +------+                        +------+                Layer 3
       |      |                        |      |                   |
- - - -| agg1 |- - - - - - - - - - - - | agg2 |- - - - - - - -    |
       |      |....etherchannel....    |      |                Layer 2
       +------+  <---- HSRP ---->      +------+
           \                              /
            \                            /
             +--------------------------+
             |      to L2 access        |
             |      switches            |
             +--------------------------+

To keep things simple, let's assume that I'm using 10.1.1.0/24 and
10.1.2.0/24 as data-centre prefixes, agg1 is the HSRP active router for
10.1.1.254, and the HSRP standby router for 10.1.2.254, and agg2 is the
HSRP standby router for 10.1.1.254, and the HSRP active router for
10.1.2.254.

I need to inject both 10.1.1.0/24 and 10.1.2.0/24 into my iBGP. At
steady state, agg1 will forward packets from 10.1.1.0/24 into the core,
and agg2 will forward packets from 10.1.2.0/24 into the core.

To simplify troubleshooting, I'd like traffic flow between the access
layer and the core to be as symmetric as possible. So, at steady state,
the core will forward packets to 10.1.1.0/24 via agg1, and packets to
10.1.2.0/24 via agg2.

However, the purpose of HSRP is obviously to take care of things at
other-than steady state! This is where I'm running into trouble. I
either need to:

1. announce both prefixes into the core from both agg devices, and have
the core prefer the announcement from the agg device that is currently
the HSRP active router for a given prefix, or:

2. announce the prefix only from the agg device that is currently the
HSRP active router for that prefix.

The latter option seems easy enough to do with conditional
announcements, but that will track a route received from somewhere else
(presumably the core). I could announce a dummy prefix from one agg
device to the other; but I'd really like to inextricably link the
announcement to the HSRP state somehow.

This seems like it should be a not-uncommon scenario. I've scoured a
couple of Cisco documents - the Data Center Infrastructure Design Guide
looked promising, but its solution was to get a CSM to inject static
routes into the MSFC, and then redistribute those routes into the IGP.
This seems overkill (seems a bit of a waste of a CSM), and I'd like to
avoid this option if at all possible.

The other option I can see is to just not care about asymmetry from the
core to the aggregation layer - but I'd also like to avoid this. Has
anyone come across this before, and found a solution (or not!) similar
to what I've described?

-Mike

From ltd at cisco.com Thu Nov 20 18:15:54 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Fri, 21 Nov 2008 10:15:54 +1100
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4925E619.6000407@204.net.nz>
References: <4925E619.6000407@204.net.nz>
Message-ID: <4925EFAA.7050001@cisco.com>

Michael Jager wrote:
> 1. announce both prefixes into the core from both agg devices, and
> have the core prefer the announcement from the agg device that is
> currently the HSRP active router for a given prefix, or:
>
> 2. announce the prefix only from the agg device that is currently the
> HSRP active router for that prefix.
>
> The latter option seems easy enough to do with conditional
> announcements, but that will track a route received from somewhere
> else (presumably the core). I could announce a dummy prefix from one
> agg device to the other; but I'd really like to inextricably link the
> announcement to the HSRP state somehow.

my recommendation would be to advertise the subnet from both, but use
EEM to make the HSRP active advertise it at a lower metric.

as an alternative to that, use your c6k in the agg as an active/active
pair with VSS then you can use all links active. would require Sup720
though, i believe.

cheers,

lincoln.
From sforcejr at yahoo.com Thu Nov 20 17:35:55 2008
From: sforcejr at yahoo.com (JR Colmenares)
Date: Thu, 20 Nov 2008 14:35:55 -0800 (PST)
Subject: [c-nsp] VPN Concentrator 3000 and Windows IAS
Message-ID: <89238.11862.qm@web110408.mail.gq1.yahoo.com>

Cisco VPN concentrator 3000
Windows IAS 2000

I am trying to set up a RADIUS server for VPN users but I am having
issues because I think I do not have a good grasp on how the
authentication/authorization works from the Concentrator to the IAS
server.

My goal is to configure the remote group to connect to the VPN, then
authenticate thru the RADIUS server, connect to the Active directory,
and in AD I can control the permissions and security in our network.

I followed the steps here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a0080094700.shtml
and the IAS will reject it. (Event ID 2 in Event Viewer, Source IAS)

I also went to configuration-System-Servers-Authentication and tested it
from there and I get the message: "Authentication Rejected: Unespecified"

I also found this link:
http://www.ciscosystems.com/en/US/docs/security/vpn3000/vpn3000_47/configuration/guide/ldapapp.html
But I think that it does not apply to my case since I am configuring the
groups as "Internal".

If you could shed some light it would be very appreciated.

Thanks
John

From noah at enabled.com Thu Nov 20 18:10:02 2008
From: noah at enabled.com (Noah Garrett Wallach)
Date: Thu, 20 Nov 2008 15:10:02 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
Message-ID: <4925EE4A.6010505@enabled.com>

Try zterm

http://homepage.mac.com/dalverson/zterm/

Jen Linkova wrote:
> I usually use screen or cu.

From tdurack at gmail.com Thu Nov 20 20:06:12 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 20 Nov 2008 20:06:12 -0500
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4925EFAA.7050001@cisco.com>
References: <4925E619.6000407@204.net.nz> <4925EFAA.7050001@cisco.com>
Message-ID: <9e246b4d0811201706g2b61ace4n8a7013ce5954cbf3@mail.gmail.com>

On Thu, Nov 20, 2008 at 6:15 PM, Lincoln Dale wrote:
> my recommendation would be to advertise the subnet from both, but use
> EEM to make the HSRP active advertise it at a lower metric.
>
> as an alternative to that, use your c6k in the agg as an active/active
> pair with VSS then you can use all links active. would require Sup720
> though, i believe.

VS-S720-10G for VSS.

From chunt at reachone.com Thu Nov 20 20:56:26 2008
From: chunt at reachone.com (Christopher Hunt)
Date: Thu, 20 Nov 2008 17:56:26 -0800
Subject: [c-nsp] TelcoSystems EdgeGate 282 and Cisco 3560 10Full
Message-ID: <4926154A.3090908@reachone.com>

I have a cisco 3560 switch connected to a TelcoSystems EdgeGate 282 CPE
switch provided by a local FTTx provider.
* Ethernet auto-negotiate works fine but,
* when the CPE is hard-coded at 10/Full, and the 3560 at auto-auto, I
  get 10/Half on the 3560 (that's to be expected).
* Auto-auto on both gets me 100/Full on both (also expected).
* 10/Full on both gets me nothing, link is down on both.

We have put in a service case with Telco Systems to see if there is
something we can do about it. Has anyone any experience with this
hardware?

--
Christopher Hunt
ReachONE Internet, Inc.

From bennetb at gmail.com Thu Nov 20 22:50:09 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Thu, 20 Nov 2008 20:50:09 -0700
Subject: [c-nsp] TelcoSystems EdgeGate 282 and Cisco 3560 10Full
In-Reply-To: <4926154A.3090908@reachone.com>
References: <4926154A.3090908@reachone.com>
Message-ID: <8D62C53E-B27B-4644-97C7-FB6E8ACC209B@gmail.com>

Auto-mdix is disabled when you hard code speed/duplex. Check to make
sure cable is a crossover

-Brandon

Sent from my iPhone

On Nov 20, 2008, at 6:56 PM, Christopher Hunt wrote:
> * 10/Full on both gets me nothing, link is down on both.

From bennetb at gmail.com Thu Nov 20 23:21:17 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Thu, 20 Nov 2008 21:21:17 -0700
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References:
Message-ID:

Sounds like maybe he is setting his VPN traffic with the DF bit off.
This could cause your 3550s to process fragmentation duties in
software. Check to see if it's the IP Input process on the router, this
would mean the router is processing the fragmentation.

-Brandon

Sent from my iPhone

On Nov 20, 2008, at 12:24 PM, "randal k" wrote:
> I have a customer who landed a largish VPN contract for people all
> over the world. Since then, he pushes about 40mbps of IPSec traffic,
> which is growing steadily. Around the same time I noticed that CPU
> usage on the distribution 3550 that he is attached to started going up
> (has always been ~1%); it is now running between 20-35% depending on
> the time of day.
>
> My only guess is that 3550s switch IPSec packets in software. Is
> this the case?

From michel.renfer at finecom.ch Fri Nov 21 02:58:57 2008
From: michel.renfer at finecom.ch (Michel Renfer)
Date: Fri, 21 Nov 2008 08:58:57 +0100
Subject: [c-nsp] OSX app for console access
In-Reply-To: <4925EE4A.6010505@enabled.com>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com> <4925EE4A.6010505@enabled.com>
Message-ID: <7ABEE57B986BDA429B535673CBE0C623035A97DF@xanthe.lan.intra>

You can directly open your tty from the OS X terminal:

screen /dev/tty. 9600

cheers,
michel

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Noah Garrett Wallach
Sent: Friday, November 21, 2008 12:10 AM
To: Jen Linkova
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OSX app for console access

Try zterm

http://homepage.mac.com/dalverson/zterm/

Jen Linkova wrote:
> I usually use screen or cu.
From p.mayers at imperial.ac.uk Fri Nov 21 06:11:58 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 21 Nov 2008 11:11:58 +0000
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4925E619.6000407@204.net.nz>
References: <4925E619.6000407@204.net.nz>
Message-ID: <4926977E.4080804@imperial.ac.uk>

Michael Jager wrote:
>
> To simplify troubleshooting, I'd like traffic flow between the access
> layer and the core to be as symmetric as possible. So, at steady state,
> the core will forward packets to 10.1.1.0/24 via agg1, and packets to
> 10.1.2.0/24 via agg2.

You can achieve this to a limited degree, but I'd think very carefully -
is the minimal gain worth the hassle? We run a similar topology, and we
just ignore it - let the traffic return via either path.

>
> However, the purpose of HSRP is obviously to take care of things at
> other-than steady state! This is where I'm running into trouble. I
> either need to:
>
> 1. announce both prefixes into the core from both agg devices, and have
> the core prefer the announcement from the agg device that is currently
> the HSRP active router for a given prefix, or:
>
> 2. announce the prefix only from the agg device that is currently the
> HSRP active router for that prefix.
>
> The latter option seems easy enough to do with conditional
> announcements, but that will track a route received from somewhere else
> (presumably the core). I could announce a dummy prefix from one agg
> device to the other; but I'd really like to inextricably link the
> announcement to the HSRP state somehow.

You'd need to use something like an EEM applet; have the applet run when
HSRP state changes (syslog match probably) and have it modify a prefix
list (referenced from a route-map) and then run "clear ip bgp * out"

>
> This seems like it should be a not-uncommon scenario. I've scoured a

It's very common. Most people either ignore it, or statically set route
costs (since the HSRP active will, normally, be in the same place)

> couple of Cisco documents - the Data Center Infrastructure Design Guide
> looked promising, but its solution was to get a CSM to inject static
> routes into the MSFC, and then redistribute those routes into the IGP.
> This seems overkill (seems a bit of a waste of a CSM), and I'd like to
> avoid this option if at all possible.
>
> The other option I can see is to just not care about asymmetry from the

I would advise that personally. The symmetry is nice to have but there
are all kinds of failure modes involved in tweaking the advertisements.
The most obvious - if the link from agg1->core goes down.

Also, bear in mind that if *any* traffic hits agg2, it *will* be routed
out via agg2 because the local "connected" route always wins - for
example if a client on 10.1.2.0/24 talks to a server on 10.1.1.0/24 the
path will be:

client
into agg2
out of agg2
server
into agg1
out of agg1
client

> core to the aggregation layer - but I'd also like to avoid this. Has
> anyone come across this before, and found a solution (or not!) similar
> to what I've described?

Buy an Extreme or Foundry and use ERSP or FSRP ;o)

Seriously - HSRP can't really do this. You can force it to "sort of" do
it, but there are non-obvious failure modes to most of the solutions.

Cisco could solve the problem for us with just a little work by
providing an option to remove the local connected route on HSRP slaves.
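Lincoln's suggestion (advertise both prefixes from both boxes, lower metric from the HSRP active) and Phil's mechanism (EEM applet fired by the HSRP syslog message, edit a prefix-list referenced from a route-map, then "clear ip bgp * out") fit together in one agg1 configuration; this is an added example, not configuration from anyone in the thread. It assumes HSRP group 1 on Vlan11 (10.1.1.0/24) and Vlan12 (10.1.2.0/24), local AS 65000 and core/route-reflector neighbours 192.0.2.1 and 192.0.2.2, all placeholders; agg2 gets the same configuration with the HSRP priorities swapped.

```ios
! agg1 - added example configuration (not from the thread). Vlan11/Vlan12,
! AS 65000 and the core neighbour addresses are placeholders.
!
! Both prefixes are always advertised to the core, so a missed EEM run can
! never black-hole a subnet. HSRP-ACTIVE only marks the prefixes this box
! is currently HSRP Active for; those go out with a lower MED and the core
! prefers that path. Anything else is advertised with a higher MED.
ip prefix-list DC-PREFIXES seq 10 permit 10.1.1.0/24
ip prefix-list DC-PREFIXES seq 20 permit 10.1.2.0/24
!
! seq 10 (10.1.1.0/24) and seq 20 (10.1.2.0/24) are added and removed by
! the EEM applets below. The trailing deny keeps the list defined even when
! this box is Active for nothing: a route-map match on a prefix-list that
! no longer exists can be treated as permit-all, which would hand both
! prefixes the preferred MED.
ip prefix-list HSRP-ACTIVE seq 10 permit 10.1.1.0/24
ip prefix-list HSRP-ACTIVE seq 1000 deny 0.0.0.0/0 le 32
!
route-map TO-CORE permit 10
 match ip address prefix-list HSRP-ACTIVE
 set metric 10
route-map TO-CORE permit 20
 match ip address prefix-list DC-PREFIXES
 set metric 100
!
router bgp 65000
 network 10.1.1.0 mask 255.255.255.0
 network 10.1.2.0 mask 255.255.255.0
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 route-map TO-CORE out
 neighbor 192.0.2.2 remote-as 65000
 neighbor 192.0.2.2 route-map TO-CORE out
!
! agg1 is Active for 10.1.1.254 and Standby for 10.1.2.254 at steady state.
interface Vlan11
 ip address 10.1.1.252 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
!
interface Vlan12
 ip address 10.1.2.252 255.255.255.0
 standby 1 ip 10.1.2.254
 standby 1 priority 90
 standby 1 preempt
!
! HSRP logs "%HSRP-5-STATECHANGE: Vlan11 Grp 1 state Standby -> Active" on
! a transition. Each applet matches that message, edits HSRP-ACTIVE and
! re-sends the outbound BGP updates, the sequence Phil describes above.
event manager applet HSRP-VLAN11-ACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: Vlan11 Grp 1 state .* -> Active"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip prefix-list HSRP-ACTIVE seq 10 permit 10.1.1.0/24"
 action 4.0 cli command "end"
 action 5.0 cli command "clear ip bgp * out"
!
event manager applet HSRP-VLAN11-NOTACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: Vlan11 Grp 1 state Active -> "
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip prefix-list HSRP-ACTIVE seq 10 permit 10.1.1.0/24"
 action 4.0 cli command "end"
 action 5.0 cli command "clear ip bgp * out"
!
! Same pair for Vlan12, so agg1 also takes over the preferred path for
! 10.1.2.0/24 when it becomes Active there (agg2 down or its link lost).
event manager applet HSRP-VLAN12-ACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: Vlan12 Grp 1 state .* -> Active"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "ip prefix-list HSRP-ACTIVE seq 20 permit 10.1.2.0/24"
 action 4.0 cli command "end"
 action 5.0 cli command "clear ip bgp * out"
!
event manager applet HSRP-VLAN12-NOTACTIVE
 event syslog pattern "%HSRP-5-STATECHANGE: Vlan12 Grp 1 state Active -> "
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip prefix-list HSRP-ACTIVE seq 20 permit 10.1.2.0/24"
 action 4.0 cli command "end"
 action 5.0 cli command "clear ip bgp * out"
```

Phil's failure case (agg1 still HSRP Active but its uplink to the core gone) is not covered by this: the applets track HSRP state only, so the HSRP group would also need to track the uplink for the preference to follow the traffic.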
From gert at greenie.muc.de Fri Nov 21 06:23:10 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 21 Nov 2008 12:23:10 +0100
Subject: [c-nsp] OSX app for console access
In-Reply-To:
References:
Message-ID: <20081121112310.GT8535@greenie.muc.de>

Hi,

On Thu, Nov 20, 2008 at 01:27:18PM -0800, Eric Cables wrote:
> Out of curiosity, what app are people using w/ OSX to console into
> Cisco gear?

screen

(And yes, I didn't know that either, but you can do "screen
/dev/ttyPL..." to get it to do serial console stuff for you)

gert

--
USENET is *not* the non-clickable part of WWW!
                                                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                    gert at greenie.muc.de
fax: +49-89-35655025                       gert at net.informatik.tu-muenchen.de

From p.mayers at imperial.ac.uk Fri Nov 21 06:26:59 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 21 Nov 2008 11:26:59 +0000
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References:
Message-ID: <49269B03.8070604@imperial.ac.uk>

randal k wrote:
> Hive Mind,
> I have a customer who landed a largish VPN contract for people all
> over the world. Since then, he pushes about 40mbps of IPSec traffic,
> which is growing steadily. Around the same time I noticed that CPU
> usage on the distribution 3550 that he is attached to started going up
> (has always been ~1%); it is now running between 20-35% depending on
> the time of day.
>
> My only guess is that 3550s switch IPSec packets in software. Is this the case?

Are we talking about the Cisco 3550 switch i.e. runs IOS 12.1 or 12.2S,
has 24 10/100 ports and 2 gig etc?

If so, yes, it does IPSec in software, and it's certainly not supported
as a VPN platform/concentrator - I'm frankly surprised it works at all.

From gert at greenie.muc.de Fri Nov 21 06:31:00 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 21 Nov 2008 12:31:00 +0100
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
Message-ID: <20081121113059.GU8535@greenie.muc.de>

Hi,

On Thu, Nov 20, 2008 at 02:15:15PM -0700, randal k wrote:
> The process is always IP Input. I'm pretty confident that it is IPSec
> traffic, as this customer's traffic is overwhelmingly the VPN tunnels;
> my 3550's CPU graph is an exact copy of his interface's traffic graph.

"something is weird". Normally, the 3550 shouldn't care at all what is
inside those IPSEC packets, unless you have MTU issues and it needs to
do fragmentation.

Or are you running the IPSEC *on the 3550*?

gert

From p_ambedkar at rediffmail.com Fri Nov 21 06:55:46 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 21 Nov 2008 11:55:46 -0000
Subject: [c-nsp] IOS compatability
Message-ID: <20081121115546.43071.qmail@f4mail-235-132.rediffmail.com>

Hi,

1. Is it possible to use the IOS of Cisco-3845 (ver 12.4) on Cisco-3600
that is currently running IOS ver 12.2 ???

2. Is the Cisco IOS specific to the series or can be used across
different models?
Cheers,
Ambi

From gert at greenie.muc.de Fri Nov 21 07:02:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 21 Nov 2008 13:02:19 +0100
Subject: [c-nsp] IOS compatability
In-Reply-To: <20081121115546.43071.qmail@f4mail-235-132.rediffmail.com>
References: <20081121115546.43071.qmail@f4mail-235-132.rediffmail.com>
Message-ID: <20081121120219.GV8535@greenie.muc.de>

Hi,

On Fri, Nov 21, 2008 at 11:55:46AM -0000, ambedkar wrote:
> 1. Is it possible to use the IOS of Cisco-3845(ver 12.4) on
> Cisco-3600 that is currently running IOS ver 12.2 ???

No.

> 2. Is the Cisco IOS specific to the series or can be used
> across different models?

Yes, no.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From raymondh.nsp at gmail.com Fri Nov 21 07:06:07 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Fri, 21 Nov 2008 20:06:07 +0800
Subject: [c-nsp] IOS compatability
In-Reply-To: <20081121115546.43071.qmail@f4mail-235-132.rediffmail.com>
References: <20081121115546.43071.qmail@f4mail-235-132.rediffmail.com>
Message-ID:

See the in-lines.

--raymondh

On Nov 21, 2008, at 7:55 PM, ambedkar wrote:

>
> Hi,
>
> 1. Is it possible to use the IOS of Cisco-3845(ver 12.4) on
> Cisco-3600 that is currently running IOS ver 12.2 ???

No.

>
>
> 2. Is the Cisco IOS specific to the series or can be used
> across different models?

Subjective.

>
>
> Cheers,
> Ambi
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From suzan_ccie at yahoo.com Fri Nov 21 07:08:21 2008
From: suzan_ccie at yahoo.com (Suzan S.)
Date: Fri, 21 Nov 2008 04:08:21 -0800 (PST)
Subject: [c-nsp] DHCP ip helper-address , Advertising & Redistributing
In-Reply-To:
Message-ID: <568344.5850.qm@web35403.mail.mud.yahoo.com>

Dears,

If I need to advertise the ip address which I got from the remote DHCP
server (connected on another subnet) using the IP helper-address server
IP. How to do the advertisement, the client is on a switchport interface
with the interface vlan SVI enabled? Do I have to configure an IP address
on the SVI from different address from the pool I got from the DHCP remote
server? Do I have to redistribute connected in IGP to advertise the ip I
got from the different Address or to use IBGP redistribute static?

Thank you
Suzan

From suzan_ccie at yahoo.com Fri Nov 21 07:15:33 2008
From: suzan_ccie at yahoo.com (Suzan S.)
Date: Fri, 21 Nov 2008 04:15:33 -0800 (PST)
Subject: [c-nsp] VPLS vfi down
In-Reply-To:
Message-ID: <249512.65614.qm@web35408.mail.mud.yahoo.com>

Dears, I am trying to configure VPLS on 6509 with SUP-720, is there a
limitation on the modules which support VPLS. The xconnect is configured
on interface vlan for the gigabitethernet port. Is there any solution to
get the vfi UP? Thank you

From md at bts.sk Fri Nov 21 07:25:06 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 21 Nov 2008 13:25:06 +0100
Subject: [c-nsp] SXI testing
In-Reply-To: <49259605.4030601@imperial.ac.uk>
References: <49259605.4030601@imperial.ac.uk>
Message-ID: <20081121122506.GA22547@bts.sk>

On Thu, Nov 20, 2008 at 04:53:25PM +0000, Phil Mayers wrote:
> All,
>
> In case people are interested, I have tested a load of stuff as working
> on 12.2(33)SXI.
>
> http://cisco.cluepon.net/index.php/Ios_sxi

Just tested DOM support on SXI. Here are the findings:

1) much more accurate static thresholds table for DOM-supported
   transceivers than in SXH4 - e.g.
   for XENPAK-ZR, SXH4 has strange temperature, TX Power & RX power
   static thresholds - which are now correct in SXI

2) laser current thresholds still "N/A" and the transceivers showing
   low alarm (--)

                                   High Alarm  High Warn   Low Warn    Low Alarm
                  Current          Threshold   Threshold   Threshold   Threshold
Port              (milliamperes)   (mA)        (mA)        (mA)        (mA)
----------        -----------------  ----------  ---------   ---------   ---------
Te1/1             102.1  --        N/A         N/A         N/A         N/A

   This is working fine in SXF which reads manufacturer's thresholds
   from the transceiver:

                                   High Alarm  High Warn   Low Warn    Low Alarm
                  Current          Threshold   Threshold   Threshold   Threshold
Port              (milliamperes)   (mA)        (mA)        (mA)        (mA)
-------           -----------------  ----------  ---------   ---------   ---------
Te1/4             101.5            152.4       142.3       61.0        50.8

3) for SFPs with external calibration IOS has reversed or broken
   threshold violation comparisons. This is also working fine in SXF.

#sh inte transceiver threshold violations

Gi5/1     0000:00:32:15   0000:00:02:03 Tx power high alarm   -6.0 dBm > -1.0 dBm
                          0000:00:02:03 Tx bias high alarm     4.0 mA > 14.9 mA

   With kind regards,

       M.

--------------------------------------------------------------------------
----                                                                  ----
----  Marian Ďurkovič                        network manager          ----
----                                                                  ----
----  Slovak Technical University            Tel: +421 2 571 041 81   ----
----  Computer Centre, Nám. Slobody 17       Fax: +421 2 524 94 351   ----
----  812 43 Bratislava, Slovak Republic     E-mail/sip: md at bts.sk ----
----                                                                  ----
--------------------------------------------------------------------------

From p.mayers at imperial.ac.uk Fri Nov 21 08:39:50 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 21 Nov 2008 13:39:50 +0000
Subject: [c-nsp] VPLS vfi down
In-Reply-To: <249512.65614.qm@web35408.mail.mud.yahoo.com>
References: <249512.65614.qm@web35408.mail.mud.yahoo.com>
Message-ID: <4926BA26.3040407@imperial.ac.uk>

Suzan S. wrote:
> Dears, I am trying to configure VPLS on 6509 with SUP-720, is there a
> limitation on the modules which support VPLS.
> The xconnect is
> configured on interface vlan for the gigabitethernet port. Is there any
> solution to get the vfi UP? Thank you

VPLS requires WAN cards i.e. SIP-400. "Normal" 6500 linecards i.e. LAN
cards can only do point-to-point EoMPLS

From falk at fourecks.de Fri Nov 21 09:17:18 2008
From: falk at fourecks.de (Falk Stern)
Date: Fri, 21 Nov 2008 15:17:18 +0100
Subject: [c-nsp] OSX app for console access
In-Reply-To: <70bb1b8f0811201356i4e36cc70oc142810d6da0261e@mail.gmail.com>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
	<70bb1b8f0811201356i4e36cc70oc142810d6da0261e@mail.gmail.com>
Message-ID: <219F56E5-207C-4E6B-B3E5-A5CB88F46BC7@fourecks.de>

Hi,

On 20.11.2008, at 22:56, Andrew Gristina wrote:

> Minicom- although the prolific driver on OS X doesn't correctly send a
> break right now...
> serious problem.  I've thought about moving to another usb-serial
> dongle, but instead I run linux in a vm.

The solution is easy: use the pl2303-osx driver from sourceforge:

http://sourceforge.net/projects/osx-pl2303/

Have a nice day,

Falk

From nvoth at estreet.com Fri Nov 21 10:56:12 2008
From: nvoth at estreet.com (Nick Voth)
Date: Fri, 21 Nov 2008 08:56:12 -0700
Subject: [c-nsp] Cisco 3620 with WIC-1ADSL cards
Message-ID:

Hello guys,

I am trying to get a 3620 configured with 4 of the WIC-1ADSL cards. I have
gone through the "Software Adviser" on the Cisco site to see if it might
give me any clues as to what carrier card, (NM-1E2W, NM-1FE2W, etc), would
work. None of them seem to allow me to choose the ADSL WIC cards once I add
them to the base 3620 configuration.

I had heard that the NM-1FE2W and the NM-2W would work, but there too, I
don't get the options to choose the ADSL WIC cards in the Software Adviser.

Anyone have the WIC-1ADSL cards working in a 3620 chassis?
Thanks,

-Nick Voth

From cisconsp at data102.com Fri Nov 21 12:56:17 2008
From: cisconsp at data102.com (randal k)
Date: Fri, 21 Nov 2008 10:56:17 -0700
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To: <20081121113059.GU8535@greenie.muc.de>
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
	<20081121113059.GU8535@greenie.muc.de>
Message-ID:

Excuse my typo, my original answer of "IP Input" was completely wrong,
since it's pretty easy to get them confused. I'm looking at it now and
it's purely Interrupt traffic.

dist03.cos01#show proc cpu
CPU utilization for five seconds: 26%/24%; one minute: 25%; five minutes: 26%

No, I'm not running anything on the 3550, it's purely a packet pusher.
It is a 3550-12T, and hanging off of it is the customer's 3560g-24TS
and VPN3000. All of the tunnels terminate on the Concentrator - the
3550 just does some basic layer3 forwarding and has no features.

Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer

That's why I find it a little bit odd that just forwarding IPSec
packets (not originating/terminating them) is hitting the CPU.

Randal

On Fri, Nov 21, 2008 at 4:31 AM, Gert Doering wrote:
> Hi,
>
> On Thu, Nov 20, 2008 at 02:15:15PM -0700, randal k wrote:
>> The process is always IP Input. I'm pretty confident that it is IPSec
>> traffic, as this customer's traffic is overwhelmingly the VPN tunnels;
>> my 3550's CPU graph is an exact copy of his interface's traffic graph.
>
> "something is weird".  Normally, the 3550 shouldn't care at all what
> is inside those IPSEC packets, unless you have MTU issues and it needs
> to do fragmentation.
>
> Or are you running the IPSEC *on the 3550*?
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
>

From mksmith at adhost.com Fri Nov 21 13:38:33 2008
From: mksmith at adhost.com (Michael K.
Smith - Adhost)
Date: Fri, 21 Nov 2008 10:38:33 -0800
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
	<20081121113059.GU8535@greenie.muc.de>
Message-ID: <17838240D9A5544AAA5FF95F8D520316050ECCBB@ad-exh01.adhost.lan>

Hello Randal:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of randal k
> Sent: Friday, November 21, 2008 9:56 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 3550 CPU Usage & IPSec
>
> Excuse my typo, my original answer of "IP Input" was completely wrong,
> since it's pretty easy to get them confused. I'm looking at it now and
> it's purely Interrupt traffic.
>
> dist03.cos01#show proc cpu
> CPU utilization for five seconds: 26%/24%; one minute: 25%; five minutes: 26%
>
> No, I'm not running anything on the 3550, it's purely a packet pusher.
> It is a 3550-12T, and hanging off of it is the customer's 3560g-24TS
> and VPN3000. All of the tunnels terminate on the Concentrator - the
> 3550 just does some basic layer3 forwarding and has no features.
>
> Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer
>
> That's why I find it a little bit odd that just forwarding IPSec
> packets (not originating/terminating them) is hitting the CPU.
>
> Randal
>

Do you have 'ip cef' enabled in the global settings?

Regards,

Mike

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 474 bytes
Desc: not available
URL:

From chunt at reachone.com Fri Nov 21 14:06:41 2008
From: chunt at reachone.com (Christopher Hunt)
Date: Fri, 21 Nov 2008 11:06:41 -0800
Subject: [c-nsp] TelcoSystems EdgeGate 282 and Cisco 3560 10Full
In-Reply-To: <8D62C53E-B27B-4644-97C7-FB6E8ACC209B@gmail.com>
References: <4926154A.3090908@reachone.com>
	<8D62C53E-B27B-4644-97C7-FB6E8ACC209B@gmail.com>
Message-ID: <492706C1.5090804@reachone.com>

The cross-over fixed it.  The 3560 must be doing auto-mdix even on
10/100 ports.  Thanks to all for the quick replies and I've got a nasty
bump from the clue stick...

Christopher Hunt
ReachONE Internet, Inc.

Brandon Bennett wrote:
> Auto-mdix is disabled when you hard code speed/duplex.  Check to make
> sure cable is a crossover
>
> -Brandon
>
> Sent from my iPhone
>
> On Nov 20, 2008, at 6:56 PM, Christopher Hunt wrote:
>
>> I have a cisco 3560 switch connected to a TelcoSystems EdgeGate 282
>> CPE switch provided by a local FTTx provider.
>> * Ethernet auto-negotiate works fine but,
>> * when the CPE at is hard-coded at 10/Full, and the 3560 at auto-auto,
>> I get 10/Half on the 3560 (that's to be expected).
>> * Auto-auto on both gets me 100/Full on both (also expected).
>> * 10/Full on both gets me nothing, link is down on both.
>>
>> We have put in a service case with Telco Systems to see if there is
>> something we can do about it.  Has anyone any experience with this
>> hardware?
>>
>> --
>> Christopher Hunt
>> ReachONE Internet, Inc.
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ecables at gmail.com Fri Nov 21 14:09:10 2008
From: ecables at gmail.com (Eric Cables)
Date: Fri, 21 Nov 2008 11:09:10 -0800
Subject: [c-nsp] DMVPN -- IP / Tunnel Source change on remote site problems
Message-ID:

Hopefully someone here can provide some insight into the problem I'm seeing..

I recently tried to migrate a remote site from one WAN interface to
another (Serial0/0/0 -> Fast0/1 -- shared Eth handoff), and ran into
problems where the NHRP mapping would never update.

The remote router, an 1800, has a dual cloud configuration.  I was
going to migrate Tunnel1 first by adding a more specific route out the
new Fast0/1 interface, establish the tunnel, then failover to it.

I went through the steps of adding the new route, and updating the
tunnel source from Serial0/0/0 to Fast0/1.  Next I shut/no shut the
Tunnel1 interface, hoping that everything would start fresh, using the
new tunnel source.

Unfortunately traffic was never able to function over Tunnel1, and
when looking at the headend I did not see the new NHRP mapping show
up, instead I only saw these messages:

Nov 21 10:56:49.478 PST: NHRP: Setting cache expiry for x.x.x.x to 5000
Nov 21 10:58:40.097 PST: NHRP: MACADDR: if_in null netid-in 0 if_out Tunnel1 netid-out 25

The ISAKMP SA appeared functional:

x.x.x.x         x.x.x.x         QM_IDLE           4083    0 ACTIVE

I tried bouncing the remote site Tunnel1 interface multiple times,
clearing NHRP & ISAKMP SA IDs on both the headend & remote side, but
nothing worked.  Finally out of frustration I bounced the Tunnel
interface on the headend, and sure enough everything started to
function.  The new NHRP mapping was created, and routing protocols
re-established their adjacencies.
Luckily this is a new DMVPN cloud, so I was able to bounce the headend
Tunnel interface, but if I had multiple sites live this would not have
been feasible.

Can anyone provide any insight into what happened?  What auxiliary
command could I have typed, (other than shut/no shut on the headend
tunnel), to have brought this up?

Thanks..

-- 
Eric Cables

From patrickg at layer8llc.com Fri Nov 21 15:49:10 2008
From: patrickg at layer8llc.com (Patrick J Greene)
Date: Fri, 21 Nov 2008 15:49:10 -0500
Subject: [c-nsp] OT: RFP - SLA Discovery
In-Reply-To: <219F56E5-207C-4E6B-B3E5-A5CB88F46BC7@fourecks.de>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
	<70bb1b8f0811201356i4e36cc70oc142810d6da0261e@mail.gmail.com>
	<219F56E5-207C-4E6B-B3E5-A5CB88F46BC7@fourecks.de>
Message-ID: <4716E5BFA7B2514D84F8F8885F37799F04EEAE5942@mse18be2.mse18.exchange.ms>

Sorry for the Off-topic request.

I am developing an RFP for a 600 MPLS circuit contract and I have the
technical requirements and infrastructure discovery pieces covered however
RFP discovery around the provider's SLA structure, tracking, credits, etc
is lacking.

Anybody have some rock solid RFP content they could share with me around
SLA's. Please unicast me.

BTW...Please don't contact me with any sales related conversations.

Thanks in advance.

Patrick Greene

From nvoth at estreet.com Fri Nov 21 15:50:03 2008
From: nvoth at estreet.com (Nick Voth)
Date: Fri, 21 Nov 2008 13:50:03 -0700
Subject: [c-nsp] Cisco 3620 with WIC-1ADSL cards
In-Reply-To: <878wrcerx1.fsf@obelix.mork.no>
Message-ID:

>> I am trying to get a 3620 configured with 4 of the WIC-1ADSL cards. I have
>> gone through the "Software Adviser" on the Cisco site to see if it might
>> give me any clues as to what carrier card, (NM-1E2W, NM-1FE2W, etc), would
>> work. None of them seem to allow me to choose the ADSL WIC cards once I add
>> them to the base 3620 configuration.
>>
>> I had heard that the NM-1FE2W and the NM-2W would work, but there too, I
>> don't get the options to choose the ADSL WIC cards in the Software Adviser.
>
> NM-1FE2W or NM-2W should work according to
> http://www.cisco.com/en/US/prod/collateral/routers/ps221/product_data_sheet090
> 0aecd8028aa5a_ps3129_Products_Data_Sheet.html
>
> "All the WICs are supported both in onboard WIC/HWIC slots and in the
> WIC carrier cards (NM-2W, NM-xFE2W, NM-xFE2W-V2, and NM-1FE1R2W)
> slots."
>
> You may have problems finding the cards in the "Software Adviser"
> because they are End-of-Sale, ref
> http://www.cisco.com/en/US/prod/collateral/modules/ps3129/prod_end-of-life_not
> ice0900aecd80710ce9.html
>
>
>
> Bjørn

Thanks Bjorn. I didn't even think about the End-of-Sale aspects. That would
make sense.

I was looking at the same page you referenced me to for the ADSL WIC and saw
it was supported on the 3620 platform. Thus, my confusion with the "Software
Adviser" tool.

Thanks again for your help.

-Nick Voth

From jason at pins.net Fri Nov 21 15:59:22 2008
From: jason at pins.net (Jason Berenson)
Date: Fri, 21 Nov 2008 15:59:22 -0500
Subject: [c-nsp] HSRP
Message-ID: <4927212A.3010600@pins.net>

Greetings,

This is a quick question about HSRP.  I have two 3560's that do HSRP for
customers in VLANs.  This is for public IP space.  Is there a way to use
another network to do the HSRP in the interest of preserving the public
IPs?  This network would presumably be an RFC1918 net.

-Jason

From bjorn at mork.no Fri Nov 21 15:38:02 2008
From: bjorn at mork.no (Bjørn Mork)
Date: Fri, 21 Nov 2008 21:38:02 +0100
Subject: [c-nsp] Cisco 3620 with WIC-1ADSL cards
In-Reply-To:  (Nick Voth's message of "Fri, 21 Nov 2008 08:56:12 -0700")
References:
Message-ID: <878wrcerx1.fsf@obelix.mork.no>

Nick Voth writes:

> I am trying to get a 3620 configured with 4 of the WIC-1ADSL cards.
> I have
> gone through the "Software Adviser" on the Cisco site to see if it might
> give me any clues as to what carrier card, (NM-1E2W, NM-1FE2W, etc), would
> work. None of them seem to allow me to choose the ADSL WIC cards once I add
> them to the base 3620 configuration.
>
> I had heard that the NM-1FE2W and the NM-2W would work, but there too, I
> don't get the options to choose the ADSL WIC cards in the Software Adviser.

NM-1FE2W or NM-2W should work according to
http://www.cisco.com/en/US/prod/collateral/routers/ps221/product_data_sheet0900aecd8028aa5a_ps3129_Products_Data_Sheet.html

"All the WICs are supported both in onboard WIC/HWIC slots and in the
WIC carrier cards (NM-2W, NM-xFE2W, NM-xFE2W-V2, and NM-1FE1R2W)
slots."

You may have problems finding the cards in the "Software Adviser"
because they are End-of-Sale, ref
http://www.cisco.com/en/US/prod/collateral/modules/ps3129/prod_end-of-life_notice0900aecd80710ce9.html



Bjørn

From cisconsp at data102.com Fri Nov 21 17:17:59 2008
From: cisconsp at data102.com (randal k)
Date: Fri, 21 Nov 2008 15:17:59 -0700
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com>
	<20081121113059.GU8535@greenie.muc.de>
Message-ID:

Burton,

There is already ~150mbps of other traffic flowing through this
switch, all of which generates approximately zero CPU, which is how it
looks for 11 other active 3550s, all pushing hundreds of mbps; they're
extremely good at high pps layer 3 with very little CPU usage. Yes,
cef is on everywhere.

The thing that draws the attention here is that it is the only 3550 in
our network that has more than 1-2% CPU. Of all of the customers
attached to this switch, his is the only port whose graph is an exact
match for the CPU usage, and his traffic is overwhelmingly IPSec.

I guess I could move him to a different 3550 distribution switch and
see if the problem follows.
Thanks for your continued input -
Randal

On Fri, Nov 21, 2008 at 11:17 AM, Burton Windle wrote:
> I could be very wrong here, but I thought that if the usage is in the
> interrupt, then the CPU usage is just because of the volume of traffic, not
> the contents. But don't quote me on that.
>
> Easy way to test would be to push a similar volume of non-IPSec traffic and
> see what the CPU does.
>
>
> --
> Burton Windle                           bwindle at fint.org
>
>
> On Fri, 21 Nov 2008, randal k wrote:
>
>> Excuse my typo, my original answer of "IP Input" was completely wrong,
>> since it's pretty easy to get them confused. I'm looking at it now and
>> it's purely Interrupt traffic.
>>
>> dist03.cos01#show proc cpu
>> CPU utilization for five seconds: 26%/24%; one minute: 25%; five minutes:
>> 26%
>>
>> No, I'm not running anything on the 3550, it's purely a packet pusher.
>> It is a 3550-12T, and hanging off of it is the customer's 3560g-24TS
>> and VPN3000. All of the tunnels terminate on the Concentrator - the
>> 3550 just does some basic layer3 forwarding and has no features.
>>
>> Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer
>>
>> That's why I find it a little bit odd that just forwarding IPSec
>> packets (not originating/terminating them) is hitting the CPU.
>>
>> Randal
>>
>

From adriankok2000 at yahoo.com.hk Fri Nov 21 18:59:44 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Sat, 22 Nov 2008 07:59:44 +0800 (CST)
Subject: [c-nsp] 4 948
Message-ID: <46004.56936.qm@web33308.mail.mud.yahoo.com>

Hi

Have you had experience port 45/46/47/48 not working?
Thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com

From dcp at dcptech.com Fri Nov 21 20:13:42 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 21 Nov 2008 20:13:42 -0500
Subject: [c-nsp] 4 948
In-Reply-To: <46004.56936.qm@web33308.mail.mud.yahoo.com>
References: <46004.56936.qm@web33308.mail.mud.yahoo.com>
Message-ID: <005201c94c3f$90546370$b0fd2a50$@com>

On the 4948 the last four ports are mixed mode copper or SFP. You need to
set media-type.
http://www.cisco.com/en/US/docs/switches/lan/catalyst4900/4948/05modcfg.html
#wp1031564

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of adrian kok
> Sent: Friday, November 21, 2008 7:00 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] 4 948
>
> Hi
>
> Have you had experience port 45/46/47/48 not working?
>
> Thank you
>
> Send instant messages to your online friends
> http://uk.messenger.yahoo.com
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From merlyn at Geeks.ORG Sat Nov 22 00:13:43 2008
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Fri, 21 Nov 2008 23:13:43 -0600
Subject: [c-nsp] console connection issue?
In-Reply-To: <517208.41113.qm@web33307.mail.mud.yahoo.com>
References: <517208.41113.qm@web33307.mail.mud.yahoo.com>
Message-ID: <20081122051343.GB42884@geeks.org>

On Thu, Nov 20, 2008 at 09:01:46PM +0800, adrian kok wrote:
> Hi All
>
> I use the USB to serial and serial to console to cisco
> switch
>
> It have to reboot switch to have signal but not good

Sounds like your USB dongle is crud. Try a different one? Keyspan seems
to be rock-solid and works just like you'd expect. I've never had a
problem like that.
From merlyn at Geeks.ORG Sat Nov 22 00:19:19 2008
From: merlyn at Geeks.ORG (Doug McIntyre)
Date: Fri, 21 Nov 2008 23:19:19 -0600
Subject: [c-nsp] OSX app for console access
In-Reply-To:
References:
Message-ID: <20081122051919.GC42884@geeks.org>

On Thu, Nov 20, 2008 at 01:27:18PM -0800, Eric Cables wrote:
> Out of curiosity, what app are people using w/ OSX to console into
> Cisco gear?  I've been using ZTerm, but thought I'd pose the question
> in case there was a better app out there that I hadn't tried.

I like kermit from within Terminal/iTerm, but mostly because I am used
to it, and it works the exact same on every OS. You do have to install
it separately, doesn't come bundled.

From gideon at adept.co.za Sat Nov 22 02:33:11 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Sat, 22 Nov 2008 09:33:11 +0200
Subject: [c-nsp] Cisco 3620 with WIC-1ADSL cards
In-Reply-To:
References:
Message-ID: <84BC23C9-9F03-4539-9BD0-100230B9E585@adept.co.za>

On 21 Nov 2008, at 5:56 PM, Nick Voth wrote:

> I am trying to get a 3620 configured with 4 of the WIC-1ADSL cards.
> I have
> gone through the "Software Adviser" on the Cisco site to see if it
> might
> give me any clues as to what carrier card, (NM-1E2W, NM-1FE2W, etc),
> would
> work. None of them seem to allow me to choose the ADSL WIC cards
> once I add
> them to the base 3620 configuration.
>
> I had heard that the NM-1FE2W and the NM-2W would work, but there
> too, I
> don't get the options to choose the ADSL WIC cards in the Software
> Adviser.

You need to get two things right for this to work:
1. Does the IOS version you have support the card? Those cards are not
supported in IP base on the 3600.
2. That card will not work in the NM-1E2W, it will work in one of the
FE modules.

Also, what does the chassis say on the console when you boot it? Does
it mention the card at all?
G

From agristina+cisco-nsp at gmail.com Sat Nov 22 03:42:20 2008
From: agristina+cisco-nsp at gmail.com (Andrew Gristina)
Date: Sat, 22 Nov 2008 00:42:20 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To: <219F56E5-207C-4E6B-B3E5-A5CB88F46BC7@fourecks.de>
References: <6b86f99d0811201353yb1be96arddbb2d950e0ff88b@mail.gmail.com>
	<70bb1b8f0811201356i4e36cc70oc142810d6da0261e@mail.gmail.com>
	<219F56E5-207C-4E6B-B3E5-A5CB88F46BC7@fourecks.de>
Message-ID: <70bb1b8f0811220042j27a23834t50c8afa54f3a006d@mail.gmail.com>

Does that finally work on 10.5?  It goes back and forth between working
and not depending on patch level.  I tried at 10.4, and had to use the
prolific driver, then again after 10.5.

On Fri, Nov 21, 2008 at 6:17 AM, Falk Stern wrote:
> Hi,
>
> On 20.11.2008, at 22:56, Andrew Gristina wrote:
>
>> Minicom- although the prolific driver on OS X doesn't correctly send a
>> break right now...
>> serious problem.  I've thought about moving to another usb-serial
>> dongle, but instead I run linux in a vm.
>
> The solution is easy: use the pl2303-osx driver from sourceforge:
>
> http://sourceforge.net/projects/osx-pl2303/
>
> Have a nice day,
>
> Falk
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From tdurack at gmail.com Sat Nov 22 09:02:55 2008
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 22 Nov 2008 09:02:55 -0500
Subject: [c-nsp] scp running/startup config
Message-ID: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com>

Does anyone know if it is possible to scp startup/running configs off
a router? This doesn't seem to work:

unix> scp manager at router:/nvram/running-config backup

I can do this using tftp, but I'd quite like to migrate away from that.
Tim:>

From peter at rathlev.dk Sat Nov 22 07:50:07 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 22 Nov 2008 13:50:07 +0100
Subject: [c-nsp] HSRP
In-Reply-To: <4927212A.3010600@pins.net>
References: <4927212A.3010600@pins.net>
Message-ID: <1227358207.3706.1.camel@abehat>

On Fri, 2008-11-21 at 15:59 -0500, Jason Berenson wrote:
> This is a quick question about HSRP.  I have two 3560's that do HSRP
> for customers in VLANs.  This is for public IP space.  Is there a way
> to use another network to do the HSRP in the interest of preserving
> the public IPs?  This network would presumably be an RFC1918 net.

Short answer is: Maybe.

You can peruse a thread with the same topic here:
https://puck.nether.net/pipermail/cisco-nsp/2007-November/045409.html

Regards,
Peter

From bjorn at mork.no Sat Nov 22 09:55:16 2008
From: bjorn at mork.no (Bjørn Mork)
Date: Sat, 22 Nov 2008 15:55:16 +0100
Subject: [c-nsp] scp running/startup config
In-Reply-To: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com>
	(Tim Durack's message of "Sat, 22 Nov 2008 09:02:55 -0500")
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com>
Message-ID: <871vx3eror.fsf@obelix.mork.no>

"Tim Durack" writes:

> Does anyone know if it is possible to scp startup/running configs off
> a router? This doesn't seem to work:
>
> unix> scp manager at router:/nvram/running-config backup

c2612b#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c2612b(config)#ip scp server enable

bjorn at canardo:~$ scp c2612b.lab:running-config .
bjorn at c2612b.lab's password:
running-config                                100% 6945     6.8KB/s   00:00



Bjørn

From nvoth at estreet.com Sat Nov 22 09:56:11 2008
From: nvoth at estreet.com (Nick Voth)
Date: Sat, 22 Nov 2008 07:56:11 -0700
Subject: [c-nsp] Cisco 3620 with WIC-1ADSL cards
In-Reply-To: <84BC23C9-9F03-4539-9BD0-100230B9E585@adept.co.za>
Message-ID:

>> I am trying to get a 3620 configured with 4 of the WIC-1ADSL cards.
>> I have
>> gone through the "Software Adviser" on the Cisco site to see if it
>> might
>> give me any clues as to what carrier card, (NM-1E2W, NM-1FE2W, etc),
>> would
>> work. None of them seem to allow me to choose the ADSL WIC cards
>> once I add
>> them to the base 3620 configuration.
>>
>> I had heard that the NM-1FE2W and the NM-2W would work, but there
>> too, I
>> don't get the options to choose the ADSL WIC cards in the Software
>> Adviser.
>
> You need to get two things right for this to work:
> 1. Does the IOS version you have support the card? Those cards are not
> supported in IP base on the 3600.
> 2. That card will not work in the NM-1E2W, it will work in one of the
> FE modules.
>
> Also, what does the chassis say on the console when you boot it? Does
> it mention the card at all?
>
> G

Gideon,

I think we found the issue. The chassis came with the NM-1E2W module. We're
replacing that with one of the FE modules. Also, we're putting an IOS on
there with the IP Plus feature set. It should work after that.

Since those cards are older, it was tricky to find compatible Network
Modules and IOS. I think we're on the right track now.

Thanks very much for your advice.

-Nick Voth

From tdurack at gmail.com Sat Nov 22 10:48:14 2008
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 22 Nov 2008 10:48:14 -0500
Subject: [c-nsp] scp running/startup config
In-Reply-To: <871vx3eror.fsf@obelix.mork.no>
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com>
	<871vx3eror.fsf@obelix.mork.no>
Message-ID: <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com>

On Sat, Nov 22, 2008 at 9:55 AM, Bjørn Mork wrote:
> "Tim Durack" writes:
>
>> Does anyone know if it is possible to scp startup/running configs off
>> a router? This doesn't seem to work:
>>
>> unix> scp manager at router:/nvram/running-config backup
>
> c2612b#conf t
> Enter configuration commands, one per line.  End with CNTL/Z.
> c2612b(config)#ip scp server enable

That was it.
I'm still recovering from the SXH scp bug...

>
> bjorn at canardo:~$ scp c2612b.lab:running-config .
> bjorn at c2612b.lab's password:
> running-config                                100% 6945     6.8KB/s   00:00
>
>
>
> Bjørn
>

From justin at justinshore.com Sat Nov 22 11:08:02 2008
From: justin at justinshore.com (Justin Shore)
Date: Sat, 22 Nov 2008 10:08:02 -0600
Subject: [c-nsp] Troubleshooting a GRE tunnel terminated in a MPLS VPN
Message-ID: <49282E62.1010300@justinshore.com>

I'm testing a different method of terminating VPN tunnels in our data
center.  We're going to switch from IPSec L2L tunnels to GRE tunnels with
IPSec protection.  The big benefit is that it cuts our admin overhead
significantly.  It's also a hell of a lot easier to deploy.  Instead of
having to have 6 lines of config for each remote customer prefix I can
simply set up an IGP in their VRF and let the customer drive.  Much easier.

So I have one of my 7600s with a Sup720-3BXL running SRB1 with a 2G IPSec
SPA and 6700 series line cards.  On the 7600 I've configured my VRF, GRE
tunnel, OSPF vrf instance and set up iBGP to carry the VRF routes upstream
to the data center.  I'm holding off on the IPSec config for now.  I want
to get GRE working first.

Upstream at the DC I've configured that router with the VRF, sub-int in
the VRF facing the DC switch, and iBGP for the VRF's routes.  LDP was
configured with MPLS between the core and the DC and has been working for
over a year so I doubt if that's a problem.

Downstream across the ISP I've set up a test router to simulate the
customer's CPE.  I've configured it with the GRE tunnel, OSPF and the
back-side network for a test laptop to test connectivity from the
192.168.0/24 subnet.

Laptop---CPE router---(ISP)---7600----DC Router
         |--------------GRE Tunnel------------|
                                |------VRF------|

Here's my config:

!!! 7600
ip vrf dc-gre-test
 description DC - GRE Test
 rd 100:2999
 route-target export 100:2999
 route-target import 100:2999
!
interface Tunnel2999
 ip vrf forwarding dc-gre-test
 ip address 10.125.124.1 255.255.255.252
 tunnel source aa.bb.cc.1
 tunnel destination cc.dd.aa.2
!
router ospf 2999 vrf dc-gre-test
 ignore lsa mospf
 ispf
 log-adjacency-changes
 redistribute bgp 65001 subnets
 passive-interface default
 no passive-interface Tunnel2999
 network 10.125.124.0 0.0.0.3 area 0
 network 10.125.125.0 0.0.0.255 area 0
!
router bgp 65001
 address-family ipv4 vrf dc-gre-test
  no synchronization
  redistribute connected
  redistribute static
  redistribute ospf 2999 vrf dc-gre-test
 exit-address-family

!!! CPE Router
interface Tunnel2999
 ip address 10.125.124.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination aa.bb.cc.1
!
router ospf 1
 ignore lsa mospf
 ispf
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel2999
 network 10.125.124.0 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0

!!! DC router
ip vrf dc-gre-test
 description DC - GRE Test
 rd 100:2999
 route-target export 100:2999
 route-target import 100:2999
!
interface GigabitEthernet0/1.2999
 description DC - GRE Test
 encapsulation dot1Q 2999
 ip vrf forwarding dc-gre-test
 ip address 10.125.125.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby version 2
 standby 2999 ip 10.125.125.1
 standby 2999 timers msec 500 3
 standby 2999 priority 255
 standby 2999 preempt
!
router bgp 65001
 address-family ipv4 vrf dc-gre-test
  redistribute connected
  no synchronization
 exit-address-family

OSPF is up on the CPE and 7600 and I'm getting the DC route on the CPE and the CPE route on the DC router (and everything on the 7600 in the middle). Currently I can ping within the VRF from the DC router to the tunnel interface on the 7600. From the CPE router I can ping across the tunnel to the tunnel interface on the 7600. For some reason though I can't ping from the DC to the CPE. Traceroutes from both sides get to the tunnel interface on the 7600 and then die. I can't figure out where the packets are going.
The CEF table for that VRF looks ok. All adjacencies are pointing out the right interfaces.

7613-1.clr#sh ip cef vrf dc-gre-test detail
IPv4 CEF is enabled for distributed and running
VRF dc-gre-test
 12 prefixes (12/0 fwd/non-fwd)
 Table id 0x8
 Database epoch:        3 (12 entries at this epoch)

0.0.0.0/0, epoch 3, flags default route handler
  no route
0.0.0.0/32, epoch 3, flags receive
  Special source: receive
  receive
10.125.124.0/30, epoch 3, flags attached, connected, cover dependents, need deagg
  Covered dependent prefixes: 2
    need deagg: 2
  attached to Tunnel2999
10.125.124.0/32, epoch 3, flags receive
  Dependent covered prefix type cover need deagg cover 10.125.124.0/30
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.124.1/32, epoch 3, flags receive
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.124.3/32, epoch 3, flags receive
  Dependent covered prefix type cover need deagg cover 10.125.124.0/30
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.125.0/24, epoch 3
  recursive via 10.64.0.33 label 31
    nexthop 10.64.0.176 GigabitEthernet9/1
192.168.0.0/24, epoch 3
  local label info: other/138
  nexthop 10.125.124.2 Tunnel2999
224.0.0.0/4, epoch 3
  Special source: drop
  drop
224.0.0.0/24, epoch 3, flags receive
  Special source: receive
  receive
240.0.0.0/4, epoch 3
  Special source: drop
  drop
255.255.255.255/32, epoch 3, flags receive
  Special source: receive
  receive

The LFIB for that VRF on the 7600:

7613-1.clr#sh mpls forwarding-table vrf dc-gre-test detail
Local      Outgoing   Prefix             Bytes Label   Outgoing   Next Hop
Label      Label      or VC or Tunnel Id Switched      interface
56         Pop Label  IPv4 VRF[V]        1140          aggregate/dc-gre-test
        MAC/Encaps=0/0, MRU=0, Label Stack{}
        VPN route: dc-gre-test
        No output feature configured
138        No Label   192.168.0.0/24[V]  96080         Tu2999     point2point
        MAC/Encaps=24/24, MRU=1480, Label Stack{}
        4500000000000000FF2F5D194ADDC00143D5100200000800
        VPN route: dc-gre-test
        No output feature configured

The RIB for that VRF on the 7600:

Gateway of last resort is not set
     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C       10.125.124.0/30 is directly connected, Tunnel2999
L       10.125.124.1/32 is directly connected, Tunnel2999
B       10.125.125.0/24 [200/0] via 10.64.0.33, 7w0d
O    192.168.0.0/24 [110/11112] via 10.125.124.2, 7w0d, Tunnel2999

On the DC router:

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.125.125.0/24 is directly connected, GigabitEthernet0/1.2999
B       10.125.124.0/30 [200/0] via 10.64.0.10, 00:56:22
B    192.168.0.0/24 [200/11112] via 10.64.0.10, 00:56:07

On the CPE router:

Gateway of last resort is cc.dd.aa.1 to network 0.0.0.0

     cc.0.0.0/30 is subnetted, 1 subnets
C       cc.dd.aa.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    10.125.125.0/24 [110/1] via 10.125.124.1, 12:05:31, Tunnel2999
C       10.125.124.0/30 is directly connected, Tunnel2999
C    192.168.0.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 67.213.16.1

I don't have remote access to the laptop at this time so I can't sniff on the wire to see what's coming in there. I'd have to place a device at the DC in that VRF to have something to ping out there other than the sub-int. I can do that next week.

Any thoughts as to what might be going on? Nothing is jumping out at me.

As a separate issue, my tunnel source on the 7600 is a SVI on a VLAN that spans 2 7600s. HSRP is configured between them already though I haven't set up HA for VPN yet. The 7600 we're working with is forced active with the priority setting. I tried to define the tunnel source as that SVI, vl192. It wouldn't work though. I had to explicitly define the IP. I used the HSRP floater and it worked. I ran into a problem recently with our IPSec L2Ls where I couldn't use the floater. I had to use the interface IP specifically. The IPSec packets originated from the interface IP and not the HSRP floater even though I had my crypto map local-address defined at that interface. Any ideas why that is?
I need to do more research on IPSec and GRE HA.

Thanks
Justin

From tdurack at gmail.com Sat Nov 22 11:33:43 2008
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 22 Nov 2008 11:33:43 -0500
Subject: [c-nsp] scp running/startup config
In-Reply-To: <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com>
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com> <871vx3eror.fsf@obelix.mork.no> <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com>
Message-ID: <9e246b4d0811220833sde9fbf2w64ed3080cff91f3f@mail.gmail.com>

On Sat, Nov 22, 2008 at 10:48 AM, Tim Durack wrote:
> On Sat, Nov 22, 2008 at 9:55 AM, Bjørn Mork wrote:
>> "Tim Durack" writes:
>>
>>> Does anyone know if it is possible to scp startup/running configs off
>>> a router? This doesn't seem to work:
>>>
>>> unix> scp manager at router:/nvram/running-config backup
>>
>> c2612b#conf t
>> Enter configuration commands, one per line. End with CNTL/Z.
>> c2612b(config)#ip scp server enable
>
> That was it. I'm still recovering from the SXH scp bug...
>
>>
>> bjorn at canardo:~$ scp c2612b.lab:running-config .
>> bjorn at c2612b.lab's password:
>> running-config                    100% 6945     6.8KB/s   00:00

Amazing:

usziplab001:~/config/Core# !scp
scp acl.txt tdurack at router:running-config
Password:
acl.txt                           100% 1694     1.7KB/s   00:01

I can dump a bunch of dumb expect scripts now.

If Cisco supported ssh keys life would be even better...

Tim:>

From felixnkansah at gmail.com Sat Nov 22 12:04:26 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Sat, 22 Nov 2008 17:04:26 +0000
Subject: [c-nsp] E1 to Fiber POP Device?
Message-ID: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>

Hi,

A network design I am working on would aggregate/terminate E1 connections at various sites or POPs and transfer the traffic over a fiber WAN.

I am trying to figure out a device that would do a good job in taking incoming E1s and outgoing fiber.
It appears to me that the Cisco AS5400XM appliance does not have support for fiber connections.

I should be glad if any of you could recommend some Cisco product(s) for accomplishing this task.

Many Thanks,

Felix

From lists at hojmark.org Sat Nov 22 12:08:34 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Sat, 22 Nov 2008 18:08:34 +0100
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4925E619.6000407@204.net.nz>
References: <4925E619.6000407@204.net.nz>
Message-ID: <96F1F11C412E4F3FBEB3FCD56B3314BD@hojmark.net>

> To keep things simple, let's assume that I'm using 10.1.1.0/24
> and 10.1.2.0/24 as data-centre prefixes, agg1 is the HSRP
> active router for 10.1.1.254, and the HSRP standby router for
> 10.1.2.254, and agg2 is the HSRP standby router for 10.1.1.254,
> and the HSRP active router for 10.1.2.254.

You could announce each /24 as two /25s on the primary agg, say 10.1.1.0/25 and 10.1.1.128/25, plus 10.1.1.0/24. Because of longest match routing, traffic would always flow via the active agg.

Actually, even the secondary agg could use the longest match route and send traffic via the primary, even though it has a directly connected interface. (Longest match is used before the admin distance).

-A

PS: But, honestly, just ignore the asymmetry.

From frnkblk at iname.com Sat Nov 22 14:13:24 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 22 Nov 2008 13:13:24 -0600
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>
Message-ID:

Are you looking to do E1 over Ethernet, or mux them into DS-3/OC-3? It's not clear what L2 you are going to do over the fiber.
Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Saturday, November 22, 2008 11:04 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] E1 to Fiber POP Device?

Hi,

A network design I am working on would aggregate/terminate E1 connections at various sites or POPs and transfer the traffic over a fiber WAN.

I am trying to figure out a device that would do a good job in taking incoming E1s and outgoing fiber. It appears to me that the Cisco AS5400XM appliance does not have support for fiber connections.

I should be glad if any of you could recommend some Cisco product(s) for accomplishing this task.

Many Thanks,

Felix
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ecables at gmail.com Sat Nov 22 15:01:01 2008
From: ecables at gmail.com (Eric Cables)
Date: Sat, 22 Nov 2008 12:01:01 -0800
Subject: [c-nsp] To VSS or not to VSS
Message-ID:

I'm working on a design which includes 2 pairs of 6509s w/ VS-S720-10G (one in each chassis). The VSS capable supervisor engines were chosen mainly for the 10G interfaces, but the more VSS documentation I read the more it seems like a great solution for added redundancy/bandwidth, while reducing complexity. As far as modules, all will be 6748s or 6724s, and the only service modules in the mix will be a pair of FWSMs in one of the VSS pairs.

Can anyone provide any feedback on your VSS experiences? How have the FWSMs played with VSS? Any design considerations I should be aware of?

Thanks,

--
Eric Cables

From peter at rathlev.dk Sat Nov 22 15:10:00 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 22 Nov 2008 21:10:00 +0100
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>
Message-ID: <1227384600.8903.4.camel@abehat>

On Sat, 2008-11-22 at 17:04 +0000, Felix Nkansah wrote:
> I am trying to figure out a device that would do a good job in taking
> incoming E1s and outgoing fiber. It appears to me that the Cisco AS5400XM
> appliance does not have support for fiber connections.
>
> I should be glad if any of you could recommend some Cisco product(s) for
> accomplishing this task.

Not Cisco, but we've used RAD's FOM-E1/T1 modems for converting from G.703 to optical. They've worked like a charm for us. This would of course just convert the signal for hauling it longer distances.

Regards,
Peter

From thomas at dupas.be Sat Nov 22 15:13:02 2008
From: thomas at dupas.be (Thomas Dupas)
Date: Sat, 22 Nov 2008 21:13:02 +0100
Subject: [c-nsp] To VSS or not to VSS
In-Reply-To:
Message-ID:

Hi Eric,

The FWSM (or any service module) wasn't supported in a VSS setup until SXI. And I don't think that many people made the step yet to SXI on a production VSS system, but you never know.

Overall I have had fairly good results with VSS in terms of throughput and stability, they were mostly used as distribution switches in the campus or "bookshelf" switches in the DC. The biggest flaw so far is the downtime when performing an upgrade, you fall back from SSO to RPR due to the IOS mismatches, and that means around 5 minutes downtime on failover. Same as you would have with supervisor redundancy in a single chassis.

They now have an "eFSU" (semi-ISSU?) in the SXI release, which should improve upgrade procedures (RPR+ instead of RPR), but it's not really ISSU according to the specs.
But I certainly want to try that (but then I need a next release to upgrade to :-))

Best Regards,

Thomas Dupas

On 22/11/08 21:01, "Eric Cables" wrote:

I'm working on a design which includes 2 pairs of 6509s w/ VS-S720-10G (one in each chassis). The VSS capable supervisor engines were chosen mainly for the 10G interfaces, but the more VSS documentation I read the more it seems like a great solution for added redundancy/bandwidth, while reducing complexity. As far as modules, all will be 6748s or 6724s, and the only service modules in the mix will be a pair of FWSMs in one of the VSS pairs.

Can anyone provide any feedback on your VSS experiences? How have the FWSMs played with VSS? Any design considerations I should be aware of?

Thanks,

--
Eric Cables
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From felixnkansah at gmail.com Sat Nov 22 15:39:24 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Sat, 22 Nov 2008 20:39:24 +0000
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To:
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com>
Message-ID: <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com>

Hi Frank,

I am looking at Ethernet on the Fiber portion.

Felix

On Sat, Nov 22, 2008 at 7:13 PM, Frank Bulk wrote:

> Are you looking to do E1 over Ethernet, or mux them into DS-3/OC-3? It's
> not clear what L2 you are going to do over the fiber.
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
> Sent: Saturday, November 22, 2008 11:04 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] E1 to Fiber POP Device?
>
> Hi,
> A network design I am working on would aggregate/terminate E1 connections
> at
> various sites or POPs and transfer the traffic over a fiber WAN.
>
> I am trying to figure out a device that would do a good job in taking
> incoming E1s and outgoing fiber. It appears to me that the Cisco AS5400XM
> appliance does not have support for fiber connections.
>
> I should be glad if any of you could recommend some Cisco product(s) for
> accomplishing this task.
>
> Many Thanks,
>
> Felix
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From ardabalkanay at gmail.com Sat Nov 22 15:50:55 2008
From: ardabalkanay at gmail.com (Arda Balkanay)
Date: Sat, 22 Nov 2008 22:50:55 +0200
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To: <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com>
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com> <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com>
Message-ID: <9af987420811221250q7831e477k4d5f3c31c8204666@mail.gmail.com>

Hi

do you need a multiplexing like sdh does ?

If you do not terminate E1's at L2 or L3 you have to use a next generation SDH with Ethernet over Sonet (or sdh) EoS solution.

Otherwise a 7200 with 8E1 modules (6 slots 48 E1) and 3 gigabit ethernet ports can be used. At that solution you have to terminate E1s at L2 or L3 with basic routing and/or ATOM configuration.

please explain your scenario a little bit clearer :)

On Sat, Nov 22, 2008 at 10:39 PM, Felix Nkansah wrote:

> Hi Frank,
> I am looking at Ethernet on the Fiber portion.
>
> Felix
>
> On Sat, Nov 22, 2008 at 7:13 PM, Frank Bulk wrote:
>
> > Are you looking to do E1 over Ethernet, or mux them into DS-3/OC-3? It's
> > not clear what L2 you are going to do over the fiber.
> >
> > Frank
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
> > Sent: Saturday, November 22, 2008 11:04 AM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] E1 to Fiber POP Device?
> >
> > Hi,
> > A network design I am working on would aggregate/terminate E1 connections
> > at
> > various sites or POPs and transfer the traffic over a fiber WAN.
> >
> > I am trying to figure out a device that would do a good job in taking
> > incoming E1s and outgoing fiber. It appears to me that the Cisco AS5400XM
> > appliance does not have support for fiber connections.
> >
> > I should be glad if any of you could recommend some Cisco product(s) for
> > accomplishing this task.
> >
> > Many Thanks,
> >
> > Felix
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
> >
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From ardabalkanay at gmail.com Sat Nov 22 16:36:55 2008
From: ardabalkanay at gmail.com (Arda Balkanay)
Date: Sat, 22 Nov 2008 23:36:55 +0200
Subject: [c-nsp] VPLS vfi down
In-Reply-To: <4926BA26.3040407@imperial.ac.uk>
References: <249512.65614.qm@web35408.mail.mud.yahoo.com> <4926BA26.3040407@imperial.ac.uk>
Message-ID: <9af987420811221336x329fb954mdc0ebde5fc89e18f@mail.gmail.com>

AFAIK for VPLS you will need an ES20 card or SIP400 card.

with 6500 and LAN cards you can only configure edge of H-VPLS with xconnects under physical interfaces (not under SVIs).

On Fri, Nov 21, 2008 at 3:39 PM, Phil Mayers wrote:

> Suzan S.
wrote:
>
>> Dears, I am trying to configure VPLS on 6509 with SUP-720, is there a
>> limitation on the modules which support VPLS. The xconnect is
>> configured on interface vlan for the gigabitethernet port. Is there any
>> solution to get the vfi UP? Thank you
>>
>
> VPLS requires WAN cards i.e. SIP-400.
>
> "Normal" 6500 linecards i.e. LAN cards can only do point-to-point EoMPLS
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From tdurack at gmail.com Sat Nov 22 17:01:03 2008
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 22 Nov 2008 17:01:03 -0500
Subject: [c-nsp] To VSS or not to VSS
In-Reply-To:
References:
Message-ID: <9e246b4d0811221401h1cb02af3w3344f2370c47d0b9@mail.gmail.com>

On Sat, Nov 22, 2008 at 3:01 PM, Eric Cables wrote:
> I'm working on a design which includes 2 pairs of 6509s w/ VS-S720-10G
> (one in each chassis). The VSS capable supervisor engines were chosen
> mainly for the 10G interfaces, but the more VSS documentation I read
> the more it seems like a great solution for added
> redundancy/bandwidth, while reducing complexity. As far as modules,
> all will be 6748s or 6724s, and the only service modules in the mix
> will be a pair of FWSMs in one of the VSS pairs.
>
> Can anyone provide any feedback on your VSS experiences? How have the
> FWSMs played with VSS? Any design considerations I should be aware
> of?
>

No MPLS, no IPv6. Those are show-stoppers for us.
Tim:>

From jay at west.net Sat Nov 22 17:13:00 2008
From: jay at west.net (Jay Hennigan)
Date: Sat, 22 Nov 2008 14:13:00 -0800
Subject: [c-nsp] OSX app for console access
In-Reply-To: <4925D9E5.1080709@velvet.org>
References: <20081120213052.GB90612@root.ucsc.edu> <4925D9E5.1080709@velvet.org>
Message-ID: <492883EC.7000208@west.net>

matthew zeier wrote:
> screen /dev/tty.KeySerial1
>
> works well and doesn't require any additional software.

I've been using minicom with a Keyspan USB adapter. The screen command indeed seems to work well, cool tip!

Is it possible to send a BREAK signal with screen ?

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From gert at greenie.muc.de Sat Nov 22 17:16:49 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 22 Nov 2008 23:16:49 +0100
Subject: [c-nsp] OSX app for console access
In-Reply-To: <492883EC.7000208@west.net>
References: <20081120213052.GB90612@root.ucsc.edu> <4925D9E5.1080709@velvet.org> <492883EC.7000208@west.net>
Message-ID: <20081122221649.GI8535@greenie.muc.de>

Hi,

On Sat, Nov 22, 2008 at 02:13:00PM -0800, Jay Hennigan wrote:
> Is it possible to send a BREAK signal with screen ?

"^A ?" suggests that "^A b" should do so. Can't test right now (no mac+serial+screen around).

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From felixnkansah at gmail.com Sat Nov 22 17:17:31 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Sat, 22 Nov 2008 22:17:31 +0000
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To: <9af987420811221250q7831e477k4d5f3c31c8204666@mail.gmail.com>
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com> <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com> <9af987420811221250q7831e477k4d5f3c31c8204666@mail.gmail.com>
Message-ID: <18dba4e50811221417t6be84d0esf209086fe34b4ff5@mail.gmail.com>

Hi All,

There are 7 telcos in the customer country. The project involves setting up a central management centre for all the telcos. I do not have all the details yet, as I am yet to travel to meet the main project contractors in early December.

All connections to the central MC would be via fiber. The project owners prefer the fiber WAN to be connected using basic L2/L3 Ethernet/IP connections.

To the best of my understanding, the telcos have stated they prefer connecting to the MC WAN network with E1s.

My duty is to come up with recommendations on what and how to connect the incoming E1 traffic from the telcos and send them over the L2/L3 Ethernet/IP fiber WAN.

Another alternative given to me is to connect the WAN fiber to firewalls at all the location, and then the firewalls would connect via UTP to the E1 aggregation appliances.

I guess I am not making sense here. I wish though.

Let me know if you need further info from me. And thanks for your efforts and answers so far.

Felix

On Sat, Nov 22, 2008 at 8:50 PM, Arda Balkanay wrote:

> Hi
> do you need a multiplexing like sdh does ?
> If you do not terminates E1's at L2 or L3 you have to use a next generation
> SDH with Ethernet over Sonet (or sdh) EoS solution.
>
> Otherwise a 7200 with 8E1 modules (6 slots 48 E1) and 3 gigabit ethernet
> ports can be used. At that solution you have to terminate E1s at L2 or L3
> with basic routing and/or ATOM configuration.
>
> please explain your scenario a little bit clear :)
>
>
>
>
> On Sat, Nov 22, 2008 at 10:39 PM, Felix Nkansah wrote:
>
>> Hi Frank,
>> I am looking at Ethernet on the Fiber portion.
>>
>> Felix
>>
>> On Sat, Nov 22, 2008 at 7:13 PM, Frank Bulk wrote:
>>
>> > Are you looking to do E1 over Ethernet, or mux them into DS-3/OC-3?
>> It's
>> > not clear what L2 you are going to do over the fiber.
>> >
>> > Frank
>> >
>> > -----Original Message-----
>> > From: cisco-nsp-bounces at puck.nether.net
>> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
>> > Sent: Saturday, November 22, 2008 11:04 AM
>> > To: cisco-nsp at puck.nether.net
>> > Subject: [c-nsp] E1 to Fiber POP Device?
>> >
>> > Hi,
>> > A network design I am working on would aggregate/terminate E1
>> connections
>> > at
>> > various sites or POPs and transfer the traffic over a fiber WAN.
>> >
>> > I am trying to figure out a device that would do a good job in taking
>> > incoming E1s and outgoing fiber. It appears to me that the Cisco
>> AS5400XM
>> > appliance does not have support for fiber connections.
>> >
>> > I should be glad if any of you could recommend some Cisco product(s) for
>> > accomplishing this task.
>> >
>> > Many Thanks,
>> >
>> > Felix
>> > _______________________________________________
>> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/cisco-nsp
>> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>> >
>> >
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>
>

From mduksa at gmail.com Sat Nov 22 19:17:47 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Sat, 22 Nov 2008 16:17:47 -0800
Subject: [c-nsp] ldp-igp
Message-ID:

Hi - Does anyone know how LDP and IGP forwarding on 7600 series can be separated? I have OSPF as IGP and also LDP is advertising the same routes from the neighbors. It looks like that Cisco selects only MPLS (LDP based) forwarding path.
How can I tell to use IP forwarding for some routes and MPLS for other. No RSVP (MPLS-TE) is enabled.

When I run show ip route, only IP routes are shown. show mpls forwarding shows only MPLS routes. Is there any way that I can pick one vs the other for forwarding? How can I tell from a 'show ' command which one is used?

Thanks,
Marlon

From danletkeman at gmail.com Sat Nov 22 21:36:14 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 22 Nov 2008 20:36:14 -0600
Subject: [c-nsp] 3560 TX Discards
Message-ID:

Hello,

When our backups are running there are a few ports on the 3560 that are reporting discards via snmp:

FastEthernet0/1 [ifIndex=10001] TX Discards = 1999/minute

Would this cause any problems or is it basically reporting that the bandwidth is used and it can't transmit the data?

Thanks,
Dan.

From ghostonthewire at gmail.com Sat Nov 22 21:46:55 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Sun, 23 Nov 2008 05:46:55 +0300
Subject: [c-nsp] scp running/startup config
In-Reply-To: <9e246b4d0811220833sde9fbf2w64ed3080cff91f3f@mail.gmail.com>
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com> <871vx3eror.fsf@obelix.mork.no> <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com> <9e246b4d0811220833sde9fbf2w64ed3080cff91f3f@mail.gmail.com>
Message-ID: <4928C41F.90708@gmail.com>

Tim Durack wrote:
> Amazing:
>
> usziplab001:~/config/Core# !scp
> scp acl.txt tdurack at router:running-config
> Password:
> acl.txt                           100% 1694     1.7KB/s   00:01
>
> I can dump a bunch of dumb expect scripts now.
>
Expect scripts can handle exceptions caused by erroneous input, and perform rollback action or just warn you that something went wrong, but copying just performs unpredictable merge. Or it discards entire acl.txt on syntax error?

> If Cisco supported ssh keys life would be even better...
>
Holy truth. I wonder cisco guys ignoring such crucial feature.
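The concern raised just above (an scp'd file merges into the running config line by line, so a typo part-way through leaves the ACL half rebuilt) is one a linter on the management host can catch before anything is pushed. The following is an added example, not code from the thread or from Cisco: it checks that a snippet has the rebuild-from-scratch shape Tim describes in his reply further down (`no ip access-list extended NAME`, the redefinition, the entries, `end`) and that every entry parses against a simplified subset of the IOS extended-ACL grammar. The two sample snippets, the ACL name `mgmt-in` and the grammar subset are constructed assumptions, not files or syntax taken from the thread.

```python
"""Lint an IOS extended-ACL replacement snippet before pushing it with
'scp acl.txt user@router:running-config'.

Added example, not code from the thread or from Cisco.  The snippet is
expected to have the rebuild-from-scratch shape from the thread:
    no ip access-list extended NAME
    ip access-list extended NAME
     <entries>
    end
Each entry is checked against a simplified subset of the IOS extended-ACL
grammar (an assumption: it covers the common 'permit/deny PROTO SRC [port]
DST [port] [established] [log]' forms, not every IOS keyword).
"""
import re
from typing import List

_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# source/destination: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
_ADDR = rf"(?:any|host {_IPV4}|{_IPV4} {_IPV4})"
# optional port qualifier for tcp/udp entries
_PORT = r"(?: (?:eq|gt|lt|neq) \S+| range \S+ \S+)?"
_ACE_RE = re.compile(
    rf"^(?:\d+ )?(?:permit|deny) (?:ip|icmp|tcp|udp|gre|esp|ahp|\d+) "
    rf"{_ADDR}{_PORT} {_ADDR}{_PORT}(?: established)?(?: log(?:-input)?)?$"
)
_HEADER_RE = re.compile(r"^(no )?ip access-list extended (\S+)$")


def lint_acl_script(text: str) -> List[str]:
    """Return the problems found; an empty list means the snippet is safe to push."""
    problems: List[str] = []
    # drop blank lines and '!' comments, keep 1-based positions for messages
    lines = [(i, ln.strip()) for i, ln in enumerate(text.splitlines(), start=1)
             if ln.strip() and not ln.strip().startswith("!")]
    if len(lines) < 3:
        return ["snippet too short: expected removal, redefinition, entries and 'end'"]
    head = _HEADER_RE.match(lines[0][1])
    if not head or not head.group(1):
        return [f"line {lines[0][0]}: must be 'no ip access-list extended NAME', got {lines[0][1]!r}"]
    name = head.group(2)
    redef = _HEADER_RE.match(lines[1][1])
    if not redef or redef.group(1):
        problems.append(f"line {lines[1][0]}: must redefine the list, got {lines[1][1]!r}")
    elif redef.group(2) != name:
        problems.append(f"line {lines[1][0]}: removes {name!r} but redefines {redef.group(2)!r}")
    has_end = lines[-1][1] == "end"
    if not has_end:
        problems.append("snippet must finish with 'end' so the merge is terminated explicitly")
    entries = lines[2:-1] if has_end else lines[2:]
    if not entries:
        # an interface ACL that exists but has no entries permits everything on IOS
        problems.append(f"{name!r} would be left with no entries, which permits all traffic")
    for lineno, entry in entries:
        if not _ACE_RE.match(entry):
            problems.append(f"line {lineno}: unparseable entry {entry!r}")
    return problems


# --- constructed sample snippets (assumptions, not files from the thread) ---
GOOD_SCRIPT = """\
no ip access-list extended mgmt-in
ip access-list extended mgmt-in
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permit icmp any any
 deny ip any any log
end
"""

BAD_SCRIPT = """\
no ip access-list extended mgmt-in
ip access-list extended mgmt-in
 permit tcp 10.0.0.0 0.0.0.255 any eq 22
 permti ip any any
end
"""

if __name__ == "__main__":
    for label, script in (("good", GOOD_SCRIPT), ("bad", BAD_SCRIPT)):
        print(label, lint_acl_script(script) or "ok")
```

Running the module lints the two constructed snippets; the bad one is reported as unparseable at its fourth line instead of being discovered as a half-applied list on the router. One caveat the linter cannot remove: the rebuild pattern itself leaves a short window between the `no ip access-list` and the first re-added entry, and on IOS an interface ACL that is missing or has no entries permits all traffic, so the result is still worth confirming afterwards with `show ip access-lists NAME`.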
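Marlon's question above (making the 7600 forward some prefixes by plain IP and others by MPLS when LDP has handed out labels for everything) comes down to which label bindings are advertised, which is what the `mpls ldp advertise-labels for PREFIX-ACL to PEER-ACL` filter Mateusz describes later in the thread controls. The block below is an added example, not code from the thread or from Cisco: a small model of that filter with a standard-ACL matcher that uses IOS wildcard-mask, first-match and implicit-deny semantics. The bindings, labels, peer addresses and ACL contents are constructed sample data, not values from any message in the thread.

```python
"""Model of 'mpls ldp advertise-labels for PREFIX-ACL to PEER-ACL'.

Added example, not code from the thread or from Cisco.  It reproduces the
label-advertisement decision: after 'no mpls ldp advertise-labels' a
binding goes to a peer only if some 'for ... to ...' statement permits both
the prefix and the peer.  The ACL matcher implements IOS standard-ACL
semantics (wildcard mask, first match wins, implicit deny).  All prefixes,
labels, peers and ACL contents below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# One standard-ACL entry: ('permit'|'deny', network, wildcard), e.g.
# 'access-list 10 permit 10.64.0.0 0.0.0.255' -> ('permit', '10.64.0.0', '0.0.0.255')
Ace = Tuple[str, str, str]
# One 'mpls ldp advertise-labels for X [to Y]' statement; Y omitted -> all peers
Filter = Tuple[List[Ace], Optional[List[Ace]]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def std_acl_permits(acl: List[Ace], addr: str) -> bool:
    """First matching entry decides; falling off the end is the implicit deny."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


def advertised_bindings(
    fecs: Dict[str, int],        # local FEC -> label, as in 'show mpls ldp bindings'
    peers: List[str],            # LDP peer router IDs
    filters: List[Filter],       # configured 'advertise-labels for ... to ...' lines
) -> Dict[str, Dict[str, int]]:
    """Bindings each peer receives with the default advertisement disabled."""
    out: Dict[str, Dict[str, int]] = {peer: {} for peer in peers}
    for prefix, label in fecs.items():
        network = prefix.split("/")[0]          # standard ACL sees the prefix's network address
        for peer in peers:
            for prefix_acl, peer_acl in filters:
                if not std_acl_permits(prefix_acl, network):
                    continue
                if peer_acl is not None and not std_acl_permits(peer_acl, peer):
                    continue
                out[peer][prefix] = label       # one permitting statement is enough
                break
    return out


def forwarding_mode(bindings_from_nexthop: Dict[str, int], prefix: str) -> str:
    """What a neighbour does with PREFIX: label it if its next hop sent a binding, else plain IP."""
    return "mpls" if prefix in bindings_from_nexthop else "ip"


# --- constructed sample data (assumptions, not values from the thread) ---
FECS = {"10.64.0.33/32": 31, "10.64.0.10/32": 32, "192.168.0.0/24": 138, "172.16.5.0/24": 40}
PEERS = ["10.64.0.176", "10.64.0.201"]
# 'for' ACL: PE loopbacks only, with one loopback explicitly held back first
LOOPBACKS_ACL: List[Ace] = [("deny", "10.64.0.10", "0.0.0.0"), ("permit", "10.64.0.0", "0.0.0.255")]
# 'to' ACL: a single core-facing peer
CORE_PEER_ACL: List[Ace] = [("permit", "10.64.0.176", "0.0.0.0")]
FILTERS: List[Filter] = [(LOOPBACKS_ACL, CORE_PEER_ACL)]

if __name__ == "__main__":
    for peer, bindings in advertised_bindings(FECS, PEERS, FILTERS).items():
        print(peer, bindings)
    print("nothing configured:", advertised_bindings(FECS, PEERS, []))
```

Two things the model makes visible: with `no mpls ldp advertise-labels` and no `for` statement nothing is advertised at all, so every neighbour falls back to plain IP forwarding for every prefix, and because a standard ACL is first-match with an implicit deny at the end, a `deny` placed before a broader `permit` withholds that one binding while the rest still go out. Whether a neighbour then imposes a label for a given prefix is exactly what the `show ip cef PREFIX detail` check in Mateusz's reply shows on the receiving router.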
From tdurack at gmail.com Sat Nov 22 21:55:47 2008
From: tdurack at gmail.com (Tim Durack)
Date: Sat, 22 Nov 2008 21:55:47 -0500
Subject: [c-nsp] scp running/startup config
In-Reply-To: <4928C41F.90708@gmail.com>
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com> <871vx3eror.fsf@obelix.mork.no> <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com> <9e246b4d0811220833sde9fbf2w64ed3080cff91f3f@mail.gmail.com> <4928C41F.90708@gmail.com>
Message-ID: <9e246b4d0811221855w1a141aa0v93f573e02a534761@mail.gmail.com>

On Sat, Nov 22, 2008 at 9:46 PM, ghostonthewire wrote:
> Tim Durack wrote:
>>
>> Amazing:
>>
>> usziplab001:~/config/Core# !scp
>> scp acl.txt tdurack at router:running-config
>> Password:
>> acl.txt                           100% 1694     1.7KB/s   00:01
>>
>> I can dump a bunch of dumb expect scripts now.
>>
>
> Expect scripts can handle exceptions caused by erroneous input, and perform
> rollback action or just warn you that something went wrong, but copying just
> performs unpredictable merge. Or it discards entire acl.txt on syntax error?

Not if the acl scripts are of the form:

no ip access list extended acl_name
ip access list extended acl_name
...
end

>> If Cisco supported ssh keys life would be even better...
>>
>
> Holy truth. I wonder cisco guys ignoring such crucial feature.
>

From frnkblk at iname.com Sat Nov 22 21:56:27 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 22 Nov 2008 20:56:27 -0600
Subject: [c-nsp] E1 to Fiber POP Device?
In-Reply-To: <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com>
References: <18dba4e50811220904g5eef41e1n7212d6775716c511@mail.gmail.com> <18dba4e50811221239j27eb7754l7eb235448a337f54@mail.gmail.com>
Message-ID:

Then you're looking at RAD's IPmux-14:
http://www.ethernetaccess.com/Article/0,6583,36596-TDM_Pseudowire_Access_Gateway,00.html

I'm sure there are other TDM over Ethernet products, but this is the one that most readily comes to mind.
Frank

From: Felix Nkansah [mailto:felixnkansah at gmail.com]
Sent: Saturday, November 22, 2008 2:39 PM
To: frnkblk at iname.com
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] E1 to Fiber POP Device?

Hi Frank,

I am looking at Ethernet on the Fiber portion.

Felix

On Sat, Nov 22, 2008 at 7:13 PM, Frank Bulk wrote:

Are you looking to do E1 over Ethernet, or mux them into DS-3/OC-3? It's not clear what L2 you are going to do over the fiber.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah
Sent: Saturday, November 22, 2008 11:04 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] E1 to Fiber POP Device?

Hi,

A network design I am working on would aggregate/terminate E1 connections at various sites or POPs and transfer the traffic over a fiber WAN.

I am trying to figure out a device that would do a good job in taking incoming E1s and outgoing fiber. It appears to me that the Cisco AS5400XM appliance does not have support for fiber connections.

I should be glad if any of you could recommend some Cisco product(s) for accomplishing this task.
Many Thanks,

Felix
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From lgeyer at gmail.com Sun Nov 23 01:27:58 2008
From: lgeyer at gmail.com (Laurent Geyer)
Date: Sun, 23 Nov 2008 01:27:58 -0500
Subject: [c-nsp] scp running/startup config
In-Reply-To: <9e246b4d0811221855w1a141aa0v93f573e02a534761@mail.gmail.com>
References: <9e246b4d0811220602p3f421c6j97e9cc2a1612982@mail.gmail.com> <871vx3eror.fsf@obelix.mork.no> <9e246b4d0811220748q21cb9ba4k75704cd702f9db85@mail.gmail.com> <9e246b4d0811220833sde9fbf2w64ed3080cff91f3f@mail.gmail.com> <4928C41F.90708@gmail.com> <9e246b4d0811221855w1a141aa0v93f573e02a534761@mail.gmail.com>
Message-ID: <39647f4d0811222227m322a3e19of7758be46e4aada1@mail.gmail.com>

On Sat, Nov 22, 2008 at 9:55 PM, Tim Durack wrote:

> On Sat, Nov 22, 2008 at 9:46 PM, ghostonthewire
> wrote:
> > Tim Durack wrote:
> >>
> >> Amazing:
> >>
> >> usziplab001:~/config/Core# !scp
> >> scp acl.txt tdurack at router:running-config
> >> Password:
> >> acl.txt                           100% 1694     1.7KB/s   00:01
> >>
> >> I can dump a bunch of dumb expect scripts now.
> >>
> >
> > Expect scripts can handle exceptions caused by erroneous input, and
> perform
> > rollback action or just warn you that something went wrong, but copying
> just
> > performs unpredictable merge. Or it discards entire acl.txt on syntax
> error?
>
> Not if the acl scripts are of the form:
>
> no ip access list extended acl_name
> ip access list extended acl_name
> ...
> end

Exactly how is scp going to save you? You have to handle the exceptions whether expect writes the commands to stdout or whether they get parsed after being copied to the running config via scp.
- Laurent

From blahu77 at gmail.com  Sun Nov 23 05:19:56 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 23 Nov 2008 10:19:56 +0000
Subject: [c-nsp] ldp-igp
In-Reply-To:
References:
Message-ID: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com>

Marlon,

> Hi - Does anyone know how LDP and IGP forwarding on 7600 series can be
> separated? I have OSPF as IGP and also LDP is advertising the same routes
> from the neighbors.

well, LDP advertises label to FEC bindings, not routes

> It looks like that Cisco selects only MPLS (LDP based) forwarding path. How
> can I tell to use IP forwarding for some routes and MPLS for other.
> No RSVP (MPLS-TE) is enabled.

The default behaviour is to advertise label to FEC bindings for ALL
IGP learnt IPv4 prefixes. So:

first disable the default behaviour

R1(config)#no mpls ldp advertise-labels

Then set for what PREFIXes advertise the labels to what PEERs

R1(config)#mpls ldp advertise-labels ?
  for  Access-list specifying controls on destination prefixes

R1(config)#mpls ldp advertise-labels for ?
  WORD  IP access-list for destination prefixes; name or number (1-99)

R1(config)#mpls ldp advertise-labels for PREFIXes ?
  to  Access-list specifying controls on LDP peers

R1(config)#mpls ldp advertise-labels for PREFIXes to PEERs

> When I run show ip route, only IP routes are shown. show mpls forwarding
> shows only MPLS routes. Is there any way that I can pick one vs the other
> for forwarding? How can I tell from a 'show ' command which one is used?

"show ip cef PREFIX detail" will tell you if there are any MPLS labels attached to the IPv4 packet, when it will be sent to the PREFIX destination.
BRs,

-mat

--
pgp-key 0x1C655CAB

From pavel.skovajsa at gmail.com  Sun Nov 23 05:38:45 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Sun, 23 Nov 2008 11:38:45 +0100
Subject: [c-nsp] To VSS or not to VSS
In-Reply-To:
References:
Message-ID: <323aca890811230238i6338e3fn6a0ef1f2e08d550f@mail.gmail.com>

Hi Eric,

We use it as a core and distribution switches in our campus, have about 5 VSS pairs, and so far it runs very fine and stable, have not had any issues with it. But we have fairly easy setup, no blades (FWSM, ACE) in the box, which makes things simple.

Best Regards,
Pavel Skovajsa

On Sat, Nov 22, 2008 at 9:13 PM, Thomas Dupas wrote:
> Hi Eric,
>
> The FWSM (or any service module) wasn't supported in a VSS setup until SXI.
> And I don't think that many people made the step yet to SXI on a production VSS system, but you never know.
>
> Overall I have had fairly good results with VSS in terms of throughput and stability, they were mostly used as distribution switches in the campus or "bookshelf" switches in the DC. The biggest flaw so far is the downtime when performing an upgrade, you fall back from SSO to RPR due to the IOS mismatches, and that means around 5 minutes downtime on failover. Same as you would have with supervisor redundancy in a single chassis.
> They now have an "eFSU" (semi-ISSU?) in the SXI release, which should improve upgrade procedures (RPR+ instead of RPR), but it's not really ISSU according to the specs. But I certainly want to try that (but then I need a next release to upgrade to :-))
>
> Best Regards,
>
> Thomas Dupas
>
>
> On 22/11/08 21:01, "Eric Cables" wrote:
>
> I'm working on a design which includes 2 pairs of 6509s w/ VS-S720-10G
> (one in each chassis).
> The VSS capable supervisor engines were chosen
> mainly for the 10G interfaces, but the more VSS documentation I read
> the more it seems like a great solution for added
> redundancy/bandwidth, while reducing complexity. As far as modules,
> all will be 6748s or 6724s, and the only service modules in the mix
> will be a pair of FWSMs in one of the VSS pairs.
>
> Can anyone provide any feedback on your VSS experiences? How have the
> FWSMs played with VSS? Any design considerations I should be aware
> of?
>
> Thanks,
>
> -- Eric Cables

From ibrahim.abozaid at gmail.com  Sun Nov 23 06:42:55 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Sun, 23 Nov 2008 13:42:55 +0200
Subject: [c-nsp] VPLS Question
Message-ID:

Dear All

I have a small question about VPLS: are MAC addresses of remote CE hosts learned from a remote PE assigned the same VC label at the local PE, or does each MAC address have a VC label assigned, or does each CE VLAN have the same VC label?

best regards
--ibrahim

From oboehmer at cisco.com  Sun Nov 23 09:03:27 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sun, 23 Nov 2008 15:03:27 +0100
Subject: [c-nsp] VPLS Question
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784066BDE74@xmb-ams-333.emea.cisco.com>

Ibrahim Abo Zaid <> wrote on Sunday, November 23, 2008 12:43:

> Dear All
>
> I have a small question about VPLS: are MAC addresses of remote CE hosts
> learned from a remote PE assigned the same VC label at the local PE, or
> does each MAC address have a VC label assigned, or does each CE VLAN have
> the same VC label?
labels are allocated/advertised for pseudowires, so all remote MACs sent over the same PW will use the same VC label..

	oli

From cisconsp at data102.com  Sun Nov 23 11:52:59 2008
From: cisconsp at data102.com (randal k)
Date: Sun, 23 Nov 2008 09:52:59 -0700
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784066BDE73@xmb-ams-333.emea.cisco.com>
References: <383357750811201143g4f3c08e2wecd09c71f759d10@mail.gmail.com> <20081121113059.GU8535@greenie.muc.de> <70B7A1CCBFA5C649BD562B6D9F7ED784066BDE73@xmb-ams-333.emea.cisco.com>
Message-ID:

Oli,

Another good idea. This switch does some Q-in-Q service, and its MTU is 1530 everywhere; unfortunately it is virtually fragment free:

IP statistics:
  Rcvd:  2218345267 total, 62765867 local destination
         52 format errors, 33 checksum errors, 16655618 bad hop count
         0 unknown protocol, 17690 not a gateway
         0 security failures, 0 bad options, 58045 with options
  Opts:  329 end, 35 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 3 record route
         0 stream ID, 0 strict source route, 57716 alert, 0 cipso, 0 ump
         0 other
  Frags: 40 reassembled, 46 timeouts, 0 couldn't reassemble
         78 fragmented, 0 couldn't fragment
  Bcast: 14256448 received, 40677 sent
  Mcast: 7140931 received, 817787 sent
  Sent:  57670558 generated, 1091620153 forwarded
  Drop:  41037866 encapsulation failed, 0 unresolved, 0 no adjacency
         3872 no route, 0 unicast RPF, 706317 forced drop
         0 options denied, 0 source IP address zero

Since I'm plum out of ideas, I've already scheduled a time to switch this customer over to a different 3550 to see if the problem persists or follows him. I'll definitely post back with results.

Cheers,
Randal

On Sun, Nov 23, 2008 at 6:59 AM, Oliver Boehmer (oboehmer) wrote:
> I would check for fragmentation, as suggested by someone earlier in the
> thread. I didn't check, but I would suspect the 3550 doing fragmentation
> in "software" (i.e. within the interrupt context).
> How are your MTUs on
> your core interface up to (and including) the 3550?
> Check "show ip traffic", fragmentations should show up there..
>
>        oli
>
> randal k <> wrote on Friday, November 21, 2008 23:18:
>
>> Burton,
>> There is already ~150mbps of other traffic flowing through this
>> switch, all of which generates approximately zero CPU, which is how it
>> looks for 11 other active 3550s, all pushing hundreds of mbps; they're
>> extremely good at high pps layer 3 with very little CPU usage. Yes,
>> cef is on everywhere.
>>
>> The thing that draws the attention here is that it is the only 3550 in
>> our network that has more than 1-2% CPU. Of all of the customers
>> attached to this switch, his is the only port whose graph is an exact
>> match for the CPU usage, and his traffic is overwhelmingly IPSec. I
>> guess I could move him to a different 3550 distribution switch and see
>> if the problem follows.
>>
>> Thanks for your continued input -
>> Randal
>>
>> On Fri, Nov 21, 2008 at 11:17 AM, Burton Windle wrote:
>>> I could be very wrong here, but I thought that if the usage is in
>>> the interrupt, then the CPU usage is just because of the volume of
>>> traffic, not the contents. But don't quote me on that.
>>>
>>> Easy way to test would be to push a similar volume of non-IPSec
>>> traffic and see what the CPU does.
>>>
>>> --
>>> Burton Windle bwindle at fint.org
>>>
>>> On Fri, 21 Nov 2008, randal k wrote:
>>>
>>>> Excuse my typo, my original answer of "IP Input" was completely
>>>> wrong, since it's pretty easy to get them confused. I'm looking at
>>>> it now and it's purely Interrupt traffic.
>>>>
>>>> dist03.cos01#show proc cpu
>>>> CPU utilization for five seconds: 26%/24%; one minute: 25%; five
>>>> minutes: 26%
>>>>
>>>> No, I'm not running anything on the 3550, it's purely a packet
>>>> pusher. It is a 3550-12T, and hanging off of it is the customer's
>>>> 3560g-24TS and VPN3000.
>>>> All of the tunnels terminate on the Concentrator - the
>>>> 3550 just does some basic layer3 forwarding and has no features.
>>>>
>>>> Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer
>>>>
>>>> That's why I find it a little bit odd that just forwarding IPSec
>>>> packets (not originating/terminating them) is hitting the CPU.
>>>>
>>>> Randal

From mduksa at gmail.com  Sun Nov 23 14:41:07 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Sun, 23 Nov 2008 11:41:07 -0800
Subject: [c-nsp] ldp-igp
In-Reply-To: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com>
References: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com>
Message-ID:

Thanks Mat. That helps a lot.

But is there any way to select IP instead of MPLS for forwarding without ACLs. Say that route x.x.x.x is received by OSPF and LDP (FEC mapping). Is there any way to enable forwarding only on IP and not MPLS for that particular route without ACLs. For example, changing preference (or administrative cost) of OSPF to a lower value than LDP - something like that but on a per interface basis. Or changing preference of LDP to a higher value on a global basis. Juniper for example can change preference of LDP.

Thanks again,
Marlon

On Sun, Nov 23, 2008 at 2:19 AM, Mateusz Błaszczyk wrote:
> Marlon,
>
> > Hi - Does anyone know how LDP and IGP forwarding on 7600 series can be
> > separated? I have OSPF as IGP and also LDP is advertising the same routes
> > from the neighbors.
>
> well, LDP advertises label to FEC bindings, not routes
>
> > It looks like that Cisco selects only MPLS (LDP based) forwarding path. How
> > can I tell to use IP forwarding for some routes and MPLS for other.
> > No RSVP (MPLS-TE) is enabled.
>
> The default behaviour is to advertise label to FEC bindings for ALL
> IGP learnt IPv4 prefixes. So:
>
> first disable the default behaviour
>
> R1(config)#no mpls ldp advertise-labels
>
> Then set for what PREFIXes advertise the labels to what PEERs
>
> R1(config)#mpls ldp advertise-labels ?
>   for  Access-list specifying controls on destination prefixes
>
> R1(config)#mpls ldp advertise-labels for ?
>   WORD  IP access-list for destination prefixes; name or number (1-99)
>
> R1(config)#mpls ldp advertise-labels for PREFIXes ?
>   to  Access-list specifying controls on LDP peers
>
> R1(config)#mpls ldp advertise-labels for PREFIXes to PEERs
>
> > When I run show ip route, only IP routes are shown. show mpls forwarding
> > shows only MPLS routes. Is there any way that I can pick one vs the other
> > for forwarding? How can I tell from a 'show ' command which one is used?
>
> "show ip cef PREFIX detail" will tell you if there are any MPLS labels
> attached to the IPv4 packet, when it will be sent to the PREFIX
> destination.
>
> BRs,
>
> -mat
>
> --
> pgp-key 0x1C655CAB

From blahu77 at gmail.com  Sun Nov 23 15:06:52 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 23 Nov 2008 20:06:52 +0000
Subject: [c-nsp] ldp-igp
In-Reply-To:
References: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com>
Message-ID: <383357750811231206o45b1feecga532276f110ac4c5@mail.gmail.com>

Marlon,

you have an option of
1) static labels
2) bgp advertised labels (neighbor X send-label)
3) TE (rsvp) advertised labels.
or
4) LDP/TDP

I don't know what Juniper can do for you.

BRs,

-mat

2008/11/23 Marlon Duksa :
> Thanks Mat. That helps a lot.
> But is there any way to select IP instead of MPLS for forwarding without ACLs.
> Say that route x.x.x.x is received by OSPF and LDP (FEC mapping). Is there
> any way to enable forwarding only on IP and not MPLS for that particular
> route without ACLs. For example, changing preference (or administrative
> cost) of OSPF to a lower value than LDP - something like that but on a per
> interface basis. Or changing preference of LDP to a higher value on a global
> basis. Juniper for example can change preference of LDP.
> Thanks again,
> Marlon
>

--
pgp-key 0x1C655CAB

From David at Hughes.com.au  Sun Nov 23 17:58:57 2008
From: David at Hughes.com.au (David J. Hughes)
Date: Mon, 24 Nov 2008 08:58:57 +1000
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4926977E.4080804@imperial.ac.uk>
References: <4925E619.6000407@204.net.nz> <4926977E.4080804@imperial.ac.uk>
Message-ID: <956E95A3-0A98-4A3D-97B3-58292630F8CF@Hughes.com.au>

On 21/11/2008, at 9:11 PM, Phil Mayers wrote:

>
> You can achieve this to a limited degree, but I'd think very
> carefully - is the minimal gain worth the hassle?
>
> We run a similar topology, and we just ignore it - let the traffic
> return via either path.

Have to agree with Phil here - just ignore it. We run a dual 6500 agg layer as our standard DC deployment and having asymmetric traffic isn't an issue.

David
...

From mtinka at globaltransit.net  Sun Nov 23 21:05:25 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 24 Nov 2008 10:05:25 +0800
Subject: [c-nsp] ldp-igp
In-Reply-To:
References: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com>
Message-ID: <200811241005.29744.mtinka@globaltransit.net>

On Monday 24 November 2008 03:41:07 Marlon Duksa wrote:

> Thanks Mat. That helps a lot.
> But is there any way to select IP instead of MPLS for
> forwarding without ACLs. Say that route x.x.x.x is
> received by OSPF and LDP (FEC mapping). Is there any way
> to enable forwarding only on IP and not MPLS for that
> particular route without ACLs. For example, changing
> preference (or administrative cost) of OSPF to a lower
> value than LDP - something like that but on a per
> interface basis. Or changing preference of LDP to a
> higher value on a global basis. Juniper for example can
> change preference of LDP.

From your initial e-mail I could tell you were trying to do, in IOS, what JunOS does, i.e., treat LDP and RSVP as route sources and install forwarding entries into the routing table with preferences (administrative distance in IOS), e.g.,:

[edit]
tinka at lab# run show route table mpls

mpls.0: 70 destinations, 70 routes (70 active, 0 holddown, 0 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

0                  *[MPLS/0] 2d 07:17:30, metric 1
                      Receive
1                  *[MPLS/0] 2d 07:17:30, metric 1
                      Receive
2                  *[MPLS/0] 2d 07:17:30, metric 1
                      Receive
299776             *[LDP/9] 09:32:41, metric 1
                      to x.x.x.193 via ge-0/0/0.0, Pop
                    > to x.x.x.193 via ge-0/1/0.0, Pop
299776(S=0)        *[LDP/9] 09:32:41, metric 1
                      to x.x.x.193 via ge-0/0/0.0, Pop
                    > to x.x.x.193 via ge-0/1/0.0, Pop
299792             *[LDP/9] 09:32:41, metric 1
                      to x.x.x.193 via ge-0/0/0.0, Pop
                      to x.x.x.194 via ge-0/0/0.0, Pop
                    > to x.x.x.193 via ge-0/1/0.0, Pop
                      to x.x.x.194 via ge-0/1/0.0, Pop
299792(S=0)        *[LDP/9] 09:32:41, metric 1
                    > to x.x.x.193 via ge-0/0/0.0, Pop
                      to x.x.x.194 via ge-0/0/0.0, Pop
                      to x.x.x.193 via ge-0/1/0.0, Pop
                      to x.x.x.194 via ge-0/1/0.0, Pop

I haven't had to treat them as routing protocols in JunOS, and just use them for what they are intended - life is simpler.

Aside from what others have already mentioned in this thread, I'm not sure IOS treats these label distribution protocols as routing protocols.

Cheers,

Mark.
From mj at 204.net.nz  Mon Nov 24 00:48:18 2008
From: mj at 204.net.nz (Michael Jager)
Date: Mon, 24 Nov 2008 18:48:18 +1300
Subject: [c-nsp] HSRP and routing asymmetry
In-Reply-To: <4926977E.4080804@imperial.ac.uk>
References: <4925E619.6000407@204.net.nz> <4926977E.4080804@imperial.ac.uk>
Message-ID: <492A4022.5060506@204.net.nz>

Phil Mayers wrote:
> You can achieve this to a limited degree, but I'd think very carefully -
> is the minimal gain worth the hassle?
>
> We run a similar topology, and we just ignore it - let the traffic
> return via either path.

This pretty much sums up the majority of the replies that I received both on and off-list.

> It's very common. Most people either ignore it, or statically set route
> costs (since the HSRP active will, normally, be in the same place)

Statically modifying route costs seems to be the best solution other than ignoring the asymmetry.

> Seriously - HSRP can't really do this. You can force it to "sort of" do
> it, but there are non-obvious failure modes to most of the solutions.
>
> Cisco could solve the problem for us with just a little work by
> providing an option to remove the local connected route on HSRP slaves.

Indeed - I was hoping there would be an easy solution such as this, but it appears that there is not.

Thanks to all who replied.
-Mike

From oboehmer at cisco.com  Mon Nov 24 01:47:55 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 24 Nov 2008 07:47:55 +0100
Subject: [c-nsp] ldp-igp
In-Reply-To: <200811241005.29744.mtinka@globaltransit.net>
References: <383357750811230219x39bfb68eo3baaceee8afd475e@mail.gmail.com> <200811241005.29744.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784066BDF27@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Monday, November 24, 2008 03:05:

> On Monday 24 November 2008 03:41:07 Marlon Duksa wrote:
>
>> Thanks Mat. That helps a lot.
>> But is there any way to select IP instead of MPLS for
>> forwarding without ACLs. Say that route x.x.x.x is
>> received by OSPF and LDP (FEC mapping). Is there any way
>> to enable forwarding only on IP and not MPLS for that
>> particular route without ACLs. For example, changing
>> preference (or administrative cost) of OSPF to a lower
>> value than LDP - something like that but on a per
>> interface basis. Or changing preference of LDP to a
>> higher value on a global basis. Juniper for example can
>> change preference of LDP.
>
> From your initial e-mail I could tell you were trying to do,
> in IOS, what JunOS does, i.e., treat LDP and RSVP as route
> sources and install forwarding entries into the routing
> table with preferences (administrative distance in IOS),
> e.g.,: [...]
>
> Aside from what others have already mentioned in this
> thread, I'm not sure IOS treats these label distribution
> protocols as routing protocols.

No, it doesn't. To put it simply: if IOS installs a RIB entry and it finds a FEC binding in its LIB for the respective next-hop/oif, it uses it. If you don't want this to happen (for whatever reason), you can either filter the outgoing LDP advertisement downstream, or filter the LDP advertisement on the node itself (Inbound label filtering, "mpls ldp neighbor x.x.x.x labels accept ").

Marlon: What are you trying to achieve?
If you don't want to add a label to packets over a given interface, why did you enable LDP on it in the first place?

	oli

From suzan_ccie at yahoo.com  Mon Nov 24 04:07:14 2008
From: suzan_ccie at yahoo.com (Suzan S.)
Date: Mon, 24 Nov 2008 01:07:14 -0800 (PST)
Subject: [c-nsp] PIM Hello Option2 LAN Prune Delay, Override Interval
In-Reply-To: <4927212A.3010600@pins.net>
Message-ID: <835223.74455.qm@web35404.mail.mud.yahoo.com>

Dears,

Is there any command in Cisco IOS 12.x or other version that can enable option 2 in PIM hello? I have an Alcatel router neighbored with a Cisco 7609, and the hello packets coming from the Alcatel are ignored on the Cisco, as they have option 2 enabled with delay & override timers. How can we get these hellos on Cisco? Is there any way? Seems this command can be found in IOS XR only??

Thank you
Suzan

From gulerozgur at yahoo.co.uk  Mon Nov 24 05:32:49 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Mon, 24 Nov 2008 10:32:49 +0000 (GMT)
Subject: [c-nsp] 3550 CPU Usage & IPSec
In-Reply-To:
Message-ID: <853246.24555.qm@web25502.mail.ukl.yahoo.com>

The "bad hop count" seems to be too high here. It might be causing the interrupts as well.

--- On Sun, 23/11/08, randal k wrote:

From: randal k
Subject: Re: [c-nsp] 3550 CPU Usage & IPSec
To: cisco-nsp at puck.nether.net
Date: Sunday, 23 November, 2008, 4:52 PM

Oli,

Another good idea.
This switch does some Q-in-Q service, and its MTU is 1530 everywhere; unfortunately it is virtually fragment free:

IP statistics:
  Rcvd:  2218345267 total, 62765867 local destination
         52 format errors, 33 checksum errors, 16655618 bad hop count
         0 unknown protocol, 17690 not a gateway
         0 security failures, 0 bad options, 58045 with options
  Opts:  329 end, 35 nop, 0 basic security, 0 loose source route
         0 timestamp, 0 extended security, 3 record route
         0 stream ID, 0 strict source route, 57716 alert, 0 cipso, 0 ump
         0 other
  Frags: 40 reassembled, 46 timeouts, 0 couldn't reassemble
         78 fragmented, 0 couldn't fragment
  Bcast: 14256448 received, 40677 sent
  Mcast: 7140931 received, 817787 sent
  Sent:  57670558 generated, 1091620153 forwarded
  Drop:  41037866 encapsulation failed, 0 unresolved, 0 no adjacency
         3872 no route, 0 unicast RPF, 706317 forced drop
         0 options denied, 0 source IP address zero

Since I'm plum out of ideas, I've already scheduled a time to switch this customer over to a different 3550 to see if the problem persists or follows him. I'll definitely post back with results.

Cheers,
Randal

On Sun, Nov 23, 2008 at 6:59 AM, Oliver Boehmer (oboehmer) wrote:
> I would check for fragmentation, as suggested by someone earlier in the
> thread. I didn't check, but I would suspect the 3550 doing fragmentation
> in "software" (i.e. within the interrupt context). How are your MTUs on
> your core interface up to (and including) the 3550?
> Check "show ip traffic", fragmentations should show up there..
>
>        oli
>
> randal k <> wrote on Friday, November 21, 2008 23:18:
>
>> Burton,
>> There is already ~150mbps of other traffic flowing through this
>> switch, all of which generates approximately zero CPU, which is how it
>> looks for 11 other active 3550s, all pushing hundreds of mbps; they're
>> extremely good at high pps layer 3 with very little CPU usage. Yes,
>> cef is on everywhere.
>>
>> The thing that draws the attention here is that it is the only 3550 in
>> our network that has more than 1-2% CPU. Of all of the customers
>> attached to this switch, his is the only port whose graph is an exact
>> match for the CPU usage, and his traffic is overwhelmingly IPSec. I
>> guess I could move him to a different 3550 distribution switch and see
>> if the problem follows.
>>
>> Thanks for your continued input -
>> Randal
>>
>> On Fri, Nov 21, 2008 at 11:17 AM, Burton Windle wrote:
>>> I could be very wrong here, but I thought that if the usage is in
>>> the interrupt, then the CPU usage is just because of the volume of
>>> traffic, not the contents. But don't quote me on that.
>>>
>>> Easy way to test would be to push a similar volume of non-IPSec
>>> traffic and see what the CPU does.
>>>
>>> --
>>> Burton Windle bwindle at fint.org
>>>
>>> On Fri, 21 Nov 2008, randal k wrote:
>>>
>>>> Excuse my typo, my original answer of "IP Input" was completely
>>>> wrong, since it's pretty easy to get them confused. I'm looking at
>>>> it now and it's purely Interrupt traffic.
>>>>
>>>> dist03.cos01#show proc cpu
>>>> CPU utilization for five seconds: 26%/24%; one minute: 25%; five
>>>> minutes: 26%
>>>>
>>>> No, I'm not running anything on the 3550, it's purely a packet
>>>> pusher. It is a 3550-12T, and hanging off of it is the customer's
>>>> 3560g-24TS and VPN3000. All of the tunnels terminate on the Concentrator - the
>>>> 3550 just does some basic layer3 forwarding and has no features.
>>>>
>>>> Net -- 7206edge -- 6509core --- 3550dist --- 3560customer/VPN3000customer
>>>>
>>>> That's why I find it a little bit odd that just forwarding IPSec
>>>> packets (not originating/terminating them) is hitting the CPU.
>>>>
>>>> Randal
>>>>
>>>
>>
>

From zhuifeng0426 at gmail.com  Mon Nov 24 06:10:14 2008
From: zhuifeng0426 at gmail.com (zhuifeng0426)
Date: Mon, 24 Nov 2008 19:10:14 +0800
Subject: [c-nsp] About IXIA
Message-ID: <200811241910113757619@gmail.com>

Hi all:

Does anyone have training events about IXIA? Would you please give me one?

Thanks

2008-11-24

Best regards,
YiFeng Zhou
Mail: zhuifeng0426 at gmail.com
MSN: zhuifeng0426 at hotmail.com
Mobile: +86 (0)15905171724

From gulerozgur at yahoo.co.uk  Mon Nov 24 06:53:24 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Mon, 24 Nov 2008 11:53:24 +0000 (GMT)
Subject: [c-nsp] Troubleshooting a GRE tunnel terminated in a MPLS VPN
In-Reply-To: <49282E62.1010300@justinshore.com>
Message-ID: <637938.11848.qm@web25502.mail.ukl.yahoo.com>

Does this work when you enable "debug mpls packet"?

--- On Sat, 22/11/08, Justin Shore wrote:

From: Justin Shore
Subject: [c-nsp] Troubleshooting a GRE tunnel terminated in a MPLS VPN
To: "'Cisco-nsp'"
Date: Saturday, 22 November, 2008, 4:08 PM

I'm testing a different method of terminating VPN tunnels in our data center. We're going to switch from IPSec L2L tunnels to GRE tunnels with IPSec protection. The big benefit is that it cuts our admin overhead significantly. It's also a hell of a lot easier to deploy. Instead of having to have 6 lines of config for each remote customer prefix I can simply set up an IGP in their VRF and let the customer drive. Much easier.

So I have one of my 7600s with a Sup720-3BXL running SRB1 with a 2G IPSec SPA and 6700 series line cards.
On the 7600 I've configured my VRF, GRE tunnel, OSPF vrf instance and set up iBGP to carry the VRF routes upstream to the data center. I'm holding off on the IPSec config for now. I want to get GRE working first. Upstream at the DC I've configured that router with the VRF, sub-int in the VRF facing the DC switch, and iBGP for the VRF's routes. LDP was configured with MPLS between the core and the DC and has been working for over a year so I doubt if that's a problem. Downstream across the ISP I've set up a test router to simulate the customer's CPE. I've configured it with the GRE tunnel, OSPF and the back-side network for a test laptop to test connectivity from the 192.168.0/24 subnet.

Laptop---CPE router---(ISP)---7600----DC Router
         |--------------GRE Tunnel------------|
                                 |------VRF------|

Here's my config:

!!! 7600
ip vrf dc-gre-test
 description DC - GRE Test
 rd 100:2999
 route-target export 100:2999
 route-target import 100:2999
!
interface Tunnel2999
 ip vrf forwarding dc-gre-test
 ip address 10.125.124.1 255.255.255.252
 tunnel source aa.bb.cc.1
 tunnel destination cc.dd.aa.2
!
router ospf 2999 vrf dc-gre-test
 ignore lsa mospf
 ispf
 log-adjacency-changes
 redistribute bgp 65001 subnets
 passive-interface default
 no passive-interface Tunnel2999
 network 10.125.124.0 0.0.0.3 area 0
 network 10.125.125.0 0.0.0.255 area 0
!
router bgp 65001
 address-family ipv4 vrf dc-gre-test
  no synchronization
  redistribute connected
  redistribute static
  redistribute ospf 2999 vrf dc-gre-test
 exit-address-family

!!! CPE Router
interface Tunnel2999
 ip address 10.125.124.2 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination aa.bb.cc.1
!
router ospf 1
 ignore lsa mospf
 ispf
 log-adjacency-changes
 passive-interface default
 no passive-interface Tunnel2999
 network 10.125.124.0 0.0.0.3 area 0
 network 192.168.0.0 0.0.0.255 area 0

!!! DC router
ip vrf dc-gre-test
 description DC - GRE Test
 rd 100:2999
 route-target export 100:2999
 route-target import 100:2999
!
interface GigabitEthernet0/1.2999
 description DC - GRE Test
 encapsulation dot1Q 2999
 ip vrf forwarding dc-gre-test
 ip address 10.125.125.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 standby version 2
 standby 2999 ip 10.125.125.1
 standby 2999 timers msec 500 3
 standby 2999 priority 255
 standby 2999 preempt
!
router bgp 65001
 address-family ipv4 vrf dc-gre-test
  redistribute connected
  no synchronization
 exit-address-family

OSPF is up on the CPE and 7600 and I'm getting the DC route on the CPE and the CPE route on the DC router (and everything on the 7600 in the middle). Currently I can ping within the VRF from the DC router to the tunnel interface on the 7600. From the CPE router I can ping across the tunnel to the tunnel interface on the 7600. For some reason though I can't ping from the DC to the CPE. Traceroutes from both sides get to the tunnel interface on the 7600 and then die. I can't figure out where the packets are going. The CEF table for that VRF looks ok. All adjacencies are pointing out the right interfaces.
7613-1.clr#sh ip cef vrf dc-gre-test detail
IPv4 CEF is enabled for distributed and running
VRF dc-gre-test
 12 prefixes (12/0 fwd/non-fwd)
 Table id 0x8
 Database epoch:        3 (12 entries at this epoch)

0.0.0.0/0, epoch 3, flags default route handler
  no route
0.0.0.0/32, epoch 3, flags receive
  Special source: receive
  receive
10.125.124.0/30, epoch 3, flags attached, connected, cover dependents, need deagg
  Covered dependent prefixes: 2
    need deagg: 2
  attached to Tunnel2999
10.125.124.0/32, epoch 3, flags receive
  Dependent covered prefix type cover need deagg cover 10.125.124.0/30
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.124.1/32, epoch 3, flags receive
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.124.3/32, epoch 3, flags receive
  Dependent covered prefix type cover need deagg cover 10.125.124.0/30
  Interface source: Tunnel2999
  receive for Tunnel2999
10.125.125.0/24, epoch 3
  recursive via 10.64.0.33 label 31
    nexthop 10.64.0.176 GigabitEthernet9/1
192.168.0.0/24, epoch 3
  local label info: other/138
  nexthop 10.125.124.2 Tunnel2999
224.0.0.0/4, epoch 3
  Special source: drop
  drop
224.0.0.0/24, epoch 3, flags receive
  Special source: receive
  receive
240.0.0.0/4, epoch 3
  Special source: drop
  drop
255.255.255.255/32, epoch 3, flags receive
  Special source: receive
  receive

The LFIB for that VRF on the 7600:

7613-1.clr#sh mpls forwarding-table vrf dc-gre-test detail
Local  Outgoing    Prefix             Bytes Label   Outgoing   Next Hop
Label  Label or VC or Tunnel Id       Switched      interface
56     Pop Label   IPv4 VRF[V]        1140          aggregate/dc-gre-test
        MAC/Encaps=0/0, MRU=0, Label Stack{}
        VPN route: dc-gre-test
        No output feature configured
138    No Label    192.168.0.0/24[V]  96080         Tu2999     point2point
        MAC/Encaps=24/24, MRU=1480, Label Stack{}
        4500000000000000FF2F5D194ADDC00143D5100200000800
        VPN route: dc-gre-test
        No output feature configured

The RIB for that VRF on the 7600:

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks
C       10.125.124.0/30 is directly connected, Tunnel2999
L       10.125.124.1/32 is directly connected, Tunnel2999
B       10.125.125.0/24 [200/0] via 10.64.0.33, 7w0d
O    192.168.0.0/24 [110/11112] via 10.125.124.2, 7w0d, Tunnel2999

On the DC router:

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.125.125.0/24 is directly connected, GigabitEthernet0/1.2999
B       10.125.124.0/30 [200/0] via 10.64.0.10, 00:56:22
B    192.168.0.0/24 [200/11112] via 10.64.0.10, 00:56:07

On the CPE router:

Gateway of last resort is cc.dd.aa.1 to network 0.0.0.0

     cc.0.0.0/30 is subnetted, 1 subnets
C       cc.dd.aa.0 is directly connected, FastEthernet0/0
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
O E2    10.125.125.0/24 [110/1] via 10.125.124.1, 12:05:31, Tunnel2999
C       10.125.124.0/30 is directly connected, Tunnel2999
C    192.168.0.0/24 is directly connected, FastEthernet0/1
S*   0.0.0.0/0 [1/0] via 67.213.16.1

I don't have remote access to the laptop at this time so I can't sniff on the wire to see what's coming in there. I'd have to place a device at the DC in that VRF to have something to ping out there other than the sub-int. I can do that next week.

Any thoughts as to what might be going on? Nothing is jumping out at me.

As a separate issue, my tunnel source on the 7600 is a SVI on a VLAN that spans 2 7600s. HSRP is configured between them already though I haven't set up HA for VPN yet. The 7600 we're working with is forced active with the priority setting. I tried to define the tunnel source as that SVI, vl192. It wouldn't work though. I had to explicitly define the IP. I used the HSRP floater and it worked. I ran into a problem recently with our IPSec L2Ls where I couldn't use the floater. I had to use the interface IP specifically. The IPSec packets originated from the interface IP and not the HSRP floater even though I had my crypto map local-address defined at that interface. Any ideas why that is? I need to do more research on IPSec and GRE HA.
Thanks Justin _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From justin at justinshore.com Mon Nov 24 08:52:25 2008 From: justin at justinshore.com (Justin Shore) Date: Mon, 24 Nov 2008 07:52:25 -0600 Subject: [c-nsp] Troubleshooting a GRE tunnel terminated in a MPLS VPN In-Reply-To: <49282E62.1010300@justinshore.com> References: <49282E62.1010300@justinshore.com> Message-ID: <492AB199.40506@justinshore.com> Justin Shore wrote: > I'm testing a different method of terminating VPN tunnels in our data > center. We're going to switch from IPSec L2L tunnels to GRE tunnels > with IPSec protection. The big benefit is that it cuts our admin > overhead significantly. It's also a hell of a lot easier to deploy. > Instead of having to have 6 lines of config for each remote customer > prefix I can simply set up an IGP in their VRF and let the customer > drive. Much easier. I received an off-list reply that solved the problem. I didn't enable 'mls mpls tunnel-recir' on the 7600. I'm not certain exactly what it does to solve the problem but it works. I'll research it later. Thanks for the assistance Justin From A.L.M.Buxey at lboro.ac.uk Mon Nov 24 10:41:57 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 24 Nov 2008 15:41:57 +0000 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> Message-ID: <20081124154157.GD22774@lboro.ac.uk> Hi, > The fork based on Cisco's code over at shrubbery has worked out well for me. > > > http://www.shrubbery.net/tac_plus/ agreed. also note, theres been hints of TACACS+ being part of future FreeRADIUS capability for some time too. 
alan From christian at broknrobot.com Mon Nov 24 10:48:09 2008 From: christian at broknrobot.com (Christian Koch) Date: Mon, 24 Nov 2008 10:48:09 -0500 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: <20081124154157.GD22774@lboro.ac.uk> References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> <20081124154157.GD22774@lboro.ac.uk> Message-ID: on a side note - has anyone had any success getting older catos switches and enable mode to work with the newer versions of tacplus? christian On Mon, Nov 24, 2008 at 10:41 AM, wrote: > Hi, > >> The fork based on Cisco's code over at shrubbery has worked out well for me. >> >> >> http://www.shrubbery.net/tac_plus/ > > agreed. also note, theres been hints of TACACS+ being part of > future FreeRADIUS capability for some time too. > > alan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ian.mackinnon at lumison.net Mon Nov 24 11:07:39 2008 From: ian.mackinnon at lumison.net (Ian MacKinnon) Date: Mon, 24 Nov 2008 16:07:39 +0000 Subject: [c-nsp] Cisco E-di and 6500 Sup32 Message-ID: <492AD14B.7090300@lumison.net> Hi All, Has anybody had any success running Cisco E-DI against 6500Sup32 running SXH? Failing that, has anybody done any NETCONF XML to the same? Thanks -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender. Any offers or quotation of service are subject to formal specification. Errors and omissions excepted. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Lumison and nPlusOne. 
Finally, the recipient should check this email and any attachments for the presence of viruses. Lumison and nPlusOne accept no liability for any damage caused by any virus transmitted by this email.

From rich.davies at gmail.com Mon Nov 24 11:02:57 2008
From: rich.davies at gmail.com (Rich Davies)
Date: Mon, 24 Nov 2008 11:02:57 -0500
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
In-Reply-To:
References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> <20081124154157.GD22774@lboro.ac.uk>
Message-ID: <3e4b8fe10811240802v78d288a7rc7fd558b8ad0e6a3@mail.gmail.com>

Here is an example CatOS config for TACACS auth. It's been a while since I used a CatOS device; however, if I remember correctly this config was structured so that if the device can't talk to the TACACS server it would fail back to a local userid (by using "if-authenticated" in the #authorization section).

#tacacs+
set tacacs server 1.1.1.1 primary
set tacacs server 2.2.2.2
set tacacs key [tacacs key]

#authentication
set authentication login tacacs enable console primary
set authentication login tacacs enable telnet primary
set authentication enable tacacs enable console primary
set authentication enable tacacs enable telnet primary

#accounting
set accounting exec enable stop-only tacacs+
set accounting connect enable stop-only tacacs+
set accounting system enable stop-only tacacs+
set accounting commands enable all stop-only tacacs+

#authorization
set authorization exec enable tacacs+ if-authenticated console
set authorization exec enable tacacs+ if-authenticated telnet
set authorization enable enable if-authenticated none console
set authorization enable enable if-authenticated none telnet
set authorization commands enable all if-authenticated none console
set authorization commands enable all if-authenticated none telnet

Hope it helps.
-Rich On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch wrote: > on a side note - > > has anyone had any success getting older catos switches and enable > mode to work with the newer versions of tacplus? > > christian > > On Mon, Nov 24, 2008 at 10:41 AM, wrote: > > Hi, > > > >> The fork based on Cisco's code over at shrubbery has worked out well for > me. > >> > >> > >> http://www.shrubbery.net/tac_plus/ > > > > agreed. also note, theres been hints of TACACS+ being part of > > future FreeRADIUS capability for some time too. > > > > alan > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From christian at broknrobot.com Mon Nov 24 11:16:29 2008 From: christian at broknrobot.com (Christian Koch) Date: Mon, 24 Nov 2008 11:16:29 -0500 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: <3e4b8fe10811240802v78d288a7rc7fd558b8ad0e6a3@mail.gmail.com> References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> <20081124154157.GD22774@lboro.ac.uk> <3e4b8fe10811240802v78d288a7rc7fd558b8ad0e6a3@mail.gmail.com> Message-ID: Rich- thanks and sorry i guess i was a little vague... i meant to say i am looking for configuration for the tac_plus.conf side On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies wrote: > Here is an example CatOS config for TACACS auth. It's been awhile since I > used a CatOS device however if I remember correctly this config was > structured so that if the device can't talk to the TACACS server it would > fail back to a local userid (by using "if-authenticated" in the > #authorization section). 
> > > #tacacs+ > set tacacs server 1.1.1.1 primary > set tacacs server 2.2.2.2 > set tacacs key [tacacs key] > > #authentication > set authentication login tacacs enable console primary > set authentication login tacacs enable telnet primary > set authentication enable tacacs enable console primary > set authentication enable tacacs enable telnet primary > > #accounting > set accounting exec enable stop-only tacacs+ > set accounting connect enable stop-only tacacs+ > set accounting system enable stop-only tacacs+ > set accounting commands enable all stop-only tacacs+ > > #authorization > set authorization exec enable tacacs+ if-authenticated console > set authorization exec enable tacacs+ if-authenticated telnet > set authorization enable enable if-authenticated none console > set authorization enable enable if-authenticated none telnet > set authorization commands enable all if-authenticated none console > set authorization commands enable all if-authenticated none telnet > > > Hope it helps. > > -Rich > > > On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch > wrote: >> >> on a side note - >> >> has anyone had any success getting older catos switches and enable >> mode to work with the newer versions of tacplus? >> >> christian >> >> On Mon, Nov 24, 2008 at 10:41 AM, wrote: >> > Hi, >> > >> >> The fork based on Cisco's code over at shrubbery has worked out well >> >> for me. >> >> >> >> >> >> http://www.shrubbery.net/tac_plus/ >> > >> > agreed. also note, theres been hints of TACACS+ being part of >> > future FreeRADIUS capability for some time too. 
>> > >> > alan >> > _______________________________________________ >> > cisco-nsp mailing list cisco-nsp at puck.nether.net >> > https://puck.nether.net/mailman/listinfo/cisco-nsp >> > archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From raymondh.nsp at gmail.com Mon Nov 24 11:27:53 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Tue, 25 Nov 2008 00:27:53 +0800 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> <20081124154157.GD22774@lboro.ac.uk> <3e4b8fe10811240802v78d288a7rc7fd558b8ad0e6a3@mail.gmail.com> Message-ID: You'll just need to fix your expressions in your tacacs config. e.g. cmd = set { permit "^blah blah .*" } --raymondh On Nov 25, 2008, at 12:16 AM, Christian Koch wrote: > Rich- thanks and sorry i guess i was a little vague... > > i meant to say i am looking for configuration for the tac_plus.conf > side > > On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies > wrote: >> Here is an example CatOS config for TACACS auth. It's been awhile >> since I >> used a CatOS device however if I remember correctly this config was >> structured so that if the device can't talk to the TACACS server it >> would >> fail back to a local userid (by using "if-authenticated" in the >> #authorization section). 
>> >> >> #tacacs+ >> set tacacs server 1.1.1.1 primary >> set tacacs server 2.2.2.2 >> set tacacs key [tacacs key] >> >> #authentication >> set authentication login tacacs enable console primary >> set authentication login tacacs enable telnet primary >> set authentication enable tacacs enable console primary >> set authentication enable tacacs enable telnet primary >> >> #accounting >> set accounting exec enable stop-only tacacs+ >> set accounting connect enable stop-only tacacs+ >> set accounting system enable stop-only tacacs+ >> set accounting commands enable all stop-only tacacs+ >> >> #authorization >> set authorization exec enable tacacs+ if-authenticated console >> set authorization exec enable tacacs+ if-authenticated telnet >> set authorization enable enable if-authenticated none console >> set authorization enable enable if-authenticated none telnet >> set authorization commands enable all if-authenticated none console >> set authorization commands enable all if-authenticated none telnet >> >> >> Hope it helps. >> >> -Rich >> >> >> On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch > > >> wrote: >>> >>> on a side note - >>> >>> has anyone had any success getting older catos switches and enable >>> mode to work with the newer versions of tacplus? >>> >>> christian >>> >>> On Mon, Nov 24, 2008 at 10:41 AM, wrote: >>>> Hi, >>>> >>>>> The fork based on Cisco's code over at shrubbery has worked out >>>>> well >>>>> for me. >>>>> >>>>> >>>>> http://www.shrubbery.net/tac_plus/ >>>> >>>> agreed. also note, theres been hints of TACACS+ being part of >>>> future FreeRADIUS capability for some time too. 
>>>> >>>> alan >>>> _______________________________________________ >>>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>>> >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From yuval.ben.ari at gmail.com Mon Nov 24 14:48:18 2008 From: yuval.ben.ari at gmail.com (Yuval Ben Ari) Date: Mon, 24 Nov 2008 21:48:18 +0200 Subject: [c-nsp] Alternatives to Cisco's TACACS server? In-Reply-To: <20081120083017.17c4050e.simestd@netexpress.com> References: <20081120083017.17c4050e.simestd@netexpress.com> Message-ID: Hi Tom, You did not mention your requirements like does it need to be GUI based or is conf file based is ok (tac_plus)? Also what is the reason you want to abandon the ACS? I'm asking because we actually migrated from tac_plus to ACS due to the improved management capabilities via GUI. I think there are actually not a lot of alternatives around. Yuval On Thu, Nov 20, 2008 at 7:30 PM, Tom Simes wrote: > > Hi all, > > We've got an aging Cisco Secure ACS install on the Windows platform > and we're looking for alternatives. We're only using TACACS+ for admin > authentication into our Cisco gear (not RADIUS), but we do have a > variety of groups defined with differing access to commands and > equipment and our user store is LDAP so we need at least that level of > functionality. > > What are folks using these days for a TACACS+ server that they're happy > with? > TIA! 
> > Tom > > ====================================================================== > "Z-80 system stack overflow. Shut 'er down Scotty, the system's > sucking mud" - Error message on TRS 80 Model-16B > > Tom Simes simestd at netexpress.com > ====================================================================== > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From chale99 at gmail.com Mon Nov 24 15:08:51 2008 From: chale99 at gmail.com (Chris Hale) Date: Mon, 24 Nov 2008 15:08:51 -0500 Subject: [c-nsp] To OSR7609 or not to OSR7609? Message-ID: All - We have the ability to pick up some OSR7609's pretty cheap. We'd like to use them as a core router for 100-200Mbps capacity with multiple full BGP feeds, 802.1q subinterfaces, MPLS/VPLS, and possibly some WAN interfaces (i.e. MC-T3/OC3). Any big drawbacks or negatives to this chassis? We'd like to run them with SUP720-3BXL processors and 6548 series Ethernet cards. Thanks, Chris -- ------------------ Chris Hale chale99 at gmail.com From dwcarder at wisc.edu Mon Nov 24 15:51:31 2008 From: dwcarder at wisc.edu (Dale W. Carder) Date: Mon, 24 Nov 2008 14:51:31 -0600 Subject: [c-nsp] SXI testing In-Reply-To: <49259605.4030601@imperial.ac.uk> References: <49259605.4030601@imperial.ac.uk> Message-ID: <8009D3A9-8FBE-4506-8EB5-B5E4B3DBFADD@wisc.edu> On Nov 20, 2008, at 10:53 AM, Phil Mayers wrote: > In case people are interested, I have tested a load of stuff as > working on 12.2(33)SXI. > > http://cisco.cluepon.net/index.php/Ios_sxi Does anyone use "mac-address-table notification threshold"? It exists but is hidden in SXF. It is not in SXI. Can anyone with SXH let me know if it is in there? 
http://www.cisco.com/en/US/customer/docs/ios/lanswitch/command/reference/lsw_m1.html#wp1012786 Thanks, Dale From achatz at forthnet.gr Mon Nov 24 16:43:11 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Mon, 24 Nov 2008 23:43:11 +0200 Subject: [c-nsp] SXI testing In-Reply-To: <8009D3A9-8FBE-4506-8EB5-B5E4B3DBFADD@wisc.edu> References: <49259605.4030601@imperial.ac.uk> <8009D3A9-8FBE-4506-8EB5-B5E4B3DBFADD@wisc.edu> Message-ID: <492B1FEF.9010405@forthnet.gr> SXH doesn't have it, SRB has it! -- Tassos Dale W. Carder wrote on 24/11/2008 22:51: > > > Does anyone use "mac-address-table notification threshold"? > > It exists but is hidden in SXF. > It is not in SXI. > Can anyone with SXH let me know if it is in there? > > http://www.cisco.com/en/US/customer/docs/ios/lanswitch/command/reference/lsw_m1.html#wp1012786 > > > Thanks, > Dale > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From sigurbjornl at vodafone.is Mon Nov 24 16:01:59 2008 From: sigurbjornl at vodafone.is (=?ISO-8859-1?B?U2lndXJiavZybg==?= Birkir =?ISO-8859-1?B?TOFydXNzb24=?=) Date: Mon, 24 Nov 2008 21:01:59 +0000 Subject: [c-nsp] SXI testing In-Reply-To: <8009D3A9-8FBE-4506-8EB5-B5E4B3DBFADD@wisc.edu> Message-ID: Isn't in SXH3a at least... BR, Sibbi On 24.11.2008 20:51, "Dale W. Carder" wrote: > > On Nov 20, 2008, at 10:53 AM, Phil Mayers wrote: >> In case people are interested, I have tested a load of stuff as >> working on 12.2(33)SXI. >> >> http://cisco.cluepon.net/index.php/Ios_sxi > > Does anyone use "mac-address-table notification threshold"? > > It exists but is hidden in SXF. > It is not in SXI. > Can anyone with SXH let me know if it is in there? 
> > http://www.cisco.com/en/US/customer/docs/ios/lanswitch/command/reference/lsw_m > 1.html#wp1012786 > > Thanks, > Dale > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From ardabalkanay at gmail.com Mon Nov 24 16:59:08 2008 From: ardabalkanay at gmail.com (Arda Balkanay) Date: Mon, 24 Nov 2008 23:59:08 +0200 Subject: [c-nsp] To OSR7609 or not to OSR7609? In-Reply-To: References: Message-ID: <9af987420811241359l366b5d8bkf992b7a25f506f34@mail.gmail.com> Hi with 6548 Ethernet cards you can not use VPLS, you can only configure EoMPLS for vpls you will need ES20 or similar modules. Also if you use WAN cards with Flexwan modules it will behave like built-in 7200s on a 7600 chassis so my suggestion is to try SIP modules for terminating WAN. kind regards Arda On Mon, Nov 24, 2008 at 10:08 PM, Chris Hale wrote: > All - > > We have the ability to pick up some OSR7609's pretty cheap. We'd like to > use them as a core router for 100-200Mbps capacity with multiple full BGP > feeds, 802.1q subinterfaces, MPLS/VPLS, and possibly some WAN interfaces > (i.e. MC-T3/OC3). > > Any big drawbacks or negatives to this chassis? We'd like to run them with > SUP720-3BXL processors and 6548 series Ethernet cards. 
>
> Thanks,
> Chris
>
> --
> ------------------
> Chris Hale
> chale99 at gmail.com
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From mduksa at gmail.com Mon Nov 24 18:27:20 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Mon, 24 Nov 2008 15:27:20 -0800
Subject: [c-nsp] mpls ping
Message-ID:

Hi - does anyone know if a ping packet can be sent through an IP path instead of MPLS, from a control plane perspective. I have a route that is learned through IGP and an LDP neighbor is also advertising a FEC for it. So by default, MPLS encap will be used. I would like to ping a host on that network from this Cisco box, but I see that the ping is also MPLS encapsulated. Is there any way to send the ping through IP (non MPLS encapsulated)?

Thanks,
Marlon

From chloekcy2000 at yahoo.ca Mon Nov 24 20:26:09 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Mon, 24 Nov 2008 20:26:09 -0500 (EST)
Subject: [c-nsp] can't ping - please help
Message-ID: <502568.80820.qm@web57405.mail.re1.yahoo.com>

Hi

I have a very old 2600 router with 10M ethernet. I am trying to learn configuration. I can't ping 192.168.0.116 from the outside network, but I can ping this IP 192.168.0.116 within the same network, eg: from 192.168.0.114.

The network is 192.168.0.112/29 and the router interface is 192.168.0.116

Can you help?

Current configuration : 1202 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname cisco
!
no ip subnet-zero
!
no ip bootp server
ip inspect dns-timeout 10
ip inspect tcp synwait-time 40
ip auth-proxy auth-cache-time 20
ip auth-proxy name chloe http
ip audit notify log
ip audit po max-events 100
ip audit smtp spam 500
!
interface Ethernet0/0
 ip address 192.168.0.116 255.255.255.248
 no cdp enable
!
interface Serial0/0
 no ip address
 clockrate 56000
 no cdp enable
!
interface Serial0/1
 no ip address
 shutdown
 no cdp enable
!
ip default-gateway 192.168.0.113
no ip classless
ip http server
!
logging trap debugging
logging facility local2
logging 192.168.0.114
no cdp run
!
end

From mduksa at gmail.com Mon Nov 24 20:55:00 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Mon, 24 Nov 2008 17:55:00 -0800
Subject: [c-nsp] LDP label allocation modes
Message-ID:

Hi - does anyone know what the default label distribution/allocation modes are on a Cisco 7600 on Ethernet interfaces for LDP. I suspect the label distribution mode is 'downstream unsolicited' (as opposed to on-demand) and label allocation is 'independent control mode' (as opposed to ordered control).

If this is correct, is there any way to change this through the CLI?

Thanks,
Marlon

From s00664233 at gmail.com Mon Nov 24 22:25:55 2008
From: s00664233 at gmail.com (cc loo)
Date: Tue, 25 Nov 2008 11:25:55 +0800
Subject: [c-nsp] can't ping - please help
In-Reply-To: <502568.80820.qm@web57405.mail.re1.yahoo.com>
References: <502568.80820.qm@web57405.mail.re1.yahoo.com>
Message-ID: <49999c420811241925t3f29cd00i7471c81c2175e58c@mail.gmail.com>

Hi Chloe,

Your configuration seems to be incomplete. When a router is facing 2 networks, there should be 2 distinct IP addresses in the router.
For example : # faces your local lan Ethernet 0/0 IP address 192.168.0.116 255.255.255.248 # faces your "external" network Serial 0/0 IP address 10.0.0.1 255.255.255.252 Before you try to ping "across" different networks, make sure both links are up locally first (Eth0/0 must be pingable from 192.168.0.116 subnet, while S0/0 must be pingable from 10.0.0.1 subnet) After you can achieve this, then you can check out the routing tables by typing myrouter> *show ip route* On Tue, Nov 25, 2008 at 9:26 AM, chloe K wrote: > Hi > > I have very old 2600 router with 10M ethernet > I am trying to learn configuration. I can't ping 192.168.0.116 from > outside network. but I can ping this ip 192.168.0.116 within same network > eg: 192.168.0.114. > > the network is 192.168.0.112/29 > and the router interface is 192.168.0.116 > > Can you help? > > Current configuration : 1202 bytes > ! > version 12.1 > no service single-slot-reload-enable > service timestamps debug uptime > service timestamps log uptime > service password-encryption > no service dhcp > ! > hostname cisco > ! > no ip subnet-zero > ! > no ip bootp server > ip inspect dns-timeout 10 > ip inspect tcp synwait-time 40 > ip auth-proxy auth-cache-time 20 > ip auth-proxy name chloe http > ip audit notify log > ip audit po max-events 100 > ip audit smtp spam 500 > ! > interface Ethernet0/0 > ip address 192.168.0.116 255.255.255.248 > no cdp enable > ! > interface Serial0/0 > no ip address > clockrate 56000 > no cdp enable > ! > interface Serial0/1 > no ip address > shutdown > no cdp enable > ! > ip default-gateway 192.168.0.113 > no ip classless > ip http server > ! > logging trap debugging > logging facility local2 > logging 192.168.0.114 > no cdp run > ! > end > > > --------------------------------- > Be smarter than spam. See how smart SpamGuard is at giving junk email the > boot with the All-new Yahoo! Mail > > > > --------------------------------- > > > Yahoo! 
Canada Toolbar : Search from anywhere on the web and > bookmark your favourite sites. Download it now! > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mduksa at gmail.com Tue Nov 25 00:19:51 2008 From: mduksa at gmail.com (Marlon Duksa) Date: Mon, 24 Nov 2008 21:19:51 -0800 Subject: [c-nsp] mpls/ip load balancing Message-ID: Hi - does anyone know how load balancing by default works over two paths, one using MPLS and the other one IP. I have the same route advertisement received over two different interfaces. On one interface LDP is enabled (and of course OSPF), the other interface is only OSPF enabled. Traffic is definitely load balanced across the two interfaces, but I was wondering what fields the hashing is based on? Thanks, Marlon From chale99 at gmail.com Tue Nov 25 00:25:29 2008 From: chale99 at gmail.com (Chris Hale) Date: Tue, 25 Nov 2008 00:25:29 -0500 Subject: [c-nsp] OSR7609 w/Sup720-3BXL Message-ID: Anyone know if you can use a Sup720-3BXL with a OSR7609? Are there any restrictions on the modules/cards that you can use in the OSR7609? What's the main differences between the OSR and non-OSR chassis? Chris -- ------------------ Chris Hale chale99 at gmail.com From SocratesPapachilleos at semltd.com.cy Tue Nov 25 00:37:09 2008 From: SocratesPapachilleos at semltd.com.cy (Socrates) Date: Tue, 25 Nov 2008 07:37:09 +0200 Subject: [c-nsp] Clientless webvpn on ASA Message-ID: <0KAV001L9JIYZ600@mailsrv.semltd.com.cy> Hi all, We have configured a VPN cluster on my two ASAs and some clients while trying to connect get the message "ssl_error_connect_rx_record_too_long". Before the clustering I did not had such an issue. Note that my certificates are self-signed. Is there anything to do about it on ASA? 
---------------------------------------------------------- This email and its contents are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error, please notify the Security Administrator. This email has been swept by SEM Ltd for the presence of computer viruses. www.semltd.com.cy ---------------------------------------------------------- From markom at markom.info Tue Nov 25 00:48:43 2008 From: markom at markom.info (Marko Milivojevic) Date: Tue, 25 Nov 2008 05:48:43 +0000 Subject: [c-nsp] shape withing policy map In-Reply-To: References: Message-ID: <1fb747910811242148l2f512332j9a9a870541572f07@mail.gmail.com> You made a small configuration mistake. > Enter configuration commands, one per line. End with CNTL/Z. > JID_CORE_Router(config)#policy-map CMS > JID_CORE_Route(config-pmap-c)#shape average 1000000 > JID_CORE_Route(config-pmap-c)# > > It takes the command just fine. You need to aply shape command under the class, not under the policy-map: policy-map CMS class CMS shape average ... ! ! Note that shape uses Kb/s and not b/s. However, you may find that this may not work on an ATM interface. -- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From markom at markom.info Tue Nov 25 01:07:34 2008 From: markom at markom.info (Marko Milivojevic) Date: Tue, 25 Nov 2008 06:07:34 +0000 Subject: [c-nsp] L2VPN Interworking In-Reply-To: References: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as> Message-ID: <1fb747910811242207w6f57d078ucb3a9757262440c9@mail.gmail.com> On Tue, Nov 11, 2008 at 08:27, Mohammad Khalil wrote: > > the success rate is about (930/1000) and as i told u the MTU is configured on the ATM link to be 1500 > the physical links are not congested > what else can i add or modify to solve this issue ?? What about ATM traffic shaping? Are you sure that packets are not being dropped by the ATM network in-between? 
-- Marko CCIE #18427 (SP) My network blog: http://cisco.markom.info/ From oboehmer at cisco.com Tue Nov 25 01:50:25 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 25 Nov 2008 07:50:25 +0100 Subject: [c-nsp] LDP label allocation modes In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406715EB0@xmb-ams-333.emea.cisco.com> Marlon Duksa <> wrote on Tuesday, November 25, 2008 02:55: > Hi - does anyone know what are the default label > distribution/allocation modes on Cisco 7600 on Ethernet interfaces > for LDP. > I suspect label distribution mode is 'downstream unsolicited' (as > opposed to on-demand) and label allocation is 'independent control > mode' (as opposed to ordered control). > > If this is correct, is there any way to change this through CLI? yes, it's correct, and you can't change it. Why are you asking? oli From oboehmer at cisco.com Tue Nov 25 01:53:45 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Tue, 25 Nov 2008 07:53:45 +0100 Subject: [c-nsp] mpls/ip load balancing In-Reply-To: References: Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406715EB4@xmb-ams-333.emea.cisco.com> Marlon Duksa <> wrote on Tuesday, November 25, 2008 06:20: > Hi - does anyone know how load balancing by default works over two > paths, one using MPLS and the other one IP. I have the same route > advertisement received over two different interfaces. On one > interface LDP is enabled (and of course OSPF), the other interface is > only OSPF enabled. Traffic > is definitely load balanced across the two interfaces, but I was > wondering what fields the hashing is based on? Well, hash is based on Layer 3 information. However this is doomed to fail if the ingress packet is tagged (for example L3VPN), then the node might strip the labels when hashing it over the non-LDP-enabled interface. 
oli

From zivl at gilat.net Tue Nov 25 02:42:46 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Tue, 25 Nov 2008 09:42:46 +0200
Subject: [c-nsp] can't ping - please help
In-Reply-To: <49999c420811241925t3f29cd00i7471c81c2175e58c@mail.gmail.com>
References: <502568.80820.qm@web57405.mail.re1.yahoo.com> <49999c420811241925t3f29cd00i7471c81c2175e58c@mail.gmail.com>

Make sure you also set the command "ip routing" in general configuration in order to "switch on" the ip route engine. You won't see this setting on the config though. In old versions this command was not implicit; funny though, what could I possibly want a router to do other than routing? Perhaps it has something to do with old technologies routing which wasn't IP?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of cc loo
Sent: Tuesday, November 25, 2008 5:26 AM
To: chloe K
Cc: cisco-nsp mailing list
Subject: Re: [c-nsp] can't ping - please help

Hi Chloe,

Your configuration seems to be incomplete. When a router is facing 2 networks, there should be 2 distinct IP addresses in a router. For example:

# faces your local lan
Ethernet 0/0
 IP address 192.168.0.116 255.255.255.248

# faces your "external" network
Serial 0/0
 IP address 10.0.0.1 255.255.255.252

Before you try to ping "across" different networks, make sure both links are up locally first (Eth0/0 must be pingable from the 192.168.0.116 subnet, while S0/0 must be pingable from the 10.0.0.1 subnet).

After you can achieve this, then you can check out the routing tables by typing

myrouter> show ip route

On Tue, Nov 25, 2008 at 9:26 AM, chloe K wrote:
> Hi
>
> I have a very old 2600 router with 10M ethernet
> I am trying to learn configuration. I can't ping 192.168.0.116 from
> outside network, but I can ping this ip 192.168.0.116 within the same network
> eg: 192.168.0.114.
>
> the network is 192.168.0.112/29
> and the router interface is 192.168.0.116
>
> Can you help?
>
> Current configuration : 1202 bytes
> !
> version 12.1
> no service single-slot-reload-enable
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> no service dhcp
> !
> hostname cisco
> !
> no ip subnet-zero
> !
> no ip bootp server
> ip inspect dns-timeout 10
> ip inspect tcp synwait-time 40
> ip auth-proxy auth-cache-time 20
> ip auth-proxy name chloe http
> ip audit notify log
> ip audit po max-events 100
> ip audit smtp spam 500
> !
> interface Ethernet0/0
>  ip address 192.168.0.116 255.255.255.248
>  no cdp enable
> !
> interface Serial0/0
>  no ip address
>  clockrate 56000
>  no cdp enable
> !
> interface Serial0/1
>  no ip address
>  shutdown
>  no cdp enable
> !
> ip default-gateway 192.168.0.113
> no ip classless
> ip http server
> !
> logging trap debugging
> logging facility local2
> logging 192.168.0.114
> no cdp run
> !
> end
>
> ---------------------------------
> Be smarter than spam. See how smart SpamGuard is at giving junk email the
> boot with the All-new Yahoo! Mail
>
> ---------------------------------
> Yahoo! Canada Toolbar : Search from anywhere on the web and
> bookmark your favourite sites. Download it now!
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

************************************************************************************
This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From s00664233 at gmail.com Tue Nov 25 02:46:47 2008
From: s00664233 at gmail.com (cc loo)
Date: Tue, 25 Nov 2008 15:46:47 +0800
Subject: [c-nsp] Need help figuring out IOS versions / featuresets / MIBs
Message-ID: <49999c420811242346w393618efy24ffe099d24982e3@mail.gmail.com>

Hi all,

I have difficulties trying to figure out what versions of IOS provide which featuresets.

For example I would like to know more about ISG (intelligent services gateway); I would like to know which IOS version supports it.

From this, I would like to find out what related information could be polled from SNMP.

I tried http://tools.cisco.com/ITDIT/MIBS/servlet/index (IOS MIB Locator) but I'm lost on what to input as search fields.

Some kind souls please enlighten me.

From Niels.denOtter at surfnet.nl Tue Nov 25 03:57:03 2008
From: Niels.denOtter at surfnet.nl (Niels den Otter)
Date: Tue, 25 Nov 2008 09:57:03 +0100
Subject: [c-nsp] Need help figuring out IOS versions / featuresets / MIBs
In-Reply-To: <49999c420811242346w393618efy24ffe099d24982e3@mail.gmail.com>
References: <49999c420811242346w393618efy24ffe099d24982e3@mail.gmail.com>
Message-ID: <492BBDDF.6080606@surfnet.nl>

Hello cc,

cc loo wrote:
> I have difficulties trying to figure out what versions of IOS provide which
> featuresets.
>
> For example I would like to know more about ISG (intelligent services
> gateway); I would like to know which IOS version supports it.
>
> From this, I would like to find out what related information could be polled
> from SNMP.
>
> I tried http://tools.cisco.com/ITDIT/MIBS/servlet/index
> IOS MIB Locator but I'm lost on what to input as search fields

Have you tried the feature navigator at http://www.cisco.com/go/fn ?

--
Niels

From gulerozgur at yahoo.co.uk Tue Nov 25 07:15:04 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Tue, 25 Nov 2008 12:15:04 +0000 (GMT)
Subject: [c-nsp] mpls/ip load balancing
Message-ID: <342761.13608.qm@web25506.mail.ukl.yahoo.com>

Best is to check "show ip cef internal" to see if the packets are load balanced. Afaik, IOS does not load balance between labelled and unlabelled paths. (Think about sending AToM or MPLS VPN traffic out towards an unlabelled path.)

--- On Tue, 25/11/08, Marlon Duksa wrote:

From: Marlon Duksa
Subject: [c-nsp] mpls/ip load balancing
To: "cisco-nsp at puck.nether.net"
Date: Tuesday, 25 November, 2008, 5:19 AM

Hi - does anyone know how load balancing by default works over two paths, one using MPLS and the other one IP. I have the same route advertisement received over two different interfaces. On one interface LDP is enabled (and of course OSPF), the other interface is only OSPF enabled. Traffic is definitely load balanced across the two interfaces, but I was wondering what fields the hashing is based on?
Thanks,
Marlon

From chloekcy2000 at yahoo.ca Tue Nov 25 07:18:16 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Tue, 25 Nov 2008 07:18:16 -0500 (EST)
Subject: [c-nsp] tclsh and ip access list help
Message-ID: <58010.8662.qm@web57406.mail.re1.yahoo.com>

Hi

I borrowed a lab book and there is a tclsh command, but I can't find it in my router. How can I get this command working?

I also have a question about access lists. I did the following access-list:

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 remark this is for telnet
access-list 10 deny any log

I added an extra access-list line later:

access-list 10 permit 192.168.0.0 0.0.0.255

But this one ends up after those lines, as below, and it won't work:

access-list 10 permit 10.0.0.0 0.255.255.255
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 10 remark this is for telnet
access-list 10 deny any log
access-list 10 permit 192.168.0.0 0.0.0.255

I have to remove it with "no access-list 10 deny any log". But when I remove this line, I have to add all of that again.

How can I do it easily, to add this line? And how can I make it reliable, as it is easy to lose the connection?

Thank you

From rni at umn.edu Tue Nov 25 07:23:21 2008
From: rni at umn.edu (Richard N. Ingram)
Date: Tue, 25 Nov 2008 06:23:21 -0600
Subject: [c-nsp] can't ping - please help
In-Reply-To: <342761.13608.qm@web25506.mail.ukl.yahoo.com>
References: <342761.13608.qm@web25506.mail.ukl.yahoo.com>
Message-ID: <492BEE39.9070804@umn.edu>

Also:

ip subnet-zero
ip classless

Best regards,
Rich

From mjsaarin at cc.helsinki.fi Tue Nov 25 07:56:51 2008
From: mjsaarin at cc.helsinki.fi (Matti Saarinen)
Date: Tue, 25 Nov 2008 14:56:51 +0200
Subject: [c-nsp] Problems with Apple laptops and Cisco lightweight access points

Is there any known issue with Apple's Intel-based laptops and Cisco's WLAN controllers? Recently, we have been hearing complaints from our users, who have Intel Mac laptops, that there is about 10 % packet loss in WLAN. The problem occurs only when a Mac laptop is associated to a lightweight AP connected to a WLC4404. Users having non-Apple laptops haven't complained (yet).

So far the only remotely related pieces of information I am aware of are these two threads in an Apple forum:

http://discussions.apple.com/thread.jspa?threadID=1389453&tstart=0
http://discussions.apple.com/thread.jspa?threadID=1389855&tstart=0

Cheers,
--
- Matti -

From achatz at forthnet.gr Tue Nov 25 08:31:36 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 25 Nov 2008 15:31:36 +0200
Subject: [c-nsp] shape withing policy map
In-Reply-To: <1fb747910811242148l2f512332j9a9a870541572f07@mail.gmail.com>
References: <1fb747910811242148l2f512332j9a9a870541572f07@mail.gmail.com>
Message-ID: <492BFE38.9000103@forthnet.gr>

Also make sure you don't exceed the max-reserved bandwidth (default=75%).

--
Tassos

From sheaujiun at gmail.com Tue Nov 25 09:53:26 2008
From: sheaujiun at gmail.com (sheaujiun)
Date: Tue, 25 Nov 2008 22:53:26 +0800
Subject: [c-nsp] Vlan assignments
Message-ID: <2c9e35ed0811250653g4bd4011dw9fed44a405ef493@mail.gmail.com>

Hi,

I have a customer in a DSLAM/BRAS environment where they have 4 main groups of VLAN assignments: Data, Voice, Management and Other services. Currently there are no fixed rules as to how VLAN IDs are assigned to the 4 main groups. It has come to a time where the network has grown to a rather huge size and they are trying to reassign the VLAN assignments.

Generally, the network is as such: DSLAM --> aggregation switch --> BRAS

Is there a standard guideline as to how VLAN assignments are to be designed? What considerations are needed? e.g. Is there a need to consider how different VLANs are to be terminated into the aggregation switch if they are running VPLS? How will the BRAS handle the VLANs coming from the aggregation?
Sheau Jiun

From RTeller at deltadentalwa.com Tue Nov 25 10:23:15 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 25 Nov 2008 07:23:15 -0800
Subject: [c-nsp] can't ping - please help
In-Reply-To: <492BEE39.9070804@umn.edu>
References: <342761.13608.qm@web25506.mail.ukl.yahoo.com> <492BEE39.9070804@umn.edu>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01890@tiger.deltadentalwa.com>

Try adding the following command instead of using the ip default-gateway command:

ip route 0.0.0.0 0.0.0.0 192.168.0.113

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From RTeller at deltadentalwa.com Tue Nov 25 09:51:59 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 25 Nov 2008 06:51:59 -0800
Subject: [c-nsp] 4402 guest wireless access
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0188E@tiger.deltadentalwa.com>

I am trying to configure a 4402 controller to allow basic web authentication for guest users. I am using Cisco 1131 APs and a 4402 WLC. If the guest connects with a WPA key it works, but as soon as I require web authentication it just hangs at the redirect screen.

Any suggestions?

From RTeller at deltadentalwa.com Tue Nov 25 10:32:48 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Tue, 25 Nov 2008 07:32:48 -0800
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
References: <20081120083017.17c4050e.simestd@netexpress.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01892@tiger.deltadentalwa.com>

I am using RADIUS and Microsoft's IAS server and that works just fine.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Yuval Ben Ari
Sent: Monday, November 24, 2008 11:48 AM
To: Tom Simes
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Alternatives to Cisco's TACACS server?

Hi Tom,

You did not mention your requirements, like does it need to be GUI based or is conf-file based OK (tac_plus)? Also, what is the reason you want to abandon the ACS? I'm asking because we actually migrated from tac_plus to ACS due to the improved management capabilities via GUI.

I think there are actually not a lot of alternatives around.

Yuval

On Thu, Nov 20, 2008 at 7:30 PM, Tom Simes wrote:
>
> Hi all,
>
> We've got an aging Cisco Secure ACS install on the Windows platform
> and we're looking for alternatives. We're only using TACACS+ for admin
> authentication into our Cisco gear (not RADIUS), but we do have a
> variety of groups defined with differing access to commands and
> equipment and our user store is LDAP so we need at least that level of
> functionality.
>
> What are folks using these days for a TACACS+ server that they're happy
> with?
> TIA!
>
> Tom
>
> ======================================================================
> "Z-80 system stack overflow. Shut 'er down Scotty, the system's
> sucking mud" - Error message on TRS 80 Model-16B
>
> Tom Simes simestd at netexpress.com
> ======================================================================

From christian at broknrobot.com Tue Nov 25 11:07:09 2008
From: christian at broknrobot.com (Christian Koch)
Date: Tue, 25 Nov 2008 11:07:09 -0500
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
References: <20081120083017.17c4050e.simestd@netexpress.com> <39647f4d0811200941o5a988564v65ef1c3aac8e6fd7@mail.gmail.com> <20081124154157.GD22774@lboro.ac.uk> <3e4b8fe10811240802v78d288a7rc7fd558b8ad0e6a3@mail.gmail.com>

my problem is the normal "#enable = 15" does not work for CatOS as it does with IOS in the later tac_plus software, as it did in the earlier developed versions

On Mon, Nov 24, 2008 at 11:27 AM, raymondh (NSP) wrote:
> You'll just need to fix your expressions in your tacacs config.
>
> e.g. cmd = set { permit "^blah blah .*" }
>
> --raymondh
>
> On Nov 25, 2008, at 12:16 AM, Christian Koch wrote:
>
>> Rich- thanks and sorry, I guess I was a little vague...
>>
>> I meant to say I am looking for configuration for the tac_plus.conf side
>>
>> On Mon, Nov 24, 2008 at 11:02 AM, Rich Davies wrote:
>>>
>>> Here is an example CatOS config for TACACS auth. It's been a while since I
>>> used a CatOS device, however if I remember correctly this config was
>>> structured so that if the device can't talk to the TACACS server it would
>>> fail back to a local userid (by using "if-authenticated" in the
>>> #authorization section).
>>>
>>> #tacacs+
>>> set tacacs server 1.1.1.1 primary
>>> set tacacs server 2.2.2.2
>>> set tacacs key [tacacs key]
>>>
>>> #authentication
>>> set authentication login tacacs enable console primary
>>> set authentication login tacacs enable telnet primary
>>> set authentication enable tacacs enable console primary
>>> set authentication enable tacacs enable telnet primary
>>>
>>> #accounting
>>> set accounting exec enable stop-only tacacs+
>>> set accounting connect enable stop-only tacacs+
>>> set accounting system enable stop-only tacacs+
>>> set accounting commands enable all stop-only tacacs+
>>>
>>> #authorization
>>> set authorization exec enable tacacs+ if-authenticated console
>>> set authorization exec enable tacacs+ if-authenticated telnet
>>> set authorization enable enable if-authenticated none console
>>> set authorization enable enable if-authenticated none telnet
>>> set authorization commands enable all if-authenticated none console
>>> set authorization commands enable all if-authenticated none telnet
>>>
>>> Hope it helps.
>>>
>>> -Rich
>>>
>>> On Mon, Nov 24, 2008 at 10:48 AM, Christian Koch wrote:
>>>>
>>>> on a side note -
>>>>
>>>> has anyone had any success getting older CatOS switches and enable
>>>> mode to work with the newer versions of tacplus?
>>>>
>>>> christian
>>>>
>>>> On Mon, Nov 24, 2008 at 10:41 AM, wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>> The fork based on Cisco's code over at shrubbery has worked out well
>>>>>> for me.
>>>>>>
>>>>>> http://www.shrubbery.net/tac_plus/
>>>>>
>>>>> agreed. also note, there's been hints of TACACS+ being part of
>>>>> future FreeRADIUS capability for some time too.
>>>>>
>>>>> alan

From frnkblk at iname.com Tue Nov 25 11:09:46 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Tue, 25 Nov 2008 10:09:46 -0600
Subject: [c-nsp] Problems with Apple laptops and Cisco lightweight access points

Check out EDUCAUSE's WIRELESS-LAN listserv -- I think this has been discussed there.

Frank

From lgeyer at gmail.com Tue Nov 25 11:26:20 2008
From: lgeyer at gmail.com (Laurent Geyer)
Date: Tue, 25 Nov 2008 11:26:20 -0500
Subject: [c-nsp] Alternatives to Cisco's TACACS server?
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01892@tiger.deltadentalwa.com>
References: <20081120083017.17c4050e.simestd@netexpress.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01892@tiger.deltadentalwa.com>
Message-ID: <39647f4d0811250826r68bf695aneebb68b8919791eb@mail.gmail.com>

On Tue, Nov 25, 2008 at 10:32 AM, Teller, Robert wrote:
> I am using radius and Microsoft's IAS server and that works just fine.
>

Radius works fine for authentication, but how are you handling accounting?

- Laurent

From mduksa at gmail.com Tue Nov 25 12:09:54 2008
From: mduksa at gmail.com (Marlon Duksa)
Date: Tue, 25 Nov 2008 09:09:54 -0800
Subject: [c-nsp] LDP label allocation modes
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406715EB0@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406715EB0@xmb-ams-333.emea.cisco.com>

I'm trying to understand MPLS/LDP behavior on 7600 and figure out what I can do and what I can't. Doing the same thing with Juniper M320, and I'm trying to note the difference in behavior and figure out which implementation would fit our customer better.

From felixnkansah at gmail.com Tue Nov 25 12:26:04 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Tue, 25 Nov 2008 17:26:04 +0000
Subject: [c-nsp] Resources for Migration to IP/MPLS in Carrier Environment
Message-ID: <18dba4e50811250926x151a9e10ja514a6682d44ebfa@mail.gmail.com>

Hi All,

I am presently tasked with designing an IP/MPLS core solution, along with a migration strategy, for some mobile carriers in my country. The problem is that I am required to understand not just IP communications, but also telecom protocols and their connections & operation in real life. These include TDM, DWDM, SS7, SGSN, MSC, GPRS, etc., so I can help with the migration to the IP/NGN solution.

Unfortunately, I see myself as a pure IP guy without much understanding of telecom protocols. I was wondering if any of you involved with such projects could direct me to some useful stuff on these topics. I am not just looking for documents that explain these protocols with lengthy signal and wavelength charts, etc. Those are readily available. I want guides that explain the real application of these protocols and how to migrate them onto an MPLS core.

I have already read most of the CCIE SP online guides at http://www.cisco.com/web/learning/le3/ccie/sp/online_resources.html anyway.
Thanks, Felix From rodunn at cisco.com Tue Nov 25 12:34:59 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 25 Nov 2008 12:34:59 -0500 Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed? In-Reply-To: <20081105122448.GK93039@ronin.4ever.de> References: <20081105122448.GK93039@ronin.4ever.de> Message-ID: <20081125173459.GU11474@rtp-cse-489.cisco.com> Elmar, I think I recreated it. Can you remove this and check it again: ip cef accounting non-recursive Then check the programming via: sh platform software ip f0 cef summ get the id: sh plat hard cpp active feature cef prefix ip z.z.z.z | incl Next to check it. Rodney On Wed, Nov 05, 2008 at 01:24:48PM +0100, Elmar K. Bins wrote: > Re again, > > I am running into trouble with the CEF load sharing algorithm > on the ASR / IOS-XE platform. We've had this kind of setup > with 7301s for four years now, and it's never given us any > trouble. Distributed traffic pretty evenly (whenever it was > not only one or two top-talkers hitting us). > > With the new ASR / IOS-XE (1.1.2 currently, but I have found > nothing in the release notes of later versions) traffic > distribution has become in favour of the server with the > lowest IP address - very much so. It's getting 85% of all > packets. > > The setup in brief (all IPv4): > > z.z.z.z = Service address > > a.a.a.a, a.a.a.b, a.a.a.c = Interface addresses of three servers, > a a.a.a.d = Interface address of the ASR > > External routing gets z.z.z.z to the ASR. > > +--------+ ----(a.a.a.a)-[srv1] > (Internet) --- | Router |-(a.a.a.d)---+---(a.a.a.b)-[srv2] > +--------+ ----(a.a.a.c)-[srv3] > > > z.z.z.z is the only target address, all external traffic goes there, > and it does go to a specific port. This is a DNS setup, so we can > also assume that 99.9% of the protocols seen is UDP/53. 
> > Routing on the Router is as follows: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > > > rt#sh run | i cef > ip cef load-sharing algorithm tunnel 000FFEED > > > On 7301s, typical distribution is 3:4:3 or something like that. > On the ASR I see 10:1:2 (on srv1:srv2:srv3). > > This did change immediately through the replacement of the 7301 by the ASR. > My colleague tells me, we have not one but several (like a dozen) top > talkers (out of several million), just like before the router swap. > > What could cause this phenomenon? > > 1. Traffic pattern has changed. > -> my colleague denies this > > 2. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) has been altered. > > 3. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) is now buggy. > > > Experiment 1 > > Changing the algorithm to "include-ports source". > > Did not change the traffic pattern a bit. I didn't expect a > change, since AFAIK it would do the same as the "tunnel" algorithm. 
> > > Experiment 2 > > I added a.a.a.d to srv1, a.a.a.e to srv2 and a.a.a.f to srv3 and > the appropriate routes: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > ip route z.z.z.z 255.255.255.255 a.a.a.d > ip route z.z.z.z 255.255.255.255 a.a.a.e > ip route z.z.z.z 255.255.255.255 a.a.a.f > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > nexthop a.a.a.d GigabitEthernet0/0/3 > nexthop a.a.a.e GigabitEthernet0/0/3 > nexthop a.a.a.f GigabitEthernet0/0/3 > > > This changed the distribution pattern from 10:1:2 to a somewhat > better 5:1:2. > > It still shows a strong favouring of the server with the smallest > IP address. > > > Experiment 3 > > I removed the z.z.z.z -> a.a.a.d route, so that Server 1 would > only have 1/5 of the routing table pointing to it, while Servers > 2 and 3 get twice as many slots in routing and forwarding table. > I'll spare you the cef output here. > > This changed the distribution pattern - not at all, at least not > noticeably. > > > I wonder what I have stumbled onto here, and whether someone around > or at Cisco knows about a change in the algorithms that would lead > to such an effect. > > I would also be very interested in some paper that really explained > the load-sharing algorithms, since everything one can find about the > tunnel algorithm is: > > "The tunnel keyword sets the load-balancing algorithm to one > that can be used in tunnel environments or in environments > where there are only a few IP source and destination address > pairs. " > > > I appreciate any help - the server is still holding, but it's > really bad Karma, and I'd like to find a way to do my L3 poor > man's load balancing in a working fashion. > > Elmar. 
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mduksa at gmail.com Tue Nov 25 12:51:13 2008 From: mduksa at gmail.com (Marlon Duksa) Date: Tue, 25 Nov 2008 09:51:13 -0800 Subject: [c-nsp] mpls/ip load balancing In-Reply-To: <342761.13608.qm@web25506.mail.ukl.yahoo.com> References: <342761.13608.qm@web25506.mail.ukl.yahoo.com> Message-ID: It actually works over a combination of tagged and untagged interfaces. As a matter of fact it works for both, LER and LSR cases. I have two outgoing interfaces for the same route, one tagged and one untagged. 1) On ingress I'm sending IP packets, and they are load balanced on egress. 2) On ingress I'm also sending tagged packets and they are load balanced as well on egress. So, in case: 1) I guess, the hashing is done on ingress and the FIB is consulted. And as Oli mentioned, the hashing is done on L3 info (src,dst IP)?? 2) In this case, LIB is consulted - what is hash based on? IP packets may be encapsulated few times over in this case (VLAN, another MPLS header...) Thanks, Marlon On Tue, Nov 25, 2008 at 4:15 AM, Ozgur Guler wrote: > > Best is to check "show ip cef internal" to see if the packets are load > balanced. > Afaik, IOS does not load balance between labelled and unlabelled paths. > > (Think about sending AToM or MPLS VPN traffic out towards an unlabelled > path.) > > > > --- On *Tue, 25/11/08, Marlon Duksa * wrote: > > From: Marlon Duksa > Subject: [c-nsp] mpls/ip load balancing > To: "cisco-nsp at puck.nether.net" > Date: Tuesday, 25 November, 2008, 5:19 AM > > Hi - does anyone know how load balancing by default works over two paths, > one using MPLS and the other one IP. I have the same route advertisement > received over two different interfaces. On one interface LDP is enabled (and > of course OSPF), the other interface is only OSPF enabled. 
Traffic > is definitely load balanced across the two interfaces, but I was wondering > what fields the hashing is based > on? > Thanks, > Marlon > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > From kratzers at pa.net Tue Nov 25 13:44:48 2008 From: kratzers at pa.net (Stephen Kratzer) Date: Tue, 25 Nov 2008 13:44:48 -0500 Subject: [c-nsp] multipoint VPN options Message-ID: <200811251344.49795.kratzers@pa.net> All, What options are available for a multipoint VPN for a customer with multiple connections via a dot1q-encapsulated VLAN back to a 7200 PE router? Would like to be able to offer a choice of layer 2 or layer 3, but the 7200 platform may dictate. Things to consider: - we're not running MPLS, but we could - no requirements for layer 2 yet, but it would be nice to offer - pretty sure the 7200s don't support VPLS - no requirements for encryption yet, but it would be nice to offer on top of whatever VPN architecture is used - not sure yet if they'll want to do dynamic routing across the VPN Thanks, Stephen Kratzer Network Engineer CTI Networks, Inc. From raymondh.nsp at gmail.com Tue Nov 25 13:51:47 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 26 Nov 2008 02:51:47 +0800 Subject: [c-nsp] LDP label allocation modes In-Reply-To: References: Message-ID: <0743D316-1861-4DDE-A354-002640A58093@gmail.com> It's correct. There's no way you can change it. --raymondh On Nov 25, 2008, at 9:55 AM, Marlon Duksa wrote: > Hi - does anyone know what are the default label distribution/ > allocation > modes on Cisco 7600 on Ethernet interfaces for LDP. > I suspect label distribution mode is 'downstream unsolicited' (as > opposed > to on-demand) and label allocation is 'independent control mode' (as > opposed > to ordered control). 
> > If this is correct, is there any way to change this through CLI? > Thanks, > Marlon > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From raymondh.nsp at gmail.com Tue Nov 25 13:54:19 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 26 Nov 2008 02:54:19 +0800 Subject: [c-nsp] Need help figuring out IOS versions / featuresets / MIBs In-Reply-To: <492BBDDF.6080606@surfnet.nl> References: <49999c420811242346w393618efy24ffe099d24982e3@mail.gmail.com> <492BBDDF.6080606@surfnet.nl> Message-ID: What you're looking for would be more on the AAA portion. Are you looking at any particular features inside ISG ? e.g. Subscriber Aware ? Some chassis does not support certain features of the ISG. Do take note of the VSA(s) too. --raymondh On Nov 25, 2008, at 4:57 PM, Niels den Otter wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hello cc, > > cc loo wrote: >> I have difficulties trying to figure out what versions of IOS >> provide which >> featuresets. >> >> For example i would like to know more about ISG (intelligent services >> gateway), i would like to know which IOS version supports it. >> >>> From this, i would like to find out what related information could >>> be polled >> from SNMP. >> >> I tried http://tools.cisco.com/ITDIT/MIBS/servlet/index >> IOS MIB Locator but im lost on what to input as search fields > > Have you tried the feature navigator at > > http://www.cisco.com/go/fn > ? 
> > > - -- Niels > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.8 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iEYEARECAAYFAkkrvd4ACgkQDxUhWEap0R76mgCeIlW0P9vpTTGoXutsQBYX9REP > o6UAoJKAJB2oczwf113E81WYdrYEqswr > =o4pt > -----END PGP SIGNATURE----- > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From raymondh.nsp at gmail.com Tue Nov 25 13:56:28 2008 From: raymondh.nsp at gmail.com (raymondh (NSP)) Date: Wed, 26 Nov 2008 02:56:28 +0800 Subject: [c-nsp] Vlan assignments In-Reply-To: <2c9e35ed0811250653g4bd4011dw9fed44a405ef493@mail.gmail.com> References: <2c9e35ed0811250653g4bd4011dw9fed44a405ef493@mail.gmail.com> Message-ID: <4F1062A0-AB64-4586-95F5-E5CB4D59623C@gmail.com> It's very subjective to one's environment. On Nov 25, 2008, at 10:53 PM, sheaujiun wrote: > Hi, > > I have a customer in a DSLAM/BRAS environment where they have 4 main > groups > of Vlans assignments - Data, Voice, Management and Other services. > > Currently there is not fixed rules as to how vlan ids are assigned > to the 4 > main groups. It has come to a time the network has grown to a rather > huge > size and they are trying to reassign the vlan assignments. > > Generally, the network is as such: > > DSLAM --> aggregation switch --> BRAS > > Is there a standard guideline as to how vlan assignments are to be > designed? > What considerates are needed? > e.g. Is there a need to consider how different vlans are to be > terminated > into the the aggregation switch if they are running VPLS? > How the BRAS will handle the vlans coming from the aggregation? 
> > > Sheau Jiun > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From christian at errxtx.net Tue Nov 25 14:51:37 2008 From: christian at errxtx.net (Christian Meutes) Date: Tue, 25 Nov 2008 20:51:37 +0100 Subject: [c-nsp] mpls/ip load balancing In-Reply-To: References: <342761.13608.qm@web25506.mail.ukl.yahoo.com> Message-ID: <6940D207D8B4810F613C63C4@jesk-laptop> Hey, --On Tuesday, November 25, 2008 09:51:13 -0800 Marlon Duksa wrote: > 2) In this case, LIB is consulted - what is hash based on? IP packets may > be encapsulated few times over in this case (VLAN, another MPLS > header...) usually the router consults the header under the bottomost label. If the packet is an IPv4 packet it uses the plattform dependent cef load-sharing algorithm. If it can't detect an IP packet (AToM i.e.) it uses the bottommost label to load-share across equal-cost pathes which is usually the VC label and results in all frames/cells for same customer-VC routed over the same path. Cheers, christian From elmi at 4ever.de Tue Nov 25 15:07:41 2008 From: elmi at 4ever.de (Elmar K. Bins) Date: Tue, 25 Nov 2008 21:07:41 +0100 Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed? In-Reply-To: <20081125173459.GU11474@rtp-cse-489.cisco.com> References: <20081105122448.GK93039@ronin.4ever.de> <20081125173459.GU11474@rtp-cse-489.cisco.com> Message-ID: <20081125200740.GG93039@ronin.4ever.de> rodunn at cisco.com (Rodney Dunn) wrote: > I think I recreated it. You did indeed. Since > ip cef accounting non-recursive is not currently vital, I'll keep it removed until an IOS that has this bug and the MAC accounting thingy fixed; then I'll upgrade. Btw - are the CSC BugIDs a secret? 
> get the id:
> sh plat hard cpp active feature cef prefix ip z.z.z.z | incl Next

Next Hop Address: : c0a8ff07 00000000 00000000 00000000
Next Hop Address: : c0a8ff08 00000000 00000000 00000000
Next Hop Address: : c0a8ff09 00000000 00000000 00000000
Next Hop Address: : c0a8ff07 00000000 00000000 00000000
Next Hop Address: : c0a8ff08 00000000 00000000 00000000
Next Hop Address: : c0a8ff09 00000000 00000000 00000000
Next Hop Address: : c0a8ff07 00000000 00000000 00000000
Next Hop Address: : c0a8ff08 00000000 00000000 00000000
Next Hop Address: : c0a8ff09 00000000 00000000 00000000
Next Hop Address: : c0a8ff07 00000000 00000000 00000000
Next Hop Address: : c0a8ff08 00000000 00000000 00000000
Next Hop Address: : c0a8ff09 00000000 00000000 00000000
Next Hop Address: : c0a8ff07 00000000 00000000 00000000
Next Hop Address: : c0a8ff08 00000000 00000000 00000000
Next Hop Address: : c0a8ff09 00000000 00000000 00000000

Packet distribution is now within the expected boundaries.

Thank you for your efforts!

Elmar.

From rodunn at cisco.com Tue Nov 25 15:33:07 2008
From: rodunn at cisco.com (Rodney Dunn) Date: Tue, 25 Nov 2008 15:33:07 -0500 Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed? In-Reply-To: <20081125200740.GG93039@ronin.4ever.de> References: <20081105122448.GK93039@ronin.4ever.de> <20081125173459.GU11474@rtp-cse-489.cisco.com> <20081125200740.GG93039@ronin.4ever.de> Message-ID: <20081125203307.GF15752@rtp-cse-489.cisco.com>

CSCsv98296 Equal cost routes not programmed with CEF non-recursive accounting
CSCsv93452 ASR1000 SIP crash with mac accounting

Both are recreated and we are working on the fixes. They should show up in BTK in the next day or so.

Rodney

On Tue, Nov 25, 2008 at 09:07:41PM +0100, Elmar K. Bins wrote:
> rodunn at cisco.com (Rodney Dunn) wrote:
>
> > I think I recreated it.
>
> You did indeed.
> Since > > > ip cef accounting non-recursive > > is not currently vital, I'll keep it removed until an IOS > that has this bug and the MAC accounting thingy fixed; then > I'll upgrade. > > Btw - are the CSC BugIDs a secret? > > > get the id: > > sh plat hard cpp active feature cef prefix ip z.z.z.z | incl Next > > Next Hop Address: : c0a8ff07 00000000 00000000 00000000 > Next Hop Address: : c0a8ff08 00000000 00000000 00000000 > Next Hop Address: : c0a8ff09 00000000 00000000 00000000 > Next Hop Address: : c0a8ff07 00000000 00000000 00000000 > Next Hop Address: : c0a8ff08 00000000 00000000 00000000 > Next Hop Address: : c0a8ff09 00000000 00000000 00000000 > Next Hop Address: : c0a8ff07 00000000 00000000 00000000 > Next Hop Address: : c0a8ff08 00000000 00000000 00000000 > Next Hop Address: : c0a8ff09 00000000 00000000 00000000 > Next Hop Address: : c0a8ff07 00000000 00000000 00000000 > Next Hop Address: : c0a8ff08 00000000 00000000 00000000 > Next Hop Address: : c0a8ff09 00000000 00000000 00000000 > Next Hop Address: : c0a8ff07 00000000 00000000 00000000 > Next Hop Address: : c0a8ff08 00000000 00000000 00000000 > Next Hop Address: : c0a8ff09 00000000 00000000 00000000 > > Packet distribution is now within the expected boundaries. > > Thank you for your efforts! > > Elmar. From arla at rn.dk Tue Nov 25 15:52:50 2008 From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Tue, 25 Nov 2008 21:52:50 +0100 Subject: [c-nsp] wireless access-controll feature in ios software Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk> Hi all. I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box. But I just can't remember what or where it was. Is there someone here that remember anything about this; I believe that it was an unsupported feature. 
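The "Next Hop Address" lines Elmar pasted are one entry per CEF load-sharing bucket, so an operator can read the bucket table itself to see whether every equal-cost next hop is actually programmed. The following script is an added example, not code from the thread or from Cisco: it parses that output format, decodes the hex next hop into dotted quad, and flags a prefix whose buckets are not spread over the expected number of next hops (the symptom of the accounting bug discussed above). The sample output is constructed from the shape seen in the thread.

```python
"""Check ECMP bucket balance from 'sh plat hard cpp active feature cef prefix ip'.

Added example (not from the cisco-nsp thread). Each 'Next Hop Address' line
in that IOS XE output is one load-sharing bucket; a correctly programmed
prefix cycles through all of its equal-cost next hops, while a broken one
leaves every bucket on a subset of them.
"""
import re
from collections import Counter
from ipaddress import IPv4Address

# The first 8-hex-digit word after 'Next Hop Address: :' is the IPv4 next hop.
BUCKET_RE = re.compile(r"Next Hop Address:\s*:\s*([0-9a-fA-F]{8})\b")

# Constructed sample: three next hops (192.168.255.7/8/9) over fifteen
# buckets, the healthy pattern quoted in the thread.
SAMPLE_OK = "\n".join(
    f"Next Hop Address: : {h} 00000000 00000000 00000000"
    for h in ["c0a8ff07", "c0a8ff08", "c0a8ff09"] * 5
)

# Constructed sample: what the bug looks like, all buckets on a single hop.
SAMPLE_BROKEN = "\n".join(
    "Next Hop Address: : c0a8ff07 00000000 00000000 00000000" for _ in range(15)
)


def parse_buckets(text: str) -> list[str]:
    """Return the next hop of each bucket, in table order, as dotted quads."""
    return [str(IPv4Address(int(h, 16))) for h in BUCKET_RE.findall(text)]


def bucket_shares(text: str) -> dict[str, int]:
    """Number of buckets owned by each next hop."""
    return dict(Counter(parse_buckets(text)))


def is_balanced(text: str, expected_hops: int, tolerance: int = 1) -> bool:
    """True when every expected next hop is present and no hop owns more
    than 'tolerance' buckets beyond an even split of the table."""
    shares = bucket_shares(text)
    if len(shares) != expected_hops:
        return False          # a route was not programmed at all
    fair = sum(shares.values()) / expected_hops
    return max(shares.values()) - fair <= tolerance


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        print(name, bucket_shares(sample), is_balanced(sample, expected_hops=3))
```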
/Arne From eninja at gmail.com Tue Nov 25 17:18:21 2008 From: eninja at gmail.com (e ninja) Date: Tue, 25 Nov 2008 14:18:21 -0800 Subject: [c-nsp] Non-zero CAN jam reset counter in slot In-Reply-To: <82957ce50811141210v573f3037v62cd38adb7f4c0e2@mail.gmail.com> References: <82957ce50811141210v573f3037v62cd38adb7f4c0e2@mail.gmail.com> Message-ID: Bharath, See http://solutions.mysolvr.com/MBUS_CAN_Jam_Reset_Errors_on_Cisco_GSR_12000 /eninja Pingsta ICE? - monetize your knowledge - www.pingsta.com/ice/intro On Fri, Nov 14, 2008 at 12:10 PM, bharath kondi < bluffmaster4hearts at gmail.com> wrote: > Hello, > > I am getting this type of errors when I restart the GSR, while loading the > IOS the alarm on GSR is not shown, once the whole GSR is loaded then I am > seeing this error. The led on clock shedular module showing major alarm. > > Please help me with this errors why i am getting major alarm on last module > and these errors in GSR. > > WARNING: Non-zero CAN jam reset counter in slot 17 > WARNING: Non-zero CAN jam reset counter in slot 18 > WARNING: Non-zero CAN jam reset counter in slot 20 > WARNING: Non-zero CAN jam reset counter in slot 24 > WARNING: Non-zero CAN jam reset counter in slot 26 > WARNING: Non-zero CAN jam reset counter in slot 28 > WARNING: Non-zero CAN jam reset counter in slot 29 > > > thanks alot ... > > Bharath > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From risnaini at indo.net.id Tue Nov 25 18:00:20 2008 From: risnaini at indo.net.id (a. 
rahman isnaini r.sutan) Date: Wed, 26 Nov 2008 06:00:20 +0700 Subject: [c-nsp] tclsh and ip access list help In-Reply-To: <58010.8662.qm@web57406.mail.re1.yahoo.com> References: <58010.8662.qm@web57406.mail.re1.yahoo.com> Message-ID: <492C8384.9050500@indo.net.id>

That's Cisco default: the "no access-list x" command will remove the entire access-list x from your config.

The safe way to avoid being disconnected is to ensure your IP is allowed and to remove the ip access-group on the interface before making any change to the ACL in global config.

Or it might be that Cisco is developing a kind of 'sequential' access-list with an 'insertable' command :)

a. r. isnaini rangkayo sutan

chloe K wrote:
> Hi
>
> I borrow a lab book and there is tclsh command. but I can't find it in my router
> How can I get this command working?
>
> I also have question about access list
>
> I did the following access-list
>
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.16.0.0 0.0.255.255
> access-list 10 remark this is for telnet
> access-list 10 deny any log
>
> I add extra one access-list later
> access-list 10 permit 192.168.0.0 0.0.0.255
>
> But this one is the later of those lines as below. it won't work
> access-list 10 permit 10.0.0.0 0.255.255.255
> access-list 10 permit 172.16.0.0 0.0.255.255
> access-list 10 remark this is for telnet
> access-list 10 deny any log
> access-list 10 permit 192.168.0.0 0.0.0.255
>
> I have to remove "no access-list 10 deny any log"
> But when I remove this line, I have to add all of that again
>
> How can I do it easy to add this line?
> and How can I make it reliable as it is easy to lose the connection?
>
> Thank you
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From ras at e-gerbil.net Tue Nov 25 18:10:23 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Tue, 25 Nov 2008 17:10:23 -0600 Subject: [c-nsp] OSR7609 w/Sup720-3BXL In-Reply-To: References: Message-ID: <20081125231023.GH72019@gerbil.cluepon.net> On Tue, Nov 25, 2008 at 12:25:29AM -0500, Chris Hale wrote: > Anyone know if you can use a Sup720-3BXL with a OSR7609? Are there any > restrictions on the modules/cards that you can use in the OSR7609? What's > the main differences between the OSR and non-OSR chassis? There is no such thing. OSR was a product name for a packaged 7609 + SUP2, which has since been dropped in favor of just calling it a 7609 chassis + whatever SUP you are running. http://www.cisco.com/en/US/products/hw/routers/ps368/prod_eol_notice09186a008032d52e.html -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From sheaujiun at gmail.com Tue Nov 25 18:48:26 2008 From: sheaujiun at gmail.com (sheaujiun) Date: Wed, 26 Nov 2008 07:48:26 +0800 Subject: [c-nsp] Vlan assignments In-Reply-To: <4F1062A0-AB64-4586-95F5-E5CB4D59623C@gmail.com> References: <2c9e35ed0811250653g4bd4011dw9fed44a405ef493@mail.gmail.com> <4F1062A0-AB64-4586-95F5-E5CB4D59623C@gmail.com> Message-ID: <2c9e35ed0811251548g56f2cfa8md4453ea666ae6f8a@mail.gmail.com> Yes, it seems subjective but is there possibly a general idea that can be provided? For now, I do not have give a detail plan, just introduce a general concept. On Wed, Nov 26, 2008 at 2:56 AM, raymondh (NSP) wrote: > It's very subjective to one's environment. 
> > > On Nov 25, 2008, at 10:53 PM, sheaujiun wrote: > > Hi, >> >> I have a customer in a DSLAM/BRAS environment where they have 4 main >> groups >> of Vlans assignments - Data, Voice, Management and Other services. >> >> Currently there is not fixed rules as to how vlan ids are assigned to the >> 4 >> main groups. It has come to a time the network has grown to a rather huge >> size and they are trying to reassign the vlan assignments. >> >> Generally, the network is as such: >> >> DSLAM --> aggregation switch --> BRAS >> >> Is there a standard guideline as to how vlan assignments are to be >> designed? >> What considerates are needed? >> e.g. Is there a need to consider how different vlans are to be terminated >> into the the aggregation switch if they are running VPLS? >> How the BRAS will handle the vlans coming from the aggregation? >> >> >> Sheau Jiun >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From danletkeman at gmail.com Tue Nov 25 19:02:11 2008 From: danletkeman at gmail.com (Dan Letkeman) Date: Tue, 25 Nov 2008 18:02:11 -0600 Subject: [c-nsp] IP Sla Configuration Message-ID: Hello, I have 5 different route's on our 2821 router and I'm running IP SLA to dynamically remove routes if they are down. The problem is that when I monitor the address of the device, but the link is up but flaky it still responds and does not remove the route. The device i'm monitoring is an 827 router with an adsl connection. Is there a better way to configure it that what I have done? ip sla 1 icmp-echo *.*.56.144 timeout 3000 frequency 5 ip sla schedule 1 life forever start-time now ip route 0.0.0.0 0.0.0.0 192.168.11.101 track 1 track 1 ip sla 1 reachability Thanks, Dan. 
From bennetb at gmail.com Tue Nov 25 19:19:43 2008
From: bennetb at gmail.com (Brandon Bennett) Date: Tue, 25 Nov 2008 17:19:43 -0700 Subject: [c-nsp] tclsh and ip access list help In-Reply-To: <492C8384.9050500@indo.net.id> References: <58010.8662.qm@web57406.mail.re1.yahoo.com> <492C8384.9050500@indo.net.id> Message-ID:

On Tue, Nov 25, 2008 at 4:00 PM, a. rahman isnaini r.sutan wrote:
> That's Cisco default, no access-list x command will remove entire
> access-list x from your config.
> Safe way from being disconnected is ensuring your ip is allowed & remove ip
> access-group in interface before making any change to acl in global config.
>
> Or it might cisco developing kind of 'sequential' access-list whit '
> insertable ' command :)

Named access-lists can do this now. You can even use named access-list type commands on numbered ACLs.

You can actually achieve this with Cisco's new named access-lists. You can even use the named access-list commands on numbered ACLs.

For example:

Router(config)# access-list 10 permit 10.0.0.0 0.255.255.255
Router(config)#access-list 10 permit 172.16.0.0 0.0.255.255
Router(config)#access-list 10 remark this is for telnet
Router(config)#access-list 10 deny any log
Router(config)#end
Router#show access-list 10
Standard IP access list 10
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 permit 172.16.0.0, wildcard bits 0.0.255.255
    30 deny   any log
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list standard 10
Router(config-std-nacl)#25 permit 192.168.0.0 0.0.0.255
Router(config-std-nacl)#end
Router#show access-list 10
Standard IP access list 10
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 permit 172.16.0.0, wildcard bits 0.0.255.255
    25 permit 192.168.0.0, wildcard bits 0.0.0.255
    30 deny   any log
Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#ip access-list ?
  extended    Extended Access List
  log-update  Control access list log updates
  logging     Control access list logging
  resequence  Resequence Access List
  standard    Standard Access List
Router(config)#ip access-list re
Router(config)#ip access-list resequence ?
  <1-99>       Standard IP access-list number
  <100-199>    Extended IP access-list number
  <1300-1999>  Standard IP access-list number (expanded range)
  <2000-2699>  Extended IP access list number (expanded range)
  WORD         Access-list name
Router(config)#ip access-list resequence 10 ?
  <1-2147483647>  Starting Sequence Number
Router(config)#ip access-list resequence 10 10 ?
  <1-2147483647>  Step to increment the sequence number
Router(config)#ip access-list resequence 10 10 10 ?
Router(config)#ip access-list resequence 10 10 10
Router(config)#end
Router#show access-list 10
Standard IP access list 10
    10 permit 10.0.0.0, wildcard bits 0.255.255.255
    20 permit 172.16.0.0, wildcard bits 0.0.255.255
    30 permit 192.168.0.0, wildcard bits 0.0.0.255
    40 deny   any log
Router#

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00800a5b9a.shtml

-Brandon

From mtinka at globaltransit.net Tue Nov 25 20:57:30 2008
From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 26 Nov 2008 09:57:30 +0800 Subject: [c-nsp] mpls/ip load balancing In-Reply-To: References: <342761.13608.qm@web25506.mail.ukl.yahoo.com> Message-ID: <200811260957.31283.mtinka@globaltransit.net>

On Wednesday 26 November 2008 01:51:13 Marlon Duksa wrote:
> 2) In this case, LIB is consulted - what is hash based
> on? IP packets may be encapsulated few times over in this
> case (VLAN, another MPLS header...)
> Thanks,

If the payload is IP, hashing is done based on the underlying IP header.

If the payload is non-IP, hashing is done based on the innermost MPLS label.

Cheers,

Mark.
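The session above works because a standard ACL is evaluated first match wins, with an implicit deny at the end, so where a new entry lands in the sequence decides whether it ever matches. The Python below is an added example, not code from the thread or from Cisco: it models that evaluation (wildcard masks, sequence-number insert, resequence) and adds the check the earlier reply recommends, confirming the address you are managing the box from is still permitted before the change goes live. All addresses are the thread's own plus constructed sample sources.

```python
"""Model of a Cisco standard numbered ACL with sequence numbers.

Added example (not from the cisco-nsp thread). It reproduces the semantics
the thread relies on: first-match evaluation, IOS wildcard (inverse) masks,
the implicit 'deny any' at the end, insertion at a chosen sequence number,
and 'ip access-list resequence <acl> <start> <step>'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address


def _to_int(ip: str) -> int:
    return int(IPv4Address(ip))


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                  # 'permit' or 'deny'
    network: str
    wildcard: str = "0.0.0.0"    # IOS wildcard: a 1 bit means "don't care"
    log: bool = False

    def matches(self, ip: str) -> bool:
        # Only the bits where the wildcard is 0 take part in the comparison.
        care = ~_to_int(self.wildcard) & 0xFFFFFFFF
        return (_to_int(ip) & care) == (_to_int(self.network) & care)

    def render(self) -> str:
        if self.wildcard == "255.255.255.255":
            target = "any"
        elif self.wildcard == "0.0.0.0":
            target = self.network
        else:
            target = f"{self.network} {self.wildcard}"
        return f"{self.seq} {self.action} {target}" + (" log" if self.log else "")


class StandardAcl:
    def __init__(self, number: int):
        self.number = number
        self.entries: list[Entry] = []

    def add(self, action, network, wildcard="0.0.0.0", log=False, seq=None):
        """Append (IOS default: next multiple of 10) or insert at 'seq'."""
        if seq is None:
            seq = (self.entries[-1].seq // 10 + 1) * 10 if self.entries else 10
        if any(e.seq == seq for e in self.entries):
            raise ValueError(f"sequence {seq} already in use")
        self.entries.append(Entry(seq, action, network, wildcard, log))
        self.entries.sort(key=lambda e: e.seq)

    def resequence(self, start: int = 10, step: int = 10) -> None:
        """Equivalent of 'ip access-list resequence <n> <start> <step>'."""
        self.entries = [
            Entry(start + i * step, e.action, e.network, e.wildcard, e.log)
            for i, e in enumerate(self.entries)
        ]

    def evaluate(self, ip: str) -> str:
        """First matching entry wins; anything unmatched hits the implicit deny."""
        for e in self.entries:
            if e.matches(ip):
                return e.action
        return "deny"

    def render(self) -> list[str]:
        return [f"Standard IP access list {self.number}"] + [e.render() for e in self.entries]


def lockout_check(acl: StandardAcl, admin_ip: str) -> bool:
    """Would the management session from admin_ip survive this ACL?"""
    return acl.evaluate(admin_ip) == "permit"


def build_thread_acl(insert_seq=25) -> StandardAcl:
    """The ACL from the thread. insert_seq=None appends the new line the way
    the original poster did (it lands after 'deny any' and never matches);
    insert_seq=25 is the fix shown in the reply."""
    acl = StandardAcl(10)
    acl.add("permit", "10.0.0.0", "0.255.255.255")
    acl.add("permit", "172.16.0.0", "0.0.255.255")
    acl.add("deny", "0.0.0.0", "255.255.255.255", log=True)   # 'deny any log'
    acl.add("permit", "192.168.0.0", "0.0.0.255", seq=insert_seq)
    return acl


if __name__ == "__main__":
    for seq in (None, 25):
        acl = build_thread_acl(seq)
        print("\n".join(acl.render()))
        print("admin 192.168.0.7 still permitted:", lockout_check(acl, "192.168.0.7"))
```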
From RTeller at deltadentalwa.com Tue Nov 25 22:07:05 2008
From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 25 Nov 2008 19:07:05 -0800 Subject: [c-nsp] 4402 guest wireless access In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0188E@tiger.deltadentalwa.com> References: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0188E@tiger.deltadentalwa.com> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018A3@tiger.deltadentalwa.com>

The issue was resolved by updating the DNS entry for the hostname of the device to reflect the virtual IP address instead of the management IP address.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
Sent: Tuesday, November 25, 2008 6:52 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 4402 guest wireless access

I am trying to configure a 4402 controller to allow basic web authentication to guest users. I am using Cisco 1131 APs and a 4402 WLC. If the guest connects with a WPA key it works, but as soon as I require web authentication it just hangs at the redirect screen. Any suggestions?

From Jaime at ulima.edu.pe Tue Nov 25 21:54:24 2008
From: Jaime at ulima.edu.pe (Velasquez Venegas Jaime Omar) Date: Tue, 25 Nov 2008 21:54:24 -0500 Subject: [c-nsp] wireless access-controll feature in ios software In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk> Message-ID: <8DD1F4B50477AC45A35AB5F8C03B62C40185688B@sauce.ulima.ul>

One year ago I was looking for the same. As far as my research went, Cisco supports a kind of "captive portal" only on specific hardware platforms and with the following components:

SSG - Service Selection Gateway
SESM - Subscriber Edge Service Manager
and an auth server.

Back in that time, my impression was that the whole solution comprises a number of components that far exceeds the implementation of a simple captive portal. Maybe this has changed since.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Tuesday, November 25, 2008 3:53 PM
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] wireless access-controll feature in ios software

Hi all.

I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box. But I just can't remember what or where it was. Is there someone here that remembers anything about this; I believe that it was an unsupported feature.
/Arne

From gkg at gmx.de Wed Nov 26 00:20:36 2008
From: gkg at gmx.de (Garry)
Date: Wed, 26 Nov 2008 06:20:36 +0100
Subject: [c-nsp] 3560G Update - which IOS?
Message-ID: <492CDCA4.3010404@gmx.de>

Hi,

we're running several 3560Gs, a couple with a relatively old 12.2(25), some with the newer (35). I have one or two features that I know have been added since 25 and are available with (35), so I would prefer to upgrade at least to that, which I know has run flawlessly for a year or so ... the question is: should I dare to upgrade to a more recent version, or are there any known issues? Also, is there a list of features that have been added in the respective sub-releases, so I can decide whether I even need a newer version than what I know to work?

Tnx, -garry

From mtinka at globaltransit.net Wed Nov 26 00:54:53 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 26 Nov 2008 13:54:53 +0800
Subject: [c-nsp] 3560G Update - which IOS?
In-Reply-To: <492CDCA4.3010404@gmx.de>
References: <492CDCA4.3010404@gmx.de>
Message-ID: <200811261355.01366.mtinka@globaltransit.net>

On Wednesday 26 November 2008 13:20:36 Garry wrote:

> we're running several 3560G's, a couple with a relatively
> old 12.2(25), some with the newer (35). I have one or two
> features that I know have been added since 25 and are
> available with (35), so I would prefer to upgrade at
> least to that, which I know has run flawlessly for a year
> or so ... question is - should I dare to upgrade to a
> more recent version, or are there any issues known? Also,
> is there a list of features that have been added in the
> respective sub-releases, in order to decide whether I
> even need a newer version than what I know to work?
We've been happy with 12.2(44)SE2; but admittedly, we only use our 3560G's as Layer 2 devices.

There's a known cosmetic issue with this release:

#sh ver | i memory
cisco WS-C3560G-48TS (PowerPC405) processor (revision D0) with 0K/8184K bytes of memory.
                                                               ^^^^^^^^
512K bytes of flash-simulated non-volatile configuration memory.
#

Other than that, we've had no real issues to report. You probably want to take a look at the release notes for more current revisions to see if there's anything you like, or don't like.

Mark.

From Damien.Vigar at det.nsw.edu.au Wed Nov 26 00:17:56 2008
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Wed, 26 Nov 2008 16:17:56 +1100
Subject: [c-nsp] Windows server hangs connected to 3750
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>

Hi all,

We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else. It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.

We've put the servers in question back onto Fast Ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.

We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?

Cheers,

Damien

**********************************************************************
This message is intended for the addressee named and may contain privileged information or confidential information or both. If you are not the intended recipient please delete it and notify the sender.
**********************************************************************

From ariemer at wesenergy.com.au Wed Nov 26 02:12:00 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 26 Nov 2008 16:12:00 +0900
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
Message-ID: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local>

Hey guys,

I am hoping someone out there has configured something similar, as I am having a lot of grief getting this working.

Essentially what we are trying to do is to allow our VPN clients to access other L2L sites that terminate on the same outside interface. See below for details.

VPN client address range: 10.100.1.100-200/24
VPN client default gateway: 10.100.1.1/24 (inside 3750 switch, next hop after ASA)
ASA inside address: 10.100.1.10/24
VPN tunnel peer addressing: 172.16.0.0/16

We have configured the necessary commands to allow this hairpinning, i.e. 'same-security-traffic permit intra-interface'. The relevant VPN rules and nonat are in place to allow the entire 10.100.1.0/24 range across the L2L tunnel, and this has been tested by attempting to telnet to a web server at the tunnel destination via the inside 3750.

It's just the VPN clients on the outside interface that can't seem to get through the tunnel. What makes things even more confusing is that ICMP goes across no problem but no TCP traffic will pass (no SYN-ACK received from the web server). I have checked the logs and they don't indicate that any traffic is being denied. I can see the connection being built twice, from the outside back to the inside default gateway, then back from the inside (maybe this is the problem: do we need to make the VPN client pool gateway address an address on the firewall??)
2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to Inside:172.16.1.10/80 (172.16.1.10/80)
2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to Inside:10.100.1.101/2523 (10.100.1.101/2523)

Thanks in advance.

Aaron.

LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From gert at greenie.muc.de Wed Nov 26 02:34:01 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 26 Nov 2008 08:34:01 +0100
Subject: [c-nsp] tclsh and ip access list help
In-Reply-To: <492C8384.9050500@indo.net.id>
References: <58010.8662.qm@web57406.mail.re1.yahoo.com> <492C8384.9050500@indo.net.id>
Message-ID: <20081126073401.GX8535@greenie.muc.de>

Hi,

On Wed, Nov 26, 2008 at 06:00:20AM +0700, a. rahman isnaini r.sutan wrote:
> Or Cisco might be developing a kind of 'sequential' access-list with an
> 'insertable' command :)

They already have. Named ACLs always had this, and in "very recent" IOS versions (SXH, at least, haven't checked 12.4*), you can do this for numbered ACLs as well.

gert

-- 
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
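Gert's point about sequence numbers, written out as an added example; this is not configuration from the thread or from any poster, and the ACL name, the subnets and the vty range are illustrative assumptions. The operational reason it matters: on a classic numbered ACL without entry editing, `no access-list 20 ...` removes the entire list rather than the one line, whereas with sequence numbers a single entry can be inserted, removed or renumbered while the list stays applied to the vtys.

```cisco
! Added example, not from the thread. ACL name, subnets and vty range are
! illustrative assumptions. Sequence-number editing needs 12.3(2)T / 12.2(14)S
! or later for named ACLs; numbered-ACL editing depends on release, as Gert says.
!
! Initial list: allow one management block to the vtys, log everything else.
ip access-list standard MGMT-VTY
 10 permit 10.0.0.0 0.255.255.255
 20 deny   any log
!
line vty 0 4
 access-class MGMT-VTY in
!
! Later change: carve one subnet out of the permit. The new entry must sit
! BEFORE entry 10, so it gets sequence 5; the other entries are untouched
! and the access-class stays applied throughout the edit.
ip access-list standard MGMT-VTY
 5 deny 10.99.0.0 0.0.255.255 log
!
! Remove a single entry by its sequence number (not the whole list):
ip access-list standard MGMT-VTY
 no 5
!
! Reopen gaps in the numbering (first entry 10, step 10):
ip access-list resequence MGMT-VTY 10 10
!
! On releases with the numbered-ACL editing Gert mentions, the same
! sequence-number editing applies to a classic numbered list:
ip access-list standard 20
 5 deny 192.168.0.0 0.0.0.255 log
!
! Check the result; sequence numbers are shown per entry:
! show ip access-lists MGMT-VTY
```

Entry order is what gets evaluated, not the order in which lines were typed, so a deny that has to win over an existing permit needs a lower sequence number than that permit; `ip access-list resequence` is the way to get one when the numbers are contiguous.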
From td_miles at yahoo.com Wed Nov 26 02:47:40 2008
From: td_miles at yahoo.com (Tony)
Date: Tue, 25 Nov 2008 23:47:40 -0800 (PST)
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
In-Reply-To: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local>
Message-ID: <477208.9218.qm@web110107.mail.gq1.yahoo.com>

Hi Aaron,

I have set this up before (it was set up many years ago on PIX v7 but is still used today) and it does work.

I would suggest you change the VPN client address pool to a totally DIFFERENT range. At the moment it seems that it is part of the same /24 that is on the ASA interface. You may need to add a static route to any internal gateways so that they know about this new IP range you are using (this depends on your setup). You will also need to ensure that this new address range is added to the ACL for the match traffic on your static tunnels.

Here is a Cisco doc on doing this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Look about halfway down the page for the section "Add a Remote Access VPN to the Configuration". The description for this says "This section provides the required procedures to add remote access capability and to allow remote users to access all sites." which would appear to be exactly what you want to do. In the example they have, they also use a separate subnet for the remote users.

regards,
Tony.

--- On Wed, 26/11/08, Aaron Riemer wrote:

> From: Aaron Riemer
> Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, 26 November, 2008, 6:12 PM
> Hey guys,
>
> I am hoping someone out there has configured something similar as I am
> having a lot of grief getting this working.
>
> Essentially what we are trying to do is to allow our VPN clients to
> access other L2L sites that terminate on the same outside interface. See
> below for details.
>
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>
> We have configured the necessary commands to allow this hairpinning..
> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire 10.100.1.0/24 range
> across the L2L tunnel and this has been tested by attempting to telnet
> to a web server at the tunnel destination via the inside 3750.
>
> It's just the VPN clients on the outside interface can't seem to get
> through the tunnel. What makes things even more confusing is that ICMP
> goes across no problem but no TCP traffic will pass. (No SYN-ACK
> received from the web server). I have checked the logs and they don't
> indicate that any traffic is being denied. I can see the connection
> being built twice from the outside back to the inside default gateway
> then back from the inside (maybe this is the problem do we need to make
> the vpn client pool gateway address an address on the firewall??)
>
> 2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
> Inside:172.16.1.10/80 (172.16.1.10/80)
> 2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>
> Thanks in advance.
>
> Aaron.
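Tony's recipe (separate client pool, static route on the inside gateway, pool added to the L2L match ACL) written out as an added example. This is not Aaron's configuration and not from the Cisco document Tony links; the object names, the 10.200.1.0/24 client pool, the L2L peer 203.0.113.10 and the transform set are assumptions, while 10.100.1.0/24 and 172.16.0.0/16 come from Aaron's post. Syntax is the pre-8.3 NAT model of ASA 7.x/8.0/8.2. The pieces that are usually missed in a hairpin setup are marked in the comments.

```cisco
! Added example (pre-8.3 ASA syntax), not from the thread. Names, the
! 10.200.1.0/24 client pool, peer 203.0.113.10 and the transform set are
! assumptions; 10.100.1.0/24 (inside) and 172.16.0.0/16 (remote) are from the post.
!
! 1. Let decrypted traffic leave the interface it arrived on (the hairpin).
same-security-traffic permit intra-interface
!
! 2. Client pool on its own subnet, NOT carved out of the inside /24, so the
!    ASA does not have to proxy-ARP for addresses on its own inside segment.
ip local pool RA-POOL 10.200.1.1-10.200.1.254 mask 255.255.255.0
!
! 3. NAT exemption. The client->L2L flow enters AND leaves on "outside", so
!    it needs an exemption on the outside interface, not only on inside.
access-list NONAT-INSIDE  extended permit ip 10.100.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list NONAT-INSIDE  extended permit ip 10.100.1.0 255.255.255.0 10.200.1.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 10.200.1.0 255.255.255.0 172.16.0.0 255.255.0.0
nat (inside)  0 access-list NONAT-INSIDE
nat (outside) 0 access-list NONAT-OUTSIDE
!
! 4. The L2L crypto ACL must list the client pool as a source. The far end's
!    crypto ACL must be the mirror image, or phase 2 never comes up for
!    these flows and they die silently (no deny in the log, just no SA).
access-list L2L-SITE-A extended permit ip 10.100.1.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list L2L-SITE-A extended permit ip 10.200.1.0 255.255.255.0 172.16.0.0 255.255.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-SITE-A
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set transform-set ESP-3DES-SHA
crypto map OUTSIDE-MAP interface outside
!
! 5. Clients must be told to send 172.16.0.0/16 into their own tunnel.
access-list RA-SPLIT standard permit 10.100.1.0 255.255.255.0
access-list RA-SPLIT standard permit 172.16.0.0 255.255.0.0
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value RA-SPLIT
tunnel-group RA-GROUP type ipsec-ra
tunnel-group RA-GROUP general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
!
! 6. Inside hosts reach the pool via the ASA's inside address. On the 3750:
!    ip route 10.200.1.0 255.255.255.0 10.100.1.10
!
! 7. ICMP passes but TCP stalls: a DF ping that fails above 1300 bytes of
!    payload means the client path carries ~1328-byte packets, so clamp the
!    MSS to payload + 28 (IP/ICMP) - 40 (IP/TCP) = 1288, rounded down. This
!    setting is global on the ASA and affects all through-traffic.
sysopt connection tcpmss 1280
!
! Verify: show crypto ipsec sa peer 203.0.113.10   (an SA for 10.200.1.0/24 must exist)
!         show xlate                               (no translation for 10.200.1.x -> 172.16.x.x)
```

The log lines in Aaron's post show the ASA building the connection towards "Inside", which is the symptom of the pool overlapping the inside /24: the firewall treats the client address as an inside host instead of steering the flow back out through the L2L map. Moving the pool off that subnet and giving the L2L ACL (both ends) a matching entry for it is what changes the forwarding decision.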
From avayner at cisco.com Wed Nov 26 02:52:07 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 26 Nov 2008 08:52:07 +0100
Subject: [c-nsp] IP Sla Configuration
In-Reply-To: 
References: 
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50239D9DE@xmb-ams-331.emea.cisco.com>

Dan,

Take a look at EEM:
http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview_ps6441_TSD_Products_Configuration_Guide_Chapter.html

You can monitor things like counters (CRC etc.) and other more advanced things, and act when something is wrong.

Take a look, and let me know if you need further info.
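Dan's tracked default route (quoted further down in this thread) and Arie's EEM pointer, combined into one added example that is not from either poster. 192.0.2.144 stands in for Dan's masked probe target, FastEthernet0/1 for the interface towards the 827, and every threshold is an assumption to tune; only the next hop 192.168.11.101 is from Dan's post. Two things address the "link is up but flaky" case: the probe measures round-trip time instead of bare reachability, and EEM watches the interface error counters directly.

```cisco
! Added example, not from the thread. 192.0.2.144 stands in for Dan's masked
! target, FastEthernet0/1 for the interface towards the 827, and all
! thresholds are assumptions. Next hop 192.168.11.101 is from the post.
!
! Probe: a flaky line still answers pings, so measure round-trip time and
! treat slow answers as failures. "threshold" must be <= "timeout" (both ms).
ip sla 1
 icmp-echo 192.0.2.144 source-interface FastEthernet0/1
 timeout 1000
 threshold 500
 frequency 5
ip sla schedule 1 life forever start-time now
!
! Host route so the probe can only travel over the link being tested.
! Without it, once the default route fails over the probe follows the new
! default and reports the dead path as alive.
ip route 192.0.2.144 255.255.255.255 192.168.11.101
!
! Track "state", not "reachability": reachability stays up on over-threshold
! replies, state goes down on them. The delay stops the route from flapping
! on a single lost or slow probe.
track 1 ip sla 1 state
 delay down 15 up 60
!
ip route 0.0.0.0 0.0.0.0 192.168.11.101 track 1
!
! EEM (Arie's suggestion): act on the interface counters themselves. Here,
! 20 or more CRC errors within one 30 s poll interval logs and shuts the
! port, which fails the probe (and so withdraws the route) even while pings
! still get through. Bringing the port back up is deliberately left manual.
event manager applet ADSL-CRC
 event interface name FastEthernet0/1 parameter input_errors_crc entry-op ge entry-val 20 entry-type increment poll-interval 30
 action 1.0 syslog priority errors msg "CRC errors on $_interface_name over threshold, shutting it down"
 action 2.0 cli command "enable"
 action 2.1 cli command "configure terminal"
 action 2.2 cli command "interface $_interface_name"
 action 2.3 cli command "shutdown"
!
! Verify: show ip sla statistics 1 / show track 1 / show event manager policy registered
```

The host route for the probe target is the part most often forgotten: with five tracked defaults, each probe needs a route that pins it to its own link, otherwise the first failover silently turns the remaining probes into tests of whichever path is currently default.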
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Wednesday, November 26, 2008 02:02 AM
To: cisco_nsp
Subject: [c-nsp] IP Sla Configuration

Hello,

I have 5 different routes on our 2821 router and I'm running IP SLA to dynamically remove routes if they are down. The problem is that when I monitor the address of the device, and the link is up but flaky, it still responds and does not remove the route. The device I'm monitoring is an 827 router with an ADSL connection. Is there a better way to configure it than what I have done?

ip sla 1
 icmp-echo *.*.56.144
 timeout 3000
 frequency 5
ip sla schedule 1 life forever start-time now

ip route 0.0.0.0 0.0.0.0 192.168.11.101 track 1

track 1 ip sla 1 reachability

Thanks,
Dan.

From ariemer at wesenergy.com.au Wed Nov 26 02:51:19 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 26 Nov 2008 16:51:19 +0900
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
In-Reply-To: <477208.9218.qm@web110107.mail.gq1.yahoo.com>
References: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local> <477208.9218.qm@web110107.mail.gq1.yahoo.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F11064E0BA5@MAILWA01.wesenergy.local>

Hi Tony,

Thanks for your advice. I have read this before; I might just set up another pool for testing to see if this works. Also I was thinking it may be an MSS/MTU issue, as trying to ping without fragmentation with anything above 1300 bytes returns the error "Packet needs fragmentation but DF bit set". Sysopt connection tcpmss??

Thanks!

Aaron.
-----Original Message-----
From: Tony [mailto:td_miles at yahoo.com]
Sent: Wednesday, 26 November 2008 4:48 PM
To: cisco-nsp at puck.nether.net; Aaron Riemer
Subject: Re: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface

Hi Aaron,

I have set this up before (it was set up many years ago on PIX v7 but is still used today) and it does work.

I would suggest you change the VPN client address pool to a totally DIFFERENT range. At the moment it seems that it is part of the same /24 that is on the ASA interface. You may need to add a static route to any internal gateways so that they know about this new IP range you are using (this depends on your setup). You will also need to ensure that this new address range is added to the ACL for the match traffic on your static tunnels.

Here is a Cisco doc on doing this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Look about halfway down the page for the section "Add a Remote Access VPN to the Configuration". The description for this says "This section provides the required procedures to add remote access capability and to allow remote users to access all sites." which would appear to be exactly what you want to do. In the example they have, they also use a separate subnet for the remote users.

regards,
Tony.

--- On Wed, 26/11/08, Aaron Riemer wrote:

> From: Aaron Riemer
> Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, 26 November, 2008, 6:12 PM
> Hey guys,
>
> I am hoping someone out there has configured something similar as I am
> having a lot of grief getting this working.
>
> Essentially what we are trying to do is to allow our VPN clients to
> access other L2L sites that terminate on the same outside interface. See
> below for details.
>
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>
> We have configured the necessary commands to allow this hairpinning..
> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire 10.100.1.0/24 range
> across the L2L tunnel and this has been tested by attempting to telnet
> to a web server at the tunnel destination via the inside 3750.
>
> It's just the VPN clients on the outside interface can't seem to get
> through the tunnel. What makes things even more confusing is that ICMP
> goes across no problem but no TCP traffic will pass. (No SYN-ACK
> received from the web server). I have checked the logs and they don't
> indicate that any traffic is being denied. I can see the connection
> being built twice from the outside back to the inside default gateway
> then back from the inside (maybe this is the problem do we need to make
> the vpn client pool gateway address an address on the firewall??)
>
> 2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
> Inside:172.16.1.10/80 (172.16.1.10/80)
> 2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>
> Thanks in advance.
>
> Aaron.
From adrian at creative.net.au Wed Nov 26 03:09:25 2008
From: adrian at creative.net.au (Adrian Chadd)
Date: Wed, 26 Nov 2008 17:09:25 +0900
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
Message-ID: <20081126080925.GA10747@skywalker.creative.net.au>

Hm, are the servers configured in some kind of active/failover or somesuch?

I vaguely remember the default Windows method of "failover" causing no end of trouble to default-configured Cisco switches as MAC addresses ping-pong between ports..

Adrian

On Wed, Nov 26, 2008, Vigar, Damien wrote:
> Hi all,
>
> We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else.
> It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.
>
> We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.
>
> We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?
>
> Cheers,
>
> Damien

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From koug at intracom.gr Wed Nov 26 02:33:18 2008
From: koug at intracom.gr (John Kougoulos)
Date: Wed, 26 Nov 2008 09:33:18 +0200 (GTB Standard Time)
Subject: [c-nsp] wireless access-controll feature in ios software
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk>
Message-ID: 

Hello,

perhaps you are looking for this:

Consent Feature for Cisco IOS Routers 12.4(15)T
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html

However, you can also use the embedded captive portal when you use Cisco WLC controllers, or you can also try Chillispot.

--koug

On Tue, 25 Nov 2008, Arne Larsen / Region Nordjylland wrote:

> Hi all.
>
> I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box.
> But I just can't remember what or where it was. Is there someone here that remembers anything about this; I believe that it was an unsupported feature.
>
> /Arne

From dgranzer at gmail.com Wed Nov 26 03:19:45 2008
From: dgranzer at gmail.com (David Granzer)
Date: Wed, 26 Nov 2008 09:19:45 +0100
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
Message-ID: <844ef89c0811260019u55ba4877ycfc70b4fa0138f3b@mail.gmail.com>

Hello,

some 1000T SFPs are 1000-Full only and do not support auto-negotiation. You can try setting 1000-Full on the servers and check if that helps.

Regards,
David

On Wed, Nov 26, 2008 at 6:17 AM, Vigar, Damien wrote:
> Hi all,
>
> We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else. It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.
>
> We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.
>
> We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?
>
> Cheers,
>
> Damien

From b.turnbow at twt.it Wed Nov 26 03:22:05 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 26 Nov 2008 09:22:05 +0100
Subject: [c-nsp] wireless access-controll feature in ios software
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk>
Message-ID: 

You mean the authentication proxy in IOS?
http://www.cisco.com/en/US/docs/ios/12_0t/12_0t5/feature/guide/iosfw2_1.html

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland
Sent: Tuesday, 25 November 2008 21:53
To: 'cisco-nsp at puck.nether.net'
Subject: [c-nsp] wireless access-controll feature in ios software

Hi all.

I'm searching my memory for an IOS feature that I seem to remember, which can authenticate wireless users via an authentication website configured directly on the IOS box. But I just can't remember what or where it was. Is there someone here who remembers anything about this? I believe it was an unsupported feature.
/Arne

From td_miles at yahoo.com Wed Nov 26 03:31:30 2008
From: td_miles at yahoo.com (Tony)
Date: Wed, 26 Nov 2008 00:31:30 -0800 (PST)
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
Message-ID: <748865.92820.qm@web110112.mail.gq1.yahoo.com>

Damien,

What sort of troubleshooting have you done thus far? Some questions/suggestions:

* Check to make sure MAC addresses on the servers aren't the same. Sounds strange, but I've had it before (from a reputable vendor whose name is abbreviated to 3 letters).
* Hard-code both switch & server to 1000/full to make sure you're not getting speed/duplex mismatches.
* Does the problem continue to happen when ONLY the servers are connected to the switch (i.e. isolated from the rest of the network)?
* Try new GBICs to check they aren't bad. Swap the ones that aren't working for some that are known to work (you mentioned you have some switches/servers that are working).
* Change the NIC in the server. You're probably using the onboard NICs, so this would mean adding a PCI Gb NIC to a server to test.
* Move one of your servers that IS working to the same switchport that isn't working with these new servers. This will pretty much rule out the switch (provided that it continues to work) and you can start looking at the servers harder.
* Does it happen immediately (i.e. as soon as you connect the servers) or does it take minutes/hours for the problem to show up?
* Have you got anything fancy configured on the switch?
* To attempt to see if it's a software issue you could boot up a live Linux distro (e.g. Knoppix) and see if it has the same problems with the Gb cards/switch.
  If that works fine, then a reinstall of Windows might be called for, following that up with MS tech support if the problem still occurs.
* I think someone else already asked if you're doing anything fancy like clustering or load sharing/balancing?

regards,
Tony.

--- On Wed, 26/11/08, Vigar, Damien wrote:

> From: Vigar, Damien
> Subject: [c-nsp] Windows server hangs connected to 3750
> To: "cisco-nsp at puck.nether.net"
> Date: Wednesday, 26 November, 2008, 4:17 PM
> Hi all,
>
> We are experiencing an issue with Windows 2003R2 servers
> connected to our 3560/3750 switches via a 1000T SFP GBIC.
> The servers appear to hang, responding to a ping but not to
> anything else. It looks to us like an issue with the
> servers, but our server administrator insists that it must
> be the GBIC/switch combination.
>
> We've put the servers in question back onto fast
> ethernet ports, and haven't seen any problems in the
> meantime. Other sites' servers are running fine on the
> same GBIC/switch combination.
>
> We've tried to find anything relating to this issue
> online, with no luck. Any ideas on where to go next?
>
>
> Cheers,
>
> Damien

From vinzoda.hitesh at gmail.com Wed Nov 26 04:30:32 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Wed, 26 Nov 2008 01:30:32 -0800
Subject: [c-nsp] ASA AIP-SSM-10
Message-ID: 

Dear all,

We were upgrading the patches on an AIP-SSM-10 and the IPS does not seem to be coming up after the reload. The module status is UNRESPONSIVE. Moreover, we haven't configured recovery on it. Please suggest how to bring up the IDS from scratch.
Thanks
Ronnie

From hegedus.gabor at euroway.hu Wed Nov 26 04:36:22 2008
From: hegedus.gabor at euroway.hu (Hegedus Gabor)
Date: Wed, 26 Nov 2008 10:36:22 +0100
Subject: [c-nsp] Cisco sw mac based auth
Message-ID: <492D1896.2060001@euroway.hu>

Hi all,

I hope this is a good mailing list, and I will get an answer to my problem:

I use 802.1x for user authentication, and still have a switch configured for AAA (radius). I want to use mac address based authentication:
- I plug in my cable,
- pc sends auth (contains mac; hostname and pass not important) to switch
- the switch gets it and forwards it to my freeradius server like username: MAC, passwd: MAC.
- and my freeradius allows the authentication, and this time username/pass is not necessary, the mac is enough.

I found a config command like:
aaa port-access mac-based
but it is only for HP devices. What can I use for cisco?
Finally, how can I set up mac based authentication on a cisco sw?

thx
Gabor

From pavel.skovajsa at gmail.com Wed Nov 26 05:52:40 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Wed, 26 Nov 2008 11:52:40 +0100
Subject: [c-nsp] SM SFP over MM cable
Message-ID: <323aca890811260252g3e738316ra42bb8af854243b5@mail.gmail.com>

Hello,

I have heard stories that a normal LX single mode SFP works fine over any MM fiber. Is that true? Does it have any distance limitation? Is there any doc I can read so that I understand what the various possibilities are to mix/match various SM/MM SFPs etc.

Regards,
Pavel Skovajsa

From risnaini at indo.net.id Wed Nov 26 06:03:42 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Wed, 26 Nov 2008 18:03:42 +0700
Subject: [c-nsp] tclsh and ip access list help
In-Reply-To: <20081126073401.GX8535@greenie.muc.de>
References: <58010.8662.qm@web57406.mail.re1.yahoo.com> <492C8384.9050500@indo.net.id> <20081126073401.GX8535@greenie.muc.de>
Message-ID: <492D2D0E.9020002@indo.net.id>

Cool.

Gert Doering wrote:
> Hi,
>
> On Wed, Nov 26, 2008 at 06:00:20AM +0700, a.
rahman isnaini r.sutan wrote:
>> Or it might be cisco developing a kind of 'sequential' access-list with an
>> 'insertable' command :)
>
> They already have. Named ACLs always had this, and in "very recent" IOS
> versions (SXH, at least, haven't checked 12.4*), you can do this for
> numbered ACLs as well.
>
> gert

From csirek at cooler.hu Wed Nov 26 06:12:07 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 26 Nov 2008 12:12:07 +0100
Subject: [c-nsp] vpn_hw-1-packet_error / 7201
Message-ID: <492D2F07.7070601@cooler.hu>

Hi all,

I have 2 Cisco 7201 routers (c7200p-advipservicesk9-mz.124-15.T3.bin) with SA-VAM2+ VPN module. Between these routers I use an encrypted GRE tunnel:

interface Tunnel0
 description TUNNEL
 ip address 192.168.1.1 255.255.255.252
 ip mtu 1418
 ip tcp adjust-mss 1300
 ip ospf cost 100
 load-interval 30
 keepalive 2 2
 tunnel source 10.0.0.1
 tunnel destination 10.0.1.1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ingyombingyom address 10.0.1.1
!
crypto ipsec transform-set nyulambulam-standard esp-3des esp-sha-hmac

I have been getting the following error messages for the last 2-3 days, only for some hours a day (2-3 messages / minute) and only on one router (the router uptime is ~9 weeks):

Nov 26 03:06:49 PST: %VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, ESP Pad Length:srcadr=10.0.0.1,dstadr=10.0.1.1,size=104,handle=0x7D4F
Nov 26 03:07:34 PST: %VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.0.0.1,dstadr=10.0.1.1,size=160,handle=0x7D4F
Nov 26 03:07:34 PST: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=11551 local=10.0.0.1 remote=10.0.1.1 spi=FCAF23B3 seqno=000008A5

The router on the other side didn't log anything. The tunnel doesn't go down when I get these errors.

Any idea?
Thanks
Laszlo

From p.mayers at imperial.ac.uk Wed Nov 26 06:13:07 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 26 Nov 2008 11:13:07 +0000
Subject: [c-nsp] SM SFP over MM cable
In-Reply-To: <323aca890811260252g3e738316ra42bb8af854243b5@mail.gmail.com>
References: <323aca890811260252g3e738316ra42bb8af854243b5@mail.gmail.com>
Message-ID: <492D2F43.4090709@imperial.ac.uk>

Pavel Skovajsa wrote:
> Hello,
>
> I have heard stories that normal LX single mode SFP works fine over
> any MM fiber. Is that true? Does it have any distance limitation? Is
> there any doc I can read so that I understand what are the various
> possibilities to mix/match various SM/MM SFPs etc.

It's true. We run LX over OM1.

Of course it has a distance limitation; a commonly quoted figure is 550 metres.

There are various gotchas which can be resolved using "conditioned launch" fibre patch leads, but we haven't experienced any issues. IIRC they're only an issue on OM1/OM2. Having said that, we have links running stably with LX over OM1 without mode-conditioned patch leads, so YMMV.

Cisco appear to have an interesting (if somewhat old) page:

http://www.cisco.com/en/US/prod/collateral/modules/ps5455/white_paper_c11-463677.html

There are lots of hits for "LX over OM[123]"

From arne.svennevik at met.no Wed Nov 26 06:28:31 2008
From: arne.svennevik at met.no (Arne Svennevik)
Date: Wed, 26 Nov 2008 12:28:31 +0100
Subject: [c-nsp] SM SFP over MM cable
In-Reply-To: <323aca890811260252g3e738316ra42bb8af854243b5@mail.gmail.com>
References: <323aca890811260252g3e738316ra42bb8af854243b5@mail.gmail.com>
Message-ID: <004101c94fba$1f9b1ba0$5ed152e0$@svennevik@met.no>

Yes, a normal single mode SFP (GLC-LH-SM) works with both SM and MM fiber. MM is limited to 300 meters (greater distances may be possible with a mode-conditioning patch cord).

Have a look at GLC-LH-SM in table 6 at
http://www.cisco.com/en/US/docs/routers/7200/install_and_upgrade/gbic_sfp_modules_install/5067g.html#wp34124
for more info.
Regards,
Arne Svennevik

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pavel Skovajsa
Sent: Wednesday, November 26, 2008 11:53 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SM SFP over MM cable

Hello,

I have heard stories that normal LX single mode SFP works fine over any MM fiber. Is that true? Does it have any distance limitation? Is there any doc I can read so that I understand what are the various possibilities to mix/match various SM/MM SFPs etc.

Regards,
Pavel Skovajsa

From arla at rn.dk Wed Nov 26 06:57:59 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 26 Nov 2008 12:57:59 +0100
Subject: [c-nsp] wireless access-controll feature in ios software
In-Reply-To:
References: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FB@SRVEXC02.aas.its.nja.dk>
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FE@SRVEXC02.aas.its.nja.dk>

Jep, I believe that's it.
Great thanks.

/Arne

-----Original Message-----
From: John Kougoulos [mailto:koug at intracom.gr]
Sent: 26. november 2008 08:33
To: Arne Larsen / Region Nordjylland
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] wireless access-controll feature in ios software

Hello,

perhaps you are looking for this:

Consent Feature for Cisco IOS Routers 12.4(15)T
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html

However you can also use the embedded captive portal when you use Cisco WLC controllers, or you can also try Chillispot

--koug

On Tue, 25 Nov 2008, Arne Larsen / Region Nordjylland wrote:

>
> Hi all.
>
> I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box.
> But I just can't remember what or where it was. Is there someone here that remembers anything about this; I believe that it was an unsupported feature.
>
> /Arne

From peter at rathlev.dk Wed Nov 26 07:41:34 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 26 Nov 2008 13:41:34 +0100
Subject: [c-nsp] 3560G Update - which IOS?
In-Reply-To: <492CDCA4.3010404@gmx.de>
References: <492CDCA4.3010404@gmx.de>
Message-ID: <1227703294.5999.5.camel@abehat>

On Wed, 2008-11-26 at 06:20 +0100, Garry wrote:
> we're running several 3560G's, a couple with a relatively old 12.2(25),
> some with the newer (35). I have one or two features that I know have
> been added since 25 and are available with (35), so I would prefer to
> upgrade at least to that, which I know has run flawlessly for a year or
> so ... question is - should I dare to upgrade to a more recent version,
> or are there any issues known? Also, is there a list of features that
> have been added in the respective sub-releases, in order to decide
> whether I even need a newer version than what I know to work?

We're using 12.2(35)SE5 on a couple of hundred L2-only devices (running IP Base) for almost a year and have had no problems at all.

I would stay with the "older" releases unless you really need some of the new features. You can use the Feature Navigator to compare the sub-releases.

Regards,
Peter

From dmitry at dmitry.net Wed Nov 26 07:14:50 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Wed, 26 Nov 2008 14:14:50 +0200
Subject: [c-nsp] no implementation plans
Message-ID: <20081126121450.GA1517@f17.dmitry.net>

Hello!

According to rumors Cisco have no plans:
to DWDM-X2 modules support for 6708 cards on C7600 under 12.2SR
to 6716 support on C7600
to finish SCE blade

Any other rumors?
:)
Thanks!

--
Dmitry Kiselev

From chloekcy2000 at yahoo.ca Wed Nov 26 07:55:48 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Wed, 26 Nov 2008 07:55:48 -0500 (EST)
Subject: [c-nsp] any way to check the cisco interface to output to file
Message-ID: <299580.80430.qm@web57413.mail.re1.yahoo.com>

Hi

I realize there are packets dropping in the router.

Is there any way to check the cisco interface and output to a file?

I want to record every minute

Thank you

---------------------------------
Now with a new friend-happy design! Try the new Yahoo! Canada Messenger

From christian at errxtx.net Wed Nov 26 08:09:55 2008
From: christian at errxtx.net (Christian Meutes)
Date: Wed, 26 Nov 2008 14:09:55 +0100
Subject: [c-nsp] Cisco sw mac based auth
In-Reply-To: <492D1896.2060001@euroway.hu>
References: <492D1896.2060001@euroway.hu>
Message-ID: <22E461A4B40A330564977684@tok>

--On Wednesday, 26. November 2008 10:36 +0100 Hegedus Gabor wrote:

> what can i use for cisco?
> finaly, how can i set up mac based authentication on cisco sw.

You can use MAC Authentication Bypass.

From amsoares at netcabo.pt Wed Nov 26 08:34:57 2008
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 26 Nov 2008 13:34:57 -0000
Subject: [c-nsp] any way to check the cisco interface to output to file
In-Reply-To: <299580.80430.qm@web57413.mail.re1.yahoo.com>
References: <299580.80430.qm@web57413.mail.re1.yahoo.com>
Message-ID:

If you use SecureCRT, it's very easy. Just log the output to a file and run a script like this one:

++++++++++++++++++++++++
#$language = "VBScript"
#$interface = "1.0"

Sub Main

    do
        crt.Screen.Send "sh interface x/y" & VbCr
        crt.Sleep 60000
    loop

End Sub
++++++++++++++++++++++++

The crt.Sleep value is in msec.
Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: quarta-feira, 26 de Novembro de 2008 12:56
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] any way to check the cisco interface to output to file

Hi

I realize there are packets dropping in the router.

Is there any way to check the cisco interface and output to a file?

I want to record every minute

Thank you

From RTeller at deltadentalwa.com Wed Nov 26 08:41:50 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 26 Nov 2008 05:41:50 -0800
Subject: [c-nsp] any way to check the cisco interface to output to file
In-Reply-To: <299580.80430.qm@web57413.mail.re1.yahoo.com>
References: <299580.80430.qm@web57413.mail.re1.yahoo.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018A9@tiger.deltadentalwa.com>

Snmp probes to the interface

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of chloe K
Sent: Wednesday, November 26, 2008 4:56 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] any way to check the cisco interface to output to file

Hi

I realize there are packets dropping in the router.

Is there any way to check the cisco interface and output to a file?

I want to record every minute

Thank you

---------------------------------
Now with a new friend-happy design! Try the new Yahoo!
Canada Messenger

#########################################################
The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address.
#########################################################

From amsoares at netcabo.pt Wed Nov 26 08:49:36 2008
From: amsoares at netcabo.pt (Antonio Soares)
Date: Wed, 26 Nov 2008 13:49:36 -0000
Subject: [c-nsp] vpn_hw-1-packet_error / 7201
In-Reply-To: <492D2F07.7070601@cooler.hu>
References: <492D2F07.7070601@cooler.hu>
Message-ID: <9877500FFDF243F6B5207984BEE538CD@int.convex.pt>

I had the same problem a few weeks ago with a 3845. Initially we thought we were hitting an IOS Bug, but at the end of the day the messages were correlated with some circuit problems.

Verify that your circuits are clean and, in case they are, check these two Bugs:

- CSCee43714
- CSCeg52468

Regards,

Antonio Soares, CCIE #18473 (R&S)
amsoares at netcabo.pt

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nemeth Laszlo
Sent: quarta-feira, 26 de Novembro de 2008 11:12
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vpn_hw-1-packet_error / 7201

Hi all,

I have 2 Cisco 7201 routers (c7200p-advipservicesk9-mz.124-15.T3.bin) with SA-VAM2+ VPN module.
Between these routers I use an encrypted GRE tunnel:

interface Tunnel0
 description TUNNEL
 ip address 192.168.1.1 255.255.255.252
 ip mtu 1418
 ip tcp adjust-mss 1300
 ip ospf cost 100
 load-interval 30
 keepalive 2 2
 tunnel source 10.0.0.1
 tunnel destination 10.0.1.1

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ingyombingyom address 10.0.1.1
!
crypto ipsec transform-set nyulambulam-standard esp-3des esp-sha-hmac

I have been getting the following error messages for the last 2-3 days, only for some hours a day (2-3 messages / minute) and only on one router (the router uptime is ~9 weeks):

Nov 26 03:06:49 PST: %VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, ESP Pad Length:srcadr=10.0.0.1,dstadr=10.0.1.1,size=104,handle=0x7D4F
Nov 26 03:07:34 PST: %VPN_HW-1-PACKET_ERROR: slot: 1 Packet Encryption/Decryption error, Output Authentication error:srcadr=10.0.0.1,dstadr=10.0.1.1,size=160,handle=0x7D4F
Nov 26 03:07:34 PST: %CRYPTO-4-RECVD_PKT_MAC_ERR: decrypt: mac verify failed for connection id=11551 local=10.0.0.1 remote=10.0.1.1 spi=FCAF23B3 seqno=000008A5

The router on the other side didn't log anything. The tunnel doesn't go down when I get these errors.

Any idea?

Thanks
Laszlo

From dcp at dcptech.com Wed Nov 26 09:13:29 2008
From: dcp at dcptech.com (David Prall)
Date: Wed, 26 Nov 2008 09:13:29 -0500
Subject: [c-nsp] any way to check the cisco interface to output to file
In-Reply-To:
References: <299580.80430.qm@web57413.mail.re1.yahoo.com>
Message-ID: <008501c94fd1$282eba80$788c2f80$@com>

Create a kron job on the router itself and then use "command | append flash:filename" to collect the information local to the router. The router will have to support append on its filesystem; some don't, 800 series specifically.
David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Antonio Soares
> Sent: Wednesday, November 26, 2008 8:35 AM
> To: 'chloe K'; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] any way to check the cisco interface to output to
> file
>
> If you use SecureCRT, it's very easy. Just log the output to a file and
> run a script like this one:
>
> ++++++++++++++++++++++++
> #$language = "VBScript"
> #$interface = "1.0"
>
> Sub Main
>
>     do
>         crt.Screen.Send "sh interface x/y" & VbCr
>         crt.Sleep 60000
>     loop
>
> End Sub
> ++++++++++++++++++++++++
>
> The crt.Sleep value is in msec.
>
>
> Regards,
>
> Antonio Soares, CCIE #18473 (R&S)
> amsoares at netcabo.pt
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of chloe K
> Sent: quarta-feira, 26 de Novembro de 2008 12:56
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] any way to check the cisco interface to output to file
>
> Hi
>
> I realize there are packets dropping in the router.
>
> Is there any way to check the cisco interface and output to a file?
>
> I want to record every minute
>
> Thank you
>
>
> ---------------------------------
> Now with a new friend-happy design! Try the new Yahoo!
> Canada Messenger

From frnkblk at iname.com Wed Nov 26 09:36:49 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Wed, 26 Nov 2008 08:36:49 -0600
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win>
Message-ID:

What NIC(s) do you have in the server?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vigar, Damien
Sent: Tuesday, November 25, 2008 11:18 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Windows server hangs connected to 3750

Hi all,

We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else. It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.

We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.

We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?

Cheers,

Damien

**********************************************************************
This message is intended for the addressee named and may contain privileged information or confidential information or both.
If you are not the intended recipient please delete it and notify the sender.
**********************************************************************

From techconfig at yahoo.com Wed Nov 26 09:43:44 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Wed, 26 Nov 2008 06:43:44 -0800 (PST)
Subject: [c-nsp] Static default route VRF not appearing
Message-ID: <405563.67808.qm@web44802.mail.sp1.yahoo.com>

Hi

In an IP-VPN test, I need to add a static default route pointing to CE1 from PE1. This would, I assume, be redistributed to other PEs and then CE routers, as 'redistribute static' is enabled on the PE config for this customer; however this seems not to be the case.

In fact PE2 never even sees that particular static route, even though it can see other redistributed static routes that I put in just to check. Is there some extra config needed on PE1 in order for the 0/0 static route to be advertised to other PEs and therefore CEs, such as default-originate as per standard BGP?

Regards
Mark

From sigurbjornl at vodafone.is Wed Nov 26 09:52:27 2008
From: sigurbjornl at vodafone.is (Sigurbjörn Birkir Lárusson)
Date: Wed, 26 Nov 2008 14:52:27 +0000
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To:
Message-ID:

One issue I've seen with 2003R2 is that it implemented Chimney (TCP checksum offloading) by default, which has caused us endless grief with really bad TCP performance. It seems network drivers shipped with 2003R2 were not really ready for this change and many of them perform very badly even under little TCP load.

You can try

netsh int ip set chimney disable

to turn it off and see if the situation improves

BR,
Sibbi

On 26.11.2008 14:36, "Frank Bulk" wrote:

> What NIC(s) do you have in the server?
>
> Frank
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vigar, Damien
> Sent: Tuesday, November 25, 2008 11:18 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Windows server hangs connected to 3750
>
> Hi all,
>
> We are experiencing an issue with Windows 2003R2 servers connected to our
> 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang,
> responding to a ping but not to anything else. It looks to us like an issue
> with the servers, but our server administrator insists that it must be the
> GBIC/switch combination.
>
> We've put the servers in question back onto fast ethernet ports, and haven't
> seen any problems in the meantime. Other sites' servers are running fine on
> the same GBIC/switch combination.
>
> We've tried to find anything relating to this issue online, with no luck.
> Any ideas on where to go next?
>
>
> Cheers,
>
> Damien
>
>
> **********************************************************************
> This message is intended for the addressee named and may contain
> privileged information or confidential information or both. If you
> are not the intended recipient please delete it and notify the sender.
> **********************************************************************

From vincent.aniello at pipelinefinancial.com Wed Nov 26 10:02:41 2008
From: vincent.aniello at pipelinefinancial.com (Vincent Aniello)
Date: Wed, 26 Nov 2008 10:02:41 -0500
Subject: [c-nsp] txQueueNotAvail on a Cisco 4948 Switch
Message-ID: <9DF561416307E245950A6E212A55367A03588D03@EMAILSRV1.exad.net>

We are seeing the txQueueNotAvail counter increase for TxQueue 3 on a Cisco Catalyst 4948 switch. Does anyone have any insight on what txQueueNotAvail means? Also, are there specific switch ports associated with TxQueue 3 and if so how do I find out what ports those are?

The output from "show platform cpu packet statistics" is below:

Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)

CPU Subport      TxQueue 0       TxQueue 1       TxQueue 2       TxQueue 3
------------ --------------- --------------- --------------- ---------------
           0               0               0               0           17391

Thanks.

--Vincent

Disclaimer: Any references to Pipeline performance contained herein are based on internal testing and / or historic performance levels which Pipeline expects to maintain or exceed but nevertheless does not guarantee. Congested networks, price volatility, or other extraordinary events may impede future trading activities and degrade performance statistics. Pipeline is a member of FINRA and SIPC.
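The earlier thread about recording "sh interface" output every minute and this txQueueNotAvail question come down to the same loop: poll a counter table, diff it against the previous sample, and log the per-interval growth, because it is the growth rather than the absolute value that tells you whether a queue or interface is still dropping. The Python below is an added example, not code from any of the list posts: it parses a txQueueNotAvail table and the drop fields of a "show interfaces" block, reports which counters rose between two polls, and produces CSV rows for an append-only log. The two sample outputs are constructed (modelled on the table in Vincent's message), and the function names and the flattened counter names are my own choices.

```python
import csv
import io
import re

# Constructed samples modelled on the table in the message above: two polls of
# "show platform cpu packet statistics" taken a minute apart.
TXQ_T0 = """\
Packets Dropped In Hardware By CPU Subport (txQueueNotAvail)

CPU Subport      TxQueue 0       TxQueue 1       TxQueue 2       TxQueue 3
------------ --------------- --------------- --------------- ---------------
           0               0               0               0           17391
"""
TXQ_T1 = TXQ_T0.replace("17391", "17640")

# Constructed "show interfaces" excerpts for the record-every-minute thread.
SHOWINT_T0 = """\
GigabitEthernet1/1 is up, line protocol is up (connected)
  Input queue: 0/2000/3/0 (size/max/drops/flushes); Total output drops: 120
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""
SHOWINT_T1 = SHOWINT_T0.replace("drops: 120", "drops: 131")

TXQ_ROW = re.compile(r"^\s*(\d+)((?:\s+\d+)+)\s*$")
IFACE_HDR = re.compile(r"^(\S+) is \S+, line protocol is")
IFACE_FIELDS = {
    "input_drops": re.compile(r"Input queue: \d+/\d+/(\d+)/\d+"),
    "output_drops": re.compile(r"Total output drops:\s*(\d+)"),
    "input_errors": re.compile(r"(\d+) input errors"),
}


def parse_txqueue_table(text):
    """Flatten the txQueueNotAvail table to {"subport0/TxQueue3": 17391, ...}."""
    counters, in_table = {}, False
    for line in text.splitlines():
        if "txQueueNotAvail" in line:      # the command prints several tables
            in_table = True
            continue
        m = TXQ_ROW.match(line) if in_table else None
        if m:
            for q, val in enumerate(m.group(2).split()):
                counters[f"subport{m.group(1)}/TxQueue{q}"] = int(val)
    return counters


def parse_interface_drops(text):
    """Flatten "show interfaces" to {"GigabitEthernet1/1 output_drops": 120, ...}."""
    counters, iface = {}, None
    for line in text.splitlines():
        m = IFACE_HDR.match(line)
        if m:
            iface = m.group(1)
            continue
        for name, rx in IFACE_FIELDS.items():
            m = rx.search(line) if iface else None
            if m:
                counters[f"{iface} {name}"] = int(m.group(1))
    return counters


def counter_deltas(previous, current):
    """Growth of each counter since the last poll.  None: no earlier sample.
    A value below the previous one means the counter was cleared or wrapped;
    the new value itself is then the best estimate of the growth."""
    deltas = {}
    for key, value in current.items():
        prev = previous.get(key)
        if prev is None:
            deltas[key] = None
        else:
            deltas[key] = value if value < prev else value - prev
    return deltas


def rising_counters(deltas):
    """Names of the counters that grew during the interval, sorted."""
    return sorted(k for k, d in deltas.items() if d)


def format_rows(timestamp, counters, deltas):
    """One CSV row per counter: timestamp, name, value, delta ('' if unknown)."""
    return [[timestamp, k, counters[k], "" if deltas.get(k) is None else deltas[k]]
            for k in sorted(counters)]


def poll_once(previous, txq_text, showint_text, timestamp, out=None):
    """One polling step: parse both outputs, diff against the previous sample,
    append the rows to `out` (a file opened in append mode) if one is given."""
    current = {**parse_txqueue_table(txq_text), **parse_interface_drops(showint_text)}
    deltas = counter_deltas(previous, current)
    rows = format_rows(timestamp, current, deltas)
    if out is not None:
        csv.writer(out).writerows(rows)
    return current, rising_counters(deltas), rows


if __name__ == "__main__":
    log = io.StringIO()   # stand-in for open("counters.csv", "a", newline="")
    sample, _, _ = poll_once({}, TXQ_T0, SHOWINT_T0, "2008-11-26T10:01", log)
    sample, rising, _ = poll_once(sample, TXQ_T1, SHOWINT_T1, "2008-11-26T10:02", log)
    print(log.getvalue())
    print("still rising:", rising)
```

The reset branch in counter_deltas is the part worth keeping when adapting this: a "clear counters" or a reload makes a counter go backwards, and without that branch one poll would log a large negative delta and mask a real increase in the same interval.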
From tdurack at gmail.com Wed Nov 26 10:12:26 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Nov 2008 10:12:26 -0500
Subject: [c-nsp] no implementation plans
In-Reply-To: <20081126121450.GA1517@f17.dmitry.net>
References: <20081126121450.GA1517@f17.dmitry.net>
Message-ID: <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com>

On Wed, Nov 26, 2008 at 7:14 AM, Dmitry Kiselev wrote:
> Hello!
>
> According to rumors Cisco have no plans:
> to DWDM-X2 modules support for 6708 cards on C7600 under 12.2SR
> to 6716 support on C7600
> to finish SCE blade
>
> Any other rumors? :)
> Thanks!

VSS will die a horrible lingering death.
SUP4 will be released early next year.
Cisco will port NX-OS to the 6500 (they already have, for the MDS)

(Obviously I just made these up, but they smell good to me!)

> --
> Dmitry Kiselev

From oboehmer at cisco.com Wed Nov 26 10:17:10 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 26 Nov 2008 16:17:10 +0100
Subject: [c-nsp] Static default route VRF not appearing
In-Reply-To: <405563.67808.qm@web44802.mail.sp1.yahoo.com>
References: <405563.67808.qm@web44802.mail.sp1.yahoo.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406760081@xmb-ams-333.emea.cisco.com>

Mark Tech <> wrote on Wednesday, November 26, 2008 15:44:

> Hi
> In an IP-VPN test, I need to add a static default route pointing to
> CE1 from PE1. This would I assume be redistributed to other PE's,
> then CE routers as 'redistribute static' is enabled on the PE config
> for this customer however this seems not to be the case.
>
> In fact PE2 never even sees that particular static route, even though
> it can see other redistributed static routes that I put in just to
> check.
> Is there some extra config needed on PE1 in order for the 0/0
> static route to be advertised to other PE's and therefore CE's such
> as default-originate as per standard BGP?

yes, you need the same commands in ipv4 vrf as in "standard BGP", i.e. default-information originate in this case.

oli

From tdurack at gmail.com Wed Nov 26 10:20:38 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Nov 2008 10:20:38 -0500
Subject: [c-nsp] no implementation plans
In-Reply-To: <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com>
Message-ID: <9e246b4d0811260720h6cd510ccp17189ae4adc54331@mail.gmail.com>

On Wed, Nov 26, 2008 at 10:12 AM, Tim Durack wrote:
> On Wed, Nov 26, 2008 at 7:14 AM, Dmitry Kiselev wrote:
>> Hello!
>>
>> According to rumors Cisco have no plans:
>> to DWDM-X2 modules support for 6708 cards on C7600 under 12.2SR
>> to 6716 support on C7600
>> to finish SCE blade
>>
>> Any other rumors? :)
>> Thanks!
>
> VSS will die a horrible lingering death.
> SUP4 will be released early next year.
> Cisco will port NX-OS to the 6500 (they already have, for the MDS)
>
> (Obviously I just made these up, but they smell good to me!)
This might be a little more reliable for the 6500 at least:

http://tinyurl.com/572mbc

>
>> --
>> Dmitry Kiselev
>>
>

From RTeller at deltadentalwa.com Wed Nov 26 10:21:06 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 26 Nov 2008 07:21:06 -0800
Subject: [c-nsp] no implementation plans
In-Reply-To: <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com>

Why do you say vss will die a horrible death?

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Durack
Sent: Wednesday, November 26, 2008 7:12 AM
To: dmitry at dmitry.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] no implementation plans

On Wed, Nov 26, 2008 at 7:14 AM, Dmitry Kiselev wrote:
> Hello!
>
> According to rumors Cisco have no plans:
> to DWDM-X2 modules support for 6708 cards on C7600 under 12.2SR
> to 6716 support on C7600
> to finish SCE blade
>
> Any other rumors? :)
> Thanks!

VSS will die a horrible lingering death.
SUP4 will be released early next year.
Cisco will port NX-OS to the 6500 (they already have, for the MDS)

(Obviously I just made these up, but they smell good to me!)
> --
> Dmitry Kiselev

From tdurack at gmail.com Wed Nov 26 10:23:35 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Nov 2008 10:23:35 -0500
Subject: [c-nsp] no implementation plans
In-Reply-To: <9e246b4d0811260720h6cd510ccp17189ae4adc54331@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com> <9e246b4d0811260720h6cd510ccp17189ae4adc54331@mail.gmail.com>
Message-ID: <9e246b4d0811260723v436349e6pe1b1da2ee91203d5@mail.gmail.com>

On Wed, Nov 26, 2008 at 10:20 AM, Tim Durack wrote:
> On Wed, Nov 26, 2008 at 10:12 AM, Tim Durack wrote:
>> On Wed, Nov 26, 2008 at 7:14 AM, Dmitry Kiselev wrote:
>>> Hello!
>>>
>>> According to rumors Cisco have no plans:
>>> to DWDM-X2 modules support for 6708 cards on C7600 under 12.2SR
>>> to 6716 support on C7600
>>> to finish SCE blade
>>>
>>> Any other rumors? :)
>>> Thanks!
>>
>> VSS will die a horrible lingering death.
>> SUP4 will be released early next year.
>> Cisco will port NX-OS to the 6500 (they already have, for the MDS) >> >> (Obviously I just made these up, but they smell good to me!) > > This might be a little more reliable for the 6500 at least: > > http://tinyurl.com/572mbc "SFP+ Adapter for X2 Slots" Now that's forward thinking... From techconfig at yahoo.com Wed Nov 26 10:25:20 2008 From: techconfig at yahoo.com (Mark Tech) Date: Wed, 26 Nov 2008 07:25:20 -0800 (PST) Subject: [c-nsp] Static default route VRF not appearing References: <405563.67808.qm@web44802.mail.sp1.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406760081@xmb-ams-333.emea.cisco.com> Message-ID: <856729.42295.qm@web44804.mail.sp1.yahoo.com> Got it Cheers Mark ----- Original Message ---- From: Oliver Boehmer (oboehmer) To: Mark Tech Cc: cisco-nsp at puck.nether.net Sent: Wednesday, November 26, 2008 3:17:10 PM Subject: RE: [c-nsp] Static default route VRF not appearing Mark Tech <> wrote on Wednesday, November 26, 2008 15:44: > Hi > In an IP-VPN test, I need to add a static default route pointing to > CE1 from PE1. This would I assume be redistributed to other PE's, > then CE routers as 'redistribute static' is enabled on the PE config > for this customer however this seems not to be the case.? > > In fact PE2 never even sees that particular static route, even though > it can see other redistributed static routes that I put in just to > check. Is there some extra config needed on PE1 in order for the 0/0 > static route to be advertised to other PE's and therefore CE's such > as default-originate as per standard BGP?? ? yes, you need the same commands in ipv4 vrf as in "standard BGP", i.e. default-information originate in this case. ??? 
oli

From tdurack at gmail.com Wed Nov 26 10:42:47 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Nov 2008 10:42:47 -0500
Subject: [c-nsp] no implementation plans
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com>
Message-ID: <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com>

On Wed, Nov 26, 2008 at 10:21 AM, Teller, Robert wrote:
> Why do you say VSS will die a horrible death?

'Cos it looks real "glossy."

I was excited by VSS when I first saw it, we even waited on the VS-S720
so we would be VSS ready. Since then feature parity has been slow. We
had to go with a standard dual-switch setup, as that works today.

But I did say:

> (Obviously I just made these up, but they smell good to me!)

And the posted link shows VSS has plenty of development roadmap, so I
guess we'll see what happens.

Open questions in my mind: am I really going to go back and do a VSS
conversion on existing installations? That's a lot of time and energy,
especially as it doesn't reduce exposure to IOS bugs (we haven't had
any hardware failures, but we have had software failures.)

Tim:>

From razor at meganet.net Wed Nov 26 09:48:20 2008
From: razor at meganet.net (Paul A)
Date: Wed, 26 Nov 2008 09:48:20 -0500
Subject: [c-nsp] 6509 problems
Message-ID: <01dc01c94fd6$067730c0$13659240$@net>

Hi all. We have been using a 7200 and recently we purchased a 6509. The plan is to move everything to the 6509 from the 7200. In order to accomplish this our plan was to connect the 7200 to the 6509 via GigE.

Our current network is like this: Internet traffic hits the 7200, the 7200 has a Riverstone switch directly connected to it via FastEthernet which handles a bunch of vlans, and then we have the 7200 connected to the 6509 via GigE.

On the 6509 we moved our www clusters to it, which are connected to another GigE interface on that switch. The www cluster was previously connected to the 7200 the same way it's connected to the 6509, without any issues. The cluster is connected to the 6509 on another GigE interface. This interface has multiple IPs, secondary IPs, and is a routed interface which connects to an HP switch that the www clusters are on. We have hard coded speed and duplex on all interfaces and we have 0% packet loss etc.

What is happening is that customers from various points on the internet cannot bring up sites on the cluster on port 80 and probably other ports. These customers can't even telnet to port 80. They can however ping and trace every time when the port 80 issue happens (I have no ACLs). With that said, other customers from other points on the internet can pull the same sites without any issue; again I have no ACLs that would do this.

Some of the symptoms customers report: not everything comes up on the site, can't telnet to port 80/25/etc on the server but can ping/trace to it. From my desktop that is directly connected to a switchport on the 6509 I never have that problem.

I have looked at cef/arp/acls/etc and everything looks fine from a config perspective but I still can't figure out the problem. Although when I do a shut/no shut on the GigE interface on the 6509 that is facing the cluster, customers report that after that they can pull up the website again.

Thanks in advance,
Paul

From RTeller at deltadentalwa.com Wed Nov 26 10:56:08 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Wed, 26 Nov 2008 07:56:08 -0800
Subject: [c-nsp] no implementation plans
In-Reply-To: <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com> <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com>
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018B0@tiger.deltadentalwa.com>

That's where I am at, now that VSS supports FWSM and ACE I'll probably be looking at migrating in January or February.

-----Original Message-----
From: Tim Durack [mailto:tdurack at gmail.com]
Sent: Wednesday, November 26, 2008 7:43 AM
To: Teller, Robert
Cc: dmitry at dmitry.net; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] no implementation plans

On Wed, Nov 26, 2008 at 10:21 AM, Teller, Robert wrote:
> Why do you say VSS will die a horrible death?

'Cos it looks real "glossy."

I was excited by VSS when I first saw it, we even waited on the VS-S720
so we would be VSS ready. Since then feature parity has been slow. We
had to go with a standard dual-switch setup, as that works today.

But I did say:

> (Obviously I just made these up, but they smell good to me!)

And the posted link shows VSS has plenty of development roadmap, so I
guess we'll see what happens.

Open questions in my mind: am I really going to go back and do a VSS
conversion on existing installations? That's a lot of time and energy,
especially as it doesn't reduce exposure to IOS bugs (we haven't had
any hardware failures, but we have had software failures.)

Tim:>

From chale99 at gmail.com Wed Nov 26 11:04:11 2008
From: chale99 at gmail.com (Chris Hale)
Date: Wed, 26 Nov 2008 11:04:11 -0500
Subject: [c-nsp] OSR7609 w/Sup720-3BXL
In-Reply-To: <20081125231023.GH72019@gerbil.cluepon.net>
References: <20081125231023.GH72019@gerbil.cluepon.net>

On Tue, Nov 25, 2008 at 6:10 PM, Richard A Steenbergen wrote:
> On Tue, Nov 25, 2008 at 12:25:29AM -0500, Chris Hale wrote:
>> Anyone know if you can use a Sup720-3BXL with a OSR7609? Are there any
>> restrictions on the modules/cards that you can use in the OSR7609? What's
>> the main differences between the OSR and non-OSR chassis?
>
> There is no such thing. OSR was a product name for a packaged 7609 +
> SUP2, which has since been dropped in favor of just calling it a 7609
> chassis + whatever SUP you are running.
>
> http://www.cisco.com/en/US/products/hw/routers/ps368/prod_eol_notice09186a008032d52e.html

So I can just assume it's a 7609 chassis and use all IOS/cards applicable to a 7609 chassis?

Thanks!
--
------------------
Chris Hale
chale99 at gmail.com

From sidney.boumendil at gmail.com Wed Nov 26 11:04:29 2008
From: sidney.boumendil at gmail.com (Sidney Boumendil)
Date: Wed, 26 Nov 2008 17:04:29 +0100
Subject: [c-nsp] no implementation plans
In-Reply-To: <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com> <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com>
Message-ID: <41522e900811260804v20de9965u43001c449e390ed7@mail.gmail.com>

On Wed, Nov 26, 2008 at 4:42 PM, Tim Durack wrote:
> Open questions in my mind: am I really going to go back and do a VSS
> conversion on existing installations? That's a lot of time and energy,
> especially as it doesn't reduce exposure to IOS bugs (we haven't had
> any hardware failures, but we have had software failures.)

I'd be interested to know what kind of bugs you came across (on SXH4?).

S.B

From tdurack at gmail.com Wed Nov 26 11:10:30 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 26 Nov 2008 11:10:30 -0500
Subject: [c-nsp] no implementation plans
In-Reply-To: <41522e900811260804v20de9965u43001c449e390ed7@mail.gmail.com>
References: <20081126121450.GA1517@f17.dmitry.net> <9e246b4d0811260712h19b13555q8099bb22519dfb34@mail.gmail.com> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC018AD@tiger.deltadentalwa.com> <9e246b4d0811260742y3f464bcbx1beda62851a771e9@mail.gmail.com> <41522e900811260804v20de9965u43001c449e390ed7@mail.gmail.com>
Message-ID: <9e246b4d0811260810s33a74649ta4295093babe1ced@mail.gmail.com>

On Wed, Nov 26, 2008 at 11:04 AM, Sidney Boumendil wrote:
> On Wed, Nov 26, 2008 at 4:42 PM, Tim Durack wrote:
>> Open questions in my mind: am I really going to go back and do a VSS
>> conversion on existing installations? That's a lot of time and energy,
>> especially as it doesn't reduce exposure to IOS bugs (we haven't had
>> any hardware failures, but we have had software failures.)
>
> I'd be interested to know what kind of bugs you came across (on SXH4?).

SXH2, Netflow bug that crippled rtr-2 and shortly thereafter rtr-1 in a
redundant pair. Control-plane was half dead, but did not reboot. Needed
manual intervention for recovery.

We have disabled Netflow on all chassis running SXH2, and are testing
SXI (we need SXI for IPv6 VRF stuff anyway, so I'm hoping this will
work for us.)

When it comes to IOS, hardware failures are the least of our worries...

Tim:>

From ecables at gmail.com Wed Nov 26 12:39:14 2008
From: ecables at gmail.com (Eric Cables)
Date: Wed, 26 Nov 2008 09:39:14 -0800
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?

We have a number of large MQC policies, and I'd like to graph the
throughput of each class, allowing us to pro-actively identify any
classes that may be exceeding their allocated bandwidth.

Are there any tools available that allow service policy bandwidth
graphing, on a per-class basis (maybe a Cacti addon)?

--
Eric Cables

From wp at null0.nl Wed Nov 26 13:09:35 2008
From: wp at null0.nl (Wouter Prins)
Date: Wed, 26 Nov 2008 19:09:35 +0100
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?

Hi Eric,

There's a QoS MIB available for use with CBWFQ on the Cisco website
(software navigator). I also found this link on the cacti forum, it's
not done yet tho:

http://forums.cacti.net/about7401.html&highlight=cbwfq

--
Wouter Prins

2008/11/26 Eric Cables :
> We have a number of large MQC policies, and I'd like to graph the
> throughput of each class, allowing us to pro-actively identify any
> classes that may be exceeding their allocated bandwidth.
>
> Are there any tools available that allow service policy bandwidth
> graphing, on a per-class basis (maybe a Cacti addon)?
>
> --
> Eric Cables

From achatz at forthnet.gr Wed Nov 26 13:10:28 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 26 Nov 2008 20:10:28 +0200
Subject: [c-nsp] Vlan assignments
In-Reply-To: <2c9e35ed0811251548g56f2cfa8md4453ea666ae6f8a@mail.gmail.com>
References: <2c9e35ed0811250653g4bd4011dw9fed44a405ef493@mail.gmail.com> <4F1062A0-AB64-4586-95F5-E5CB4D59623C@gmail.com> <2c9e35ed0811251548g56f2cfa8md4453ea666ae6f8a@mail.gmail.com>
Message-ID: <492D9114.8050804@forthnet.gr>

Have a look at TR-101 & TR-144 from the Broadband Forum (ex DSL Forum).

http://www.broadband-forum.org/technical/trlist.php

Also, Cisco provides some design guides; you just have to ask your account manager.

--
Tassos

sheaujiun wrote on 26/11/2008 01:48:
> Yes, it seems subjective but is there possibly a general idea that can be
> provided? For now, I do not have to give a detailed plan, just introduce a
> general concept.
>
> On Wed, Nov 26, 2008 at 2:56 AM, raymondh (NSP) wrote:
>
>> It's very subjective to one's environment.
>>
>> On Nov 25, 2008, at 10:53 PM, sheaujiun wrote:
>>
>>> Hi,
>>> I have a customer in a DSLAM/BRAS environment where they have 4 main groups
>>> of Vlan assignments - Data, Voice, Management and Other services.
>>>
>>> Currently there are no fixed rules as to how vlan ids are assigned to the 4
>>> main groups. It has come to a time the network has grown to a rather huge
>>> size and they are trying to reassign the vlan assignments.
>>>
>>> Generally, the network is as such:
>>>
>>> DSLAM --> aggregation switch --> BRAS
>>>
>>> Is there a standard guideline as to how vlan assignments are to be designed?
>>> What considerations are needed?
>>> e.g. Is there a need to consider how different vlans are to be terminated
>>> into the aggregation switch if they are running VPLS?
>>> How will the BRAS handle the vlans coming from the aggregation?
>>>
>>> Sheau Jiun

From achatz at forthnet.gr Wed Nov 26 13:20:28 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 26 Nov 2008 20:20:28 +0200
Subject: [c-nsp] 3560G Update - which IOS?
In-Reply-To: <200811261355.01366.mtinka@globaltransit.net>
References: <492CDCA4.3010404@gmx.de> <200811261355.01366.mtinka@globaltransit.net>
Message-ID: <492D936C.9070609@forthnet.gr>

If I remember right, SE3 solves it ;)

--
Tassos

Mark Tinka wrote on 26/11/2008 07:54:
> On Wednesday 26 November 2008 13:20:36 Garry wrote:
>
>> we're running several 3560G's, a couple with a relatively
>> old 12.2(25), some with the newer (35). I have one or two
>> features that I know have been added since 25 and are
>> available with (35), so I would prefer to upgrade at
>> least to that, which I know has run flawlessly for a year
>> or so ... question is - should I dare to upgrade to a
>> more recent version, or are there any issues known? Also,
>> is there a list of features that have been added in the
>> respective sub-releases, in order to decide whether I
>> even need a newer version than what I know to work?
>
> We've been happy with 12.2(44)SE2; but admittedly, we only
> use our 3560G's as Layer 2 devices.
>
> There's a known cosmetic issue with this release:
>
> #sh ver | i memory
> cisco WS-C3560G-48TS (PowerPC405) processor (revision D0)
> with 0K/8184K bytes of memory.
>      ^^^^^^^^
> 512K bytes of flash-simulated non-volatile configuration
> memory.
> #
>
> Other than that, we've had no real issues to report.
>
> You probably want to take a look at the release notes for
> more current revisions to see if there's anything you like,
> or don't like.
>
> Mark.

From jeff at ocjtech.us Wed Nov 26 13:40:12 2008
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Wed, 26 Nov 2008 12:40:12 -0600
Subject: [c-nsp] Multicast Over Wireless
Message-ID: <935ead450811261040h2411eb77o24f7aace8557579@mail.gmail.com>

I have four buildings connected with 1310 wireless bridges. One
building is set up as the root bridge and the rest are configured for
non-root bridge access. I'm unable to get multicast working over the
bridges. OSPF works, but PIM won't establish neighbors and multicast
routes/packets don't make it across the link. Can anyone give me some
clues on how to make this work?

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then
I thought, wouldn't it be much worse if life were fair, and all the
terrible things that happen to us come because we actually deserve
them? So, now I take great comfort in the general hostility and
unfairness of the universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"

From moua0100 at umn.edu Wed Nov 26 13:32:57 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 26 Nov 2008 12:32:57 -0600
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
In-Reply-To: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local>
References: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local>
Message-ID: <492D9659.7030906@umn.edu>

What about setting up some GRE tunnels to route the traffic of interest
over to the other L2L sites. I've seen configs for this on Cisco CCO.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Aaron Riemer wrote:
> Hey guys,
>
> I am hoping someone out there has configured something similar as I am
> having a lot of grief getting this working.
>
> Essentially what we are trying to do is to allow our VPN clients to
> access other L2L sites that terminate on the same outside interface. See
> below for details.
>
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
> after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>
> We have configured the necessary commands to allow this hairpinning,
> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
> rules and nonat are in place to allow the entire 10.100.1.0/24 range
> across the L2L tunnel and this has been tested by attempting to telnet
> to a web server at the tunnel destination via the inside 3750.
>
> It's just the VPN clients on the outside interface can't seem to get
> through the tunnel. What makes things even more confusing is that ICMP
> goes across no problem but no TCP traffic will pass. (No SYN-ACK
> received from the web server). I have checked the logs and they don't
> indicate that any traffic is being denied. I can see the connection
> being built twice from the outside back to the inside default gateway
> then back from the inside (maybe this is the problem, do we need to make
> the vpn client pool gateway address an address on the firewall??)
>
> 2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection
> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
> Inside:172.16.1.10/80 (172.16.1.10/80)
> 2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection
> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>
> Thanks in advance.
>
> Aaron.
>
> LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From moua0100 at umn.edu Wed Nov 26 17:19:14 2008
From: moua0100 at umn.edu (Ge Moua)
Date: Wed, 26 Nov 2008 16:19:14 -0600
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
In-Reply-To: <20081126221419.5D9CF7DA14@smtp1.wa.amnet.net.au>
References: <20081126221419.5D9CF7DA14@smtp1.wa.amnet.net.au>
Message-ID: <492DCB62.8070300@umn.edu>

You could also bring up another L2L tunnel specific to your client vpn hosts:

pc = client vpn = asa int1 = asa int2 = l2l vpn = checkpoint

convoluted but another (static) crypto map for l2l tunnel from client
vpn (off of dynamic crypto map).

Good luck.

Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services

Aaron wrote:
> We don't manage the other L2L sites. Plus the L2L tunnel is terminating at
> the other end at a checkpoint :|
>
> Cheers,
>
> Aaron.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ge Moua
> Sent: Thursday, 27 November 2008 3:33 AM
> To: Aaron Riemer
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Allowing VPN clients to access L2L tunnels terminating
> on the same outside interface
>
> What about setting up some GRE tunnels to route the traffic of interest
> over to the other L2L sites. I've seen configs for this on Cisco CCO.
>
> Regards,
> Ge Moua | Email: moua0100 at umn.edu
>
> Network Design Engineer
> University of Minnesota | Networking & Telecommunications Services
>
> Aaron Riemer wrote:
>
>> Hey guys,
>>
>> I am hoping someone out there has configured something similar as I am
>> having a lot of grief getting this working.
>>
>> Essentially what we are trying to do is to allow our VPN clients to
>> access other L2L sites that terminate on the same outside interface. See
>> below for details.
>>
>> VPN Client address range 10.100.1.100-200/24
>> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop
>> after ASA)
>> ASA Inside address 10.100.1.10/24
>> VPN tunnel peer addressing: 172.16.0.0/16
>>
>> We have configured the necessary commands to allow this hairpinning,
>> i.e. 'same-security-traffic permit intra-interface'. The relevant VPN
>> rules and nonat are in place to allow the entire 10.100.1.0/24 range
>> across the L2L tunnel and this has been tested by attempting to telnet
>> to a web server at the tunnel destination via the inside 3750.
>>
>> It's just the VPN clients on the outside interface can't seem to get
>> through the tunnel. What makes things even more confusing is that ICMP
>> goes across no problem but no TCP traffic will pass. (No SYN-ACK
>> received from the web server). I have checked the logs and they don't
>> indicate that any traffic is being denied. I can see the connection
>> being built twice from the outside back to the inside default gateway
>> then back from the inside (maybe this is the problem, do we need to make
>> the vpn client pool gateway address an address on the firewall??)
>>
>> 2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection
>> 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to
>> Inside:172.16.1.10/80 (172.16.1.10/80)
>> 2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection
>> 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to
>> Inside:10.100.1.101/2523 (10.100.1.101/2523)
>>
>> Thanks in advance.
>>
>> Aaron.

From dean at eatworms.org.uk Wed Nov 26 17:39:39 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 26 Nov 2008 22:39:39 -0000
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
Message-ID: <009c01c95017$de39a740$9aacf5c0$@org.uk>

Eric

The cbQoS MIB uses dynamic indexes which change if you amend the Service
Policy or class definition. It is possible though (if you can walk the
relevant MIB) to work out for yourself the indexes. You can then graph the
relevant OIDs directly.

You haven't mentioned which platform - the 10720 (12.0S IOS) actually has
the MIB indexes on the CLI - so it can be quite easy with no SNMP browsing
required. I don't know if this applies to other 12.0S platforms.

So... If you're comfortable poking around SNMP and looking at MIB walks...
and your policy is static (you can amend ACLs etc - but change the
policy/classes and you have to start again)... shout and I'll write up some
pointers.

It's this sort of MIB - with 2 dynamic indexes - where things like Cacti
really struggle.
I did some scripts and templates for Cacti a few years ago and you end up
having to walk quite large bits of the MIB every poll to accurately tie the
Interface + PolicyName + Class Name together if you want to keep doing it by
names.

Cisco have introduced some index persistence to the cbQoS MIB but I haven't
personally tested whether this gives persistence between policy edits... or
simply between reboots.

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_cbqos.html

Regards

Dean

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wouter Prins
Sent: 26 November 2008 18:10
To: Eric Cables
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?

Hi Eric,

There's a QoS MIB available for use with CBWFQ on the Cisco website
(software navigator). I also found this link on the cacti forum, it's
not done yet tho:

http://forums.cacti.net/about7401.html&highlight=cbwfq

--
Wouter Prins

2008/11/26 Eric Cables :
> We have a number of large MQC policies, and I'd like to graph the
> throughput of each class, allowing us to pro-actively identify any
> classes that may be exceeding their allocated bandwidth.
>
> Are there any tools available that allow service policy bandwidth
> graphing, on a per-class basis (maybe a Cacti addon)?
>
> --
> Eric Cables

From Moens at carrier2carrier.com Wed Nov 26 18:15:20 2008
From: Moens at carrier2carrier.com (Martin Moens)
Date: Thu, 27 Nov 2008 00:15:20 +0100
Subject: [c-nsp] 7600-RSP720-10GE - which IOS ?
Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905CC1@bilbo.bdhz.c2c.local>

Hi list,

I will probably receive a rsp720-3CXL 10G to replace an rsp720-3C-GE
later this week, and I am curious if any of you can give me advice on
which IOS version to go for.

I see I can choose from SRC, SRC1, SRC2 and SRD versions.

Anyone has good/bad experiences with one of the above?

Tnx,

Martin

From lists.james.edwards at gmail.com Wed Nov 26 18:23:46 2008
From: lists.james.edwards at gmail.com (james edwards)
Date: Wed, 26 Nov 2008 16:23:46 -0700
Subject: [c-nsp] shape within policy map
In-Reply-To: <1fb747910811242148l2f512332j9a9a870541572f07@mail.gmail.com>
References: <1fb747910811242148l2f512332j9a9a870541572f07@mail.gmail.com>

On Mon, Nov 24, 2008 at 10:48 PM, Marko Milivojevic wrote:
> You made a small configuration mistake.
>
>> Enter configuration commands, one per line. End with CNTL/Z.
>> JID_CORE_Router(config)#policy-map CMS
>> JID_CORE_Route(config-pmap-c)#shape average 1000000
>> JID_CORE_Route(config-pmap-c)#
>>
>> It takes the command just fine.
>
> You need to apply the shape command under the class, not under the policy-map:
>
> policy-map CMS
>  class CMS
>   shape average ...

Thanks, I should have mentioned I tried that and it did not work.

> !
> ! Note that shape uses Kb/s and not b/s.
> > However, you may find that this may not work on an ATM interface. > > Correct, it does not. I am finding using the bandwidth command and WRED is working well. I raised the interface limits to 90% available bandwidth. Thanks to all who responded, -- James H. Edwards Senior Network Systems Administrator Judicial Information Division jedwards at nmcourts.gov From Damien.Vigar at det.nsw.edu.au Wed Nov 26 19:03:49 2008 From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien) Date: Thu, 27 Nov 2008 11:03:49 +1100 Subject: [c-nsp] Windows server hangs connected to 3750 In-Reply-To: <844ef89c0811260019u55ba4877ycfc70b4fa0138f3b@mail.gmail.com> References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win> <844ef89c0811260019u55ba4877ycfc70b4fa0138f3b@mail.gmail.com> Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAA863140@SLPPEXCCR02.central.det.win> Hi David, Yes, we've tried that and still had the problem (our SFPs seem to support auto-negotiation just fine). The odd thing there is that another of our larger sites is using auto on their site server, and it's having no problems at all with the setup. Cheers, Damien > -----Original Message----- > From: David Granzer [mailto:dgranzer at gmail.com] > Sent: Wednesday, 26 November 2008 7:20 PM > To: Vigar, Damien > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Windows server hangs connected to 3750 > > Hello, > > some 1000T SFP are 1000-Full only and does not support auto > negotiation. You can try set 1000-Full on the servers and check if > that helps. > > Regards, > David > > > On Wed, Nov 26, 2008 at 6:17 AM, Vigar, Damien > wrote: > > Hi all, > > > > We are experiencing an issue with Windows 2003R2 servers connected to our > 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, > responding to a ping but not to anything else. It looks to us like an issue > with the servers, but our server administrator insists that it must be the > GBIC/switch combination. 
> >
> > We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.
> >
> > We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?
> >
> > Cheers,
> >
> > Damien
> >
> > **********************************************************************
> > This message is intended for the addressee named and may contain
> > privileged information or confidential information or both. If you
> > are not the intended recipient please delete it and notify the sender.
> > **********************************************************************

From Damien.Vigar at det.nsw.edu.au Wed Nov 26 19:04:58 2008
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Thu, 27 Nov 2008 11:04:58 +1100
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <20081126080925.GA10747@skywalker.creative.net.au>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win> <20081126080925.GA10747@skywalker.creative.net.au>
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAA863141@SLPPEXCCR02.central.det.win>

Nope. They are single servers, functioning as DC/File and print servers for individual sites.
The odd thing is that one is at our largest site, with hundreds of staff and students, and another is at a small site with maybe a couple dozen people tops. But other sites of similar size are not experiencing this problem, which is what leads us to suspect these servers rather than the network.

Cheers,
Damien

> -----Original Message-----
> From: Adrian Chadd [mailto:adrian at creative.net.au]
> Sent: Wednesday, 26 November 2008 7:09 PM
> To: Vigar, Damien
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Windows server hangs connected to 3750
>
> Hm, are the servers configured in some kind of active/failover or somesuch? I vaguely remember the default Windows method of "failover" causing no end of trouble to default-configured Cisco switches as MAC addresses ping-pong between ports..
>
> Adrian
>
> On Wed, Nov 26, 2008, Vigar, Damien wrote:
> > Hi all,
> >
> > We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else. It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.
> >
> > We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.
> >
> > We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?
> >
> > Cheers,
> >
> > Damien
>
> --
> - Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
> - $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -

From Damien.Vigar at det.nsw.edu.au Wed Nov 26 19:07:00 2008
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Thu, 27 Nov 2008 11:07:00 +1100
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To:
References:
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAA863142@SLPPEXCCR02.central.det.win>

I've checked with our server admin and he's turned IP chimney off on all our servers.

> -----Original Message-----
> From: Sigurbjörn Birkir Lárusson [mailto:sigurbjornl at vodafone.is]
> Sent: Thursday, 27 November 2008 1:52 AM
> To: frnkblk at iname.com; Vigar, Damien; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Windows server hangs connected to 3750
>
> One issue I've seen with 2003R2 is that it implemented Chimney (TCP checksum offloading) by default, which has caused us endless grief with really bad TCP performance. It seems network drivers shipped with 2003R2 were not really ready for this change and many of them perform very badly even under little TCP load.
>
> You can try
>
> netsh int ip set chimney disable
>
> to turn it off and see if the situation improves.
>
> BR,
> Sibbi
>
>
> On 26.11.2008 14:36, "Frank Bulk" wrote:
>
> > What NIC(s) do you have in the server?
> >
> > Frank
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Vigar, Damien
> > Sent: Tuesday, November 25, 2008 11:18 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Windows server hangs connected to 3750
> >
> > Hi all,
> >
> > We are experiencing an issue with Windows 2003R2 servers connected to our 3560/3750 switches via a 1000T SFP GBIC. The servers appear to hang, responding to a ping but not to anything else. It looks to us like an issue with the servers, but our server administrator insists that it must be the GBIC/switch combination.
> >
> > We've put the servers in question back onto fast ethernet ports, and haven't seen any problems in the meantime. Other sites' servers are running fine on the same GBIC/switch combination.
> >
> > We've tried to find anything relating to this issue online, with no luck. Any ideas on where to go next?
> >
> > Cheers,
> >
> > Damien

From ariemer at wesenergy.com.au Wed Nov 26 19:10:10 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Thu, 27 Nov 2008 09:10:10 +0900
Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
In-Reply-To: <477208.9218.qm@web110107.mail.gq1.yahoo.com>
References: <0867622C64B50C4B878AB45C95F43F11064E0B81@MAILWA01.wesenergy.local> <477208.9218.qm@web110107.mail.gq1.yahoo.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F11064E0C6A@MAILWA01.wesenergy.local>

Hi Guys,

We have resolved this by simply putting a static route for the spoke VPN site's internal addressing pointing to the outside interface on our firewall. I believe changing the addressing of the VPN clients would have done the same thing though.
Thanks,

Aaron

-----Original Message-----
From: Tony [mailto:td_miles at yahoo.com]
Sent: Wednesday, 26 November 2008 4:48 PM
To: cisco-nsp at puck.nether.net; Aaron Riemer
Subject: Re: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface

Hi Aaron,

I have set this up before (was set up many years ago on PIX v7 but is still used today) and it does work.

I would suggest you change the VPN client address pool to a totally DIFFERENT range. At the moment it seems that it is part of the same /24 that is on the ASA interface. You may need to add a static route to any internal gateways so that they know about this new IP range you are using (this depends on your setup). You will also need to ensure that this new address range is added to the ACL for the match traffic on your static tunnels.

Here is a Cisco doc on doing this:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00807f9a89.shtml

Look about halfway down the page for the section "Add a Remote Access VPN to the Configuration". The description for this says "This section provides the required procedures to add remote access capability and to allow remote users to access all sites." which would appear to be exactly what you want to do. In the example they have, they also use a separate subnet for the remote users.

regards,
Tony.

--- On Wed, 26/11/08, Aaron Riemer wrote:
> From: Aaron Riemer
> Subject: [c-nsp] Allowing VPN clients to access L2L tunnels terminating on the same outside interface
> To: cisco-nsp at puck.nether.net
> Date: Wednesday, 26 November, 2008, 6:12 PM
> Hey guys,
>
> I am hoping someone out there has configured something similar as I am having a lot of grief getting this working.
>
> Essentially what we are trying to do is to allow our VPN clients to access other L2L sites that terminate on the same outside interface. See below for details.
>
> VPN Client address range 10.100.1.100-200/24
> VPN client default gateway 10.100.1.1/24 (Inside 3750 switch next hop after ASA)
> ASA Inside address 10.100.1.10/24
> VPN tunnel peer addressing: 172.16.0.0/16
>
> We have configured the necessary commands to allow this hairpinning, i.e. 'same-security-traffic permit intra-interface'. The relevant VPN rules and nonat are in place to allow the entire 10.100.1.0/24 range across the L2L tunnel and this has been tested by attempting to telnet to a web server at the tunnel destination via the inside 3750.
>
> It's just the VPN clients on the outside interface can't seem to get through the tunnel. What makes things even more confusing is that ICMP goes across no problem but no TCP traffic will pass. (No SYN-ACK received from the web server). I have checked the logs and they don't indicate that any traffic is being denied. I can see the connection being built twice from the outside back to the inside default gateway then back from the inside (maybe this is the problem: do we need to make the vpn client pool gateway address an address on the firewall??)
>
> 2008/11/26 15:08:48 %ASA-6-302013: Built inbound TCP connection 137555837 for Outside:10.100.1.101/2523 (10.100.1.101/2523) to Inside:172.16.1.10/80 (172.16.1.10/80)
> 2008/11/26 15:08:48 %ASA-6-302013: Built outbound TCP connection 137555838 for Outside: 172.16.1.10/80 (172.16.1.10/80) to Inside:10.100.1.101/2523 (10.100.1.101/2523)
>
> Thanks in advance.
>
> Aaron.
>
>
> LEGAL DISCLAIMER: This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail.
> Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

From Damien.Vigar at det.nsw.edu.au Wed Nov 26 20:26:14 2008
From: Damien.Vigar at det.nsw.edu.au (Vigar, Damien)
Date: Thu, 27 Nov 2008 12:26:14 +1100
Subject: [c-nsp] Windows server hangs connected to 3750
In-Reply-To: <748865.92820.qm@web110112.mail.gq1.yahoo.com>
References: <0DD0E17BE9C0FA47981C67E9939D3D342EAA86312B@SLPPEXCCR02.central.det.win> <748865.92820.qm@web110112.mail.gq1.yahoo.com>
Message-ID: <0DD0E17BE9C0FA47981C67E9939D3D342EAA863145@SLPPEXCCR02.central.det.win>

Responses inline...

> Damien,
>
> What sort of troubleshooting have you done thus far?
>
> Some questions/suggestions:
>
> * check to make sure MAC addresses on the servers aren't the same. Sounds strange but I've had it before (from a reputable vendor whose name is abbreviated to 3 letters).

No, they're unique - I've heard of this but never seen it.
The NICs show as HP NC373i Multifunction Gigabit Server Adapter on our newer server, and HP NC7781 Gigabit Server Adapter on the server at another smaller site where the issue has occurred.

> * hard code both switch & server to 1000/full to make sure you're not getting speed/duplex mismatches.

As mentioned in another email, we've tried both auto and hard-coded. Currently the local support guys onsite have moved the server back to a fast ethernet port, and the problem hasn't recurred (ports and NIC both on Auto-negotiate).

> * does the problem continue to happen when ONLY the servers are connected to the switch (ie. isolated from rest of the network)?

I'd love to be able to test that - as these are the DC/file & print servers for TAFE (educational) campuses we won't be able to do that, at least during the week. And as a government job, overtime doesn't happen :-) Hmm - we've got the Xmas break coming up soon, I may be able to get them isolated for a bit during this time...

> * try new GBICs to check they aren't bad. Swap the ones that aren't working for some that are known to work (you mentioned you have some switches/servers that are working).

I can try this. It'll take time - we have one server at each of our 35 sites, spread across about half of New South Wales. So I can send new GBICs to sites and get some returned, but it might not be for a while.

> * change the NIC in the server. You're probably using the onboard NICs so this would mean adding a PCI Gb NIC to a server to test.

Pretty sure the onboard card is what is in use. I'll see if there are any NICs around that we can test with.

> * move one of your servers that IS working to the same switchport that isn't working with these new servers. This will pretty much rule out the switch (provided that it continues to work) and you can start looking at the servers harder.

As mentioned above, we've pretty much only the one server at each site. I'll check what we can do, though.
> * does it happen immediately (ie. as soon as you connect the servers) or does it take minutes/hours for the problem to show up?

It can take quite a while. It happened about once a week for a couple of weeks.

> * have you got anything fancy configured on the switch?

Pretty basic - running one VLAN for data, another for voice (Cisco IP Tel). The SFP port the GBIC is in is configured only for the data VLAN.

> * To attempt to see if it's a software issue you could boot up a live linux distro (eg. knoppix) and see if it has the same problems with the Gb cards/switch. If that works fine, then a reinstall of Windows might be called for, following that up with MS tech support if the problem still occurs.

I'll speak to our local support staff and see if we can get a box booted with knoppix or similar put onto the port for a while.

> * I think someone else already asked if you're doing anything fancy like clustering or load sharing/balancing?

Yep. Nothing like that at these sites.

> regards,
> Tony.

Cheers,
Damien

From chloekcy2000 at yahoo.ca Wed Nov 26 21:48:56 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Wed, 26 Nov 2008 21:48:56 -0500 (EST)
Subject: [c-nsp] broadcast address question
Message-ID: <841677.73604.qm@web57406.mail.re1.yahoo.com>

Hi

I got this info from sh int, but how come the broadcast address is not 192.168.0.195 and 192.168.0.165, but those are 255.255.255.255? In linux, those are 192.168.0.195 and 192.168.0.165.

router#sh ip interface
FastEthernet0/0 is up, line protocol is up
  Internet address is 192.168.0.193/30
  Broadcast address is 255.255.255.255
FastEthernet0/1 is up, line protocol is up
  Internet address 192.168.0.164/30
  Broadcast address is 255.255.255.255

Thank you

From zardoz at hotblack.net Wed Nov 26 21:34:45 2008
From: zardoz at hotblack.net (Tristan Gulyas)
Date: Thu, 27 Nov 2008 13:34:45 +1100
Subject: [c-nsp] Stack port flaps on Cisco 3750G series (was: Re: Catalyst 3750 stacks with many members)
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID:

Hi,

We've had no real trouble with large stacks of 3750G switches vs. smaller ones - I can see we have over 60 stacks of 7 and above (14 of these are 9 stack members). We poll these switches every minute using SNMP (statseeker, cacti) and have several scripts that perform configuration backups. I can't say I've seen high CPU at all.

Unfortunately one problem we've seen has been related to the stack ports - without warning, we will see stack ports flap down/up between particular switches. In one or two cases, the stack cable has been at fault but usually an RMA fixes the problem.
We monitor syslog for this and we have scripts that check every switch stack for stack interconnects which are down (the danger here is that when a stack link fails, we aren't informed about it). If the stack ports flap up/down rapidly and for a long time in quick succession, the stack will crash and reload.

Reproducing this issue in the lab has been a challenge and it seems to be environmental - i.e. we notice this more on warm, humid days.

Has anybody else encountered this issue? It doesn't seem at all related to the size of the stack, either.

thanks,
Tristan

----- Original Message -----
From: "Dale Shaw"
To:
Sent: Saturday, November 15, 2008 5:19 AM
Subject: [c-nsp] Catalyst 3750 stacks with many members

> Hi all,
>
> We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.
>
> Does anyone have any tips as to how to make large stacks more reliable? We're seeing really high CPU and have found you need to be really careful doing anything that has the potential to swamp the CPU -- the other day I crashed a stack master by clearing the CDP neighbour table (a bit silly in hindsight, given the number of CDP table entries [phones], but I was troubleshooting a stale neighbour problem).
>
> Does changing to the 'VLANs' SDM template for switch stacks in this role make any difference? These stacks don't do any routing, or traffic ACLs.
>
> We've tried 12.2(40)SE, 12.2(44)SE2 and 12.2(44)SE3. Our biggest stack is 7 members. You're supposed to be able to stack 9 of these things (and I don't recall reading about any caveats), so it's a bit concerning. Disabling certain functionality (e.g. CDP) to stabilise is one thing, but long term it would be nice if it 'just worked'.
>
> cheers,
> Dale

From p_ambedkar at rediffmail.com Thu Nov 27 00:09:33 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 27 Nov 2008 05:09:33 -0000
Subject: [c-nsp] cisco6500-vlans missing
Message-ID: <20081127050933.38729.qmail@f4mail-235-244.rediffmail.com>

hi,

1. In a cisco 6500 switch, the vlans are missing whenever it is restarted manually. Please give me a solution; why is it happening?

2. One of the gig ports is showing errdisable.

cheers, bye.

From dino at cisco.com Thu Nov 27 00:10:15 2008
From: dino at cisco.com (Dino Farinacci)
Date: Wed, 26 Nov 2008 21:10:15 -0800
Subject: [c-nsp] Opinions about ICMP Destination Unreachable
Message-ID:

I am just wondering how many people have ICMP Destination Unreachables disabled on their core routers. Could a CPE router, which may encapsulate data, be able to depend on ICMP Unreachables being sent to it?

I know there are many cases where router implementations default it to off (to not send ICMP DUs), but I'm wondering who leaves it this way or turns them on? Or when it defaults to on, who explicitly turns them off.

Thanks in advance,
Dino

From mtinka at globaltransit.net Thu Nov 27 00:13:15 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 27 Nov 2008 13:13:15 +0800
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
In-Reply-To: <009c01c95017$de39a740$9aacf5c0$@org.uk>
References: <009c01c95017$de39a740$9aacf5c0$@org.uk>
Message-ID: <200811271313.20055.mtinka@globaltransit.net>

On Thursday 27 November 2008 06:39:39 Dean Smith wrote:
> Cisco have introduced some index persistence to the cbQos mib but I haven't personally tested whether this gives persistence between policy edits...or simply between reboots.
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_cbqos.html

It does work for us (cbqos persistence, that is), and pretty well - we've been happy with it on the 12.2SR* train.

We use the Cacti template as indicated in a previous post. The installation into Cacti (0.8.7b) can be a bit interesting, but once you're done, it's very stable.

Cheers,

Mark.

From ecables at gmail.com Thu Nov 27 01:40:55 2008
From: ecables at gmail.com (Eric Cables)
Date: Wed, 26 Nov 2008 22:40:55 -0800
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
In-Reply-To: <009c01c95017$de39a740$9aacf5c0$@org.uk>
References: <009c01c95017$de39a740$9aacf5c0$@org.uk>
Message-ID:

Dean,

Thanks for the reply, very helpful info. The platform is a 7200VXR NPE-G2. The policy isn't exactly static, changing versions as new classes are defined (QOS_POLICY_V1 -> QOS_POLICY_V2, for example).

I think it may be difficult with the dynamic nature to define any static OIDs to graph, unless the persistence you mentioned has been implemented. I'll do some additional research to see what options are available.

Thanks again..

-- Eric Cables

On Wed, Nov 26, 2008 at 2:39 PM, Dean Smith wrote:
> Eric
>
> The cbQoS mib uses dynamic indexes which change if you amend the Service Policy or class definition. It is possible though (if you can walk the relevant MIB) to work out for yourself the indexes. You can then graph the relevant oids directly.
>
> You haven't mentioned which platform - the 10720 (12.0S IOS) actually has the MIB indexes on the CLI - so it can be quite easy with no snmp browsing required. I don't know if this applies to other 12.0S platforms.
>
> So... If you're comfortable poking around SNMP and looking at MIB walks.... and your policy is static (you can amend ACLs etc - but change the policy/classes and you have to start again)... shout and I'll write up some pointers.
>
> It's this sort of MIB - with 2 dynamic indexes - where things like Cacti really struggle. I did some scripts and templates for cacti a few years ago and you end up having to walk quite large bits of the MIB every poll to accurately tie the Interface + PolicyName + Class Name together if you want to keep doing it by names.
>
> Cisco have introduced some index persistence to the cbQos mib but I haven't personally tested whether this gives persistence between policy edits...or simply between reboots.
> http://www.cisco.com/en/US/docs/ios/12_4t/12_4t4/ht_cbqos.html
>
> Regards
> Dean
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wouter Prins
> Sent: 26 November 2008 18:10
> To: Eric Cables
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
>
> Hi Eric,
>
> There's a qos mib available for use with cbwfq on the cisco website (software navigator), I also found this link on the cacti forum, it's not done yet tho:
> http://forums.cacti.net/about7401.html&highlight=cbwfq
>
> --
> Wouter Prins
>
> 2008/11/26 Eric Cables :
>> We have a number of large MQC policies, and I'd like to graph the throughput of each class, allowing us to pro-actively identify any classes that may be exceeding their allocated bandwidth.
>>
>> Are there any tools available that allow service policy bandwidth graphing, on a per-class basis (maybe a Cacti addon)?
>>
>> -- Eric Cables

From mtinka at globaltransit.net Thu Nov 27 01:49:31 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 27 Nov 2008 14:49:31 +0800
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
In-Reply-To:
References: <009c01c95017$de39a740$9aacf5c0$@org.uk>
Message-ID: <200811271449.32824.mtinka@globaltransit.net>

On Thursday 27 November 2008 14:40:55 Eric Cables wrote:
> Thanks for the reply, very helpful info. The platform is a 7200VXR NPE-G2. The policy isn't exactly static, changing versions as new classes are defined (QOS_POLICY_V1 -> QOS_POLICY_V2, for example).
>
> I think it may be difficult with the dynamic nature to define any static OIDs to graph, unless the persistence you mentioned has been implemented. I'll do some additional research to see what options are available.

We have this working fine with persistence on the same platform, as well as the NPE-G1 - 12.2(33)SRC2.

Cheers,

Mark.

From ecables at gmail.com Thu Nov 27 01:58:56 2008
From: ecables at gmail.com (Eric Cables)
Date: Wed, 26 Nov 2008 22:58:56 -0800
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?
In-Reply-To: <200811271449.32824.mtinka@globaltransit.net>
References: <009c01c95017$de39a740$9aacf5c0$@org.uk> <200811271449.32824.mtinka@globaltransit.net>
Message-ID:

Excellent. I just finished reading through the provided link, and it does appear to be a viable solution. I'll work on getting that Cacti template implemented, and see how things go.

Thanks for the replies..

-- Eric Cables

On Wed, Nov 26, 2008 at 10:49 PM, Mark Tinka wrote:
> On Thursday 27 November 2008 14:40:55 Eric Cables wrote:
>
>> Thanks for the reply, very helpful info. The platform is a 7200VXR NPE-G2. The policy isn't exactly static, changing versions as new classes are defined (QOS_POLICY_V1 -> QOS_POLICY_V2, for example).
>>
>> I think it may be difficult with the dynamic nature to define any static OIDs to graph, unless the persistence you mentioned has been implemented. I'll do some additional research to see what options are available.
>
> We have this working fine with persistence on the same platform, as well as the NPE-G1 - 12.2(33)SRC2.
>
> Cheers,
>
> Mark.
>

From rmikisa at gmail.com Thu Nov 27 03:11:07 2008
From: rmikisa at gmail.com (Mikisa Richard)
Date: Thu, 27 Nov 2008 11:11:07 +0300
Subject: [c-nsp] Rate limit or policy-map
In-Reply-To: <200811271313.20055.mtinka@globaltransit.net>
References: <009c01c95017$de39a740$9aacf5c0$@org.uk> <200811271313.20055.mtinka@globaltransit.net>
Message-ID: <492E561B.1020607@gmail.com>

Hi all

I have a scenario where I have to dedicate 256K to a particular host out of my 1M link. What would be the best way to go about it? Should I do a simple interface rate limit or should I do a policy and police off that?

Regards
Richard.
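Richard's question turns on the difference between a policer, which only caps a class, and a CBWFQ bandwidth statement, which guarantees it a minimum. The Python checker below is an added example, not code from this thread or from Cisco: it parses a small IOS-style policy-map (constructed inline, with assumed class names) and reports which classes are guaranteed and which are only capped, then checks the total of the guarantees against the share of the link that classic IOS lets a policy reserve (75% of the interface bandwidth unless max-reserved-bandwidth is raised); it runs the check for both the 1024 and the 1000 kbps reading of a "1M" link, because that decides whether 256K plus 512K of guarantees still fits.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Classic IOS queueing lets class guarantees use at most 75% of the
# interface bandwidth unless max-reserved-bandwidth is raised.
DEFAULT_MAX_RESERVED_PCT = 75

# Constructed sample, not a config from the thread: one class with a
# CBWFQ guarantee, one that is only policed (capped), plus class-default.
SAMPLE_POLICY = """
policy-map SERIAL-EGRESS-EXAMPLE
 class DEDICATED-HOST
  bandwidth 256
 class BULK
  police 128000
 class class-default
  bandwidth 512
!
"""


@dataclass
class ClassEntry:
    name: str
    bandwidth_kbps: Optional[int] = None  # CBWFQ minimum guarantee
    police_bps: Optional[int] = None      # policer: an upper limit only


@dataclass
class PolicyMap:
    name: str
    classes: List[ClassEntry] = field(default_factory=list)


def parse_policy_map(config: str, link_kbps: int) -> PolicyMap:
    """Parse one IOS-style policy-map from text.

    Handles 'bandwidth <kbps>', 'bandwidth percent <n>' (resolved against
    link_kbps) and 'police <bps>'; other lines are ignored.
    """
    pm: Optional[PolicyMap] = None
    current: Optional[ClassEntry] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"policy-map (\S+)", line):
            pm = PolicyMap(m.group(1))
            current = None
        elif pm is None:
            continue  # text before the policy-map header
        elif m := re.fullmatch(r"class (\S+)", line):
            current = ClassEntry(m.group(1))
            pm.classes.append(current)
        elif current is None:
            continue
        elif m := re.fullmatch(r"bandwidth percent (\d+)", line):
            current.bandwidth_kbps = link_kbps * int(m.group(1)) // 100
        elif m := re.fullmatch(r"bandwidth (\d+)", line):
            current.bandwidth_kbps = int(m.group(1))
        elif m := re.match(r"police (\d+)", line):
            current.police_bps = int(m.group(1))
    if pm is None:
        raise ValueError("no policy-map found in config")
    return pm


def check_reservations(pm: PolicyMap, link_kbps: int,
                       max_reserved_pct: int = DEFAULT_MAX_RESERVED_PCT) -> dict:
    """Sum the guarantees and compare them with the reservable share of the link."""
    guaranteed = sum(c.bandwidth_kbps or 0 for c in pm.classes)
    reservable = link_kbps * max_reserved_pct // 100
    capped_only = [c.name for c in pm.classes
                   if c.police_bps is not None and c.bandwidth_kbps is None]
    return {
        "policy": pm.name,
        "guaranteed_kbps": guaranteed,
        "reservable_kbps": reservable,
        "fits": guaranteed <= reservable,
        "capped_only": capped_only,  # classes with a ceiling but no floor
    }


if __name__ == "__main__":
    for link in (1024, 1000):  # "1M" read as 1024 or as 1000 kbps
        result = check_reservations(parse_policy_map(SAMPLE_POLICY, link), link)
        print(link, result)
```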
From avayner at cisco.com Thu Nov 27 03:38:45 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 27 Nov 2008 09:38:45 +0100
Subject: [c-nsp] Rate limit or policy-map
In-Reply-To: <492E561B.1020607@gmail.com>
References: <009c01c95017$de39a740$9aacf5c0$@org.uk> <200811271313.20055.mtinka@globaltransit.net> <492E561B.1020607@gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A50239DF6C@xmb-ams-331.emea.cisco.com>

Richard,

Using a policer (rate-limit) does not dedicate or allocate any minimal bandwidth... It creates an upper limit for the specific class.
You should be using the "bandwidth" statement inside the correct class-map for the relevant traffic.

A very basic config for something that sounds like what you need would be:

class-map match-all CRITICAL-TRAFFIC
 match access-group 1
!
!
policy-map SERIAL-1-0-EGRESS
 class CRITICAL-TRAFFIC
  bandwidth 256
 class class-default
  bandwidth 512
!
interface Serial1/0
 service-policy output SERIAL-1-0-EGRESS
!
access-list 1 permit 1.1.1.0 0.0.0.255
!

The above config would allocate a minimal rate of 256K for the traffic originated from 1.1.1.0/24, and would assign a minimal rate of 512K for all the rest. The remaining bandwidth would be split by the 2 classes. Also each class can use the other class's unused bandwidth.

For more information, take a look at:
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/12_4t/qos_12_4t_book.html

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikisa Richard
Sent: Thursday, November 27, 2008 10:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Rate limit or policy-map

Hi all

I have a scenario where I have to dedicate 256K to a particular host out of my 1M link. What would be the best way to go about it? Should I do a simple interface rate limit or should I do a policy and police off that ?

Regards
Richard.
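The reply above makes the point that a guarantee comes from "bandwidth" statements in a policy-map, not from a policer, and that the guarantees of all classes share what the interface can reserve. The Python below is an added example for this archive, not code from Arie or from Cisco: it parses a constructed config in the shape of the one he posted and checks that the class guarantees fit into what classic IOS will actually reserve. The "bandwidth 1024" line on the interface and the 75 percent max-reserved-bandwidth default are assumptions made for the example; the poster described a 1M link but showed no bandwidth statement.

```python
# Classic IOS reserves at most max-reserved-bandwidth percent (default 75)
# of an interface's configured bandwidth for class guarantees.  Assumed here;
# HQF-based releases relax this, so treat the cap as a parameter.
DEFAULT_MAX_RESERVED_PCT = 75

# Constructed IOS config modelled on the reply above.  The interface line
# "bandwidth 1024" is an assumption for the example, not something posted.
SAMPLE_CONFIG = """\
class-map match-all CRITICAL-TRAFFIC
 match access-group 1
!
policy-map SERIAL-1-0-EGRESS
 class CRITICAL-TRAFFIC
  bandwidth 256
 class class-default
  bandwidth 512
!
interface Serial1/0
 bandwidth 1024
 service-policy output SERIAL-1-0-EGRESS
!
access-list 1 permit 1.1.1.0 0.0.0.255
!
"""


def parse_config(text):
    """Return ({policy: {class: {"kbps", "percent"}}}, {interface: info})."""
    policies, interfaces = {}, {}
    section, cur_class = None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            section, cur_class = None, None
            continue
        tokens = line.split()
        if not line[0].isspace():                 # a new top-level stanza
            cur_class = None
            if tokens[0] == "policy-map":
                section = ("policy", tokens[1])
                policies.setdefault(tokens[1], {})
            elif tokens[0] == "interface":
                section = ("interface", tokens[1])
                interfaces.setdefault(tokens[1], {
                    "bandwidth": None,
                    "max_reserved_pct": DEFAULT_MAX_RESERVED_PCT,
                    "policies": []})
            else:
                section = None
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "policy":
            if tokens[0] == "class":
                cur_class = tokens[1]
                policies[name].setdefault(cur_class, {"kbps": 0, "percent": 0})
            elif cur_class and tokens[0] in ("bandwidth", "priority"):
                # "bandwidth remaining ..." only shares leftover; it reserves nothing
                if tokens[1] == "percent":
                    policies[name][cur_class]["percent"] += int(tokens[2])
                elif tokens[1] != "remaining":
                    policies[name][cur_class]["kbps"] += int(tokens[1])
        elif kind == "interface":
            if tokens[0] == "bandwidth":
                interfaces[name]["bandwidth"] = int(tokens[1])
            elif tokens[0] == "max-reserved-bandwidth":
                interfaces[name]["max_reserved_pct"] = int(tokens[1])
            elif tokens[0] == "service-policy" and len(tokens) >= 3:
                interfaces[name]["policies"].append((tokens[1], tokens[2]))
    return policies, interfaces


def check_reservations(text):
    """For each egress service-policy, compare the kbps guaranteed to classes
    with the kbps the interface can reserve."""
    policies, interfaces = parse_config(text)
    findings = []
    for ifname, info in interfaces.items():
        for direction, pname in info["policies"]:
            if direction != "output" or pname not in policies:
                continue
            link = info["bandwidth"]
            if link is None:
                findings.append({"interface": ifname, "policy": pname,
                                 "error": "no bandwidth statement on interface"})
                continue
            reservable = link * info["max_reserved_pct"] // 100
            reserved = sum(c["kbps"] + link * c["percent"] // 100
                           for c in policies[pname].values())
            findings.append({"interface": ifname, "policy": pname,
                             "link_kbps": link, "reservable_kbps": reservable,
                             "reserved_kbps": reserved,
                             "ok": reserved <= reservable})
    return findings


if __name__ == "__main__":
    for finding in check_reservations(SAMPLE_CONFIG):
        print(finding)
```

With the assumed "bandwidth 1024", the 256 + 512 kbps of guarantees equal the 768 kbps that a 75 percent cap allows, so the check passes; on the same link configured as "bandwidth 1000" the cap drops to 750 kbps and the script flags the policy, which is the situation in which IOS refuses to attach it. The script also reports an interface that carries a service-policy but no bandwidth statement, since the cap cannot be computed there.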
From achatz at forthnet.gr Thu Nov 27 03:58:07 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 27 Nov 2008 10:58:07 +0200
Subject: [c-nsp] cisco6500-vlans missing
In-Reply-To: <20081127050933.38729.qmail@f4mail-235-244.rediffmail.com>
References: <20081127050933.38729.qmail@f4mail-235-244.rediffmail.com>
Message-ID: <492E611F.6080804@forthnet.gr>

ambedkar wrote on 27/11/2008 07:09:
> hi,
> 1. In cisco 6500 switch, the vlans are missing whenever it is
> restarted manually. please give me solution why it is happening.
>

Is it a vtp client? What does "sh vtp status" show?

> 2. one of the gig port showing errdisable.
>

Do you have errdisable recovery enabled for all causes? "sh errdisable recovery" will probably show you the reason.

--
Tassos

> cheers, bye.
>

From arla at rn.dk Thu Nov 27 04:33:51 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Thu, 27 Nov 2008 10:33:51 +0100
Subject: [c-nsp] dns rewrite on FWSM
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F7784106@SRVEXC02.aas.its.nja.dk>

Hi Folks.

Isn't it possible to do rewrite dns on a Firewall service module, or do I need to make an upgrade of the software ?? I'm currently running 3.1(6).
/Arne From furry13 at gmail.com Thu Nov 27 06:15:02 2008 From: furry13 at gmail.com (Jen Linkova) Date: Thu, 27 Nov 2008 14:15:02 +0300 Subject: [c-nsp] Opinions about ICMP Destination Unreachable In-Reply-To: References: Message-ID: <6b86f99d0811270315y3e4165cdj862eea1b96ef5309@mail.gmail.com> On Thu, Nov 27, 2008 at 8:10 AM, Dino Farinacci wrote: > I am just wondering how many people have ICMP Destination Unreachables > disabled on their core routers. Could an CPE router, which may encapsulate > data, be able to depend on ICMP Unreachables to be sent to it? > > I know there are many cases where router implementations default it to off > (to not send ICMP DUs), but wondering who leaves it this way or turns them > on? Of when it defaults to on, who explicitly turns them off. Most of people who disable ICMP DU just don't understand what ICMP DU is for. Need I mention that PMTUD relies on ICMP type 3/code 4... In addition, it looks like that "no ip unreach" interface command disables "too big" message as well, breaking PMTUD. I prefer to enable ICMP DU on any interfaces where fragmentation may occur. P.S. Fortunately, there are separate types for "Packet Too Big" and "Destination Unreachable" messages in ICMPv6 ;-) -- SY, Jen Linkova aka Furry From vinzoda.hitesh at gmail.com Thu Nov 27 06:28:38 2008 From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda) Date: Thu, 27 Nov 2008 03:28:38 -0800 Subject: [c-nsp] ASA AIP-SSM-10 In-Reply-To: <20081126155807.GU21516@thot.informatik.uni-kl.de> References: <20081126155807.GU21516@thot.informatik.uni-kl.de> Message-ID: Does that tftp server need to be of the same subnet for which i had one for IPS or nothing to be done. Regards On 11/26/08, Joerg Mayer wrote: > > On Wed, Nov 26, 2008 at 01:30:32AM -0800, Hitesh Vinzoda wrote: > > We were upgrading the patches on AIP-SSM-10 and IPS seems not to be > coming > > up after reload. the module status is UNRESPONSIVE. more over we havent > > configure recovery on it. 
please suggest to bring up the IDS from > scratch. > > You configure the recovery on the asa (hw module configure recover or > something > to that end). Make sure you have a tftp-server connected to the external > ge-port of the aip. Start recovery (hw module recover or whatever). The > commands all need to be typed from the asa command line, the asa acts as > the > rommon replacement for the SSMs. There's also a debug (on the asa) that > let's > you watch the recovery process but I currently don't remember the exact > debug > command. > > ciao > Joerg > > -- > Joerg Mayer > We are stuck with technology when what we really want is just stuff that > works. Some say that should read Microsoft instead of technology. > From sthaug at nethelp.no Thu Nov 27 07:16:00 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Thu, 27 Nov 2008 13:16:00 +0100 (CET) Subject: [c-nsp] Opinions about ICMP Destination Unreachable In-Reply-To: <6b86f99d0811270315y3e4165cdj862eea1b96ef5309@mail.gmail.com> References: <6b86f99d0811270315y3e4165cdj862eea1b96ef5309@mail.gmail.com> Message-ID: <20081127.131600.74661715.sthaug@nethelp.no> > > I am just wondering how many people have ICMP Destination Unreachables > > disabled on their core routers. Could an CPE router, which may encapsulate > > data, be able to depend on ICMP Unreachables to be sent to it? > > > > I know there are many cases where router implementations default it to off > > (to not send ICMP DUs), but wondering who leaves it this way or turns them > > on? Of when it defaults to on, who explicitly turns them off. > > Most of people who disable ICMP DU just don't understand what ICMP DU > is for. Need I mention that PMTUD relies on ICMP type 3/code 4... > In addition, it looks like that "no ip unreach" interface command > disables "too big" message as well, breaking PMTUD. > I prefer to enable ICMP DU on any interfaces where fragmentation may occur. 
There is also a middle ground here - leave ICMP Destination Unreachable on but rate limit the replies to a suitably low value. This means that you will *probably* get a reply, but it's certainly not guaranteed. Steinar Haug, Nethelp consulting, sthaug at nethelp.no From avayner at cisco.com Thu Nov 27 08:08:25 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Thu, 27 Nov 2008 14:08:25 +0100 Subject: [c-nsp] dns rewrite on FWSM In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F7784106@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A28C6F7784106@SRVEXC02.aas.its.nja.dk> Message-ID: <67F7C1FAF83A074AA3520D8F155782A50239E166@xmb-ams-331.emea.cisco.com> Arne, Can you please explain what you want to achieve? What do you mean by DNS Rewrite? Thanks Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland Sent: Thursday, November 27, 2008 11:34 AM To: 'cisco-nsp at puck.nether.net' Subject: [c-nsp] dns rewrite on FWSM Hi Folks. Isn't it possible to do rewrite dns on a Firewall service modul, or do I need to make an upgrade off the software ?? I'm current running 3.1(6). /Arne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From moshemizrachi at gmail.com Thu Nov 27 08:26:44 2008 From: moshemizrachi at gmail.com (moshe mizrachi) Date: Thu, 27 Nov 2008 15:26:44 +0200 Subject: [c-nsp] load balance between to EBGP peers Message-ID: Hi all , i have MPLS/VPN network based on 7600's . all the Internet is going via VRF-INTERNET , my ASBR gets full route from 2 peers via OC12 POS interfaces on VRF INTERNET , also he gets 0.0.0.0 route from both peers but of course only 1 gets to FIB . 
my target is to get load balance between the 2 peers(on the ASBR) in the outgoing traffic and to redistribute only 0.0.0.0 to VRF INTERNET to all the IBGP peers. what i see now is that the 0.0.0.0 gets label in the FIB of the ASBR pointing on one of the POS interface, so the other POS stay empty , with the show ip route vrf INTERNET 0.0.0.0 0.0.0.0 command i see the LB0 of the ASBR which is OK but the MPLS label table on the VRF INTERNET is pointing on the POS interface . i just want that the ASBR will route the traffic according to his full route table . so actually now i redistribute to all PE's /20 subnets for getting load balance , does someone have a good ides for this one ? regards moshe From avayner at cisco.com Thu Nov 27 08:36:04 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Thu, 27 Nov 2008 14:36:04 +0100 Subject: [c-nsp] load balance between to EBGP peers In-Reply-To: References: Message-ID: <67F7C1FAF83A074AA3520D8F155782A50239E18F@xmb-ams-331.emea.cisco.com> Moshe, Take a look at these command: http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp3.h tml#wp1012317 Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of moshe mizrachi Sent: Thursday, November 27, 2008 15:27 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] load balance between to EBGP peers Hi all , i have MPLS/VPN network based on 7600's . all the Internet is going via VRF-INTERNET , my ASBR gets full route from 2 peers via OC12 POS interfaces on VRF INTERNET , also he gets 0.0.0.0 route from both peers but of course only 1 gets to FIB . my target is to get load balance between the 2 peers(on the ASBR) in the outgoing traffic and to redistribute only 0.0.0.0 to VRF INTERNET to all the IBGP peers. 
what i see now is that the 0.0.0.0 gets label in the FIB of the ASBR pointing on one of the POS interface, so the other POS stay empty , with the show ip route vrf INTERNET 0.0.0.0 0.0.0.0 command i see the LB0 of the ASBR which is OK but the MPLS label table on the VRF INTERNET is pointing on the POS interface . i just want that the ASBR will route the traffic according to his full route table . so actually now i redistribute to all PE's /20 subnets for getting load balance , does someone have a good ides for this one ? regards moshe _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From TOMAS.LYNCH at GlobalCrossing.com Thu Nov 27 08:41:01 2008 From: TOMAS.LYNCH at GlobalCrossing.com (Lynch, Tomas) Date: Thu, 27 Nov 2008 08:41:01 -0500 Subject: [c-nsp] load balance between to EBGP peers References: Message-ID: <5210A1C9084123478E12AA5924D1F2538EC0A7@w3usmia2.lat.gblxint.com> You don't need the default route from your providers, just the full table. Inside your VRF, originate the default route locally from you ASBR and redistribute it to the rest of your routers (I'm assuming you are not sending the full table to the rest of the routers due to several limitations you may have there). To balance between your providers use any BGP attribute that may suit the purpose. > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp- > bounces at puck.nether.net] On Behalf Of moshe mizrachi > Sent: Thursday, November 27, 2008 11:27 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] load balance between to EBGP peers > > Hi all , > > i have MPLS/VPN network based on 7600's . all the Internet is going via > VRF-INTERNET , my ASBR gets full route from 2 peers via OC12 POS > interfaces > on VRF INTERNET , also he gets 0.0.0.0 route from both peers but of > course > only 1 gets to FIB . 
> my target is to get load balance between the 2 peers(on the ASBR) in > the > outgoing traffic and to redistribute only 0.0.0.0 to VRF INTERNET to > all the > IBGP peers. what i see now is that the 0.0.0.0 gets label in the FIB > of > the ASBR pointing on one of the POS interface, so the other POS stay > empty , with the show ip route vrf INTERNET 0.0.0.0 0.0.0.0 command i > see > the LB0 of the ASBR which is OK but the MPLS label table on the VRF > INTERNET > is pointing on the POS interface . i just want that the ASBR will route > the > traffic according to his full route table . > > so actually now i redistribute to all PE's /20 subnets for getting load > balance , > does someone have a good ides for this one ? > > regards moshe > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From lee.e.rian at census.gov Thu Nov 27 08:48:03 2008 From: lee.e.rian at census.gov (lee.e.rian at census.gov) Date: Thu, 27 Nov 2008 08:48:03 -0500 Subject: [c-nsp] broadcast address question In-Reply-To: <841677.73604.qm@web57406.mail.re1.yahoo.com> References: <841677.73604.qm@web57406.mail.re1.yahoo.com> Message-ID: Either one works, but the all 1s broadcast address is more correct. See RFC-1122 Requirements for Internet Hosts -- Communication Layers 3.3.6 Broadcasts Hosts SHOULD use the Limited Broadcast address to broadcast to a connected network. 
Lee -----cisco-nsp-bounces at puck.nether.net wrote: ----- >To: cisco-nsp at puck.nether.net >From: chloe K >Sent by: cisco-nsp-bounces at puck.nether.net >Date: 11/26/2008 09:48PM >Subject: [c-nsp] broadcast address question > >Hi > > I got this info from sh int > but how come the broadcast address is not > 192,168,0.195 > and > 192.168.0.165 > but those are 255.255.255.255 > in linux, those are 192,168,0.195 and 192.168.0.165 > > > router#sh ip interface >FastEthernet0/0 is up, line protocol is up > Internet address is 192.168.0.193/30 > Broadcast address is 255.255.255.255 > > FastEthernet0/1 is up, line protocol is up > Internet address 192.168.0.164/30 > Broadcast address is 255.255.255.255 > > > Thank you > > > > > >--------------------------------- > > >Yahoo! Canada Toolbar : Search from anywhere on the >web and bookmark your favourite sites. Download it now! >_______________________________________________ >cisco-nsp mailing list cisco-nsp at puck.nether.net >https://puck.nether.net/mailman/listinfo/cisco-nsp >archive at http://puck.nether.net/pipermail/cisco-nsp/ From arla at rn.dk Thu Nov 27 09:25:28 2008 From: arla at rn.dk (Arne Larsen / Region Nordjylland) Date: Thu, 27 Nov 2008 15:25:28 +0100 Subject: [c-nsp] dns rewrite on FWSM In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50239E166@xmb-ams-331.emea.cisco.com> References: <8D68760F464FFD40A01BF2FB374E4A28C6F7784106@SRVEXC02.aas.its.nja.dk> <67F7C1FAF83A074AA3520D8F155782A50239E166@xmb-ams-331.emea.cisco.com> Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F7784108@SRVEXC02.aas.its.nja.dk> Hi Arie. As Jen Likova wrote it should be possible to change the answer from an public dns server. My problem is that we got to access RFC1918 address from our internal network to dmz web-servers, and public users need to use public address off cause. So by rewriteing the dns answer we wont need to maintain internal dns for the servers on the the dmz. 
But I just can't get it working on the FWSM, I made somthing like this on an asa5510 and that works fine. http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/configuration/guide/cfgnat_f.html#wp1042753 /Arne -----Oprindelig meddelelse----- Fra: Arie Vayner (avayner) [mailto:avayner at cisco.com] Sendt: 27. november 2008 14:08 Til: Arne Larsen / Region Nordjylland; cisco-nsp at puck.nether.net Emne: RE: [c-nsp] dns rewrite on FWSM Arne, Can you please explain what you want to achieve? What do you mean by DNS Rewrite? Thanks Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Arne Larsen / Region Nordjylland Sent: Thursday, November 27, 2008 11:34 AM To: 'cisco-nsp at puck.nether.net' Subject: [c-nsp] dns rewrite on FWSM Hi Folks. Isn't it possible to do rewrite dns on a Firewall service modul, or do I need to make an upgrade off the software ?? I'm current running 3.1(6). /Arne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From jeff-kell at utc.edu Thu Nov 27 11:14:41 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Thu, 27 Nov 2008 11:14:41 -0500 Subject: [c-nsp] dns rewrite on FWSM In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F7784108@SRVEXC02.aas.its.nja.dk> References: <8D68760F464FFD40A01BF2FB374E4A28C6F7784106@SRVEXC02.aas.its.nja.dk> <67F7C1FAF83A074AA3520D8F155782A50239E166@xmb-ams-331.emea.cisco.com> <8D68760F464FFD40A01BF2FB374E4A28C6F7784108@SRVEXC02.aas.its.nja.dk> Message-ID: <492EC771.4090301@utc.edu> Arne Larsen / Region Nordjylland wrote: > As Jen Likova wrote it should be possible to change the answer from an public dns server. > My problem is that we got to access RFC1918 address from our internal network to dmz web-servers, and public users need to use public address off cause. 
> So by rewriteing the dns answer we wont need to maintain internal dns for the servers on the the dmz. > But I just can't get it working on the FWSM, I made somthing like this on an asa5510 and that works fine. Haven't done this in awhile (we split internal/external DNS servers) but works on PIX and ASA, not sure about FWSM. Be sure you have DNS rewrite enabled on the static translations for the DMZ servers. Jeff From dino at cisco.com Thu Nov 27 12:19:08 2008 From: dino at cisco.com (Dino Farinacci) Date: Thu, 27 Nov 2008 09:19:08 -0800 Subject: [c-nsp] Opinions about ICMP Destination Unreachable In-Reply-To: <20081127.131600.74661715.sthaug@nethelp.no> References: <6b86f99d0811270315y3e4165cdj862eea1b96ef5309@mail.gmail.com> <20081127.131600.74661715.sthaug@nethelp.no> Message-ID: <7A6B4F11-C88D-4776-B3D2-882125BB946F@cisco.com> Thanks all for your replies. The Nexus 7000 defaults IPv4 ICMP Destination Unreachables to off but Port Unreachables to on. But when any DU are configured on, we rate- limit 1 per second per interface (where interface is the next-hop interface to send the DU to the source of the invoking packet). Dino On Nov 27, 2008, at 4:16 AM, sthaug at nethelp.no wrote: >>> I am just wondering how many people have ICMP Destination >>> Unreachables >>> disabled on their core routers. Could an CPE router, which may >>> encapsulate >>> data, be able to depend on ICMP Unreachables to be sent to it? >>> >>> I know there are many cases where router implementations default >>> it to off >>> (to not send ICMP DUs), but wondering who leaves it this way or >>> turns them >>> on? Of when it defaults to on, who explicitly turns them off. >> >> Most of people who disable ICMP DU just don't understand what ICMP DU >> is for. Need I mention that PMTUD relies on ICMP type 3/code 4... >> In addition, it looks like that "no ip unreach" interface command >> disables "too big" message as well, breaking PMTUD. 
>> I prefer to enable ICMP DU on any interfaces where fragmentation >> may occur. > > There is also a middle ground here - leave ICMP Destination > Unreachable > on but rate limit the replies to a suitably low value. This means that > you will *probably* get a reply, but it's certainly not guaranteed. > > Steinar Haug, Nethelp consulting, sthaug at nethelp.no > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From Jaime at ulima.edu.pe Thu Nov 27 14:08:09 2008 From: Jaime at ulima.edu.pe (Velasquez Venegas Jaime Omar) Date: Thu, 27 Nov 2008 14:08:09 -0500 Subject: [c-nsp] wireless access-controll feature in ios software In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F77840FE@SRVEXC02.aas.its.nja.dk> Message-ID: <8DD1F4B50477AC45A35AB5F8C03B62C401856892@sauce.ulima.ul> I believe auth proxy can authenticate on specific and a limited number of protocols (telnet,http,ssh).Authentication forced by captive portal applies to any type traffic going through which is mostly the case for a typical wireless users network .Can anyone confirm? Thanks -----Mensaje original----- De: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] En nombre de Arne Larsen / Region Nordjylland Enviado el: Wednesday, November 26, 2008 6:58 AM Para: 'John Kougoulos' CC: 'cisco-nsp at puck.nether.net' Asunto: Re: [c-nsp] wireless access-controll feature in ios software Jep, I beleive that's it. Great thanks. /Arne -----Oprindelig meddelelse----- Fra: John Kougoulos [mailto:koug at intracom.gr] Sendt: 26. 
november 2008 08:33 Til: Arne Larsen / Region Nordjylland Cc: 'cisco-nsp at puck.nether.net' Emne: Re: [c-nsp] wireless access-controll feature in ios software Hello, perhaps you are looking for this: Consent Feature for Cisco IOS Routers 12.4(15)T http://www.cisco.com/en/US/docs/ios/12_4t/12_4t15/auth_fw.html However you can also use the embedded captive portal when you use Cisco WLC controllers or you can also try Chillispot --koug On Tue, 25 Nov 2008, Arne Larsen / Region Nordjylland wrote: > > Hi all. > > I'm searching my memory about an IOS that I seem to remember, that can authenticate wireless users via an authentication website configured directly in the IOS box. > But I just can't remember what or where it was. Is there someone here that remember anything about this; I believe that it was an unsupported feature. > > /Arne > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From peter at rathlev.dk Thu Nov 27 15:07:08 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 27 Nov 2008 21:07:08 +0100 Subject: [c-nsp] load balance between to EBGP peers In-Reply-To: References: Message-ID: <1227816428.3582.5.camel@abehat> On Thu, 2008-11-27 at 15:26 +0200, moshe mizrachi wrote: > i have MPLS/VPN network based on 7600's . all the Internet is going via > VRF-INTERNET , my ASBR gets full route from 2 peers via OC12 POS > interfaces on VRF INTERNET , also he gets 0.0.0.0 route from both > peers but of course only 1 gets to FIB . > my target is to get load balance between the 2 peers(on the ASBR) in > the outgoing traffic and to redistribute only 0.0.0.0 to VRF INTERNET > to all the IBGP peers. 
what i see now is that the 0.0.0.0 gets label > in the FIB of the ASBR pointing on one of the POS interface, so the > other POS stay empty , with the show ip route vrf INTERNET 0.0.0.0 > 0.0.0.0 command i see the LB0 of the ASBR which is OK but the MPLS > label table on the VRF INTERNET is pointing on the POS interface . i > just want that the ASBR will route the traffic according to his full > route table . > > so actually now i redistribute to all PE's /20 subnets for getting load > balance , > does someone have a good ides for this one ? As I understand your description, the box has a specific forwarding adjacency for the traffic received on the 0/0 LSP from the core. To make it use the routing table, you need it to perform a routing lookup, which (AFAIK) an aggregate label will do for you. Haven't tested this, but if you stop redistributing a default received from upstream, and instead add a static default pointing to Null0 in the VRF, you should get an aggregate label. This might result in lower performance, since the router needs to a full IP lookup. Regards, Peter From jim at tgasolutions.com Thu Nov 27 21:39:52 2008 From: jim at tgasolutions.com (Jim McBurnett) Date: Thu, 27 Nov 2008 21:39:52 -0500 Subject: [c-nsp] Downloadable ACLs without using ACS In-Reply-To: <4925986E.3070701@technovoid.com> References: <4925986E.3070701@technovoid.com> Message-ID: I've got customer's using Microsoft IAS... But they have spent lots of time securing AD so that non-employee users have no AD folder/LAN permissions.. This makes me say- any standards based RADIUS should work.. jim -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ivor Coons Sent: Thursday, November 20, 2008 12:04 PM To: cisco NSP Puck Nether Net Subject: [c-nsp] Downloadable ACLs without using ACS Does anyone here have experience configuring downloadable ACLs on an ASA/PIX using freeradius or some other free AAA server? 
Every search I have done references Cisco's TACACS server as the AAA option. Is it even possible to use a third party server?

Thanks,
Ivor

From p_ambedkar at rediffmail.com Fri Nov 28 00:26:58 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 28 Nov 2008 05:26:58 -0000
Subject: [c-nsp] cisco6500-vlans missing
Message-ID: <20081128052658.12964.qmail@f4mail-234-242.rediffmail.com>

hi,
this is the log...

106_6509_CAT_1>
106_6509_CAT_1> sh port
* = Configured MAC Address.
# = 802.1X Authenticated Port Name.

Port  Name                 Status     Vlan       Duplex Speed Type
----- -------------------- ---------- ---------- ------ ----- ------------
  1/1                      notconnect 1          full   1000  No Connector
  1/2                      notconnect 1          full   1000  No Connector
  2/1                      notconnect 1          full   1000  No Connector
  2/2                      notconnect 1          full   1000  No Connector
  3/1                      notconnect 1          auto   auto  10/100BaseTX
  3/2                      connected  1          a-full a-100 10/100BaseTX
  3/3                      connected  1          a-full a-100 10/100BaseTX
  3/4                      notconnect 1          auto   auto  10/100BaseTX
  3/5                      notconnect 1          auto   auto  10/100BaseTX
  3/6                      connected  1          a-full a-100 10/100BaseTX
  3/7                      notconnect 1          auto   auto  10/100BaseTX
  3/8                      connected  1          a-half a-100 10/100BaseTX
  3/9                      notconnect 1          auto   auto  10/100BaseTX
 3/10                      notconnect 1          auto   auto  10/100BaseTX
 3/11                      notconnect 1          auto   auto  10/100BaseTX
 3/12                      notconnect 1          auto   auto  10/100BaseTX
 3/13                      connected  1          a-full a-100 10/100BaseTX
 3/14                      connected  1          a-half a-100 10/100BaseTX
 3/15                      notconnect 1          auto   auto  10/100BaseTX
 3/16                      notconnect 1          auto   auto  10/100BaseTX
 3/17                      connected  1          a-full a-100 10/100BaseTX
 3/18                      connected  1          a-full a-100 10/100BaseTX
 3/19                      connected  1          a-full a-100 10/100BaseTX
 3/20                      notconnect 1          auto   auto  10/100BaseTX
 3/21                      connected  1          a-full a-100 10/100BaseTX
 3/22                      connected  1          a-full a-100 10/100BaseTX
 3/23                      connected  1          a-full a-100 10/100BaseTX
 3/24                      connected  1          a-full a-100 10/100BaseTX
 3/25                      connected  1          a-half a-10  10/100BaseTX
 3/26                      connected  1          a-half a-10  10/100BaseTX
 3/27                      connected  1          a-half a-10  10/100BaseTX
 3/28                      notconnect 1          auto   auto  10/100BaseTX
 3/29                      connected  1          a-half a-10  10/100BaseTX
 3/30                      notconnect 1          auto   auto  10/100BaseTX
 3/31                      notconnect 1          auto   auto  10/100BaseTX
 3/32                      notconnect 1          auto   auto  10/100BaseTX
 3/33                      notconnect 1          auto   auto  10/100BaseTX
 3/34                      notconnect 1          auto   auto  10/100BaseTX
 3/35                      notconnect 1          auto   auto  10/100BaseTX
 3/36                      notconnect 1          auto   auto  10/100BaseTX
 3/37                      notconnect 1          auto   auto  10/100BaseTX
 3/38                      notconnect 1          auto   auto  10/100BaseTX
 3/39                      notconnect 1          auto   auto  10/100BaseTX
 3/40                      notconnect 1          auto   auto  10/100BaseTX
 3/41                      connected  1          a-full a-100 10/100BaseTX
 3/42                      connected  1          a-full a-100 10/100BaseTX
 3/43                      connected  1          a-full a-100 10/100BaseTX
 3/44                      connected  1          a-full a-100 10/100BaseTX
 3/45                      notconnect 1          auto   auto  10/100BaseTX
 3/46                      notconnect 1          auto   auto  10/100BaseTX
 3/47                      notconnect 1          auto   auto  10/100BaseTX
 3/48                      notconnect 1          auto   auto  10/100BaseTX
  9/1 TO_TUT_ON_FO         notconnect 1          full   1000  1000-LX/LH
  9/2 TO_TUT_ON_FO_STDBY   notconnect 1          full   1000  1000-LX/LH
  9/3 TO_COMN_ON_FO        disabled   1          full   1000  1000-LX/LH
  9/4 TO_COMN_ON_FO_STDBY  connected  trunk      full   1000  1000-LX/LH
  9/5 TO_LRTR_ON_FO        connected  trunk      full   1000  1000-LX/LH
  9/6 TO_LRTR_ON_FO_STDBY  disabled   1          full   1000  1000-LX/LH
  9/7 t_tut_on_fo          notconnect 1          full   1000  No Connector
  9/8 t_tut_on_fo_stdby    notconnect 1          full   1000  No Connector
 15/1                      connected  trunk      full   1000  Route Switch
 16/1                      connected  trunk      full   1000  Route Switch
106_6509_CAT_1>
106_6509_CAT_1>
106_6509_CAT_1> sh vtp statistics
VTP statistics:
summary advts received        4
subset advts received         0
request advts received        0
summary advts transmitted     9
subset advts transmitted      4
request advts transmitted     0
No of config revision errors  0
No of config digest errors    0

VTP pruning statistics:

Trunk    Join Transmitted Join Received Summary advts received from GVRP PDU
                                        non-pruning-capable device  Received
-------- ---------------- ------------- --------------------------- --------
 9/4     0                0             0                           0
 9/5     0                0             0                           0
15/1     0                0             0                           0
16/1     0                0             0                           0
106_6509_CAT_1>
106_6509_CAT_1>
106_6509_CAT_1>
106_6509_CAT_1> sh vtp domain
Version : running VTP1 (VTP3 capable)
Domain Name                      : 106         Password : not configured
Notifications                    : disabled    Updater ID: 10.200.10.253

Feature        Mode           Revision
-------------- -------------- -----------
VLAN           Server         66

Pruning                       : disabled
VLANs prune eligible          : 2-1000
106_6509_CAT_1>
106_6509_CAT_1> sh ver
WS-C6509 Software, Version NmpSW: 8.3(2)
Copyright (c) 1995-2004 by Cisco Systems
NMP S/W compiled on May 29 2004, 00:23:16

System Bootstrap Version: 7.1(1)

System Web Interface Version: Engine Version: 5.3.4
ADP Device: Cat6000
ADP Version: 6.0
ADK: 40

System Boot Image File is 'bootflash:cat6000-sup2cvk9.8-3-2.bin'
System Configuration register is 0x2102

Hardware Version: 3.0  Model: WS-C6509  Serial #: SAL0811WCZP

PS1  Module: WS-CAC-2500W    Serial #: ART0810E0A1
PS2  Module: WS-CAC-2500W    Serial #: ART0810E0A2

From peter at rathlev.dk Fri Nov 28 05:24:10 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 28 Nov 2008 11:24:10 +0100
Subject: [c-nsp] cisco6500-vlans missing
In-Reply-To: <20081128052658.12964.qmail@f4mail-234-242.rediffmail.com>
References: <20081128052658.12964.qmail@f4mail-234-242.rediffmail.com>
Message-ID: <1227867850.3785.2.camel@abehat>

On Fri, 2008-11-28 at 05:26 +0000, ambedkar wrote:
> 106_6509_CAT_1> sh vtp domain
> Version : running VTP1 (VTP3 capable)
> Domain Name : 106 Password : not
> configured
> Notifications: disabled Updater ID:
> 10.200.10.253

Who is 10.200.10.253? The device is running VTP, so if it has a VTP revision number lower than some other device on the network (client or server) it will have its VLAN database overwritten. When running VTP, make sure that the server(s) have the largest revision number and all the relevant VLANs.
Regards,
Peter

From vinzoda.hitesh at gmail.com Fri Nov 28 06:07:50 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Fri, 28 Nov 2008 03:07:50 -0800
Subject: [c-nsp] ASA AIP-SSM-10
In-Reply-To: <20081127135811.GZ21516@thot.informatik.uni-kl.de>
References: <20081126155807.GU21516@thot.informatik.uni-kl.de> <20081127135811.GZ21516@thot.informatik.uni-kl.de>

I'm through. Thanks Ronnie

On Thu, Nov 27, 2008 at 5:58 AM, Joerg Mayer wrote:
> On Thu, Nov 27, 2008 at 03:28:38AM -0800, Hitesh Vinzoda wrote:
> > Does that tftp server need to be of the same subnet for which I had one for
> > IPS or nothing to be done.
>
> That tftp-server can be any box reachable by IP (you can set a default-gw
> as well).
>
> The commands are:
>
> hw module 1 recover configure
> (then answer the questions about tftp-server, default-gw etc)
> debug module (just to have something to watch when running the next command :-)
> hw module 1 recover boot (this will actually *do* the recovery).
>
> Ciao
> Joerg
> --
> Joerg Mayer
> We are stuck with technology when what we really want is just stuff that
> works. Some say that should read Microsoft instead of technology.

From david.freedman at uk.clara.net Fri Nov 28 08:20:53 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Fri, 28 Nov 2008 13:20:53 +0000
Subject: [c-nsp] Service Policy per-class bandwidth graphing -- any tools available?

I wrote a simple perl script a while back to dynamically generate MRTG "configmaker" style files from routers using these OIDs, check out

http://www.convergence.cx/scripts/qosmaker.gz

Dave.

Eric Cables wrote:
> We have a number of large MQC policies, and I'd like to graph the
> throughput of each class, allowing us to pro-actively identify any
> classes that may be exceeding their allocated bandwidth.
>
> Are there any tools available that allow service policy bandwidth
> graphing, on a per-class basis (maybe a Cacti addon)?
>
> -- Eric Cables

From blahu77 at gmail.com Fri Nov 28 10:33:52 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Fri, 28 Nov 2008 15:33:52 +0000
Subject: [c-nsp] load balance between to EBGP peers
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50239E18F@xmb-ams-331.emea.cisco.com>
References: <67F7C1FAF83A074AA3520D8F155782A50239E18F@xmb-ams-331.emea.cisco.com>
Message-ID: <383357750811280733t7f4410b8id09f2f825f8a9fb4@mail.gmail.com>

Arie,

Is "maximum-path eibgp" a good command for this?

For multipath eibgp paths to be installed the AS-PATH should be the same (not only the length of the path vector - [http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094431.shtml#bgpmpath]). In the OP's scenario he has got INTERNET into a vrf, so AS-PATHs are almost always not the same (unless he is dual homed to the same provider).

Am I understanding this correctly?

Best Regards,
-mat

--
pgp-key 0x1C655CAB

From techconfig at yahoo.com Fri Nov 28 10:52:23 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Fri, 28 Nov 2008 07:52:23 -0800 (PST)
Subject: [c-nsp] Cisco 7600 vlan issue
Message-ID: <330568.38828.qm@web44809.mail.sp1.yahoo.com>

Hi
With my GSR, I can split traffic on separate physical interfaces, reusing the same vlan #, i.e.

interface GigabitEthernet0/0/6.2
 encapsulation dot1Q 2
 ip address 7.7.7.1 255.255.255.252
 no ip directed-broadcast
 no cdp enable
!
interface GigabitEthernet0/0/7.2
 encapsulation dot1Q 2
 ip address 8.8.8.1 255.255.255.252
 no ip directed-broadcast
 no cdp enable

However with a 7600, if I try to do the same I get the following error:

interface GigabitEthernet1/9.2
 encapsulation dot1Q 2
 ip address 3.3.3.1 255.255.255.252
 no cdp enable
!
7600(config)#interface GigabitEthernet1/10.2
7600(config-subif)# encapsulation dot1Q 2
Command rejected: VLAN 10 not available
7600(config-subif)#

Is there any way around this? I want the 7600 to act like a router, not a switch!

Regards
Mark

From achatz at forthnet.gr Fri Nov 28 11:01:53 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 28 Nov 2008 18:01:53 +0200
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <330568.38828.qm@web44809.mail.sp1.yahoo.com>
References: <330568.38828.qm@web44809.mail.sp1.yahoo.com>
Message-ID: <493015F1.8090901@forthnet.gr>

You're looking for "local VLAN significance".

You probably have to get one of the WAN-style (ES20/40 for sure, don't know for SIP/SPA) cards.

--
Tassos

Mark Tech wrote on 28/11/2008 17:52:
> Hi
> With my GSR, I can split traffic on separate physical interfaces, reusing the same vlan #, i.e.
>
> interface GigabitEthernet0/0/6.2
> encapsulation dot1Q 2
> ip address 7.7.7.1 255.255.255.252
> no ip directed-broadcast
> no cdp enable
> !
> interface GigabitEthernet0/0/7.2
> encapsulation dot1Q 2
> ip address 8.8.8.1 255.255.255.252
> no ip directed-broadcast
> no cdp enable
>
> However with a 7600, if I try to do the same I get the following error:
>
> interface GigabitEthernet1/9.2
> encapsulation dot1Q 2
> ip address 3.3.3.1 255.255.255.252
> no cdp enable
> !
> 7600(config)#interface GigabitEthernet1/10.2
> 7600(config-subif)# encapsulation dot1Q 2
> Command rejected: VLAN 10 not available
> 7600(config-subif)#
>
> Is there any way around this? I want the 7600 to act like a router, not a switch!
>
> Regards
>
> Mark

From achatz at forthnet.gr Fri Nov 28 11:07:29 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 28 Nov 2008 18:07:29 +0200
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <493015F1.8090901@forthnet.gr>
References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr>
Message-ID: <49301741.9050500@forthnet.gr>

Just to add (if I remember right) that ES and SRB didn't support local VLAN significance under single tagged subifs.
I haven't checked if SRD and/or ES+ solve this problem.

--
Tassos

Tassos Chatzithomaoglou wrote on 28/11/2008 18:01:
> You're looking for "local VLAN significance".
>
> You probably have to get one of the WAN-style (ES20/40 for sure, don't
> know for SIP/SPA) cards.
>
> --
> Tassos
>
> Mark Tech wrote on 28/11/2008 17:52:
>> Hi
>> With my GSR, I can split traffic on separate physical interfaces,
>> reusing the same vlan #, i.e.
>>
>> interface GigabitEthernet0/0/6.2
>> encapsulation dot1Q 2
>> ip address 7.7.7.1 255.255.255.252
>> no ip directed-broadcast
>> no cdp enable
>> !
>> interface GigabitEthernet0/0/7.2
>> encapsulation dot1Q 2
>> ip address 8.8.8.1 255.255.255.252
>> no ip directed-broadcast
>> no cdp enable
>>
>> However with a 7600, if I try to do the same I get the following error:
>>
>> interface GigabitEthernet1/9.2
>> encapsulation dot1Q 2
>> ip address 3.3.3.1 255.255.255.252
>> no cdp enable
>> !
>> 7600(config)#interface GigabitEthernet1/10.2
>> 7600(config-subif)# encapsulation dot1Q 2
>> Command rejected: VLAN 10 not available
>> 7600(config-subif)#
>>
>> Is there any way around this? I want the 7600 to act like a router, not
>> a switch!
>>
>> Regards
>>
>> Mark
>

From gert at greenie.muc.de Fri Nov 28 12:02:21 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 28 Nov 2008 18:02:21 +0100
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <330568.38828.qm@web44809.mail.sp1.yahoo.com>
References: <330568.38828.qm@web44809.mail.sp1.yahoo.com>
Message-ID: <20081128170220.GL8535@greenie.muc.de>

Hi,

On Fri, Nov 28, 2008 at 07:52:23AM -0800, Mark Tech wrote:
> Is there any way around this? I want the 7600 to act like a router, not a switch!

In that case, buy a router, not a switch...

The upside is that the 7600 can do proper ether channels - so if you just want to distribute traffic for the same VLAN over multiple GigEs, just do an etherchannel and configure the routing on an SVI interface (unlike the GSR which is severely limited on what features you can have on an etherchannel).

And yes, this is one of the most serious design limitations of the 6500/7600 - "global VLAN space" (with LAN interfaces). But it's a well-known and well-documented limitation, so usually people know in advance and can decide for themselves whether the tremendous price advantage of LAN cards is worth the associated restrictions.

Our decision was: "'real' router interfaces are waaaay too expensive", so we live with the restrictions and enjoy the sheer forwarding power :)

gert
--
USENET is *not* the non-clickable part of WWW!      //www.muc.de/~gert/
Gert Doering - Munich, Germany               gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From saku+cisco-nsp at ytti.fi Fri Nov 28 13:57:49 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Fri, 28 Nov 2008 20:57:49 +0200
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <49301741.9050500@forthnet.gr>
References: <330568.38828.qm@web44809.mail.sp1.yahoo.com> <493015F1.8090901@forthnet.gr> <49301741.9050500@forthnet.gr>
Message-ID: <20081128185748.GA19050@mx.ytti.net>

On (2008-11-28 18:07 +0200), Tassos Chatzithomaoglou wrote:
> Just to add (if I remember right) that ES and SRB didn't support local VLAN significance under single tagged subifs.
> I haven't checked if SRD and/or ES+ solve this problem.

ES+ does solve the issue indeed, but you're still limited to 4k VLANs. In ES cards you need to use EVC to terminate colliding VLANs. Cisco, please allow defining IP address directly under EVC, without requiring bridge-group. For setups where you always only terminate through one interface, switching is not needed and the additional configuration is undesired.

>
> --
> Tassos
>
> Tassos Chatzithomaoglou wrote on 28/11/2008 18:01:
>> You're looking for "local VLAN significance".
>>
>> You probably have to get one of the WAN-style (ES20/40 for sure, don't
>> know for SIP/SPA) cards.
>>
>> --
>> Tassos
>>
>> Mark Tech wrote on 28/11/2008 17:52:
>>> Hi
>>> With my GSR, I can split traffic on separate physical interfaces,
>>> reusing the same vlan #, i.e.
>>>
>>> interface GigabitEthernet0/0/6.2
>>> encapsulation dot1Q 2
>>> ip address 7.7.7.1 255.255.255.252
>>> no ip directed-broadcast
>>> no cdp enable
>>> !
>>> interface GigabitEthernet0/0/7.2
>>> encapsulation dot1Q 2
>>> ip address 8.8.8.1 255.255.255.252
>>> no ip directed-broadcast
>>> no cdp enable
>>>
>>> However with a 7600, if I try to do the same I get the following error:
>>>
>>> interface GigabitEthernet1/9.2
>>> encapsulation dot1Q 2
>>> ip address 3.3.3.1 255.255.255.252
>>> no cdp enable
>>> !
>>> 7600(config)#interface GigabitEthernet1/10.2
>>> 7600(config-subif)# encapsulation dot1Q 2
>>> Command rejected: VLAN 10 not available
>>> 7600(config-subif)#
>>>
>>> Is there any way around this? I want the 7600 to act like a router,
>>> not a switch!
>>>
>>> Regards
>>>
>>> Mark
>>

--
 ++ytti

From manafo at hotmail.com Fri Nov 28 14:24:38 2008
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Fri, 28 Nov 2008 21:24:38 +0200
Subject: [c-nsp] Configuring PVLAN Trunk Port?

Is there any way to configure private vlan on a trunk port? I've been searching for a way to use the private vlan on a dot1q port, but the command "switchport mode private-vlan trunk" is only supported on the Cisco Catalyst 4500 series. Why is it not supported on the Cisco ME3750 series switch, and what could be the replacement for this command in order to use it on the trunk port?
Manaf

From spinthiras.mario at gmail.com Fri Nov 28 16:32:48 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Fri, 28 Nov 2008 21:32:48 +0000
Subject: [c-nsp] cisco networking research
Message-ID: <4f890e580811281332k572bd10bs8ac428c1d1161d1a@mail.gmail.com>

Hello guys n gals,

Honestly, this is coffee number 4, and I hate decaf.

I have a proposal to write at uni and obviously I want it related to Cisco networking. I was thinking something on monitoring and management systems. Any ideas thrown at me are more than welcome.

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From rekordmeister at gmail.com Sun Nov 30 05:00:00 2008
From: rekordmeister at gmail.com (MKS)
Date: Sun, 30 Nov 2008 10:00:00 +0000
Subject: [c-nsp] ASR terminating PPPoE

Hi

Has anyone any experience using the ASR 100x as a BRAS, terminating PPPoE? Some traffic/sessions vs CPU load info would be great (on or off list). Cisco claims up to 32.000 sessions, does that hold?

Regards
MKS

From roddy.strachan at staff.netspace.net.au Sun Nov 30 07:23:18 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Sun, 30 Nov 2008 23:23:18 +1100
Subject: [c-nsp] ASR terminating PPPoE

Actually testing/implementing one now. In one test we had about 12-13000 sessions on it, CPU was about 12%. That was a rough figure...

On 30/11/08 9:00 PM, "MKS" wrote:
> Hi
>
> Has anyone any experience using the ASR 100x as a BRAS, terminating PPPoE?
> Some traffic/sessions vs CPU load info would be great (on or off list).
> Cisco claims up to 32.000 sessions, does that hold?
>
> Regards
> MKS

From matt at melbourne.org.uk Sun Nov 30 09:23:35 2008
From: matt at melbourne.org.uk (Matthew Melbourne)
Date: Sun, 30 Nov 2008 14:23:35 +0000 (GMT)
Subject: [c-nsp] Cisco 7600 vlan issue
Message-ID: <500660a858matt@melbourne.org.uk>

In article ,
>
> On Fri, Nov 28, 2008 at 07:52:23AM -0800, Mark Tech wrote:
> > Is there any way around this? I want the 7600 to act like a router, not
> > a switch!
>
> In that case, buy a router, not a switch...
>
> The upside is that the 7600 can do proper ether channels - so if you
> just want to distribute traffic for the same VLAN over multiple GigEs,
> just do an etherchannel and configure the routing on an SVI interface
> (unlike the GSR which is severely limited on what features you can have
> on an etherchannel).
>
> And yes, this is one of the most serious design limitations of the
> 6500/7600 - "global VLAN space" (with LAN interfaces). But it's a
> well-known and well-documented limitation, so usually people know in
> advance and can decide for themselves whether the tremendous price
> advantage of LAN cards is worth the associated restrictions.
>
> Our decision was: "'real' router interfaces are waaaay too expensive",
> so we live with the restrictions and enjoy the sheer forwarding power :)
>
> gert

Hi,

Can you point me in the direction of any "global VLAN space" documentation for the Catalyst 6500? This helps to explain why the same dot1q tag shouldn't be re-used on separate routed sub-interfaces. e.g.

interface FastEthernet4/1.100
 encapsulation dot1Q 100
 ip address 10.1.100.1 255.255.255.252
 ip vrf forwarding CUST1
!
interface FastEthernet4/1.101
 encapsulation dot1Q 101
 ip address 10.1.101.1 255.255.255.252
 ip vrf forwarding CUST2
!
!
interface FastEthernet4/2.100
 encapsulation dot1Q 100
 ip address 10.2.100.1 255.255.255.252
 ip vrf forwarding CUST1
!
interface FastEthernet4/2.101
 encapsulation dot1Q 101
 ip address 10.2.101.1 255.255.255.252
 ip vrf forwarding CUST2

I was hoping to re-use VLANs 100/101, as it looks like they should only be locally significant on the L3 trunk.

Cheers,
Matt

--
Matthew Melbourne

From justin at justinshore.com Sun Nov 30 11:33:02 2008
From: justin at justinshore.com (Justin Shore)
Date: Sun, 30 Nov 2008 10:33:02 -0600
Subject: [c-nsp] cisco networking research
In-Reply-To: <4f890e580811281332k572bd10bs8ac428c1d1161d1a@mail.gmail.com>
References: <4f890e580811281332k572bd10bs8ac428c1d1161d1a@mail.gmail.com>
Message-ID: <4932C03E.2050000@justinshore.com>

Mario Spinthiras wrote:
> Hello guys n gals,
>
> Honestly, this is coffee number 4, and I hate decaf.
>
> I have a proposal to write at uni and obviously I want it related to
> Cisco networking. I was thinking something on monitoring and
> management systems. Any ideas thrown at me are more than welcome.

When you say monitoring, are you referring to performance monitoring or security monitoring? If it's security monitoring then you should look at Cisco's MARS appliance.

http://www.cisco.com/en/US/products/ps6241/index.html

From gert at greenie.muc.de Sun Nov 30 13:24:02 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sun, 30 Nov 2008 19:24:02 +0100
Subject: [c-nsp] Cisco 7600 vlan issue
In-Reply-To: <500660a858matt@melbourne.org.uk>
References: <500660a858matt@melbourne.org.uk>
Message-ID: <20081130182402.GO8535@greenie.muc.de>

Hi,

On Sun, Nov 30, 2008 at 02:23:35PM +0000, Matthew Melbourne wrote:
> > And yes, this is one of the most serious design limitations of the
> > 6500/7600 - "global VLAN space" (with LAN interfaces).
> > But it's a
> > well-known and well-documented limitation, so usually people know in
> > advance and can decide for themselves whether the tremendous price
> > advantage of LAN cards is worth the associated restrictions.

> Can you point me in the direction of any "global VLAN space" documentation
> for the Catalyst 6500?

I can't point you to a given document on cisco.com. It has been mentioned a number of times on this mailing list, though.

It is easy to understand if you look at the way the "big catalyst boxes" are built (more prominent in the cat5000 series):

 - there's a layer2 switching engine
 - loosely coupled to that is a layer3 forwarding box
 - ports are put into a L2 VLAN
 - the L3 engine has a VLAN trunk into the L2 box of the switch, and
   this is used for routing between VLANs

on the 6500, you can have "no switchport" ports, which sort of hide this mechanics - but under the hood, the cat65 will allocate an internal VLAN, put the port in that VLAN (disable spanning tree and other switch things, though) and trunk it to the routing engine...

[Yes, this is simplifying things a lot, but the basic architecture works that way - and all the rest is "powerups" to improve throughput]

Some of the line cards have "more intelligence", like the SIP boards - those are, basically, a router-on-a-stick that taps into the switch fabric and has its own brains - so it doesn't know anything of the "switch VLAN" stuff, but can allocate dot1q tags on a per-port basis.

> This helps to explain why the same dot1q tag
> shouldn't be re-used on separate routed sub-interfaces.

Yep. Because it's a switch - and VLAN IDs are global.

[..]
> I was hoping to re-use VLANs 100/101, as it looks like they should only be
> locally significant on the L3 trunk

L3 "trunks" are an illusion, created for convenience.

gert
--
USENET is *not* the non-clickable part of WWW!      //www.muc.de/~gert/
Gert Doering - Munich, Germany               gert at greenie.muc.de
fax: +49-89-35655025              gert at net.informatik.tu-muenchen.de

From mm at math.pub.ro Sun Nov 30 13:32:39 2008
From: mm at math.pub.ro (mm-tech)
Date: Sun, 30 Nov 2008 20:32:39 +0200 (EET)
Subject: [c-nsp] bgp weird issue
Message-ID: <4812.79.118.191.156.1228069959.squirrel@ssl.math.pub.ro>

Hi guys,

I'm having this weird issue with BGP and I was wondering if you could help.

Topology:
- 2 x Cisco 1800 series routers, both connected to 2 different ISPs: Router1 -> ISPA and Router2 -> ISPB
- Router1 and Router2 are directly connected
- on Router1 receiving only the default route from ISPA
- on Router2 receiving customer routes from ISPB
- announcing a /23 address block through both ISPA and ISPB (91.195.X.X)

The connectivity with ISPA is being done using a /30 subnet (interconnected subnets): ISPA(172.28.164.17/30) -> router1(172.28.164.18/30). Also, I have a /29 public address space on router1 (62.217.X.X) routed through the /30 subnet. The default gw for Router1 received via eBGP is 62.217.w.w and I have added a static route for it:

ip route 62.217.w.w 255.255.255.255 172.28.164.17

That's how ISPA has its network configured and I cannot change anything.
The connectivity with ISPB is simple: only a /32 ip address on Router2: 89.149.X.X

BGP config Router1:

router bgp myASN
 no synchronization
 bgp router-id 62.217.X.X
 bgp log-neighbor-changes
 network 91.195.X.0 mask 255.255.254.0
 neighbor 62.217.X.X remote-as ASN_ISPA
 neighbor 62.217.X.X ebgp-multihop 8
 neighbor 62.217.X.X soft-reconfiguration inbound
 neighbor 62.217.X.X filter-list 10 out
 neighbor 91.195.y.1 remote-as myASN
 neighbor 91.195.y.1 next-hop-self
 no auto-summary

ip as-path access-list 10 permit ^$

BGP config Router2:

router bgp myASN
 no synchronization
 bgp router-id 89.149.X.X
 bgp log-neighbor-changes
 network 91.195.X.0 mask 255.255.254.0
 neighbor 89.149.X.X remote-as ASN_ISPB
 neighbor 89.149.X.X filter-list 10 out
 neighbor 91.195.z.1 remote-as myASN
 neighbor 91.195.z.1 next-hop-self
 no auto-summary

ip as-path access-list 10 permit ^$

The issue is after I configure the iBGP relationship between Router1 and Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It cannot be pinged anymore from outside. The 91.195.X.X/23 is announced correctly through both ISPs and any IP in this /23 subnet is pingable from outside. The only problem is with the 62.217.X.X/29 block that becomes unreachable after configuring the iBGP relationship and I don't understand why this is happening.

Sorry for the long post and I hope you'll give me some hints -:)

Thanks,
John

From jonas at bjorklund.cn Sun Nov 30 14:36:18 2008
From: jonas at bjorklund.cn (jonas at bjorklund.cn)
Date: Sun, 30 Nov 2008 20:36:18 +0100 (CET)
Subject: [c-nsp] Netflow for 6500?

Hello,

Which supervisors have support for Netflow on the 6500 series? SUP2? SUP32? SUP720?

/Jonas

From Joerg.Koelling at telefonica.de Sun Nov 30 15:26:06 2008
From: Joerg.Koelling at telefonica.de (Joerg.Koelling at telefonica.de)
Date: Sun, 30 Nov 2008 21:26:06 +0100
Subject: [c-nsp] Joerg Koelling is out of the office.

I will be out of the office from 30.11.2008.
I will return on 04.12.2008.
I will answer your message after my return.
In urgent cases please contact my deputy: Manuel.Meier at telefonica.de +49 5246 80 1369

From Reinhold.Fischer at gmx.net Sun Nov 30 15:42:00 2008
From: Reinhold.Fischer at gmx.net (Reinhold Fischer)
Date: Sun, 30 Nov 2008 21:42:00 +0100
Subject: [c-nsp] bgp weird issue
In-Reply-To: <4812.79.118.191.156.1228069959.squirrel@ssl.math.pub.ro>
References: <4812.79.118.191.156.1228069959.squirrel@ssl.math.pub.ro>
Message-ID: <20081130204200.GA29636@susi>

hi john,

is the /29 address-block assigned by ISPA and statically routed to you only by ISPA? Does the connectivity problem only exist from networks that you reach preferably through ISPB? If so, then could it be that ISPB has packet filters applied that drop packets with the source of the /29 network? To ISPB traffic from the /29 network looks like illegal traffic since the packets have a source IP other than the networks you announce with BGP.

regards

Reinhold

On Sun, Nov 30, 2008 at 08:32:39PM +0200, mm-tech wrote:
> Hi guys,
>
> I'm having this weird issue with BGP and I was wondering if you could help.
>
> Topology:
> - 2 x Cisco 1800 series routers, both connected to 2 different ISPs:
> Router1 -> ISPA and Router2 -> ISPB
> - Router1 and Router2 are directly connected
> - on Router1 receiving only the default route from ISPA
> - on Router2 receiving customer routes from ISPB
> - announcing a /23 address block through both ISPA and ISPB (91.195.X.X)
>
> The connectivity with ISPA is being done using a /30 subnet
> (interconnected subnets): ISPA(172.28.164.17/30) ->
> router1(172.28.164.18/30). Also, I have a /29 public address space on
> router1 (62.217.X.X) routed through the /30 subnet.
> The default gw for
> Router1 received via eBGP is 62.217.w.w and I have added a static route
> for it:
> ip route 62.217.w.w 255.255.255.255 172.28.164.17
>
> That's how ISPA has its network configured and I cannot change anything.
>
> The connectivity with ISPB is simple: only a /32 ip address on Router2:
> 89.149.X.X
>
> BGP config Router1:
>
> router bgp myASN
>  no synchronization
>  bgp router-id 62.217.X.X
>  bgp log-neighbor-changes
>  network 91.195.X.0 mask 255.255.254.0
>  neighbor 62.217.X.X remote-as ASN_ISPA
>  neighbor 62.217.X.X ebgp-multihop 8
>  neighbor 62.217.X.X soft-reconfiguration inbound
>  neighbor 62.217.X.X filter-list 10 out
>  neighbor 91.195.y.1 remote-as myASN
>  neighbor 91.195.y.1 next-hop-self
>  no auto-summary
>
> ip as-path access-list 10 permit ^$
>
> BGP config Router2:
>
> router bgp myASN
>  no synchronization
>  bgp router-id 89.149.X.X
>  bgp log-neighbor-changes
>  network 91.195.X.0 mask 255.255.254.0
>  neighbor 89.149.X.X remote-as ASN_ISPB
>  neighbor 89.149.X.X filter-list 10 out
>  neighbor 91.195.z.1 remote-as myASN
>  neighbor 91.195.z.1 next-hop-self
>  no auto-summary
>
> ip as-path access-list 10 permit ^$
>
> The issue is after I configure the iBGP relationship between Router1 and
> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It
> cannot be pinged anymore from outside. The 91.195.X.X/23 is announced
> correctly through both ISPs and any IP in this /23 subnet is pingable from
> outside. The only problem is with the 62.217.X.X/29 block that becomes
> unreachable after configuring the iBGP relationship and I don't understand
> why this is happening.
>
> Sorry for the long post and I hope you'll give me some hints -:)
>
> Thanks,
> John

From mm at math.pub.ro Sun Nov 30 17:02:43 2008
From: mm at math.pub.ro (mm-tech)
Date: Mon, 1 Dec 2008 00:02:43 +0200 (EET)
Subject: [c-nsp] bgp weird issue
In-Reply-To: <20081130204200.GA29636@susi>
References: <4812.79.118.191.156.1228069959.squirrel@ssl.math.pub.ro> <20081130204200.GA29636@susi>
Message-ID: <1827.79.118.191.156.1228082563.squirrel@ssl.math.pub.ro>

> hi john,
>
> is the /29 address-block assigned by ISPA and statically routed to
> you only by ISPA?
> Does the connectivity problem only exist from networks that you reach
> preferably through ISPB?

Yes, the /29 block is assigned by ISPA from their address space and it's statically routed to me by them.
No, the connectivity issue occurs for both networks reachable through ISPA or ISPB.

> If so, then could it be that ISPB has packet filters applied
> that drop packets with the source of the /29 network? To ISPB traffic from
> the /29 network looks like illegal traffic since the packets have a source
> IP other than the networks you announce with BGP.

I don't think ISPB has any packet filters blocking my /29 subnet, because this /29 subnet is part of the whole ISPA address space, and ISPB has a route to this ISPA address space...

Thanks,
john

> regards
>
> Reinhold
>
> On Sun, Nov 30, 2008 at 08:32:39PM +0200, mm-tech wrote:
>> Hi guys,
>>
>> I'm having this weird issue with BGP and I was wondering if you could
>> help.
>>
>> Topology:
>> - 2 x Cisco 1800 series routers, both connected to 2 different ISPs:
>> Router1 -> ISPA and Router2 -> ISPB
>> - Router1 and Router2 are directly connected
>> - on Router1 receiving only the default route from ISPA
>> - on Router2 receiving customer routes from ISPB
>> - announcing a /23 address block through both ISPA and ISPB (91.195.X.X)
>>
>> The connectivity with ISPA is being done using a /30 subnet
>> (interconnected subnets): ISPA(172.28.164.17/30) ->
>> router1(172.28.164.18/30). Also, I have a /29 public address space on
>> router1 (62.217.X.X) routed through the /30 subnet. The default gw for
>> Router1 received via eBGP is 62.217.w.w and I have added a static route
>> for it:
>> ip route 62.217.w.w 255.255.255.255 172.28.164.17
>>
>> That's how ISPA has its network configured and I cannot change
>> anything.
>>
>> The connectivity with ISPB is simple: only a /32 ip address on Router2:
>> 89.149.X.X
>>
>> BGP config Router1:
>>
>> router bgp myASN
>>  no synchronization
>>  bgp router-id 62.217.X.X
>>  bgp log-neighbor-changes
>>  network 91.195.X.0 mask 255.255.254.0
>>  neighbor 62.217.X.X remote-as ASN_ISPA
>>  neighbor 62.217.X.X ebgp-multihop 8
>>  neighbor 62.217.X.X soft-reconfiguration inbound
>>  neighbor 62.217.X.X filter-list 10 out
>>  neighbor 91.195.y.1 remote-as myASN
>>  neighbor 91.195.y.1 next-hop-self
>>  no auto-summary
>>
>> ip as-path access-list 10 permit ^$
>>
>> BGP config Router2:
>>
>> router bgp myASN
>>  no synchronization
>>  bgp router-id 89.149.X.X
>>  bgp log-neighbor-changes
>>  network 91.195.X.0 mask 255.255.254.0
>>  neighbor 89.149.X.X remote-as ASN_ISPB
>>  neighbor 89.149.X.X filter-list 10 out
>>  neighbor 91.195.z.1 remote-as myASN
>>  neighbor 91.195.z.1 next-hop-self
>>  no auto-summary
>>
>> ip as-path access-list 10 permit ^$
>>
>> The issue is after I configure the iBGP relationship between Router1 and
>> Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It
>> cannot be pinged anymore from outside. The 91.195.X.X/23 is announced
>> correctly through both ISPs and any IP in this /23 subnet is pingable
>> from outside. The only problem is with the 62.217.X.X/29 block that becomes
>> unreachable after configuring the iBGP relationship and I don't
>> understand why this is happening.
>>
>> Sorry for the long post and I hope you'll give me some hints -:)
>>
>> Thanks,
>> John
>

From lists at hojmark.org Sun Nov 30 17:31:28 2008
From: lists at hojmark.org (Asbjorn Hojmark - Lists)
Date: Sun, 30 Nov 2008 23:31:28 +0100
Subject: [c-nsp] To OSR7609 or not to OSR7609?
Message-ID: <4A0995FD04B7479B934669112BFF72B9@hojmark.net>

> Any big drawbacks or negatives to this chassis?

It's dead. See http://tinyurl.com/5mv7fn

> We'd like to run them with SUP720-3BXL processors and 6548
> series Ethernet cards.

12.2 SR doesn't support the OSR 7609 chassis.
12.2 SXF does support it, but is no longer getting new features.
12.2 SXH and newer doesn't support that chassis either.

If you choose to buy it anyway and run SXF, keep in mind that you also need a WS-6509-NEB-UPGRD= (basically a new fan tray) to run it with a Sup720.

-A

From ras at e-gerbil.net Sun Nov 30 17:53:24 2008
From: ras at e-gerbil.net (Richard A Steenbergen)
Date: Sun, 30 Nov 2008 16:53:24 -0600
Subject: [c-nsp] To OSR7609 or not to OSR7609?
In-Reply-To: <4A0995FD04B7479B934669112BFF72B9@hojmark.net>
References: <4A0995FD04B7479B934669112BFF72B9@hojmark.net>
Message-ID: <20081130225324.GC72019@gerbil.cluepon.net>

On Sun, Nov 30, 2008 at 11:31:28PM +0100, Asbjorn Hojmark - Lists wrote:
> > Any big drawbacks or negatives to this chassis?
>
> It's dead.
See http://tinyurl.com/5mv7fn > > > We'd like to run them with SUP720-3BXL processors and 6548 > > series Ethernet cards. > > 12.2 SR doesn't support the OSR 7609 chassis. > 12.2 SXF does support it, but is no longer getting new features. > 12.2 SXH and newer doesn't support that chassis either. That isn't true. OSR is nothing more than an old product name for a 7609 chassis bundled with a SUP2/MSFC2. Cisco ditched this scheme when they started pushing the SUP720, in favor of just describing the chassis and sup with different part numbers. There is absolutely no such thing as an "OSR" chassis, a 7609 is a 7609 is a 7609. What you're actually refering to above is the SUP2/MSFC2 support, which has nothing to do with the chassis. After you replace the sup with a SUP720 or RSP720 it will run SR/SXH just fine. > If you chose to buy it anyway and run SXF, keep in mind that you > also need a WS-6509-NEB-UPGRD= (basically a new fan tray) to run > it with a Sup720. The two major caveats for putting SUP720 into an older chassis which originally shipped with SUP2's (and this applies to 6500 just the same) are: a) In the 09 you need a 2500W power supply (old 1300W's which were common with sup2's work work) b) You need to upgrade to a high speed fan tray (which goes by many different part numbers depending on the chassis, 6509-NEB-UPGRD is indeed the correct fan for the old classic 7609). After that, it will run whatever you'd like. 
-- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From jarruda-cnsp at jarruda.com Sun Nov 30 19:28:48 2008 From: jarruda-cnsp at jarruda.com (Julio Arruda) Date: Sun, 30 Nov 2008 19:28:48 -0500 Subject: [c-nsp] Cisco 7600 vlan issue In-Reply-To: <20081130182402.GO8535@greenie.muc.de> References: <500660a858matt@melbourne.org.uk> <20081130182402.GO8535@greenie.muc.de> Message-ID: <49332FC0.3000308@jarruda.com> Gert Doering wrote: > Hi, > > On Sun, Nov 30, 2008 at 02:23:35PM +0000, Matthew Melbourne wrote: >>> And yes, this is one of the most serious design limitations of the >>> 6500/7600 - "global VLAN space" (with LAN interfaces). But it's a >>> well-known and well-documented limitation, so usually people know in >>> advance and can decide for themselve whether the tremendous price >>> advantage of LAN cards is worth the associated restrictions. > >> Can you point me in the direction of any "global VLAN space" documentation >> for the Catalyst 6500? > > I can't point you to a given document on cisco.com. It has been mentioned > a number of times on this mailing list, though. > > It is easy to understand if you look at the way the "big catalyst boxes" > are built (more prominent in the cat5000 series): > > - there's a layer2 switching engine > - loosely coupled to that is a layer3 forwarding box > - ports are put into a L2 VLAN > - the L3 engine has a VLAN trunk into the L2 box of the switch, and > this is used for routing between VLANs > I was under impression the L3 forwarding and the L2 forwarding was done by the same engine, in the PFC card(s) ? and behind it, the EARL for the lookup and the rewriting of the header info (mac rewrite, dec ttl and goes on) ? 
That is how Nortel 8600 (and earlier gen, rapidcity-legacy) did the work, the same lookup engine would do l2 and l3, so I may be messing up things in my mind :-), in a little more distributed fashion (more like DFCs) > on the 6500, you can have "no switchport" ports, which sort of hide this > mechanics - but under the hood, the cat65 will allocate an internal VLAN, > put the port in that VLAN (disable spanning tree and other switch things, > though) and trunk it to the routing engine... > > [Yes, this is simplifying things a lot, but the basic architecture works > that way - and all the rest is "powerups" to improve throughput] > > > Some of the line cards have "more intelligence", like the SIP boards - those > are, basically, a router-on-a-stick that taps into the switch fabric and > has its own brains - so it doesn't know anything of the "switch VLAN" stuff, > but can allocate dot1q tags on a per-port basis. > > >> The helps to explain why the same dot1q tag >> shouldn't be re-used on separate routed sub-interfaces. > > Yep. Because it's a switch - and VLAN IDs are global. > > [..] >> I was hoping to re-use VLANs 100/101, as it looks like it should only be >> locally significant on the L3 trunk > > L3 "trunks" are an illusion, created for convenience. > > gert > > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mksmith at adhost.com Sun Nov 30 19:54:01 2008 From: mksmith at adhost.com (Michael K. 
Smith) Date: Sun, 30 Nov 2008 16:54:01 -0800 Subject: [c-nsp] bgp weird issue In-Reply-To: <4812.79.118.191.156.1228069959.squirrel@ssl.math.pub.ro> Message-ID: Hello John: On 11/30/08 10:32 AM, "mm-tech" wrote: > The issue is after I configure the iBGP relationship between Router1 and > Router2: connectivity to the 62.217.X.X/29 subnet on Router1 is lost. It > cannot be pinged anymore from outside. The 91.195.X.X/23 is announced > correctly through both ISPs and any IP in this /23 subnet is pingable from > outside. They only problem is with the 62.217.X.X/29 block that becomes > unreachable after configuring the iBGP relationship and I don't understand > why this is happening. > > Sorry for the long post and I hope you'll give me some hints -:) > > Thanks, > John > How is the /29 configured on router 1? If it's being statically routed from your ISP, then you need to have it in your IGP somehow. Something simple would be: Interface x/x Ip address 62.217.x.x 255.255.255.248 Router ospf 10 Redistribute connected subnets More information is needed, I'm afraid. Regards, Mike From chale99 at gmail.com Sun Nov 30 20:11:58 2008 From: chale99 at gmail.com (Chris Hale) Date: Sun, 30 Nov 2008 20:11:58 -0500 Subject: [c-nsp] To OSR7609 or not to OSR7609? In-Reply-To: <4A0995FD04B7479B934669112BFF72B9@hojmark.net> References: <4A0995FD04B7479B934669112BFF72B9@hojmark.net> Message-ID: On Sun, Nov 30, 2008 at 5:31 PM, Asbjorn Hojmark - Lists wrote: > > Any big drawbacks or negatives to this chassis? > > It's dead. See http://tinyurl.com/5mv7fn Yes, I saw that, but then look at this: http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/product_data_sheet09186a0080159856.html Specifically, look at Table 5 for Compatibility: Product Specifications Chassis Compatibility ? Cisco 6503, 6503-E, 6404-E, 6506, 6506-E, 6509, 6509-E, 6509-NEB, 6509-NEB-A, 6513 ? Cisco 7603, 7606, OSR-7609, 7609, 7613 Fan Tray and Power Supply Required ? High speed fan ? 
2500W AC or DC So while I may need to upgrade the fan tray, everything I've read and been told so far shows me I'm ok. If you can think of anything specific such as what you mention with the software (and is that only for the Sup2)? Thanks, Chris > > > > We'd like to run them with SUP720-3BXL processors and 6548 > > series Ethernet cards. > > 12.2 SR doesn't support the OSR 7609 chassis. > 12.2 SXF does support it, but is no longer getting new features. > 12.2 SXH and newer doesn't support that chassis either. > > If you chose to buy it anyway and run SXF, keep in mind that you > also need a WS-6509-NEB-UPGRD= (basically a new fan tray) to run > it with a Sup720. > > -A > > -- ------------------ Chris Hale chale99 at gmail.com From frnkblk at iname.com Sun Nov 30 21:54:17 2008 From: frnkblk at iname.com (Frank Bulk) Date: Sun, 30 Nov 2008 20:54:17 -0600 Subject: [c-nsp] ASR terminating PPPoE In-Reply-To: References: Message-ID: I know of a neighboring telco doing the same thing, but I was surprised they bought an ASR because they have less than 2000 subscribers. Can anyone comment on cost/session and when an ASR1000 has a better price point than a Cisco 7206VXR with a G2? Frank -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roddy Strachan Sent: Sunday, November 30, 2008 6:23 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] ASR terminating PPPoE Actually testing/implementing one now. One test we had about 12-13000 sessions on it, CPU was about 12% That was a rough figure... On 30/11/08 9:00 PM, "MKS" wrote: > Hi > > Has anyone any experience using the ASR 100x as a bras, terminating pppoe. > Some traffic/sessions vs CPU load info would be great (on or off list) > Cisco clams up to 32.000 session, does that hold? 
> > Regards > MKS > This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/
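For the "bgp weird issue" thread earlier in this digest (John's Router1 config and Mike's reply that the /29 has to be in the IGP), here is an added config-audit example; it is not code from the thread or from any of the posters. It parses a minimal IOS-style configuration and lists every directly connected prefix that no BGP `network` statement covers, no OSPF `network ... area` statement matches, and no `redistribute connected` picks up, which is the situation of the poster's /29 once traffic has to cross the iBGP peer. The configuration text, interface names, AS numbers and RFC 5737 addresses are all constructed for the example; only the `network`, `ip address`, `router ospf`/`router bgp` and `redistribute connected` statements are understood.

```python
"""Which locally configured prefixes does a router actually carry into BGP
or its IGP?  Added example for the "bgp weird issue" thread; constructed
configuration with RFC 5737 / RFC 1918 addresses, not the poster's."""
import ipaddress
import re

# Constructed stand-in for the poster's Router1: a public /29 on an
# interface, the customer block originated into BGP, and no IGP at all.
ROUTER1_BEFORE = """\
interface FastEthernet0/0
 description /30 link to ISPA
 ip address 172.28.164.18 255.255.255.252
interface FastEthernet0/1
 description public /29 that ISPA routes statically towards us
 ip address 192.0.2.1 255.255.255.248
interface FastEthernet1/0
 description the block announced to both ISPs (a /24 here, not a /23)
 ip address 203.0.113.1 255.255.255.0
router bgp 64500
 no synchronization
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64496
 neighbor 10.0.0.2 remote-as 64500
 neighbor 10.0.0.2 next-hop-self
 no auto-summary
"""

# The fix suggested in the reply: redistribute connected subnets into OSPF.
ROUTER1_REDISTRIBUTE = ROUTER1_BEFORE + """\
router ospf 10
 redistribute connected subnets
"""

# Alternative: put only the /29 interface into OSPF with a network statement.
ROUTER1_OSPF_NETWORK = ROUTER1_BEFORE + """\
router ospf 10
 network 192.0.2.0 0.0.0.7 area 0
"""


def parse_config(text):
    """Return (connected, bgp_nets, igp_nets, redistribute_connected)."""
    connected, bgp_nets, igp_nets = [], [], []
    redistribute_connected = False
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("interface "):
            section = "interface"
        elif line.startswith("router bgp "):
            section = "bgp"
        elif line.startswith("router ospf "):
            section = "ospf"
        elif section == "interface" and line.startswith("ip address "):
            parts = line.split()          # ip address A.B.C.D M.M.M.M [secondary]
            connected.append(ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network)
        elif section == "bgp":
            m = re.match(r"network (\S+) mask (\S+)$", line)
            if m:
                bgp_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            elif line.startswith("redistribute connected"):
                redistribute_connected = True
        elif section == "ospf":
            m = re.match(r"network (\S+) (\S+) area", line)
            if m:
                # OSPF network statements carry a wildcard mask; a contiguous
                # wildcard is assumed so it can be turned into a prefix length.
                wildcard = int(ipaddress.ip_address(m.group(2)))
                prefixlen = 32 - bin(wildcard).count("1")
                igp_nets.append(ipaddress.ip_network(f"{m.group(1)}/{prefixlen}", strict=False))
            elif line.startswith("redistribute connected"):
                redistribute_connected = True
    return connected, bgp_nets, igp_nets, redistribute_connected


def uncarried_prefixes(text):
    """Connected prefixes that neither BGP nor the IGP carries, as strings."""
    connected, bgp_nets, igp_nets, redistribute_connected = parse_config(text)
    if redistribute_connected:
        return []                     # everything connected is exported
    carried = bgp_nets + igp_nets
    return [str(p) for p in connected if not any(p.subnet_of(c) for c in carried)]


if __name__ == "__main__":
    for name, cfg in [("before", ROUTER1_BEFORE),
                      ("redistribute connected", ROUTER1_REDISTRIBUTE),
                      ("ospf network", ROUTER1_OSPF_NETWORK)]:
        print(f"{name}: not carried by BGP or IGP -> {uncarried_prefixes(cfg)}")
```

On the "before" configuration the audit flags both the /29 and the /30 link subnet; the link belongs to the ISP and can be ignored, but the /29 is the prefix the poster lost. With `redistribute connected subnets` nothing is flagged, and with the narrower `network 192.0.2.0 0.0.0.7 area 0` only the link remains. The check deliberately says nothing about why iBGP changed the forwarding path; it only shows which of the router's own prefixes no routing protocol knows about, which is the first thing to establish before chasing next-hop behaviour.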
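For the "Cisco 7600 vlan issue" thread above (Gert's description of the global VLAN space, the internal VLAN taken by a `no switchport` port, and SIP cards keeping dot1q tags per port), here is an added model of that constraint; it is not code from the thread or from Cisco. It treats the chassis as a single pool of VLAN IDs 1-4094 shared by L2 VLANs, routed dot1q subinterfaces on LAN cards and the hidden internal VLANs of routed ports, while SIP-style ports get a tag space of their own. The class and method names, the port names, and the allocation policy for internal VLANs (highest free ID first) are constructed for the example and are not how IOS actually allocates.

```python
"""Model of the Catalyst 6500/7600 global VLAN space described in the
thread.  Added example, not the platform's real allocator."""


class VlanConflict(Exception):
    """Raised when a VLAN ID or tag is already in use where it must be unique."""


class GlobalVlanSpace:
    """One VLAN ID pool for the whole chassis (LAN cards and routed ports)."""

    def __init__(self):
        self.holders = {}      # vlan id -> what occupies it
        self.sip_tags = {}     # SIP port -> tags used on that port only

    def _claim(self, vid, holder):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} outside 1-4094")
        if vid in self.holders:
            raise VlanConflict(
                f"VLAN {vid} already used by {self.holders[vid]}; cannot use it for {holder}")
        self.holders[vid] = holder
        return vid

    def add_l2_vlan(self, vid, name):
        return self._claim(vid, f"L2 VLAN '{name}'")

    def add_lan_subinterface(self, port, tag):
        """Routed dot1q subinterface on a LAN card: the tag is a global VLAN."""
        return self._claim(tag, f"{port}.{tag} (dot1q {tag})")

    def add_routed_port(self, port):
        """`no switchport`: the box takes an internal VLAN nobody configured.
        Highest-free-ID-first is an assumption for this model."""
        for vid in range(4094, 0, -1):
            if vid not in self.holders:
                self.holders[vid] = f"internal VLAN for routed port {port}"
                return vid
        raise VlanConflict("no free VLAN ID left for an internal VLAN")

    def add_sip_subinterface(self, port, tag):
        """SIP-style card: tags are significant per port; the pool is untouched."""
        used = self.sip_tags.setdefault(port, set())
        if tag in used:
            raise VlanConflict(f"tag {tag} already used on {port}")
        used.add(tag)
        return tag


def demo():
    """Replay the situation from the thread and report what the model allowed."""
    box = GlobalVlanSpace()
    box.add_l2_vlan(10, "servers")
    box.add_lan_subinterface("GigabitEthernet1/1", 100)   # first use of tag 100
    box.add_lan_subinterface("GigabitEthernet1/1", 101)
    internal = box.add_routed_port("GigabitEthernet1/2")  # consumes an ID silently
    try:
        box.add_lan_subinterface("GigabitEthernet1/3", 100)  # same tag, other LAN port
        reuse_on_lan = "allowed"
    except VlanConflict as e:
        reuse_on_lan = str(e)
    # Two SIP ports may carry the same tag: it is local to each port there.
    box.add_sip_subinterface("GigabitEthernet4/0/0", 100)
    box.add_sip_subinterface("GigabitEthernet4/0/1", 100)
    try:
        box.add_l2_vlan(internal, "storage")   # collides with the hidden internal VLAN
        internal_collision = "allowed"
    except VlanConflict as e:
        internal_collision = str(e)
    return {"internal_vlan": internal,
            "reuse_on_lan": reuse_on_lan,
            "internal_collision": internal_collision}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one Gert states: reusing VLAN 100 on a second routed LAN subinterface is refused because the tag is a chassis-wide VLAN, and an L2 VLAN can collide with an internal VLAN that never appeared in the configuration, while the same tag on two SIP ports is fine. Keeping such an inventory of who holds each ID is a cheap way to catch these collisions before they are pushed to a box.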