From lnarayanan.p at gmail.com Sat Nov 1 07:56:14 2008
From: lnarayanan.p at gmail.com (Lakshminarayanan P)
Date: Sat, 1 Nov 2008 17:26:14 +0530
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
Message-ID: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>

Hi All,

There is a requirement for me to pick up "device types" of Cisco devices using SNMP. Could somebody share an OID or direct me to the MIB file that can help me get this information?

For example, a 2811 polled with this OID should return a value which says that the device is a "Router".

While I understand that a lot of Cisco modular devices can act as a Switch / Router / Firewall / Load Balancer based on the modules installed and/or the IOS running, I just need to get the basic device type. As an example, a Catalyst 6500 chassis polled with this OID should return something like "Switch" regardless of the presence of a Firewall Services Module on it.

Is there such an Object?

Thanks in anticipation.....

Lakshminarayanan

From mussieg at comcast.net Sat Nov 1 08:34:23 2008
From: mussieg at comcast.net (mussieg at comcast.net)
Date: Sat, 01 Nov 2008 12:34:23 +0000
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
Message-ID: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>

I highly doubt you will find an OID that tells you if a device is a router or a switch. For a while now, Cisco has managed to merge the various functions (bridge, switch, router, etc.) into a single chassis. Your best bet might be to create your own mapping file and use the output of sysDescr.0 to determine which one is which.

-------------- Original message ----------------------
From: "Lakshminarayanan P"

> Hi All,
>
> There is a requirement for me to pick up "device types" of Cisco devices
> using SNMP. Could somebody share an OID or direct me to the MIB file that can
> help me get this information?
>
> For example, a 2811 polled with this OID should return a value which says
> that the device is a "Router".
>
> While I understand that a lot of Cisco modular devices can act as a Switch /
> Router / Firewall / Load Balancer based on the modules installed and/or the
> IOS running, I just need to get the basic device type. As an example, a
> Catalyst 6500 chassis polled with this OID should return something like
> "Switch" regardless of the presence of a Firewall Services Module on it.
>
> Is there such an Object?
>
> Thanks in anticipation.....
>
> Lakshminarayanan
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From adriankok2000 at yahoo.com.hk Sat Nov 1 07:51:51 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Sat, 1 Nov 2008 19:51:51 +0800 (CST)
Subject: [c-nsp] acces list help and best way to do acess-list
Message-ID: <676471.19513.qm@web33301.mail.mud.yahoo.com>

Hi

I have this original access-list in the running config:

access-list 20 deny 192.168.0.0
access-list 20 permit any
line vty 0 4
access-class 20 in

and want to change it to add log: "access-list 20 deny 192.168.0.0 0.0.0.255 log"

When I change
router(config)#access-list 20 deny 192.168.0.0 0.0.0.255 log
I realize it can't be changed and I have to use "no":
router(config)#no access-list 20 deny 192.168.0.0 0.0.0.255

When I use this command, I almost lost the connection from anywhere.

My questions

1/ How can I prevent it from happening?
2/ What is the best way to do the access-list in "line vty"?
3/ Is it good to use log in an access-list? Not sure whether the router is busy or not?
thank you

From networking.stuff at googlemail.com Sat Nov 1 09:46:53 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Sat, 1 Nov 2008 19:16:53 +0530
Subject: [c-nsp] 3750 Etherchannel loadbalnace
Message-ID: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>

Hi,

I have 3750 aggregation switches as the aggregation layer to connect 2 access routers to a core router. The 3750 runs an etherchannel to the core with 2 x 1 gig links.

I have the src-mac based load-balancing method in use on the 3750, and what I see is that the 3750 uses only one link of the etherchannel, so during testing, when I have total traffic coming in at more than 1 gig, I see drops....

Here are the details:

Mac addresses:
000d.edac.8900 - Access Router 1
0006.d61b.3c1a - Access Router r2
0015.c75d.d42c - Core router

sw1.LAB-3750G#show etherchannel summary | beg Group
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)         -        Gi2/0/1(P)   Gi2/0/4(P)
sw1.LAB-3750G#

sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac 000d.edac.8900 0015.c75d.d42c
Would select Gi2/0/1 of Po1

sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac 0006.d61b.3c1a 0015.c75d.d42c
Would select Gi2/0/1 of Po1

As per the above test, I see that the 3750 selects Gi2/0/1 for both source mac-addresses, and that's the reason I have only one link utilized..

Does somebody know the algorithm used by the 3750 for the above two source-mac addresses, and how it always selected gi2/0/1 and not the other link for the 2nd stream of traffic??

Unfortunately I can't do src-dst-ip based load balancing because the incoming traffic is MPLS labelled and the existing 3750 doesn't have the capability to understand MPLS, so it treats it as non-ip traffic..
Thanks in advance,
Chintan

From lee.e.rian at census.gov Sat Nov 1 11:00:52 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:00:52 -0400
Subject: [c-nsp] acces list help and best way to do acess-list
In-Reply-To: <676471.19513.qm@web33301.mail.mud.yahoo.com>
References: <676471.19513.qm@web33301.mail.mud.yahoo.com>
Message-ID:

>1/ how can I prevent it happens?

line vty 0 4
no access-class 20 in

>2/ What is the best way to do the access-list in "line vty"?

How perfect can you be? If you aren't going to make any mistakes, create a file on a tftp server that has the

no access-list 20
access-list 20 ...
access-list 20 ...

and do a conf net to get the changes applied. If you make typos as often as I do, remove the access list from the vty, recreate the access list and, if there are no mistakes, reapply the access list:

line vty 0 4
no access-class 20 in
no access-list 20
access-list 20 ...
access-list 20 ...
line vty 0 4
access-class 20 in

Even better is using a different access list number. I don't bother for vtys, but on our ISP link I alternate between access list numbers:

no access-list 21
access-list 21 ...
access-list 21 ...
line vty 0 4
access-class 21 in

>3/ ls it good to use log in access-list?
>Not sure how router busy or not?

It is extra overhead... but it's also a real easy way to see what's being blocked. Just be sure that the console logging level is low enough so that stuff doesn't get logged to the console.
I like "no logging console" - but I watch the logs from a syslog server, so YMMV

Regards,
Lee

-----adrian kok wrote: -----
>Hi
>
>I have this original access-list in running config
>
>access-list 20 deny 192.168.0.0
>access-list 20 permit any
>line vty 0 4
>access-class 20 in
>
>and want to change to add log "access-list 20 deny
>192.168.0.0 0.0.0.255 log"
>
>When I change
>router(config)#access-list 20 deny 192.168.0.0
>0.0.0.255 log
>I realize it can't be changed and have to use "no"
>router(config)#no access-list 20 deny 192.168.0.0
>0.0.0.255
>
>When I use this command, I almost lost the connection
>from anywhere.
>
>My questions
>
>1/ how can I prevent it happens?
>
>2/ What is the best way to do the access-list in "line
>vty"?
>
>3/ Is it good to use log in access-list?
>Not sure how router busy or not?
>
>thank you

From lee.e.rian at census.gov Sat Nov 1 11:30:23 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:30:23 -0400
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
Message-ID:

-----mussieg wrote: -----
>I highly doubt you will find an OID that tells you if a device is
>router or a switch. For awhile now, Cisco has managed to merge the
>various functions (bridge, switch, router ..etc) into a single
>chassis. Your best bet might be to create your own mapping file and
>use the output of sysDescr.0 to determine which one is which ..

Especially considering his example was a Catalyst 6500 chassis. He'd have to distinguish switched/routed ports present or not...
I'm not at work, so I can't check, but the RFC1213 sysServices might show if the routing and/or bridging functionality is enabled:

sysServices OBJECT-TYPE
    SYNTAX  INTEGER (0..127)
    ACCESS  read-only
    STATUS  mandatory
    DESCRIPTION
            "A value which indicates the set of services that
            this entity primarily offers.

            The value is a sum.  This sum initially takes the
            value zero, Then, for each layer, L, in the range
            1 through 7, that this node performs transactions
            for, 2 raised to (L - 1) is added to the sum.  For
            example, a node which performs primarily routing
            functions would have a value of 4 (2^(3-1)).  In
            contrast, a node which is a host offering application
            services would have a value of 72 (2^(4-1) + 2^(7-1)).
            Note that in the context of the Internet suite of
            protocols, values should be calculated accordingly:

                 layer  functionality
                     1  physical (e.g., repeaters)
                     2  datalink/subnetwork (e.g., bridges)
                     3  internet (e.g., IP gateways)
                     4  end-to-end  (e.g., IP hosts)
                     7  applications (e.g., mail relays)

Lee

>
>-------------- Original message ----------------------
>From: "Lakshminarayanan P"
>> Hi All,
>>
>> There is a requirement for me to pick up "device types" of Cisco
>devices
>> using SNMP. Could somebody share a OID or direct me to the MIB file
>that can
>> help me get this information?
>>
>> For example, a 2811 polled with this OID should return a value
>which says
>> that the device is a "Router".
>>
>> While I understand that a lot of Cisco modular devices can act as a
>Switch /
>> Router / Firewall / Load Balancer based on the modules installed
>and/or the
>> IOS running, I just need to get the basic device type. As an
>example, a
>> Catalyst 6500 chassis polled with this OID should return something
>like
>> "Switch" regardless of the presence of a Firewall Services Module
>on it.
>>
>> Is there such an Object?
>>
>> Thanks in anticipation.....
>>
>> Lakshminarayanan

From ariev at vayner.net Sat Nov 1 11:37:59 2008
From: ariev at vayner.net (Arie Vayner)
Date: Sat, 1 Nov 2008 17:37:59 +0200
Subject: [c-nsp] 3750 Etherchannel loadbalnace
In-Reply-To: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>
References: <1e7e04890811010646q47502a97vdc23ecb8efd6fa66@mail.gmail.com>
Message-ID: <20b13c6b0811010837p601e8ae9x5aeb2635193e4f54@mail.gmail.com>

Chintan,

The switches use a hash function. This means that if you have only 2 MACs, there is a 50:50 chance that only one link would be used... If the number of MACs is higher, the chances get better.

One thing you could do is to split the traffic at the MPLS speaker's level by breaking the etherchannel and running 2 VLANs end to end (each on a single link). This would allow the MPLS hosts to make the load sharing decision...

Arie

On Sat, Nov 1, 2008 at 3:46 PM, Chintan Shah <networking.stuff at googlemail.com> wrote:

> Hi,
>
> I have 3750 aggregation switches as aggregation layer to connect 2 access
> router to Core router. 3750 runs e etherchannel from to Core with 2 1 gig
> link
>
> I have src-mac based loadbalanced method used in 3750 and what I see
> that 3750 use only one link part of ethrchannel so during test when i have
> total traffic comming more than 1gig , i see drops....
>
> Here are details :
>
> Mac address : 000d.edac.8900 -
> Access Router 1
>
> 0006.d61b.3c1a - Access Router r2
>
> 0015.c75d.d42c - Core router
>
> sw1.LAB-3750G#show etherchannel summary | beg Group
> Group Port-channel Protocol Ports
> ------+-------------+-----------+-----------------------------------------------
> 1 Po1(SU) - Gi2/0/1(P) Gi2/0/4(P)
> sw1.LAB-3750G#
>
> sw1.LAB-3750G#test etherchannel load-balance interface port-channel 1 mac
> 000d.edac.8900 0015.c75d.d42c
>
> Would select Gi2/0/1 of Po1
>
> sw1.LAB-3750G# test etherchannel load-balance interface port-channel 1 mac
> 0006.d61b.3c1a 0015.c75d.d42c
>
> Would select Gi2/0/1 of Po1
>
> As per above test, I see that 3750 select Gi2/0/1 for two source
> mac-address
> and that's reason i have only one link utilized..
>
> Does some body knows the algorithm used by 3750 for above two source-mac
> address and how did it select always gi2/0/1 not other link for 2nd stream
> of traffic ??
>
> Unfortunately I can't do src-dst-ip based loadbalnace becuase incomming
> traffic is MPLS labelled and existing 3750 doens't have capbility to
> understand MPLS so it takes as non-ip traffic..
>
> Thanks in advance,
> Chintan

From lee.e.rian at census.gov Sat Nov 1 11:57:09 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 11:57:09 -0400
Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
In-Reply-To: <02f701c93b88$0d3f67e0$27be37a0$@net>
References: <51636.47426.qm@web180013.mail.gq1.yahoo.com>, <02f701c93b88$0d3f67e0$27be37a0$@net>
Message-ID:

"mtu 1600" on the wan interface also works & doesn't require any changes on the lan interfaces :)

Lee

-----cisco-nsp-bounces at puck.nether.net wrote: -----
>To: "'Derick Winkworth'" , "'Rodney Dunn'"
>
>From: "Luan Nguyen"
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 02:39PM
>cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss"
>and crypto...
>
>The MSS tells the maximum data a host will accept in an TCP/IP
>datagram.
>Each side reports the value to the other side and the sending will
>abide by
>it. It's all before encryption.
>So typically like you said, people put ip tcp adjust-mss 1360 on the
>group
>member LAN interface and also set ip mtu 1400 on the WAN side hoping
>for
>PMTUD to work its magic.
>Putting both on the WAN interface should work as well, though, I
>don't quite
>understand the backside is MPLS statement :)...the packet has to be
>originated from somewhere.
>There's a very good paper here on Fragmentation
>http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3
>
>
>Luan Nguyen
>Chesapeake NetCraftsmen, LLC.
>www.NetCraftsmen.net
>
>(blog) http://ccie-security.blogspot.com/
>(e) luan at netcraftsmen.net
>(aim/yahoo): luancnc
>
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick
>Winkworth
>Sent: Friday, October 31, 2008 11:52 AM
>To: Rodney Dunn
>Cc: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Order-of-operations question about "adjust-mss" and
>crypto...
>
>If you apply the "ip tcp adjust-mss" command on an interface that has
>a
>crypto statement on it...
>
>Does it perform the MSS adjustment on outbound packets before they
>are
>encrypted?
>Does it perform the MSS adjustment on inbound packets after they are
>decrypted?
>
>I know that this is typically placed on a tunnel interface or, for
>instance,
>on an ethernet interface of a remote VPN site or something... but I
>have a
>case where we have many GET encryped sub-interfaces (each in their
>own VRF)
>which are the only logical IP interfaces on the box. The backside is
>MPLS
>so there is no place to put the statement there... so I was just
>going to
>apply it to the interfaces where the crypto maps are.. not sure if
>this will
>work.
>
>I'll probably have to lab it up I'm guessing.
>
>Derick

From lee.e.rian at census.gov Sat Nov 1 12:02:39 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 12:02:39 -0400
Subject: [c-nsp] ME Switch Managment over Trunk Interfaces?
In-Reply-To: <7A6C26B678F8EB48ADBA3A1C75FD250807115E@moe.pleasants.net>
References: <7A6C26B678F8EB48ADBA3A1C75FD250807115E@moe.pleasants.net>
Message-ID:

Have you tried it without the "switchport trunk native vlan 106"? If the other side is tagging everything..

Lee

-----cisco-nsp-bounces at puck.nether.net wrote: -----
>To:
>From: "cp"
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 01:06PM
>Subject: [c-nsp] ME Switch Managment over Trunk Interfaces?
>
>I'm new to Cisco ME switches, so please bear with my basic question.
>I am having a difficult time trying to manage the device over a trunk
>interface. It doesn't work. My management IP lives on a vlan
>interface.
>Below is my configuration. I tried vlan1 without luck too.
>Do I really
>have to burn a port for management? I'm probably missing something
>simple. Any assistance is appreciated.
>
>Thanks,
>
>Chip
>
>vlan 100-106
>
>interface GigabitEthernet0/1
>port-type nni
>switchport trunk native vlan 106
>switchport trunk allowed vlan 100-106
>switchport mode trunk
>
>interface Vlan106
>ip address 10.24.100.2 255.255.255.252

From peter at rathlev.dk Sat Nov 1 12:28:25 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 01 Nov 2008 17:28:25 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>
Message-ID: <1225556905.14164.19.camel@abehat>

On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
> Especially considering his example was a Catalyst 6500 chassis. He'd have
> to distinguish switched/routed ports present or not...
>
> I'm not a work, so I can't check, but the RFC1213 sysServices might show if
> the routing and/or bridging functionality is enabled:

I was thinking the same, but it doesn't seem very useful when trying it out. All the units I looked at were either "INTEGER: 6" (bridge and IP gateway) or "INTEGER: 78" (bridge, IP gateway, IP host and application host).

Among the former were:
- Small L3 switches (C3550s, C3560s and C3570s)
- A C7206 doing VRF Lite and L2L VPN, running 12.4(12) IP/IPSEC/3DES.
- Cat6500 Sup720s SXD acting as core routers (no MPLS).

Among the latter were:
- Cat 6500 Sup720s SXF acting as PEs.
- C7600 Sup7600 SRB acting as PEs.
- C2651XM 12.3(26), C2621 12.2(40) and C2801 12.4(19) doing DLSw and RTR
- C2511 running 12.1 and doing serial line muxing.

I can't seem to find a pattern that makes sense.
Regards,
Peter

From lee.e.rian at census.gov Sat Nov 1 12:46:43 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 12:46:43 -0400
Subject: [c-nsp] acess-list
In-Reply-To: <4909A926.2050801@templin.org>
References: <102009.40727.qm@web33303.mail.mud.yahoo.com> <4908D510.8080800@gmail.com> <1225369421.4523.13.camel@abehat>, <4909A926.2050801@templin.org>
Message-ID:

-----Pete Templin wrote: -----
>Peter Rathlev wrote:
>
>> The router allocates the VTY from 0 an onwards, so the first person
>> connecting gets VTY 0, next one VTY 1 and so on. There is practically no
>> security benifits in having different ACLs on different VTYs. It is
>> trivial for an attacker to starve e.g. VTY 0 - 4 so he can connect to
>> VTY 5. In my eyes: Always treat every VTY the same.
>
>What about the reverse logic, putting a tighter ACL on higher VTYs?
>I've heard of this as a safety valve: if too many connections are
>open
>to a router, the last few connections have to come from a key point.

Cisco gave us that recommendation a long time ago - allow only very limited access to vty 4. It came in quite handy the few times ciscoworks decided it **really** wanted to talk to some box and opened as many connections to it as possible ... and then kept them open :(

Lee

From karl.gaissmaier at uni-ulm.de Sat Nov 1 13:17:09 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Sat, 01 Nov 2008 18:17:09 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>
References: <84fa1a380811010456m36fb68fcv7579cffdeda17bb6@mail.gmail.com>
Message-ID: <490C8F15.2080809@uni-ulm.de>

Hello,

Lakshminarayanan P wrote:
> Hi All,
>
> There is a requirement for me to pick up "device types" of Cisco devices
> using SNMP. Could somebody share a OID or direct me to the MIB file that can
> help me get this information?
>
> For example, a 2811 polled with this OID should return a value which says
> that the device is a "Router".
>
> While I understand that a lot of Cisco modular devices can act as a Switch /
> Router / Firewall / Load Balancer based on the modules installed and/or the
> IOS running, I just need to get the basic device type. As an example, a
> Catalyst 6500 chassis polled with this OID should return something like
> "Switch" regardless of the presence of a Firewall Services Module on it.

If you only need to distinguish between a pure Layer 2 and a Layer 3 device, then you could use the following OID:

> ipForwarding OBJECT-TYPE
>     SYNTAX  INTEGER {
>                 forwarding(1),    -- acting as a gateway
>                 not-forwarding(2) -- NOT acting as a gateway
>             }
>     ACCESS  read-write
>     STATUS  mandatory
>     DESCRIPTION
>             "The indication of whether this entity is acting
>             as an IP gateway in respect to the forwarding of
>             datagrams received by, but not addressed to, this
>             entity.  IP gateways forward datagrams.  IP hosts
>             do not (except those source-routed via the host).
>
>             Note that for some managed nodes, this object may
>             take on only a subset of the values possible.
>             Accordingly, it is appropriate for an agent to
>             return a `badValue' response if a management
>             station attempts to change this object to an
>             inappropriate value."
>     ::= { ip 1 }

Example:

snmpget YOUR-SWITCH .1.3.6.1.2.1.4.1.0
IP-MIB::ipForwarding.0 = INTEGER: notForwarding(2)

snmpget YOUR-ROUTER .1.3.6.1.2.1.4.1.0
IP-MIB::ipForwarding.0 = INTEGER: forwarding(1)

Regards
Charly

From lee.e.rian at census.gov Sat Nov 1 14:24:41 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sat, 1 Nov 2008 14:24:41 -0400
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <1225556905.14164.19.camel@abehat>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> , <1225556905.14164.19.camel@abehat>
Message-ID:

-----Peter Rathlev wrote: -----
>On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
>> Especially considering his example was a Catalyst 6500 chassis. He'd have
>> to distinguish switched/routed ports present or not...
>>
>> I'm not a work, so I can't check, but the RFC1213 sysServices might show if
>> the routing and/or bridging functionality is enabled:
>
>
>I was thinking the same, but it doesn't seem very useful when trying
>it out. All the units I looked at was either
>
>"INTEGER: 6" (bridge and IP gateway) or
>"INTEGER: 78" (bridge, IP gateway, IP host and application host).

<.. snip ..>

Too bad Cisco says what the box *can* do instead of what it's actually doing. Maybe RFC1213 ipForwarding would work

ipForwarding OBJECT-TYPE
    SYNTAX  INTEGER {
                forwarding(1),    -- acting as a gateway
                not-forwarding(2) -- NOT acting as a gateway
            }

but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s (pure L2 switches) & I haven't been able to figure out yet how to tell them _not_ to play router. Only the directly connected router can talk to the sup32 if it's configured with a default gateway but no default route. Seems to me that you should only need a default route on something that's acting as a router.
(If it makes any difference, "no ip proxy-arp" is the standard here :)

So my guess is that they're going to say they're acting as a gateway even though I don't want them to play router, nor is there anything L3 configured on them beyond the management vlan IP address and syslog, tacacs, etc. server addresses.

Lee

From rakeshh at gmail.com Sat Nov 1 14:52:58 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Sat, 1 Nov 2008 13:52:58 -0500
Subject: [c-nsp] EoMPLS + Control word + Fragementation
Message-ID: <8a4649bb0811011152w60347e78ke3882b91e3f5ede8@mail.gmail.com>

Hi,

What criteria does a PE use to decide whether it wants to use a control word or not? I want to test if we can configure an ingress PE to fragment the L2 payload using a combination of the B & E bits and the sequence number fields inside the control word. Is it possible to force a Cisco PE to use/not use the control word? How can I configure the PE (Cisco box) to fragment the L2 payload when it's using a control word?

Regards,
Rakesh

From robert at tellurian.com Sat Nov 1 15:02:39 2008
From: robert at tellurian.com (Robert Boyle)
Date: Sat, 01 Nov 2008 15:02:39 -0400
Subject: [c-nsp] Lightstream Alternative
In-Reply-To:
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com>
Message-ID: <1225566160_64084@mail1.tellurian.net>

At 03:21 AM 10/31/2008, you wrote:
>I just need to switch pvc from one OC3/STM-1 to another and configure
>soft-vc's.

Have you tried L2TPv3? Quick, simple and it should do what you need. There is no ATM QOS or buffering, but you can shuttle packets from one port to another quite easily. We use it on 7200 series, but it is supposed to work on 7500, 10k, and 12k GSR stuff too. Depending on your exact config, you may need two boxes to make it work, with one OC3 on the first and the other OC3 on the second.

-Robert

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said."
- Benjamin Franklin

From dale.shaw+cisco-nsp at gmail.com Sat Nov 1 16:48:02 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Sat, 1 Nov 2008 13:48:02 -0700
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com>
Message-ID: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>

Hi all,

Here's the scenario:

- L2 switchport in cat3750 "up/up"
- No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no dynamic MAC address)
- Attached device not necessarily configured with an IP in the correct VLAN (mismatched with switchport) - endpoint IP configuration unknown

I haven't really given this much consideration, but does anyone know of any tricks, ideally executed _from_ the switch, to encourage the attached device to spit back a frame? Essentially I want/need to figure out what's attached. Even knowing the MAC vendor would help.

Other suggestions are welcome. I guess I could try things like a broadcast ping from a host in the same VLAN, make the port a trunk and madly ping sweep, but something more elegant would be nice.

A physical inspection, in this case, is not possible.
cheers,
Dale

From method at b.astral.ro Sat Nov 1 17:07:59 2008
From: method at b.astral.ro (Dan)
Date: Sat, 01 Nov 2008 23:07:59 +0200
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com>
Message-ID: <490CC52F.4020009@b.astral.ro>

Hi,

I would say set on the port:

port-security with mac-address sticky -> the first frame must have a src mac-address (or if there will be many you will have logs)
bpduguard enable -> if it's a switch (with spanning-tree enabled) you will have the port in err-disable

Any cdp info?

Dan

Dale Shaw wrote:
> Hi all,
>
> Here's the scenario:
>
> - L2 switchport in cat3750 "up/up"
> - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no
> dynamic MAC address)
> - Attached device not necessarily configured with an IP in the correct
> VLAN (mismatched with switchport) - endpoint IP configuration unknown
>
> I haven't really given this much consideration, but does anyone know
> of any tricks, ideally executed _from_ the switch, to encourage the
> attached device to spit back a frame? Essentially I want/need to
> figure out what's attached. Even knowing the MAC vendor would help.
>
> Other suggestions are welcome. I guess I could try things like a
> broadcast ping from a host in the same VLAN, make the port a trunk and
> madly ping sweep, but something more elegant would be nice.
>
> A physical inspection, in this case, is not possible.
>
> cheers,
> Dale

From karl.gaissmaier at uni-ulm.de Sat Nov 1 17:22:02 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Sat, 01 Nov 2008 22:22:02 +0100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To:
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> , <1225556905.14164.19.camel@abehat>
Message-ID: <490CC87A.20205@uni-ulm.de>

Hello,

...
>
> Maybe RFC1213 ipForwarding would work
>
> ipForwarding OBJECT-TYPE
>     SYNTAX  INTEGER {
>                 forwarding(1),    -- acting as a gateway
>                 not-forwarding(2) -- NOT acting as a gateway
>             }
>
> but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> (pure L2 switches) & I haven't been able to figure out yet how to tell them
...

then you need a workaround. I agree, it's a real hassle with Cisco not supporting the most needed standard MIBs like IP-FORWARD-MIB, Q-BRIDGE-MIB, LLDP-MIB, ... Shame on your head, Cisco!

Try the following OIDs with your boxes running different IOS versions to determine the number of routing entries:

- ipForwardNumber: .1.3.6.1.2.1.4.24.1 (obsolete) or
- ipCidrRouteNumber: .1.3.6.1.2.1.4.24.3 (deprecated) or
- inetCidrRouteNumber: .1.3.6.1.2.1.4.24.6 (current)

and if your Cisco boxes don't support any of these OIDs, you have to look at the routing protocol and the corresponding MIBs. If all your routers speak, for example, OSPF, then you can tell your bridges and switches apart with some OIDs in the OSPF-MIB.
Regards
Charly

From rakeshh at gmail.com Sat Nov 1 18:36:49 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Sat, 1 Nov 2008 17:36:49 -0500
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <490CC52F.4020009@b.astral.ro>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <490CC52F.4020009@b.astral.ro>
Message-ID: <8a4649bb0811011536w50a2f0a1l3bef3d805c120aff@mail.gmail.com>

As Dan said, I would also use port security to get the source mac. You can also enable bpduguard on the switch port just to make sure that you are not receiving any BPDUs. If the switch port is a trunk, you may want to enable port security for all vlans allowed on the trunk.

-Rakesh.

On Sat, Nov 1, 2008 at 4:07 PM, Dan wrote:

> Hi ,
>
> I would say set on port :
>
> port-security with mac-address sticky - > first frame must have a src
> mac-address ( or if there will be many you will have logs )
> bpduguard enable -> if it's a switch ( with spanning-tree enabled ) you
> will have the port on err-disable
> Any cdp info ?
>
> Dan
>
> Dale Shaw wrote:
>
>> Hi all,
>>
>> Here's the scenario:
>>
>> - L2 switchport in cat3750 "up/up"
>> - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no
>> dynamic MAC address)
>> - Attached device not necessarily configured with an IP in the correct
>> VLAN (mismatched with switchport) - endpoint IP configuration unknown
>>
>> I haven't really given this much consideration, but does anyone know
>> of any tricks, ideally executed _from_ the switch, to encourage the
>> attached device to spit back a frame? Essentially I want/need to
>> figure out what's attached. Even knowing the MAC vendor would help.
>>
>> Other suggestions are welcome. I guess I could try things like a
>> broadcast ping from a host in the same VLAN, make the port a trunk and
>> madly ping sweep, but something more elegant would be nice.
>> >> A physical inspection, in this case, is not possible. >> >> cheers, >> Dale >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From ltd at cisco.com Sat Nov 1 18:46:35 2008 From: ltd at cisco.com (Lincoln Dale) Date: Sun, 02 Nov 2008 09:46:35 +1100 Subject: [c-nsp] OID to pick up Device Type of Cisco devices In-Reply-To: <490CC87A.20205@uni-ulm.de> References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> , <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> Message-ID: <490CDC4B.2090802@cisco.com> Karl Gaissmaier wrote: >> Maybe RFC1213 ipForwarding would work >> >> ipForwarding OBJECT-TYPE >> SYNTAX INTEGER { >> forwarding(1), -- acting as a gateway >> not-forwarding(2) -- NOT acting as a gateway >> } >> >> but I kind of doubt it. We just got some SUP32s in to replace CatOS >> SUP2s >> (pure L2 switches) & I haven't been able to figure out yet how to >> tell them ipForwarding should work fine. it _should_ change behavior based on whether there are any L3 interfaces configured or not. the challenge is how to use this moving forward on Cisco platforms that have dedicated out-of-band management interfaces (e.g. Nexus platforms), because technically speaking, they ALWAYS have at L3 interface configured (mgmt0 out-of-band) which is L3 by definition because it exists in its own 'management' VRF). its one case where the MIB falls down & is showing its age. in the case of Nexus, we're thinking about 'lying' in the ipForwarding answer to exclude 'management VRF' but even so . . . cheers, lincoln. 
From blahu77 at gmail.com Sat Nov 1 19:01:02 2008 From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=) Date: Sat, 1 Nov 2008 23:01:02 +0000 Subject: [c-nsp] OID to pick up Device Type of Cisco devices In-Reply-To: <490CDC4B.2090802@cisco.com> References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com> Message-ID: <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com> 2008/11/1 Lincoln Dale : > Karl Gaissmaier wrote: >>> >>> Maybe RFC1213 ipForwarding would work >>> >>> ipForwarding OBJECT-TYPE >>> SYNTAX INTEGER { >>> forwarding(1), -- acting as a gateway >>> not-forwarding(2) -- NOT acting as a gateway >>> } >>> > the challenge is how to use this moving forward on Cisco platforms that have > dedicated out-of-band management interfaces (e.g. Nexus platforms), because > technically speaking, they ALWAYS have at L3 interface configured (mgmt0 > out-of-band) which is L3 by definition because it exists in its own > 'management' VRF). > its one case where the MIB falls down & is showing its age. > in the case of Nexus, we're thinking about 'lying' in the ipForwarding > answer to exclude 'management VRF' but even so . . . does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwading? I understand that it should be 0 as it is a host, not a gateway, shouldn't it? 
-- -mat

From ltd at cisco.com Sat Nov 1 19:08:02 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Sun, 02 Nov 2008 10:08:02 +1100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com> <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com>
Message-ID: <490CE152.40705@cisco.com>

Mateusz Błaszczyk wrote:
>> the challenge is how to use this moving forward on Cisco platforms that have
>> dedicated out-of-band management interfaces (e.g. Nexus platforms), because
>> technically speaking, they ALWAYS have at L3 interface configured (mgmt0
>> out-of-band) which is L3 by definition because it exists in its own
>> 'management' VRF).
>> its one case where the MIB falls down & is showing its age.
>> in the case of Nexus, we're thinking about 'lying' in the ipForwarding
>> answer to exclude 'management VRF' but even so . . .
>>
>
> does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwading?
> I understand that it should be 0 as it is a host, not a gateway, shouldn't it?
>
>

IP-MIB::ipForwarding is not a per-VRF MIB. as such, i don't think your question makes sense.

cheers, lincoln.
From blahu77 at gmail.com Sat Nov 1 19:47:45 2008
From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=)
Date: Sat, 1 Nov 2008 23:47:45 +0000
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CE152.40705@cisco.com>
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net> <1225556905.14164.19.camel@abehat> <490CC87A.20205@uni-ulm.de> <490CDC4B.2090802@cisco.com> <383357750811011601k3628dbe4lae75c7d6fd380864@mail.gmail.com> <490CE152.40705@cisco.com>
Message-ID: <383357750811011647m21b0a04h924be25dab1b9b38@mail.gmail.com>

>> does it mean that the value of nexus' mgmt VRF is 0 or 1 for ipForwading?
>> I understand that it should be 0 as it is a host, not a gateway,
>> shouldn't it?
>>
> IP-MIB::ipForwarding is not a per-VRF MIB.
> as such, i don't think your question makes sense.
>

true, my bad.

-- -mat

From axhasan at gmail.com Sat Nov 1 22:34:09 2008
From: axhasan at gmail.com (Asad Hasan)
Date: Sat, 1 Nov 2008 22:34:09 -0400
Subject: [c-nsp] Monitoring Routing Table
Message-ID: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com>

Is there an OID that can pull back the number of routes within the routing table? An OID which can generate results such as 'show ip ro summ'. I found OID 1.3.6.1.2.1.4.21.1.1 and 1.3.6.1.2.1.4.21.1.9 (IpRouteTable and IpRouteProto), but this pulls back every routing entry. Also, is there an OID that can pull back similar information for a VRF? Right now we are not summarizing any of our routes. I'm planning to implement OSPF summarization and my goal is to see how much the routing table has been reduced and also start graphing the routing table information. Thanks in advance.
Asad From dentonj at gmail.com Sun Nov 2 01:20:21 2008 From: dentonj at gmail.com (Jeffrey Denton) Date: Sun, 2 Nov 2008 06:20:21 +0100 Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch In-Reply-To: <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> Message-ID: <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> On Sat, Nov 1, 2008 at 9:48 PM, Dale Shaw wrote: > Hi all, > > Here's the scenario: > > - L2 switchport in cat3750 "up/up" > - No MAC learnt on the interface ("sh mac-addr int gi1/0/4" shows no > dynamic MAC address) > - Attached device not necessarily configured with an IP in the correct > VLAN (mismatched with switchport) - endpoint IP configuration unknown > > I haven't really given this much consideration, but does anyone know > of any tricks, ideally executed _from_ the switch, to encourage the > attached device to spit back a frame? Essentially I want/need to > figure out what's attached. Even knowing the MAC vendor would help. > > Other suggestions are welcome. I guess I could try things like a > broadcast ping from a host in the same VLAN, make the port a trunk and > madly ping sweep, but something more elegant would be nice. > > A physical inspection, in this case, is not possible. Nothing elegant... You could always shutdown the port and wait for someone to complain. If it's not randomly generating traffic, then it's not a windows box. Switches tend to be noisy with layer 2 protocols. Firewall or UNIX/Linux based system? Does the duplex and speed show up as auto-negotiated (a-full, a-100)? You could try "no switchport" and the "ip add dhcp" on the interface to see if you can generate a response that way. Set an IP on the interface so that you can "ping 192.168.1.255 source ...". Pinging broadcast addresses might speed up the process. 
Setting up a SPAN or RSPAN might help you capture some traffic. "test cable-diagnostics tdr interface ..." would at least tell you how long the cable is. Setup the port as a trunk or port-channel or .... with auto-negotiation and see what happens. Set the switch up as a management cluster and then run "show cluster members". Use the other suggestions.... From dentonj at gmail.com Sun Nov 2 01:23:48 2008 From: dentonj at gmail.com (Jeffrey Denton) Date: Sun, 2 Nov 2008 06:23:48 +0100 Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch In-Reply-To: <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> Message-ID: <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> On Sun, Nov 2, 2008 at 6:20 AM, Jeffrey Denton wrote: > > Nothing elegant... > > You could always shutdown the port and wait for someone to complain. > > If it's not randomly generating traffic, then it's not a windows box. > Switches tend to be noisy with layer 2 protocols. Firewall or > UNIX/Linux based system? Does the duplex and speed show up as > auto-negotiated (a-full, a-100)? > > You could try "no switchport" and the "ip add dhcp" on the interface > to see if you can generate a response that way. Set an IP on the > interface so that you can "ping 192.168.1.255 source ...". Pinging > broadcast addresses might speed up the process. > > Setting up a SPAN or RSPAN might help you capture some traffic. > > "test cable-diagnostics tdr interface ..." would at least tell you how > long the cable is. > > Setup the port as a trunk or port-channel or .... with > auto-negotiation and see what happens. > > Set the switch up as a management cluster and then run "show cluster members". > > Use the other suggestions.... > SNMP sweeps.... 
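As an added example (not code from any of the list posts), a small Python probe that combines the SNMP suggestions made earlier in this thread: Lincoln's ipForwarding test, Karl's three route-count objects tried in order, and, when none of them exists on the agent, counting rows of the ipRouteTable that Asad mentions. It runs offline against constructed fake agents; the net-snmp getter and the few_routes threshold are this example's own assumptions.

```python
"""Classify a Cisco box as "router" or "switch" from the SNMP objects discussed in the thread.

Added example, not code from the list posts. Assumptions: net-snmp's snmpget/snmpwalk are
installed for live use; the few_routes cross-check is this example's own heuristic.
"""
import subprocess
from typing import Callable, Dict, List, Optional

# Scalar instances (".0") of the objects named in the thread.
IP_FORWARDING = ".1.3.6.1.2.1.4.1.0"        # RFC1213 ipForwarding: 1=forwarding, 2=not-forwarding
ROUTE_COUNT_OIDS = [                          # Karl's list, most current object tried first
    (".1.3.6.1.2.1.4.24.6.0", "inetCidrRouteNumber"),   # current
    (".1.3.6.1.2.1.4.24.3.0", "ipCidrRouteNumber"),     # deprecated
    (".1.3.6.1.2.1.4.24.1.0", "ipForwardNumber"),       # obsolete
]
IP_ROUTE_DEST = ".1.3.6.1.2.1.4.21.1.1"       # ipRouteTable column Asad walked; one row per route

Getter = Callable[[str], Optional[str]]       # scalar GET: raw value text, or None if the agent lacks it
Walker = Callable[[str], List[str]]           # subtree WALK: one raw value per instance


def _as_int(raw: Optional[str]) -> Optional[int]:
    """net-snmp prints e.g. 'Gauge32: 7312' or bare '2'; a non-numeric reply (noSuchObject) counts as absent."""
    if raw is None or not raw.strip():
        return None
    token = raw.strip().split()[-1]
    return int(token) if token.isdigit() else None


def route_count(get: Getter, walk: Walker) -> Dict[str, Optional[object]]:
    """Try the summary counters in order; fall back to counting ipRouteTable rows when none exists."""
    for oid, name in ROUTE_COUNT_OIDS:
        value = _as_int(get(oid))
        if value is not None:
            return {"routes": value, "source": name}
    rows = walk(IP_ROUTE_DEST)
    if rows:
        return {"routes": len(rows), "source": "ipRouteTable walk"}
    return {"routes": None, "source": None}


def classify(get: Getter, walk: Walker, few_routes: int = 8) -> Dict[str, object]:
    """ipForwarding decides router vs switch; the route count cross-checks it.

    few_routes is this example's heuristic threshold (assumption): a box that claims to forward
    but holds only a handful of routes is flagged, since, as Lincoln notes, a Nexus with nothing
    but its mgmt0 interface still answers forwarding(1).
    """
    fwd = _as_int(get(IP_FORWARDING))
    rc = route_count(get, walk)
    verdict = {1: "router", 2: "switch"}.get(fwd, "unknown")
    suspicious = fwd == 1 and rc["routes"] is not None and rc["routes"] <= few_routes
    return {"ipForwarding": fwd, "verdict": verdict, "suspicious": suspicious, **rc}


def netsnmp_agent(host: str, community: str):
    """Live getter/walker pair built on net-snmp (assumed installed): numeric OIDs, bare values."""
    base = ["-v2c", "-c", community, "-On", "-Oqv", host]

    def get(oid: str) -> Optional[str]:
        out = subprocess.run(["snmpget"] + base + [oid], capture_output=True, text=True)
        return out.stdout if out.returncode == 0 else None

    def walk(oid: str) -> List[str]:
        out = subprocess.run(["snmpwalk"] + base + [oid], capture_output=True, text=True)
        return [l for l in out.stdout.splitlines() if l.strip()] if out.returncode == 0 else []

    return get, walk


def fake_agent(scalars: Dict[str, str], table: Dict[str, List[str]]):
    """Constructed stand-in agent for offline use: scalars map OID -> value text, table maps subtree -> rows."""
    return (lambda oid: scalars.get(oid)), (lambda oid: table.get(oid, []))


# Constructed sample boxes (not real devices): an IOS router that lacks the current counter,
# a pure L2 switch with none of the counters and only a tiny ipRouteTable,
# and a Nexus-like box that forwards but carries just a management route or two.
ROUTER_2811 = fake_agent({IP_FORWARDING: "1", ".1.3.6.1.2.1.4.24.3.0": "Gauge32: 7312"}, {})
L2_SWITCH = fake_agent({IP_FORWARDING: "2"}, {IP_ROUTE_DEST: ["0.0.0.0", "10.1.1.0", "127.0.0.0"]})
NEXUS_MGMT_ONLY = fake_agent({IP_FORWARDING: "1", ".1.3.6.1.2.1.4.24.6.0": "2"}, {})

if __name__ == "__main__":
    for label, (get, walk) in (("2811", ROUTER_2811), ("l2", L2_SWITCH), ("nexus", NEXUS_MGMT_ONLY)):
        print(label, classify(get, walk))
```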
From kiwi at oav.net Sun Nov 2 03:32:36 2008
From: kiwi at oav.net (Xavier Beaudouin)
Date: Sun, 2 Nov 2008 09:32:36 +0100
Subject: [c-nsp] Cisco 3550 + BGP
In-Reply-To: <87iqrdgjj9.fsf@clarabella.noc.seabone.net>
References: <4906C4D2.50204@fnbs.net> <87iqrdgjj9.fsf@clarabella.noc.seabone.net>
Message-ID: <2C770C78-4F18-47A6-BE91-2F9D8E8137BB@oav.net>

Hello,

On 28 Oct 2008 at 10:23, Pierfrancesco Caci wrote:
> :-> "Nimal" == Nimal David Sirimanne writes:
>
>> Anyone have any experience running BGP on Cisco 3550 platforms? Any
>> idea how many BGP routes it can handle?
>
> last I tried (some 3 years ago) it died with about 7000 routes.
>
> died = cpu 100%, packet loss, black holes eating traffic and the
> datacenter surrounding it...

Hum, I run a couple of them for IX stuff... With a sdm prefer routing, you can handle :

sh sdm prefer
The current template is the routing template.
The selected template optimizes the resources in the switch to support this level of features for 8 routed interfaces and 1K VLANs.
  number of unicast mac addresses:   5K
  number of igmp groups:             1K
  number of qos aces:                512
  number of security aces:           512
  number of unicast routes:          16K
  number of multicast routes:        1K

Anyway these are really low limits.... But it can help sometimes. Another thing: there is some limitation ... i.e. ip prefix-lists that are handled by the configuration of the switch but not evaluated when bgp is running :/

/Xavier

From mdado at Airspan.com Sun Nov 2 06:26:10 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 11:26:10 +0000
Subject: [c-nsp] Client DHCP Server
Message-ID:

Guys,

Anybody faced such a case before ?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

_____________________________________________
From: Mohammed Dado
Sent: 30 October 2008 12:24
To: cisco-nsp at puck.nether.net
Subject: Client DHCP Server

Gents,

I have a customer facing a problem that his end-user WiFi routers are issuing IP addresses !
I'm under the impression that this could be stopped by the DHCP snooping binding configurations at the ISP end. Any ideas ?

Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

From simon at slimey.org Sun Nov 2 06:33:50 2008
From: simon at slimey.org (Simon Lockhart)
Date: Sun, 2 Nov 2008 11:33:50 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References:
Message-ID: <20081102113350.GY18579@virtual.bogons.net>

On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote:
> I have a customer facing a problem that his end-user WiFi router's are
> issuing IP addresses ! I'm under the impression that this could be stopped
> by the DHCP snooping binding configurations in the ISP end. Any ideas ?

Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end".

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *

From mdado at Airspan.com Sun Nov 2 06:52:06 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 11:52:06 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To: <20081102113350.GY18579@virtual.bogons.net>
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series.
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * From cchurc05 at harris.com Sun Nov 2 07:58:19 2008 From: cchurc05 at harris.com (Church, Charles) Date: Sun, 2 Nov 2008 06:58:19 -0600 Subject: [c-nsp] Client DHCP Server In-Reply-To: References: <20081102113350.GY18579@virtual.bogons.net> Message-ID: As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. 
Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". 
Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
   Director    | * Domain & Web Hosting * Internet Consultancy *
  Bogons Ltd   | * http://www.bogons.net/ * Email: info at bogons.net *
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From blahu77 at gmail.com Sun Nov 2 08:04:13 2008
From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=)
Date: Sun, 2 Nov 2008 13:04:13 +0000
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com>
Message-ID: <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com>

My friend's suggestion in such a problem is to shut the port and wait for someone to start screaming.. If none, you can disconnect the cable :)

-- -mat

From mdado at Airspan.com Sun Nov 2 08:11:22 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sun, 2 Nov 2008 13:11:22 +0000
Subject: [c-nsp] Client DHCP Server
In-Reply-To:
References: <20081102113350.GY18579@virtual.bogons.net>
Message-ID:

I've tried turning off the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is missing altogether. What about using some features supported by the ISP router to stop these DHCP requests from happening ?
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 14:58 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". 
Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From cchurc05 at harris.com Sun Nov 2 08:21:35 2008 From: cchurc05 at harris.com (Church, Charles) Date: Sun, 2 Nov 2008 07:21:35 -0600 Subject: [c-nsp] Client DHCP Server In-Reply-To: References: <20081102113350.GY18579@virtual.bogons.net> Message-ID: I'm assuming your network is a LAN at the customer site, with a Wimax bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500. Chuck -----Original Message----- From: Mohammed Dado [mailto:mdado at Airspan.com] Sent: Sunday, November 02, 2008 8:11 AM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server I've tried turning of the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is already missed. What about using some supported features by the ISP-router to stop this DHCP requests from happening ? 
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 14:58 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". 
Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Sun Nov 2 08:29:23 2008 From: paul at paulstewart.org (Paul Stewart) Date: Sun, 2 Nov 2008 08:29:23 -0500 Subject: [c-nsp] Client DHCP Server In-Reply-To: References: <20081102113350.GY18579@virtual.bogons.net> Message-ID: <001501c93cef$056fc0b0$104f4210$@org> Does the Airspan equipment not support filtering? Almost all Wimax/BBW gear I work on has filtering for PPPOE, DHCP, Netbios etc. so someone can't plugin their router backwards and create havoc... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: November 2, 2008 8:22 AM To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server I'm assuming your network is a LAN at the customer site, with a Wimax bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500. 
Chuck -----Original Message----- From: Mohammed Dado [mailto:mdado at Airspan.com] Sent: Sunday, November 02, 2008 8:11 AM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server I've tried turning of the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is already missed. What about using some supported features by the ISP-router to stop this DHCP requests from happening ? Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 14:58 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. 
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mdado at Airspan.com Sun Nov 2 08:48:29 2008 From: mdado at Airspan.com (Mohammed Dado) Date: Sun, 2 Nov 2008 13:48:29 +0000 Subject: [c-nsp] Client DHCP Server In-Reply-To: <001501c93cef$056fc0b0$104f4210$@org> References: <20081102113350.GY18579@virtual.bogons.net> <001501c93cef$056fc0b0$104f4210$@org> Message-ID: It does support filtering using our NMS monitoring tool. I'm investigating this as well. We've an option that helps stopping this from occurring which is discarding classifiers, this is created upon the service flow products depending on our customer network behaviour ! 
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Paul Stewart [mailto:paul at paulstewart.org] Sent: 02 November 2008 15:29 To: 'Church, Charles'; Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server Does the Airspan equipment not support filtering? Almost all Wimax/BBW gear I work on has filtering for PPPOE, DHCP, Netbios etc. so someone can't plugin their router backwards and create havoc... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Charles Sent: November 2, 2008 8:22 AM To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server I'm assuming your network is a LAN at the customer site, with a Wimax bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500. Chuck -----Original Message----- From: Mohammed Dado [mailto:mdado at Airspan.com] Sent: Sunday, November 02, 2008 8:11 AM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server I've tried turning of the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is already missed. What about using some supported features by the ISP-router to stop this DHCP requests from happening ? 
Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 14:58 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Simon Lockhart [mailto:simon at slimey.org] Sent: 02 November 2008 13:34 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote: > I have a customer facing a problem that his end-user WiFi router's are > issuing IP addresses ! I'm under the impression that this could be stopped > by the DHCP snooping binding configurations in the ISP end. Any ideas ? Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end". 
Simon -- Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration * Director | * Domain & Web Hosting * Internet Consultancy * Bogons Ltd | * http://www.bogons.net/ * Email: info at bogons.net * _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mdado at Airspan.com Sun Nov 2 08:57:07 2008 From: mdado at Airspan.com (Mohammed Dado) Date: Sun, 2 Nov 2008 13:57:07 +0000 Subject: [c-nsp] Client DHCP Server In-Reply-To: References: <20081102113350.GY18579@virtual.bogons.net> Message-ID: Yes. The 7500 is doing bridge and a DHCP server for clients is affecting multiple customers. It's almost your second proposed scenario. Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 15:22 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server I'm assuming your network is a LAN at the customer site, with a Wimax bridged connection back to the 7500, so the 7500 interface is the default gateway for the LAN. If so, I don't believe there is anything you can configure on the 7500 to stop DHCP clients on the LAN from obtaining addresses from a DHCP server (wifi router) also located on the LAN. Or is your 7500 acting as a bridge, and a customer DHCP server is affecting multiple customers? That can be fixed by some changes on the 7500. 
Chuck -----Original Message----- From: Mohammed Dado [mailto:mdado at Airspan.com] Sent: Sunday, November 02, 2008 8:11 AM To: Church, Charles Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server I've tried turning of the DHCP server on the wifi routers, but there's a problem in some of them that the option of turning this service off is already missed. What about using some supported features by the ISP-router to stop this DHCP requests from happening ? Best Regards, Mohammed Dado Technical Support Engineer - EMEA Airspan Communications Ltd -----Original Message----- From: Church, Charles [mailto:cchurc05 at harris.com] Sent: 02 November 2008 14:58 To: Mohammed Dado Cc: cisco-nsp at puck.nether.net Subject: RE: [c-nsp] Client DHCP Server As you probably know, a DHCP server without some getting some help from the routers is only going to serve addresses on the network it's located on. Assuming this is on the customer prem, you're probably not going to see them at the 7500 end. Do you have a topology diagram? Any reason you can't tell the customers to turn off DHCP server on the wifi routers? Unless you've got a DHCP-snooping-capable switch located on each customer network, you probably can't use that. Chuck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado Sent: Sunday, November 02, 2008 6:52 AM To: Simon Lockhart Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Client DHCP Server Access NW is WiMAX. Cisco hardware at the ISP end is Cisco 7500 Series. 
Best Regards,
Mohammed Dado
Technical Support Engineer - EMEA
Airspan Communications Ltd

-----Original Message-----
From: Simon Lockhart [mailto:simon at slimey.org]
Sent: 02 November 2008 13:34
To: Mohammed Dado
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Client DHCP Server

On Sun Nov 02, 2008 at 11:26:10AM +0000, Mohammed Dado wrote:
> I have a customer facing a problem that his end-user WiFi router's are
> issuing IP addresses ! I'm under the impression that this could be stopped
> by the DHCP snooping binding configurations in the ISP end. Any ideas ?

Before anyone can try to speculate on how to solve such a problem, you'll need to provide more information, such as what the access network technology is, what Cisco hardware you have at the "ISP end".

Simon
--
Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
Director       | * Domain & Web Hosting * Internet Consultancy *
Bogons Ltd     | * http://www.bogons.net/ * Email: info at bogons.net *

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


From paul at paulstewart.org Sun Nov 2 09:55:36 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 2 Nov 2008 09:55:36 -0500
Subject: [c-nsp] QOS Revisited
Message-ID: <001601c93cfb$266bb2e0$734318a0$@org>

Hi there. I'm trying to create a policy-map to be applied on a subinterface - Cisco 1841 router .. wanted to get a basic config running and then I'll expand it a bit more (separate signaling from the actual voice streams etc)

class-map match-any Voice
 match access-group 10
!
!
policy-map VOIP
 class Voice
  set dscp cs5
 class class-default
  set dscp default

interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address xx.xx.xx.129 255.255.255.192
 pppoe enable group Moto900
 no cdp enable
 service-policy output VOIP
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
 ip address xx.xx.xx.1 255.255.255.192
 pppoe enable group Moto2400
 no cdp enable
 service-policy output VOIP

The configuration seems to be working per se but it's not setting dscp=5 even though it's identifying the traffic source via the access-list:

dis1-rtr-br#sh policy-map interface FastEthernet 0/1.20
 FastEthernet0/1.20

  Service-policy output: VOIP

    Class-map: Voice (match-any)
      3625 packets, 834212 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: access-group 10
        3625 packets, 834212 bytes
        30 second rate 0 bps
      QoS Set
        dscp cs5
          Packets marked 0

    Class-map: class-default (match-any)
      235110 packets, 298289353 bytes
      30 second offered rate 4690000 bps, drop rate 0 bps
      Match: any
      QoS Set
        dscp default
          Packets marked 90

What am I doing wrong here? I don't understand if it's matching access-group 10 and showing the number of packets increasing then why does it not set dscp as I've told it to?

Thanks in advance,

Paul


From scott at labyrinth.org Sun Nov 2 11:00:23 2008
From: scott at labyrinth.org (Scott Keoseyan)
Date: Sun, 2 Nov 2008 11:00:23 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: 
References: <110120081234.10953.490C4CCF000ADC7600002AC92206424613090A079C9C9A03@comcast.net>, <1225556905.14164.19.camel@abehat>
Message-ID: <04F4AE1E-6B23-44EF-A0EB-89400BA7F832@labyrinth.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is there not a MIB out there that contains/displays the contents of what's in the CDP neighbor table, and is this information not in the table itself... bridge/router/ip-phone/AP/etc.,,?

I thought there was a network-management tool out there somewhere that used the contents of the CDP table to help map-out the network or something like that using this technique.
Scott On Nov 1, 2008, at 2:24 PM, lee.e.rian at census.gov wrote: > -----Peter Rathlev wrote: ----- > >> On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote: >>> Especially considering his example was a Catalyst 6500 chassis. He'd > have >>> to distinguish switched/routed ports present or not... >>> >>> I'm not a work, so I can't check, but the RFC1213 sysServices >>> might show > if >>> the routing and/or bridging functionality is enabled: >> >> >> I was thinking the same, but it doesn't seem very useful when trying >> it out. All the units I looked at was either >> >> "INTEGER: 6" (bridge and IP gateway) or >> "INTEGER: 78" (bridge, IP gateway, IP host and application host). > <.. snip ..> > > Too bad Cisco says what the box *can* do instead of what it's actually > doing. > > Maybe RFC1213 ipForwarding would work > > ipForwarding OBJECT-TYPE > SYNTAX INTEGER { > forwarding(1), -- acting as a gateway > not-forwarding(2) -- NOT acting as a gateway > } > > but I kind of doubt it. We just got some SUP32s in to replace CatOS > SUP2s > (pure L2 switches) & I haven't been able to figure out yet how to > tell them > _not_ to play router. Only the directly connected router can talk > to the > sup32 if it's configured with a default gateway but no default route. > Seems to me that you should only need a default route on something > that's > acting as a router. (If it makes any difference, "no ip proxy-arp" > is the > standard here :) So my guess is that they're going to say they're > acting > as a gateway even tho I don't want them to play router nor is there > anything L3 configured on them beyond the management vlan IP address > and > syslog, tacacs, etc. server addresses. 
> >
> > Lee
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAkkNzpcACgkQA7TpMPAlvEcD8gCeKbcepeEmh0tubt0a7D/rDjAg
GHMAn1iNyVdMiPpVwMNz6/v4WmdJTZb+
=5/bp
-----END PGP SIGNATURE-----


From cisco at peakpeak.com Sun Nov 2 12:20:27 2008
From: cisco at peakpeak.com (Networkers)
Date: Sun, 02 Nov 2008 11:20:27 -0600
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To: 
Message-ID: 

What code rev is in there?

Thanks,
Chris

On 10/20/08 3:20 AM, "Brian Turnbow" wrote:

> Please don't tell that to this router
>
>
> policy-map llq
>  class sipRTP
>   priority 512
>  class class-default
>   fair-queue
>   random-detect
>
> vc-class atm CVPHDSL-VoIP
>  vbr-nrt 1524 1524
>  encapsulation aal5snap
>
> interface ATM3/0.20842 point-to-point
>  description cust 1
>  ip address 192.168.0.41 255.255.255.252
>  pvc CVPH_CUSTVOIP 208/42
>   class-vc CVPHDSL-VoIP
>   service-policy out llq
>
> 7200-accessjn3#sh policy-map int ATM3/0.20842
>  ATM3/0.20842: VC 208/42 -
>
>   Service-policy output: llq
>
>     queue stats for all priority classes:
>
>       queue limit 64 packets
>       (queue depth/total drops/no-buffer drops) 0/0/0
>       (pkts output/bytes output) 5466056/418685691
>
>     Class-map: sipRTP (match-all)
>       5466056 packets, 418685691 bytes
>       5 minute offered rate 61000 bps, drop rate 0 bps
>       Match: access-group 5
>       Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0
>
>     Class-map: class-default (match-any)
>       492783 packets, 493906760 bytes
>       5 minute offered rate 509000 bps, drop rate 0 bps
>       Match: any
>         492783 packets, 493906760 bytes
>         5 minute rate 509000 bps
>       Queueing
>       queue limit 64 packets
>       (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
>       (pkts output/bytes output) 492733/493866217
>       Fair-queue: per-flow queue limit 16
>         Exp-weight-constant: 9 (1/512)
>         Mean queue depth: 0 packets
>
>   class  Transmitted        Random drop   Tail/Flow drop  Minimum  Maximum  Mark
>          pkts/bytes         pkts/bytes    pkts/bytes      thresh   thresh   prob
>
>   0      486842/493318682   0/0           50/40543        20       40       1/10
>   1      54/22464           0/0           0/0             22       40       1/10
>   2      6/746              0/0           0/0             24       40       1/10
>   3      0/0                0/0           0/0             26       40       1/10
>   4      5/330              0/0           0/0             28       40       1/10
>   5      20/1200            0/0           0/0             30       40       1/10
>   6      5753/515372        0/0           0/0             32       40       1/10
>   7      53/7423            0/0           0/0             34       40       1/10
>
> http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml
>
>
> Brian
>
>
> From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
> Sent: Friday 17 October 2008 18.52
> To: Brian Turnbow
> Cc: Networkers; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] 7206VXR and CBWFQ
>
> Hi,
>
> Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.
>
> router(config)# interface Serial0/0.1
> router(config-subif)# service-policy output test
> CBWFQ : Not supported on subinterfaces
>
> 1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.
>
> policy-map child
>  class voice
>   priority 512
>
> 2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class.
>
> policy-map parent
>  class class-default
>   shape average 2000000
>   service-policy child
>
> 3. Apply the parent policy to the subinterface.
>
> interface Serial0/0.1
>  service-policy parent
>
> Cisco Page: http://tinyurl.com/ytt8ge
>
> Note: Class-based shaping works at the interface and subinterface level. Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the main interface and IP addresses on the subinterfaces.
>
> thanks,
>
> Victor Cappuccio
> CCIE R/S# 20657
> CCSI# 30452
> www.anetworkerblog.com
>
> On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:
>> Your pvc needs to be abr/vbr/cbr
>> You can't do it on ubr
>>
>> Regards
>>
>> Brian
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
>> Sent: Friday 17 October 2008 17.10
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] 7206VXR and CBWFQ
>>
>> Whenever I try to apply the following I get an error message about how
>> CBWFQ can't be applied to subinterfaces. What is the correct way to do
>> this?
>>
>> Thanks,
>> Chris
>>
>> class-map match-any VOIP
>>  match ip dscp ef
>>  match precedence 5
>> class-map match-all CRITICAL
>>  match access-group 100
>>
>> policy-map MyCBWFQ
>>  class CRITICAL
>>   priority 48
>>  class VOIP
>>   bandwidth 320
>>   set precedence 6
>>
>> vc-class atm MyClass
>>  ubr 1536
>>  encapsulation aal5mux ppp Virtual-Template5
>>
>> interface Virtual-Template5
>>  ip unnumbered Loopback0
>>  service-policy output MyCBWFQ
>>  peer default ip address pool default
>>  ppp authentication pap callin
>>
>> interface ATM2/0.1921 point-to-point
>>  pvc 1/1921
>>   class-vc MyClass
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at
>> http://puck.nether.net/pipermail/cisco-nsp/
>
>


From giesen at snickers.org Sun Nov 2 14:05:33 2008
From: giesen at snickers.org (Gary T. Giesen)
Date: Sun, 2 Nov 2008 14:05:33 -0500
Subject: [c-nsp] L2VPN Pseudowire Redundancy
Message-ID: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>

I'm not sure if this is possible, but maybe someone can give me some input on how to best achieve this.

I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully redundant pseudowire (from the provider perspective).

The idea is to put two PE routers at each end of the pseudowire (with a common VLAN at each end shared through a switch), so that I can fully lose a PE router and the VC still stays up.

The topology looks like this:

                  [PE1]                 [PE3]
CE1 --- [SW1] ---<     > [MPLS CLOUD] <     >--- [SW2] --- CE2
                  [PE2]                 [PE4]

I've tried a number of ways using xconnect-peers and backup peers (per http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html ), and it works great when I only have redundancy on one end, but as soon as I add the 4th PE, nothing works anymore.

When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a VC with PE4, when in reality I should only ever have one VC formed at any given time, and PE2 should never form a VC with PE4 until PE1 or PE3 goes down.

Does anyone have any suggested configurations?

Regards,

GG


From blahu77 at gmail.com Sun Nov 2 14:39:35 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sun, 2 Nov 2008 19:39:35 +0000
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com>
Message-ID: <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com>

you would have to land these xconnects on VPLS instance.
so add 4 more devices that would be your N-PEs with VPLS instance and your current PEs would become U-PEs connected to the rest of the MPLS cloud with 1 xconnect to the "active" N-PE and backup xconnect to the "standby" N-PE.

But I am not sure it is possible on 7206.

--
-mat

2008/11/2 Gary T. Giesen :
> I'm not sure if this is possible, but maybe someone can give me some
> input on how to best achieve this.
>
> I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully
> redundant pseudowire (from the provider perspective).
>
> The idea is to put two PE routers at each end of the pseudowire (with
> a common VLAN at each end shared through a switch), so that I can
> fully lose a PE router and the VC still stays up.
>
> The topology looks like this:
>
>                   [PE1]                 [PE3]
> CE1 --- [SW1] ---<     > [MPLS CLOUD] <     >--- [SW2] --- CE2
>                   [PE2]                 [PE4]
>
> I've tried a number of ways using xconnect-peers and backup peers (per
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
> ), and it works great when I only have redundancy on one end, but as
> soon as I add the 4th PE, nothing works anymore.
>
> When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a
> VC with PE4, when in reality I should only ever have one VC formed at
> any given time, and PE2 should never form a VC with PE4 until PE1 or
> PE3 goes down.
>
> Does anyone have any suggested configurations?
> > Regards, > > GG > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From blahu77 at gmail.com Sun Nov 2 14:41:43 2008 From: blahu77 at gmail.com (=?ISO-8859-2?Q?Mateusz_B=B3aszczyk?=) Date: Sun, 2 Nov 2008 19:41:43 +0000 Subject: [c-nsp] Lightstream Alternative In-Reply-To: References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com> Message-ID: <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com> > If the SPA card for the 7600 could do the switching, the cat 6500 should > also be able to do it. But even for the 7600 I can't find any > information on atm switching. http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419 -- -mat From avayner at cisco.com Sun Nov 2 15:07:47 2008 From: avayner at cisco.com (Arie Vayner (avayner)) Date: Sun, 2 Nov 2008 21:07:47 +0100 Subject: [c-nsp] L2VPN Pseudowire Redundancy In-Reply-To: <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com> References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com> Message-ID: <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com> I would suggest that you treat these 2 parallel PW's as 2 separate L2 connections. Each connection would be handed over to the end customer separately, and the customer can run STP end to end between their CE's. This way the failover between PW1 and PW2 would be based on CE-to-CE STP Alternatively, if the customer is using L3 CE's, then its just 2 parallel L3 links... 
Arie -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz B?aszczyk Sent: Sunday, November 02, 2008 21:40 PM To: giesen at snickers.org Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy you would have to land these xconnects on VPLS instance. so add 4 more devices that would be your N-PEs with VPLS instance and your current PEs would become U-PEs connected to the rest of the MPLS cloud with 1 xconnect to the "active" N-PE and backup xconnect to the "standby" N-PE. But I am not sure it is possible on 7206. -- -mat 2008/11/2 Gary T. Giesen : > I'm not sure if this is possible, but maybe someone can give me some > input on how to best achieve this. > > I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully > redundant pseudowire (from the provider persective). > > The idea is to put two PE routers at each end of the pseudowire (with > a common VLAN at each end shared through a switch), so that I can > fully lose a PE router and the VC still stays up. > > The topology looks like this: > > [PE1] [PE3] > CE1 --- [SW1] ---< > [MPLS CLOUD] < >--- [SW2] --- CE2 > [PE2] [PE4] > > I've tried a number of ways using xconnect-peers and backup peers (per > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html > ), and it works great when I only have redundancy on one end, but as > soon as I add the 4th PE, nothing works anymore. > > When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a > VC with PE4, when in reality I should only ever have one VC formed at > any given time, and PE2 should never form a VC with PE4 until PE1 or > PE3 goes down. > > Does anyone have any suggested configurations? 
>
> Regards,
>
> GG
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


From lee.e.rian at census.gov Sun Nov 2 18:06:13 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sun, 2 Nov 2008 18:06:13 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490CDC4B.2090802@cisco.com>
Message-ID: 

Lincoln Dale wrote on 11/01/2008 06:46:35 PM:

> Karl Gaissmaier wrote:
> >> Maybe RFC1213 ipForwarding would work
> >>
> >> ipForwarding OBJECT-TYPE
> >>     SYNTAX INTEGER {
> >>         forwarding(1),     -- acting as a gateway
> >>         not-forwarding(2)  -- NOT acting as a gateway
> >>     }
> >>
> >> but I kind of doubt it. We just got some SUP32s in to replace CatOS
> >> SUP2s
> >> (pure L2 switches) & I haven't been able to figure out yet how to
> >> tell them
>
> ipForwarding should work fine. it _should_ change behavior based on
> whether there are any L3 interfaces configured or not.

I hope not. Seems to me that it _should_ change behavior based on whether or not the device is acting as a router. Consider the case of all interfaces configured as a switchport. Plain old L2 switch - right? Now add an IP address under the vlan interface so that I can manage the switch. It still shouldn't be playing router - so ipForwarding should still return not-forwarding(2)

> the challenge is how to use this moving forward on Cisco platforms that
> have dedicated out-of-band management interfaces (e.g. Nexus platforms),
> because technically speaking, they ALWAYS have an L3 interface
> configured (mgmt0 out-of-band) which is L3 by definition because it
> exists in its own 'management' VRF).

I'm missing why having an L3 interface would make any difference. A cat2900xl configured with an L3 address for management purposes doesn't turn the box into a router. Why should simply configuring an L3 interface on a box change the value of ipForwarding?

hrmm.. or are you saying that some boxes are *always* going to think they're a router regardless?

Regards,
Lee


From lee.e.rian at census.gov Sun Nov 2 18:09:47 2008
From: lee.e.rian at census.gov (lee.e.rian at census.gov)
Date: Sun, 2 Nov 2008 18:09:47 -0500
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <04F4AE1E-6B23-44EF-A0EB-89400BA7F832@labyrinth.org>
Message-ID: 

Scott Keoseyan wrote on 11/02/2008 11:00:23 AM:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Is there not a MIB out there that contains/displays the contents of
> what's in the CDP neighbor table, and is this information not in the
> table itself... bridge/router/ip-phone/AP/etc.,,?

I think what's in the CDP table is the same thing that's in the systems services MIB - what the box is capable of; not what it's actually configured to do.

Lee

>
> I thought there was a network-management tool out there somewhere that
> used the contents of the CDP table to help map-out the network or
> something like that using this technique.
>
> Scott
>
> On Nov 1, 2008, at 2:24 PM, lee.e.rian at census.gov wrote:
>
> > -----Peter Rathlev wrote: -----
> >
> >> On Sat, 2008-11-01 at 11:30 -0400, lee.e.rian at census.gov wrote:
> >>> Especially considering his example was a Catalyst 6500 chassis. He'd have
> >>> to distinguish switched/routed ports present or not...
> >>>
> >>> I'm not at work, so I can't check, but the RFC1213 sysServices might show if
> >>> the routing and/or bridging functionality is enabled:
> >>
> >>
> >> I was thinking the same, but it doesn't seem very useful when trying
> >> it out. All the units I looked at were either
> >>
> >> "INTEGER: 6" (bridge and IP gateway) or
> >> "INTEGER: 78" (bridge, IP gateway, IP host and application host).
> > <.. snip ..>
> >
> > Too bad Cisco says what the box *can* do instead of what it's actually
> > doing.
> >
> > Maybe RFC1213 ipForwarding would work
> >
> > ipForwarding OBJECT-TYPE
> >     SYNTAX INTEGER {
> >         forwarding(1),     -- acting as a gateway
> >         not-forwarding(2)  -- NOT acting as a gateway
> >     }
> >
> > but I kind of doubt it. We just got some SUP32s in to replace CatOS SUP2s
> > (pure L2 switches) & I haven't been able to figure out yet how to tell them
> > _not_ to play router. Only the directly connected router can talk to the
> > sup32 if it's configured with a default gateway but no default route.
> > Seems to me that you should only need a default route on something that's
> > acting as a router. (If it makes any difference, "no ip proxy-arp" is the
> > standard here :) So my guess is that they're going to say they're acting
> > as a gateway even tho I don't want them to play router nor is there
> > anything L3 configured on them beyond the management vlan IP address and
> > syslog, tacacs, etc. server addresses.
> >
> > Lee
> >
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
>
> iEYEARECAAYFAkkNzpcACgkQA7TpMPAlvEcD8gCeKbcepeEmh0tubt0a7D/rDjAg
> GHMAn1iNyVdMiPpVwMNz6/v4WmdJTZb+
> =5/bp
> -----END PGP SIGNATURE-----


From ltd at cisco.com Sun Nov 2 18:39:06 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Mon, 03 Nov 2008 10:39:06 +1100
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: 
References: 
Message-ID: <490E3A1A.6070604@cisco.com>

lee.e.rian at census.gov wrote:
>
> Lincoln Dale wrote on 11/01/2008 06:46:35 PM:
>
> > Karl Gaissmaier wrote:
> > >> Maybe RFC1213 ipForwarding would work
> > >>
> > >> ipForwarding OBJECT-TYPE
> > >>     SYNTAX INTEGER {
> > >>         forwarding(1),     -- acting as a gateway
> > >>         not-forwarding(2)  -- NOT acting as a gateway
> > >>     }
> > >>
> > >> but I kind of doubt it. We just got some SUP32s in to replace CatOS
> > >> SUP2s
> > >> (pure L2 switches) & I haven't been able to figure out yet how to
> > >> tell them
> >
> > ipForwarding should work fine. it _should_ change behavior based on
> > whether there are any L3 interfaces configured or not.
>
> I hope not. Seems to me that it _should_ change behavior based on
> whether or not the device is acting as a router. Consider the case of
> all interfaces configured as a switchport. Plain old L2 switch -
> right? Now add an IP address under the vlan interface so that I can
> manage the switch. It still shouldn't be playing router - so
> ipForwarding should still return not-forwarding(2)

the moment you've created a SVI, the device is now behaving as a L3 switch a.k.a. it's routing.

my understanding is that on something like a Catalyst 6500 the result of ipForwarding _will_ change based on the above logic.

the logic may be a little bit more complicated than that - i can see that it probably makes more sense for the result to change only if there is either:
 - an SVI and there is at least 1 routed interface too, or
 - more than one SVI.

because it's not technically possible to be a "router" if you only have 1 L3 interface. :)

note that i haven't verified the snmp response from a c6k for any of this, but the above would make the most sense in terms of responding whether there is "IP Forwarding" aka "L3 switching" aka "routing" going on.

>
> > the challenge is how to use this moving forward on Cisco platforms that
> > have dedicated out-of-band management interfaces (e.g. Nexus
> > platforms),
> > because technically speaking, they ALWAYS have an L3 interface
> > configured (mgmt0 out-of-band) which is L3 by definition because it
> > exists in its own 'management' VRF).
>
> I'm missing why having an L3 interface would make any difference. A
> cat2900xl configured with an L3 address for management purposes
> doesn't turn the box into a router. Why should simply configuring an
> L3 interface on a box change the value of ipForwarding?

well - Catalyst 2900XL doesn't do L3 switching (i guess that's why you chose it as an example), so to my mind, it should not ever respond saying that it can do IP Forwarding.

>
> hrmm.. or are you saying that some boxes are *always* going to think
> they're a router regardless?

i think that may be the case today, yes.

getting back to the original poster's question, one true method one could use to determine if a device is operating as a 'router' or as a L2 switch is to use a SNMP OID that indicates whether the device is participating in a L3 routing protocol, e.g. if you use OSPF as your IGP, then querying an OID associated with that perhaps makes more sense. that would never be ambiguous.

cheers,

lincoln.
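The three objects this thread keeps returning to (sysDescr, sysServices and ipForwarding) are easiest to reason about when they are decoded in one place, so that the classification rule and its blind spot are both explicit. The following is an added example written for this edit, not code posted to the list and not anything from Cisco: it parses the text that Net-SNMP's `snmpget -On` prints for the three MIB-II objects, decodes the sysServices bitmask as RFC 1213 defines it, and reports what the box claims it can do next to what it claims it is doing. The OIDs are the real MIB-II ones; the sysDescr patterns are a hypothetical "own mapping file" in the spirit of the earlier suggestion, and the three sample replies are constructed for the example, not captured from real devices.

```python
import re

# MIB-II objects from RFC 1213, in the numeric form `snmpget -On` prints.
OID_SYS_DESCR = ".1.3.6.1.2.1.1.1.0"
OID_SYS_SERVICES = ".1.3.6.1.2.1.1.7.0"
OID_IP_FORWARDING = ".1.3.6.1.2.1.4.1.0"

# RFC 1213 sysServices: bit (L - 1) is set when the agent claims to offer
# services at OSI layer L.  6 = layers 2+3, 78 = layers 2+3+4+7.
LAYER_NAMES = {
    1: "physical", 2: "datalink (bridge)", 3: "internet (IP gateway)",
    4: "end-to-end (IP host)", 5: "session", 6: "presentation", 7: "applications",
}

# Hypothetical sysDescr mapping rules (assumption: the image names below are
# only examples, a real mapping file would be built from your own inventory).
DESCR_RULES = (
    (re.compile(r"\bs3223_rp\b|\bs72033_rp\b|\bC2960\b|\bC3750\b|\bc2900xl\b", re.I), "switch"),
    (re.compile(r"\bC2800NM\b|\bC1841\b|\bC7200\b|\bRSP\b", re.I), "router"),
    (re.compile(r"Adaptive Security Appliance|\bPIX\b|\bFWSM\b", re.I), "firewall"),
)

_VARBIND = re.compile(r"^(\.?[\d.]+)\s*=\s*(STRING|INTEGER):\s*(.*)$")
_INT = re.compile(r"^(?:[A-Za-z-]+\()?(-?\d+)\)?$")


def parse_snmp_output(text):
    """Parse Net-SNMP style `snmpget -On` lines into {oid: value}.

    INTEGER values become int, accepting both `INTEGER: 1` and the
    MIB-decorated `INTEGER: forwarding(1)`; STRING values become str.
    Lines that are not varbinds (errors, blank lines) are skipped.
    """
    result = {}
    for line in text.splitlines():
        m = _VARBIND.match(line.strip())
        if not m:
            continue
        oid, kind, raw = m.groups()
        oid = oid if oid.startswith(".") else "." + oid
        if kind == "INTEGER":
            n = _INT.match(raw.strip())
            if not n:
                raise ValueError("bad INTEGER value: %r" % raw)
            result[oid] = int(n.group(1))
        else:
            result[oid] = raw.strip().strip('"')
    return result


def decode_sys_services(value):
    """Return the set of OSI layers encoded in a sysServices integer (7 bits)."""
    if not 0 <= value <= 127:
        raise ValueError("sysServices must be in 0..127, got %r" % value)
    return {layer for layer in range(1, 8) if value & (1 << (layer - 1))}


def classify(varbinds):
    """Combine the three objects into a capability/role summary.

    family : from sysDescr (self-reported text, treat as a hint)
    layers : from sysServices (what the box says it *can* do)
    role   : from ipForwarding (whether the agent says it is a gateway now)
    ambiguous flags the case the thread worries about: a switch image whose
    agent still answers forwarding(1).
    """
    descr = varbinds.get(OID_SYS_DESCR, "")
    layers = decode_sys_services(varbinds.get(OID_SYS_SERVICES, 0))
    forwarding = varbinds.get(OID_IP_FORWARDING) == 1
    family = next((label for pat, label in DESCR_RULES if pat.search(descr)), "unknown")
    if forwarding and 3 in layers:
        role = "router"
    elif 2 in layers:
        role = "switch"
    else:
        role = "host"
    return {
        "family": family,
        "role": role,
        "layers": [LAYER_NAMES[l] for l in sorted(layers)],
        "ambiguous": family == "switch" and role == "router",
    }


# Constructed sample replies (not captured from real devices), in the shape
# `snmpget -v2c -c <community> -On <host> <oid> <oid> <oid>` prints them.
# The 6500 sample models the thread's case: an L2-only Sup32 whose agent
# still answers ipForwarding = forwarding(1).
SAMPLE_2811 = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(15)T
.1.3.6.1.2.1.1.7.0 = INTEGER: 6
.1.3.6.1.2.1.4.1.0 = INTEGER: forwarding(1)
"""
SAMPLE_6500 = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, s3223_rp Software (s3223_rp-IPBASEK9-M), Version 12.2(33)SXH
.1.3.6.1.2.1.1.7.0 = INTEGER: 78
.1.3.6.1.2.1.4.1.0 = INTEGER: 1
"""
SAMPLE_2960 = """\
.1.3.6.1.2.1.1.1.0 = STRING: Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE
.1.3.6.1.2.1.1.7.0 = INTEGER: 2
.1.3.6.1.2.1.4.1.0 = INTEGER: not-forwarding(2)
"""

if __name__ == "__main__":
    for name, sample in (("2811", SAMPLE_2811), ("6500", SAMPLE_6500), ("2960", SAMPLE_2960)):
        print(name, classify(parse_snmp_output(sample)))
```

All three values are self-reported by the agent, which is the point Lee and Lincoln are circling: the 6500 sample comes back `family: switch, role: router, ambiguous: True`, and nothing in MIB-II alone resolves that. Treat the result as an inventory hint and corroborate it with something that reflects configured behaviour (a routing-protocol MIB, as suggested above, or the running config) before a firewall rule, an audit scope or an alert threshold depends on the device type. Also remember that SNMPv1/v2c communities travel in cleartext, so poll from the management network or use SNMPv3.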
From rakeshh at gmail.com Sun Nov 2 21:24:47 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Sun, 2 Nov 2008 20:24:47 -0600
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <383357750811021139i43443804h9f33770affe3d6eb@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com>
Message-ID: <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com>

How about creating two pseudowires, PE1-PE3 and PE2-PE4? This will give you two logical point to point connections between SW1 and SW2 and at the same time take care of device (PE) failure. STP, by default, will take care of the redundancy. You may also want to use UDLD and/or PAgP or LACP to provide end to end link status.

-Rakesh.

On Sun, Nov 2, 2008 at 2:07 PM, Arie Vayner (avayner) wrote:

> I would suggest that you treat these 2 parallel PW's as 2 separate L2
> connections.
> Each connection would be handed over to the end customer separately, and
> the customer can run STP end to end between their CE's.
> This way the failover between PW1 and PW2 would be based on CE-to-CE STP
>
> Alternatively, if the customer is using L3 CE's, then its just 2 parallel
> L3 links...
>
> Arie
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:
> cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Błaszczyk
> Sent: Sunday, November 02, 2008 21:40 PM
> To: giesen at snickers.org
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy
>
> you would have to land these xconnects on VPLS instance.
> so add 4 more devices that would be your N-PEs with VPLS instance and your
> current PEs would become U-PEs connected to the rest of the MPLS cloud with
> 1 xconnect to the "active" N-PE and backup xconnect to the "standby" N-PE.
>
> But I am not sure it is possible on 7206.
>
> --
> -mat
>
> 2008/11/2 Gary T. Giesen :
> > I'm not sure if this is possible, but maybe someone can give me some
> > input on how to best achieve this.
> >
> > I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a fully
> > redundant pseudowire (from the provider perspective).
> >
> > The idea is to put two PE routers at each end of the pseudowire (with
> > a common VLAN at each end shared through a switch), so that I can
> > fully lose a PE router and the VC still stays up.
> >
> > The topology looks like this:
> >
> >               [PE1]                  [PE3]
> > CE1 --- [SW1] ---< > [MPLS CLOUD] < >--- [SW2] --- CE2
> >               [PE2]                  [PE4]
> >
> > I've tried a number of ways using xconnect-peers and backup peers (per
> > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
> > ), and it works great when I only have redundancy on one end, but as
> > soon as I add the 4th PE, nothing works anymore.
> >
> > When I add the 4th PE router, PE1 forms a VC with PE3, and PE2 forms a
> > VC with PE4, when in reality I should only ever have one VC formed at
> > any given time, and PE2 should never form a VC with PE4 until PE1 or
> > PE3 goes down.
> >
> > Does anyone have any suggested configurations?
> >
> > Regards,
> >
> > GG

From netgeek at bgp4.net Sun Nov 2 23:34:17 2008
From: netgeek at bgp4.net (Janet Sullivan)
Date: Sun, 02 Nov 2008 20:34:17 -0800
Subject: [c-nsp] SXF15/SXF15a experiences?
Message-ID: <490E7F49.8070901@bgp4.net>

I'm interested in hearing about people's experiences with SXF15/15a, especially in an internet edge/full BGP route table type environment. So far I've run into one oddity with SXF15 (BGP wasn't updating the local routing table until a clear ip route *), and I'm debating whether to downgrade.

Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting of the SXH beast still.

From b.turnbow at twt.it Mon Nov 3 02:49:29 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 3 Nov 2008 08:49:29 +0100
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To:
References:
Message-ID:

Cisco IOS Software, 7200 Software (C7200P-JS-M), Version 12.2(31)SB13, RELEASE SOFTWARE (fc1)

Brian

________________________________
From: Networkers [mailto:cisco at peakpeak.com]
Sent: Sunday, 2 November 2008 18.20
To: Brian Turnbow; Victor Cappuccio
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

What code rev is in there?
Thanks,
Chris

On 10/20/08 3:20 AM, "Brian Turnbow" wrote:

Please don't tell that to this router

policy-map llq
 class sipRTP
  priority 512
 class class-default
  fair-queue
  random-detect

vc-class atm CVPHDSL-VoIP
 vbr-nrt 1524 1524
 encapsulation aal5snap

interface ATM3/0.20842 point-to-point
 description cust 1
 ip address 192.168.0.41 255.255.255.252
 pvc CVPH_CUSTVOIP 208/42
  class-vc CVPHDSL-VoIP
  service-policy out llq

7200-accessjn3#sh policy-map int ATM3/0.20842
 ATM3/0.20842: VC 208/42 -
  Service-policy output: llq
    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5466056/418685691
    Class-map: sipRTP (match-all)
      5466056 packets, 418685691 bytes
      5 minute offered rate 61000 bps, drop rate 0 bps
      Match: access-group 5
      Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0
    Class-map: class-default (match-any)
      492783 packets, 493906760 bytes
      5 minute offered rate 509000 bps, drop rate 0 bps
      Match: any
        492783 packets, 493906760 bytes
        5 minute rate 509000 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
      (pkts output/bytes output) 492733/493866217
      Fair-queue: per-flow queue limit 16
      Exp-weight-constant: 9 (1/512)
      Mean queue depth: 0 packets
      class  Transmitted        Random drop  Tail/Flow drop  Minimum  Maximum  Mark
             pkts/bytes         pkts/bytes   pkts/bytes      thresh   thresh   prob
      0      486842/493318682   0/0          50/40543        20       40       1/10
      1      54/22464           0/0          0/0             22       40       1/10
      2      6/746              0/0          0/0             24       40       1/10
      3      0/0                0/0          0/0             26       40       1/10
      4      5/330              0/0          0/0             28       40       1/10
      5      20/1200            0/0          0/0             30       40       1/10
      6      5753/515372        0/0          0/0             32       40       1/10
      7      53/7423            0/0          0/0             34       40       1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

________________________________
From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
Sent: Friday,
17 October 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Hi,

Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class.

policy-map parent
 class class-default
  shape average 2000000
  service-policy child

3. Apply the parent policy to the subinterface.

interface Serial0/0.1
 service-policy parent

Cisco Page: http://tinyurl.com/ytt8ge

Note: Class-based shaping works at the interface and subinterface level. Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the main interface and IP addresses on the subinterfaces.

thanks,
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com

On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:

Your pvc needs to be abr/vbr/cbr
You can't do it on ubr

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
Sent: Friday,
17 October 2008 17.10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206VXR and CBWFQ

Whenever I try to apply the following I get an error message about how CBWFQ can't be applied to subinterfaces. What is the correct way to do this?

Thanks,
Chris

class-map match-any VOIP
 match ip dscp ef
 match precedence 5
class-map match-all CRITICAL
 match access-group 100

policy-map MyCBWFQ
 class CRITICAL
  priority 48
 class VOIP
  bandwidth 320
  set precedence 6

vc-class atm MyClass
 ubr 1536
 encapsulation aal5mux ppp Virtual-Template5

interface Virtual-Template5
 ip unnumbered Loopback0
 service-policy output MyCBWFQ
 peer default ip address pool default
 ppp authentication pap callin

interface ATM2/0.1921 point-to-point
 pvc 1/1921
  class-vc MyClass

From karl.gaissmaier at uni-ulm.de Mon Nov 3 03:30:16 2008
From: karl.gaissmaier at uni-ulm.de (Karl Gaissmaier)
Date: Mon, 03 Nov 2008 09:30:16 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <490EB698.4080304@uni-ulm.de>

Hi,

Janet Sullivan wrote:
..
> Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting
> of the SXH beast still.
my tests with SXH on a sup720-3B showed a constant higher load of the switch processor compared to any SXF version: Version SXF: > cat65# remote command switch show proc cpu sort > > CPU utilization for five seconds: 14%/1%; one minute: 11%; five minutes: 11% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 41 18207424 33591134 542 5.51% 6.73% 6.77% 0 slcp process > 133 321528 49015 6559 4.47% 0.37% 0.16% 0 L2 MAC oob sync > 101 4551988 195787 23249 1.67% 1.70% 1.68% 0 Vlan Statistics Version SXH: The slcp process is consuming always at least 20% on SXH releases on the same box. Remarks: The box is used as a LAN collapsed backbone router, terminating ~ 170 SVIs with about 8k MAC addresses in the LAN. Best Regards Charly From dgranzer at gmail.com Mon Nov 3 03:49:04 2008 From: dgranzer at gmail.com (David Granzer) Date: Mon, 3 Nov 2008 09:49:04 +0100 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490E7F49.8070901@bgp4.net> References: <490E7F49.8070901@bgp4.net> Message-ID: <844ef89c0811030049h5316a727s34e457f308b5e086@mail.gmail.com> Hello, we had exactly the same troubles with SXF15, now we are back to previous version. It seemed like CEF related bug. David On Mon, Nov 3, 2008 at 5:34 AM, Janet Sullivan wrote: > I'm interested in hearing about people's experiences with SXF15/15a, > especially in an internet edge/full BGP route table type environment. So far > I've run into one oddity with SXF15 (BGP wasn't updating the local routing > table until a clear ip route *), and I'm debating whether to downgrade. > > Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting of > the SXH beast still. 
From sthaug at nethelp.no Mon Nov 3 04:23:07 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Mon, 03 Nov 2008 10:23:07 +0100 (CET)
Subject: [c-nsp] OID to pick up Device Type of Cisco devices
In-Reply-To: <490E3A1A.6070604@cisco.com>
References: <490E3A1A.6070604@cisco.com>
Message-ID: <20081103.102307.74668825.sthaug@nethelp.no>

> the moment you've created a SVI, the device is now behaving as a L3
> switch a.k.a. its routing.

This may be true on the 6500/7600. It's definitely not true on for instance 3550/3560/3750, where you need an explicit "ip routing" for the box to perform IP forwarding.

> my understanding is that on something like a Catalyst 6500 the result of
> ipForwarding _will_ change based on the above logic.

Seems reasonable for the 6500/7600, but quite *un*reasonable for boxes like 3550/3560/3750 given the default of "no ip routing".

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From ibrahim.abozaid at gmail.com Mon Nov 3 04:41:06 2008
From: ibrahim.abozaid at gmail.com (Ibrahim Abo Zaid)
Date: Mon, 3 Nov 2008 11:41:06 +0200
Subject: [c-nsp] Strange behavior of Catalyst 6509
Message-ID:

Hi All

we had Cat 6509 gear running the 12.0(7)XE1 image on the MSFC; we faced a strange behavior, as all servers and clients connected to a VLAN couldn't exchange any packet with a size exceeding a certain limit, although no configuration was used to limit that and no IP reachability problem existed.

the problem was solved after deleting the VLAN SVI and creating it again.

does anyone have any idea what the problem can be?
i searched IOS bugs and can't get any bug with these symptoms

thanks
--Ibrahim

From ivan at ig.sk Mon Nov 3 04:01:42 2008
From: ivan at ig.sk (Ivan Gasparik)
Date: Mon, 3 Nov 2008 11:01:42 +0200
Subject: [c-nsp] L2VPN Pseudowire Redundancy
In-Reply-To: <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com>
References: <9a9d0c6a0811021105ye2e5847gc6b2249427934865@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A50215341E@xmb-ams-331.emea.cisco.com> <8a4649bb0811021824n3b3c528br7316259bae8d9e03@mail.gmail.com>
Message-ID: <200811031001.42096.ivan@ig.sk>

If the goal is hardware redundancy (to ensure a working VC when one of the PEs fails), you can create one VC and configure it using two separate loopback IP addresses. You will assign a loopback interface to PE1 and PE2 with the same IP address. The other couple of PEs - PE3 and PE4 - will share another IP address on their loopbacks. Every PE will have the VC configured using these IP addresses; you will choose one of each couple as primary and configure the IGP to pick the IP address of the primary PEs and propagate it across the backbone. In case of primary PE failure the IGP will do its job - propagate the loopback IP address of the backup PE and allow LDP to establish a new session between the working PEs.

Ivan

On Monday 03 November 2008, Rakesh Hegde wrote:
> How about creating two pseudowires, PE1-PE3 and PE2-PE4? This
> will give you two logical point to point connections between SW1
> and SW2 and at the same time take care of device (PE) failure.
> STP, by default, will take care of the redundancy. You may also
> want to use UDLD and/or PAgP or LACP to provide end to end link
> status.
>
> -Rakesh.
>
> On Sun, Nov 2, 2008 at 2:07 PM, Arie Vayner (avayner) wrote:
> > I would suggest that you treat these 2 parallel PW's as 2
> > separate L2 connections.
> > Each connection would be handed over to the end customer
> > separately, and the customer can run STP end to end between their
> > CE's.
> > This way the failover between PW1 and PW2 would be based on
> > CE-to-CE STP
> >
> > Alternatively, if the customer is using L3 CE's, then it's just 2
> > parallel L3 links...
> >
> > Arie
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:
> > cisco-nsp-bounces at puck.nether.net] On Behalf Of Mateusz Błaszczyk
> > Sent: Sunday, November 02, 2008 21:40 PM
> > To: giesen at snickers.org
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] L2VPN Pseudowire Redundancy
> >
> > you would have to land these xconnects on VPLS instance.
> > so add 4 more devices that would be your N-PEs with VPLS instance
> > and your current PEs would become U-PEs connected to the rest of
> > the MPLS cloud with 1 xconnect to the "active" N-PE and backup
> > xconnect to the "standby" N-PE.
> >
> > But I am not sure it is possible on 7206.
> >
> >
> > --
> > -mat
> >
> > 2008/11/2 Gary T. Giesen :
> > > I'm not sure if this is possible, but maybe someone can give me
> > > some input on how to best achieve this.
> > >
> > > I'm labbing EoMPLS using 4x 7206 VXR. I'd like to create a
> > > fully redundant pseudowire (from the provider perspective).
> > >
> > > The idea is to put two PE routers at each end of the pseudowire
> > > (with a common VLAN at each end shared through a switch), so
> > > that I can fully lose a PE router and the VC still stays up.
> > >
> > > The topology looks like this:
> > >
> > >               [PE1]                  [PE3]
> > > CE1 --- [SW1] ---< > [MPLS CLOUD] < >--- [SW2] --- CE2
> > >               [PE2]                  [PE4]
> > >
> > > I've tried a number of ways using xconnect-peers and backup
> > > peers (per
> > > http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fspseudo.html
> > > ), and it works great when I only have redundancy on one
> > > end, but as soon as I add the 4th PE, nothing works anymore.
> > >
> > > When I add the 4th PE router, PE1 forms a VC with PE3, and PE2
> > > forms a VC with PE4, when in reality I should only ever have
> > > one VC formed at any given time, and PE2 should never form a VC
> > > with PE4 until PE1 or PE3 goes down.
> > >
> > > Does anyone have any suggested configurations?
> > >
> > > Regards,
> > >
> > > GG

From p.mayers at imperial.ac.uk Mon Nov 3 05:15:22 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 03 Nov 2008 10:15:22 +0000
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <490ECF3A.70804@imperial.ac.uk>

Janet Sullivan wrote:
> I'm interested in hearing about people's experiences with SXF15/15a,
> especially in an internet edge/full BGP route table type environment. So
> far I've run into one oddity with SXF15 (BGP wasn't updating the local
> routing table until a clear ip route *), and I'm debating whether to
> downgrade.

That bug was discussed on the list recently. Search for the thread "SXH3 ghost bugs".
It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still has all the *other* bugs that SXH3 has, including the SCP-crasher) SXF15a wasn't out last time I looked, so I don't know, but I assume SXF15a cures the BGP bug. > > Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting > of the SXH beast still. Consensus seems to be that unless you specifically need some of the 12.2(33) features, you're best on SXF We've just recently *down*graded from SXH2a on one box; the progress of that train has been inadequate for our stability needs. We've actually been very stable on SXF10 for a while now (over 1 year on our busiest box). From A.L.M.Buxey at lboro.ac.uk Mon Nov 3 05:23:27 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 3 Nov 2008 10:23:27 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490ECF3A.70804@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> Message-ID: <20081103102327.GB32130@lboro.ac.uk> Hi, > We've actually been very stable on SXF10 for a while now (over 1 year on > our busiest box). any reason you're not using SXF12a - the safeharbor release? we've had to upgrade a box to SXF15 to 'fix' a bug in SXF9..so I'll see what happens to that box.. alan From p.mayers at imperial.ac.uk Mon Nov 3 05:44:19 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 03 Nov 2008 10:44:19 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <20081103102327.GB32130@lboro.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk> Message-ID: <490ED603.2020903@imperial.ac.uk> A.L.M.Buxey at lboro.ac.uk wrote: > Hi, > >> We've actually been very stable on SXF10 for a while now (over 1 year on >> our busiest box). > > any reason you're not using SXF12a - the safeharbor release? That was not what we had running and tested elsewhere. There are no problems etc. 
that I know of in 12a if that's what you mean. I'm aware that SXF10 is actually deferred in favour of SXF10a, but frankly this tells me all I need to know: me-core#sh ver | inc ^IOS|uptime IOS (tm) s72033_rp Software (s72033_rp-ADVIPSERVICESK9_WAN-M), Version 12.2(18)SXF10, RELEASE SOFTWARE (fc1) me-core uptime is 1 year, 7 weeks, 1 day, 18 hours, 20 minutes We tend to upgrade only if we're well overdue, or there's a specific bug or feature we need. If matters had progressed differently we'd probably have had SXF12a on a busy router, and that would have become our target image. From A.L.M.Buxey at lboro.ac.uk Mon Nov 3 06:08:26 2008 From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk) Date: Mon, 3 Nov 2008 11:08:26 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490ED603.2020903@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk> <490ED603.2020903@imperial.ac.uk> Message-ID: <20081103110826.GA32765@lboro.ac.uk> Hi, > That was not what we had running and tested elsewhere. There are no ah, fair enough. the 'run with it,and if no problems or features required,stay with it' approach is a fine way of operating imho :-) alan From dwinkworth at att.net Mon Nov 3 07:16:18 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Mon, 3 Nov 2008 04:16:18 -0800 (PST) Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto... Message-ID: <299162.64956.qm@web180012.mail.gq1.yahoo.com> Indeed it does. This is the preferred route. Abandon dealing with fragmentation altogether. Sadly, some MPLS access options (like ethernet access) have a limitation of 1500 byte MTUs in the cloud. My thought is, just do the MSS adjustments at the sites with this limitation. We are seeing some corruption of fragments with GET in 12.4(15)T5. Thats what this is about. So we upgraded to T7 and jacked up the MTUs wherever possible. 
----- Original Message ----
From: "lee.e.rian at census.gov"
To: Luan Nguyen
Cc: Derick Winkworth ; Rodney Dunn ; cisco-nsp at puck.nether.net
Sent: Saturday, November 1, 2008 10:57:09 AM
Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...

"mtu 1600" on the wan interface also works & doesn't require any changes on the lan interfaces :)

Lee

-----cisco-nsp-bounces at puck.nether.net wrote: -----

>To: "'Derick Winkworth'" , "'Rodney Dunn'"
>
>From: "Luan Nguyen"
>Sent by: cisco-nsp-bounces at puck.nether.net
>Date: 10/31/2008 02:39PM
>cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>The MSS tells the maximum data a host will accept in a TCP/IP datagram.
>Each side reports the value to the other side and the sending will abide by
>it. It's all before encryption.
>So typically like you said, people put ip tcp adjust-mss 1360 on the group
>member LAN interface and also set ip mtu 1400 on the WAN side hoping for
>PMTUD to work its magic.
>Putting both on the WAN interface should work as well, though, I don't quite
>understand the backside is MPLS statement :)...the packet has to be
>originated from somewhere.
>There's a very good paper here on Fragmentation
>http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml#t3
>
>
>Luan Nguyen
>Chesapeake NetCraftsmen, LLC.
>www.NetCraftsmen.net
>
>(blog) http://ccie-security.blogspot.com/
>(e) luan at netcraftsmen.net
>(aim/yahoo): luancnc
>
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
>Sent: Friday, October 31, 2008 11:52 AM
>To: Rodney Dunn
>Cc: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Order-of-operations question about "adjust-mss" and crypto...
>
>If you apply the "ip tcp adjust-mss" command on an interface that has a
>crypto statement on it...
>
>Does it perform the MSS adjustment on outbound packets before they are
>encrypted?
>Does it perform the MSS adjustment on inbound packets after they are
>decrypted?
>
>I know that this is typically placed on a tunnel interface or, for instance,
>on an ethernet interface of a remote VPN site or something... but I have a
>case where we have many GET encrypted sub-interfaces (each in their own VRF)
>which are the only logical IP interfaces on the box. The backside is MPLS
>so there is no place to put the statement there... so I was just going to
>apply it to the interfaces where the crypto maps are.. not sure if this will
>work.
>
>I'll probably have to lab it up I'm guessing.
>
>Derick

From netgeek at bgp4.net Mon Nov 3 09:49:12 2008
From: netgeek at bgp4.net (Janet Sullivan)
Date: Mon, 03 Nov 2008 06:49:12 -0800
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <20081103102327.GB32130@lboro.ac.uk>
References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <20081103102327.GB32130@lboro.ac.uk>
Message-ID: <490F0F68.3020208@bgp4.net>

A.L.M.Buxey at lboro.ac.uk wrote:
> we've had to upgrade a box to SXF15 to 'fix' a bug in SXF9..so
> I'll see what happens to that box..
>
> alan

We just went from SXF9 to SXF15. I notice SXF15a is out, anyone know the story behind it?

From netgeek at bgp4.net Mon Nov 3 09:52:28 2008
From: netgeek at bgp4.net (Janet Sullivan)
Date: Mon, 03 Nov 2008 06:52:28 -0800
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490ECF3A.70804@imperial.ac.uk> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> Message-ID: <490F102C.7070106@bgp4.net> Phil Mayers wrote: > Janet Sullivan wrote: >> I'm interested in hearing about people's experiences with SXF15/15a, >> especially in an internet edge/full BGP route table type environment. >> So far I've run into one oddity with SXF15 (BGP wasn't updating the >> local routing table until a clear ip route *), and I'm debating >> whether to downgrade. > > That bug was discussed on the list recently. Search for the thread "SXH3 > ghost bugs". > > It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still > has all the *other* bugs that SXH3 has, including the SCP-crasher) I thought the ghost bug was fixed in SXF15? Wasn't there a discussion about how it had been both found and fixed in that version? In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local routing table on the box did not. That seems slightly different than the ghost bug as I understood it, but I'd be happy to be proven wrong. From streiner at cluebyfour.org Mon Nov 3 09:05:43 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Mon, 3 Nov 2008 09:05:43 -0500 (EST) Subject: [c-nsp] Monitoring Routing Table In-Reply-To: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com> References: <2590c0610811011934l7ee7f775yf4ba2f8154b63359@mail.gmail.com> Message-ID: On Sat, 1 Nov 2008, Asad Hasan wrote: > Is there an OID that can pull back number of routes within the routing > table? OID which can generate results such as 'show ip ro summ'. I found OID > 1.3.6.1.2.1.4.21.1.1 and 1.3.6.1.2.1.4.21.1.9 (IpRouteTable and > IpRouteProto), but this pulls back every routing entry. Also is there an OID > that can pull back similar information for a VRF. 
Not sure about VRFs, as I don't use them at the moment, but you can run a count on the number of entries that are returned by polling ipRouteTable to get the number of routes. You can also try it with ipRouteProto and just looking at connected + static + OSPF. That might actually be better, if you carry IBGP w/full views on your routers since it will be less taxing on the router's CPU. If you're planning to do this with something like MRTG, I believe it has an option you can to use to count the number of routes. If you're not using MRTG, it would be easy enough to write a script to poll the appropriate OID and pipe the output into a counter to get the number you're looking for. jms From p.mayers at imperial.ac.uk Mon Nov 3 10:13:02 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 03 Nov 2008 15:13:02 +0000 Subject: [c-nsp] SXF15/SXF15a experiences? In-Reply-To: <490F102C.7070106@bgp4.net> References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net> Message-ID: <490F14FE.7080302@imperial.ac.uk> Janet Sullivan wrote: > Phil Mayers wrote: >> Janet Sullivan wrote: >>> I'm interested in hearing about people's experiences with SXF15/15a, >>> especially in an internet edge/full BGP route table type environment. >>> So far I've run into one oddity with SXF15 (BGP wasn't updating the >>> local routing table until a clear ip route *), and I'm debating >>> whether to downgrade. >> >> That bug was discussed on the list recently. Search for the thread >> "SXH3 ghost bugs". >> >> It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still >> has all the *other* bugs that SXH3 has, including the SCP-crasher) > > I thought the ghost bug was fixed in SXF15? Wasn't there a discussion > about how it had been both found and fixed in that version? You could be right: http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg15107.html I might be thinking of the BFD bug. 
> > In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei
> > xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local
> > routing table on the box did not. That seems slightly different than
> > the ghost bug as I understood it, but I'd be happy to be proven wrong.
>

Well either way - it adds to the reports of SXF15 being a poor release:

http://www.mail-archive.com/cisco-nsp at puck.nether.net/msg14944.html

From dkcctc at gmail.com Mon Nov 3 10:55:09 2008
From: dkcctc at gmail.com (Daniel Chapman)
Date: Mon, 3 Nov 2008 10:55:09 -0500
Subject: [c-nsp] IOS and Calea Feature Set
References: <4909F8A0.4040200@mt.net>
Message-ID: <001e01c93dcc$8d87cdc0$0c01000a@cittel.com>

The Lawful Intercept feature uses SNMP V3 and MIBs like ciscoIpTapMIB and ciscoTap2MIB. You setup a group and a view including these mibs and initiate the intercept from your mediation/sniffer device. It can be tricky if you are doing PPP, because you specify the IP to tap. Your configuration could include setting up a AAA group and allowing the mediation device to receive accounting records to determine end-user IP addresses. The mediation device needs to be able to act as a RADIUS server so it isn't marked Dead by the AAA processes in the router.

Dan

----- Original Message -----
From: "Forrest W Christian"
To:
Sent: Thursday, October 30, 2008 1:10 PM
Subject: [c-nsp] IOS and Calea Feature Set

> I'm working on improving my CALEA compliance here. One of the big things
> I need to handle is better extraction of frames out of several cisco
> routers we have scattered around our network.
> Today, we handle our CALEA requests by using a span/mirroring port on a
> switch plugged into a CALEA collection device which conforms to the WISPA
> CALEA standard.
> That way, we can capture all of the internet and most of
> the on-network traffic, but not quite 100% since traffic which never
> leaves the border router doesn't ever exit the border router so it can't
> be captured for Law Enforcement.
>
> It looks like the IP Traffic Export would allow me to basically use the
> tools we already have in place for this. But, I also am looking at the
> CALEA features in the later IOS'es. Unfortunately, the documentation is
> written in CALEA-speak, which makes for confusing reading, especially when
> you are trying to figure out what pieces you need to make this work.
>
> I'm curious if someone on-list has gotten the CALEA features to work in a
> Broadband provider setting, and if so, if they could perhaps point me in
> the right direction as far as what pieces we need (aka specific products
> instead of "functions") other than the Cisco router w/CALEA features?
>
> -forrest

From markom at markom.info Mon Nov 3 11:15:20 2008
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 3 Nov 2008 16:15:20 +0000
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com>
Message-ID: <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com>

On Sun, Nov 2, 2008 at 13:04, Mateusz Błaszczyk wrote:
> My friends suggestion in such a problem is shut the port and wait for
> someone to start screamin..
> If none, you can disconnect the cable :)

Given that no MAC addresses are learned on the port, there is probably no traffic there and shutting it down shouldn't do any real damage.

... unless it's some really weird (Ericsson?) device that uses that port to stay alive or some similar nonsense.

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From c.spurgeon at mail.utexas.edu Mon Nov 3 10:54:22 2008
From: c.spurgeon at mail.utexas.edu (Charles Spurgeon)
Date: Mon, 3 Nov 2008 09:54:22 -0600
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490F102C.7070106@bgp4.net>
References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net>
Message-ID: <20081103155422.GA32332@argus.gw.utexas.edu>

As noted on NSP recently, SXF15 appears to share some bugs with SXH3. We've found that the set of shared bugs includes the "crashes when route-map is removed" bug (CSCsk21935, which will be fixed via CSCsm75286 according to the TAC).

We first encountered the SXH3 route-map issue when a core router crashed during a route-map removal that is performed by a script twice a day. We downgraded to SXF6, which we have been running for nearly two years on our core routers with no issues (including one BGP peering box with a full route table).

A little while later we upgraded the core box that had crashed on SXH3 to SXF15 to deal with the multicast vulnerability (cisco-sa-20080924-multicast). Two weeks after the upgrade that core router crashed on the route-map bug, which is the first time we had seen that in SXF code. From which we deduce that SXF15 picked up some bugs from the SXH branch which are not present in SXF6. Not sure where along the path that happened, although from Phil's report it sounds like SXF10 is running stably as well.
We modified our route-map script, and are continuing to run on SXF15 on that core box (which is not a BGP peering box) with no other issues found (we don't use SCP, so we have avoided that particular SXH and presumably SXF15 bug as well).

Since Cisco appears to be spreading the buggy code around in later releases of SXF code, it's getting difficult to find a stable release that *stays* stable.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

On Mon, Nov 03, 2008 at 06:52:05AM -0800, Janet Sullivan wrote:
> Phil Mayers wrote:
> >Janet Sullivan wrote:
> >>I'm interested in hearing about people's experiences with SXF15/15a,
> >>especially in an internet edge/full BGP route table type environment.
> >>So far I've run into one oddity with SXF15 (BGP wasn't updating the
> >>local routing table until a clear ip route *), and I'm debating
> >>whether to downgrade.
> >
> >That bug was discussed on the list recently. Search for the thread "SXH3
> >ghost bugs".
> >
> >It's present in SXH15 & SXH3, but fixed in SXH3a (however SXH3a still
> >has all the *other* bugs that SXH3 has, including the SCP-crasher)
>
> I thought the ghost bug was fixed in SXF15? Wasn't there a discussion
> about how it had been both found and fixed in that version?
>
> In my SXF15 experience, I actually shut down a BGP peer (good ol' nei
> xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local
> routing table on the box did not. That seems slightly different than
> the ghost bug as I understood it, but I'd be happy to be proven wrong.
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From tomas at soitron.com Mon Nov 3 15:11:58 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Mon, 3 Nov 2008 21:11:58 +0100
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>

> -----Original Message-----
> Given that no MAC addresses are learned on the port, there is probably
> no traffic there and shutting it down shouldn't do any real damage.

Wrong. There are appliances/applications that are quiet enough not to populate (or to time out of) the MAC tables, just sittin' there and receiving traffic. And even though there is no MAC entry for that address, the switch simply floods the traffic (by default...
unless you configure block-unknown-unicast) to all ports, including the one with the quiet black box.

But - yes, there often is no other option for 'discovery' of such devices than to shut down and wait for complaints.

--
deejay

From markom at markom.info Mon Nov 3 15:18:58 2008
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 3 Nov 2008 20:18:58 +0000
Subject: [c-nsp] Identifying device(s) connected to cisco L2-only switch
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>
References: <3329cbb40811011304q6b1e6c1djc6669b97372e0fe1@mail.gmail.com> <3329cbb40811011348y234b4c0fp399c923ce0f9a1c7@mail.gmail.com> <8ebbd7f50811012220j3c38b4a8xcd1c8c07b3e2682f@mail.gmail.com> <8ebbd7f50811012223t2c708900x12b7c68f525ff850@mail.gmail.com> <383357750811020504v42cd80dexcde375ccdb392c90@mail.gmail.com> <1fb747910811030815u5301337aod8a04757a5a3a7e5@mail.gmail.com> <6B43981C32F8464CB24CEE209DA32BD3019ACBDD@kenya.tronet.as>
Message-ID: <1fb747910811031218i42ac8ea2o1a69c478ca282f84@mail.gmail.com>

On Mon, Nov 3, 2008 at 20:11, Tomas Daniska wrote:
> Wrong. There are appliances/applications that are quiet enough not to populate (or to time out of) the MAC tables, just sittin' there and receiving traffic. And even though there is no MAC entry for that address, the switch simply floods the traffic (by default... unless you configure block-unknown-unicast) to all ports, including the one with the quiet black box.

I stand corrected about the listen-only device. I must admit it didn't cross my mind :-).

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From kohlstetter at blue-networks.de Mon Nov 3 17:30:59 2008
From: kohlstetter at blue-networks.de (Peer Kohlstetter)
Date: Mon, 3 Nov 2008 23:30:59 +0100
Subject: [c-nsp] MPLS VPN Design with very fast convergence
Message-ID: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>

Hi,

I'm currently working on a design for an MPLS VPN with very fast convergence times.
We have the goal of reaching a maximum convergence time of 1.5 seconds when a single error occurs.

In the backbone I try to work with FRR (Fast ReRoute). Between PE and CE I'm not sure what protocol to use. I'm also thinking about an L3VPN or L2VPN solution.

Is there any information (whitepapers, designs) about such a solution on the web?

Does somebody have experience with such convergence times in an MPLS environment?

Thanks and best regards,
Peer

From christian at broknrobot.com Mon Nov 3 22:24:10 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 3 Nov 2008 22:24:10 -0500
Subject: [c-nsp] Whats up with this?
In-Reply-To:
References:
Message-ID:

New edge router, OS will run IOS-XR.

On Fri, Oct 31, 2008 at 5:03 PM, Mike Louis wrote:
> http://www.cisco.com/cdc_content_elements/flash/netsol/sp/getready/index.html?POSITION=banner&COUNTRY_SITE=us&CAMPAIGN=GetReady&CREATIVE=Corner+Banner+Ad+go/getready&REFERRING_SITE=CISCO%2ECOM+INDEX
>
>
> ________________________________
> Note: This message and any attachments are intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From p_ambedkar at rediffmail.com Mon Nov 3 23:46:04 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 4 Nov 2008 04:46:04 -0000
Subject: [c-nsp] Layer-2 backup
Message-ID: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>

Hi, I want to implement layer-2 backup with minimum delay with Cisco 2950 switches. I have seen Flex Links, but this is for the Cisco 3500 series and above.

Please help me in this regard.
Thanks in advance.
Bye.

From ben.steele at internode.on.net Mon Nov 3 23:55:12 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 4 Nov 2008 15:25:12 +1030
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <001501c93e39$862b9170$9282b450$@steele@internode.on.net>

Check out rapid spanning-tree (802.1w).

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of ambedkar
Sent: Tuesday, 4 November 2008 3:16 PM
To: cisco_nsp
Subject: [c-nsp] Layer-2 backup

Hi, I want to implement layer-2 backup with minimum delay with Cisco 2950 switches. I have seen Flex Links, but this is for the Cisco 3500 series and above.

Please help me in this regard.
Thanks in advance.
Bye.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From risnaini at indo.net.id Mon Nov 3 23:56:58 2008
From: risnaini at indo.net.id (a.
rahman isnaini r.sutan)
Date: Tue, 04 Nov 2008 11:56:58 +0700
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <490FD61A.6030707@indo.net.id>

STP 40 ms.

rgs
a. rahman isnaini r.sutan

ambedkar wrote:
>
> Hi, I want to implement layer-2 backup with minimum delay with Cisco
> 2950 switches.
> I have seen Flex Links, but this is for the Cisco 3500 series and above.
>
> Please help me in this regard.
> Thanks in advance.
> Bye.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>

From sethm at rollernet.us Tue Nov 4 00:28:42 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Mon, 03 Nov 2008 21:28:42 -0800
Subject: [c-nsp] HWIC-3G-* experience?
Message-ID: <490FDD8A.9050104@rollernet.us>

Does anyone have any experience with the HWIC-3G-* cards in real life? I'm considering emergency access plans using these as opposed to traditional methods, and I'd be interested in any success or horror stories before jumping in.

~Seth

From rshughes at gmail.com Tue Nov 4 00:49:55 2008
From: rshughes at gmail.com (Ryan Hughes)
Date: Tue, 4 Nov 2008 00:49:55 -0500
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID:

Site survey, site survey, site survey. I've had limited exposure with the 3Gs and haven't enjoyed it. Make sure whichever carrier you're evaluating/planning with performs site surveys for each and every location; this will help put some of the burden on them to prove that your specific facility is even capable of riding on the link. Some will often offer cables for extending the dipole antenna for better placement for signal.
Quite honestly, pick a carrier you have the best relationship with and make them come to the table for support of these. Without their intervention/support, you'll be left pulling your hair out.

Make sure your design for the backup connection involves some type of dynamic crypto map, as you'll often change IP addresses on these networks, which can lead to interesting anti-replay issues.

One of my customers is having reasonable success with this for fast office deployments, but the nuts of it boils down to proper site assessments before installation and the logistics around it.

Good luck.

On Tue, Nov 4, 2008 at 12:28 AM, Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life? I'm
> considering emergency access plans using these as opposed to traditional
> methods, and I'd be interested in any success or horror stories before
> jumping in.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From oboehmer at cisco.com Tue Nov 4 01:16:52 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 4 Nov 2008 07:16:52 +0100
Subject: [c-nsp] MPLS VPN Design with very fast convergence
In-Reply-To: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>
References: <16A8F2A3B686224481DE4856D8404CFE09B033@exc-w2k-blue.blue-networks.local>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784065200CF@xmb-ams-333.emea.cisco.com>

Peer Kohlstetter <> wrote on Monday, November 03, 2008 23:31:
> Hi,
>
> I'm currently working on a design for an MPLS VPN with very fast
> convergence times.
>
> We have the goal of reaching a maximum convergence time of 1.5 seconds
> when a single error occurs.
>
> In the backbone I try to work with FRR (Fast ReRoute). Between PE and
> CE I'm not sure what protocol to use. I'm also thinking about an L3VPN or
> L2VPN solution.
>
> Is there any information (whitepapers, designs) about such a solution
> on the web?
>
> Does somebody have experience with such convergence times in an MPLS
> environment?

Generally in IOS, 1.5 sec is tricky to achieve (especially in scaled configs), and it might not be for free. In a nutshell:

For core failures, you can tune your IGP to converge in sub-second, assuming you can detect core link/node failures quickly enough, so you might need to evaluate BFD. I wouldn't run TE-FRR for this target.

Edge/PE failures are detected via IGP and reacted upon using BGP NHT. But invalidating the next-hops involves a table walk in IOS, so depending on the size of the BGP table on the PEs, this can take its time. Make sure all PEs have an alternate next-hop to converge to already imported in the VRF to avoid import-scanner delay.

PE-CE link failures might also require BFD to be detected quickly, and rely on BGP processing (as well as table scans, so BGP table size matters). New features like "PE-CE Link Protection" could help here.

We're working on BGP-PIC (Prefix Independent Convergence) to speed up things, but this is not yet available in IOS (IOS-XR already uses part of it and optimized other things as well).

Not running a PE-CE protocol can speed up things in some configs (i.e. directly-connected voice gateways where PEs speak HSRP)..

I guess you'll achieve 1-1.5 sec in the lab, but scaling this up in IOS is tricky..

oli

From brett at looney.id.au Tue Nov 4 01:19:46 2008
From: brett at looney.id.au (Brett Looney)
Date: Tue, 4 Nov 2008 15:19:46 +0900
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <064e01c93e45$57ce8e70$076bab50$@id.au>

> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.
We've had good experiences with them here in Oz. Had a few that were DOA or failed during firmware upgrade, but they have been replaced under maintenance. But 99% have been rock solid. In fact, had a customer primary land-line link fail the other day; the router automagically failed across to the 3G and with WAAS in place no-one even noticed.

Not suitable for running VoIP across today, but that may come (for us here down-under, anyway) mid 2009.

B.

From edward_iong_ at hotmail.com Tue Nov 4 03:14:33 2008
From: edward_iong_ at hotmail.com (Edward Iong)
Date: Tue, 4 Nov 2008 08:14:33 +0000
Subject: [c-nsp] multicast-routing
Message-ID:

About multicast routing:

There are two switches, SW1 and SW2.
SW1 is connected to a sender, a router, receiver 1 and SW2.
SW2 is connected to receiver 2.

Why can't receiver 2 receive the multicast packet?

_________________________________________________________________
When your life is on the go, take your life with you.
http://clk.atdmt.com/MRT/go/115298558/direct/01/

From ygauteron at gmail.com Tue Nov 4 03:20:23 2008
From: ygauteron at gmail.com (Yann Gauteron)
Date: Tue, 4 Nov 2008 09:20:23 +0100
Subject: [c-nsp] multicast-routing
In-Reply-To:
References:
Message-ID: <8097baf0811040020q3f2aee2q1947d45210df6b7@mail.gmail.com>

I forgot where I left my crystal ball. Can anybody help me to find it?

From achatz at forthnet.gr Tue Nov 4 03:51:38 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 04 Nov 2008 10:51:38 +0200
Subject: [c-nsp] multicast-routing
In-Reply-To:
References:
Message-ID: <49100D1A.80104@forthnet.gr>

Edward, have a look at the following link:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008059a9df.shtml

--
Tassos

Edward Iong wrote on 04/11/2008 10:14:
> About multicast routing:
>
>
> There are two switches, SW1 and SW2.
> SW1 is connected to a sender, a router, receiver 1 and SW2.
> SW2 is connected to receiver 2.
>
>
> Why can't receiver 2 receive the multicast packet?
>
>
> _________________________________________________________________
> When your life is on the go, take your life with you.
> http://clk.atdmt.com/MRT/go/115298558/direct/01/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From s.ganschow at buelow-masiak.de Tue Nov 4 04:25:07 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Tue, 04 Nov 2008 10:25:07 +0100
Subject: [c-nsp] Lightstream Alternative
In-Reply-To: <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com>
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com> <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com>
Message-ID: <491014F3.3090304@buelow-masiak.de>

Mateusz Błaszczyk wrote:
>> If the SPA card for the 7600 could do the switching, the Cat 6500 should
>> also be able to do it. But even for the 7600 I can't find any
>> information on ATM switching.
>
> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419
>

Okay, this should work for PVCs. But this wouldn't work for soft VCs. We're using soft VCs for redundancy reasons in some scenarios, so our network will self-repair after the failure of one router, ATM switch or interlink between two PoPs.

As I see it, there's probably no way to replace the LightStream with a device that could be an ATM switch as well as a router. So we need to rely on an ATM switch at the PoP.
Sebastian

From blahu77 at gmail.com Tue Nov 4 04:38:08 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 4 Nov 2008 09:38:08 +0000
Subject: [c-nsp] Lightstream Alternative
In-Reply-To: <491014F3.3090304@buelow-masiak.de>
References: <383357750810301249r295ffd20ocfc1abbddecd96f@mail.gmail.com> <383357750811021141p24400379ybfb029d55ab1a5d7@mail.gmail.com> <491014F3.3090304@buelow-masiak.de>
Message-ID: <383357750811040138h726b1178lf9e02ab7ff8593d7@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

2008/11/4 Sebastian Ganschow :
> Mateusz Błaszczyk wrote:
>>> If the SPA card for the 7600 could do the switching, the Cat 6500 should
>>> also be able to do it. But even for the 7600 I can't find any
>>> information on ATM switching.
>>
>> http://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/fslocal.html#wp1098419
>>
>
> Okay, this should work for PVCs. But this wouldn't work for soft VCs.

For soft VCs you can utilize MPLS xconnects (AToM ATM-to-ATM), also supported by the aforementioned.

> We're using soft VCs for redundancy reasons in some scenarios. So our
> network will self-repair after the failure of one router, ATM switch or interlink
> between two PoPs.
>
> As I see it, there's probably no way to replace the LightStream with a device
> that could be an ATM switch as well as a router. So we need to rely on an
> ATM switch at the PoP.

I think at this stage you can do
1) for PVCs on the same box - the "connect" between ATM PVCs
2) for PVCs (soft VCs) between 2 boxes - the "xconnect" between ATM PVCs on different boxes.

- --
- -mat
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJEBf++BuaDRxlXKsRAt0gAJ99Xz+CSOBHnOd5JyoxXHz4fDtuyQCgiaf7
LEt7rqDJ6g2+Y+WisxUBF/w=
=PK6f
-----END PGP SIGNATURE-----

From gk at ax.tc Tue Nov 4 05:16:46 2008
From: gk at ax.tc (Gerald Krause)
Date: Tue, 04 Nov 2008 11:16:46 +0100
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <4910210E.6090300@ax.tc>

Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.

Works here in Germany with T-Mobile (UMTS/HSDPA). We use it as backup for some DSL circuits. Good signal coverage is a precondition; that's why we have ordered a special external antenna:

http://www.wimo.com/cgi-bin/verteiler.pl?url=gsm-antennas_e.html

Maybe a little bit dangerous: we have to unlock the SIM card permanently, at least in our setup with a 1841 and a HWIC-3G-GSM. So a thief could use it without cracking.

--
Gerald (ax/tc)

From howie at thingy.com Tue Nov 4 05:32:37 2008
From: howie at thingy.com (Howard Jones)
Date: Tue, 04 Nov 2008 10:32:37 +0000
Subject: [c-nsp] Message Types/Classes? (%PLATFORM_RPC-3-MSG_THROTTLED)
Message-ID: <491024C5.4040404@thingy.com>

I'm seeing a lot of this in the logs of a 3750:

%PLATFORM_RPC-3-MSG_THROTTLED: RPC Msg Dropped by throttle mechanism: type 37, class 14, max_msg 32, total throttled 24852

Thing is, where do I find out what message type 37 class 14 is? The Output Interpreter just gives a generic message for %PLATFORM_RPC-3-MSG_THROTTLED, but not specifics for certain messages. I would have expected to be able to find a giant table of these somewhere, but haven't had any luck so far...

Can anyone point me in the right direction?

Cheers,
Howie

From dwinkworth at att.net Tue Nov 4 06:39:24 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 04 Nov 2008 05:39:24 -0600
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <490FDD8A.9050104@rollernet.us>
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <4910346C.8070703@att.net>

(1) We've had good experience with this. Decent throughput, but a high amount of jitter/latency.
It's just another internet access method at this point... it works fine. Really it's about the carrier...

(2) Cables and antennas as needed for getting the signal required can be expensive if you go through the wrong channels (like Cisco... don't do it!)

(3) Sprint has a flat-rate plan that's 100 bucks or so for unlimited usage. They offer great deals on cables and antennas. They also do free site surveys; no one else we talked to does that.

(4) AT&T. Variable bill rates. AT&T can work something out through their account reps where you will never be charged more than a certain amount every month, but it's supposed to be for "backup only", so if you use it frequently... you can go through your sales rep to make sure you don't get locked out or whatever. Right now, they offer a service to back up MPLS circuits, but they manage the endpoint at your site... this is their ANIRA product. You configure VRRP on your router and they configure it on theirs. You configure whatever tracking you want so that when a failure occurs, AT&T's ANIRA router takes over and gets you back to the cloud (through the internet though)...

(5) Verizon. No variable billing. The best throughput with dual antennas. They also offer internet-to-MPLS backup like AT&T and Sprint, but you get to manage the endpoint.

(6) There is no direct-to-VRF type MPLS backup at this time, but all three carriers are rolling it out from what I understand. When this occurs, the card will come up direct to the MPLS cloud. Until then, it's a VPN tunnel to somewhere over the internet. Permanent IP is available. Some of them can create "private" subnets on the internet for you... you get a public IP in a /27 or something and it can only talk to other IPs in that /27. hmmm...

Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.175 / Virus Database: 270.8.6/1765 - Release Date: 11/3/2008 4:59 PM
>
>

From kharananda at subisu.net.np Tue Nov 4 07:36:22 2008
From: kharananda at subisu.net.np (kharananda)
Date: Tue, 04 Nov 2008 18:21:22 +0545
Subject: [c-nsp] sending BPDUs in tagged frame in MST
Message-ID: <491041C6.8030706@subisu.net.np>

Dear All,

I need to send BPDUs in tagged frames. I don't want to use PVST and PVST+ since an STP instance per VLAN is not preferable, at least in my scenario.

I want to use standard STP or RSTP or MST. Is there any command in Cisco where I can send BPDUs in tagged (VLAN) frames? I have been trying this in a Catalyst 2950.

If this can be done on other higher-end Cisco switches, please advise me on this.

Regards,
Khara Nanda Luitel.

From luan at netcraftsmen.net Tue Nov 4 08:20:50 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Tue, 4 Nov 2008 08:20:50 -0500
Subject: [c-nsp] HWIC-3G-* experience?
In-Reply-To: <4910346C.8070703@att.net>
References: <490FDD8A.9050104@rollernet.us> <4910346C.8070703@att.net>
Message-ID: <04a101c93e80$281b8d00$7852a700$@net>

We've been having good results with Verizon. A couple of months ago, they got EVDO backup to Internet and MPLS as well - for VPN products, and they are in the process of making the backend systems ready to roll out. No permanent IP yet, and the IPs are from Verizon Wireless. So, even though they might say it's directly from the MPLS cloud, they still have to route around and around in their networks since Internet and MPLS are from Verizon Business.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Derick Winkworth
Sent: Tuesday, November 04, 2008 6:39 AM
To: Seth Mattinen
Cc: cisco-nsp
Subject: Re: [c-nsp] HWIC-3G-* experience?

(1) We've had good experience with this. Decent throughput, but a high amount of jitter/latency. It's just another internet access method at this point... it works fine. Really it's about the carrier...

(2) Cables and antennas as needed for getting the signal required can be expensive if you go through the wrong channels (like Cisco... don't do it!)

(3) Sprint has a flat-rate plan that's 100 bucks or so for unlimited usage. They offer great deals on cables and antennas. They also do free site surveys; no one else we talked to does that.

(4) AT&T. Variable bill rates. AT&T can work something out through their account reps where you will never be charged more than a certain amount every month, but it's supposed to be for "backup only", so if you use it frequently... you can go through your sales rep to make sure you don't get locked out or whatever. Right now, they offer a service to back up MPLS circuits, but they manage the endpoint at your site... this is their ANIRA product. You configure VRRP on your router and they configure it on theirs. You configure whatever tracking you want so that when a failure occurs, AT&T's ANIRA router takes over and gets you back to the cloud (through the internet though)...

(5) Verizon. No variable billing. The best throughput with dual antennas. They also offer internet-to-MPLS backup like AT&T and Sprint, but you get to manage the endpoint.

(6) There is no direct-to-VRF type MPLS backup at this time, but all three carriers are rolling it out from what I understand. When this occurs, the card will come up direct to the MPLS cloud. Until then, it's a VPN tunnel to somewhere over the internet. Permanent IP is available.
Some of them can create "private" subnets on the internet for you... you get a public IP in a /27 or something and it can only talk to other IPs in that /27. hmmm...

Seth Mattinen wrote:
> Does anyone have any experience with the HWIC-3G-* cards in real life?
> I'm considering emergency access plans using these as opposed to
> traditional methods, and I'd be interested in any success or horror
> stories before jumping in.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> ------------------------------------------------------------------------
>
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From blahu77 at gmail.com Tue Nov 4 08:37:04 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Tue, 4 Nov 2008 13:37:04 +0000
Subject: [c-nsp] sending BPDUs in tagged frame in MST
In-Reply-To: <491041C6.8030706@subisu.net.np>
References: <491041C6.8030706@subisu.net.np>
Message-ID: <383357750811040537o3024fc25g98fe3f96b7b19b2d@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>
> I need to send BPDUs in tagged frames. I don't want to use PVST and
> PVST+ since an STP instance per VLAN is not preferable, at least in my
> scenario.
>
> I want to use standard STP or RSTP or MST. Is there any command in Cisco
> where I can send BPDUs in tagged (VLAN) frames? I have been trying this
> in a Catalyst 2950.

What do you want to achieve?

1) If you want to pass MSTP through your network, you should be using L2 protocol tunneling.
Router(config-if)# l2protocol-tunnel stp

2) If you want to tag MSTP BPDUs sent over a link between 2 switches that are in the same region - I think it is not possible.

> If this can be done on other higher-end Cisco switches, please advise me
> on this.

As above..

Best regards,

- --
- -mat
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJEE//+BuaDRxlXKsRAu0OAJ9cFqrMWY2S8b2/89n1u33UGKNysQCfQesh
jdqx6bw56i0fzIfEPOyVByI=
=o30I
-----END PGP SIGNATURE-----

From tvarriale at comcast.net Tue Nov 4 10:00:18 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Tue, 4 Nov 2008 09:00:18 -0600
Subject: [c-nsp] HWIC-3G-* experience?
References: <490FDD8A.9050104@rollernet.us>
Message-ID: <004101c93e8e$0defd770$0100fea9@flamadam>

Decent experience here. As another poster stated, make sure you have decent connectivity where the box is going to reside. The only real downside is "low" bandwidth and high latency and jitter. So, no VoIP obviously, and you will definitely know when you are on backup.

And make sure you test with your carrier... especially if you are going to be backing up into an MPLS net.

tv

----- Original Message -----
From: "Seth Mattinen"
To: "cisco-nsp"
Sent: Monday, November 03, 2008 11:28 PM
Subject: [c-nsp] HWIC-3G-* experience?

> Does anyone have any experience with the HWIC-3G-* cards in real life? I'm
> considering emergency access plans using these as opposed to traditional
> methods, and I'd be interested in any success or horror stories before
> jumping in.
>
> ~Seth
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From csirek at cooler.hu Tue Nov 4 11:20:39 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Tue, 04 Nov 2008 17:20:39 +0100
Subject: [c-nsp] ACK/RST rate-limit?
Message-ID: <49107657.6060401@cooler.hu>

Hi List,

I have a Cisco 7600 / Sup720-3BXL (12.2.18SXF6).

Only the telnet port (23/tcp) is open.

If I try to open a session to a random port, I get back a TCP ACK/RST packet from the CPU. I think it is normal. :)

But if I send lots of SYN packets to random ports, I get back lots of ACK/RST, but the CPU sends them to me, and it makes a big load on the CPU.

So the question: can I limit the number of ACK/RST packets/sec that the router sends back to the SYN sender?

Thanks!

Laszlo

From rakeshh at gmail.com Tue Nov 4 11:41:56 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Tue, 4 Nov 2008 10:41:56 -0600
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <49107657.6060401@cooler.hu>
References: <49107657.6060401@cooler.hu>
Message-ID: <8a4649bb0811040841q5c0e78c5ufddee702890b8268@mail.gmail.com>

Have you tried control plane policing?

-Rakesh

On Tue, Nov 4, 2008 at 10:20 AM, Nemeth Laszlo wrote:
> Hi List,
>
> I have a Cisco 7600 / Sup720-3BXL (12.2.18SXF6).
>
> Only the telnet port (23/tcp) is open.
>
> If I try to open a session to a random port, I get back a TCP ACK/RST
> packet from the CPU. I think it is normal. :)
>
> But if I send lots of SYN packets to random ports, I get back lots of ACK/RST,
> but the CPU sends them to me, and it makes a big load on the CPU.
>
> So the question: can I limit the number of ACK/RST packets/sec that the
> router sends back to the SYN sender?
>
> Thanks!
>
> Laszlo

From b.turnbow at twt.it Tue Nov 4 12:21:07 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Tue, 4 Nov 2008 18:21:07 +0100
Subject: [c-nsp] CISCO-AAL5-MIB
Message-ID:

Hello all,

I have some vxrs running 12.2.31SB13 and have run into a strange situation. We use snmp for statistics gathering etc.
Specifically we use the aal5 mib for atm info gathering: 1.3.6.1.4.1.9.9.66.1.1.1.1.1

Everything seemed to be going fine, but now I see that some vcs do not show up in the mib. I can see the aal5 interface in the ifindex, and browsing .1.3.6.1.2.1.2.2 everything is fine; there are statistics, names etc. for the interfaces. Yet in the cisco mib nothing, and there is also nothing in the ATM-EXT-Mib for these pvcs as well.

There is no configuration difference between the pvcs correctly showing up and those that aren't. I have checked the bug toolkit yet not found anything.

Has anyone run into this? Any suggestions?

Thanks
Brian

From adriankok2000 at yahoo.com.hk Tue Nov 4 11:51:22 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Wed, 5 Nov 2008 00:51:22 +0800 (CST)
Subject: [c-nsp] command auto and ftp server
Message-ID: <885233.53283.qm@web33307.mail.mud.yahoo.com>

Hi all

I read a cisco lab book; it said to disable auto summary but doesn't explain why. Can you explain to me?

Which ftp server is easy to use to backup?

Or which way to backup except ftp server?

Thank you for your help again

From omar.parihuana at gmail.com Tue Nov 4 14:21:57 2008
From: omar.parihuana at gmail.com (omar parihuana)
Date: Tue, 4 Nov 2008 14:21:57 -0500
Subject: [c-nsp] Accounting VPN PIX and ACS
Message-ID: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>

Hi List,

I'm facing a trouble. I have a PIX and one ACS 3.3. The pix acts like a VPN concentrator for the clients (Windows based - Cisco VPN Client) and ACS like authenticator; I'm using TACACS+. All were working well. But now my boss said: We need to get the VPN usage, so I need: who? when? and how long...? were connected... Please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? Or is it possible with TACACS+?

Rgds.

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
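An added example, not from the thread and not Cisco or ACS code: if accounting is moved to RADIUS, the "who, when, how long" question is answered by pairing each session's Acct-Status-Type Start record with its Stop record (which carries Acct-Session-Time and the octet counters). The parser below assumes the accounting server writes records in the one-attribute-per-line, blank-line-separated detail-file layout (an assumption about the server); the records themselves are constructed. It also flags sessions that never received a Stop and checks the NAS-reported session time against the server's own timestamps, the two things that most often make a usage report wrong.

```python
"""Who / when / how long from RADIUS accounting Start and Stop records.

Added example (not from the thread). Assumes detail-file style records:
a timestamp line, then one "Attribute = value" line per attribute,
records separated by blank lines. The sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

TS_FMT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: alice has a complete Start/Stop pair, bob only a Start.
SAMPLE_DETAIL = """\
Tue Nov  4 08:00:05 2008
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0x0001"
\tNAS-IP-Address = 192.0.2.1
\tFramed-IP-Address = 10.10.10.5

Tue Nov  4 08:03:10 2008
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0x0002"
\tNAS-IP-Address = 192.0.2.1
\tFramed-IP-Address = 10.10.10.6

Tue Nov  4 09:30:05 2008
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0x0001"
\tNAS-IP-Address = 192.0.2.1
\tAcct-Session-Time = 5400
\tAcct-Input-Octets = 1048576
\tAcct-Output-Octets = 5242880
\tAcct-Terminate-Cause = User-Request
"""


@dataclass
class Session:
    user: str
    session_id: str
    nas: str
    client_ip: str
    start: Optional[datetime]
    stop: Optional[datetime] = None
    seconds: Optional[int] = None       # Acct-Session-Time from the Stop record
    in_octets: int = 0
    out_octets: int = 0
    cause: str = ""

    @property
    def open(self) -> bool:
        """True while no Stop has been seen: still connected, or the Stop was lost."""
        return self.stop is None

    def clock_mismatch(self) -> Optional[int]:
        """Seconds by which the NAS's Acct-Session-Time disagrees with the
        server-side timestamps; a large value points at clock skew."""
        if self.start is None or self.stop is None or self.seconds is None:
            return None
        return int((self.stop - self.start).total_seconds()) - self.seconds


def parse_detail(text: str) -> List[dict]:
    """Split a detail file into records: {'_timestamp': datetime, attr: value, ...}."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        rec = {"_timestamp": datetime.strptime(lines[0], TS_FMT)}
        for line in lines[1:]:
            key, _, value = line.partition("=")
            rec[key.strip()] = value.strip().strip('"')
        records.append(rec)
    return records


def reconstruct_sessions(records: List[dict]) -> List[Session]:
    """Pair Start and Stop records by (Acct-Session-Id, NAS-IP-Address)."""
    sessions: Dict[Tuple[str, str], Session] = {}
    for rec in records:
        key = (rec.get("Acct-Session-Id", ""), rec.get("NAS-IP-Address", ""))
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            sessions[key] = Session(user=rec.get("User-Name", "?"), session_id=key[0],
                                    nas=key[1], client_ip=rec.get("Framed-IP-Address", ""),
                                    start=rec["_timestamp"])
        elif status == "Stop":
            s = sessions.get(key)
            if s is None:
                # Stop without a Start (lost, or before the log window): keep it and
                # derive the start time from Acct-Session-Time.
                s = Session(user=rec.get("User-Name", "?"), session_id=key[0],
                            nas=key[1], client_ip=rec.get("Framed-IP-Address", ""),
                            start=None)
                sessions[key] = s
            s.stop = rec["_timestamp"]
            s.seconds = int(rec.get("Acct-Session-Time", 0))
            if s.start is None:
                s.start = s.stop - timedelta(seconds=s.seconds)
            s.in_octets = int(rec.get("Acct-Input-Octets", 0))
            s.out_octets = int(rec.get("Acct-Output-Octets", 0))
            s.cause = rec.get("Acct-Terminate-Cause", "")
    return list(sessions.values())


def usage_report(sessions: List[Session]) -> List[str]:
    """One line per session: user, client address, start, duration, terminate cause."""
    lines = []
    for s in sorted(sessions, key=lambda x: x.start or datetime.min):
        when = s.start.strftime("%Y-%m-%d %H:%M:%S") if s.start else "?"
        dur = f"{s.seconds // 60} min" if s.seconds is not None else "still open"
        lines.append(f"{s.user:<10} {s.client_ip:<14} {when}  {dur:<12} {s.cause}")
    return lines


if __name__ == "__main__":
    for line in usage_report(reconstruct_sessions(parse_detail(SAMPLE_DETAIL))):
        print(line)
```

Sessions are keyed on Acct-Session-Id together with NAS-IP-Address rather than on User-Name, because one user can hold several concurrent tunnels and session ids are only unique per NAS.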
From thomas at czarnetzki.net Tue Nov 4 13:47:52 2008
From: thomas at czarnetzki.net (Thomas Czarnetzki)
Date: Tue, 04 Nov 2008 19:47:52 +0100
Subject: [c-nsp] Cisco 6509: WS-F6K-MSFC2 missing on WS-X6K-S2U-MSFC2
Message-ID: <491098D8.4060003@czarnetzki.net>

Hi

I have a Cisco 6509 with Supervisor-Engine 2 (WS-X6K-S2U-MSFC2).

According to the specification they have a MSFC2 on it, but I can see that in the output of "show version".
I have put out the card and compared pictures of the MSFC2 module with the card. So I can confirm that a MSFC2 is really mounted on the card.

I have a second SUP2 with the same specification and a second chassis. The problem is the same, so I think it can't be a hardware failure.

The output is as follows:

Console> (enable) show version
WS-C6509 Software, Version NmpSW: 8.5(1)
Copyright (c) 1995-2005 by Cisco Systems
NMP S/W compiled on Oct 22 2005, 11:11:35

System Bootstrap Version: 7.1(1)
System Boot Image File is 'bootflash:cat6000-sup2k8.8-5-1.bin'
System Configuration register is 0x10f

Hardware Version: 2.0  Model: WS-C6509  Serial #: ...

PS1 Module: WS-CAC-1300W  Serial #: ...

Mod Port Model               Serial #    Versions
--- ---- ------------------- ----------- --------------------------------------
1   2    WS-X6K-S2U-MSFC2    ...         Hw : 5.3
                                         Fw : 7.1(1)
                                         Fw1: 6.1(3)
                                         Sw : 8.5(1)
                                         Sw1: 8.5(1)
         WS-F6K-PFC2         ...         Hw : 3.5
                                         Sw :

       DRAM                    FLASH                   NVRAM
Module Total   Used    Free    Total   Used    Free    Total Used  Free
------ ------- ------- ------- ------- ------- ------- ----- ----- -----
1      262144K 88516K  173628K 31232K  31232K  0K      512K  270K  242K

Uptime is 0 day, 0 hour, 27 minutes
Console> (enable)

Has somebody an idea why the module is not recognized?
Regards

Thomas

From achatz at forthnet.gr Tue Nov 4 15:21:31 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 04 Nov 2008 22:21:31 +0200
Subject: [c-nsp] Cisco 6509: WS-F6K-MSFC2 missing on WS-X6K-S2U-MSFC2
In-Reply-To: <491098D8.4060003@czarnetzki.net>
References: <491098D8.4060003@czarnetzki.net>
Message-ID: <4910AECB.8000400@forthnet.gr>

Thomas, have a look at the following link:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013495f.shtml#msfc_2

--
Tassos

Thomas Czarnetzki wrote on 04/11/2008 20:47:
> Hi
>
> I have a Cisco 6509 with Supervisor-Engine 2 (WS-X6K-S2U-MSFC2).
>
> According to the specification they have a MSFC2 on it, but I can see
> that in the output of "show version".
> I have put out the card and compared pictures of the MSFC2 module with
> the card. So I can confirm that a MSFC2 is really mounted on the card.
>
> I have a second SUP2 with the same specification and a second chassis.
> The problem is the same, so I think it can't be a hardware failure.
>
>
> The output is as follows:
>
> Console> (enable) show version
> WS-C6509 Software, Version NmpSW: 8.5(1)
> Copyright (c) 1995-2005 by Cisco Systems
> NMP S/W compiled on Oct 22 2005, 11:11:35
>
> System Bootstrap Version: 7.1(1)
> System Boot Image File is 'bootflash:cat6000-sup2k8.8-5-1.bin'
> System Configuration register is 0x10f
>
> Hardware Version: 2.0  Model: WS-C6509  Serial #: ...
>
> PS1 Module: WS-CAC-1300W  Serial #: ...
>
> Mod Port Model               Serial #    Versions
> --- ---- ------------------- ----------- --------------------------------------
> 1   2    WS-X6K-S2U-MSFC2    ...         Hw : 5.3
>                                          Fw : 7.1(1)
>                                          Fw1: 6.1(3)
>                                          Sw : 8.5(1)
>                                          Sw1: 8.5(1)
>          WS-F6K-PFC2         ...
>                                          Hw : 3.5
>                                          Sw :
>
>        DRAM                    FLASH                   NVRAM
> Module Total   Used    Free    Total   Used    Free    Total Used  Free
> ------ ------- ------- ------- ------- ------- ------- ----- ----- -----
> 1      262144K 88516K  173628K 31232K  31232K  0K      512K  270K  242K
>
> Uptime is 0 day, 0 hour, 27 minutes
> Console> (enable)
>
>
> Has somebody an idea why the module is not recognized?
>
> Regards
>
> Thomas

From paul at paulstewart.org Tue Nov 4 15:49:33 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Tue, 4 Nov 2008 15:49:33 -0500
Subject: [c-nsp] Weird BGP Routing Problem
Message-ID: <003101c93ebe$d965de10$8c319a30$@org>

Hi there...

Sometime this morning, we noted a sudden increase in outbound traffic to one of our transit providers. Have now realized that some routes that should prefer peering are now going via transit.

What makes this very strange is that in our routing table, the best route chosen is not being honoured - very confused about this...

Below is an example:

core1-rtr-to#sh ip bgp xxx.xxx.xxx.105
BGP routing table entry for xxx.xxx.xxx.0/18, version 36369947
Paths: (5 available, best #1, table default)
  Not advertised to any peer
  xxxx
    xxx.32.245.67 from xx.75.100.39 (xx.75.100.39)
      Origin IGP, metric 0, localpref 200, valid, internal, best
      Community: 5645:5000 11666:2000 11666:2001

Highest localpref, low metric and all kinds of other good reasons state this is the best route. But this isn't the route being chosen and I don't know why...??

The route being chosen is one AS hop longer, local-pref of 100 (instead of 200 above) and for what it's worth a metric of 50 (not that it matters at this point)

Feeling kinda silly here - but why is the route not the best route?
;)

Cisco IOS Software, c7600s72033_rp Software (c7600s72033_rp-ADVENTERPRISEK9-M), Version 12.2(33)SRC, RELEASE SOFTWARE (fc3)

Thanks for any input...

Paul

From ccoueffe at gmail.com Tue Nov 4 15:57:39 2008
From: ccoueffe at gmail.com (charly coueffe)
Date: Tue, 4 Nov 2008 21:57:39 +0100
Subject: [c-nsp] Frame error
Message-ID:

Hi,

I have a problem between two 10 Gig interfaces. I have many errors between two routers 7606. I have two types of error: giants and frame, and I am searching for the problem.

R2#sh int te5/2 | inc Desc|MTU|error|frame|gian
  Description: R2 - R1
  MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec,
     0 runts, 2864673045 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets

R1#sh int te5/3 | inc error|giant|Desc|MTU
  Description: R1 - R2
  MTU 9216 bytes, BW 10000000 Kbit, DLY 10 usec,
     0 runts, 10853142 giants, 0 throttles
     0 input errors, 0 CRC, 2266 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets

In the ONT book the frame error, runt and giant are explained in the QoS part. I think that the frame errors are related to the size of the buffer and not a physical problem with the connector or optical fiber. I have seen in the configuration that the hold queue is configured with 4096 packets.

interface TenGigabitEthernet5/3
 description R1 - R2
 mtu 9216
 ip address xxxxxxxxxxxxxxxxxxxxxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 load-interval 30
 mls qos trust cos
 mpls label protocol ldp
 mpls ip
 no cdp enable
 no mop enabled
 no clns route-cache
 hold-queue 4096 in
 hold-queue 4096 out
end

Do you think that the problem comes from the configuration? Because I have changed the Xen-Pack and the 10 gig card, and I have the same problem.

Thanks for your help.

Regards.
Charly

From chrismcc at pricegrabber.com Tue Nov 4 18:42:14 2008
From: chrismcc at pricegrabber.com (Christopher McCrory)
Date: Tue, 04 Nov 2008 15:42:14 -0800
Subject: [c-nsp] Layer-2 backup
In-Reply-To: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
References: <20081104044604.8512.qmail@f4mail-235-233.rediffmail.com>
Message-ID: <1225842135.7393.6.camel@localhost>

Hello...

On Tue, 2008-11-04 at 04:46 +0000, ambedkar wrote:
>
> hi, i want to implement layer-2 backup with minimum delay with cisco
> 2950 switches.
> i have seen flexlinks, but this is for cisco 3500 series and above.
> uplinkfast
> please help me in this regard.
> Thanks in advance.
> bye.

--
Christopher McCrory
"The guy that keeps the servers running"

To the optimist, the glass is half full.
To the pessimist, the glass is half empty.
To the engineer, the glass is twice as big as it needs to be.

From gregariouspearl at gmail.com Tue Nov 4 23:34:41 2008
From: gregariouspearl at gmail.com (Muhammad Salman Zahid)
Date: Wed, 5 Nov 2008 09:34:41 +0500
Subject: [c-nsp] command auto and ftp server
In-Reply-To: <885233.53283.qm@web33307.mail.mud.yahoo.com>
References: <885233.53283.qm@web33307.mail.mud.yahoo.com>
Message-ID: <44c523750811042034g1c42ccf0qd4e6af1f86ef1b6d@mail.gmail.com>

no auto-summary

This is useful when you are using classless routing protocols. If you don't disable it then it will auto summarize your subnets.

Guild FTP is a software easy to use for the backup. You have to define the ftp user name and password.

ip ftp username [User name]
ip ftp password [Password]

FTP server must be a reachable network from your device. Also, you can use a TFTP server such as solar wind.

MSZ.
On Tue, Nov 4, 2008 at 9:51 PM, adrian kok wrote:
> Hi all
>
> I read a cisco lab book; it said to disable auto summary
> but doesn't explain why. Can you explain to me?
>
> Which ftp server is easy to use to backup?
>
> Or which way to backup except ftp server?
>
> Thank you for your help again

--
"Death is not the greatest loss in life .... The greatest loss is what dies inside you while U live...!"

From rakeshh at gmail.com Wed Nov 5 00:36:38 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Tue, 4 Nov 2008 23:36:38 -0600
Subject: [c-nsp] 6509 sup 720 + export map
Message-ID: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>

Hello,

I am not able to filter prefixes using export map under vrf on a 6509. I can set attributes by matching prefixes without issues; it's just that I can not filter them. I have tried 12.2(33)SXH3a and 12.2(18)SXF7 with no luck.

I was wondering if anybody had come across the same issue.

-Rakesh

From oboehmer at cisco.com Wed Nov 5 01:24:11 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 5 Nov 2008 07:24:11 +0100
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>

Rakesh Hegde <> wrote on Wednesday, November 05, 2008 06:37:

> Hello,
>
> I am not able to filter prefixes using export map under vrf on a
> 6509. I can set attributes by matching prefixes without issues;
> it's just that I can not filter them. I have tried 12.2(33)SXH3a and
> 12.2(18)SXF7 with no luck.
>
> I was wondering if anybody had come across the same issue.

if I recall correctly, we can't filter/drop routes in VRF export-maps (we can in import-maps).. you could set "no-advertise" or a bogus route-target extcommunity to prevent it from being advertised to your RRs/remote PEs or from being imported into other VRFs.
If you don't want to export a certain VRF prefix, just don't redistribute it into BGP (if it's a non-BGP route to begin with).

oli

From gert at greenie.muc.de Wed Nov 5 02:55:58 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 08:55:58 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <49107657.6060401@cooler.hu>
References: <49107657.6060401@cooler.hu>
Message-ID: <20081105075558.GK8535@greenie.muc.de>

Hi,

On Tue, Nov 04, 2008 at 05:20:39PM +0100, Nemeth Laszlo wrote:
> So the question: can I limit the number of ACK/RST packets/sec that the
> router sends back to the SYN sender?

Yes. Check www.cisco.com for "control-plane policing" (CoPP) - this is exactly what you need.

It needs a bit of consideration what sort of packets the router is meant to receive ("routing protocols", anyone?) and you should lab-test it before rolling out on production routers.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025            gert at net.informatik.tu-muenchen.de
From gert at greenie.muc.de Wed Nov 5 02:58:24 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 08:58:24 +0100
Subject: [c-nsp] Weird BGP Routing Problem
In-Reply-To: <003101c93ebe$d965de10$8c319a30$@org>
References: <003101c93ebe$d965de10$8c319a30$@org>
Message-ID: <20081105075824.GL8535@greenie.muc.de>

Hi,

On Tue, Nov 04, 2008 at 03:49:33PM -0500, Paul Stewart wrote:
> Sometime this morning, we noted a sudden increase in outbound traffic to one
> of our transit providers. Have now realized that some routes that should
> prefer peering are now going via transit.
>
> What makes this very strange is that in our routing table, the best route
> chosen is not being honoured - very confused about this...
>
> Below is an example:
>
> core1-rtr-to#sh ip bgp xxx.xxx.xxx.105
> BGP routing table entry for xxx.xxx.xxx.0/18, version 36369947
> Paths: (5 available, best #1, table default)
>   Not advertised to any peer
>   xxxx
>     xxx.32.245.67 from xx.75.100.39 (xx.75.100.39)
>       Origin IGP, metric 0, localpref 200, valid, internal, best
>       Community: 5645:5000 11666:2000 11666:2001
>
> Highest localpref, low metric and all kinds of other good reasons state this
> is the best route. But this isn't the route being chosen and I don't know
> why...??

We don't know either, because you're not showing the relevant data to answer, and my crystal ball seems to be cloudy today.

One possible guess would be that there is a more-specific route for the specific destination that you're observing. Start with "show ip route xxx.xx.xx.105", then check where that route is coming from, and why it's not the BGP route.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025            gert at net.informatik.tu-muenchen.de
From tim at pelican.org Wed Nov 5 04:03:14 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 5 Nov 2008 09:03:14 -0000 (GMT)
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com>
Message-ID: <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>

On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote:

> if I recall correctly, we can't filter/drop routes in VRF export-maps
> (we can in import-maps).. you could set "no-advertise" or a bogus
> route-target extcommunity to prevent it from being advertised to your
> RRs/remote PEs or from being imported into other VRFs.
> If you don't want to export a certain VRF prefix, just don't
> redistribute it into BGP (if it's a non-BGP route to begin with).

Or don't set the export-target that should only be on *some* routes in the VRF config, just set on the matching routes in the export-map.

I'm not sure, off the top of my head, what happens if you have a VRF with *no* export-target defined in the VRF config, but an rt ext-community set on some routes in the export map - does the redist from 'local' BGP into MP-BGP still happen? I know there are some gotchas in the other direction; even if you're matching an RT in the import map, you still need it as an import target, or the prefix is dropped before it gets as far as the map.

Regards,
Tim.
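An added example, not from the thread and not Cisco code: a toy model of the two behaviours Oli and Tim describe above. On export, a route-map can set route targets on the prefixes it matches but cannot drop a route, so with no `route-target export` in the VRF (Tim's variant) the unmatched prefixes leave MP-BGP untagged and are imported nowhere. On import, the automatic route-target filter, driven only by the VRF's `route-target import` statements, runs before the import-map, so a prefix the map would match is still dropped unless one of its RTs is also an import target. The model treats `set extcommunity rt` as additive to the VRF's export list (the behaviour of the IOS `additive` keyword); VRF names, prefixes and RT values are constructed.

```python
"""Toy model of VRF route-target export and import (added example, not Cisco code).

Modelled behaviours:
  * export-map: may add RTs to the routes it matches, never drops a route;
    a route that ends up with no RT at all is still exported, untagged.
  * import: the automatic RT filter (route-target import statements only)
    runs before the import-map; only routes that pass it reach the map,
    which then permits or denies (route-map implicit deny).
VRF names, prefixes and RT values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Route:
    prefix: str
    rts: Set[str] = field(default_factory=set)   # route-target extcommunities


@dataclass
class MapClause:
    """One route-map entry: prefix and/or RT match, then set (export) or permit/deny (import)."""
    match_prefixes: Set[str] = field(default_factory=set)  # empty = any prefix
    match_rts: Set[str] = field(default_factory=set)       # empty = any RT
    set_rts: Set[str] = field(default_factory=set)         # modelled as 'additive'
    permit: bool = True

    def matches(self, r: Route) -> bool:
        return ((not self.match_prefixes or r.prefix in self.match_prefixes)
                and (not self.match_rts or bool(r.rts & self.match_rts)))


@dataclass
class Vrf:
    name: str
    export_rts: Set[str] = field(default_factory=set)   # route-target export
    import_rts: Set[str] = field(default_factory=set)   # route-target import
    export_map: List[MapClause] = field(default_factory=list)
    import_map: List[MapClause] = field(default_factory=list)


def export_routes(vrf: Vrf, local_prefixes: List[str]) -> List[Route]:
    """Tag every local prefix for MP-BGP; the export-map adds RTs but never drops."""
    exported = []
    for p in local_prefixes:
        r = Route(p, set(vrf.export_rts))
        for clause in vrf.export_map:
            if clause.matches(r):
                r.rts |= clause.set_rts      # first matching clause wins
                break
        exported.append(r)                   # exported even when rts is empty
    return exported


def import_routes(vrf: Vrf, candidates: List[Route]) -> Dict[str, str]:
    """Outcome per prefix: RT filter first, then the import-map."""
    outcome = {}
    for r in candidates:
        if not (r.rts & vrf.import_rts):
            outcome[r.prefix] = "dropped-by-rt-filter"   # never reaches the map
            continue
        if not vrf.import_map:
            outcome[r.prefix] = "imported"
            continue
        verdict = "denied-by-import-map"                 # implicit deny
        for clause in vrf.import_map:
            if clause.matches(r):
                verdict = "imported" if clause.permit else "denied-by-import-map"
                break
        outcome[r.prefix] = verdict
    return outcome


# Tim's variant: no route-target export in the VRF, RT set only on the
# prefix the export-map matches, so the other prefix leaves untagged.
VRF_A = Vrf("A", export_map=[MapClause(match_prefixes={"10.1.0.0/24"},
                                       set_rts={"65000:100"})])
VRF_B = Vrf("B", import_rts={"65000:100"})
# Tim's gotcha: the import-map matches RT 65000:100, but 65000:100 is not an
# import target, so the RT filter drops the route before the map sees it.
VRF_C = Vrf("C", import_rts={"65000:200"},
            import_map=[MapClause(match_rts={"65000:100"})])
VRF_C_FIXED = Vrf("C-fixed", import_rts={"65000:200", "65000:100"},
                  import_map=[MapClause(match_rts={"65000:100"})])
LOCAL_PREFIXES = ["10.1.0.0/24", "10.1.1.0/24"]


def demo() -> Dict[str, Dict[str, str]]:
    exported = export_routes(VRF_A, LOCAL_PREFIXES)
    return {v.name: import_routes(v, exported) for v in (VRF_B, VRF_C, VRF_C_FIXED)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The model answers Tim's open question only for the additive case: a matched prefix carries exactly the RTs the map sets, and an unmatched one carries none, which is what makes it unimportable anywhere.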
From oboehmer at cisco.com Wed Nov 5 05:27:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 5 Nov 2008 11:27:33 +0100
Subject: [c-nsp] 6509 sup 720 + export map
In-Reply-To: <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>
References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com> <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com>

Tim Franklin wrote on Wednesday, November 05, 2008 10:03:

> On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote:
>
>> if I recall correctly, we can't filter/drop routes in VRF export-maps
>> (we can in import-maps).. you could set "no-advertise" or a bogus
>> route-target extcommunity to prevent it from being advertised to your
>> RRs/remote PEs or from being imported into other VRFs.
>> If you don't want to export a certain VRF prefix, just don't
>> redistribute it into BGP (if it's a non-BGP route to begin with).
>
> Or don't set the export-target that should only be on *some* routes
> in the VRF config, just set on the matching routes in the export-map.

ack, this would work as well.

> I'm
> not sure, off the top of my head, what happens if you have a VRF with *no*
> export-target defined in the VRF config, but an rt ext-community set
> on some routes in the export map - does the redist from 'local' BGP into
> MP-BGP still happen?

yes, and if you don't set an rt-extcomm in the export-map, the prefix is left without a RT.

> I know there are some gotchas in the other
> direction; even if you're matching an RT in the import map, you still
> need it as an import target, or the prefix is dropped before it gets as
> far as the map.

right, this is due to the automatic route-target filter which only examines the "route-target import" statements in the VRF, not the route-maps.
oli

From aaronis at people.net.au Wed Nov 5 05:48:47 2008
From: aaronis at people.net.au (Aaron R)
Date: Wed, 5 Nov 2008 19:48:47 +0900
Subject: [c-nsp] Accounting VPN PIX and ACS
In-Reply-To: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>
Message-ID: <200811051049.mA5An2ch037655@puck.nether.net>

Hi,

You can use netflow on your external router if you have one. ESP protocol or protocol 50. Take a look at what protocols your VPN client is using for transport and filter netflow based on this info.

Cheers,
Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of omar parihuana
Sent: Wednesday, November 05, 2008 4:22 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Accounting VPN PIX and ACS

Hi List,

I'm facing a trouble. I have a PIX and one ACS 3.3. The pix acts like a VPN concentrator for the clients (Windows based - Cisco VPN Client) and ACS like authenticator; I'm using TACACS+. All were working well. But now my boss said: We need to get the VPN usage, so I need: who? when? and how long...? were connected... Please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? Or is it possible with TACACS+?

Rgds.

--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!

From gert at greenie.muc.de Wed Nov 5 05:58:39 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 11:58:39 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490E7F49.8070901@bgp4.net>
References: <490E7F49.8070901@bgp4.net>
Message-ID: <20081105105839.GN8535@greenie.muc.de>

Hi,

On Sun, Nov 02, 2008 at 08:34:17PM -0800, Janet Sullivan wrote:
> Of course, opinions on SXH3a are also welcome, but I'm a bit untrusting
> of the SXH beast still.

We're actually quite happy with SXH3a. SXH3 is evil (BGP ghost).

I haven't tested anything on SXF more recent than SXF13a, and that is working quite well for us as well. There have been reports about crashes and BGP funkiness in SXF15, so I'd be a bit wary.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025            gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Nov 5 06:00:53 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 12:00:53 +0100
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <490F102C.7070106@bgp4.net>
References: <490E7F49.8070901@bgp4.net> <490ECF3A.70804@imperial.ac.uk> <490F102C.7070106@bgp4.net>
Message-ID: <20081105110053.GO8535@greenie.muc.de>

Hi,

On Mon, Nov 03, 2008 at 06:52:28AM -0800, Janet Sullivan wrote:
> In my SXF15 experience, I actually shut down a BGP peer (good 'ol nei
> xxx.xxx.xxx.xxx shut), and while BGP saw the routes go away, the local
> routing table on the box did not. That seems slightly different than
> the ghost bug as I understood it, but I'd be happy to be proven wrong.

That's definitely different from the Ghost Bugs. In the ghost bugs, at least as far as I observed, updates BGP table -> routing table happened just fine. Only BGP withdraw messages to other (i-)BGP peers were sometimes lost, so a route "stuck" in the other router's BGP table.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany                 gert at greenie.muc.de
fax: +49-89-35655025            gert at net.informatik.tu-muenchen.de

From elmi at 4ever.de Wed Nov 5 07:24:48 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Wed, 5 Nov 2008 13:24:48 +0100
Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed?
Message-ID: <20081105122448.GK93039@ronin.4ever.de>

Re again,

I am running into trouble with the CEF load sharing algorithm on the ASR / IOS-XE platform.

We've had this kind of setup with 7301s for four years now, and it's never given us any trouble. Distributed traffic pretty evenly (whenever it was not only one or two top-talkers hitting us).

With the new ASR / IOS-XE (1.1.2 currently, but I have found nothing in the release notes of later versions) traffic distribution has become in favour of the server with the lowest IP address - very much so. It's getting 85% of all packets.

The setup in brief (all IPv4):

z.z.z.z = Service address
a.a.a.a, a.a.a.b, a.a.a.c = Interface addresses of three servers, a my colleague denies this

2. The tunnel balancing algorithm (which to my knowledge includes source/dest IP addresses _and_ ports) has been altered.

3. The tunnel balancing algorithm (which to my knowledge includes source/dest IP addresses _and_ ports) is now buggy.

Experiment 1

Changing the algorithm to "include-ports source". Did not change the traffic pattern a bit. I didn't expect a change, since AFAIK it would do the same as the "tunnel" algorithm.
Experiment 2

I added a.a.a.d to srv1, a.a.a.e to srv2 and a.a.a.f to srv3 and the appropriate routes:

rt#sh ip route static
ip route z.z.z.z 255.255.255.255 a.a.a.a
ip route z.z.z.z 255.255.255.255 a.a.a.b
ip route z.z.z.z 255.255.255.255 a.a.a.c
ip route z.z.z.z 255.255.255.255 a.a.a.d
ip route z.z.z.z 255.255.255.255 a.a.a.e
ip route z.z.z.z 255.255.255.255 a.a.a.f

rt#sh ip cef z.z.z.z
z.z.z.z/32
  nexthop a.a.a.a GigabitEthernet0/0/3
  nexthop a.a.a.b GigabitEthernet0/0/3
  nexthop a.a.a.c GigabitEthernet0/0/3
  nexthop a.a.a.d GigabitEthernet0/0/3
  nexthop a.a.a.e GigabitEthernet0/0/3
  nexthop a.a.a.f GigabitEthernet0/0/3

This changed the distribution pattern from 10:1:2 to a somewhat better 5:1:2. It still shows a strong favouring of the server with the smallest IP address.

Experiment 3

I removed the z.z.z.z -> a.a.a.d route, so that Server 1 would only have 1/5 of the routing table pointing to it, while Servers 2 and 3 get twice as many slots in routing and forwarding table. I'll spare you the cef output here.

This changed the distribution pattern - not at all, at least not noticeably.

I wonder what I have stumbled onto here, and whether someone around or at Cisco knows about a change in the algorithms that would lead to such an effect.

I would also be very interested in some paper that really explained the load-sharing algorithms, since everything one can find about the tunnel algorithm is:

"The tunnel keyword sets the load-balancing algorithm to one that can be used in tunnel environments or in environments where there are only a few IP source and destination address pairs."

I appreciate any help - the server is still holding, but it's really bad Karma, and I'd like to find a way to do my L3 poor man's load balancing in a working fashion.

Elmar.

From A.L.M.Buxey at lboro.ac.uk Wed Nov 5 08:02:20 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Wed, 5 Nov 2008 13:02:20 +0000
Subject: [c-nsp] SXF15/SXF15a experiences?
In-Reply-To: <20081105105839.GN8535@greenie.muc.de>
References: <490E7F49.8070901@bgp4.net> <20081105105839.GN8535@greenie.muc.de>
Message-ID: <20081105130220.GA9543@lboro.ac.uk>

Hi,

> We're actually quite happy with SXH3a. SXH3 is evil (BGP ghost).

so far...(touch wood) our 2 SXH3a boxes have been quite happy.

> I haven't tested anything on SXF more recent than SXF13a, and that is
> working quite well for us as well. There have been reports about crashes
> and BGP funkiness in SXF15, so I'd be a bit wary.

unfortunately we've been rushed into migrating all our systems up to SXF15a due to several issues with various services we deliver on our network (eg VoIP) - I'm awaiting the exact firmware version in which fixes were introduced but since every previous version also had undocumented features it was felt that a half-hearted upgrade eg SXF12a was a moot point. I'm still delving into the SXH notes to see if we can just move wholesale across....anyone running WISMs on SXH boxes?

alan

From adriankok2000 at yahoo.com.hk Wed Nov 5 07:52:11 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Wed, 5 Nov 2008 20:52:11 +0800 (CST)
Subject: [c-nsp] anaysis networrk
Message-ID: <799205.58383.qm@web33305.mail.mud.yahoo.com>

Hi

Can I know the difference between wireshark vs ethereal?

Which one is better to analyse the network?

Other than those two, any suggestion?

Thank you

From anderson.levi at gmail.com Wed Nov 5 08:59:23 2008
From: anderson.levi at gmail.com (Anderson Levi)
Date: Wed, 5 Nov 2008 16:59:23 +0300
Subject: [c-nsp] anaysis networrk
In-Reply-To: <799205.58383.qm@web33305.mail.mud.yahoo.com>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID:

Ethereal was renamed Wireshark sometime in '06.

On Wed, Nov 5, 2008 at 3:52 PM, adrian kok wrote:
> Hi
>
> Can I know the difference between wireshark vs ethereal?
>
> Which one is better to analyse the network?
>
> Other than those two, any suggestion?
>
> Thank you

From avayner at cisco.com Wed Nov 5 09:44:20 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Wed, 5 Nov 2008 15:44:20 +0100
Subject: [c-nsp] anaysis networrk
In-Reply-To: <799205.58383.qm@web33305.mail.mud.yahoo.com>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A5021BAD51@xmb-ams-331.emea.cisco.com>

http://en.wikipedia.org/wiki/Wireshark

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok
Sent: Wednesday, November 05, 2008 14:52 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] anaysis networrk

Hi

Can I know the difference between wireshark vs ethereal?

Which one is better to analyse the network?

Other than those two, any suggestion?

Thank you

From csirek at cooler.hu Wed Nov 5 09:51:47 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 05 Nov 2008 15:51:47 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <20081105075558.GK8535@greenie.muc.de>
References: <49107657.6060401@cooler.hu> <20081105075558.GK8535@greenie.muc.de>
Message-ID: <4911B303.2020007@cooler.hu>

Hi,

Gert Doering wrote:
> It needs a bit of consideration what sort of packets the router is meant
> to receive ("routing protocols", anyone?) and you should lab-test it before
> rolling out on production routers.
It's a border test router with BGP and OSPF. I made a config from this page:
http://aharp.ittns.northwestern.edu/papers/copp.html

Now I'm flooding my router with SYN packets and it's interesting...

Without a control-plane policy the CPU goes to 100%. This is normal :)

If I set the CoPP, the CPU goes up to 100% every 4th minute for 20 seconds and then goes back down to 0-2% until the next 4 minutes. And again goes up...

This is the CPU "log":

> show processes cpu | exclude 0\.00\% 0\.00\% 0\.00\%
CPU utilization for five seconds: 79%/79%; one minute: 6%; five minutes: 2%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23872     29219        817  0.00%  0.07%  0.05%   0 Exec
   5       24736      1940      12750  0.00%  0.23%  0.18%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minu
 122      589744   2731281        215  0.00%  0.01%  0.23%   0 IP Input
 179        3532     17519        201  0.00%  0.02%  0.00%   0 CEF proce

after 4 sec:

tartalek_6500#cpu
CPU utilization for five seconds: 96%/8%; one minute: 14%; five minutes: 3%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23884     29224        817  0.07%  0.07%  0.05%   0 Exec
   5       24736      1940      12750  0.00%  0.21%  0.18%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minut
 122      591616   2731775        216 87.91%  7.05%  1.69%   0 IP Input
 179        3532     17522        201  0.07%  0.02%  0.00%   0 CEF proce

after 4 sec:

CPU utilization for five seconds: 50%/32%; one minute: 17%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23912     29234        817  0.39%  0.09%  0.06%   0 Exec
   5       24736      1940      12750  0.00%  0.19%  0.17%   0 Check hea
  37        4388       204      21509  0.00%  0.02%  0.00%   0 Per-minut
 122      592324   2732929        216 17.59%  7.89%  1.95%   0 IP Input
 179        3532     17528        201  0.00%  0.02%  0.00%   0 CEF process

after 4 sec:

CPU utilization for five seconds: 1%/0%; one minute: 15%; five minutes: 4%
 PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
   3       23944     29244        818  0.79%  0.15%  0.07%   0 Exec
   5       24736      1940      12750  0.00%  0.18%  0.17%   0 Chec heap
  37        4388       204      21509  0.00%  0.01%  0.00%   0 Per-minut
 122      592324   2733929        216  0.07%  7.26%  1.92%   0 IP Input
 179        3532     17534        201  0.00%  0.02%  0.00%   0 CEF proce

This 0% CPU lasts until the next 4 minutes.

It's a Sup720-3BXL with 12.2.18SXF6. I know it's not a new IOS, but it's very stable in my network.

My policy config is:

class-map match-all cp-normal-in
  description Control plane normal traffic
  match access-group name cp-normal-in
class-map match-all cp-critical-in
  description Control plane critcal traffic
  match access-group name cp-critical-in
class-map match-any cp-undesirable-in
  description Control plane undesirable traffic
  match access-group name cp-undesirable-in
class-map match-all cp-important-in
  description Control plane important traffic
  match access-group name cp-important-in
class-map match-all cp-default-in
  description Control plane default traffic
  match access-group 2
!
!
policy-map control-plane-in
  class cp-critical-in
  class cp-important-in
    police cir 128000 bc 24000 be 48000 conform-action transmit exceed-action drop violate-action drop
  class cp-normal-in
    police cir 32000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
  class cp-undesirable-in
    police cir 32000 bc 1000 be 1000 conform-action transmit exceed-action drop violate-action drop
  class cp-default-in
    police cir 128000 bc 1500 be 1500 conform-action transmit exceed-action drop violate-action drop
!
ip access-list extended cp-critical-in
  remark Control plane critical traffic - inbound
  remark OSPF
  permit ospf host 10.0.0.101 any
  permit ospf host 10.0.0.102 any
  remark PIM
  permit pim host 10.0.0.101 any
  permit pim host 10.0.0.102 any
  remark IGMP
  permit igmp any 224.0.0.0 15.255.255.255
  remark BGP
  permit tcp host 10.0.0.101 eq bgp host 10.0.0.1
  permit tcp host 10.0.0.102 host 10.0.0.1 eq bgp
  deny ip any any
ip access-list extended cp-important-in
  remark Control plane important traffic - inbound
  remark SSH/TELNET
  permit tcp 10.0.0.0 0.0.0.255 any range 22 telnet
  deny ip any any
ip access-list extended cp-normal-in
  remark Control plane normal traffic - inbound
  remark ICMP
  permit icmp any any echo
  permit icmp any any echo-reply
  permit icmp any any parameter-problem
  permit icmp any any time-exceeded
  permit icmp any any unreachable
  deny ip any any
ip access-list extended cp-undesirable-in
  remark Control plane undesirable traffic - inbound
  remark NTP
  permit udp any any eq ntp
  remark SNMPTRAP
  permit udp any any eq snmptrap
  deny ip any any
!
access-list 2 remark utility ACL to allow everything
access-list 2 permit any

If I set the CIR from 128000 to 32000 in the cp-default-in class, I see a very little CPU load between the 100%, but this wave is on every 4 minutes... So I think the 4-minute wave is caused by the CoPP settings. But why??

Laszlo

From justin at justinshore.com Wed Nov 5 09:56:24 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 05 Nov 2008 08:56:24 -0600
Subject: [c-nsp] PA-A3-T3
Message-ID: <4911B418.1070502@justinshore.com>

Is the PA-A3-T3 ATM only? I have to use a DS3 for backhaul from a small remote POP and would like to avoid the ATM overhead if at all possible. I have a pair of PA-A3-T3s sitting around I thought I could use if they could be configured for frame or something else without the ATM tax.
Thanks
Justin

From csirek at cooler.hu Wed Nov 5 09:58:51 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 05 Nov 2008 15:58:51 +0100
Subject: [c-nsp] ACK/RST rate-limit?
In-Reply-To: <4911B303.2020007@cooler.hu>
References: <49107657.6060401@cooler.hu> <20081105075558.GK8535@greenie.muc.de> <4911B303.2020007@cooler.hu>
Message-ID: <4911B4AB.4040200@cooler.hu>

Nemeth Laszlo wrote:
> If I set the CIR from 128000 to 32000 in cp-default-in class, I see a
> very little CPU load between the 100%, but this wave is on every 4
> minutes... So I think the 4-minute wave is caused by the CoPP settings. But why??

Sorry, I see the small (10-20%) CPU load INSTEAD of 100% every 4th minute for 20 seconds.

Laszlo

From david at davidcoulson.net Wed Nov 5 10:00:51 2008
From: david at davidcoulson.net (David Coulson)
Date: Wed, 05 Nov 2008 10:00:51 -0500
Subject: [c-nsp] PA-A3-T3
In-Reply-To: <4911B418.1070502@justinshore.com>
References: <4911B418.1070502@justinshore.com>
Message-ID: <4911B523.3090108@davidcoulson.net>

Yep, they only do ATM. A PA-T3 (or PA-MC-T3+) is required to do frame or a plain old DS-3.

That's why a PA-A3-T3 goes for next to nothing on the used market.

Justin Shore wrote:
> Is the PA-A3-T3 ATM only? I have to use a DS3 for backhaul from a
> small remote POP and would like to avoid the ATM overhead if at all
> possible. I have a pair of PA-A3-T3s sitting around I thought I could
> use if they could be configured for frame or something else without
> the ATM tax.
>
> Thanks
> Justin
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From cklam at ias.edu Wed Nov 5 09:46:50 2008
From: cklam at ias.edu (Christina Klam)
Date: Wed, 05 Nov 2008 09:46:50 -0500
Subject: [c-nsp] More info on bugs CSCsi03864 & CSCsi49150
Message-ID: <1225896410.3240.28.camel@klamtest.net.ias.edu>

All,

Last week our core router (a 6509) crashed. After reading the crashinfo and the logs, we determined the source of the crash to be CSCsi49150 (%PM-SP-4-PORT_BOUNCED: Port Gi2/3 was bounced by Consistency Check IDBS).

-----------
Conditions:
Not specific to standby. Seen on both active and standby. Seen in images where fix for CSCsi03864 is present.

Workaround
None.

Further information:
This bug is to backout the bug CSCsi03864
-----------

Does anyone know more about these two bugs than what is in Bug Toolkit? Currently, info on CSCsi03864 is reserved for Cisco-only eyes. So, I have no info about it. The only solution given by Cisco is to upgrade from 12.2(33)SXH2 to SXH3 or SXH3a. Because of the bugs in SXH3a that I have read about this last week on cisco-nsp, I am reluctant to do so. I am hoping to wait until SXHi comes out. I just wish I knew more about the bugs so I could make a more educated decision on the value of waiting.

Thanks,
C. Klam
Institute for Advanced Study

From brun0_filipe at yahoo.com Wed Nov 5 10:36:43 2008
From: brun0_filipe at yahoo.com (Bruno Filipe)
Date: Wed, 5 Nov 2008 07:36:43 -0800 (PST)
Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP
Message-ID: <616511.7071.qm@web39701.mail.mud.yahoo.com>

Hi there,...

Can you guys help me understand why the DHCP is not providing addressing information to the VPN Clients... If I use a local pool, I can connect and get addressing info.

Here's my config:

asa# wr t
: Saved
:
ASA Version 7.0(7)
!
hostname asa
domain-name domain.co.ao
enable password shhhhhhhhhhhhhhhhhhh encrypted
names
dns-guard
!
interface Ethernet0/0
 description 100BASETX to LAN Switch
 nameif inside
 security-level 100
 ip address 192.168.91.254 255.255.255.0
!
interface Ethernet0/1
 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET)
 nameif outside
 security-level 0
 ip address xxx.xxx.xx.xxx 255.255.255.252
!
interface Ethernet0/2
 description FOR FUTURE USE
 nameif dmz
 security-level 5
 ip address xxx.xxx.xx.xxx 255.255.255.0
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 management-only
!
passwd shhhhhhhhhhhhhhhh encrypted
ftp mode passive
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https
access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389
pager lines 24
logging timestamp
logging buffer-size 16384
logging buffered critical
logging trap debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
mtu management 1500
ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240
asdm image disk0:/asdm-507.bin
no asdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255
static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255
static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 196.216.54.229 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IPSec webvpn
 password-storage disable
 ip-comp enable
 re-xauth disable
 group-lock none
 pfs disable
 ipsec-udp disable
 ipsec-udp-port 10000
 split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 secure-unit-authentication disable
 user-authentication disable
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#

DEBUG OUTPUT

:: OUTPUT OMITTED ::

asa# debug crypto isakmp 127
asa# terminal monitor
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT  Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0
::
:: OUTPUT OMITTED ::
::
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads : HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry

From mr.dave.jacobs at gmail.com Wed Nov 5 11:08:18 2008
From: mr.dave.jacobs at gmail.com (David Jacobs)
Date: Wed, 5 Nov 2008 11:08:18 -0500
Subject: [c-nsp] ISIS Route Flapping Issue
Message-ID:

Hello All,

So I just encountered a very strange issue and I was trying to get some more information or opinions on what just happened.

I am using a Cisco 7507, previously running an RSP16 - 2 GEIP cards and an OC3 card on a VIP2-50. On one particular day one of our GEIP cards lost connectivity to one of our core routers. I used standard troubleshooting techniques, i.e. change the cable, change the GBIC, reset the card - all of which had no effect. I replaced the GEIP with a brand new one and I placed it in a different slot; I still could not get connectivity. As a last ditch effort I reloaded the router and this is where things get weird.

After the router reload, we started experiencing odd ISIS issues. On all of our routers we noticed our problem 7507's loopback address begin to flap. I did a sh ip route X.X.X.X and at times it would say x.x.x.x/32 and other times I would just see x.x.x.x/16. Quite obviously this made life for my frame relay customers a misery.

After trying all sorts of steps we could not get the flapping to stop. In a last ditch effort we offloaded our OC3 onto another router (we are still using this router as a lifeboat).

To skip ahead, I ended up getting a new 7507 chassis, brand new RSP4 and brand new GEIPs and OC3 cards. I reconfigured the router with the same IP and ISIS config and WHAMMO, the same ISIS route flapping begins to happen.
After many hours of troubleshooting one thing I did was change the ISIS NET address; once this was changed things went back to normal.

Why would changing the NET address suddenly stop an ISIS route from flapping?

Apologies for the long email, but this problem has been happening for quite a few weeks now. Any comments or suggestions would be appreciated.

Thanks
DaveJ

From willay at gmail.com Wed Nov 5 11:08:24 2008
From: willay at gmail.com (William)
Date: Wed, 5 Nov 2008 16:08:24 +0000
Subject: [c-nsp] problems filtering multicast
Message-ID:

Hi,

I'm running multicast routing with sparse-dense-mode and I'd like to filter out some of the addresses. I've created a standard access list permitting the multicast addresses I want to be routed out and then a deny any at the end.

I've applied it to the interface using the ip igmp access-group command but it doesn't seem to be effective; the end hosts are still receiving the multicast streams which I've attempted to filter out.

The hardware is a 6500 (CatOS) with a Sup2; the configuration looks like so on the first switch:

interface vlan999
 ip address 192.168.99.254 255.255.255.0
 ip pim sparse-dense-mode
 ip igmp access-group multicast

ip access-list standard multicast
 permit 239.255.1.1
 deny any

The end host is on a 3750. I tried applying the access-list and ip igmp access-group statement to the vlan interface where the end host is, and the multicast traffic that I wish to be filtered is still coming over.

Am I doing something terribly wrong here for it not to work?

Thank you for your time.

W

From jmb287 at gmail.com Wed Nov 5 11:08:32 2008
From: jmb287 at gmail.com (Mike Brown)
Date: Wed, 5 Nov 2008 09:08:32 -0700
Subject: [c-nsp] Need pin-outs for a ONS 15454/15327 Password recovery cable
Message-ID: <1a85d2430811050808h5a361478x277c6d2c60d456e7@mail.gmail.com>

Hi, does anyone here know the pin-outs for the password recovery cable that connects to a TCC/TCC+/TCC2 card??
We have a client that has an ONS that they are locked out of. Cisco is being a real PIA.

Thanks in advance.

From Drikus.Brits at is.co.za Wed Nov 5 11:17:40 2008
From: Drikus.Brits at is.co.za (Drikus Brits)
Date: Wed, 5 Nov 2008 18:17:40 +0200
Subject: [c-nsp] Accounting VPN PIX and ACS
References: <834c50110811041121y7a61d074i785391a46215f56@mail.gmail.com>
Message-ID: <89D2AE9E4EAAB34FABDBF2913867C62F1A18DB4B@ZABRYSVISEX04.af.didata.local>

Hi,

I'm assuming that you have already set up accounting to be pushed through to your ACS? On your ACS you can selectively choose what you want to log.

Essentially, you can use either RADIUS or TACACS+ to log your accounting packets. I'd prefer the RADIUS method though, especially since it is for remote access usage. Your setup shouldn't change much, apart from you changing to RADIUS instead of TACACS+. As long as your keys on the ACS & PIX are the same, you should get Authentication & Accounting logs.

Do you still need docs on how to change these and set it up?

Regards,

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of omar parihuana
Sent: Tuesday, November 04, 2008 9:22 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Accounting VPN PIX and ACS

Hi List,

I'm facing a trouble. I have a PIX and one ACS 3.3. The PIX acts like a VPN concentrator for the clients (Windows based - Cisco VPN Client) and ACS like authenticator; I'm using TACACS+. All were working well. But now my boss said: we need to get the VPN usage, so I need: who? when? and how long...? were connected... Please could you provide me some suggestions, some samples, or docs... maybe to change to RADIUS? Or is it possible with TACACS+?

Rgds.
--
Omar E.P.T
-----------------
Certified Networking Professionals make better Connections!
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Please note: This email and its content are subject to the disclaimer as displayed at the following link http://www.is.co.za/legal/E-mail+Confidentiality+Notice+and+Disclaimer.htm. Should you not have Web access, send a mail to disclaimers at is.co.za and a copy will be emailed to you.

From cisco-nsp at slepicka.net Wed Nov 5 11:24:38 2008
From: cisco-nsp at slepicka.net (James Slepicka)
Date: Wed, 05 Nov 2008 10:24:38 -0600
Subject: [c-nsp] problems filtering multicast
Message-ID: <4911C8C6.7030103@slepicka.net>

Use the ip multicast boundary command:
http://www.cisco.com/en/US/docs/ios/12_2/ipmulti/command/reference/1rfmult1.html#wp1058494

e.g.

ip access-l standard mcast_boundary_vl999
 permit 224.9.9.9

int vl999
 ip multicast boundary mcast_boundary_vl999

James

William wrote:
> Hi,
>
> I'm running multicast routing with sparse-dense-mode and I'd like to
> filter out some of the addresses. I've created a standard access list
> permitting the multicast addresses I want to be routed out and then a
> deny any at the end.
>
> I've applied it to the interface using the ip igmp access-group
> command but it doesn't seem to be effective; the end hosts
> are still receiving the multicast streams which I've attempted to
> filter out.
>
> The hardware is a 6500 (CatOS) with a Sup2; the configuration looks
> like so on the first switch:
>
> interface vlan999
>  ip address 192.168.99.254 255.255.255.0
>  ip pim sparse-dense-mode
>  ip igmp access-group multicast
>
>
> ip access-list standard multicast
>  permit 239.255.1.1
>  deny any
>
> The end host is on a 3750. I tried applying the access-list and ip
> igmp access-group statement to the vlan interface where the end host
> is, and the multicast traffic that I wish to be filtered is still
> coming over.
>
> Am I doing something terribly wrong here for it not to work?
>
> Thank you for your time.
>
> W
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From justin at justinshore.com Wed Nov 5 11:30:31 2008
From: justin at justinshore.com (Justin Shore)
Date: Wed, 05 Nov 2008 10:30:31 -0600
Subject: [c-nsp] PA-A3-T3
In-Reply-To: <4911B523.3090108@davidcoulson.net>
References: <4911B418.1070502@justinshore.com> <4911B523.3090108@davidcoulson.net>
Message-ID: <4911CA27.5060001@justinshore.com>

David Coulson wrote:
> Yep, they only do ATM. A PA-T3 (or PA-MC-T3+) is required to do frame
> or a plain old DS-3.
>
> That's why a PA-A3-T3 goes for next to nothing on the used market.

After thinking about it a bit more, I think we'll use the ATM PAs to get this project off the ground and get some revenue coming in. When we start running short on BW, rather than buy the non-ATM versions we'll skip the DS3 entirely and jump to an OC3. That would make the most sense I think.

Thanks for the info
Justin

From ross at kallisti.us Wed Nov 5 11:51:46 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 5 Nov 2008 11:51:46 -0500
Subject: [c-nsp] ip cef optimize neighbor resolution
Message-ID: <20081105165146.GA8842@kallisti.us>

Hi everyone,

Has anyone running SXH on a SUP720-3B(-XL) series 6500 tried "ip cef optimize neighbor resolution"? Cisco's docs seem to offer the usual tautologous explanation, and as a bonus, include a circular reference:

"The ip cef optimize neighbor resolution command is very similar to the ipv6 cef optimize neighbor resolution command, except that it is IPv4-specific."
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1036767

"The ipv6 cef optimize neighbor resolution command is very similar to the ip cef optimize neighbor resolution command, except that it is IPv6-specific."
http://www.cisco.com/en/US/docs/ios/ipswitch/command/reference/isw_i1.html#wp1037762

Both indicate that it triggers "Layer 2 address resolution of neighbors directly from Cisco Express Forwarding for IPv[46]".

Has anyone tried this? It sounds like this could be a win for a pair of 6500s I have with unexplainable high RP utilization problems - the boxes terminate a lot of VLANs and have a lot of ARP responsibilities. But I can't really find much discussion of it.

Thanks!

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From peter at rathlev.dk Wed Nov 5 12:19:04 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 05 Nov 2008 18:19:04 +0100
Subject: [c-nsp] ISIS Route Flapping Issue
In-Reply-To:
References:
Message-ID: <1225905544.13955.6.camel@abehat>

Hi David,

On Wed, 2008-11-05 at 11:08 -0500, David Jacobs wrote:
> I did a sh ip route X.X.X.X and at times it would say x.x.x.x/32 and
> other times I would just see x.x.x.x/16. Quite obviously this made
> life for my frame relay customers a misery.
> After trying all sorts of steps we could not get the flapping to stop.
> In a last ditch effort we offloaded our OC3 onto another router (we
> are still using this router as a lifeboat).

What did the box itself have in its routing table at this time? How does the box lift the host prefix into IS-IS? Does a "debug isis rib redistribution" give any clues?

> To skip ahead, I ended up getting a new 7507 chassis, brand new RSP4
> and brand new GEIPs and OC3 cards. I reconfigured the router with the
> same IP and ISIS config and WHAMMO, the same ISIS route flapping begins
> to happen.
> After many hours of troubleshooting one thing I did was
> change the ISIS NET address; once this was changed things went back to
> normal.

Brand new 7500 hardware? Where? ;-)

> Why would changing the NET address suddenly stop an ISIS route from
> flapping?

A shot in the dark, but you wouldn't happen to have another box with the same NET on your network?

Regards,
Peter

From gert at greenie.muc.de Wed Nov 5 12:22:15 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 5 Nov 2008 18:22:15 +0100
Subject: [c-nsp] 12.2SRC or 12.4T for 7200VXR NPE400
In-Reply-To: <4909F5F1.6030406@mt.net>
References: <4909F5F1.6030406@mt.net>
Message-ID: <20081105172215.GQ8535@greenie.muc.de>

Hi,

On Thu, Oct 30, 2008 at 11:59:13AM -0600, Forrest W Christian wrote:
> The must-have features in my mind are:
>
> BGP4 w/Long ASN

Complain to your Cisco sales representative. And do it loudly.

To my knowledge, there is *still* no IOS version with support for 32bit-AS-Numbers (IOS XR has this since a year or so).

gert

--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
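For the IS-IS route flapping thread above, where Peter Rathlev asks whether another box on the network carries the same NET: two routers in one area that share a system ID keep overwriting and purging each other's LSP, which shows up on every other router as exactly the kind of prefix flap David describes. The following is an added example, not code from any message in this archive, of a small script that pulls the `net` statements out of a set of IOS configurations, splits each NET into area, system ID and NSEL, and reports any system ID that appears on more than one router. The router names and NETs in `SAMPLE_CONFIGS` are constructed sample data.

```python
import re
from collections import defaultdict

# IOS "net" statement inside "router isis": an area (AFI plus area id, 1 to 13 octets),
# a 6-octet system ID and a 1-octet NSEL that is 00 on a router.
# Example: net 49.0001.1921.6800.1001.00
NET_RE = re.compile(r"^\s*net\s+([0-9a-fA-F.]+)\s*$", re.MULTILINE)

def parse_net(net):
    """Split a NET into (area, system_id, nsel) as lowercase hex strings.

    Raises ValueError for input that is not a well-formed router NET.
    """
    digits = net.replace(".", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", digits) or len(digits) % 2:
        raise ValueError(f"NET is not a whole number of hex octets: {net}")
    if not 2 * 8 <= len(digits) <= 2 * 20:
        raise ValueError(f"NET must be 8 to 20 octets long: {net}")
    nsel = digits[-2:]
    system_id = digits[-14:-2]
    area = digits[:-14]
    if nsel != "00":
        raise ValueError(f"router NET must end in NSEL 00: {net}")
    return area, system_id, nsel

def nets_from_config(config_text):
    """Every NET configured in one router's running config."""
    return NET_RE.findall(config_text)

def find_duplicate_system_ids(configs):
    """configs maps router name -> running-config text.

    Returns {system_id: [router, ...]} for every system ID that is configured on
    more than one router. Each system ID must be unique within the IS-IS domain;
    a collision makes the two routers fight over the same LSP.
    """
    owners = defaultdict(list)
    for name, text in configs.items():
        for net in nets_from_config(text):
            _, system_id, _ = parse_net(net)
            if name not in owners[system_id]:
                owners[system_id].append(name)
    return {sid: sorted(names) for sid, names in owners.items() if len(names) > 1}

# Constructed sample data: three routers, two of which were given the same NET.
SAMPLE_CONFIGS = {
    "core1": "hostname core1\nrouter isis\n net 49.0001.1921.6800.1001.00\n is-type level-2-only\n",
    "core2": "hostname core2\nrouter isis\n net 49.0001.1921.6800.1002.00\n",
    "pop-7507": "hostname pop-7507\nrouter isis\n net 49.0001.1921.6800.1001.00\n",
}

def report(configs=SAMPLE_CONFIGS):
    """Human-readable summary of the duplicate check."""
    dups = find_duplicate_system_ids(configs)
    if not dups:
        return "no duplicate IS-IS system IDs found"
    return "\n".join(f"system ID {sid} configured on: {', '.join(names)}"
                     for sid, names in sorted(dups.items()))

if __name__ == "__main__":
    print(report())
```

Run against real configs, feed `find_duplicate_system_ids` a dictionary built from your backups; the area part is deliberately ignored in the comparison, because Cisco IOS derives the LSP ID from the system ID alone, so a collision is a problem even when the areas differ.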
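As an added example for the 32-bit AS number point in Gert Doering's reply above (not code from the page, from Cisco or from any vendor), the following shows what a 4-byte-ASN-capable BGP speaker has to do when its peer only understands 2-byte AS numbers, which is the situation an operator on such an IOS would be in: every 4-byte ASN in AS_PATH is replaced by the reserved placeholder AS_TRANS (23456) and the real path travels in the optional transitive AS4_PATH attribute, which old speakers pass on untouched; a 4-byte-capable speaker further along merges the two back together. The ASNs used are constructed sample values; the merge rule and AS_TRANS follow RFC 4893, and the asdot notation follows RFC 5396.

```python
AS_TRANS = 23456      # 2-byte placeholder for a 4-byte ASN (RFC 4893)
MAX_2BYTE = 0xFFFF
MAX_4BYTE = 0xFFFFFFFF

def to_asdot(asn):
    """asplain integer -> asdot string: 65536 -> '1.0'; ASNs <= 65535 are unchanged."""
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"ASN out of range: {asn}")
    return str(asn) if asn <= MAX_2BYTE else f"{asn >> 16}.{asn & 0xFFFF}"

def from_asdot(text):
    """asdot or asplain string -> integer ASN."""
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= MAX_2BYTE and 0 <= low <= MAX_2BYTE):
            raise ValueError(f"bad asdot value: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= MAX_4BYTE:
        raise ValueError(f"bad asplain value: {text}")
    return asn

def encode_for_old_speaker(as_path):
    """What a NEW (4-byte capable) speaker sends to an OLD (2-byte only) peer.

    Returns (as_path_2byte, as4_path). AS4_PATH is None when every ASN already
    fits in 2 bytes, since the attribute is only needed to carry mapped ASNs.
    """
    mapped = [asn if asn <= MAX_2BYTE else AS_TRANS for asn in as_path]
    needs_as4 = any(asn > MAX_2BYTE for asn in as_path)
    return mapped, (list(as_path) if needs_as4 else None)

def old_speaker_forwards(as_path_2byte, as4_path, own_asn):
    """An OLD speaker prepends its own 2-byte ASN to AS_PATH; AS4_PATH is an
    optional transitive attribute it does not understand, so it passes it on unchanged."""
    if own_asn > MAX_2BYTE:
        raise ValueError("an OLD speaker can only have a 2-byte ASN")
    return [own_asn] + list(as_path_2byte), as4_path

def reconstruct_as_path(as_path, as4_path):
    """What a NEW speaker does with an UPDATE relayed through OLD speakers.

    AS_PATH is at least as long as AS4_PATH because only AS_PATH grew on the way;
    the leading extra entries of AS_PATH are kept and AS4_PATH replaces the rest.
    If AS4_PATH is longer than AS_PATH the attribute is inconsistent and is ignored
    (RFC 4893 section 4.2.3).
    """
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    extra = len(as_path) - len(as4_path)
    return list(as_path[:extra]) + list(as4_path)

def relay_through_old_speaker(origin_path, old_speaker_asn):
    """The whole exchange: NEW -> OLD -> NEW, returning the path the final NEW speaker sees."""
    as_path, as4_path = encode_for_old_speaker(origin_path)
    as_path, as4_path = old_speaker_forwards(as_path, as4_path, old_speaker_asn)
    return reconstruct_as_path(as_path, as4_path)

if __name__ == "__main__":
    # Constructed sample: AS 3.2 (196610) originates a prefix, its 2-byte-only
    # upstream 64600 relays it to a 4-byte-capable downstream.
    origin = [from_asdot("3.2"), 65000]
    print("AS_PATH as the old speaker sees it:", encode_for_old_speaker(origin)[0])
    print("path reconstructed downstream:", [to_asdot(a) for a in relay_through_old_speaker(origin, 64600)])
```

The 2-byte-only router in the middle sees `64600 23456 65000` and cannot tell which real AS sits behind 23456, which is why loop detection and AS-path policy on such a box are blind to 4-byte neighbours; anything downstream that is 4-byte capable recovers the true path.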
Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From luan at netcraftsmen.net Wed Nov 5 13:08:13 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Wed, 5 Nov 2008 13:08:13 -0500 Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP In-Reply-To: <616511.7071.qm@web39701.mail.mud.yahoo.com> References: <616511.7071.qm@web39701.mail.mud.yahoo.com> Message-ID: <06a601c93f71$77debc30$679c3490$@net> Maybe try using the global commands no vpn-addr-assign local no vpn-addr-assign aaa vpn-addr-assign dhcp And under tunnel-group COMPANY-TUNNEL-GROUP general-attributes Add: default-group-policy COMPANY-REMOTE-ACCESS Regards, Luan Nguyen Chesapeake NetCraftsmen, LLC. www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bruno Filipe Sent: Wednesday, November 05, 2008 10:37 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] IPSec Remote Access VPN getting Addresses from the DHCP Hi there,... Can u guys help me understand why the dhcp is not providing addressing information to the VPN Clients...If I use a local pool, I can connect and get addressing info Here's my config: asa# wr t : Saved : ASA Version 7.0(7) ! hostname asa domain-name domain.co.ao enable password shhhhhhhhhhhhhhhhhhh encrypted names dns-guard ! interface Ethernet0/0 description 100BASETX to LAN Switch nameif inside security-level 100 ip address 192.168.91.254 255.255.255.0 ! interface Ethernet0/1 description 100BASETX link to Alvarion BMAX-CPE-ODU (INTERNET) nameif outside security-level 0 ip address xxx.xxx.xx.xxx 255.255.255.252 ! interface Ethernet0/2 description FOR FUTURE USE nameif dmz security-level 5 ip address xxx.xxx.xx.xxx 255.255.255.0 ! interface Management0/0 nameif management security-level 100 ip address 192.168.1.1 255.255.255.0 management-only ! 
passwd shhhhhhhhhhhhhhhh encrypted ftp mode passive access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq smtp access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq pop3 access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq https access-list outside_access_in extended permit tcp any host xxx.xxx.xx.xxx eq 3389 pager lines 24 logging timestamp logging buffer-size 16384 logging buffered critical logging trap debugging logging asdm informational mtu inside 1500 mtu outside 1500 mtu dmz 1500 mtu management 1500 ip local pool COMPANY-LOCAL-POOL 192.168.91.230-192.168.91.240 asdm image disk0:/asdm-507.bin no asdm history enable arp timeout 14400 global (outside) 10 interface nat (inside) 10 0.0.0.0 0.0.0.0 static (inside,outside) tcp interface smtp 192.168.91.112 smtp netmask 255.255.255.255 static (inside,outside) tcp interface pop3 192.168.91.112 pop3 netmask 255.255.255.255 static (inside,outside) tcp interface https 192.168.91.112 https netmask 255.255.255.255 static (inside,outside) tcp interface 3389 192.168.91.112 3389 netmask 255.255.255.255 access-group outside_access_in in interface outside route outside 0.0.0.0 0.0.0.0 196.216.54.229 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00 timeout uauth 0:05:00 absolute group-policy DfltGrpPolicy attributes banner none wins-server none dns-server none dhcp-network-scope none vpn-access-hours none vpn-simultaneous-logins 3 vpn-idle-timeout 30 vpn-session-timeout none vpn-filter none vpn-tunnel-protocol IPSec webvpn password-storage disable ip-comp enable re-xauth disable group-lock none pfs disable ipsec-udp disable ipsec-udp-port 10000 split-tunnel-policy tunnelall split-tunnel-network-list none default-domain none split-dns none secure-unit-authentication disable user-authentication disable 
 user-authentication-idle-timeout 30
 ip-phone-bypass disable
 leap-bypass disable
 nem disable
 backup-servers keep-client-config
 client-firewall none
 client-access-rule none
 webvpn
  functions url-entry
  port-forward-name value Application Access
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
 webvpn
username some.name password EB4ztYh0SYsdhnHI encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.91.0 255.255.255.0 inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set COMPANY-TRANSFORM-SET esp-3des esp-md5-hmac
crypto dynamic-map COMPANY-DYNAMIC-MAP 10 set transform-set GENIUS-TRANSFORM-SET
crypto map COMPANY-CRYPTO-MAP 65535 ipsec-isakmp dynamic GENIUS-DYNAMIC-MAP
crypto map COMPANY-CRYPTO-MAP interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
tunnel-group COMPANY-TUNNEL-GROUP ipsec-attributes
 pre-shared-key *
telnet timeout 5
ssh xxx.xxx.xx.x 255.255.255.0 outside
ssh timeout 30
ssh version 2
console timeout 0
dhcpd address 192.168.91.150-192.168.91.240 inside
dhcpd dns xxx.xxx.xx.xx xxx.xxx.xx.xx
dhcpd lease 3600
dhcpd ping_timeout 50
dhcpd domain genius.co.ao
dhcpd enable inside
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 512
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
!
service-policy global_policy global
Cryptochecksum:d60a247e16f4bf6dd36da42b71aa1440
: end
[OK]
asa#

DEBUG OUTPUT

:: OUTPUT OMITTED ::

asa# debug crypto isakmp 127
asa# terminal monitor

Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Received unknown transaction mode attribute: 28684
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Application Version!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Client Type: WinNT  Client Application Version: 5.0.04.0300
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for FWTYPE!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for DHCP hostname for DDNS is: ispdomain!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for UDP Port!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, MODE_CFG: Received request for Local LAN Include!
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE received response of type [VALID (but no address supplied)] to a request from the IP address utility
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Cannot obtain an IP address for remote peer
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE TM V6 FSM error history (struct &0x39c1900) , : TM_DONE, EV_ERROR-->TM_BLD_REPLY, EV_IP_FAIL-->TM_BLD_REPLY, NullEvent-->TM_BLD_REPLY, EV_GET_IP-->TM_BLD_REPLY, EV_NEED_IP-->TM_WAIT_REQ, EV_PROC_MSG-->TM_WAIT_REQ, EV_HASH_OK-->TM_WAIT_REQ, NullEvent
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = GENIUS-TUNNEL-GROUP, Username = some.usera, IP = xxx.xxx.xx.xx, IKE AM Responder FSM error history (struct &0x3ac4060) , : AM_DONE, EV_ERROR-->AM_TM_INIT_MODECFG_V6H, EV_TM_FAIL-->AM_TM_INIT_MODECFG_V6H, NullEvent-->AM_TM_INIT_MODECFG, EV_WAIT-->AM_TM_INIT_XAUTH_V6H, EV_CHECK_QM_MSG-->AM_TM_INIT_XAUTH_V6H, EV_TM_XAUTH_OK-->AM_TM_INIT_XAUTH_V6H, NullEvent-->AM_TM_INIT_XAUTH_V6H, EV_ACTIVATE_NEW_SA
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, IKE SA AM:835707d8 terminating: flags 0x0945c001, refcnt 0, tuncnt 0

:: OUTPUT OMITTED ::

Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, sending delete/delete with reason message
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing blank hash payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing IKE delete payload
Nov 05 07:59:15 [IKEv1 DEBUG]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, constructing qm hash payload
Nov 05 07:59:15 [IKEv1]: IP = xxx.xxx.xx.xx, IKE_DECODE SENDING Message (msgid=52532842) with payloads :
HDR + HASH (8) + DELETE (12) + NONE (0) total length : 80
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Removing peer from peer table failed, no match!
Nov 05 07:59:15 [IKEv1]: Group = COMPANY-TUNNEL-GROUP, Username = some.user, IP = xxx.xxx.xx.xx, Error: Unable to remove PeerTblEntry

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From drew.weaver at thenap.com Wed Nov 5 15:07:48 2008
From: drew.weaver at thenap.com (Drew Weaver)
Date: Wed, 5 Nov 2008 15:07:48 -0500
Subject: [c-nsp] show ip cef resources
Message-ID:

This is kind of a trivial question but does anyone know at or around what numbers the 'show ip cef resources' is no longer G (Green?)

It has been creeping up over the last year or so and I'm just trying to make sure we plan accordingly.

Thanks,
-Drew

From bob at tink.com Wed Nov 5 17:04:32 2008
From: bob at tink.com (Bob Tinkelman)
Date: Wed, 05 Nov 2008 17:04:32 -0500 (EST)
Subject: [c-nsp] ipsec over gre with nhrp
Message-ID: <01N1KT6EUKF89AQUIH@queens.tink.com>

I'm doing something that I thought I'd done before, but am running into problems and need a sanity check.

I have 2 "customer site routers", each configured for main access via T1 and backup Internet access via a cable-modem service with a dynamic ip address.

They also have an ipsec vpn to route internal (192.168/16 and 10/8) nets between the two sites, using crypto maps on the T1 serial ports in the standard way.

All that works.

I wanted to provide a backup to the ipsec VPN using the cable modem ports, and proceeded as follows:

o I configured a multi-point tunnel with both customer sites using nhrp to connect to one of my routers. [This works. The routers can ping each other over the tunnel.]
This was done because otherwise the routers, each with a dynamic ip address, would have trouble finding each other.

o I mimic'd the ipsec vpn on the T1 serial interfaces, building a similar one on the tunnel interfaces. [This didn't work, and it's pretty clear why.]

Here are the relevant portions of the config. [I'm willing to share more, but wanted to keep this post manageable.]

Interface housing the cable-modem:

| CT-gw#sho run int fa0/1
| Building configuration...
|
| Current configuration : 186 bytes
| !
| interface FastEthernet0/1
|  description Cable modem connection
|  ip address dhcp
|  ip access-group from-cablemodem in
|  ip nat outside
|  ip virtual-reassembly
|  duplex auto
|  speed auto
| end
| CT-gw#

The address dhcp-assigned by the carrier:

| CT-gw#sho int fa0/1 | inc Internet address
|   Internet address is 192.168.1.64/24
| CT-gw#

The tunnel interface:

| CT-gw#sho run int t202
| Building configuration...
|
| Current configuration : 729 bytes
| !
| interface Tunnel202
|  description Dynamic multi-point ISPnet-customer tunnel
|  bandwidth 1000
|  ip address 69.48.189.23 255.255.255.0
|  ip access-group from-world in
|  no ip redirects
|  ip mtu 1416
|  ip nat inside
|  ip nhrp authentication
|  ip nhrp map multicast 165.254.97.2
|  ip nhrp map multicast 165.254.147.2
|  ip nhrp map 69.48.189.1 165.254.97.2
|  ip nhrp map 69.48.189.2 165.254.147.2
|  ip nhrp network-id
|  ip nhrp holdtime 300
|  ip nhrp nhs 69.48.189.1
|  ip nhrp nhs 69.48.189.2
|  ip nhrp server-only
|  ip virtual-reassembly
|  no ip route-cache cef
|  no ip route-cache
|  no ip mroute-cache
|  delay 1000
|  tunnel source FastEthernet0/1
|  tunnel mode gre multipoint
|  tunnel key
|  crypto map CLINTON-TU-202-MAP
| end
| CT-gw#

The tunnel is working:

| CT-gw#ping 69.48.189.24
|
| Type escape sequence to abort.
| Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds:
| !!!!!
| Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms
| CT-gw#

| CT-gw#tr 69.48.189.24
|
| Type escape sequence to abort.
| Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24)
|
|   1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec 28 msec
|   2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec * 136 msec
| CT-gw#

The crypto map is defined like this:

| CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP
| crypto map CLINTON-TU-202-MAP local-address Tunnel202
| crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp
|  set peer 69.48.189.24
|  set transform-set TRANSFORM-SET-FL
|  match address CT-inside-to-FL-inside
| !

But it's not working.

It looks like it's using the wrong ip address for the "local address" of the crypto map.

It's using the dhcp-assigned address of Fa0/1, when I'd thought it should be using the address of Tu202.

| CT-gw#sho crypto map int t202
>>| Crypto Map: "CLINTON-TU-202-MAP" idb: Tunnel202 local address: 192.168.1.64
|
| Crypto Map "CLINTON-TU-202-MAP" 1 ipsec-isakmp
|         Peer = 69.48.189.24
|         Extended IP access list CT-inside-to-FL-inside
|             access-list CT-inside-to-FL-inside permit ip 192.168.7.0 0.0.0.255 10.1.1.0 0.0.0.255
|         Current peer: 69.48.189.24
|         Security association lifetime: 4608000 kilobytes/3600 seconds
|         PFS (Y/N): N
|         Transform sets={
|                 TRANSFORM-SET-FL,
|         }
|         Interfaces using crypto map CLINTON-TU-202-MAP:
|                 Tunnel202
| CT-gw#

I think it's pretty clear that 192.168.1.64 won't cut it as one end of the VPN.

The two customer sites are in CT and FL, both with their "cable modem connections" actually being ATT DSL services. [Long story; don't ask.]
Amusingly, both show the leases with the same IP Addr and gateway, as in:

| CT-gw#sho dhcp lease
| Temp IP addr: 192.168.1.64  for peer on Interface: FastEthernet0/1
| Temp  sub net mask: 255.255.255.0
|    DHCP Lease server: 192.168.1.254, state: 3 Bound
|    DHCP transaction id: 1FD4
|    Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
| Temp default-gateway addr: 192.168.1.254
|    Next timer fires after: 07:58:12
|    Retry count: 0   Client-ID: cisco-0019.5550.5b41-Fa0/1
|    Client-ID hex dump: 636973636F2D303031392E353535302E
|                        356234312D4661302F31
|    Hostname: CT-gw

| FL-gw#sho dhcp lease
| Temp IP addr: 192.168.1.64  for peer on Interface: FastEthernet0/1
| Temp  sub net mask: 255.255.255.0
|    DHCP Lease server: 192.168.1.254, state: 3 Bound
|    DHCP transaction id: 1FD4
|    Lease: 86400 secs,  Renewal: 43200 secs,  Rebind: 75600 secs
| Temp default-gateway addr: 192.168.1.254
|    Next timer fires after: 07:57:26
|    Retry count: 0   Client-ID: cisco-0019.5550.5c79-Fa0/1
|    Client-ID hex dump: 636973636F2D303031392E353535302E
|                        356337392D4661302F31
|    Hostname: FL-gw
| FL-gw#

I don't think that's relevant.

I think the problem is that I need to get the crypto map to use the 69.48.189.23 (CT) and 69.48.189.24 (FL) addresses, not 192.168.1.*.

Thoughts?
--
Bob Tinkelman

From luan at netcraftsmen.net Wed Nov 5 21:11:36 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 5 Nov 2008 21:11:36 -0500
Subject: [c-nsp] ipsec over gre with nhrp
In-Reply-To: <01N1KT6EUKF89AQUIH@queens.tink.com>
References: <01N1KT6EUKF89AQUIH@queens.tink.com>
Message-ID: <06ee01c93fb4$ff03c4b0$fd0b4e10$@net>

You have to use tunnel protection profile instead. Get rid of the local-address, and put these in:

crypto isakmp policy 3000
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 165.254.97.2
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
Int tun202
 No crypto map
 tunnel protection ipsec profile foo

Then route over the tunnel accordingly... instead of using ACL to match traffic.

Regards,
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
(blog) http://ccie-security.blogspot.com/
(e) luan at netcraftsmen.net
(aim/yahoo): luancnc

From mtinka at globaltransit.net Wed Nov 5 21:55:03 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 6 Nov 2008 10:55:03 +0800
Subject: [c-nsp] watchdog timeout - nmi reset
Message-ID: <200811061055.12235.mtinka@globaltransit.net>

Hi all.

We've had a bit of bad luck lately with a couple of NPE-G1's suddenly reloading due to watchdog timeouts. In all cases, we've been running 12.2SRC (first SRC1, and currently SRC2).

Without any crashinfo generated from the reload, Cisco say this points to a hardware problem.
We initially experienced this on an NPE-G1 built in 2003 (the chassis might have been built about the same time also). But then it also affected NPE-G1's built in 2005, as well as 2007.

We swapped out one of them that has been rebooting more frequently (once every 2 months) with a 2007-model NPE-G1. This just failed a few days back, same reason.

This morning, yet another 2007-model NPE-G1 also experienced the same problem. This one had never done this before. It also is installed in a 2007-model chassis.

The following is consistent:

* The watchdog timeout reset is affecting only our NPE-G1's.
* All NPE-G2's and 7201's, running SRC2, are not affected.
* It affects both old and new NPE-G1's.
* It affects both old and new chassis'.
* All routers are running 12.2(33)SRC2.

We're going to open another case with TAC on this, but I feel this is going to be drawn out.

It would have been easier if this affected either ONLY the old model NPE-G1's, or the new model NPE-G1's; because then we could either chalk it down to old boards or a bad batch (the 2007 models were all built to the same order). But since this is affecting both old and new, and the information suggests it's not software-related, it gets tricky.

Aside from software, the only other thing that unites both the old and new chassis'/processors is PA-2FE-TX cards we bought for both the old and new models.

Suffice it to say that before the older NPE-G1's were running SRC (they either run 12.3 mainline or 12.2S), we didn't see this issue.

Appreciate any thoughts here.

Cheers,

Mark.
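For the ASA remote-access DHCP thread earlier in this digest (Bruno's posted config and Luan's reply), here is an added lint script, not code from the thread or from Cisco, that parses a constructed excerpt of that config and reports what Luan's reply changes: the tunnel-group carries a dhcp-server but no default-group-policy, so DfltGrpPolicy (dhcp-network-scope none) applies instead of COMPANY-REMOTE-ACCESS. The checks, and the flag on a dhcp-server that is the ASA's own interface address, are this example's assumptions.

```python
"""Lint an ASA remote-access tunnel-group for DHCP address assignment.
Added example for the ASA/DHCP thread in this digest; the config excerpt is
constructed from the posted 'wr t' output and the checks are this example's own."""
import re
from typing import List, Set, Tuple

# Constructed excerpt of the posted config (sub-mode lines indented by one
# space, as in a real ASA running-config).
POSTED_CONFIG = """\
interface Ethernet0/0
 nameif inside
 ip address 192.168.91.254 255.255.255.0
group-policy DfltGrpPolicy attributes
 dhcp-network-scope none
group-policy COMPANY-REMOTE-ACCESS internal
group-policy COMPANY-REMOTE-ACCESS attributes
 dhcp-network-scope 192.168.91.150
tunnel-group COMPANY-TUNNEL-GROUP type ipsec-ra
tunnel-group COMPANY-TUNNEL-GROUP general-attributes
 dhcp-server 192.168.91.254
dhcpd enable inside
"""

Section = Tuple[str, List[str]]

def parse_sections(cfg: str) -> List[Section]:
    """Split running-config text into (top-level command, sub-mode lines) pairs."""
    sections: List[Section] = []
    for raw in cfg.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.strip(), []))
    return sections

def sub_lines(sections: List[Section], header: str) -> List[str]:
    """Sub-mode lines of the section whose top-level command equals `header`."""
    return next((body for head, body in sections if head == header), [])

def own_addresses(sections: List[Section]) -> Set[str]:
    """Every address the ASA itself holds on an interface."""
    addrs: Set[str] = set()
    for head, body in sections:
        if head.startswith("interface "):
            for line in body:
                m = re.match(r"ip address (\S+) \S+$", line)
                if m:
                    addrs.add(m.group(1))
    return addrs

def effective_group_policy(sections: List[Section], tunnel_group: str) -> str:
    """Policy the tunnel-group applies: its default-group-policy, else DfltGrpPolicy."""
    for line in sub_lines(sections, f"tunnel-group {tunnel_group} general-attributes"):
        m = re.match(r"default-group-policy (\S+)$", line)
        if m:
            return m.group(1)
    return "DfltGrpPolicy"

def dhcp_network_scope(sections: List[Section], policy: str) -> str:
    """dhcp-network-scope of a group-policy ('none' when unset, as the ASA prints it)."""
    for line in sub_lines(sections, f"group-policy {policy} attributes"):
        m = re.match(r"dhcp-network-scope (\S+)$", line)
        if m:
            return m.group(1)
    return "none"

def lint_dhcp_assignment(cfg: str, tunnel_group: str) -> List[str]:
    """Findings that explain why DHCP address assignment for the tunnel-group may fail."""
    sections = parse_sections(cfg)
    findings: List[str] = []
    general = sub_lines(sections, f"tunnel-group {tunnel_group} general-attributes")
    servers = [a for line in general if line.startswith("dhcp-server ")
               for a in line.split()[1:]]
    if not servers:
        return [f"{tunnel_group}: no dhcp-server configured, so DHCP assignment cannot work"]
    if any(head == "no vpn-addr-assign dhcp" for head, _ in sections):
        findings.append("global 'no vpn-addr-assign dhcp' disables DHCP address assignment")
    policy = effective_group_policy(sections, tunnel_group)
    if dhcp_network_scope(sections, policy) == "none":
        # Policies that do carry a scope but are not the one the tunnel-group uses.
        unbound = [head.split()[1] for head, _ in sections
                   if head.startswith("group-policy ") and head.endswith(" attributes")
                   and dhcp_network_scope(sections, head.split()[1]) != "none"]
        hint = (f"; {', '.join(unbound)} sets a scope but is not bound with "
                f"default-group-policy") if unbound else ""
        findings.append(f"{tunnel_group}: effective policy {policy} has "
                        f"dhcp-network-scope none{hint}")
    for addr in servers:
        # Assumption flagged for review: the server is one of the ASA's own interface
        # addresses, i.e. the local dhcpd rather than an external DHCP server.
        if addr in own_addresses(sections):
            findings.append(f"{tunnel_group}: dhcp-server {addr} is one of the ASA's own "
                            f"interface addresses; confirm the local dhcpd is meant to "
                            f"serve VPN clients")
    return findings
```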
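For the "ipsec over gre with nhrp" thread above, an added check (not from the thread or from IOS) that parses the posted "sho crypto map int t202" output and flags the mismatch Bob describes: the map's local address is the carrier DHCP lease on the tunnel source FastEthernet0/1, not the Tunnel202 address, which is why Luan's reply drops the crypto map for tunnel protection. The interface addresses come from the posted output; the finding wording is this example's own.

```python
"""Check which address a crypto map bound to a GRE tunnel actually uses.
Added example for the 'ipsec over gre with nhrp' thread; the sample output is
constructed from the posted 'sho crypto map' and interface output."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed from the output Bob posted (same names and addresses as the thread).
CRYPTO_MAP_OUTPUT = """\
Crypto Map: "CLINTON-TU-202-MAP" idb: Tunnel202 local address: 192.168.1.64

Crypto Map "CLINTON-TU-202-MAP" 1 ipsec-isakmp
        Peer = 69.48.189.24
        Extended IP access list CT-inside-to-FL-inside
            access-list CT-inside-to-FL-inside permit ip 192.168.7.0 0.0.0.255 10.1.1.0 0.0.0.255
        Current peer: 69.48.189.24
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): N
        Transform sets={
                TRANSFORM-SET-FL,
        }
        Interfaces using crypto map CLINTON-TU-202-MAP:
                Tunnel202
"""

# Interface addresses from the posted 'sho int' / 'sho run int' output.
INTERFACE_ADDRESSES: Dict[str, str] = {
    "FastEthernet0/1": "192.168.1.64",  # carrier DHCP lease; the tunnel source
    "Tunnel202": "69.48.189.23",        # address on the mGRE tunnel itself
}

@dataclass
class CryptoMap:
    name: str
    idb: str            # interface the map is applied to
    local_address: str  # address IOS reports it will source IKE/IPsec from
    peers: List[str] = field(default_factory=list)

def parse_crypto_map(text: str) -> CryptoMap:
    """Parse the header and 'Peer =' lines of 'show crypto map interface' output."""
    head = re.search(r'Crypto Map: "([^"]+)" idb: (\S+) local address: (\S+)', text)
    if not head:
        raise ValueError("no 'Crypto Map:' header line in output")
    peers = re.findall(r"^\s*Peer = (\S+)$", text, flags=re.M)
    return CryptoMap(head.group(1), head.group(2), head.group(3), peers)

def check_crypto_map(cm: CryptoMap, addresses: Dict[str, str]) -> List[str]:
    """Findings when the map sources from an interface other than the one it is on."""
    findings: List[str] = []
    expected = addresses.get(cm.idb)
    if expected and cm.local_address != expected:
        owner = next((i for i, a in addresses.items() if a == cm.local_address),
                     "an unlisted interface")
        findings.append(f"{cm.name} on {cm.idb}: local address {cm.local_address} is "
                        f"{owner}'s, not {cm.idb}'s ({expected}); IKE is sourced from "
                        f"the tunnel source, outside the tunnel")
    local_ip = ipaddress.ip_address(cm.local_address)
    for peer in cm.peers:
        # An RFC 1918 source with a globally routable peer gets no answers back across
        # the carrier network; in the thread both sites even hold the same lease.
        if local_ip.is_private and not ipaddress.ip_address(peer).is_private:
            findings.append(f"{cm.name}: private local address {cm.local_address} with "
                            f"public peer {peer}; the peer cannot answer to that address")
    return findings
```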
From rakeshh at gmail.com Wed Nov 5 22:11:57 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Wed, 5 Nov 2008 21:11:57 -0600
Subject: [c-nsp] ipsec over gre with nhrp
In-Reply-To: <01N1KT6EUKF89AQUIH@queens.tink.com>
References: <01N1KT6EUKF89AQUIH@queens.tink.com>
Message-ID: <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com>

Hello,

With the information you have provided, what I can see is that you are trying IPSEC over GRE. I had come across a similar issue where the router used the GRE tunnel source interface to build the IPSEC tunnel even though I had the tunnel interface as the local interface for the crypto map. This is exactly what you are seeing here.

I resolved the issue by learning a loopback through the tunnel and using it as the IPSEC tunnel source/destination points with the local loopback as the local interface for crypto map. You also need to point any traffic to be encrypted, matching the destination subnet in crypto acl, to the tunnel interface.

There is a simpler and preferred way of doing this using VTI interfaces. In your case this is going to be GRE protection using IPSEC. It has worked great for us.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html

Hope this helps

-Rakesh

From risnaini at indo.net.id Wed Nov 5 23:43:50 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Thu, 06 Nov 2008 11:43:50 +0700
Subject: [c-nsp] anaysis networrk
In-Reply-To:
References: <799205.58383.qm@web33305.mail.mud.yahoo.com>
Message-ID: <49127606.4020403@indo.net.id>

Yah :)
Wireshark has more features.

Anderson Levi wrote:
> Ethereal was renamed Wireshark sometime in '06.
>
> On Wed, Nov 5, 2008 at 3:52 PM, adrian kok wrote:
>
>> Hi
>>
>> Can I know the difference between wireshark vs ethereal?
>>
>> which one is better to analyse network?
>>
>> other than two, any suggestion
>>
>> Thank you
>>
>> Send instant messages to your online friends http://uk.messenger.yahoo.com

From fropert at packetfault.org Thu Nov 6 03:05:16 2008
From: fropert at packetfault.org (Francois ROPERT)
Date: Thu, 06 Nov 2008 09:05:16 +0100
Subject: [c-nsp] anaysis networrk
In-Reply-To: <49127606.4020403@indo.net.id>
References: <799205.58383.qm@web33305.mail.mud.yahoo.com> <49127606.4020403@indo.net.id>
Message-ID: <4912A53C.4050609@packetfault.org>

More features and above all more SECURITY.
Wireshark dissectors are tested against fuzzing by Mister G. Combs and should be by dissectors authors by running tools/fuzz-test.sh before putting public dissectors on bugs.wireshark.org. My advice here is to always use the last version for limiting exposure of your computer if you don't want to get pwned by a miscreant who knows counter forensics attack against ethereal/wireshark (intentionnaly crash a wireshark with malicious packets to hide *FACTS* from the analyst eyes). Francois a. rahman isnaini r.sutan a ?crit : > Yah :) > Wireshark more features. > > Anderson Levi wrote: >> Ethereal was renamed Wireshark sometime in '06. >> >> On Wed, Nov 5, 2008 at 3:52 PM, adrian kok >> wrote: >> >>> Hi >>> >>> Can I know the different between wireshark vs etheral? >>> >>> which one is better to anaylsis network? >>> >>> other than two, any suggestion >>> >>> Thank you >>> >>> Send instant messages to your online friends >>> http://uk.messenger.yahoo.com >>> _______________________________________________ >>> cisco-nsp mailing list cisco-nsp at puck.nether.net >>> https://puck.nether.net/mailman/listinfo/cisco-nsp >>> archive at http://puck.nether.net/pipermail/cisco-nsp/ >>> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From antal.gergely at hu.digi.tv Thu Nov 6 03:16:53 2008 From: antal.gergely at hu.digi.tv (Antal GERGELY) Date: Thu, 06 Nov 2008 09:16:53 +0100 Subject: [c-nsp] 12.2SRC or 12.4T for 7200VXR NPE400 In-Reply-To: <20081105172215.GQ8535@greenie.muc.de> References: <4909F5F1.6030406@mt.net> <20081105172215.GQ8535@greenie.muc.de> Message-ID: 
<4912A7F5.9050309@hu.digi.tv>

FYI about 4B ASN :)

Gert Doering wrote:
> Hi,
>
> On Thu, Oct 30, 2008 at 11:59:13AM -0600, Forrest W Christian wrote:
>> The must-have features in my mind are:
>>
>> BGP4 w/Long ASN
>
> Complain to your Cisco sales representative. And do it loudly.
>
> To my knowledge, there is *still* no IOS version with support for
> 32bit-AS-Numbers (IOS XR has this since a year or so).
>
> gert
>

--
Antal GERGELY
Backbone Network Department
IP Services
DIGI KFT
Budapest Vaci ut 35.
H-1134 Hungary

From Anton.Schweitzer at o2.com Thu Nov 6 03:56:33 2008
From: Anton.Schweitzer at o2.com (Anton.Schweitzer at o2.com)
Date: Thu, 6 Nov 2008 09:56:33 +0100
Subject: [c-nsp] Cisco 881 3G Router Experiences
In-Reply-To: <4912A53C.4050609@packetfault.org>
Message-ID:

Hi,

is anybody here using a Cisco 881 3G Router with IPSEC and can share his experiences/config with me?

Cheers
Anton

Anton Schweitzer
Senior Specialist BS Projekt & Service
Customer Design
o2 (Germany) GmbH & Co.OHG
Georg Brauchle-Ring 23-25, D-80992 München
Tel +49(0)89-2442-5794
Mobile +49(0)176-23407715
Fax +49(0)89-2442-4281
anton.schweitzer at o2.com

Telefónica o2 Germany GmbH & Co. OHG · Georg-Brauchle-Ring 23-25 · 80992 München · Germany · www.o2.com/de
VAT ID no. DE 811 889 638. Munich District Court HRA 70343. Partners: Telefónica o2 Germany Management GmbH, Munich District Court HRB 109061, and Telefónica o2 Germany Verwaltungs GmbH, Munich District Court HRB 121389, both registered there. Managing directors of both partners: Jaime Smith Basterra, Chairman. Antonio Botas Banuelos. Andrea Folgueiras. André Krause. Lutz Schüler. Carsten Wreth.
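An added example, not from any post in this archive, illustrating what the "4B ASN" support that Antal and Gert discuss above actually involves: asplain/asdot notation, the AS_TRANS substitution a 4-byte-capable BGP speaker makes in AS_PATH when talking to a peer that only understands 2-byte AS numbers, and the AS4_PATH reconstruction on the far side. The rules follow RFC 4893; the path values are constructed for illustration.

```python
"""4-byte BGP AS number handling (RFC 4893 rules, constructed sample paths).

Added example, not code from the cisco-nsp thread. AS_TRANS (23456) is the
reserved 2-byte placeholder defined by RFC 4893 for old-BGP speakers.
"""

AS_TRANS = 23456


def parse_asn(text: str) -> int:
    """Parse an ASN written in asplain ("196608") or asdot ("3.0") form."""
    if "." in text:
        high_s, low_s = text.split(".", 1)
        high, low = int(high_s), int(low_s)
        if not (0 <= high <= 0xFFFF and 0 <= low <= 0xFFFF):
            raise ValueError(f"asdot component out of range: {text}")
        return (high << 16) | low
    asn = int(text)
    if not 0 <= asn <= 0xFFFFFFFF:
        raise ValueError(f"ASN out of 32-bit range: {text}")
    return asn


def to_asdot(asn: int) -> str:
    """asdot notation: 2-byte ASNs unchanged, 4-byte ASNs as high.low."""
    if asn <= 0xFFFF:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def is_4byte(asn: int) -> bool:
    """True for ASNs that do not fit in the classic 16-bit field."""
    return asn > 0xFFFF


def as_path_for_peer(path, peer_supports_4byte: bool):
    """Return (AS_PATH sent, AS4_PATH sent or None) for one peer.

    A 4-byte-capable peer receives the real ASNs in AS_PATH and no AS4_PATH.
    An old-BGP peer cannot carry 4-byte ASNs, so each one is replaced by
    AS_TRANS in AS_PATH and the true path travels in the AS4_PATH attribute.
    """
    if peer_supports_4byte or not any(is_4byte(a) for a in path):
        return list(path), None
    return [AS_TRANS if is_4byte(a) else a for a in path], list(path)


def reconstruct_path(as_path, as4_path):
    """Rebuild the true path from an update relayed through old-BGP routers.

    AS4_PATH replaces the trailing part of AS_PATH of equal length; ASNs that
    old-BGP routers prepended in between are kept. Per RFC 4893, an AS4_PATH
    longer than AS_PATH is ignored.
    """
    if as4_path is None or len(as4_path) > len(as_path):
        return list(as_path)
    keep = len(as_path) - len(as4_path)
    return list(as_path[:keep]) + list(as4_path)


def path_contains_local_as(path, local_as: int) -> bool:
    """The loop check a receiver applies to AS_PATH before accepting a route;
    IOS 'neighbor ... allowas-in' is the knob that deliberately relaxes it."""
    return local_as in path


if __name__ == "__main__":
    # Constructed path: 65000 -> 196608 (asdot 3.0) -> 65001
    real = [parse_asn("65000"), parse_asn("3.0"), parse_asn("65001")]
    print("to old-BGP peer:", as_path_for_peer(real, False))
    print("to 4-byte peer:", as_path_for_peer(real, True))
    print([to_asdot(a) for a in real])
```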
From david.freedman at uk.clara.net Thu Nov 6 04:28:35 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 06 Nov 2008 09:28:35 +0000
Subject: [c-nsp] show ip cef resources
In-Reply-To:
References:
Message-ID:

What kind of box is this? GSR? What kind of cards?

Dave.

Drew Weaver wrote:
> This is kind of a trivial question but does anyone know at or around what numbers the 'show ip cef resources' is no longer G (Green?)
>
> It has been creeping up over the last year or so and I'm just trying to make sure we plan accordingly.
>
> Thanks,
> -Drew
>

From ltd at cisco.com Thu Nov 6 04:49:27 2008
From: ltd at cisco.com (Lincoln Dale)
Date: Thu, 06 Nov 2008 20:49:27 +1100
Subject: [c-nsp] ip cef optimize neighbor resolution
In-Reply-To: <20081105165146.GA8842@kallisti.us>
References: <20081105165146.GA8842@kallisti.us>
Message-ID: <4912BDA7.2000605@cisco.com>

hi Ross,

Ross Vandegrift wrote:
> Hi everyone,
>
> Has anyone running SXH on a SUP720-3B(-XL) series 6500 tried "ip cef
> optimize neighbor resolution"?
>
> Cisco's docs seem to offer the usual tautologous explanation, and as a
> bonus, include a circular reference:
>

LOL, classic.

> Both indicate that it triggers "Layer 2 address resolution of neighbors
> directly from Cisco Express Forwarding for IPv[46]".
>
> Has anyone tried this? It sounds like this could be a win for a pair
> of 6500s I have with unexplainable high RP utilization problems - the
> boxes terminate a lot of VLANs and have a lot of ARP responsibilities.
> But I can't really find much discussion of it.
>

the feature is essentially an enhancement for how CEF Gleans and the like are handled.
if you're familiar with how those kinds of things work, they would typically need to punt to software to resolve a (not yet available) adjacency through ARP or similar.

the enhancement/optimization here is that it can do it with fewer CPU cycles.

as to whether this would help in your scenario, it's certainly a possibility. but unless what you're seeing is a relatively short period of higher CPU during ARP / IP to MAC discovery, me thinks you may want to look into what your ARP aging timers are relative to your MAC aging timers.

cheers,

lincoln.

From willay at gmail.com Thu Nov 6 05:58:51 2008
From: willay at gmail.com (William)
Date: Thu, 6 Nov 2008 10:58:51 +0000
Subject: [c-nsp] problems filtering multicast]
In-Reply-To: <4911C8C6.7030103@slepicka.net>
References: <4911C8C6.7030103@slepicka.net>
Message-ID:

Thanks James, this worked perfectly!

Cheers.

W

2008/11/5 James Slepicka :
> use the ip multicast boundary command:
> http://www.cisco.com/en/US/docs/ios/12_2/ipmulti/command/reference/1rfmult1.html#wp1058494
>
> e.g.
> ip access-l standard mcast_boundary_vl999
> permit 224.9.9.9
>
> int vl999
> ip multicast boundary mcast_boundary_vl999
>
> James
>
> William wrote:
>>
>> Hi,
>>
>> I'm running multicast routing with sparse-dense-mode and I'd like to
>> filter out some of the addresses. I've created a standard access list
>> permitting the multicast addresses I want to be routed out and then a
>> deny any at the end.
>>
>> I've applied it to the interface using the ip igmp access-group
>> command but it doesn't seem to be effective, the end hosts
>> are still receiving the multicast streams which I've attempted to
>> filter out.
>>
>> The hardware is a 6500 (catos) with a sup2, the configuration looks
>> like so on the first switch:
>>
>> interface vlan999
>> ip address 192.168.99.254 255.255.255.0
>> ip pim sparse-dense-mode
>> ip igmp access-group multicast
>>
>>
>> ip access-list standard multicast
>> permit 239.255.1.1
>> deny any
>>
>> The end host is on a 3750, I tried applying the access-list and ip
>> igmp access-group statement to the vlan interface where the end host
>> is and the multicast traffic that I wish to be filtered is still
>> coming over.
>>
>> Am I doing something terribly wrong here for it not to work?
>>
>> Thank you for your time.
>>
>> W
>>
>
>

From willay at gmail.com Thu Nov 6 06:03:42 2008
From: willay at gmail.com (William)
Date: Thu, 6 Nov 2008 11:03:42 +0000
Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP?
Message-ID:

Hi Chaps,

I used to have a VPN tunnel running between two sites using Cisco Pix 6.x. The B end now has a dynamic IP address; every time the router reloads, the tunnel goes down and to get it back up we have to reconfigure an ISAKMP key and change our config here on the A end.

Is there a way I can get round this? The router in front of our B-end PIX is not Cisco, nor is it under our control.

My client downgraded their Internet Service package which also meant that they now have a dynamic IP address :(

Thanks for your time.

W

From mvanton at gmail.com Thu Nov 6 06:05:10 2008
From: mvanton at gmail.com (vince anton)
Date: Thu, 6 Nov 2008 12:05:10 +0100
Subject: [c-nsp] 10G MMF on 12k ?
Message-ID: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com>

Hi

I'm looking at enabling 10G on the 12k platform and it looks like the SPA-1x10GE-L-V2 is the one to go for inside a SIP601. But it seems like the SPA only supports single mode SFPs.

I'm finding it hard to believe that I need to use single mode fibre to connect the SPA to a switch in the same rack, besides the fact that I then most likely need to use optical attenuators to 'fix' the fact that I'm using single mode fibre for such a short distance!!

What's everyone doing with 10G on the 12k out there?

Thanks,

anton

From swmike at swm.pp.se Thu Nov 6 06:15:03 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 6 Nov 2008 12:15:03 +0100 (CET)
Subject: [c-nsp] 10G MMF on 12k ?
In-Reply-To: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com>
References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com>
Message-ID:

On Thu, 6 Nov 2008, vince anton wrote:

> I'm looking at enabling 10G on the 12k platform and it looks like the
> SPA-1x10GE-L-V2 is the one to go for inside a SIP601. But it seems like
> the SPA only supports single mode SFPs.

The SPA-1x10GE-L-V2 supports XFP, not SFP.

> I'm finding it hard to believe that I need to use single mode fibre to connect
> the SPA to a switch in the same rack, besides the fact that I then most
> likely need to use optical attenuators to 'fix' the fact that I'm using
> single mode fibre for such a short distance!!

There is no need to use attenuators for 10GBASE-LR even if you run it over a 1 meter cable. Also, I would be very surprised if cisco didn't support SR in that module, where did you get that information?

> What's everyone doing with 10G on the 12k out there?

For 10GE on 12k, I'd say the SIP-601 + SPA1x10GE-L-V2 is the best way to go.
--
Mikael Abrahamsson email: swmike at swm.pp.se

From mvanton at gmail.com Thu Nov 6 07:12:55 2008
From: mvanton at gmail.com (vince anton)
Date: Thu, 6 Nov 2008 13:12:55 +0100
Subject: [c-nsp] 10G MMF on 12k ?
In-Reply-To:
References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com>
Message-ID: <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com>

>
> There is no need to use attenuators for 10GBASE-LR even if you run it over
> a 1 meter cable. Also, I would be very surprised if cisco didn't support SR
> in that module, where did you get that information?
>

The datasheet doesn't say anything about supporting SR in that SPA. Looks like 10km with LR optics is the lowest you can go to cross a rack!!! - check it out at http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd804dc62d.html

> What's everyone doing with 10G on the 12k out there?
>
> For 10GE on 12k, I'd say the SIP-601 + SPA1x10GE-L-V2 is the best way to go.
>

thanks for that :-)

cheers,

anton

From swmike at swm.pp.se Thu Nov 6 07:18:57 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Thu, 6 Nov 2008 13:18:57 +0100 (CET)
Subject: [c-nsp] 10G MMF on 12k ?
In-Reply-To: <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com>
References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com>
Message-ID:

On Thu, 6 Nov 2008, vince anton wrote:

> The datasheet doesn't say anything about supporting SR in that SPA. Looks
> like 10km with LR optics is the lowest you can go to cross a rack!!! -
> check it out at
> http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd804dc62d.html

Yes, I think you're right, the XFP-10G-MM-SR isn't listed as supported on any of the SPA based platforms. Talk to your account team and ask why and if it'll change in the future.
Compared to what the SIP-601 and the SPA cost, the price difference between SM and MM isn't that great, but I guess that if you standardise on MM within site (we use SM everywhere) this might be a hassle.

--
Mikael Abrahamsson email: swmike at swm.pp.se

From Jamie.Stephens at chartercom.com Thu Nov 6 09:17:58 2008
From: Jamie.Stephens at chartercom.com (Stephens, Jamie A)
Date: Thu, 6 Nov 2008 08:17:58 -0600
Subject: [c-nsp] BGP Question
In-Reply-To:
References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com>
Message-ID:

Is there a command to allow received routes from the same AS #?

E-MAIL CONFIDENTIALITY NOTICE: The contents of this e-mail message and any attachments are intended solely for the addressee(s) and may contain confidential and/or legally privileged information. If you are not the intended recipient of this message or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message and any attachments. If you are not the intended recipient, you are notified that any use, dissemination, distribution, copying, or storage of this message or any attachment is strictly prohibited.

From luan at netcraftsmen.net Thu Nov 6 09:25:07 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 6 Nov 2008 09:25:07 -0500
Subject: [c-nsp] BGP Question
In-Reply-To:
References: <87e0d3ae0811060305t42436040t307893ea458afb48@mail.gmail.com> <87e0d3ae0811060412y3c986a5eqf6188bbe00065dc1@mail.gmail.com>
Message-ID: <072d01c9401b$780d6c10$68284430$@net>

Neighbor allowas-in

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephens, Jamie A
Sent: Thursday, November 06, 2008 9:18 AM
To: cisco-nsp
Subject: [c-nsp] BGP Question

Is there a command to allow received routes from the same AS #?

From ecables at gmail.com Thu Nov 6 09:46:39 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 6 Nov 2008 06:46:39 -0800
Subject: [c-nsp] ipsec over gre with nhrp
In-Reply-To: <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com>
References: <01N1KT6EUKF89AQUIH@queens.tink.com> <8a4649bb0811051911g552e35b5nc0fd24d11b9dfdaa@mail.gmail.com>
Message-ID:

Make certain that if you have multiple tunnels on your gateway device that use the same tunnel source/ipsec profile, that you specify the "shared" keyword at the end of the tunnel protection statement.

--
Eric Cables

On Wed, Nov 5, 2008 at 7:11 PM, Rakesh Hegde wrote:
> Hello,
>
> With the information you have provided, what I can see is that you are
> trying IPSEC over GRE.
> I had come across a similar issue where the router
> used the GRE tunnel source interface to build the IPSEC tunnel even though I
> had the tunnel interface as the local interface for the crypto map. This is
> exactly what you are seeing here. I resolved the issue by learning a loopback
> through the tunnel and using it as the IPSEC tunnel source/destination
> points with the local loopback as the local interface for the crypto map.
> You also need to point any traffic to be encrypted, matching
> the destination subnet in the crypto acl, to the tunnel interface.
>
> There is a simpler and preferred way of doing this using VTI interfaces. In
> your case this is going to be GRE protection using IPSEC. It has worked
> great for us.
>
> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtIPSctm.html
>
> Hope this helps
>
> -Rakesh
>
>
> On Wed, Nov 5, 2008 at 4:04 PM, Bob Tinkelman wrote:
>
> > I'm doing something that I thought I'd done before, but am
> > running into problems and need a sanity check.
> >
> > I have 2 "customer site routers", each configured for main
> > access via T1 and backup Internet access via a cable-modem
> > service with a dynamic ip address.
> >
> > They also have an ipsec vpn to route internal (192.168/16 and
> > 10/8) nets between the two sites, using crypto maps on the
> > T1 serial ports in the standard way.
> >
> > All that works.
> >
> > I wanted to provide a backup to the ipsec VPN using the cable
> > modem ports, and proceeded as follows:
> >
> > o I configured a multi-point tunnel with both customer sites
> > using nhrp to connect to one of my routers. [This works.
> > The routers can ping each other over the tunnel.]
> > This was done because otherwise the routers, each with a
> > dynamic ip address, would have trouble finding each other.
> >
> > o I mimic'd the ipsec vpn on the T1 serial interfaces, building
> > a similar one on the tunnel interfaces. [This didn't work,
> > and it's pretty clear why.]
> >
> >
> > Here are the relevant portions of the config. [I'm willing to
> > share more, but wanted to keep this post manageable.]
> >
> > Interface housing the cable-modem:
> >
> > | CT-gw#sho run int fa0/1
> > | Building configuration...
> > |
> > | Current configuration : 186 bytes
> > | !
> > | interface FastEthernet0/1
> > | description Cable modem connection
> > | ip address dhcp
> > | ip access-group from-cablemodem in
> > | ip nat outside
> > | ip virtual-reassembly
> > | duplex auto
> > | speed auto
> > | end
> > | CT-gw#
> >
> > The address dhcp-assigned by the carrier:
> >
> > | CT-gw#sho int fa0/1 | inc Internet address
> > | Internet address is 192.168.1.64/24
> > | CT-gw#
> >
> > The tunnel interface:
> >
> > | CT-gw#sho run int t202
> > | Building configuration...
> > |
> > | Current configuration : 729 bytes
> > | !
> > | interface Tunnel202
> > | description Dynamic multi-point ISPnet-customer tunnel
> > | bandwidth 1000
> > | ip address 69.48.189.23 255.255.255.0
> > | ip access-group from-world in
> > | no ip redirects
> > | ip mtu 1416
> > | ip nat inside
> > | ip nhrp authentication
> > | ip nhrp map multicast 165.254.97.2
> > | ip nhrp map multicast 165.254.147.2
> > | ip nhrp map 69.48.189.1 165.254.97.2
> > | ip nhrp map 69.48.189.2 165.254.147.2
> > | ip nhrp network-id
> > | ip nhrp holdtime 300
> > | ip nhrp nhs 69.48.189.1
> > | ip nhrp nhs 69.48.189.2
> > | ip nhrp server-only
> > | ip virtual-reassembly
> > | no ip route-cache cef
> > | no ip route-cache
> > | no ip mroute-cache
> > | delay 1000
> > | tunnel source FastEthernet0/1
> > | tunnel mode gre multipoint
> > | tunnel key
> > | crypto map CLINTON-TU-202-MAP
> > | end
> > | CT-gw#
> >
> > The tunnel is working:
> >
> > | CT-gw#ping 69.48.189.24
> > |
> > | Type escape sequence to abort.
> > | Sending 5, 100-byte ICMP Echos to 69.48.189.24, timeout is 2 seconds:
> > | !!!!!
> > | Success rate is 100 percent (5/5), round-trip min/avg/max = 140/141/144 ms
> > | CT-gw#
> >
> > | CT-gw#tr 69.48.189.24
> > |
> > | Type escape sequence to abort.
> > | Tracing the route to tu-202.fl-gw.cngrp.com (69.48.189.24)
> > |
> > | 1 tu-202.gw1.nycmnycz.ispnetinc.net (69.48.189.1) 28 msec 28 msec 28 msec
> > | 2 tu-202.fl-gw.cngrp.com (69.48.189.24) 136 msec * 136 msec
> > | CT-gw#
> >
> > The crypto map is defined like this:
> >
> > | CT-gw#sho run | begin crypto map CLINTON-TU-202-MAP
> > | crypto map CLINTON-TU-202-MAP local-address Tunnel202
> > | crypto map CLINTON-TU-202-MAP 1 ipsec-isakmp
> > | set peer 69.48.189.24
> > | set transform-set TRANSFORM-SET-FL
> > | match address CT-inside-to-FL-inside
> > | !
> >
> > But it's not working.
> >
> > It looks like it's using the wrong ip address for the "local
> > address" of the crypto map.
> >
> > It's using the dhcp-assigned address of Fa0/1, when I'd thought
> > it should be using the address of Tu202.
> >
> > | CT-gw#sho crypto map int t202
> > >>| Crypto Map: "CLINTON-TU-202-MAP" idb: Tunnel202 local address: 192.168.1.64
> > |
> > | Crypto Map "CLINTON-TU-202-MAP" 1 ipsec-isakmp
> > | Peer = 69.48.189.24
> > | Extended IP access list CT-inside-to-FL-inside
> > | access-list CT-inside-to-FL-inside permit ip 192.168.7.0 0.0.0.255 10.1.1.0 0.0.0.255
> > | Current peer: 69.48.189.24
> > | Security association lifetime: 4608000 kilobytes/3600 seconds
> > | PFS (Y/N): N
> > | Transform sets={
> > | TRANSFORM-SET-FL,
> > | }
> > | Interfaces using crypto map CLINTON-TU-202-MAP:
> > | Tunnel202
> > | CT-gw#
> >
> > I think it's pretty clear that 192.168.1.64 won't cut it as one end
> > of the VPN.
> >
> >
> >
> > The two customer sites are in CT and FL, both with their "cable modem
> > connections" actually being ATT DSL services. [Long story; don't ask.]
> >
> > Amusingly, both show the leases with the same IP Addr and gateway, as in:
> >
> > | CT-gw#sho dhcp lease
> > | Temp IP addr: 192.168.1.64 for peer on Interface: FastEthernet0/1
> > | Temp sub net mask: 255.255.255.0
> > | DHCP Lease server: 192.168.1.254, state: 3 Bound
> > | DHCP transaction id: 1FD4
> > | Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
> > | Temp default-gateway addr: 192.168.1.254
> > | Next timer fires after: 07:58:12
> > | Retry count: 0 Client-ID: cisco-0019.5550.5b41-Fa0/1
> > | Client-ID hex dump: 636973636F2D303031392E353535302E
> > | 356234312D4661302F31
> > | Hostname: CT-gw
> >
> >
> > | FL-gw#sho dhcp lease
> > | Temp IP addr: 192.168.1.64 for peer on Interface: FastEthernet0/1
> > | Temp sub net mask: 255.255.255.0
> > | DHCP Lease server: 192.168.1.254, state: 3 Bound
> > | DHCP transaction id: 1FD4
> > | Lease: 86400 secs, Renewal: 43200 secs, Rebind: 75600 secs
> > | Temp default-gateway addr: 192.168.1.254
> > | Next timer fires after: 07:57:26
> > | Retry count: 0 Client-ID: cisco-0019.5550.5c79-Fa0/1
> > | Client-ID hex dump: 636973636F2D303031392E353535302E
> > | 356337392D4661302F31
> > | Hostname: FL-gw
> > | FL-gw#
> >
> >
> > I don't think that's relevant.
> >
> > I think the problem is that I need to get the crypto map to use the
> > 69.48.189.23 (CT) and 69.48.189.24 (FL) addresses, not 192.168.1.*.
> >
> > Thoughts?
> > --
> > Bob Tinkelman
> >
>

From mr.dave.jacobs at gmail.com Thu Nov 6 09:48:28 2008
From: mr.dave.jacobs at gmail.com (David Jacobs)
Date: Thu, 6 Nov 2008 09:48:28 -0500
Subject: [c-nsp] ISIS Route Flapping Issue
In-Reply-To: <1225905544.13955.6.camel@abehat>
References: <1225905544.13955.6.camel@abehat>
Message-ID:

Hello Peter, thank you for your reply. I changed my NET address back to the original and reloaded, and I tried to dig up more data on this.

FYI, this is what my config looks like on this box.

router isis
net 49.0001.0001.5011.1565.00
is-type level-2-only
metric-style wide
spf-interval 30
log-adjacency-changes
redistribute connected
redistribute static ip

>
> >What did the box itself have in its routing table at this time? How does
> >the box lift the host prefix into IS-IS? Does a "debug isis rib
> >resdistribution" give any clues?
>

Here is a summary of what is in the routing table now...

router1#sh ip route summary
IP routing table name is Default-IP-Routing-Table(0)
Route Source    Networks    Subnets     Overhead    Memory (bytes)
connected       0           4           256         608
static          1           6           448         1064
isis            144         6179        732864      961096
  Level 1: 0  Level 2: 6323

"debug isis rib redis" doesn't seem to lend any clues unfortunately.
I did find something odd, though. When I did a "sh clns interface" I am seeing the "circuit ID:" of the neighboring core routers in the Circuit ID field:

GigabitEthernet5/0/0 is up, line protocol is up
Level-2 Metric: 99999, Priority: 64, Circuit ID: Name of Neighboring Router1
GigabitEthernet6/0/0 is up, line protocol is up
Level-2 Metric: 99999, Priority: 64, Circuit ID: Name of Neighboring Router2

but when I do this from all other routers, the Circuit ID is the local hostname of the router. Not sure if that has anything to do with it or not.

When I do a "sh spf-log" this is the message I keep seeing. On Cisco:

00:24:50 72 109 8 router1.00-00 TLVCONTENT
00:24:20 72 109 8 router1.00-00 TLVCONTENT
00:23:50 76 109 8 router1.00-00 TLVCONTENT
00:23:20 64 109 8 router1.00-00 TLVCONTENT
00:22:50 76 109 8 router1.00-00 TLVCONTENT
00:22:20 72 109 8 router1.00-00 TLVCONTENT
00:21:50 72 109 8 router1.00-00 TLVCONTENT
00:21:20 72 109 8 router1.00-00 TLVCONTENT
00:20:50 72 109 8 router1.00-00 TLVCONTENT
00:20:19 72 108 7 router1.00-00 TLVCONTENT
00:19:49 72 108 8 router1.00-00 TLVCONTENT
00:19:19 68 108 8 router1.00-00 TLVCONTENT

and on Foundry:

1m55s 450ms 78 6 router1.00-00 Area Address TLV Change
2m26s 450ms 39 17 router1.00-00 Area Address TLV Change
2m56s 450ms 39 17 router1.00-00 Area Address TLV Change
3m27s 450ms 39 13 router1.00-00 Area Address TLV Change
3m57s 450ms 39 18 router1.00-00 Area Address TLV Change

>
>
> >Brand new 7500 hardware? Where? ;-)

By new I mean just purchased from somewhere, right out of the box in that new (never been crinkled) static wrap and never used by us before =)

>
>
>
> >A shot in the dark, but you wouldn't happen to have another box with the
> >same NET on your network?
>
> I thought of that as well, but I compared all of the other NET addresses
> and they are pretty unique. And correct me if I'm wrong, but if there was
> another router running ISIS with the same NET address wouldn't it come up
> with an error like..
%CLNS-4-BADPACKET: ISIS: LAN L2 hello, Duplicate system ID detected from (duplicate NET address)

I forget if there is a command to view all NET addresses in the database.

Thanks again for all of the help

From luan at netcraftsmen.net Thu Nov 6 09:56:30 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 6 Nov 2008 09:56:30 -0500
Subject: [c-nsp] Cisco 881 3G Router Experiences
In-Reply-To:
References: <4912A53C.4050609@packetfault.org>
Message-ID: <073c01c9401f$da103970$8e30ac50$@net>

Basically just another DHCP interface IP-wise. Here's a sample configuration for DMVPN/IPSEC I used for 1841 3G-EVDO. I used it as a primary connection as well as backup connection.

interface Dialer1
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer string cdma
 dialer persistent
 dialer-group 1
!
interface Cellular0/1/0
 ip address negotiated
 ip virtual-reassembly
 encapsulation ppp
 dialer in-band
 dialer pool-member 1
 dialer-group 1
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address x.x.x.x
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set cisco esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile cisco
 set transform-set cisco
 set pfs group5
!
interface Tunnel0
 bandwidth 1000
 ip address 10.0.0.2 255.255.255.0
 ip mtu 1400
 ip nhrp authentication donttell
 ip nhrp map 10.0.0.1 x.x.x.x
 ip nhrp map multicast x.x.x.x
 ip nhrp network-id 99
 ip nhrp holdtime 300
 ip nhrp nhs 10.0.0.1
 ip tcp adjust-mss 1360
 delay 100
 tunnel source dialer1
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile cisco

You could use IPSEC tunnel mode without DMVPN as well, just make sure the other side is configured for a dynamic crypto map.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Anton.Schweitzer at o2.com
Sent: Thursday, November 06, 2008 3:57 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Cisco 881 3G Router Experiences

Hi,

is anybody here using a Cisco 881 3G Router with IPSEC and can share his experiences/config with me?

Cheers
Anton

From luan at netcraftsmen.net Thu Nov 6 10:05:59 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Thu, 6 Nov 2008 10:05:59 -0500
Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP?
In-Reply-To:
References:
Message-ID: <073d01c94021$2d2d4610$8787d230$@net>

Just change your A end to use a dynamic map.
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a0080094680.shtml

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of William
Sent: Thursday, November 06, 2008 6:04 AM
To: cisco-nsp
Subject: [c-nsp] PIX 6.x Site2Site with dynamic IP?

Hi Chaps,

I used to have a VPN tunnel running between two sites using Cisco Pix 6.x. The B end now has a dynamic IP address; every time the router reloads, the tunnel goes down and to get it back up we have to reconfigure an ISAKMP key and change our config here on the A end.

Is there a way I can get round this? The router in front of our B-end PIX is not Cisco, nor is it under our control.

My client downgraded their Internet Service package which also meant that they now have a dynamic IP address :(

Thanks for your time.

W

From ross at kallisti.us Thu Nov 6 11:00:13 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Thu, 6 Nov 2008 11:00:13 -0500
Subject: [c-nsp] ip cef optimize neighbor resolution
In-Reply-To: <4912BDA7.2000605@cisco.com>
References: <20081105165146.GA8842@kallisti.us> <4912BDA7.2000605@cisco.com>
Message-ID: <20081106160013.GA20669@kallisti.us>

On Thu, Nov 06, 2008 at 08:49:27PM +1100, Lincoln Dale wrote:
> the feature is essentially an enhancement for how CEF Gleans and the
> like are handled.
> if you're familiar with how those kinds of things work, they would
> typically need to punt to software to resolve a (not yet available)
> adjacency through ARP or similar.
>
> the enhancement/optimization here is that it can do it with fewer CPU
> cycles.

Well that always sounds like a good idea!

> as to whether this would help in your scenario, it's certainly a
> possibility.
> but unless what you're seeing is a relatively short period
> of higher CPU during ARP / IP to MAC discovery, me thinks you may want
> to look into what your ARP aging timers are relative to your MAC aging
> timers.

Hmmm, we do see ARP Input spikes, but the symptoms are a pretty constantly elevated CPU utilization. Sounds like a win but not a panacea. Do you know if a change is service-impacting?

Our MAC aging timers are 300 seconds and ARP is 4 hours.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From csirek at cooler.hu Thu Nov 6 11:24:38 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Thu, 06 Nov 2008 17:24:38 +0100
Subject: [c-nsp] service policy + SYN flood vs. periodic high cpu load
Message-ID: <49131A46.7030801@cooler.hu>

Hi all,

I'm testing the control plane policy in my lab. Now I found a very interesting event.

I have a 6500/sup720 with different IOS (SXF6, SXF10a, SXH3a). I send a very big SYN flood to this router. I'm doing this test in a clear config (erase startup, reload :) ).

I made a policy:

class-map match-all synfloodgeprol
 match access-group 199
!
policy-map synflood-in
 class synfloodgeprol
  police cir 128000 bc 4000 be 4000 conform-action transmit exceed-action drop violate-action drop
!
access-list 199 remark DEFAULT
access-list 199 permit tcp any any
access-list 199 permit udp any any
access-list 199 permit icmp any any
access-list 199 permit ip any any
!
interface GigabitEthernet5/2
 ip address 10.0.0.1 255.255.255.0
 load-interval 30
 media-type rj45
 service-policy input synflood-in

I tried to put the service-policy on the control-plane but no difference.

The input interface traffic is:

30 second input rate 155775000 bits/sec, 304249 packets/sec
30 second output rate 128000 bits/sec, 250 packets/sec

The output rate is good: the CPU receives 128K of SYNs and answers 128K of ACK/RST packets because my policy is working. That is the goal in this case.
Under this flood the CPU load:

Router#cpu
CPU utilization for five seconds: 0%/0%; one minute: 3%; five minutes: 6%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3        1368      1378    992  0.55%  0.07%  0.06%   0 Exec
   5        3868       263  14707  0.00%  0.33%  0.25%   0 Check hea
  20        2624     34446     76  0.00%  0.09%  0.06%   0 IPC Seat
  43         652        27  24148  0.00%  0.02%  0.00%   0 Per-minu
 155       57572    310276    185  0.00%  1.57%  3.56%   0 IP Input
 230         368      2206    166  0.00%  0.01%  0.00%   0 CEF: IPv4
 240         528       703    751  0.07%  0.03%  0.02%   0 HIDDEN VL

The policy is working great. But every 4th minute the CPU load goes up:

Router#cpu
CPU utilization for five seconds: 79%/68%; one minute: 8%; five minutes: 6%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3        2012      1617   1244  0.31%  0.61%  0.22%   0 Exec
   5        4072       278  14647  0.00%  0.20%  0.22%   0 Check hea
  20        2812     37348     75  0.00%  0.04%  0.05%   0 IPC Seat
  27          56       555    100  0.00%  0.02%  0.00%   0 EnvMon
  43         708        29  24413  0.00%  0.03%  0.00%   0 Per-minut
 155       59732    336634    177 10.47%  1.13%  2.68%   0 IP Input
 230         400      2373    168  0.00%  0.01%  0.00%   0 CEF: IPv4
 240         568       756    751  0.00%  0.03%  0.02%   0 HIDDEN VL

some seconds later:

Router#cpu
CPU utilization for five seconds: 99%/7%; one minute: 15%; five minutes: 7%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3        2100      1637   1282  1.11%  0.65%  0.23%   0 Exec
   5        4072       278  14647  0.00%  0.19%  0.22%   0 Check he
  20        2812     37348     75  0.00%  0.03%  0.05%   0 IPC Seat
  27          56       555    100  0.00%  0.02%  0.00%   0 EnvMon
  43         708        29  24413  0.00%  0.03%  0.00%   0 Per-minu
  77         252      1539    163  0.07%  0.00%  0.00%   0 Heartbeat
 155       66192    338269    195 90.71%  8.30%  4.14%   0 IP Input
 230         400      2382    167  0.07%  0.02%  0.00%   0 CEF: IPv4
 240         572       759    753  0.00%  0.03%  0.01%   0 HIDDEN VL

and again some seconds later:

Router#cpu
CPU utilization for five seconds: 0%/0%; one minute: 2%; five minutes: 6%
 PID Runtime(ms)   Invoked  uSecs   5Sec   1Min   5Min TTY Process
   3        2320      1730   1341  0.23%  0.08%  0.17%   0 Exec
   5        4552       308  14779  0.00%  0.25%  0.24%   0 Check hea
  20        3008     40249     74  0.00%  0.04%  0.04%   0 IPC Seat
  43         792        32  24750  0.00%  0.04%  0.00%   0 Per-minu
  77         316      1702    185  0.00%  0.01%  0.00%   0 Heartbeat
 155       68644    378964    181  0.00%  1.03%  3.26%   0 IP Input
 230         444      2639    168  0.07%  0.02%  0.00%   0 CEF: IPv4
 240         636       841    756  0.00%  0.03%  0.02%   0 HIDDEN VL

This is the history of cpu (column alignment of the histograms was lost in the archive; the rows are kept in order):

    55555999999999944444 333330000099999666667777711111 2222211111
100 **********
 90 **********
 80 **********
 70 **********
 60 **********
 50 ********************
 40 ********************
 30 ********************
 20 ********************
 10 ********************
  0....5....1....1....2....2....3....3....4....4....5....5....
            0    5    0    5    0    5    0    5    0    5
              CPU% per second (last 60 seconds)

    1 0 9 9 12 460444944394439
100 * * *
 90 * * *
 80 * * *
 70 * * *
 60 * * *
 50 * * *
 40 * * *
 30 * * * *
 20 # # # *
 10 # # # **
  0....5....1....1....2....2....3....3....4....4....5....5....
            0    5    0    5    0    5    0    5    0    5
              CPU% per minute (last 60 minutes)
             * = maximum CPU%   # = average CPU%

If I increase the 128K to 256K in the policy, the big CPU load comes every 2nd minute. If I set it to 64K, the load stays at every 4th minute, but is ~40-50% instead of 100%.

Any idea?

Thanks
Laszlo

From techconfig at yahoo.com Thu Nov 6 11:38:49 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Thu, 6 Nov 2008 08:38:49 -0800 (PST)
Subject: [c-nsp] GSR no ldp all of a sudden
Message-ID: <880615.45377.qm@web44811.mail.sp1.yahoo.com>

Hi

I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success. Here is a brief output of some ldp commands:

---------here the LDP suddenly dropped--------
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor

rt-lon-12#sh mpls ldp discovery
 Local LDP Identifier:
    5.14.95.246:0
    Discovery Sources:
    Interfaces:
        Port-channel1 (ldp): xmit/recv
            LDP Id: 5.14.95.243:0
        Port-channel2 (ldp): xmit/recv
            LDP Id: 5.14.95.244:0
        Port-channel3 (ldp): xmit/recv
            LDP Id: 5.14.95.245:0

rt-lon-12#sh mpls interfaces
Interface              IP            Tunnel   Operational
GigabitEthernet0/0/0   Yes           No       Yes
GigabitEthernet0/0/1   Yes           No       Yes
GigabitEthernet0/0/2   Yes           No       Yes
GigabitEthernet0/0/3   Yes           No       Yes
GigabitEthernet0/0/4   Yes           No       Yes
GigabitEthernet0/0/5   Yes           No       Yes
Port-channel1          Yes (ldp)     No       Yes
Port-channel2          Yes (ldp)     No       Yes
Port-channel3          Yes (ldp)     No       Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses

Regards

Mark

From jml at packetpimp.org Thu Nov 6 10:58:39 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 06 Nov 2008 10:58:39 -0500
Subject: [c-nsp] sup1a -> sup32 image questions
Message-ID: <4913142F.1070604@packetpimp.org>

Hi all,

I'm about to begin upgrading our old sup1a/msfc1 switches from both native and hybrid IOS to sup32 native. My main requirements are simple: BGP and IOS SLB. The new download layout and new hardware are causing me some problems. Am I going to need both sp and rp images or a single image?
Jason From rakeshh at gmail.com Thu Nov 6 11:58:56 2008 From: rakeshh at gmail.com (Rakesh Hegde) Date: Thu, 6 Nov 2008 10:58:56 -0600 Subject: [c-nsp] 6509 sup 720 + export map In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com> References: <8a4649bb0811042136k3cd6dc07uf62aef54026bb553@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406520703@xmb-ams-333.emea.cisco.com> <3987971183870a6f5041c7613bef12a7.squirrel@webmail.pelican.org> <70B7A1CCBFA5C649BD562B6D9F7ED78406520887@xmb-ams-333.emea.cisco.com> Message-ID: <8a4649bb0811060858j3ea11ea0ja104d0c8d8a172a1@mail.gmail.com> Thanks for the input. -Rakesh On Wed, Nov 5, 2008 at 4:27 AM, Oliver Boehmer (oboehmer) < oboehmer at cisco.com> wrote: > Tim Franklin wrote on Wednesday, November 05, > 2008 10:03: > > > On Wed, November 5, 2008 6:24 am, Oliver Boehmer (oboehmer) wrote: > > > >> if I recall correctly, we can't filter/drop routes in VRF export-maps > >> (we can in import-maps).. you could set "no-advertise" or a bogus > >> route-target extcommunity to prevent it from being advertised to your > >> RRs/remote PEs or from being imported into other VRFs. > >> If you don't want to export a certain VRF prefix, just don't > >> redistribute it into BGP (if it's a non-BGP route to begin with). > > > > Or don't set the export-target that should only be on *some* routes > > in the VRF config, just set on the matching routes in the export-map. > > > ack, this would work as well. > > > I'm > > not sure, off the top of my head, what happens if you have a VRF with > *no* > > export-target defined in the VRF config, but an rt ext-community set > > on some routes in the export map - does the redist from 'local' BGP > into > > MP-BGP still happen? > > yes, and if you don't set an rt-extcomm in the export-map, the prefix is > left without a RT. 
> > > I know there are some gotchas in the other
> > direction; even if you're matching an RT in the import map, you still
> > need it as an import target, or the prefix is dropped before it gets as
> > far as the map.
>
> right, this is due to the automatic route-target filter which only
> examines the "route-target import" statements in the VRF, not the
> route-maps.
>
> oli
>

From gert at greenie.muc.de Thu Nov 6 12:03:24 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 6 Nov 2008 18:03:24 +0100
Subject: [c-nsp] sup1a -> sup32 image questions
In-Reply-To: <4913142F.1070604@packetpimp.org>
References: <4913142F.1070604@packetpimp.org>
Message-ID: <20081106170324.GP8535@greenie.muc.de>

Hi,

On Thu, Nov 06, 2008 at 10:58:39AM -0500, Jason LeBlanc wrote:
> Am I going to need both sp and rp images or a single image?

For native, it's a single image. We run

"s3223-advipservicesk9_wan-mz.122-18.SXF7.bin"

and yours should be similarly named (starting with "s3223-...").

gert

--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From david.freedman at uk.clara.net Thu Nov 6 12:15:26 2008
From: david.freedman at uk.clara.net (David Freedman)
Date: Thu, 06 Nov 2008 17:15:26 +0000
Subject: [c-nsp] GSR no ldp all of a sudden
In-Reply-To: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
Message-ID:

control plane overloaded by traffic? are you doing control plane policing?

Mark Tech wrote:
> Hi
> I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours.
> I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success
>
> Here is a brief output of some ldp commands:
>
>
> ---------here the LDP suddenly dropped--------
> Nov 6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
> Nov 6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
> Nov 6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
> Nov 6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
> Nov 6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
> Nov 6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending
>
> rt-lon-12#sh mpls ldp neighbor
>
> rt-lon-12#sh mpls ldp discovery
> Local LDP Identifier:
> 5.14.95.246:0
> Discovery Sources:
> Interfaces:
> Port-channel1 (ldp): xmit/recv
> LDP Id: 5.14.95.243:0
> Port-channel2 (ldp): xmit/recv
> LDP Id: 5.14.95.244:0
> Port-channel3 (ldp): xmit/recv
> LDP Id: 5.14.95.245:0
>
> rt-lon-12#sh mpls interfaces
> Interface IP Tunnel Operational
> GigabitEthernet0/0/0 Yes No Yes
> GigabitEthernet0/0/1 Yes No Yes
> GigabitEthernet0/0/2 Yes No Yes
> GigabitEthernet0/0/3 Yes No Yes
> GigabitEthernet0/0/4 Yes No Yes
> GigabitEthernet0/0/5 Yes No Yes
> Port-channel1 Yes (ldp) No Yes
> Port-channel2 Yes (ldp) No Yes
> Port-channel3 Yes (ldp) No Yes
>
> Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully.
> In fact the other GSR this is connected to is a carbon-copy, bar IP addresses
>
> Regards
>
> Mark
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From b.turnbow at twt.it Thu Nov 6 12:23:52 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 6 Nov 2008 18:23:52 +0100
Subject: [c-nsp] GSR no ldp all of a sudden
In-Reply-To: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
References: <880615.45377.qm@web44811.mail.sp1.yahoo.com>
Message-ID:

I would start with what was done here ?

Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech
Sent: Thursday 6 November 2008 17.39
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] GSR no ldp all of a sudden

Hi

I have a couple of GSRs and 7600s running LDP in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success. Here is a brief output of some ldp commands:

---------here the LDP suddenly dropped--------
Nov  6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1)
Nov  6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending
Nov  6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending
Nov  6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired)
Nov  6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending

rt-lon-12#sh mpls ldp neighbor

rt-lon-12#sh mpls ldp discovery
 Local LDP Identifier:
    5.14.95.246:0
    Discovery Sources:
    Interfaces:
        Port-channel1 (ldp): xmit/recv
            LDP Id: 5.14.95.243:0
        Port-channel2 (ldp): xmit/recv
            LDP Id: 5.14.95.244:0
        Port-channel3 (ldp): xmit/recv
            LDP Id: 5.14.95.245:0

rt-lon-12#sh mpls interfaces
Interface              IP            Tunnel   Operational
GigabitEthernet0/0/0   Yes           No       Yes
GigabitEthernet0/0/1   Yes           No       Yes
GigabitEthernet0/0/2   Yes           No       Yes
GigabitEthernet0/0/3   Yes           No       Yes
GigabitEthernet0/0/4   Yes           No       Yes
GigabitEthernet0/0/5   Yes           No       Yes
Port-channel1          Yes (ldp)     No       Yes
Port-channel2          Yes (ldp)     No       Yes
Port-channel3          Yes (ldp)     No       Yes

Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses

Regards

Mark

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From linkconnect at googlemail.com Thu Nov 6 12:51:27 2008
From: linkconnect at googlemail.com (Wayne Lee)
Date: Thu, 6 Nov 2008 17:51:27 +0000
Subject: [c-nsp] vrf-lite and pppoA interfaces
Message-ID: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com>

Hello List

I have a dedicated LNS for what we call our pwan customers. All connections are ADSL PPPoA and they all use private IP ranges, as there is currently no internet access. We have about 150 connections spread over 8 customers; these are currently grouped by customer and then separated from other pwans using access-lists which are applied via RADIUS.
We want to allow internet access to these pwans and move them into a vrf-lite setup with one VRF per pwan, so this also gives us the ability to allow overlapping IP space.

My VRF knowledge is (very) limited and I'm struggling to understand the best way to make this work. I have tested a basic VRF setup (with success) in the lab, but this was with 3 routers and no PPPoA/virtual-access interfaces.

My confusion is about the ip vrf forwarding: in the lab I put this on each ethernet on the main router, but in the PPPoA setup there will not be a dedicated ethernet per VRF. Also I'll not need traffic between VRFs, so do I just need to export the routes to the RIB so the customers can get internet traffic?

Help, clue sticks and any advice will be very welcome.

Thanks

Wayne

From jml at packetpimp.org Thu Nov 6 13:08:02 2008
From: jml at packetpimp.org (Jason LeBlanc)
Date: Thu, 06 Nov 2008 13:08:02 -0500
Subject: [c-nsp] sup1a -> sup32 image questions
In-Reply-To: <20081106170324.GP8535@greenie.muc.de>
References: <4913142F.1070604@packetpimp.org> <20081106170324.GP8535@greenie.muc.de>
Message-ID: <49133282.7080408@packetpimp.org>

Great, thanks for simplifying this for me. ;)

Gert Doering wrote:
> Hi,
>
> On Thu, Nov 06, 2008 at 10:58:39AM -0500, Jason LeBlanc wrote:
>
>> Am I going to need both sp and rp images or a single image?
>>
>
> For native, it's a single image. We run
>
> "s3223-advipservicesk9_wan-mz.122-18.SXF7.bin"
>
> and yours should be similarly named (starting with "s3223-...").
>
> gert
>

From rechew at ucsc.edu Thu Nov 6 12:11:35 2008
From: rechew at ucsc.edu (Richard Chew)
Date: Thu, 06 Nov 2008 09:11:35 -0800
Subject: [c-nsp] Slave Supervisor for Sup 720 10G Crashing on 6500's
Message-ID: <49132547.3090403@ucsc.edu>

Hi All,

We have recently deployed 17 6500's on campus, and about two months in we have already had 5 supervisors fail for no apparent reason.
When we call TAC they just RMA us a new Sup, but I suspect (cannot prove) that something else is causing this problem. At first I thought it was SXH2, but we have recently seen the problem on SXH3, so any help would be appreciated. Thanks. BTW : Nov 5 14:38:55.405 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:39:55.437 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:40:55.533 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:41:55.633 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:10 Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=8% RP=3% Traffic=0% netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:10 Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=8% RP=3% Traffic=0% netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] Nov 5 14:42:55.765 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD Nov 5 14:43:55.837 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:44:55.925 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:45:55.965 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. 
Ctrl1 0xB08D0EBD Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:20 Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=2% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, fail=20], 3[IPv4, fail=20], 4[IPv6, fail=20] Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 TestSPRPInbandPing consecutive failure count:20 Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): SP=14% RP=0% Traffic=0% netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, fail=20], 3[IPv4, fail=20], 4[IPv6, fai=20] Nov 5 14:46:56.077 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD Nov 5 14:47:03.241 PST: %PFREDUN-SP-6-ACTIVE: Standby supervisor removed or reloaded, changing to Simplex mode Nov 5 14:47:03.261 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (RF request) Nov 5 14:47:13.470 PST: %LINK-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down Nov 5 14:47:13.470 PST: %OSPF-5-ADJCHG: Process 5739, Nbr 128.114.0.4 on GigabitEthernet6/1 from FULL to DOWN, Neighbor Down: Interface down or detached Nov 5 14:47:13.494 PST: %PIM-5-NBRCHG: neighbor 128.114.1.157 DOWN on interface GigabitEthernet6/1 non DR Nov 5 14:47:13.494 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down Nov 5 14:47:13.606 PST: %SNMP-5-MODULETRAP: Module 6 [Down] Trap Nov 5 14:47:13.461 PST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet6/1, changed state to down Nov 5 14:47:13.593 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being power-cycled (Slot disabled) Nov 5 14:47:13.597 PST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface GigabitEthernet6/1, changed state to down From pavel.skovajsa at gmail.com Thu Nov 6 13:40:07 2008 From: pavel.skovajsa at gmail.com (Pavel Skovajsa) Date: Thu, 6 Nov 2008 19:40:07 
+0100 Subject: [c-nsp] Slave Supervisor for Sup 720 10G Crashing on 6500's In-Reply-To: <49132547.3090403@ucsc.edu> References: <49132547.3090403@ucsc.edu> Message-ID: <323aca890811061040w6fab55b3jb3fe48633d422792@mail.gmail.com> I will at least give it a try and upgrade to SXH3a or wait couple weeks for SXH4. SXH2 is really buggy. pavel On Thu, Nov 6, 2008 at 6:11 PM, Richard Chew wrote: > Hi All, > > We have recently deployed 17, 6500's on campus, and about two months in we > have already had 5 supervisors fail for no apparent reason. When we call > TAC they just RMA us a new Sup, but I suspect (cannot prove) that something > else is causing this problem. At first I thought it was SXH2, but we have > recently seen the problem on SXH3, so any help would be appreciated. > Thanks. > > BTW : > > Nov 5 14:38:55.405 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:39:55.437 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:40:55.533 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:41:55.633 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. 
Ctrl1 0xB080EBD > Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:10 > Nov 5 14:42:39.425 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=8% RP=3% Traffic=0% > netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, > fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] > Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:10 > Nov 5 14:42:39.757 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=8% RP=3% Traffic=0% > netint_thr_active[0], Tx_Rate[56], Rx_Rate[0], dev=1[IPv4, fail=10], 2[IPv4, > fail=10], 3[IPv4, fail=10], 4[IPv6, fail=10] > Nov 5 14:42:55.765 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB080EBD > Nov 5 14:43:55.837 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:44:55.925 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:45:55.965 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:20 > Nov 5 14:46:37.882 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=2% RP=0% Traffic=0% > netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, > fail=20], 3[IPv4, fail=20], 4[IPv6, fail=20] > Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-3-HM_TEST_FAIL: Module 6 > TestSPRPInbandPing consecutive failure count:20 > Nov 5 14:46:38.218 PST: %CONST_DIAG-SPSTBY-6-HM_TEST_INFO: CPU util(5sec): > SP=14% RP=0% Traffic=0% > netint_thr_active[0], Tx_Rate[49], Rx_Rate[0], dev=1[IPv4, fail=20], 2[IPv4, > fail=20], 3[IPv4, fail=20], 4[IPv6, fai=20] > Nov 5 14:46:56.077 PST: %EARL_L2_ASIC-SPSTBY-4-DBUS_HDR_ERR: EARL L2 ASIC > #0: Dbus Hdr. 
Error occurred. Ctrl1 0xB08D0EBD > Nov 5 14:47:03.241 PST: %PFREDUN-SP-6-ACTIVE: Standby supervisor removed or > reloaded, changing to Simplex mode > Nov 5 14:47:03.261 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being > power-cycled (RF request) > Nov 5 14:47:13.470 PST: %LINK-3-UPDOWN: Interface GigabitEthernet6/1, > changed state to down > Nov 5 14:47:13.470 PST: %OSPF-5-ADJCHG: Process 5739, Nbr 128.114.0.4 on > GigabitEthernet6/1 from FULL to DOWN, Neighbor Down: Interface down or > detached > Nov 5 14:47:13.494 PST: %PIM-5-NBRCHG: neighbor 128.114.1.157 DOWN on > interface GigabitEthernet6/1 non DR > Nov 5 14:47:13.494 PST: %LINEPROTO-5-UPDOWN: Line protocol on Interface > GigabitEthernet6/1, changed state to down > Nov 5 14:47:13.606 PST: %SNMP-5-MODULETRAP: Module 6 [Down] Trap > Nov 5 14:47:13.461 PST: %LINK-SP-3-UPDOWN: Interface GigabitEthernet6/1, > changed state to down > Nov 5 14:47:13.593 PST: %OIR-SP-3-PWRCYCLE: Card in module 6, is being > power-cycled (Slot disabled) > Nov 5 14:47:13.597 PST: %LINEPROTO-SP-5-UPDOWN: Line protocol on Interface > GigabitEthernet6/1, changed state to down > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From howard at leadmon.net Thu Nov 6 14:24:15 2008 From: howard at leadmon.net (Howard Leadmon) Date: Thu, 6 Nov 2008 14:24:15 -0500 Subject: [c-nsp] Catalyst LAN Input Errors Query... Message-ID: <021101c94045$45120620$cf361260$@net> Hello to all, I thought this would be easy to find, and maybe I haven't looked in the right place, but figured I'd ask. 
I have a Cat6509 switch, and on a couple of the interfaces I have feeding from some servers, I keep seeing input errors, as shown below: FastEthernet9/48 is up, line protocol is up (connected) Hardware is C6k 100Mb 802.3, address is 0004.de66.8f73 (bia 0004.de66.8f73) MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec, reliability 255/255, txload 3/255, rxload 24/255 Encapsulation ARPA, loopback not set Keepalive set (10 sec) Full-duplex, 100Mb/s input flow-control is off, output flow-control is unsupported ARP type: ARPA, ARP Timeout 04:00:00 Last input never, output 00:00:43, output hang never Last clearing of "show interface" counters 00:12:47 Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0 Queueing strategy: fifo Output queue: 0/40 (size/max) 1 minute input rate 9759000 bits/sec, 1396 packets/sec 1 minute output rate 1505000 bits/sec, 1110 packets/sec 1067610 packets input, 920823086 bytes, 0 no buffer Received 0 broadcasts (0 multicasts) 0 runts, 0 giants, 0 throttles 980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored 0 watchdog, 0 multicast, 0 pause input 0 input packets with dribble condition detected 839374 packets output, 146203703 bytes, 0 underruns 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 PAUSE output 0 output buffer failures, 0 output buffers swapped out Notice that in less than 15 min I have almost 1000 input errors, but the other more detailed counters show nothing. I have had the cable swapped, and the LAN card in the PC swapped, still the same results. What is just an input error? Is this bad hardware, something I should just expect on some interfaces to PC's, or what? I have googled around a bit, looked on Cisco's site, and everything says that the input error counter is just the combined count of the other counters like CRC, overrun, and so on, but they are all 0 for me.. Any clues on where to look or what would cause this??? 
--- Howard Leadmon From rodunn at cisco.com Thu Nov 6 14:43:26 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 6 Nov 2008 14:43:26 -0500 Subject: [c-nsp] ASR / IOS XE: CEF load-sharing algorithms changed? In-Reply-To: <20081105122448.GK93039@ronin.4ever.de> References: <20081105122448.GK93039@ronin.4ever.de> Message-ID: <20081106194326.GI5059@rtp-cse-489.cisco.com> Let me ask around about this. Interesting observation. I don't know the answer. Rodney On Wed, Nov 05, 2008 at 01:24:48PM +0100, Elmar K. Bins wrote: > Re again, > > I am running into trouble with the CEF load sharing algorithm > on the ASR / IOS-XE platform. We've had this kind of setup > with 7301s for four years now, and it's never given us any > trouble. Distributed traffic pretty evenly (whenever it was > not only one or two top-talkers hitting us). > > With the new ASR / IOS-XE (1.1.2 currently, but I have found > nothing in the release notes of later versions) traffic > distribution has become in favour of the server with the > lowest IP address - very much so. It's getting 85% of all > packets. > > The setup in brief (all IPv4): > > z.z.z.z = Service address > > a.a.a.a, a.a.a.b, a.a.a.c = Interface addresses of three servers, > a a.a.a.d = Interface address of the ASR > > External routing gets z.z.z.z to the ASR. > > +--------+ ----(a.a.a.a)-[srv1] > (Internet) --- | Router |-(a.a.a.d)---+---(a.a.a.b)-[srv2] > +--------+ ----(a.a.a.c)-[srv3] > > > z.z.z.z is the only target address, all external traffic goes there, > and it does go to a specific port. This is a DNS setup, so we can > also assume that 99.9% of the protocols seen is UDP/53. 
> > Routing on the Router is as follows: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > > > rt#sh run | i cef > ip cef load-sharing algorithm tunnel 000FFEED > > > On 7301s, typical distribution is 3:4:3 or something like that. > On the ASR I see 10:1:2 (on srv1:srv2:srv3). > > This did change immediately through the replacement of the 7301 by the ASR. > My colleague tells me, we have not one but several (like a dozen) top > talkers (out of several million), just like before the router swap. > > What could cause this phenomenon? > > 1. Traffic pattern has changed. > -> my colleague denies this > > 2. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) has been altered. > > 3. The tunnel balancing algorithm (which to my knowledge includes > source/dest IP addresses _and_ ports) is now buggy. > > > Experiment 1 > > Changing the algorithm to "include-ports source". > > Did not change the traffic pattern a bit. I didn't expect a > change, since AFAIK it would do the same as the "tunnel" algorithm. 
> > > Experiment 2 > > I added a.a.a.d to srv1, a.a.a.e to srv2 and a.a.a.f to srv3 and > the appropriate routes: > > rt#sh ip route static > ip route z.z.z.z 255.255.255.255 a.a.a.a > ip route z.z.z.z 255.255.255.255 a.a.a.b > ip route z.z.z.z 255.255.255.255 a.a.a.c > ip route z.z.z.z 255.255.255.255 a.a.a.d > ip route z.z.z.z 255.255.255.255 a.a.a.e > ip route z.z.z.z 255.255.255.255 a.a.a.f > > rt#sh ip cef z.z.z.z > z.z.z.z/32 > nexthop a.a.a.a GigabitEthernet0/0/3 > nexthop a.a.a.b GigabitEthernet0/0/3 > nexthop a.a.a.c GigabitEthernet0/0/3 > nexthop a.a.a.d GigabitEthernet0/0/3 > nexthop a.a.a.e GigabitEthernet0/0/3 > nexthop a.a.a.f GigabitEthernet0/0/3 > > > This changed the distribution pattern from 10:1:2 to a somewhat > better 5:1:2. > > It still shows a strong favouring of the server with the smallest > IP address. > > > Experiment 3 > > I removed the z.z.z.z -> a.a.a.d route, so that Server 1 would > only have 1/5 of the routing table pointing to it, while Servers > 2 and 3 get twice as many slots in routing and forwarding table. > I'll spare you the cef output here. > > This changed the distribution pattern - not at all, at least not > noticeably. > > > I wonder what I have stumbled onto here, and whether someone around > or at Cisco knows about a change in the algorithms that would lead > to such an effect. > > I would also be very interested in some paper that really explained > the load-sharing algorithms, since everything one can find about the > tunnel algorithm is: > > "The tunnel keyword sets the load-balancing algorithm to one > that can be used in tunnel environments or in environments > where there are only a few IP source and destination address > pairs. " > > > I appreciate any help - the server is still holding, but it's > really bad Karma, and I'd like to find a way to do my L3 poor > man's load balancing in a working fashion. > > Elmar. 
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From peter at rathlev.dk Thu Nov 6 15:40:49 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Nov 2008 21:40:49 +0100
Subject: [c-nsp] ISIS Route Flapping Issue
References: <1225905544.13955.6.camel@abehat>
Message-ID: <1226004049.8786.19.camel@abehat>

On Thu, 2008-11-06 at 09:48 -0500, David Jacobs wrote:
> When I do a "sh spf-log" this is the message I keep seeing
>
> On Cisco
>
> 00:24:50   72  109  8  router1.00-00  TLVCONTENT
> 00:24:20   72  109  8  router1.00-00  TLVCONTENT
> 00:23:50   76  109  8  router1.00-00  TLVCONTENT
> 00:23:20   64  109  8  router1.00-00  TLVCONTENT
> 00:22:50   76  109  8  router1.00-00  TLVCONTENT
> 00:22:20   72  109  8  router1.00-00  TLVCONTENT
> 00:21:50   72  109  8  router1.00-00  TLVCONTENT
> 00:21:20   72  109  8  router1.00-00  TLVCONTENT
> 00:20:50   72  109  8  router1.00-00  TLVCONTENT
> 00:20:19   72  108  7  router1.00-00  TLVCONTENT
> 00:19:49   72  108  8  router1.00-00  TLVCONTENT
> 00:19:19   68  108  8  router1.00-00  TLVCONTENT

This is from a neighboring router, right? It seems the router is sending
out LSP TLV changes, and rather many of them. In each 30 second interval
the router sent 8 TLV changes, about one every four seconds.

What does "show isis lsp-log" say on "router1"?

> and on Foundry
>
> 1m55s  450ms  78   6  router1.00-00  Area Address TLV Change
> 2m26s  450ms  39  17  router1.00-00  Area Address TLV Change
> 2m56s  450ms  39  17  router1.00-00  Area Address TLV Change
> 3m27s  450ms  39  13  router1.00-00  Area Address TLV Change
> 3m57s  450ms  39  18  router1.00-00  Area Address TLV Change

I don't know Foundry, but I could be tempted to read this as "Area ID
changed".

> > A shot in the dark, but you wouldn't happen to have another box with
> > the same NET on your network?
>
> I thought of that as well, but I compared all of the other NET
> addresses and they are pretty unique. And correct me if I'm wrong, but
> if there was another router running ISIS with the same NET address
> wouldn't it come up with an error like..
>
> %CLNS-4-BADPACKET: ISIS: LAN L2 hello, Duplicate system
> ID detected from (duplicate NET address)

That sounds reasonable.

> I forget if there is a command to view all NET addresses in the database

That would be "show isis hostname".

Regards,
Peter


From raa at opusnet.com Thu Nov 6 16:03:30 2008
From: raa at opusnet.com (Ruben Alvarez)
Date: Thu, 6 Nov 2008 13:03:30 -0800
Subject: [c-nsp] Cisco IOS for broadband aggregation
Message-ID: <000001c94053$1fb18280$5f148780$@com>

Hi All,

I'm upgrading IOS on my c7206VXR with an npe-300 and:
UBR7200-I/O-2FE/E
PA-A3-T3=
PA-IMA-T1=
PA-4E=

I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the
12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't
seen much about it. I assume it's got the same features as (28)? If anyone
has any feedback let me know.

Thanks.


From roddy.strachan at staff.netspace.net.au Thu Nov 6 16:10:40 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Fri, 07 Nov 2008 08:10:40 +1100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c94053$1fb18280$5f148780$@com>

Ruben,

Funny you mention it.

I've just finished an upgrade of a mixture of 7301 and 7206vxr to
12.2(31)SB13.

Had a 7301 running in production for 1 week, no issues, the LNS seems a lot
more stable if you ask me.

Don't know how the 7206 will go as they have been in production less than an
hour :).

So far so good, no real issues to report.

On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the
> 12.2(31)SB instead of the 12.2(28)SB?


From rinse.kloek at isp.solcon.nl Thu Nov 6 16:11:43 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Thu, 06 Nov 2008 22:11:43 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c94053$1fb18280$5f148780$@com>
References: <000001c94053$1fb18280$5f148780$@com>
Message-ID: <49135D8F.8090803@isp.solcon.nl>

Ruben,

We are using the 12.2(31)SB on one of our routers. We saw some problems
with policy routing with VRFs with the SB6 release, but we expect this to
be fixed in the SB12+.

For a full list of software/hardware features/caveats, see
http://www.cisco.com/en/US/docs/ios/12_2sb/release/notes/122SB.html

Be aware that the SB train will be superseded by the 12.2.33SRC.

regards Rinse Kloek

Ruben Alvarez schreef:
> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the
> 12.2(31)SB instead of the 12.2(28)SB?


From rinse.kloek at isp.solcon.nl Thu Nov 6 16:14:25 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Thu, 06 Nov 2008 22:14:25 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
Message-ID: <49135E31.8010102@isp.solcon.nl>

What kind of features do you use with the 7206VXR box? We are also
looking to upgrade to 12.2.31SB13 because we have some problems with
12.2(31)SB6.

regards Rinse

Roddy Strachan schreef:
> I've just finished an upgrade of a mixture of 7301 and 7206vxr to
> 12.2(31)SB13.
>
> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot
> more stable if you ask me.


From peter at rathlev.dk Thu Nov 6 16:20:17 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 06 Nov 2008 22:20:17 +0100
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <021101c94045$45120620$cf361260$@net>
References: <021101c94045$45120620$cf361260$@net>
Message-ID: <1226006417.8786.34.camel@abehat>

On Thu, 2008-11-06 at 14:24 -0500, Howard Leadmon wrote:
> FastEthernet9/48 is up, line protocol is up (connected)
>   Hardware is C6k 100Mb 802.3, address is 0004.de66.8f73 (bia 0004.de66.8f73)
>   MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
>      reliability 255/255, txload 3/255, rxload 24/255
>   Encapsulation ARPA, loopback not set
>   Keepalive set (10 sec)
>   Full-duplex, 100Mb/s
>   input flow-control is off, output flow-control is unsupported
>   ARP type: ARPA, ARP Timeout 04:00:00
>   Last input never, output 00:00:43, output hang never
>   Last clearing of "show interface" counters 00:12:47
>   Input queue: 0/2000/0/0 (size/max/drops/flushes); Total output drops: 0
>   Queueing strategy: fifo
>   Output queue: 0/40 (size/max)
>   1 minute input rate 9759000 bits/sec, 1396 packets/sec
>   1 minute output rate 1505000 bits/sec, 1110 packets/sec
>      1067610 packets input, 920823086 bytes, 0 no buffer
>      Received 0 broadcasts (0 multicasts)
>      0 runts, 0 giants, 0 throttles
>      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>      0 watchdog, 0 multicast, 0 pause input
>      0 input packets with dribble condition detected
>      839374 packets output, 146203703 bytes, 0 underruns
>      0 output errors, 0 collisions, 0 interface resets
>      0 babbles, 0 late collision, 0 deferred
>      0 lost carrier, 0 no carrier, 0 PAUSE output
>      0 output buffer failures, 0 output buffers swapped out
>
> Notice that in less than 15 min I have almost 1000 input errors, but
> the other more detailed counters show nothing. I have had the cable
> swapped, and the LAN card in the PC swapped, still the same results.

Well, a thousand errors may sound like much, but it's less than 0.1% of
the total number of packets received.

> What is just an input error? Is this bad hardware, something I should
> just expect on some interfaces to PCs, or what?
>
> I have googled around a bit, looked on Cisco's site, and everything
> says that the input error counter is just the combined count of the
> other counters like CRC, overrun, and so on, but they are all 0 for
> me..
>
> Any clues on where to look or what would cause this???

What type of card is it? If you have an oversubscribed path to the
backplane the switch might drop packets there. AFAIK there's no
surefire way to find out though.

Input flow control might help reduce lost packets if they're caused by
oversubscription / too small buffers. This assumes the server NICs know
flow-control of course.

Do you have any interface on a similar module with similar traffic/load
patterns that is not experiencing these errors?

Regards,
Peter


From raa at opusnet.com Thu Nov 6 16:29:25 2008
From: raa at opusnet.com (Ruben Alvarez)
Date: Thu, 6 Nov 2008 13:29:25 -0800
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49135E31.8010102@isp.solcon.nl>
References: <49135E31.8010102@isp.solcon.nl>
Message-ID: <000101c94056$c0378940$40a69bc0$@com>

That's a great Cisco doc, thanks.

I haven't been able to find anything on Google, but we are having issues
with static IP configuration with the new Actiontec M1000 modem firmware
(v2.) I can assign static IP addresses to the modem via radius, but cannot
with the IP unnumbered mode feature in the Actiontec CPE.
I figured I'd give the newer IOS a try before I start debugging PPP or
radius.

Thanks.

-----Original Message-----
From: Rinse Kloek [mailto:rinse.kloek at isp.solcon.nl]
Sent: Thursday, November 06, 2008 1:14 PM
To: Roddy Strachan
Cc: Ruben Alvarez; Cisco-nsp
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

What kind of features do you use with the 7206VXR box? We are also
looking to upgrade to 12.2.31SB13 because we have some problems with
12.2(31)SB6.

regards Rinse


From Curtis at GreenKey.net Thu Nov 6 17:11:42 2008
From: Curtis at GreenKey.net (Curtis Doty)
Date: Thu, 6 Nov 2008 14:11:42 -0800 (PST)
Subject: [c-nsp] watchdog timeout - nmi reset
In-Reply-To: <200811061055.12235.mtinka@globaltransit.net>
References: <200811061055.12235.mtinka@globaltransit.net>
Message-ID: <20081106221142.49BA76F073@alopias.GreenKey.net>

10:55am Mark Tinka said:
> Hi all.
>
> We've had a bit of bad luck lately with a couple of NPE-G1's
> suddenly reloading due to watchdog timeouts.

WAG: The pseudo-preemption gets tangled by something like BFD?
http://puck.nether.net/pipermail/cisco-nsp/2008-October/055734.html

../C


From roddy.strachan at staff.netspace.net.au Thu Nov 6 17:29:50 2008
From: roddy.strachan at staff.netspace.net.au (Roddy Strachan)
Date: Fri, 07 Nov 2008 09:29:50 +1100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49135E31.8010102@isp.solcon.nl>

No real special features. MQOS to allow QOS policies on the fly as well as
POD radius disconnects. Other than that it's a plain vanilla PPP/LNS
termination device.

On 7/11/08 8:14 AM, "Rinse Kloek" wrote:
> What kind of features do you use with the 7206VXR box? We are also
> looking to upgrade to 12.2.31SB13 because we have some problems with
> 12.2(31)SB6.
>
> regards Rinse

--
Regards,

Roddy Strachan
Sysadmin Team Leader
Netspace Online Systems
Ph : 03-9811-0016
Mob : 0416-116-291
Fax : 03-9811-0044
Email: roddy.strachan at staff.netspace.net.au


From peter at rathlev.dk Thu Nov 6 18:30:32 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Nov 2008 00:30:32 +0100
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226006417.8786.34.camel@abehat>
References: <021101c94045$45120620$cf361260$@net> <1226006417.8786.34.camel@abehat>
Message-ID: <1226014232.8786.49.camel@abehat>

On Thu, 2008-11-06 at 22:20 +0100, Peter Rathlev wrote:
> >      1067610 packets input, 920823086 bytes, 0 no buffer
> >      Received 0 broadcasts (0 multicasts)
> >      0 runts, 0 giants, 0 throttles
> >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
>
> > I have googled around a bit, looked on Cisco's site, and everything
> > says that the input error counter is just the combined count of the
> > other counters like CRC, overrun, and so on, but they are all 0 for
> > me..
> >
> > Any clues on where to look or what would cause this???

Also "show interface Fa9/48 counters errors" gives you a couple more
counters to gaze at. :-)

Regards,
Peter


From paul at paulstewart.org Thu Nov 6 19:23:17 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 6 Nov 2008 19:23:17 -0500
Subject: [c-nsp] Limiting upstream paths to downstream customer - BGP
Message-ID: <00c201c9406f$0e5db6e0$2b1924a0$@org>

Hi there.

I'm looking for a Cisco doc or a quick guide to *best practice* for the
following scenario:

Provider A gets 5 upstream BGP feeds via two core routers. Provider B wants
to purchase transit from Provider A but does not want to send/receive any
traffic via one of Provider A's upstreams (Provider X in this case).
Provider A also uses BGP communities to mark their downstream customers,
their upstream connections etc.
Obviously Provider A can simply not announce Provider B to Provider X,
solving this issue in one direction, but what about traffic coming into
Provider A from Provider B that prefers Provider X outbound?

I'm thinking that you could use route-maps on Provider A (which would
already be in place anyways most likely) and local-pref Provider X's routes
specific to Provider B's community?

If this is the best practice, anyone have a config snippet they could share,
or is there a better way?

Thanks in advance, hopefully I'm explaining this well.

Paul


From phila at cascopoint.com Thu Nov 6 19:49:27 2008
From: phila at cascopoint.com (Anton Yurchenko)
Date: Thu, 06 Nov 2008 16:49:27 -0800
Subject: [c-nsp] Link level compression
Message-ID: <49139097.4070005@cascopoint.com>

Hi All,

I am researching if there is a possibility to save some money on links by
using link compression. I am not talking WAN acceleration, but something
that will basically zip packets on one end and unzip on another. Link
bandwidths are 10Gig and up.

Any recommendations/experiences are very much welcome.

Thanks,
Anton Yurchenko


From howard at leadmon.net Thu Nov 6 21:05:12 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 6 Nov 2008 21:05:12 -0500
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226006417.8786.34.camel@abehat>
References: <021101c94045$45120620$cf361260$@net> <1226006417.8786.34.camel@abehat>
Message-ID: <024001c9407d$484e7200$d8eb5600$@net>

> On Thu, 2008-11-06 at 14:24 -0500, Howard Leadmon wrote:
> > FastEthernet9/48 is up, line protocol is up (connected)
> >   Full-duplex, 100Mb/s
> >      1067610 packets input, 920823086 bytes, 0 no buffer
> >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >
> > Notice that in less than 15 min I have almost 1000 input errors, but
> > the other more detailed counters show nothing. I have had the cable
> > swapped, and the LAN card in the PC swapped, still the same results.
>
> Well, a thousand errors may sound like much, but it's less than 0.1% of
> the total number of packets received.

Understood, and I think the client's network is working OK, but when all
the other interfaces are running without a constant stream of errors, it
has to make you wonder!

> > What is just an input error? Is this bad hardware, something I should
> > just expect on some interfaces to PCs, or what?
> >
> > I have googled around a bit, looked on Cisco's site, and everything
> > says that the input error counter is just the combined count of the
> > other counters like CRC, overrun, and so on, but they are all 0 for
> > me..
> >
> > Any clues on where to look or what would cause this???
>
> What type of card is it? If you have an oversubscribed path to the
> backplane the switch might drop packets there. AFAIK there's no
> surefire way to find out though.

Basically it's a BSDi based firewall (they need to replace at some point),
that has a pair of Intel Pro/100B adapters installed in it for the in/out
paths. Both are running 100/FDX, verified with ifconfig, and of course as
you could see from my original posting the switch ports are also 100/FDX.
Just FYI, cables and network cards replaced on the server, but same thing.

> Input flow control might help reduce lost packets if they're caused by
> oversubscription / too small buffers. This assumes the server NICs know
> flow-control of course.
>
> Do you have any interface on a similar module with similar traffic/load
> patterns that is not experiencing these errors?

As stated above, it's the two PRO/100 cards generating errors to the
switch. There are other machines/devices plugged in to the various ports
that seem to be working fine, which is why at first I figured maybe some
wonky hardware.

On the issue of traffic loading, and oversubscription. I don't know what
the max on a WS-X6348-RJ-45 board is, I know it's not the star champ of the
6500 line, but if you look at the data flows the sucker only sees 6-10 meg
of traffic, in fact nothing on that board is pounding the heck out of it,
so I wouldn't think a couple meg of traffic (it was only running 3meg when
I took the samples with the increasing errors) would blow out any port on
a switch like that, but maybe I am wrong..

> Regards,
> Peter

---
Howard Leadmon


From howard at leadmon.net Thu Nov 6 21:08:26 2008
From: howard at leadmon.net (Howard Leadmon)
Date: Thu, 6 Nov 2008 21:08:26 -0500
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <1226014232.8786.49.camel@abehat>
References: <021101c94045$45120620$cf361260$@net> <1226006417.8786.34.camel@abehat> <1226014232.8786.49.camel@abehat>
Message-ID: <024301c9407d$bb5417f0$31fc47d0$@net>

> On Thu, 2008-11-06 at 22:20 +0100, Peter Rathlev wrote:
> > >      1067610 packets input, 920823086 bytes, 0 no buffer
> > >      Received 0 broadcasts (0 multicasts)
> > >      0 runts, 0 giants, 0 throttles
> > >      980 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
> >
> > > I have googled around a bit, looked on Cisco's site, and everything
> > > says that the input error counter is just the combined count of the
> > > other counters like CRC, overrun, and so on, but they are all 0 for
> > > me..
> > >
> > > Any clues on where to look or what would cause this???
>
> Also "show interface Fa9/48 counters errors" gives you a couple more
> counters to gaze at. :-)
>
> Regards,
> Peter

Thanks Peter, I knew I had looked at show interface Fa9/48 counters, but
not the show interface Fa9/48 counters errors command. Actually doing that
shows me:

#show interface Fa9/48 counters errors

Port        Align-Err  FCS-Err  Xmit-Err  Rcv-Err  UnderSize  OutDiscards
Fa9/48          42994        0         0    42994          0            0

Port        Single-Col  Multi-Col  Late-Col  Excess-Col  Carri-Sen  Runts  Giants
Fa9/48               0          0         0           0          0      0       0

Port        SQETest-Err  Deferred-Tx  IntMacTx-Err  IntMacRx-Err  Symbol-Err
Fa9/48                0            0             0             0           0

So Align-Err is the issue, of course a quick look for that seems to
indicate a hardware issue, but heck we replaced the various components and
still have the issue. So still stumped at this point..

---
Howard Leadmon


From Jamie.Stephens at chartercom.com Thu Nov 6 21:40:59 2008
From: Jamie.Stephens at chartercom.com (Stephens, Jamie A)
Date: Thu, 6 Nov 2008 20:40:59 -0600
Subject: [c-nsp] Catalyst LAN Input Errors Query...
References: <021101c94045$45120620$cf361260$@net> <1226006417.8786.34.camel@abehat> <1226014232.8786.49.camel@abehat> <024301c9407d$bb5417f0$31fc47d0$@net>

I know this seems minor but I see this all the time with a duplex mismatch.

Jamie Stephens
Network Sales Engineer
2 Digital Place
Simpsonville, SC 29681
Cell 864-505-9879

________________________________
From: cisco-nsp-bounces at puck.nether.net on behalf of Howard Leadmon
Sent: Thu 11/6/2008 9:08 PM
To: 'Peter Rathlev'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst LAN Input Errors Query...

Thanks Peter, I knew I had looked at show interface Fa9/48 counters, but
not the show interface Fa9/48 counters errors command.

So Align-Err is the issue, of course a quick look for that seems to
indicate a hardware issue, but heck we replaced the various components and
still have the issue. So still stumped at this point..


From ariemer at wesenergy.com.au Thu Nov 6 21:46:16 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Fri, 7 Nov 2008 11:46:16 +0900
Subject: [c-nsp] Catalyst LAN Input Errors Query...
In-Reply-To: <024001c9407d$484e7200$d8eb5600$@net>
References: <021101c94045$45120620$cf361260$@net> <1226006417.8786.34.camel@abehat> <024001c9407d$484e7200$d8eb5600$@net>
Message-ID: <0867622C64B50C4B878AB45C95F43F11063E95F8@MAILWA01.wesenergy.local>

Hi,

That module is limited to 32Gbps which is split up into 4 ASICs that
handle 12 ports each.

Quoting Cisco's website ->
http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a0080118a5c.shtml

You can also take a look at the counters that indicate if the ASIC is
being oversubscribed. Refer here ->
http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801751d7.shtml#ASIC

Cheers,

Aaron Riemer

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Leadmon
Sent: Friday, 7 November 2008 11:05 AM
To: 'Peter Rathlev'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst LAN Input Errors Query...

On the issue of traffic loading, and oversubscription. I don't know what
the max on a WS-X6348-RJ-45 board is, I know it's not the star champ of the
6500 line, but if you look at the data flows the sucker only sees 6-10 meg
of traffic, in fact nothing on that board is pounding the heck out of it,
so I wouldn't think a couple meg of traffic (it was only running 3meg when
I took the samples with the increasing errors) would blow out any port on
a switch like that, but maybe I am wrong..


From mtinka at globaltransit.net Thu Nov 6 23:13:13 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 7 Nov 2008 12:13:13 +0800
Subject: [c-nsp] watchdog timeout - nmi reset
In-Reply-To: <20081106221142.49BA76F073@alopias.GreenKey.net>
References: <200811061055.12235.mtinka@globaltransit.net> <20081106221142.49BA76F073@alopias.GreenKey.net>
Message-ID: <200811071213.18100.mtinka@globaltransit.net>

On Friday 07 November 2008 06:11:42 Curtis Doty wrote:
> WAG: The pseudo-preemption gets tangled by something like BFD?
> http://puck.nether.net/pipermail/cisco-nsp/2008-October/055734.html

Yep, I recalled this e-mail you sent about your BFD woes after the TAC
engineer came back to say it's software-related.

The first time we logged this case with TAC, they were sure it was a
hardware issue. The second time around - and I must say this TAC engineer
was very impressive in identifying this issue quickly and decisively - it
took less than a day and turned out to be the code.

Let's hope SRC3 comes out as scheduled.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. From rvelnara at cisco.com Fri Nov 7 00:11:57 2008 From: rvelnara at cisco.com (Ramnath Velnarayanan) Date: Fri, 7 Nov 2008 10:41:57 +0530 Subject: [c-nsp] Need help in V6MCAST Group count Message-ID: <000001c94097$5ccfc750$e5064d0a@cisco.com> Hi All, I am facing an issue with IPv6 multicast. Here I am seeing variance in route entries with different command outputs 1) sh ipv6 mld groups summary MLD Route Summary No. of (*,G) routes = 16 No. of (S,G) routes = 0 2) sh ipv6 mfib summary IPv6 MFIB summary: 64 total entries [4 (S,G), 13 (*,G), 47 (*,G/m)] 40 total MFIB interfaces I need to find how many groups have been added. So which " (*,G) " count to take as Group count? s/w version - 12.2(32.8.11)SX209 H/w - ME6523 Please help in this issue. Thanks in advance Ram From jeremy at mojohost.com Thu Nov 6 23:38:09 2008 From: jeremy at mojohost.com (Jeremy Reid) Date: Fri, 07 Nov 2008 04:38:09 GMT Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)... Message-ID: <200811062338406.SM03088@[64.59.94.34]> Hi, I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down: We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak. This does not appear to be a counters problem, as we can confirm from the destination device on the other end of the SPAN port that it is indeed only seeing 5Gbps worth of traffic.
Doing a little 'deconstructive' unit testing -- we have tried eliminating the 'aggregation angle' and picked a single source 10G interface that only had about 1Gbps worth of traffic to span. Looking at the destination interface, it was consistently only reporting about 600Mbps. We have tried various such tests and we always seem to get similar results in that the destination interface traffic is always significantly (between 20 and 40%) LESS than whatever the source interface is actually carrying -- at least on the egress side of things (our ingress traffic is not sizable enough to gauge accurately). There are no physical errors/malformed frames/drops (including queue drops) being reported on either the SPAN source interface(s) or the destination. Jumbos aren't allowed on either interface, so it's not related to that either. The only plus to this (from a troubleshooting perspective, anyway) is that it is consistently 'broke' -- which should make finding the solution easier, but so far, it has proved rather elusive. We have replicated this scenario on both our current code (SXH3a) as well as SXF14 (previous code until very recently). Further, we can replicate it on multiple independent 65k platforms (all equipped similarly). We have also verified there is no bus/proc oversubscription or anything of the sort going on -- but even went to the extent of moving two test interfaces containing both the SPAN source and destination to the same physical linecard (6704-10GE) and even popped in a DFC3BXL on this linecard for good measure (even though we saw no reason to do so from a numbers point of view). No change in the behavior with the DFC. Anyone seen anything along these lines? Couldn't find anything publicly on the bug toolkit that seemed relevant... (big surprise). Just thought I'd try the list here before getting on the TAC merry-go-round. Thoughts?
-Jeremy Jeremy Reid Network Engineer Mojohost From ivan at ig.sk Fri Nov 7 02:36:02 2008 From: ivan at ig.sk (Ivan Gasparik) Date: Fri, 7 Nov 2008 08:36:02 +0100 Subject: [c-nsp] Cisco IOS for broadband aggregation In-Reply-To: <000001c94053$1fb18280$5f148780$@com> References: <000001c94053$1fb18280$5f148780$@com> Message-ID: <200811070836.02950.ivan@ig.sk> Hi, be careful with your NPE-300, which has already reached End-of-everything and is not supported with the 12.2SB train. As far as I know the last supported S-based train for NPE-300 is 12.2S. You might notice the warning message at bootup of the router or when issuing the show version command. Ivan On Thursday 06 November 2008, Ruben Alvarez wrote: > Hi All, > > I'm upgrading IOS on my c7206VXR with an npe-300 and: > UBR7200-I/O-2FE/E > PA-A3-T3= > PA-IMA-T1= > PA-4E= > I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone > using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking > online and haven't seen much about it. I assume it's got the same > features as (28)? If anyone has any feedback let me know. > > Thanks. > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From techconfig at yahoo.com Fri Nov 7 03:46:01 2008 From: techconfig at yahoo.com (Mark Tech) Date: Fri, 7 Nov 2008 00:46:01 -0800 (PST) Subject: [c-nsp] GSR no ldp all of a sudden References: <880615.45377.qm@web44811.mail.sp1.yahoo.com> Message-ID: <641393.84470.qm@web44804.mail.sp1.yahoo.com> Got it. OSPF was removed from the loopback interface. Got it working now. ----- Original Message ---- From: Brian Turnbow To: Mark Tech ; cisco-nsp at puck.nether.net Sent: Thursday, November 6, 2008 5:23:52 PM Subject: RE: [c-nsp] GSR no ldp all of a sudden I would start with what was done here? Nov
6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1) Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech Sent: Thursday, 6 November 2008 17:39 To: cisco-nsp at puck.nether.net Subject: [c-nsp] GSR no ldp all of a sudden Hi I have a couple of GSRs and 7600s running ldp in an MPLS test environment. All of a sudden 1 GSR has lost all its LDP neighbours. I have cleared the mpls ldp neighbours, and finally ended up rebooting the router with no success. Here is a brief output of some ldp commands: ---------here the LDP suddenly dropped-------- Nov 6 14:44:45 GMT: %SYS-5-CONFIG_I: Configured from console by vty0 (5.14.64.1) Nov 6 14:47:05 GMT: %LDP-5-GR: GR session 5.14.95.243:0 (inst. 3): interrupted--recovery pending Nov 6 14:47:05 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.243:0 (0) is DOWN (Session KeepAlive Timer expired) Nov 6 14:47:28 GMT: %LDP-5-GR: GR session 5.14.95.245:0 (inst. 2): interrupted--recovery pending Nov 6 14:47:28 GMT: %LDP-5-NBRCHG: LDP Neighbor 5.14.95.245:0 (0) is DOWN (Session KeepAlive Timer expired) Nov 6 14:47:37 GMT: %LDP-5-GR: GR session 5.14.95.244:0 (inst. 1): interrupted--recovery pending rt-lon-12#sh mpls ldp neighbor rt-lon-12#sh mpls ldp discovery Local LDP Identifier: 5.14.95.246:0 Discovery Sources: Interfaces: Port-channel1 (ldp): xmit/recv LDP Id: 5.14.95.243:0 Port-channel2 (ldp): xmit/recv LDP Id: 5.14.95.244:0 Port-channel3 (ldp): xmit/recv LDP Id: 5.14.95.245:0 rt-lon-12#sh mpls interfaces Interface IP Tunnel Operational GigabitEthernet0/0/0 Yes No Yes GigabitEthernet0/0/1 Yes No Yes GigabitEthernet0/0/2 Yes No Yes GigabitEthernet0/0/3 Yes No Yes GigabitEthernet0/0/4 Yes No Yes GigabitEthernet0/0/5 Yes
No Yes Port-channel1 Yes (ldp) No Yes Port-channel2 Yes (ldp) No Yes Port-channel3 Yes (ldp) No Yes Anyone have any ideas? This has been working for over a month now and all other routers are up and using LDP successfully. In fact the other GSR this is connected to is a carbon-copy, bar IP addresses Regards Mark _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From b.turnbow at twt.it Fri Nov 7 03:48:35 2008 From: b.turnbow at twt.it (Brian Turnbow) Date: Fri, 7 Nov 2008 09:48:35 +0100 Subject: [c-nsp] vrf-lite and pppoA interfaces In-Reply-To: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com> References: <3044d0930811060951t1b52fb0egc18efb1d5870cdef@mail.gmail.com> Message-ID: Hi Wayne, Take a look into assigning via radius the vrf for the PPPoA sessions. If you google on the list you will find several discussions on the issue. You can then use vrf aware firewall features (like vrf aware nat etc.) for internet access. http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_vrfaw.html Other options are listed here http://www.cisco.com/en/US/tech/tk436/tk428/technologies_white_paper09186a00801281f1.shtml Regards Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee Sent: Thursday, 6 November 2008 18:51 To: cisco-nsp at puck.nether.net Subject: [c-nsp] vrf-lite and pppoA interfaces Hello List I have a dedicated LNS for what we call our pwan customers, all connections are ADSL PPPoA and they all use private IP ranges as there is currently no internet access. We have about 150 connections spread over 8 customers, these are currently grouped by customer and then separated from other pwans using access-lists which are applied via radius.
We want to allow internet access to these pwans and move them into a vrf-lite setup with one vrf per pwan so this also gives us the ability to allow overlapping IP space. My vrf knowledge is (very) limited and I'm struggling to understand the best way to make this work. I have tested a basic vrf setup (with success) in the lab but this was with 3 routers and no PPPoA/virtual-access interfaces. My confusion is about the ip vrf forwarding, in the lab I put this on each ethernet on the main router but in the PPPoA setup there will not be a dedicated ethernet per vrf, also I'll not need traffic between vrfs so do I just need to export the routes to the rib so the customers can get internet traffic? Help, clue sticks and any advice will be very welcome. Thanks Wayne _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Fri Nov 7 03:52:45 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Fri, 7 Nov 2008 16:52:45 +0800 Subject: [c-nsp] GSR no ldp all of a sudden In-Reply-To: <641393.84470.qm@web44804.mail.sp1.yahoo.com> References: <880615.45377.qm@web44811.mail.sp1.yahoo.com> <641393.84470.qm@web44804.mail.sp1.yahoo.com> Message-ID: <200811071652.49889.mtinka@globaltransit.net> On Friday 07 November 2008 16:46:01 Mark Tech wrote: > Got it. OSPF was removed from loopback interface Just wondering if you have RANCID configured so you can learn, more quickly, what changes the router has undergone. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part.
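Mark Tinka's RANCID suggestion is the general cure for this kind of surprise: keep the last known config under version control, diff the running one against it, and read the delta before touching the box. As an added example (not part of the thread and not RANCID's own code), here is a small Python change report in that style, run against two constructed configs that reproduce the change Mark Tech found (the loopback's OSPF network statement removed). The hostname and addresses come from the LDP output above; everything else in the configs, and the list of "risky" sections, is assumed for the example.

```python
"""RANCID-style config change report for IOS.

Added example for this thread, not part of the original posts and not
RANCID's own code.  The two configs below are constructed to reproduce
the reported change (the loopback's OSPF network statement disappears);
the hostname and addresses are taken from the LDP output in the thread,
everything else about the configs is assumed.
"""
from typing import Dict, List, Set, Tuple

# Sections where a removed line is the usual cause of adjacency loss
# (OSPF, BGP, LDP, loopbacks).  Assumed list for this example.
RISKY_PREFIXES = ("router ", "mpls ", "interface Loopback")

BEFORE = """\
hostname rt-lon-12
!
interface Loopback0
 ip address 5.14.95.246 255.255.255.255
!
router ospf 1
 router-id 5.14.95.246
 network 5.14.95.246 0.0.0.0 area 0
 network 5.14.96.0 0.0.0.255 area 0
!
mpls ldp router-id Loopback0 force
"""

AFTER = """\
hostname rt-lon-12
!
interface Loopback0
 ip address 5.14.95.246 255.255.255.255
!
router ospf 1
 router-id 5.14.95.246
 network 5.14.96.0 0.0.0.255 area 0
!
mpls ldp router-id Loopback0 force
"""


def qualified_lines(cfg: str) -> Set[Tuple[str, str]]:
    """Flatten an IOS config into (section, line) pairs.

    A top-level command is its own section; an indented line belongs to
    the most recent top-level command.  That way a removed 'network'
    statement is reported together with its 'router ospf' parent.
    """
    pairs: Set[Tuple[str, str]] = set()
    section = ""
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw.startswith(" "):
            pairs.add((section, line))
        else:
            section = line
            pairs.add((section, section))
    return pairs


def _fmt(pair: Tuple[str, str]) -> str:
    section, line = pair
    return section if section == line else f"{section} | {line}"


def config_delta(before: str, after: str) -> Dict[str, List[str]]:
    """Return removed and added lines as 'section | line' strings (the
    '-' and '+' lines of a RANCID diff mail), sorted for stable output."""
    old, new = qualified_lines(before), qualified_lines(after)
    return {
        "removed": sorted(_fmt(p) for p in old - new),
        "added": sorted(_fmt(p) for p in new - old),
    }


def risky_removals(delta: Dict[str, List[str]]) -> List[str]:
    """Removals under routing/MPLS/loopback sections: the first lines to
    read when OSPF or LDP neighbours drop right after a %SYS-5-CONFIG_I."""
    return [l for l in delta["removed"] if l.startswith(RISKY_PREFIXES)]


if __name__ == "__main__":
    delta = config_delta(BEFORE, AFTER)
    for line in delta["removed"]:
        print("-", line)
    for line in delta["added"]:
        print("+", line)
    for line in risky_removals(delta):
        print("!! check:", line)
```

Feed it the previous and current `show running-config` text (RANCID keeps the previous copy under version control) and read the risky list first; on the constructed input it reports exactly one removal, `router ospf 1 | network 5.14.95.246 0.0.0.0 area 0`, which is the loopback losing its OSPF reachability and with it the LDP transport address.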
From techconfig at yahoo.com Fri Nov 7 05:44:09 2008 From: techconfig at yahoo.com (Mark Tech) Date: Fri, 7 Nov 2008 02:44:09 -0800 (PST) Subject: [c-nsp] GSR no ldp all of a sudden References: <880615.45377.qm@web44811.mail.sp1.yahoo.com> <641393.84470.qm@web44804.mail.sp1.yahoo.com> <200811071652.49889.mtinka@globaltransit.net> Message-ID: <788694.67680.qm@web44806.mail.sp1.yahoo.com> Hi Actually we do run RANCID in the production network, however these boxes are still on test :) Cheers Mark ----- Original Message ---- From: Mark Tinka To: cisco-nsp at puck.nether.net Cc: Mark Tech ; Brian Turnbow Sent: Friday, November 7, 2008 8:52:45 AM Subject: Re: [c-nsp] GSR no ldp all of a sudden On Friday 07 November 2008 16:46:01 Mark Tech wrote: > Got it. OSPF was removed from loopback interface Just wondering if you have RANCID configured so you can learn, more quickly, what changes the router has undergone. Cheers, Mark. From hank at efes.iucc.ac.il Fri Nov 7 05:57:40 2008 From: hank at efes.iucc.ac.il (Hank Nussbacher) Date: Fri, 7 Nov 2008 12:57:40 +0200 (IST) Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)... In-Reply-To: <200811062338406.SM03088@[64.59.94.34]> References: <200811062338406.SM03088@[64.59.94.34]> Message-ID: On Fri, 7 Nov 2008, Jeremy Reid wrote: Do you have an ACL on the source ports? I hit this years ago: CSCsb21148 Rx SPAN may not work when outbound ACL is applied to source interface A Catalyst 6500 switch running with SUP720 IOS version 12.2(18)SXE1 or greater may drop Rx SPAN packets if there is an outbound ACL applied on the source interface of the SPAN session. Workaround: - remove outbound ACL from source interface - downgrade to 12.2(18)SXD6 or lower The fix for this bug only applies to WS-X67xx line cards (SPAN source port on 67xx line cards ).
The fix for 65xx line cards went in through another DDTS CSCse41963 in 12.2(18)SXF5 and higher codes. -Hank > Hi, > > I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down: > > We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak. This does not appear to be a counters problem, as we can confirm from the destination device on the other end of the SPAN port that it is indeed only seeing 5Gbps worth of traffic. > > Doing a little 'deconstructive' unit testing -- we have tried eliminating the 'aggregation angle' and picked a single source 10G interface that only had about 1Gbps worth of traffic to span. Looking at the destination interface, it was consistently only reporting about 600Mbps. We have tried various such tests and we always seem to get similar results in that the destination interface traffic is always significantly (between 20 and 40%) LESS than whatever the source interface is actually carrying -- at least on the egress side of things (our ingress traffic is not sizable enough to gauge accurately). > > There are no physical errors/malformed frames/drops (including queue drops) being reported on either the SPAN source interface(s) or the destination. Jumbos aren't allowed on either interface, so it's not related to that either. The only plus to this (from a troubleshooting perspective, anyway) is that it is consistently 'broke' -- which should make finding the solution easier, but so far, it has proved rather elusive. > > We have replicated this scenario on both our current code (SXH3a) as well as SXF14 (previous code until very recently).
Further, we can replicate it on multiple independent 65k platforms (all equipped similarly). We have also verified there is no bus/proc oversubscription or anything of the sort going on -- but even went to the extent of moving two test interfaces containing both the SPAN source and destination to the same physical linecard (6704-10GE) and even popped in a DFC3BXL on this linecard for good measure (even though we saw no reason to do so from a numbers point of view). No change in the behavior with the DFC. > > Anyone seen anything along these lines? Couldn't find anything publicly on the bug toolkit that seemed relevant... (big surprise). Just thought I'd try the list here before getting on the TAC merry-go-round. > > Thoughts? > > -Jeremy > > Jeremy Reid > Network Engineer > Mojohost From adriankok2000 at yahoo.com.hk Fri Nov 7 07:52:04 2008 From: adriankok2000 at yahoo.com.hk (adrian kok) Date: Fri, 7 Nov 2008 20:52:04 +0800 (CST) Subject: [c-nsp] help: copy run tftp Message-ID: <579826.60286.qm@web33303.mail.mud.yahoo.com> Hi I installed a tftp server in linux and it is running router#copy running-config tftp Address or name of remote host []? 192.168.0.3 Destination filename [router-confg]? ..... %Error opening tftp://192.168.0.3/router-confg (Timed out) After checking the tftp server on 192.168.0.3, I fixed it to allow the router to connect. But when I run the command a second time, it is another error: it shows file not found! Why? router#copy running-config tftp Address or name of remote host []? 192.168.0.3 Destination filename [router-confg]?
TFTP: error code 1 received - File not found Thank you From gkg at gmx.de Fri Nov 7 08:06:35 2008 From: gkg at gmx.de (Garry) Date: Fri, 07 Nov 2008 14:06:35 +0100 Subject: [c-nsp] help: copy run tftp In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com> References: <579826.60286.qm@web33303.mail.mud.yahoo.com> Message-ID: <49143D5B.4080007@gmx.de> adrian kok wrote: > router#copy running-config tftp > Address or name of remote host []? 192.168.0.3 > Destination filename [router-confg]? > TFTP: error code 1 received - File not found > Did you allow the TFTP-Clients to create new files? If not, you will have to create the file first with sufficient rights for the TFTP-Server to overwrite, then copy again. -garry From drew.weaver at thenap.com Fri Nov 7 08:28:35 2008 From: drew.weaver at thenap.com (Drew Weaver) Date: Fri, 7 Nov 2008 08:28:35 -0500 Subject: [c-nsp] IP Cef load sharing, quick question Message-ID: Hi there. We have a simple L3 switch (I think it's a 2960G) that we need to do some even simpler fault tolerance and load sharing on. We were going to connect this switch to 3x switches upstream and then do something like this: ip route 0.0.0.0 0.0.0.0 g0/32 gwip ip route 0.0.0.0 0.0.0.0 g0/33 gwip ip route 0.0.0.0 0.0.0.0 g0/34 gwip When we were testing we noticed some (well, quite a bit) of strangeness with traceroutes and the like (many multiple hops for the same hop, etc.). Is there a better way to do what we're trying to achieve? We were thinking about maybe doing VRRP on the 3 switches upstream but then we would only be using 1Gbps and the goal is to be able to use "a little more than" 1Gbps. Normally we'd just let routing protocols handle all of this fun, but this isn't our 'regular' slice of equipment.
Any advice is swell, -Drew From paul at paulstewart.org Fri Nov 7 08:23:17 2008 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 7 Nov 2008 08:23:17 -0500 Subject: [c-nsp] Cisco IOS for broadband aggregation In-Reply-To: <49135E31.8010102@isp.solcon.nl> References: <49135E31.8010102@isp.solcon.nl> Message-ID: <000001c940dc$02301c60$06905520$@org> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels). On the NPE-1G's we're running the same release with no issue either.... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek Sent: Thursday, November 06, 2008 4:14 PM To: Roddy Strachan Cc: Cisco-nsp Subject: Re: [c-nsp] Cisco IOS for broadband aggregation What kind of features do you use with the 7206VXR box ? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6. regards Rinse Roddy Strachan wrote: > Ruben, > > Funny you mention it. > > I've just finished an upgrade of a mixture of 7301 and 7206vxr to > 12.2(31)SB13. > > Had a 7301 running in production for 1 week, no issues, the LNS seems a lot > more stable if you ask me. > > Don't know how the 7206 will go as they have been in production less than an > hour :). > > So far so good, no real issues to report. > > > > On 7/11/08 8:03 AM, "Ruben Alvarez" wrote: > > >> Hi All, >> >> I'm upgrading IOS on my c7206VXR with an npe-300 and: >> UBR7200-I/O-2FE/E >> PA-A3-T3= >> PA-IMA-T1= >> PA-4E= >> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the >> 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't >> seen much about it. I assume it's got the same features as (28)? If anyone >> has any feedback let me know. >> >> Thanks.
>> >> > > > This email and any files transmitted with it are confidential and intended > solely for the use of the individual or entity to whom they are addressed. > Please notify the sender immediately by email if you have received this > email by mistake and delete this email from your system. Please note that > any views or opinions presented in this email are solely those of the > author and do not necessarily represent those of the organisation. > Finally, the recipient should check this email and any attachments for > the presence of viruses. The organisation accepts no liability for any > damage caused by any virus transmitted by this email. > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Fri Nov 7 08:23:17 2008 From: paul at paulstewart.org (Paul Stewart) Date: Fri, 7 Nov 2008 08:23:17 -0500 Subject: [c-nsp] Config Length Limit? 7600 Message-ID: <001001c940dc$1678fb60$436af220$@org> Hi there... Is there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc. Thanks, Paul From csirek at cooler.hu Fri Nov 7 08:46:09 2008 From: csirek at cooler.hu (Nemeth Laszlo) Date: Fri, 07 Nov 2008 14:46:09 +0100 Subject: [c-nsp] service policy + SYN flood vs. 
periodic high cpu load In-Reply-To: <49131A46.7030801@cooler.hu> References: <49131A46.7030801@cooler.hu> Message-ID: <491446A1.7050204@cooler.hu> Hi all, I made an RP and SP monitor session. Under the SYN flood i saw the router got 250 SYN packets before it sent back the first ACK,RST packet. Is that normal? When the cpu load wave comes again it got more (not much) SYN without ACK,RST. I have no idea what this periodic CPU load wave is, but i see it only under SYN flood. If i send only ICMP (size 1400) flood, i don't see these waves. Laszlo Nemeth Laszlo wrote: > Hi all, > > I'm testing the control plane policy in my lab. Now i found a very > interesting event. > > I have a 6500/sup720 with different IOS (SXF6, SXF10a, SXH3a). I send a > very big SYN flood to this router. > > I'm doing this test in clear config. (erase startup, reload :) ) > > I made a policy: > > class-map match-all synfloodgeprol > match access-group 199 > ! > policy-map synflood-in > class synfloodgeprol > police cir 128000 bc 4000 be 4000 conform-action transmit > exceed-action drop violate-action drop > ! > access-list 199 remark DEFAULT > access-list 199 permit tcp any any > access-list 199 permit udp any any > access-list 199 permit icmp any any > access-list 199 permit ip any any > ! > interface GigabitEthernet5/2 > ip address 10.0.0.1 255.255.255.0 > load-interval 30 > media-type rj45 > service-policy input synflood-in > > I tried to put the service-policy on the control-plane but no difference: > > The input interface traffic is: > > 30 second input rate 155775000 bits/sec, 304249 packets/sec > 30 second output rate 128000 bits/sec, 250 packets/sec > > The output rate is good, the cpu receives 128K SYN and answers 128K > ACK/RST packets because my policy is working. That is the goal in this > case.
> > Under this flood the CPU load: > > Router#cpu > CPU utilization for five seconds: 0%/0%; one minute: 3%; five minutes:6% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 3 1368 1378 992 0.55% 0.07% 0.06% 0 Exec > 5 3868 263 14707 0.00% 0.33% 0.25% 0 Check hea > 20 2624 34446 76 0.00% 0.09% 0.06% 0 IPC Seat > 43 652 27 24148 0.00% 0.02% 0.00% 0 Per-minu > 155 57572 310276 185 0.00% 1.57% 3.56% 0 IP Input > 230 368 2206 166 0.00% 0.01% 0.00% 0 CEF: IPv4 > 240 528 703 751 0.07% 0.03% 0.02% 0 HIDDEN VL > > The policy is working great. > > But every 4th minute the cpu load goes up: > > Router#cpu > CPU utilization for five seconds: 79%/68%; one minute: 8%; five minutes: 6% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 3 2012 1617 1244 0.31% 0.61% 0.22% 0 Exec > 5 4072 278 14647 0.00% 0.20% 0.22% 0 Check hea > 20 2812 37348 75 0.00% 0.04% 0.05% 0 IPC Seat > 27 56 555 100 0.00% 0.02% 0.00% 0 EnvMon > 43 708 29 24413 0.00% 0.03% 0.00% 0 Per-minut > 155 59732 336634 177 10.47% 1.13% 2.68% 0 IP Input > 230 400 2373 168 0.00% 0.01% 0.00% 0 CEF: IPv4 > 240 568 756 751 0.00% 0.03% 0.02% 0 HIDDEN VL > > some seconds later: > > Router#cpu > CPU utilization for five seconds: 99%/7%; one minute: 15%; five minutes: 7% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 3 2100 1637 1282 1.11% 0.65% 0.23% 0 Exec > 5 4072 278 14647 0.00% 0.19% 0.22% 0 Check he > 20 2812 37348 75 0.00% 0.03% 0.05% 0 IPC Seat > 27 56 555 100 0.00% 0.02% 0.00% 0 EnvMon > 43 708 29 24413 0.00% 0.03% 0.00% 0 Per-minu > 77 252 1539 163 0.07% 0.00% 0.00% 0 Heartbeat > 155 66192 338269 195 90.71% 8.30% 4.14% 0 IP Input > 230 400 2382 167 0.07% 0.02% 0.00% 0 CEF: IPv4 > 240 572 759 753 0.00% 0.03% 0.01% 0 HIDDEN VL > > and again some seconds later: > > Router#cpu > CPU utilization for five seconds: 0%/0%; one minute: 2%; five minutes: 6% > PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process > 3 2320 1730 1341 0.23% 0.08% 0.17% 0 Exec > 5 4552 308 14779 0.00% 0.25%
0.24% 0 Check hea > 20 3008 40249 74 0.00% 0.04% 0.04% 0 IPC Seat > 43 792 32 24750 0.00% 0.04% 0.00% 0 Per-minu > 77 316 1702 185 0.00% 0.01% 0.00% 0 Heartbeat > 155 68644 378964 181 0.00% 1.03% 3.26% 0 IP Input > 230 444 2639 168 0.07% 0.02% 0.00% 0 CEF: IPv4 > 240 636 841 756 0.00% 0.03% 0.02% 0 HIDDEN VL > > > > This is the history of cpu: > > 55555999999999944444 > 333330000099999666667777711111 2222211111 > 100 ********** > 90 ********** > 80 ********** > 70 ********** > 60 ********** > 50 ******************** > 40 ******************** > 30 ******************** > 20 ******************** > 10 ******************** > 0....5....1....1....2....2....3....3....4....4....5....5.... > 0 5 0 5 0 5 0 5 0 5 > CPU% per second (last 60 seconds) > > 1 > 0 9 9 12 > 460444944394439 > 100 * * * > 90 * * * > 80 * * * > 70 * * * > 60 * * * > 50 * * * > 40 * * * > 30 * * * * > 20 # # # * > 10 # # # ** > 0....5....1....1....2....2....3....3....4....4....5....5.... > 0 5 0 5 0 5 0 5 0 5 > CPU% per minute (last 60 minutes) > * = maximum CPU% # = average CPU% > > > If i increase the 128K to 256K in the policy, the big CPU load comes > every 2nd minute. > > If i set it to 64K, the load stays at every 4th minute, but is ~40-50% > instead of 100%. > > Any idea?
> > Thanks > > Laszlo > _______________________________________________ > cisco-nsp mailing list > cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From b.turnbow at twt.it Fri Nov 7 08:56:02 2008 From: b.turnbow at twt.it (Brian Turnbow) Date: Fri, 7 Nov 2008 14:56:02 +0100 Subject: [c-nsp] Cisco IOS for broadband aggregation In-Reply-To: <000001c940dc$02301c60$06905520$@org> References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org> Message-ID: We're still on 12.2.31SB13 with g2s mainly due to an issue we found with tcp header compression with SRC. We have some small vbr connections for voip with header compression enabled and found that a telnet session over the link would cause the router to crash in SRC. Brian -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: Friday, 7 November 2008 14:23 To: 'Rinse Kloek'; 'Roddy Strachan' Cc: 'Cisco-nsp' Subject: Re: [c-nsp] Cisco IOS for broadband aggregation We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels). On the NPE-1G's we're running the same release with no issue either.... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek Sent: Thursday, November 06, 2008 4:14 PM To: Roddy Strachan Cc: Cisco-nsp Subject: Re: [c-nsp] Cisco IOS for broadband aggregation What kind of features do you use with the 7206VXR box ? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6. regards Rinse Roddy Strachan wrote: > Ruben, > > Funny you mention it.
>
> I've just finished an upgrade of a mixture of 7301 and 7206vxr to 12.2(31)SB13.
>
> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot more stable if you ask me.
>
> Don't know how the 7206 will go as they have been in production less than an hour :).
>
> So far so good, no real issues to report.
>
> On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
>
>> Hi All,
>>
>> I'm upgrading IOS on my c7206VXR with an npe-300 and:
>> UBR7200-I/O-2FE/E
>> PA-A3-T3=
>> PA-IMA-T1=
>> PA-4E=
>> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't seen much about it. I assume it's got the same features as (28)? If anyone has any feedback let me know.
>>
>> Thanks.
>
> This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email.
From dcp at dcptech.com Fri Nov 7 09:00:34 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 7 Nov 2008 09:00:34 -0500
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <001001c940dc$1678fb60$436af220$@org>
References: <001001c940dc$1678fb60$436af220$@org>
Message-ID: <003301c940e1$36833ec0$a389bc40$@com>

NVRAM space; then you can use "service compress-config", but that makes boot time slower. You have 2MB of NVRAM; mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also the snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Are there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From paul at paulstewart.org Fri Nov 7 09:18:49 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 09:18:49 -0500
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <003301c940e1$36833ec0$a389bc40$@com>
References: <001001c940dc$1678fb60$436af220$@org> <003301c940e1$36833ec0$a389bc40$@com>
Message-ID: <001901c940e3$c2837a00$478a6e00$@org>

Thanks... confirmed what I was wondering.... we have lots of free space there, which takes the concern out of the equation today...;)

Cheers!

Paul

-----Original Message-----
From: David Prall [mailto:dcp at dcptech.com]
Sent: Friday, November 07, 2008 9:01 AM
To: 'Paul Stewart'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Config Length Limit? 7600

NVRAM space; then you can use "service compress-config", but that makes boot time slower. You have 2MB of NVRAM; mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also the snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Are there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From b.turnbow at twt.it Fri Nov 7 11:30:51 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 7 Nov 2008 17:30:51 +0100
Subject: [c-nsp] Config Length Limit? 7600
In-Reply-To: <003301c940e1$36833ec0$a389bc40$@com>
References: <001001c940dc$1678fb60$436af220$@org> <003301c940e1$36833ec0$a389bc40$@com>
Message-ID:

You can always save /boot to/from a copy saved to disk.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of David Prall
Sent: Friday 7 November 2008 15.01
To: 'Paul Stewart'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Config Length Limit? 7600

NVRAM space; then you can use "service compress-config", but that makes boot time slower. You have 2MB of NVRAM; mine states 1917KB. But crypto keys and the such don't show up in "sh run" and they do take space. Also the snmp ifindex takes space as well.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
> Sent: Friday, November 07, 2008 8:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Config Length Limit? 7600
>
> Hi there...
>
> Are there any limits we need to be aware of on a Sup720-3BXL 7600 in regards to size of configuration files? One of our core routers is hitting about 35k lines of config currently and we may need to add upwards of 50k more to the configuration in the near future.... this is mainly prefix-lists etc.
>
> Thanks,
>
> Paul

From sthaug at nethelp.no Fri Nov 7 11:50:06 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Fri, 07 Nov 2008 17:50:06 +0100 (CET)
Subject: [c-nsp] IP Cef load sharing, quick question
In-Reply-To:
References:
Message-ID: <20081107.175006.74682859.sthaug@nethelp.no>

> We have a Simple L3 switch (I think it's a 2960G) that we need to do some even simpler fault tolerance and load sharing on.
>
> We were going to connect this switch to 3x switches upstream and then do something like this:
>
> ip route 0.0.0.0 0.0.0.0 g0/32 gwip
> ip route 0.0.0.0 0.0.0.0 g0/33 gwip
> ip route 0.0.0.0 0.0.0.0 g0/34 gwip

You are of course aware that not specifying an IP nexthop means you'll get lots of unnecessary ARPing here, and that the upstream routers have to support proxy ARP?

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From peter at rathlev.dk Fri Nov 7 12:32:31 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 07 Nov 2008 18:32:31 +0100
Subject: [c-nsp] IP Cef load sharing, quick question
In-Reply-To:
References:
Message-ID: <1226079151.3474.8.camel@abehat>

On Fri, 2008-11-07 at 08:28 -0500, Drew Weaver wrote:
> We have a Simple L3 switch (I think it's a 2960G) that we need to do
> some even simpler fault tolerance and load sharing on.

They're not 2960s, since those are L2 only. Maybe 3560s?
> We were going to connect this switch to 3x switches upstream and then
> do something like this:
>
> ip route 0.0.0.0 0.0.0.0 g0/32 gwip
> ip route 0.0.0.0 0.0.0.0 g0/33 gwip
> ip route 0.0.0.0 0.0.0.0 g0/34 gwip

As Steinar mentions, you should use a specific next hop address. I assume that the three interfaces are routed ports, or that they use separate VLANs. What's upstream?

> When we were testing we noticed some (well, quite a bit) of strangeness
> with traceroutes and the like (many multiple hops for the same, hop..
> etc)

What exactly do you mean with "many multiple hops"? Different answers for multiple requests with the same TTL (same hop in traceroute) is not all that unusual for multiple paths -- each path is eligible for the traffic, so each next hop router can answer.

The L3 switches (i.e. not software based routers) typically use a hashed load sharing algorithm, resulting in per destination or per source (or a combination) load sharing. They could also include the ports in the hashing, meaning that a traceroute using a different source port per probe would result in different next hops. If this is unwanted, you can change the algorithm to something that doesn't include L4 ports.

> is there a better way to do what we're trying to achieve?
>
> We were thinking about maybe doing VRRP on the 3 switches upstream but
> then we would only be using 1Gbps and the goal is to be able to use "a
> little more than" 1Gbps.

You _could_ use GLBP as a load sharing enabled equivalent of VRRP. Don't know if your hardware/software supports it though. And equal cost multipath (ECMP) would be my preferred choice if possible.

Regards,
Peter

From daniel_p_lacey at yahoo.com Fri Nov 7 13:30:23 2008
From: daniel_p_lacey at yahoo.com (Daniel Lacey)
Date: Fri, 07 Nov 2008 10:30:23 -0800
Subject: [c-nsp] Multiple Ethernet links for redundancy
Message-ID: <4914893F.7050806@yahoo.com>

Hi all,

I have a 7206 with two fastethernet port adapters.
I would like to have both of these run to the 6506 switch.

I need a scenario that would allow one of the links to work if the other goes down.
This is for redundancy and not for bandwidth issues.

I was wondering if it is possible (or desirable) to make them a Multilink bundle?

Any other suggestions?

Thanks,
Dan Lacey

From rinse.kloek at isp.solcon.nl Fri Nov 7 13:47:35 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Fri, 07 Nov 2008 19:47:35 +0100
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <49148D47.3000808@isp.solcon.nl>

One option is to configure both interfaces with the same IP addresses and settings and use the following command on the primary interface:

 interface GigabitEthernet0/1
  backup interface GigabitEthernet0/2
  ip address 10.10.10.1 255.255.255.0
 interface GigabitEthernet0/2
  ip address 10.10.10.1 255.255.255.0

The GigabitEthernet 0/1 will be up and the GigabitEthernet 0/2 will be standby. If the link on Gi0/1 goes down, Gi0/2 will come up.

regards Rinse

Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the
> other goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a
> Multilink bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From rinse.kloek at isp.solcon.nl Fri Nov 7 13:51:58 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek)
Date: Fri, 07 Nov 2008 19:51:58 +0100
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <000001c940dc$02301c60$06905520$@org>
References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org>
Message-ID: <49148E4E.1070001@isp.solcon.nl>

Do you use 12.2(33)SRC2 in a box as Aggregation Router? One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248).

kind regards Rinse

Paul Stewart wrote:
> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very
> brave and ran some 12.4T code for a while and had a major issue every 3-4
> weeks that required a reboot (inbound sessions would just stop coming in
> pretty much via l2tp tunnels).
>
> On the NPE-1G's we're running the same release with no issues either....
>
> Paul
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek
> Sent: Thursday, November 06, 2008 4:14 PM
> To: Roddy Strachan
> Cc: Cisco-nsp
> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>
> What kind of features do you use with the 7206VXR box? We are also
> looking to upgrade to 12.2.31SB13 because we have some problems with
> 12.2(31)SB6.
>
> regards Rinse
>
> Roddy Strachan wrote:
>
>> Ruben,
>>
>> Funny you mention it.
>>
>> I've just finished an upgrade of a mixture of 7301 and 7206vxr to
>> 12.2(31)SB13.
>>
>> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot
>> more stable if you ask me.
>>
>> Don't know how the 7206 will go as they have been in production less than an
>> hour :).
>>
>> So far so good, no real issues to report.
>>
>>
>> On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
>>
>>> Hi All,
>>>
>>> I'm upgrading IOS on my c7206VXR with an npe-300 and:
>>> UBR7200-I/O-2FE/E
>>> PA-A3-T3=
>>> PA-IMA-T1=
>>> PA-4E=
>>> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the
>>> 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't
>>> seen much about it. I assume it's got the same features as (28)? If anyone
>>> has any feedback let me know.
>>>
>>> Thanks.
>>
>

From pshuleski at gmail.com Fri Nov 7 13:56:21 2008
From: pshuleski at gmail.com (Pete S.)
Date: Fri, 7 Nov 2008 13:56:21 -0500
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <50f158990811071056i485be057sb4809519cfbce6c5@mail.gmail.com>

You can make each port a routed interface (/30 or /31) to the 6500. Control the failover/load balancing with your IGP.

--Pete

On Fri, Nov 7, 2008 at 1:30 PM, Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other
> goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a Multilink
> bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From asadh at comcast.net Fri Nov 7 14:00:49 2008
From: asadh at comcast.net (Asad)
Date: Fri, 7 Nov 2008 19:00:49 +0000
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <623938200-1226084442-cardhu_decombobulator_blackberry.rim.net-1922886597-@bxe125.bisx.prod.on.blackberry>

You can try a port-channel and add both interfaces to the bundle. This would provide redundancy + more BW.

Asad

Sent from my Verizon Wireless BlackBerry

-----Original Message-----
From: Daniel Lacey
Date: Fri, 07 Nov 2008 10:30:23
To:
Subject: [c-nsp] Multiple Ethernet links for redundancy

Hi all,

I have a 7206 with two fastethernet port adapters.
I would like to have both of these run to the 6506 switch.

I need a scenario that would allow one of the links to work if the other goes down.
This is for redundancy and not for bandwidth issues.
I was wondering if it is possible (or desirable) to make them a Multilink bundle?

Any other suggestions?

Thanks,
Dan Lacey

From paul at paulstewart.org Fri Nov 7 14:09:18 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Fri, 7 Nov 2008 14:09:18 -0500
Subject: [c-nsp] Cisco IOS for broadband aggregation
In-Reply-To: <49148E4E.1070001@isp.solcon.nl>
References: <49135E31.8010102@isp.solcon.nl> <000001c940dc$02301c60$06905520$@org> <49148E4E.1070001@isp.solcon.nl>
Message-ID: <000001c9410c$569d9270$03d8b750$@org>

Yes, that's correct - LAC/LNS.

We don't run Netflow off that box in particular (we do in our core 7600's though) so haven't come across that bug yet ;)

Paul

-----Original Message-----
From: Rinse Kloek [mailto:rinse.kloek at isp.solcon.nl]
Sent: Friday, November 07, 2008 1:52 PM
To: Paul Stewart
Cc: 'Roddy Strachan'; 'Cisco-nsp'
Subject: Re: [c-nsp] Cisco IOS for broadband aggregation

Do you use 12.2(33)SRC2 in a box as Aggregation Router? One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248).

kind regards Rinse

Paul Stewart wrote:
> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very
> brave and ran some 12.4T code for a while and had a major issue every 3-4
> weeks that required a reboot (inbound sessions would just stop coming in
> pretty much via l2tp tunnels).
>
> On the NPE-1G's we're running the same release with no issues either....
>
> Paul

From dudepron at gmail.com Fri Nov 7 15:57:05 2008
From: dudepron at gmail.com (Aaron)
Date: Fri, 7 Nov 2008 15:57:05 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <49143D5B.4080007@gmx.de>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com> <49143D5B.4080007@gmx.de>
Message-ID: <480dad640811071257k761564e0n26f9066903048f7c@mail.gmail.com>

Create the file in your tftp dir using touch...

touch then chmod 777

Then you should be good to go.

Note that this file is world readable and writable..

Aaron

On Fri, Nov 7, 2008 at 8:06 AM, Garry wrote:
> adrian kok wrote:
> > router#copy running-config tftp
> > Address or name of remote host []? 192.168.0.3
> > Destination filename [router-confg]?
> > TFTP: error code 1 received - File not found
>
> Did you allow the TFTP-Clients to create new files? If not, you will
> have to create the file first with sufficient rights for the TFTP-Server
> to overwrite, then copy again.
>
> -garry

From aaron at wsc.ma.edu Fri Nov 7 16:54:59 2008
From: aaron at wsc.ma.edu (Childs, Aaron)
Date: Fri, 7 Nov 2008 16:54:59 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com>
Message-ID: <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>

Hi Adrian,

Add -c to the server_args. This will allow the tftp clients to create the file.
Aaron
-----------
Aaron Childs
Assistant Director, Networking
Westfield State College
http://www.wsc.ma.edu/it/

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
Sent: Friday, November 07, 2008 7:52 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] help: copy run tftp

Hi

I installed a tftp server in linux and it is running

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
.....
%Error opening tftp://192.168.0.3/router-confg (Timed out)

After checking the tftp server on 192.168.0.3, I fixed it to allow the router to connect.

But when I run the command a second time, it is another error:

it shows the file not found! why?

router#copy running-config tftp
Address or name of remote host []? 192.168.0.3
Destination filename [router-confg]?
TFTP: error code 1 received - File not found

Thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com

From danvoyer at gmail.com Fri Nov 7 18:22:44 2008
From: danvoyer at gmail.com (Dan Voyer)
Date: Fri, 7 Nov 2008 18:22:44 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <579826.60286.qm@web33303.mail.mud.yahoo.com>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com>
Message-ID: <6c66c78d0811071522n5c5f50a3h6abf7ef341a94842@mail.gmail.com>

tftp doesn't allow you to actually "create" a file. So create that exact same file on your tftp server, then restart your stuff in your router.

On Fri, Nov 7, 2008 at 7:52 AM, adrian kok wrote:
> Hi
>
> I install tftp server in linux and it is running
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> .....
> %Error opening tftp://192.168.0.3/router-confg (Timed
> out)
>
> After checking tftp server in 192.168.0.3, I fix it to
> allow the router connect.
>
> but when I run command in second time, it is another
> error
>
> it shows the file not found! why?
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>
> Thank you

From dudepron at gmail.com Fri Nov 7 20:56:37 2008
From: dudepron at gmail.com (Aaron)
Date: Fri, 7 Nov 2008 20:56:37 -0500
Subject: [c-nsp] help: copy run tftp
In-Reply-To: <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>
References: <579826.60286.qm@web33303.mail.mud.yahoo.com> <3760B7E1B344364AA0384B231FE7BA6915787FC7@ex-be1.ads.wsc.ma.edu>
Message-ID: <480dad640811071756l6b26aec4u688892434a93e644@mail.gmail.com>

That doesn't look like a valid arg for freebsd. -c sets the root dir.

Aaron

On Fri, Nov 7, 2008 at 4:54 PM, Childs, Aaron wrote:
> Hi Adrian,
> Add -c to the server_args. This will allow the tftp clients create the
> file.
>
> Aaron
> -----------
> Aaron Childs
> Assistant Director, Networking
> Westfield State College
> http://www.wsc.ma.edu/it/
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
> On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
> Sent: Friday, November 07, 2008 7:52 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] help: copy run tftp
>
> Hi
>
> I install tftp server in linux and it is running
>
> router#copy running-config tftp
> Address or name of remote host []?
> 192.168.0.3
> Destination filename [router-confg]?
> .....
> %Error opening tftp://192.168.0.3/router-confg (Timed
> out)
>
> After checking tftp server in 192.168.0.3, I fix it to
> allow the router connect.
>
> but when I run command in second time, it is another
> error
>
> it shows the file not found! why?
>
> router#copy running-config tftp
> Address or name of remote host []? 192.168.0.3
> Destination filename [router-confg]?
> TFTP: error code 1 received - File not found
>
> Thank you

From spinthiras.mario at gmail.com Fri Nov 7 21:26:09 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Sat, 8 Nov 2008 04:26:09 +0200
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4914893F.7050806@yahoo.com>
References: <4914893F.7050806@yahoo.com>
Message-ID: <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>

Most beneficial is to port-channel the interfaces. This is clever in many ways. Handling the interface redundancy any other way complicates things IMHO. With a port-channel interface you have more bandwidth and redundancy.

Regards,
Mario
http://www.spinthiras.net/

On Fri, Nov 7, 2008 at 8:30 PM, Daniel Lacey wrote:
> Hi all,
>
> I have a 7206 with two fastethernet port adapters.
> I would like to have both of these run to the 6506 switch.
>
> I need a scenario that would allow one of the links to work if the other
> goes down.
> This is for redundancy and not for bandwidth issues.
>
> I was wondering if it is possible (or desirable) to make them a Multilink
> bundle?
>
> Any other suggestions?
>
> Thanks,
> Dan Lacey

From nicklinn at nurro.net Sat Nov 8 10:49:53 2008
From: nicklinn at nurro.net (Nicholas Linn)
Date: Sat, 8 Nov 2008 10:49:53 -0500
Subject: [c-nsp] c3660: Utterly baffled by ROMs
Message-ID: <000001c941b9$a7b93da0$6a01a8c0@nurronetworks.com>

Hello,

I just bought myself a c3661 to play around with and experiment on. At any rate the machine is running bootstrap version 12.0(5r), which I want to upgrade to 12.0(6r)T or whatever the latest version is. I have looked around and seem to be only able to find the upgrades for the 3620-3640. Does anyone know who sells this or has a digital image that I can burn myself to a flash chip?

Thanks,

Nick

From rbf+cisco-nsp at panix.com Sat Nov 8 12:51:40 2008
From: rbf+cisco-nsp at panix.com (Brett Frankenberger)
Date: Sat, 8 Nov 2008 11:51:40 -0600
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com>
Message-ID: <20081108175140.GA12497@panix.com>

On Sat, Nov 08, 2008 at 04:26:09AM +0200, Mario Spinthiras wrote:
> Most beneficial is to port-channel the interfaces. This is clever in many
> ways. Handling the interface redundancy any other way complicates things
> IMHO. With a port-channel interface you have more bandwidth and redundancy.

And you also have exposure to any failure that puts one of the links into a DOWN state on one end of the link but not on the other, and any failure that prevents traffic from flowing over a link but doesn't put the interfaces into a DOWN state.
On the other hand, having two Layer 3 links and running a routing protocol protects against most such failures -- if the OSPF hellos aren't being received bidirectionally, the link won't get used.

-- Brett

From spinthiras.mario at gmail.com Sat Nov 8 14:13:01 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Sat, 8 Nov 2008 21:13:01 +0200
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <20081108175140.GA12497@panix.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com>
Message-ID: <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>

That's very true. If you rely on etherchanneling then you are effectively relying on lower layer redundancy. If you go higher, then you rely on the normal operation of L3, etc...

Regards,
Mario A. Spinthiras
http://www.spinthiras.net/

From nicklinn at nurro.net Sat Nov 8 14:18:45 2008
From: nicklinn at nurro.net (Nicholas Linn)
Date: Sat, 8 Nov 2008 14:18:45 -0500
Subject: [c-nsp] c3660: Utterly baffled by ROMs
In-Reply-To:
References: <000001c941b9$a7b93da0$6a01a8c0@nurronetworks.com>
Message-ID: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com>

Ted,

Oh I have an image and it runs fine, to a degree. I had upgraded the flash memory in the unit and since I am working on a bit of a budget I got cheaper after market stuff. The problem is that my boot rom doesn't see the flash properly. So in order to run the correct image, I have to first boot a smaller image from a PCMCIA card, at which point the flash can now be seen; from there I need to do a "reload warm file xxxxxxxxx.bin" in order to boot the image I really want. In the end I am wasting about 12 megs on the PCMCIA card for the second image, that could be put to far better use.
I have been assured by the seller that the latest boot rom will see the flash properly; also having a tftp client from rommon would be nice too, which I understand some of the newer versions have.

I can find the boot-3600= (for the 3620 and 3640) in many places so I don't think my question is unreasonable.

Thanks,

Nick

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
Sent: Saturday, November 08, 2008 1:15 PM
To: Nicholas Linn
Subject: RE: [c-nsp] c3660: Utterly baffled by ROMs

Hi Nick,

You don't ever upgrade the roms, at least, you don't unless you like flushing money down the crapper for no reason. The unit is supposed to run from flash, the boot rom is only used to tell the unit where the flash code is, then once the flash code is loaded the unit never touches the rom again.

If you're saying that your unit boots and shows it's running from rom, if you login to it and do a show ver, then that means that whoever sold you the router wiped the flash - as they are supposed to do if they sell one of these. Just like people are supposed to wipe off any copy of Windows that is on an old computer that they sell. Or, perhaps yours had a flash card originally that someone removed.

You need to contact Cisco and get a referral to a Cisco reseller who will sell you a service contract for your unit. Once you have that then you can call Cisco and get the firmware you need.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Nicholas Linn
> Sent: Saturday, November 08, 2008 7:50 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] c3660: Utterly baffled by ROMs
>
>
> Hello,
>
> I just bought myself a c3661 to play around with and experiment
> on. At any rate the machine is running bootstrap version
> 12.0(5r) to which
> I want to upgrade to 12.0(6r)T or whatever the latest version is.
> I have looked around and seem to be only able to find the upgrades for the 3620-3640. Does anyone know who sells this or has a digital image that I can burn myself to a flash chip?
>
> Thanks,
>
> Nick
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From gwendel at gmail.com Sat Nov 8 17:51:13 2008
From: gwendel at gmail.com (Greg Wendel)
Date: Sat, 8 Nov 2008 17:51:13 -0500
Subject: [c-nsp] 65K: 10G SPAN destination interface outputs is significantly less traffic than sum of all source interfaces -- (not oversubscribed)...
In-Reply-To:
References: <200811062338406.SM03088@64.59.94.34>
Message-ID: <8dfae3430811081451n7d10d908i1af26e9471bbc8fe@mail.gmail.com>

The latest Spirent and Ixia test gear have 10 gig interfaces so you could use these to send 10 gigs of traffic with good reporting. Ixia allows you to rent their test gear so you could likely use them without spending too much money.

Good luck,
Greg, #20179(R&S)

On Fri, Nov 7, 2008 at 5:57 AM, Hank Nussbacher wrote:
> On Fri, 7 Nov 2008, Jeremy Reid wrote:
>
> Do you have an ACL on the source ports? I hit this years ago: CSCsb21148
>
> Rx SPAN may not work when outbound ACL is applied to source interface
> A Catalyst 6500 switch running with SUP720 IOS version 12.2(18)SXE1 or greater may drop Rx SPAN packets if there is an outbound ACL applied on the source interface of the SPAN session.
>
> Workaround:
> - remove outbound ACL from source interface
> - downgrade to 12.2(18)SXD6 or lower
>
> The fix for this bug only applies to WS-X67xx line cards (SPAN source port on 67xx line cards). The fix for 65xx line cards went in through another DDTS CSCse41963 in 12.2(18)SXF5 and higher codes.
>
> -Hank
>
>
> Hi,
>>
>> I'm wondering if anyone else on the list here has seen this issue we've been struggling to pin down:
>>
>> We are using interface SPAN (both rx tx) on the 65k platform (S720/3BXL, currently running SXH3a) to aggregate data from (3) different 10G interfaces into a 10G output port for use with a BGP route control product. The three input interfaces have a *combined* peak traffic rate of around 8Gbps. The SPAN destination interface, however, is only indicating that we are sending around 5Gbps at peak. This does not appear to be a counters problem, as we can confirm from the destination device on the other end of the SPAN port that it is indeed only seeing 5Gbps worth of traffic.
>>
>> Doing a little 'deconstructive' unit testing -- we have tried eliminating the 'aggregation angle' and picked a single source 10G interface that only had about 1Gbps worth of traffic to span. Looking at the destination interface, it was consistently only reporting about 600mbps. We have tried various such tests and we always seem to get similar results in that the destination interface traffic is always significantly (between 20 and 40%) LESS than whatever the source interface is actually carrying -- at least on the egress side of things (our ingress traffic is not sizable enough to gauge accurately).
>>
>> There are no physical errors/malformed frames/drops (including queue drops) being reported on either the SPAN source interface(s) or the destination. Jumbos aren't allowed on either interface, so it's not related to that either. The only plus to this (from a troubleshooting perspective, anyway) is that it is consistently 'broke' -- which should make finding the solution easier, but so far, it has proved rather elusive.
>>
>> We have replicated this scenario on both our current code (SXH3a) as well as SXF14 (previous code until very recently).
>> Further, we can replicate it on multiple independent 65k platforms (all equipped similarly). We have also verified there is no bus/proc oversubscription or anything of the sort going on -- but even went to the extent of moving two test interfaces containing both the SPAN source and destination to the same physical linecard (6704-10GE) and even popped in a DFC3BXL on this linecard for good measure (even though we saw no reason to do so from a numbers point of view). No change in the behavior with the DFC.
>>
>> Anyone seen anything along these lines? Couldn't find anything publicly on the bug toolkit that seemed relevant... (big surprise). Just thought I'd try the list here before getting on the TAC merry-go-round.
>>
>> Thoughts?
>>
>> -Jeremy
>>
>> Jeremy Reid
>> Network Engineer
>> Mojohost
>>
>

--
Gregory Wendel
Springfield VA, 22153

From danletkeman at gmail.com Sat Nov 8 19:48:28 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 8 Nov 2008 18:48:28 -0600
Subject: [c-nsp] ips usbflash
Message-ID:

Hello,

I have configured IPS on a 2821 running the firewall ios. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?

If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.

Dan.

From christian at broknrobot.com Sat Nov 8 19:56:54 2008
From: christian at broknrobot.com (Christian Koch)
Date: Sat, 8 Nov 2008 19:56:54 -0500
Subject: [c-nsp] ips usbflash
In-Reply-To:
References:
Message-ID:

do you have the signature location configured properly?
ie: ip ips config location flash:(directory)

On Sat, Nov 8, 2008 at 7:48 PM, Dan Letkeman wrote:
> Hello,
>
> I have configured IPS on a 2821 running the firewall ios. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?
>
> If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.
>
> Dan.
>

From danletkeman at gmail.com Sun Nov 9 00:18:46 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sat, 8 Nov 2008 23:18:46 -0600
Subject: [c-nsp] ips usbflash
In-Reply-To:
References:
Message-ID:

I booted up our test router with a different usb flash card and it shows up after a reload. Must be something with the usb flash card.

Dan.

On Sat, Nov 8, 2008 at 7:26 PM, Christian Koch wrote:
> Hmm, I can't think of anything else, that is odd.. you do have the public key configured, right?
>
> Also, how did you copy the sigs to the usb drive, from a pc? or ftp through the router?
>
> On Sat, Nov 8, 2008 at 8:04 PM, Dan Letkeman wrote:
>> As far as I know yes.
>>
>> ip ips config location usbflash1:/ retries 5 timeout 10
>>
>> Dan.
>>
>> On Sat, Nov 8, 2008 at 6:56 PM, Christian Koch wrote:
>>> do you have the signature location configured properly?
>>>
>>> ie: ip ips config location flash:(directory)
>>>
>>> On Sat, Nov 8, 2008 at 7:48 PM, Dan Letkeman wrote:
>>>> Hello,
>>>>
>>>> I have configured IPS on a 2821 running the firewall ios. I have the configuration and signature files on a usbflash card. It all works fine until the router reloads, then the usbflash does not mount. Is there a command to load it?
>>>>
>>>> If I do a "show usb device 1" it shows the device, and all the details, but I cannot do a dir on the device, and I cannot write to it.
>>>>
>>>> Dan.
>>>
>>
>

From tt_745 at yahoo.co.uk Sun Nov 9 09:24:21 2008
From: tt_745 at yahoo.co.uk (tt tt)
Date: Sun, 9 Nov 2008 14:24:21 +0000 (GMT)
Subject: [c-nsp] Configuring a channelized STM-1/OC3 SPA as a full STM-1
Message-ID: <606542.55093.qm@web26701.mail.ukl.yahoo.com>

Hi All,

Does anyone know if the channelized SPA-1XCHSTM1/OC3 can be configured as a full STM-1 (SDH)? We need to terminate a full STM-1 for around 6 months and then hope to reuse the card for channelized E1 services.

Thanks

Dave

From dudepron at gmail.com Sun Nov 9 12:00:42 2008
From: dudepron at gmail.com (Aaron)
Date: Sun, 9 Nov 2008 12:00:42 -0500
Subject: [c-nsp] Configuring a channelized STM-1/OC3 SPA as a full STM-1
In-Reply-To: <606542.55093.qm@web26701.mail.ukl.yahoo.com>
References: <606542.55093.qm@web26701.mail.ukl.yahoo.com>
Message-ID: <480dad640811090900q630f6386x79780b39f9f89dec@mail.gmail.com>

Nope.

http://www.cisco.com/en/US/prod/collateral/modules/ps6267/product_data_sheet0900aecd80350c53.html

On Sun, Nov 9, 2008 at 9:24 AM, tt tt wrote:
> Hi All,
>
> Does anyone know if the channelized SPA-1XCHSTM1/OC3 can be configured as a full STM-1 (SDH)? We need to terminate a full STM-1 for around 6 months and then hope to reuse the card for channelized E1 services.
>
> Thanks
>
> Dave
>

From ben.steele at internode.on.net Sun Nov 9 22:57:29 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Mon, 10 Nov 2008 14:27:29 +1030
Subject: [c-nsp] ASA IPS Module - logging sent to email
Message-ID: <000c01c942e8$73eeb740$5bcc25c0$@steele@internode.on.net>

Has anybody setup an IPS module in an ASA to send an email on a triggered event? Just briefly looking through there is no obvious function for it; right now the only way I can think of doing it is by setting it to generate a log based on an event action and then setting up a logging class on the ASA to pick that up and email to the specified address.

Would be interested to hear from anyone currently doing it - Note I don't want everything, I just want to be able to select specific events (ie if I make the action to generate a log for the events concerned to do it then that's fine.)

Cheers

Ben

From p_ambedkar at rediffmail.com Sun Nov 9 23:24:22 2008
From: p_ambedkar at rediffmail.com (ambedkar)
Date: 10 Nov 2008 04:24:22 -0000
Subject: [c-nsp] help: copy run tftp
Message-ID: <20081110042422.23797.qmail@f4mail-235-239.rediffmail.com>

Hi,

First create a file in the linux.

cd /tftp/
touch xyz(filename)
chmod 777 xyz

--------------

in the router:

copy run tftp://ipaddress/xyz

try it.
On Sat, 08 Nov 2008 cisco-nsp-request at puck.nether.net wrote :
>Send cisco-nsp mailing list submissions to
> cisco-nsp at puck.nether.net
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://puck.nether.net/mailman/listinfo/cisco-nsp
>or, via email, send a message with subject or body 'help' to
> cisco-nsp-request at puck.nether.net
>
>You can reach the person managing the list at
> cisco-nsp-owner at puck.nether.net
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of cisco-nsp digest..."
>
>
>Today's Topics:
>
> 1. Re: IP Cef load sharing, quick question (Peter Rathlev)
> 2. Multiple Ethernet links for redundancy (Daniel Lacey)
> 3. Re: Multiple Ethernet links for redundancy (Rinse Kloek)
> 4. Re: Cisco IOS for broadband aggregation (Rinse Kloek)
> 5. Re: Multiple Ethernet links for redundancy (Pete S.)
> 6. Re: Multiple Ethernet links for redundancy (Asad)
> 7. Re: Cisco IOS for broadband aggregation (Paul Stewart)
> 8. Re: help: copy run tftp (Aaron)
> 9. Re: help: copy run tftp (Childs, Aaron)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Fri, 07 Nov 2008 18:32:31 +0100
>From: Peter Rathlev
>Subject: Re: [c-nsp] IP Cef load sharing, quick question
>To: Drew Weaver
>Cc: "'cisco-nsp at puck.nether.net'"
>Message-ID: <1226079151.3474.8.camel at abehat>
>Content-Type: text/plain
>
>On Fri, 2008-11-07 at 08:28 -0500, Drew Weaver wrote:
>> We have a Simple L3 switch (I think it's a 2960G) that we need to do
>> some even simpler fault tolerance and load sharing on.
>
>They're not 2960s, since those are L2 only. Maybe 3560s?
>
>> We were going to connect this switch to 3x switches upstream and then
>> do something like this:
>>
>> ip route 0.0.0.0 0.0.0.0 g0/32 gwip
>> ip route 0.0.0.0 0.0.0.0 g0/33 gwip
>> ip route 0.0.0.0 0.0.0.0 g0/34 gwip
>
>As Steinar mentions, you should use a specific next hop address.
>I assume that the three interfaces are routed ports, or that they use separate VLANs. What's upstream?
>
>> When we were testing we noticed some (well, quite a bit) of strangeness
>> with traceroutes and the like (many multiple hops for the same, hop..
>> etc)
>
>What exactly do you mean with "many multiple hops"? Different answers for multiple requests with the same TTL (same hop in traceroute) is not all that abnormal for multiple paths -- each path is eligible for the traffic, so each next hop router can answer.
>
>The L3 switches (i.e. not software based routers) typically use a hashed load sharing algorithm, resulting in per destination or per source (or a combination) load sharing. They could also include the ports in the hashing, meaning that a traceroute using a different source port per probe would result in different next hops. If this is unwanted, you can change the algorithm to something that doesn't include L4 ports.
>
>> is there a better way to do what we're trying to achieve?
>>
>> We were thinking about maybe doing VRRP on the 3 switches upstream but
>> then we would only be using 1Gbps and the goal is to be able to use "a
>> little more than" 1Gbps.
>
>You _could_ use GLBP as a load sharing enabled equivalent of VRRP. Don't know if your hardware/software supports it though. And equal cost multipath (ECMP) would be my preferred choice if possible.
>
>Regards,
>Peter
>
>
>------------------------------
>
>Message: 2
>Date: Fri, 07 Nov 2008 10:30:23 -0800
>From: Daniel Lacey
>Subject: [c-nsp] Multiple Ethernet links for redundancy
>To: cisco-nsp at puck.nether.net
>Message-ID: <4914893F.7050806 at yahoo.com>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Hi all,
>
>I have a 7206 with two fastethernet port adapters.
>I would like to have both of these run to the 6506 switch.
>
>I need a scenario that would allow one of the links to work if the other goes down.
>This is for redundancy and not for bandwidth issues.
>
>I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>
>Any other suggestions?
>
>Thanks,
>Dan Lacey
>
>
>------------------------------
>
>Message: 3
>Date: Fri, 07 Nov 2008 19:47:35 +0100
>From: Rinse Kloek
>Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
>To: Daniel Lacey
>Cc: Cisco-nsp
>Message-ID: <49148D47.3000808 at isp.solcon.nl>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>One option is to configure both interfaces with the same IP addresses and settings and use the following command on the primary interface:
>
>interface GigabitEthernet0/1
> backup interface GigabitEthernet0/2
> ip address 10.10.10.1 255.255.255.0
>
>interface GigabitEthernet0/2
> ip address 10.10.10.1 255.255.255.0
>
>The GigabitEthernet 0/1 will be up and the GigabitEthernet 0/2 will be standby. If the link on Gi0/1 is going down, Gi0/2 will get up.
>
>regards Rinse
>
>Daniel Lacey wrote:
>> Hi all,
>>
>> I have a 7206 with two fastethernet port adapters.
>> I would like to have both of these run to the 6506 switch.
>>
>> I need a scenario that would allow one of the links to work if the other goes down.
>> This is for redundancy and not for bandwidth issues.
>>
>> I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>>
>> Any other suggestions?
>>
>> Thanks,
>> Dan Lacey
>>
>
>------------------------------
>
>Message: 4
>Date: Fri, 07 Nov 2008 19:51:58 +0100
>From: Rinse Kloek
>Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>To: Paul Stewart
>Cc: 'Cisco-nsp'
>Message-ID: <49148E4E.1070001 at isp.solcon.nl>
>Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
>Do you use 12.2(33)SRC2 in a box as Aggregation Router?
>One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248)
>
>kind regards Rinse
>
>Paul Stewart wrote:
>> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels).
>>
>> On the NPE-1G's we're running the same release with no issues either....
>>
>> Paul
>>
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rinse Kloek
>> Sent: Thursday, November 06, 2008 4:14 PM
>> To: Roddy Strachan
>> Cc: Cisco-nsp
>> Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>>
>> What kind of features do you use with the 7206VXR box? We are also looking to upgrade to 12.2.31SB13 because we have some problems with 12.2(31)SB6.
>>
>> regards Rinse
>>
>> Roddy Strachan wrote:
>>
>>> Ruben,
>>>
>>> Funny you mention it.
>>>
>>> I've just finished an upgrade of a mixture of 7301 and 7206vxr to 12.2(31)SB13.
>>>
>>> Had a 7301 running in production for 1 week, no issues, the LNS seems a lot more stable if you ask me.
>>>
>>> Don't know how the 7206 will go as they have been in production less than an hour :).
>>>
>>> So far so good, no real issues to report.
>>>
>>>
>>> On 7/11/08 8:03 AM, "Ruben Alvarez" wrote:
>>>
>>>> Hi All,
>>>>
>>>> I'm upgrading IOS on my c7206VXR with an npe-300 and:
>>>> UBR7200-I/O-2FE/E
>>>> PA-A3-T3=
>>>> PA-IMA-T1=
>>>> PA-4E=
>>>> I'm currently using 122-28.SB2 and noticed a 122-31.SB. Is anyone using the 12.2(31)SB instead of the 12.2(28)SB? I've been looking online and haven't seen much about it. I assume it's got the same features as (28)? If anyone has any feedback let me know.
>>>>
>>>> Thanks.
>>>>
>>>
>>>
>>
>
>------------------------------
>
>Message: 5
>Date: Fri, 7 Nov 2008 13:56:21 -0500
>From: "Pete S."
>Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
>To: "Daniel Lacey"
>Cc: cisco-nsp at puck.nether.net
>Message-ID: <50f158990811071056i485be057sb4809519cfbce6c5 at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>You can make each port a routed interface (/30 or /31) to the 6500. Control the failover/load balancing with your IGP.
>
>--Pete
>
>On Fri, Nov 7, 2008 at 1:30 PM, Daniel Lacey wrote:
>
>> Hi all,
>>
>> I have a 7206 with two fastethernet port adapters.
>> I would like to have both of these run to the 6506 switch.
>>
>> I need a scenario that would allow one of the links to work if the other goes down.
>> This is for redundancy and not for bandwidth issues.
>>
>> I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>>
>> Any other suggestions?
>>
>> Thanks,
>> Dan Lacey
>>
>
>------------------------------
>
>Message: 6
>Date: Fri, 7 Nov 2008 19:00:49 +0000
>From: "Asad"
>Subject: Re: [c-nsp] Multiple Ethernet links for redundancy
>To: "Daniel Lacey" , cisco-nsp-bounces at puck.nether.net, cisco-nsp at puck.nether.net
>Message-ID: <623938200-1226084442-cardhu_decombobulator_blackberry.rim.net-1922886597-@bxe125.bisx.prod.on.blackberry>
>Content-Type: text/plain
>
>You can try a port-channel and add both interfaces to bundle. This would provide redundancy + more BW.
>
>Asad
>Sent from my Verizon Wireless BlackBerry
>
>-----Original Message-----
>From: Daniel Lacey
>Date: Fri, 07 Nov 2008 10:30:23
>To:
>Subject: [c-nsp] Multiple Ethernet links for redundancy
>
>Hi all,
>
>I have a 7206 with two fastethernet port adapters.
>I would like to have both of these run to the 6506 switch.
>
>I need a scenario that would allow one of the links to work if the other goes down.
>This is for redundancy and not for bandwidth issues.
>
>I was wondering if it is possible (or desirable) to make them a Multilink bundle?
>
>Any other suggestions?
>
>Thanks,
>Dan Lacey
>
>
>------------------------------
>
>Message: 7
>Date: Fri, 7 Nov 2008 14:09:18 -0500
>From: "Paul Stewart"
>Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>To: "'Rinse Kloek'"
>Cc: 'Cisco-nsp'
>Message-ID: <000001c9410c$569d9270$03d8b750$@org>
>Content-Type: text/plain; charset="us-ascii"
>
>Yes, that's correct - LAC/LNS
>
>We don't run Netflow off that box in particular (we do in our core 7600's though) so haven't come across that bug yet ;)
>
>Paul
>
>
>-----Original Message-----
>From: Rinse Kloek [mailto:rinse.kloek at isp.solcon.nl]
>Sent: Friday, November 07, 2008 1:52 PM
>To: Paul Stewart
>Cc: 'Roddy Strachan'; 'Cisco-nsp'
>Subject: Re: [c-nsp] Cisco IOS for broadband aggregation
>
>Do you use 12.2(33)SRC2 in a box as Aggregation Router?
>One bug we discovered was a Netflow bug which resulted in crashes (CSCsu87248)
>
>kind regards Rinse
>
>Paul Stewart wrote:
>> We're running 12.2(33)SRC2 on NPE-2G's with no real issues - we were very brave and ran some 12.4T code for a while and had a major issue every 3-4 weeks that required a reboot (inbound sessions would just stop coming in pretty much via l2tp tunnels).
>>
>> On the NPE-1G's we're running the same release with no issues either....
>>
>> Paul
>>
>
>------------------------------
>
>Message: 8
>Date: Fri, 7 Nov 2008 15:57:05 -0500
>From: Aaron
>Subject: Re: [c-nsp] help: copy run tftp
>To: Garry
>Cc: cisco-nsp at puck.nether.net
>Message-ID: <480dad640811071257k761564e0n26f9066903048f7c at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>Create the file in your tftp dir using touch...
>touch
>then
>chmod 777
>Then you should be good to go
>
>Note that this file is world readable and writable..
>
>Aaron
>
>On Fri, Nov 7, 2008 at 8:06 AM, Garry wrote:
>
>> adrian kok wrote:
>>> router#copy running-config tftp
>>> Address or name of remote host []? 192.168.0.3
>>> Destination filename [router-confg]?
>>> TFTP: error code 1 received - File not found
>>>
>> Did you allow the TFTP-Clients to create new files? If not, you will have to create the file first with sufficient rights for the TFTP-Server to overwrite, then copy again.
>>
>>
>> -garry
>>
>
>------------------------------
>
>Message: 9
>Date: Fri, 7 Nov 2008 16:54:59 -0500
>From: "Childs, Aaron"
>Subject: Re: [c-nsp] help: copy run tftp
>To: adrian kok , "cisco-nsp at puck.nether.net"
>Message-ID: <3760B7E1B344364AA0384B231FE7BA6915787FC7 at ex-be1.ads.wsc.ma.edu>
>Content-Type: text/plain; charset="us-ascii"
>
>Hi Adrian,
> Add -c to the server_args. This will allow the tftp clients to create the file.
>
>Aaron
>-----------
>Aaron Childs
>Assistant Director, Networking
>Westfield State College
>http://www.wsc.ma.edu/it/
>________________________________________
>From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of adrian kok [adriankok2000 at yahoo.com.hk]
>Sent: Friday, November 07, 2008 7:52 AM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] help: copy run tftp
>
>Hi
>
>I installed a tftp server in linux and it is running
>
>router#copy running-config tftp
>Address or name of remote host []? 192.168.0.3
>Destination filename [router-confg]?
>.....
>%Error opening tftp://192.168.0.3/router-confg (Timed out)
>
>After checking the tftp server in 192.168.0.3, I fixed it to allow the router to connect.
>
>but when I run the command a second time, it is another error
>
>it shows the file not found! why?
>
>router#copy running-config tftp
>Address or name of remote host []? 192.168.0.3
>Destination filename [router-confg]?
>TFTP: error code 1 received - File not found
>
>Thank you
>
>
>------------------------------
>
>_______________________________________________
>cisco-nsp mailing list
>cisco-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>
>End of cisco-nsp Digest, Vol 72, Issue 31
>*****************************************

From vikassharmas at gmail.com Sun Nov 9 23:35:12 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Mon, 10 Nov 2008 10:05:12 +0530
Subject: [c-nsp] same mac address on two linecards on 7600
Message-ID:

Hi,

in 7600 and 6500 router I can see both interfaces have the same mac address. Ideally it should be different. Can anyone explain me? Or can I use (hardcode) a different mac address? what will be the impact?
rtr1#
GigabitEthernet7/1 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is *0021.5693.b800 (bia 0021.5693.b800)*
  Description: MPS GE CR2.ZRH ZRH/ZRH/LE-089348 // Uplink to sw10.ZRH Gi1/0/12
  Internet address is 212.74.70.7/31
  MTU 1512 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Carrier delay is 8 msec
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 00:20:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/87/87 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 351000 bits/sec, 207 packets/sec
  5 minute output rate 844000 bits/sec, 483 packets/sec
  L2 Switched: ucast: 28994052 pkt, 4799234912 bytes - mcast: 8010577 pkt, 3281624827 bytes
  L3 in Switched: ucast: 630901927 pkt, 136197265827 bytes - mcast: 0 pkt, 0 bytes mcast

rtr2#sh inter gi7/13
GigabitEthernet7/13 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is *0021.5693.b800 (bia 0021.5693.b800)*
  Description: MCL GE mas1.ZRH // x-link
  Internet address is 212.74.70.205/31
  MTU 1512 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Carrier delay is 8 msec
  Full-duplex, 1000Mb/s, media type is LH
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5000 bits/sec, 1 packets/sec
  5 minute output rate 6000 bits/sec, 1 packets/sec
  L2 Switched: ucast: 189399 pkt, 14697171 bytes - mcast: 6751962 pkt, 1745903975 bytes
  L3 in Switched: ucast: 1174 pkt, 189859 bytes - mcast: 0 pkt, 0 bytes mcast

Regards,
Vikas Sharma

From oboehmer at cisco.com Mon Nov 10 00:52:10 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 10 Nov 2008 06:52:10 +0100
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>

Vikas Sharma wrote on Monday, November 10, 2008 05:35:
> Hi,
>
> in 7600 and 6500 router I can see both interfaces have the same mac
> address. Ideally it should be different. Can anyone explain me? Or
> can I use (hardcode) a different mac address? what will be the impact?

All L3 interfaces (both routed ports and SVIs) use the same MAC address on this platform, see http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a00801c9b4e.shtml. There is nothing wrong with this, all of the interfaces are (by definition) in different broadcast domains. You can change the mac if you want/need (using the mac-address interface command) on the Sup720..

oli

From md at bts.sk Mon Nov 10 03:36:33 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Mon, 10 Nov 2008 09:36:33 +0100
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com>
Message-ID: <20081110082924.M63572@bts.sk>

On Mon, 10 Nov 2008 06:52:10 +0100, Oliver Boehmer (oboehmer) wrote
> All L3 interfaces (both routed ports and SVIs) use the same MAC address
> on this platform.
> There is nothing wrong with this, all of the interfaces are (by definition) in
> different broadcast domains. You can change the mac if you want/need (using
> mac-address interface command) on the Sup720..
Surprisingly, some IOS features still can't cope with this design. As an example:

#traceroute mac ip a.b.c.d u.v.x.y
Source ip a.b.c.d error. Mac found on multiple vlans.
Layer2 trace aborted.

With kind regards,

M.

From wyatt.eliasson at gmail.com Mon Nov 10 03:55:45 2008
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Mon, 10 Nov 2008 09:55:45 +0100
Subject: [c-nsp] Ip unnumbered on 3750
Message-ID: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>

Hi All

I was playing around with an ip unnumbered config for our Dist-layer. I got a working config on a 3560, ie

int loopback 10
 ip address x.x.x.x y.y.y.y

Vlan x
 ip unnumbered loopback 10

Vlan x1
 ip unnumbered loopback 10

Vlan x2
 ip unnumbered loopback 10

The same won't work on 3750, which gives the following when inputting the "ip unnumbered" command.

Point-to-point (non-multi-access) interfaces only

My question is, is there a work around for this or will 3750 never support "ip unnumbered" on multi-access interfaces?

Best regards
Mattias Gyllenvarg
Omnitron

From vinzoda.hitesh at gmail.com Mon Nov 10 05:13:16 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 02:13:16 -0800
Subject: [c-nsp] Multicast issue
Message-ID:

Hi all,

I had configured multicast in my lan using sparse-dense mode. RP and group are defined statically on each L3 switch. I'm receiving the multicast beyond all L3's except ones running HSRP.
Any ideas guyz Regards Hitesh Vinzoda From tedm at toybox.placo.com Mon Nov 10 05:18:32 2008 From: tedm at toybox.placo.com (Ted Mittelstaedt) Date: Mon, 10 Nov 2008 02:18:32 -0800 Subject: [c-nsp] c3660: Utterly baffled by ROMs In-Reply-To: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com> Message-ID: > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Nicholas Linn > Sent: Saturday, November 08, 2008 11:19 AM > To: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] c3660: Utterly baffled by ROMs > > > Ted, > > Oh I have an image and it runs fine, to a degree. I had upgraded > the flash memory in the unit and since I am working on a bit of a budget I > got cheaper after market stuff. The problem is that my boot rom > doesn't see > the flash properly. So in order to run the correct image, I have to first > boot a smaller image from a PCMCIA card, at which point the flash > can now be > seen, from there I need to do a "reload warm file xxxxxxxxx.bin" > in order to > boot the image I really want. In the end I am wasting about 12 > megs on the > PCMCIA card for the second image, that could be put to far better use. I > have been assured by the seller that the latest boot rom will see > the flash > properly also having a tftp client from rommon would be nice too which I > understand some of the newer versions have. > > I can find the boot-3600= (for the 3620 and 3640) in many places so > I don't think my question is unreasonable. > OK I understand now. What you want is a "rommon" upgrade. Unfortunately it's rather brutal on COO to find these after Cisco reorganized things. The "textbook" way to find it would be to go to: http://www.cisco.com click Support->Download Software->Router Software-> then go down to Cisco 3600 Series Multiservice Platforms, click the + to the left to expand, then click Cisco 3661 Multiservice Platform. 
IF a rommon upgrade was available, it would show as "IOS ROMMON Software". To do this as I mentioned you must have a login which you get when you buy that service contract.

If an IOS ROMMON Software link does NOT show - which incidentally is the case for the majority of Cisco routers - then you CANNOT download rommon code. You -must- open a TAC case and if your rommon has the capability of being flashed then TAC will send it to you. BUT, many of the older Cisco routers DID NOT have this capability, you HAD to buy the rom chips from Cisco.

Unfortunately, as I have NOT had experience with the 3661 I cannot tell you if its rommon chip is user-flashable. You will have to contact TAC at Cisco to proceed further.

Ted

From fropert at packetfault.org Mon Nov 10 05:30:19 2008
From: fropert at packetfault.org (Francois ROPERT)
Date: Mon, 10 Nov 2008 11:30:19 +0100
Subject: [c-nsp] Multicast issue
In-Reply-To:
References:
Message-ID: <49180D3B.4090206@packetfault.org>

Hitesh Vinzoda wrote:
> Hi all,

Hi Hitesh

>
> I had configured multicast in my lan using sparse-dense mode. RP and group
> is defined statically on each L3 switches. I'm receiving the multicast
> beyond all L3's except ones running HSRP.
> > Any ideas guyz http://www.cisco.com/en/US/tech/tk828/technologies_tech_note09186a0080094aab.shtml Regards, -- Francois http://blog.packetfault.org From vinzoda.hitesh at gmail.com Mon Nov 10 06:39:37 2008 From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda) Date: Mon, 10 Nov 2008 03:39:37 -0800 Subject: [c-nsp] Fwd: Delivery Status Notification (Failure) In-Reply-To: <000e0cd2bd28cfc82a045b52d9a2@googlemail.com> References: <000e0cd2bd28cfc82a045b52d9a2@googlemail.com> Message-ID: ---------- Forwarded message ---------- From: Mail Delivery Subsystem Date: Nov 10, 2008 2:01 AM Subject: Delivery Status Notification (Failure) To: vinzoda.hitesh at gmail.com This is an automatically generated Delivery Status Notification Delivery to the following recipient failed permanently: ciso-nsp at puck.nether.net Technical details of permanent failure: Google tried to deliver your message, but it was rejected by the recipient domain. We recommend contacting the other email provider for further information about the cause of this error. The error that the other server returned was: 550 550 5.1.1 ... User unknown (state 14). ----- Original message ----- Received: by 10.141.115.6 with SMTP id s6mr3480514rvm.58.1226311300539; Mon, 10 Nov 2008 02:01:40 -0800 (PST) Received: by 10.141.198.17 with HTTP; Mon, 10 Nov 2008 02:01:40 -0800 (PST) Message-ID: Date: Mon, 10 Nov 2008 02:01:40 -0800 From: "Hitesh Vinzoda" To: ciso-nsp at puck.nether.net Subject: Cisco ASA 5510 VPN problem MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_Part_47910_25183294.1226311300543" ------=_Part_47910_25183294.1226311300543 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline i have a cisco ASA 5510 and i had configured remote access VPN on it. but for some reason i m not able to ping inside interface from VPN although i get connected everytime i tried. please advice. 
Also, ----- Message truncated ----- From achatz at forthnet.gr Mon Nov 10 08:41:28 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Mon, 10 Nov 2008 15:41:28 +0200 Subject: [c-nsp] same mac address on two linecards on 7600 In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> Message-ID: <49183A08.20209@forthnet.gr> If i understand correctly, i think Vikas is referring to two linecards (on different chassis) sharing a common mac. -- Tassos Oliver Boehmer (oboehmer) wrote on 10/11/2008 07:52: > Vikas Sharma wrote on Monday, November > 10, 2008 05:35: > >> Hi, >> >> in 7600 and 6500 router I can see both interfaces have the sme mac >> address. Ideally it should be different. Can anyone explain me? Or >> can I use (hardcode) different mac address? what will be the impact? > > All L3 interfaces (both routed ports and SVIs) use the same MAC address > on this platform, see > http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note > 09186a00801c9b4e.shtml. There is nothing wrong with this, all of the > interfaces are (by definition) in different broadcast domains. You can > change the mac if you want/need (using mac-address interface command) on > the Sup720.. 
> > oli > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Mon Nov 10 09:09:00 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 10 Nov 2008 14:09:00 +0000 Subject: [c-nsp] same mac address on two linecards on 7600 In-Reply-To: <49183A08.20209@forthnet.gr> References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr> Message-ID: <4918407C.9010105@imperial.ac.uk> Tassos Chatzithomaoglou wrote: > If i understand correctly, i think Vikas is referring to two linecards > (on different chassis) sharing a common mac. Yes, but look what he pasted as the output: GigabitEthernet7/1 is up, line protocol is up (connected) Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800 Internet address is 212.74.70.7/31 GigabitEthernet7/13 is up, line protocol is up (connected) Hardware is C6k 1000Mb 802.3, address is 0021.5693.b800 Internet address is 212.74.70.205/31 i.e. they're in layer3 routed mode, and thus they inherit the MAC address of the MSFC (as the MSFC might have to receive packets, and the MSFC has a limited-size MAC filter) If you set them back to be "switchport" they'll go back to having a per-port MAC address; I've just done this on our test chassis: core-spare#sh int g9/10 | inc address Hardware is C6k 1000Mb 802.3, address is 0015.2cbf.1000 (bia 0015.2cbf.1000) core-spare#conf t Enter configuration commands, one per line. End with CNTL/Z. 
core-spare(config)#int g9/10
core-spare(config-if)#sw
core-spare(config-if)#switchport
core-spare(config-if)#^Z
core-spare#sh int g9/10 | inc address
  Hardware is C6k 1000Mb 802.3, address is 0021.55d7.558d (bia 0021.55d7.558d)

From p.mayers at imperial.ac.uk Mon Nov 10 09:10:36 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 10 Nov 2008 14:10:36 +0000
Subject: [c-nsp] same mac address on two linecards on 7600
In-Reply-To: <4918407C.9010105@imperial.ac.uk>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr> <4918407C.9010105@imperial.ac.uk>
Message-ID: <491840DC.8040400@imperial.ac.uk>

Phil Mayers wrote:
> Tassos Chatzithomaoglou wrote:
>> If i understand correctly, i think Vikas is referring to two linecards
>> (on different chassis) sharing a common mac.

Oops sorry for the noise - yes you're right:

rtr1#
GigabitEthernet7/1 ...

rtr2#
GigabitEthernet7/13 ...

I don't know why that would happen unless the MSFCs have the same MAC address.

From achatz at forthnet.gr Mon Nov 10 10:14:45 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Mon, 10 Nov 2008 17:14:45 +0200
Subject: [c-nsp] Ip unnumbered on 3750
In-Reply-To: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>
References: <994752fe0811100055q33d99e05ved0cd67d362d590a@mail.gmail.com>
Message-ID: <49184FE5.80101@forthnet.gr>

According to http://www.cisco.com/en/US/tech/tk648/tk362/technologies_tech_note09186a0080094e8d.shtml:

"remember that the ip unnumbered command works on point-to-point interfaces only"

On latest IOS it works on ethernet subifs too. So the above statement is not totally correct.

In your case, it's strange that 3560 accepts it, while 3750 rejects it. Are they using the same IOS?

Under 12.2(44)SE2, it gets accepted, but you get the following warning:

Warning: dynamic routing protocols will not work on non-point-to-point interfaces with IP unnumbered configured.
-- Tassos Wyatt Mattias Gyllenvarg wrote on 10/11/2008 10:55: > Hi All > > I was playing around with an ip unnumbered config for our Dist-layer. > > I got a working config on a 3560 ie > > int loopback 10 > ip address x.x.x.x y.y.y.y > > Vlan x > ip unnumbered loopback 10 > > Vlan x1 > ip unnumbered loopback 10 > > Vlan x2 > ip unnumbered loopback 10 > > The same wont work on 3750 which gives the following when inputing the > "ip unnumbered" command. > > Point-to-point (non-multi-access) interfaces only > > My question is, is there a work around for this or will 3750 never > support "ip unnumbered" on multi-access interfaces? > > Best regards > Mattias Gyllenvarg > Omnitron > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From rakeshh at gmail.com Mon Nov 10 10:44:31 2008 From: rakeshh at gmail.com (Rakesh Hegde) Date: Mon, 10 Nov 2008 09:44:31 -0600 Subject: [c-nsp] same mac address on two linecards on 7600 In-Reply-To: <491840DC.8040400@imperial.ac.uk> References: <70B7A1CCBFA5C649BD562B6D9F7ED78406570334@xmb-ams-333.emea.cisco.com> <49183A08.20209@forthnet.gr> <4918407C.9010105@imperial.ac.uk> <491840DC.8040400@imperial.ac.uk> Message-ID: <8a4649bb0811100744s52d6946dt683b91c48556f46c@mail.gmail.com> One of the scenarios where you would change the MAC address is when connecting two vrfs using a transparent firewall. -Rakesh. On Mon, Nov 10, 2008 at 8:10 AM, Phil Mayers wrote: > Phil Mayers wrote: > >> Tassos Chatzithomaoglou wrote: >> >>> If i understand correctly, i think Vikas is referring to two linecards >>> (on different chassis) sharing a common mac. >>> >> > Oops sorry for the noise - yes you're right: > > rtr1# > GigabitEthernet7/1 ... > rtr2# > GigabitEthernet7/13 ... > > I don't know why that would happen unless the MSFCs have the same MAC > address. 
> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pete at bytemark.co.uk Mon Nov 10 10:04:28 2008 From: pete at bytemark.co.uk (Peter Taphouse) Date: Mon, 10 Nov 2008 15:04:28 +0000 Subject: [c-nsp] OIR in 6500/7600 Message-ID: <49184D7C.4010109@bytemark.co.uk> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, I've got a couple of new line cards that I would like to stick in a production 7606. When these were in the lab I tried OIR with decent success, but now the routers are production I'm a bit nervous of doing an OIR on these. - From what I've read there are the three pins that cause the bus stall and recovery, and fairly frequently the reload. If I were to "no power enable module X" for the appropriate slot, will this allow me to insert the card without having to worry about the bus stall and potential reload, or are those pins powered/effective regardless of the state of power to a particular slot? Does anyone have any useful advice/experience with adding new modules to 6500/7600s? Cheers, - -- Peter Taphouse Bytemark Hosting http://www.bytemark.co.uk/ tel. 
+44 (0) 845 004 3 004 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJGE18IAZ7OKeBB58RAqmPAKCjTnuvqdtkmjyrb6ov+MaEsg06vgCeKBdp dGZ6DwIOXO5C2c9LkbDbI90= =xECC -----END PGP SIGNATURE----- From gert at greenie.muc.de Mon Nov 10 11:04:01 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 10 Nov 2008 17:04:01 +0100 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <49184D7C.4010109@bytemark.co.uk> References: <49184D7C.4010109@bytemark.co.uk> Message-ID: <20081110160401.GM8535@greenie.muc.de> Hi, On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote: > - From what I've read there are the three pins that cause the bus stall > and recovery, and fairly frequently the reload. Sounds more like 7500 to me. I've never had any issues OIRing modules into a 6500/7600. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 304 bytes Desc: not available URL: From peter at rathlev.dk Mon Nov 10 11:24:57 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Mon, 10 Nov 2008 17:24:57 +0100 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <20081110160401.GM8535@greenie.muc.de> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> Message-ID: <1226334297.21668.78.camel@abehat> On Mon, 2008-11-10 at 17:04 +0100, Gert Doering wrote: > On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote: > > - From what I've read there are the three pins that cause the bus stall > > and recovery, and fairly frequently the reload. > > Sounds more like 7500 to me. > > I've never had any issues OIRing modules into a 6500/7600. 
We recently removed some LAN cards from two 6500s running SXF and it wasn't totally without issues.

We removed the cards from the two boxes at the same time, and strangely they lost their IS-IS adjacency (with each other) because of BFD timeouts. (The interfaces are configured with "bfd interval 100 min_rx 100 multiplier 3".)

Furthermore, one of them made all iBGP neighbors say:

%TCP-6-BADAUTH: Invalid MD5 digest from (22964) to (179) (RST)

several times, though no BGP sessions were torn down by this. (?)

This was a POP currently not in production, so I don't know if any traffic forwarding would be disturbed by this.

Regards,
Peter

From rakeshh at gmail.com Mon Nov 10 11:41:25 2008
From: rakeshh at gmail.com (Rakesh Hegde)
Date: Mon, 10 Nov 2008 10:41:25 -0600
Subject: [c-nsp] Multiple Ethernet links for redundancy
In-Reply-To: <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>
References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com> <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com>
Message-ID: <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com>

AFAIK, 720x doesn't support PAGP/LACP. It relies on ethernet keepalives (type 0x9000) sent every 10 secs to add/remove interfaces to the bundle.

Does anybody know what kind of etherchannel load sharing algorithm 720xs use ?

-Rakesh.

On Sat, Nov 8, 2008 at 1:13 PM, Mario Spinthiras wrote:
> thats very true. If you rely on etherchanneling then you are effectively
> relying on lower layer redundancy. If you go higher , then you rely on the
> normal operation of L3 , etc...
>
> Regards,
> Mario A.
Spinthiras > http://www.spinthiras.net/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From cmadams at hiwaay.net Mon Nov 10 11:45:46 2008 From: cmadams at hiwaay.net (Chris Adams) Date: Mon, 10 Nov 2008 10:45:46 -0600 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <20081110160401.GM8535@greenie.muc.de> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> Message-ID: <20081110164546.GD1450261@hiwaay.net> Once upon a time, Gert Doering said: > On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote: > > - From what I've read there are the three pins that cause the bus stall > > and recovery, and fairly frequently the reload. > > Sounds more like 7500 to me. Yeah, on the 7500 OIR = "Online Insert and Reboot". -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. From damin at nacs.net Mon Nov 10 11:05:03 2008 From: damin at nacs.net (Gregory Boehnlein) Date: Mon, 10 Nov 2008 11:05:03 -0500 Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness Message-ID: <091101c9434e$17309620$4591c260$@net> Hello, Over the weekend, we updated one of our 7513s from 12.2.25S12 to the 12.2.25S15. The driver behind this was service policies used for LLQ dropping from interfaces, causing all sorts of havoc w/ our voice prioritization. The thought was that moving to the more current issue would address this. It did not. We also noticed something else odd. We have three multilink bundles on this router, and have had them configured to use "ip route-cache distributed" for over a year. We haven't had any problems w/ this until rebooting into the S15 image. Of the three bundles, Mu1 is the only one that seems to work w/ dcef. Mu2 and Mu3 have had to be set w/ CEF disabled to route properly. 
The symptoms are that from the router you can ping the other sides of Mu2 and Mu3, but no external routing is possible. The interface stats show packets being dropped on the output buffer.. which is weird, until we disable CEF for those interfaces.. then everything starts working properly, and the stats show Processor Switching.

Am I missing something? Or is there an issue w/ S15 / Dcef / Multilink and IP Unnumbered to a loopback?

core-ar1#show interfaces mu1 stats
Multilink1
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
            Processor          0          0          0          0
          Route cache     377309  104869674          0          0
    Distributed cache          0          0     459932  500579863
                Total     377309  104869674     459932  500579863

core-ar1#show interfaces mu2 stats
Multilink2
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
            Processor        212      12247    1339852  487984693
          Route cache    1837532 2064076461          0          0
    Distributed cache          0          0          0          0
                Total    1837744 2064088708    1339852  487984693

core-ar1#show interfaces mu3 stats
Multilink3
          Switch path    Pkts In   Chars In   Pkts Out  Chars Out
            Processor         18       1640    1068371 1264449182
          Route cache     701359   67160511          0          0
    Distributed cache          0          0          0          0
                Total     701377   67162151    1068371 1264449182

interface Multilink1
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 2
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 1
 no clns route-cache
end

interface Multilink2
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 3
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 2
 no clns route-cache
end

interface Multilink3
 ip unnumbered Loopback0
 no cdp enable
 ppp multilink
 ppp multilink interleave
 multilink max-links 2
 multilink min-links 1
 multilink load-threshold 1 either
 no ppp multilink fragmentation
 multilink-group 3
 no clns route-cache
end

From swmike at swm.pp.se Mon Nov 10 11:47:21 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 10 Nov 2008
17:47:21 +0100 (CET) Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <1226334297.21668.78.camel@abehat> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> Message-ID: On Mon, 10 Nov 2008, Peter Rathlev wrote: > We recently removed some LAN cards from two 6500s running SXF and it > wasn't totally without issues. > > We removed the cards from the two boxes at the same time, and strangely > they lost their IS-IS adjacency (with each other) because of BFD > timeouts. (The interfaces are configured with "bfd interval 100 min_rx > 100 multiplier 3".) As far as I know, bfd timers so low aren't supported in SXF, you have to go to SRB to get those. -- Mikael Abrahamsson email: swmike at swm.pp.se From swmike at swm.pp.se Mon Nov 10 11:49:08 2008 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Mon, 10 Nov 2008 17:49:08 +0100 (CET) Subject: [c-nsp] Multiple Ethernet links for redundancy In-Reply-To: <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com> References: <4914893F.7050806@yahoo.com> <4f890e580811071826s1b523720j47a5ef3b878eabf9@mail.gmail.com> <20081108175140.GA12497@panix.com> <4f890e580811081113s4fc884a5y8607518f600c264f@mail.gmail.com> <8a4649bb0811100841k3445012aoda7e1a9edfaa60ae@mail.gmail.com> Message-ID: On Mon, 10 Nov 2008, Rakesh Hegde wrote: > Does anybody know what kind of ethercahnnel load sharing algorithm 720xs > use ? It uses some kind of destination IP algorithm or alike, it doesn't do L4 anyway. I have a document somewhere that I received after a prolonged TAC case regarding etherchannel load sharing on 7200 and 7500. If it's of interest, email me offline and I'll look into it tomorrow. 
-- Mikael Abrahamsson email: swmike at swm.pp.se From paul at paulstewart.org Mon Nov 10 11:49:07 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 10 Nov 2008 11:49:07 -0500 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <20081110164546.GD1450261@hiwaay.net> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <20081110164546.GD1450261@hiwaay.net> Message-ID: <002a01c94354$3fce7a60$bf6b6f20$@org> Heheehe.... that's quite true on the 7500's.. For the 6500/7600 the only issue we've ever had is "bus stalls" when the card isn't quite seeded quickly enough or not seeded correctly and still making contact. Don't be afraid to push those cards in with a *little* bit of force to ensure they are seeded..;) Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Chris Adams Sent: November 10, 2008 11:46 AM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] OIR in 6500/7600 Once upon a time, Gert Doering said: > On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote: > > - From what I've read there are the three pins that cause the bus stall > > and recovery, and fairly frequently the reload. > > Sounds more like 7500 to me. Yeah, on the 7500 OIR = "Online Insert and Reboot". -- Chris Adams Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble. 
_______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From achatz at forthnet.gr Mon Nov 10 11:50:34 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Mon, 10 Nov 2008 18:50:34 +0200 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <49184D7C.4010109@bytemark.co.uk> References: <49184D7C.4010109@bytemark.co.uk> Message-ID: <4918665A.2070101@forthnet.gr> The 6500/7600 chassis has three pins in each slot that during insertion get connected one by one (larger to smaller) to the module. The first one starts the bus stall and the last one stops the bus stall. I had problems when inserting too slowly the modules (the bus stall was lasting for more time). You just need to find the right speed. Keep in mimd that DFC equipped modules do not have this problem. According to Cisco: "The addition of a DFC module effectively disconnects a module from the Data Bus. As such, a DFC-enabled module is not subject to the bus stall mechanism that occurs when a module is inserted or removed from the chassis. Throughout these Online Insertion and Removal (OIR) events, the Data Bus is temporarily paused for just enough time to ensure that the insertion/removal process does not cause any data corruption on the backplane. This protection mechanism causes a very brief amount of packet loss (sub-second, but dependent on the time it takes to fully insert a module). A module with a DFC onboard is not directly affected by this stall mechanism and does not have any packet loss on OIR." -- Tassos Peter Taphouse wrote on 10/11/2008 17:04: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > I've got a couple of new line cards that I would like to stick in a > production 7606. When these were in the lab I tried OIR with decent > success, but now the routers are production I'm a bit nervous of doing > an OIR on these. 
> > - From what I've read there are the three pins that cause the bus stall > and recovery, and fairly frequently the reload. If I were to "no power > enable module X" for the appropriate slot, will this allow me to insert > the card without having to worry about the bus stall and potential > reload, or are those pins powered/effective regardless of the state of > power to a particular slot? > > Does anyone have any useful advice/experience with adding new modules to > 6500/7600s? > > Cheers, > > - -- > Peter Taphouse > > Bytemark Hosting > http://www.bytemark.co.uk/ > tel. +44 (0) 845 004 3 004 > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.6 (GNU/Linux) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org > > iD8DBQFJGE18IAZ7OKeBB58RAqmPAKCjTnuvqdtkmjyrb6ov+MaEsg06vgCeKBdp > dGZ6DwIOXO5C2c9LkbDbI90= > =xECC > -----END PGP SIGNATURE----- > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From p.mayers at imperial.ac.uk Mon Nov 10 11:57:58 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 10 Nov 2008 16:57:58 +0000 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <20081110160401.GM8535@greenie.muc.de> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> Message-ID: <49186816.4070203@imperial.ac.uk> Gert Doering wrote: > Hi, > > On Mon, Nov 10, 2008 at 03:04:28PM +0000, Peter Taphouse wrote: >> - From what I've read there are the three pins that cause the bus stall >> and recovery, and fairly frequently the reload. > > Sounds more like 7500 to me. > > I've never had any issues OIRing modules into a 6500/7600. Likewise, we've had no problems. 
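Peter Rathlev's report earlier in this thread, a burst of %TCP-6-BADAUTH messages from every iBGP neighbour while cards were being pulled, is the kind of event better triaged from syslog than by eye. The following is an added example and not code from any of the posters: a small Python parser for the IOS TCP-6-BADAUTH message that counts rejected segments per source, destination and port, records whether every rejected segment was an RST, and separates configured BGP peers from sources that are not neighbours at all. The log lines, the peer addresses (RFC 5737 documentation ranges) and the `CONFIGURED_PEERS` set are constructed for this example; the original post did not include addresses.

```python
import re
from collections import Counter

# Pattern for the IOS message quoted in the thread, e.g.
#   %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.1(22964) to 192.0.2.2(179) (RST)
# The trailing TCP flag group such as "(RST)" is optional; the reason phrase
# is captured verbatim rather than enumerated.
BADAUTH_RE = re.compile(
    r"%TCP-6-BADAUTH: (?P<reason>.+?) from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) to "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\)"
    r"(?: \((?P<flags>[A-Z|,]+)\))?"
)

# Constructed sample log. Addresses are RFC 5737 documentation ranges and
# are not values from the original post (which had none).
SAMPLE_LOG = """\
Nov 10 16:21:03.120: %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.1(22964) to 192.0.2.2(179) (RST)
Nov 10 16:21:03.121: %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.1(22964) to 192.0.2.2(179) (RST)
Nov 10 16:21:04.001: %TCP-6-BADAUTH: Invalid MD5 digest from 198.51.100.7(40012) to 192.0.2.2(179)
Nov 10 16:21:05.310: %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
Nov 10 16:21:07.555: %TCP-6-BADAUTH: Invalid MD5 digest from 192.0.2.1(22964) to 192.0.2.2(179) (RST)
Nov 10 16:21:09.000: %TCP-6-BADAUTH: No MD5 digest from 203.0.113.9(51000) to 192.0.2.2(179)
"""

# Hypothetical set of configured iBGP neighbours for this example.
CONFIGURED_PEERS = {"192.0.2.1"}


def parse_badauth(line):
    """Return a dict for a %TCP-6-BADAUTH line, or None for any other line."""
    m = BADAUTH_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["sport"] = int(ev["sport"])
    ev["dport"] = int(ev["dport"])
    return ev


def triage_badauth(lines, configured_peers):
    """Aggregate BADAUTH events per (src, dst, dport) and classify each source.

    A configured peer failing the digest check is usually a key mismatch or a
    transient around a maintenance event; an unknown source reaching the BGP
    port is the case that deserves a closer look at edge filtering.
    """
    counts = Counter()
    all_rst = {}
    for line in lines:
        ev = parse_badauth(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"], ev["dport"])
        counts[key] += 1
        all_rst[key] = all_rst.get(key, True) and ev["flags"] == "RST"

    findings = []
    for (src, dst, dport), n in sorted(counts.items()):
        findings.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "count": n,
            "all_rst": all_rst[(src, dst, dport)],
            "verdict": "configured-peer" if src in configured_peers else "unknown-source",
        })
    return findings


if __name__ == "__main__":
    for f in triage_badauth(SAMPLE_LOG.splitlines(), CONFIGURED_PEERS):
        print(f"{f['src']:>15} -> {f['dst']}:{f['dport']}  n={f['count']}  "
              f"all_rst={f['all_rst']}  {f['verdict']}")
```

The `all_rst` flag is the interesting bit for the case in this thread: TCP MD5 signatures (RFC 2385) exist to discard segments, RSTs included, whose digest does not verify, which is why the sessions Peter describes stayed up despite the messages. A short burst of rejected RSTs from a configured peer around a maintenance event is consistent with that design working as intended; repeated BADAUTH from an address that is not a configured neighbour means something other than a peer is reaching port 179 and is worth investigating.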
From peter at rathlev.dk Mon Nov 10 12:03:06 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Nov 2008 18:03:06 +0100
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To:
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat>
Message-ID: <1226336586.26527.2.camel@abehat>

On Mon, 2008-11-10 at 17:47 +0100, Mikael Abrahamsson wrote:
> As far as I know, bfd timers so low aren't supported in SXF, you have to
> go to SRB to get those.

Hmm... can you point to where this would be stated? The "IP Routing Protocol-Independent Commands" doesn't state any minimum for 12.2SX, just the 50 msec configurable minimum.

Regards,
Peter

From swmike at swm.pp.se Mon Nov 10 12:18:14 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Mon, 10 Nov 2008 18:18:14 +0100 (CET)
Subject: [c-nsp] OIR in 6500/7600
In-Reply-To: <1226336586.26527.2.camel@abehat>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat>
Message-ID:

On Mon, 10 Nov 2008, Peter Rathlev wrote:

> Hmm... can you point to where this would be stated? The "IP Routing
> Protocol-Independent Commands" doesn't state any minimum for 12.2SX,
> just the 50 msec configurable minimum.

I don't remember exactly, I just remember that Cisco engineer said that SXF doesn't support nearly as aggressive timers as SRB, from the top of my head it was around second failure time (300x3), lower than that wasn't supported.

Let's see if someone else here has more information, I don't have it in writing easily accessible.
-- Mikael Abrahamsson email: swmike at swm.pp.se From p.mayers at imperial.ac.uk Mon Nov 10 12:37:46 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Mon, 10 Nov 2008 17:37:46 +0000 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> Message-ID: <4918716A.8030502@imperial.ac.uk> Mikael Abrahamsson wrote: > On Mon, 10 Nov 2008, Peter Rathlev wrote: > >> Hmm... can you point to where this would be stated? The "IP Routing >> Protocol-Independent Commands" doesn't state any minimum for 12.2SX, >> just the 50 msec configurable minimum. > > I don't remember exactly, I just remember that Cisco engineer said that > SXF doesn't support nearly as agressive timers as SRB, from the top of > my head it was around second failure time (300x3), lower than that > wasn't supported. > > Let's see if someone else here has more information, I don't have it in > writing easily accessable. > I can certainly state from experience that SXF BFD is highly unreliable with short timers (making it more or less useless). Does SRB support BFD on SVIs? From gtb at slac.stanford.edu Mon Nov 10 12:46:02 2008 From: gtb at slac.stanford.edu (Buhrmaster, Gary) Date: Mon, 10 Nov 2008 09:46:02 -0800 Subject: [c-nsp] c3660: Utterly baffled by ROMs In-Reply-To: References: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com> Message-ID: > ... BUT, many > of the older Cisco routers DID NOT have this capability, > you HAD to buy the rom chips from Cisco. Actually, some of the older rommon images could be downloaded from Cisco by "partners" and they could write them to PROMs for their direct customers. 
(And, of course, if you were of the mindset, and you had a working rommon, you could put same into the programmer and duplicate it; at least with all of the programmers I ever owned you could do that with ROM/PROM/EEPROMs, although sometimes it was a multi-step procedure since there was only one zif socket.) Gary From nicklinn at nurro.net Mon Nov 10 13:25:01 2008 From: nicklinn at nurro.net (Nicholas Linn) Date: Mon, 10 Nov 2008 13:25:01 -0500 Subject: [c-nsp] c3660: Utterly baffled by ROMs In-Reply-To: References: <000001c941d6$d50aee80$6a01a8c0@nurronetworks.com> Message-ID: <006f01c94361$a8ec31b0$6a01a8c0@nurronetworks.com> Gary, That is true for the 3660 it's just a standard 4mbit socketed PLCC flash. As a matter of fact one of the first things I did (as I do with most of my electronics) was download the image from the flash rom as a backup in the case of corruption or failure. Nick -----Original Message----- From: Buhrmaster, Gary [mailto:gtb at slac.stanford.edu] Sent: Monday, November 10, 2008 12:46 PM To: Ted Mittelstaedt; Nicholas Linn; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] c3660: Utterly baffled by ROMs > ... BUT, many > of the older Cisco routers DID NOT have this capability, > you HAD to buy the rom chips from Cisco. Actually, some of the older rommon images could be downloaded from Cisco by "partners" and they could write them to PROMs for their direct customers. (And, of course, if you were of the mindset, and you had a working rommon, you could put same into the programmer and duplicate it; at least with all of the programmers I ever owned you could do that with ROM/PROM/EEPROMs, although sometimes it was a multi-step procedure since there was only one zif socket.) 
Gary

From damin at nacs.net  Mon Nov 10 14:30:50 2008
From: damin at nacs.net (Gregory Boehnlein)
Date: Mon, 10 Nov 2008 14:30:50 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <3e4b8fe10811101050i40e4912bxd7e3ed9d3795d2c2@mail.gmail.com>
References: <091101c9434e$17309620$4591c260$@net> <3e4b8fe10811101050i40e4912bxd7e3ed9d3795d2c2@mail.gmail.com>
Message-ID: <0a1401c9436a$d6c55220$844ff660$@net>

> What about if you do "show cef linecard" does it show cef as being active
> for the linecards that support the physical interfaces that you are binding
> to a MLPPP group?
>
> I noticed a lot of cef oddities on the 75xx platform with vip's not having
> sufficient memory (usually needed 128MB to maintain a normal cef table).

core-ar1#show diagbus | inc Mem
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 4096 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 Kbytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM
Controller Memory Size: 128 MBytes DRAM, 8192 KBytes SRAM

Looks good to me. The card in Slot 4 reporting 4096 SRAM is a Fast Ethernet card.
core-ar1#show cef linecard
Slot  XDRSent  Flags
 5    291330   up
 0    291342   up
 9    291512   up
11    291965   up
12    291530   up
 4    291519   up
*7    288598   up

VRF IPv4:Default-IP-Routing-Table, 112874 routes
Slot  I/Fs  State   Flags
 5    5     Active  sync, table-up
 0    8     Active  sync, table-up
 9    5     Active  sync, table-up
11    32    Active  sync, table-up
12    9     Active  sync, table-up
 4    6     Active  sync, table-up
 7    5     Active  sync, table-up

From peter at rathlev.dk  Mon Nov 10 14:32:38 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 10 Nov 2008 20:32:38 +0100
Subject: [c-nsp] BFD timers (was: OIR in 6500/7600)
In-Reply-To: 
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat>
Message-ID: <1226345558.27769.20.camel@abehat>

On Mon, 2008-11-10 at 18:18 +0100, Mikael Abrahamsson wrote:
> On Mon, 10 Nov 2008, Peter Rathlev wrote:
> > Hmm... can you point to where this would be stated? The "IP Routing
> > Protocol-Independent Commands" doesn't state any minimum for 12.2SX,
> > just the 50 msec configurable minimum.
>
> I don't remember exactly, I just remember that Cisco engineer said that
> SXF doesn't support nearly as aggressive timers as SRB, from the top of my
> head it was around second failure time (300x3), lower than that wasn't
> supported.

Well, I can as well get used to not using BFD anyway, seeing as this
"swiss army knife" of fast failover has its quirks on different software
versions. :-)

Can anybody say how BFD behaves on SXH? Apart from the SVI thingy of
course. :-|

Regards,
Peter

From rubensk at gmail.com  Mon Nov 10 15:27:53 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Mon, 10 Nov 2008 18:27:53 -0200
Subject: [c-nsp] OER/PfR, 7600, DFZ
Message-ID: <6bb5f5b10811101227o7b7441bdq749a83cfb7809dd7@mail.gmail.com>

What are the current xSP impressions on using Performance Routing
(formerly known as Optimized Edge Routing) on the current Internet
Default-Free-Zone, manipulating inbound traffic by BGP route control ?
Does it add availability and quality or troubles ?

Platform is 7600, PFC3BXL.

Rubens

From gert at greenie.muc.de  Mon Nov 10 16:45:02 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 10 Nov 2008 22:45:02 +0100
Subject: [c-nsp] BFD timers (was: OIR in 6500/7600)
In-Reply-To: <1226345558.27769.20.camel@abehat>
References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> <1226345558.27769.20.camel@abehat>
Message-ID: <20081110214502.GP8535@greenie.muc.de>

Hi,

On Mon, Nov 10, 2008 at 08:32:38PM +0100, Peter Rathlev wrote:
> Can anybody say how BFD behaves on SXH? Apart from the SVI thingy of
> course. :-|

Can't say. Right now, all our interfaces that would benefit from having
BFD are SVIs :(

(Did anyone ever get an answer from Cisco on why it was removed, and
whether it will be back eventually?)

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: 

From rlcwlist at gmail.com  Mon Nov 10 18:26:20 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Tue, 11 Nov 2008 07:26:20 +0800
Subject: [c-nsp] VRF on BGP
Message-ID: <53fb3cbd0811101526s25b3d3a8p72c4269236a21eb4@mail.gmail.com>

Dear All :

I'm seeking a comment on my VRF configuration with BGP configuration

Details

BGP Graph there : http://i13.photobucket.com/albums/a279/rlcw/bgp.jpg

    ---------        ---------
    |  7206 |        |  7206 |
    ---------        ---------
        |                |
        |                |
    ---------        ---------
    |  6509 |        |  6509 |
    ---------        ---------
          \            /
           \          /
            \        /
             \      /
          ------------
          | eXchange |
          ------------

3 VRFs were created on the 6509

ip vrf GLOBAL
 rd 65500:23
 route-target export 65500:23
 route-target import 65500:23
 route-target import 65500:22
 route-target import 65500:21
!
ip vrf HKIX
 rd 65500:22
 route-target export 65500:22
 route-target import 65500:22
!
ip vrf OVERSEAS
 rd 65500:21
 route-target export 65500:21
 route-target import 65500:21

In my 6509 , I'll provide the service of Broadband , IP Transit ... etc

Hence I want to provide the IP transit service using VRF , in order to
select which kind of routes I'm going to send to my customer , with
different services using different routing tables in order to make use of
those upstream (7206) providers

Sample output of sh ip route vrf GLOBAL

B    210.34.240.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    202.119.189.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    199.254.56.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37
B    202.49.249.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37

Do you think I should work the VRF GLOBAL to the global routing table ?
Or do you suggest the whole 6509's ports default mapping to a VRF ?
How can I import those routes from VRF to the Global routing table as well ?
Thanks

From rlcwlist at gmail.com  Mon Nov 10 18:29:46 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Tue, 11 Nov 2008 07:29:46 +0800
Subject: [c-nsp] VRF on BGP (New)
Message-ID: <53fb3cbd0811101529o7ea16120pfc468943cf9f64a7@mail.gmail.com>

Dear All :

I'm seeking a comment on my VRF configuration with BGP configuration

Details

BGP Graph there : http://i13.photobucket.com/albums/a279/rlcw/bgp.jpg

    ---------        ---------
    |  7206 |        |  7206 |
    ---------        ---------
        |                |
        |                |
    ---------        ---------
    |  6509 |        |  6509 |
    ---------        ---------
          \            /
           \          /
            \        /
             \      /
          ------------
          | eXchange |
          ------------

3 VRFs were created on the 6509

ip vrf GLOBAL
 rd 65500:23
 route-target export 65500:23
 route-target import 65500:23
 route-target import 65500:22
 route-target import 65500:21
!
ip vrf HKIX
 rd 65500:22
 route-target export 65500:22
 route-target import 65500:22
!
ip vrf OVERSEAS
 rd 65500:21
 route-target export 65500:21
 route-target import 65500:21

In my 6509 , I'll provide the service of Broadband , IP Transit ... etc

Hence I want to provide the IP transit service using VRF , in order to
select which kind of routes I'm going to send to my customer , with
different services using different routing tables in order to make use of
those upstream (7206) providers

Sample output of sh ip route vrf GLOBAL

B    210.34.240.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    202.119.189.0/24 [20/0] via 192.168.199.2 (OVERSEAS), 00:15:59
B    199.254.56.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37
B    202.49.249.0/24 [20/0] via 192.168.210.2 (HKIX), 00:22:37

Do you think I should work the VRF GLOBAL to the global routing table ?
Or do you suggest the whole 6509's ports default mapping to a VRF ?
How can I import those routes from VRF to the Global routing table as well ?
Thanks

From linkconnect at googlemail.com  Mon Nov 10 18:40:37 2008
From: linkconnect at googlemail.com (Wayne Lee)
Date: Mon, 10 Nov 2008 23:40:37 +0000
Subject: [c-nsp] vrf-lite question
Message-ID: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.

I have 4 routers and 3 vrf's (cust1, cust2 and GW) configured on R0

R1-------R0-------R2
         |
         |
         |
         R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and
vice-versa. I'm using OSPF and BGP to redistribute but I do not know
how to stop the customer VRFs from seeing each other, they do need
internet access via GW which will be performing NAT and allow inbound
ipsec connections to the different VRFs (R4 will be a Netscreen
firewall in the data-centre)

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200

interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
  redistribute ospf 10
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
  redistribute ospf 12
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
  redistribute ospf 11
  no auto-summary
  no synchronization
 exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in
each VRF and the Netscreen will provide internet access and VPN to
other sites where we do not terminate the ADSL

Thanks for your time

Wayne

From ben.steele at internode.on.net  Mon Nov 10 19:02:45 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 11 Nov 2008 10:32:45 +1030
Subject: [c-nsp] vrf-lite question
In-Reply-To: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>
References: <3044d0930811101540m496a6488j41cc6035151fe5c0@mail.gmail.com>
Message-ID: <000001c94390$d4709770$7d51c650$@steele@internode.on.net>

Use an export map on the GW to only export the routes for GW and not the
other custs.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wayne Lee
Sent: Tuesday, 11 November 2008 10:11 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] vrf-lite question

Hello

I've been playing with vrf-lite in dynamips and I've hit a problem.
I have 4 routers and 3 vrf's (cust1, cust2 and GW) configured on R0

R1-------R0-------R2
         |
         |
         |
         R4

cust1 and cust2 import from GW and GW imports from cust1 and cust2.

The problem I'm having is that cust1 can reach cust2 via GW and
vice-versa. I'm using OSPF and BGP to redistribute but I do not know
how to stop the customer VRFs from seeing each other, they do need
internet access via GW which will be performing NAT and allow inbound
ipsec connections to the different VRFs (R4 will be a Netscreen
firewall in the data-centre)

ip vrf cust1
 rd 172.16.1.1:100
 route-target export 172.16.1.1:100
 route-target import 172.16.1.1:100
 route-target import 10.254.254.254:300
!
ip vrf cust2
 rd 172.16.2.1:200
 route-target export 172.16.2.1:200
 route-target import 172.16.2.1:200
 route-target import 10.254.254.254:300
!
ip vrf juniperGW
 rd 10.254.254.254:300
 route-target export 10.254.254.254:300
 route-target import 10.254.254.254:300
 route-target import 172.16.1.1:100
 route-target import 172.16.2.1:200

interface FastEthernet1/0
 description link to R1
 ip vrf forwarding cust1
 ip address 172.16.1.254 255.255.255.0
 duplex half
!
interface FastEthernet2/0
 description link to R2
 ip vrf forwarding cust2
 ip address 172.16.2.254 255.255.255.0
 duplex half
!
interface FastEthernet3/0
 description link to R3
 ip address 172.16.254.1 255.255.255.252
 duplex half
!
interface FastEthernet4/0
 description juniper gateway to internet
 ip vrf forwarding juniperGW
 ip address 10.254.254.254 255.255.255.0
 duplex half
!
router ospf 11 vrf cust1
 log-adjacency-changes
 capability vrf-lite
 network 172.16.1.0 0.0.0.255 area 11
!
router ospf 12 vrf cust2
 log-adjacency-changes
 capability vrf-lite
 network 172.16.2.0 0.0.0.255 area 12
!
router ospf 1
 log-adjacency-changes
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface FastEthernet3/0
 network 172.16.254.0 0.0.0.255 area 0
!
router ospf 10 vrf juniperGW
 log-adjacency-changes
 capability vrf-lite
 network 10.254.254.0 0.0.0.255 area 10
!
router bgp 65400
 no synchronization
 bgp router-id 10.10.254.254
 bgp log-neighbor-changes
 no auto-summary
 !
 address-family ipv4 vrf juniperGW
  redistribute ospf 10
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust2
  redistribute ospf 12
  no auto-summary
  no synchronization
 exit-address-family
 !
 address-family ipv4 vrf cust1
  redistribute ospf 11
  no auto-summary
  no synchronization
 exit-address-family
!
ip route vrf cust1 0.0.0.0 0.0.0.0 10.254.254.253
ip route vrf cust2 0.0.0.0 0.0.0.0 10.254.254.253

The end result I'm working towards will have ADSL PPPoA interfaces in
each VRF and the Netscreen will provide internet access and VPN to
other sites where we do not terminate the ADSL

Thanks for your time

Wayne
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mtinka at globaltransit.net  Mon Nov 10 21:13:12 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 11 Nov 2008 10:13:12 +0800
Subject: [c-nsp] BFD timers (was: OIR in 6500/7600)
In-Reply-To: <20081110214502.GP8535@greenie.muc.de>
References: <49184D7C.4010109@bytemark.co.uk> <1226345558.27769.20.camel@abehat> <20081110214502.GP8535@greenie.muc.de>
Message-ID: <200811111013.13097.mtinka@globaltransit.net>

On Tuesday 11 November 2008 05:45:02 Gert Doering wrote:

> (Did anyone ever get an answer from Cisco on why it was
> removed, and whether it will be back eventually?)

The last time I asked our SE, he didn't have any feedback but was
checking. I've just sent him a reminder.

Side note: I also asked him why BFD wasn't supported on 802.3ad
bundles, and he said that's now in the plan, but no clear indication
in which release it will ship.

Cheers,

Mark.
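Back to the vrf-lite thread above: the export map Ben suggests, written out as an added example rather than anything Wayne or Ben posted. It keeps the VRF names, RDs and route targets from Wayne's R0 configuration, makes up the prefix-list and route-map names, and assumes the only GW-side prefix the customer VRFs need is the 10.254.254.0/24 subnet their static defaults resolve through; it also goes one step beyond Ben's one-liner by adding import maps on the customer VRFs.

```cisco
! Constructed example for R0, not Wayne's or Ben's configuration. VRF
! names, RDs and route targets are Wayne's; GW-OWN, GW-EXPORT and
! CUST-IMPORT are made-up names. Assumes the customers only need the GW
! subnet 10.254.254.0/24, which their static default routes resolve through.
!
! 1. Make sure the GW subnet itself is in the GW VRF's BGP table, so it
!    is there to be exported whatever OSPF redistribution picks up.
router bgp 65400
 address-family ipv4 vrf juniperGW
  redistribute connected
 exit-address-family
!
! 2. Replace the blanket "route-target export" on the GW VRF with an
!    export map: only the GW subnet is tagged with RT 10.254.254.254:300.
!    Anything else the GW VRF originates carries no RT at all, so cust1
!    and cust2 (which import only RT 10.254.254.254:300) cannot pick it up.
ip prefix-list GW-OWN seq 5 permit 10.254.254.0/24
!
route-map GW-EXPORT permit 10
 match ip address prefix-list GW-OWN
 set extcommunity rt 10.254.254.254:300
!
ip vrf juniperGW
 no route-target export 10.254.254.254:300
 export map GW-EXPORT
!
! 3. Belt and braces on the customer side: an import map, so each customer
!    VRF installs only the GW subnet even if something else ever arrives
!    tagged 10.254.254.254:300. A route must match both an import RT and
!    the import map to be installed.
route-map CUST-IMPORT permit 10
 match ip address prefix-list GW-OWN
!
ip vrf cust1
 import map CUST-IMPORT
!
ip vrf cust2
 import map CUST-IMPORT
!
! 4. Verify: cust1 should now hold its own 172.16.1.0/24, the GW subnet and
!    the static default, and nothing from cust2 (and vice versa).
!    show ip route vrf cust1
!    show ip bgp vpnv4 vrf cust2
```

Whether cust1 can still reach cust2 by hairpinning through the Netscreen is then a matter of the firewall's own policy, which this leaves untouched.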
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: 

From eng_mssk at hotmail.com  Tue Nov 11 00:52:21 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 07:52:21 +0200
Subject: [c-nsp] test mail
Message-ID: 

hey anyone rcvs my mail reply with an empty mail so i can make sure that
my mails are rcvd by u

thanks in advance

_________________________________________________________________
Discover the new Windows Vista
http://search.msn.com/results.aspx?q=windows+vista&mkt=en-US&form=QBRE

From eng_mssk at hotmail.com  Tue Nov 11 01:02:42 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 08:02:42 +0200
Subject: [c-nsp] L2VPN Interworking
Message-ID: 

Dears

i have the following setup:

CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2

PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-33.SRD.bin
PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-33.SRC1.bin

CE1 --> PE1 is ATM connection
CE2 --> PE2 Vlan connection (Sub interface)

i have established xconnect between the 2 sides
the xconnect is up and there is a ping between the 2 sides
but the problem is in the size
when i issue the command ping x.x.x.x repeat 1000 size 1500
i face remarkable packet drop !!
any ideas ??

knowing that there is no congestion at all in my links nor through the
MPLS cloud

_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx

From p_ambedkar at rediffmail.com  Tue Nov 11 01:15:39 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 11 Nov 2008 06:15:39 -0000
Subject: [c-nsp] 6500-sup-stdby
Message-ID: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com>

Hi,

i am using cisco 6509 with two sup engines. sup1 is main and sup2 is
standby.
The problem is sup2 is not booting automatically when the system is
switched ON. it is going to rommon mode, where we have to type boot
command so that it will boot. after booting, boot variable is missing.
if we set the boot variable, it will show the boot variable but it is
temporary.

Again we switched OFF and ON, the same situation is there. i tried a lot,
please help me. some details are here...

Before sup2:

CAT_1> (enable) sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok

After sup2:

CAT_1> (enable) sh mod
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok

bye.

From vinzoda.hitesh at gmail.com  Tue Nov 11 01:23:33 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 22:23:33 -0800
Subject: [c-nsp] FWSM Access-control lists
Message-ID: 

Dear All,

I'm having a production server subnet of around 150 servers
(172.16.2.0/24) and all of them are sitting behind FWSM. Current ACL
applied is permit ip any any. Now we have got the details of one server
communicating on some ports for that we are going to apply the ACL.

I came to know about the Line numbers in ACE but for me it's not working.

Say e.g.
my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

now any other traffic for that particular server will be denied

access-list test line 500 extended deny ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

the fascinating thing here is that when i issue "sh access-list" command,
it shows the line numbers for 500 and 501 as 4 & 5 respectively. i.e.
anything added later is appended.

I want to have ip any any at line 15000 which will be removed once all
ACEs for each server are in place.

FWSM is running 3.2

any ideas about getting line 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda

From vinzoda.hitesh at gmail.com  Tue Nov 11 01:27:50 2008
From: vinzoda.hitesh at gmail.com (Hitesh Vinzoda)
Date: Mon, 10 Nov 2008 22:27:50 -0800
Subject: [c-nsp] L2VPN Interworking
In-Reply-To: 
References: 
Message-ID: 

Check for MTU size on interfaces.

Regards
Hitesh Vinzoda

On 11/10/08, Mohammad Khalil wrote:
>
>
> Dears
> i have the following setup:
> CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
> PE1 is 7609 and has the IOS image
> c7600rsp72043-advipservices-mz.122-33.SRD.bin
> PE2 is a VXR G2 and has the IOS image
> c7200p-spservicesk9-mz.122-33.SRC1.bin
> CE1 --> PE1 is ATM connection
> CE2 --> PE2 Vlan connection (Sub interface)
>
> i have established xconnect between the 2 sides
> the xconnect is up and there is a ping between the 2 sides
> but the problem is in the size
> when i issue the command ping x.x.x.x repeat 1000 size 1500
> i face remarkable packet drop !!
> any ideas ??
> knowing that there is no congestion at all in my links nor through the MPLS
> cloud
>
> _________________________________________________________________
> News, entertainment and everything you care about at Live.com.
> Get it now!
> http://www.live.com/getstarted.aspx
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From r.tahina at moov.mg  Tue Nov 11 01:31:25 2008
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Tue, 11 Nov 2008 09:31:25 +0300
Subject: [c-nsp] lacp on serial
Message-ID: <7.0.1.0.2.20081111093006.0036fec0@moov.mg>

Dear All,

I'm looking for implementation of lacp on serial, docs only show on
ethernet, is that possible?

Kind regards.

From eng_mssk at hotmail.com  Tue Nov 11 01:33:10 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 08:33:10 +0200
Subject: [c-nsp] L2VPN Interworking
In-Reply-To: 
References: 
Message-ID: 

i checked it and it is configured to be 1500 (in fact if u keep the mtu
size on the atm sub interface the default 4470, the xconnect will never
come up)

Date: Mon, 10 Nov 2008 22:27:50 -0800
From: vinzoda.hitesh at gmail.com
To: eng_mssk at hotmail.com
Subject: Re: [c-nsp] L2VPN Interworking
CC: cisco-nsp at puck.nether.net

Check for MTU size on interfaces.

Regards
Hitesh Vinzoda

On 11/10/08, Mohammad Khalil wrote:

Dears
i have the following setup:
CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-33.SRD.bin
PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-33.SRC1.bin
CE1 --> PE1 is ATM connection
CE2 --> PE2 Vlan connection (Sub interface)

i have established xconnect between the 2 sides
the xconnect is up and there is a ping between the 2 sides
but the problem is in the size
when i issue the command ping x.x.x.x repeat 1000 size 1500
i face remarkable packet drop !!
any ideas ??
knowing that there is no congestion at all in my links nor through the
MPLS cloud

_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_________________________________________________________________
Explore the seven wonders of the world
http://search.msn.com/results.aspx?q=7+wonders+world&mkt=en-US&form=QBRE

From oboehmer at cisco.com  Tue Nov 11 01:51:13 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 11 Nov 2008 07:51:13 +0100
Subject: [c-nsp] lacp on serial
In-Reply-To: <7.0.1.0.2.20081111093006.0036fec0@moov.mg>
References: <7.0.1.0.2.20081111093006.0036fec0@moov.mg>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com>

RAZAFINDRATSIFA Rivo Tahina <> wrote on Tuesday, November 11, 2008 07:31:

> Dear All,
>
> I'm looking for implementation of lacp on serial, docs only show on
> ethernet, is that possible?

nope, you need to use multilink ppp to bundle serials on Layer 2..

	oli

From ben.steele at internode.on.net  Tue Nov 11 02:40:04 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 11 Nov 2008 18:10:04 +1030
Subject: [c-nsp] FWSM Access-control lists
In-Reply-To: 
References: 
Message-ID: <000c01c943d0$b6857d30$23907790$@steele@internode.on.net>

If you just add all your line numbers the same it will automatically bump
the one it's replacing up one. I.e. say your permit ip any any is at line
4, if you just insert all your rules as line 4 you will find they bump
each other up all the way to whatever line number you get to, with the
original line 4 statement at the very end.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hitesh Vinzoda
Sent: Tuesday, 11 November 2008 4:54 PM
To: Cisco Mailing list
Subject: [c-nsp] FWSM Access-control lists

Dear All,

I'm having a production server subnet of around 150 servers
(172.16.2.0/24) and all of them are sitting behind FWSM. Current ACL
applied is permit ip any any. Now we have got the details of one server
communicating on some ports for that we are going to apply the ACL.

I came to know about the Line numbers in ACE but for me it's not working.

Say e.g.

my LAN is untrusted (192.168.0.0/16)

access-list test line 1 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq www
access-list test line 2 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq smtp
access-list test line 3 extended permit tcp 192.168.2.0 255.255.255.0 host 172.16.2.20 eq 445

now any other traffic for that particular server will be denied

access-list test line 500 extended deny ip any host 172.16.2.20
access-list test line 501 extended permit ip any any

the fascinating thing here is that when i issue "sh access-list" command,
it shows the line numbers for 500 and 501 as 4 & 5 respectively. i.e.
anything added later is appended.

I want to have ip any any at line 15000 which will be removed once all
ACEs for each server are in place.

FWSM is running 3.2

any ideas about getting line 500 & 501 fixed at their respective places?

Thanks in advance

Hitesh Vinzoda
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
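Ben's insert-at-the-same-line approach, worked through as an added example (not Ben's or Hitesh's configuration) with the server and LAN addresses from Hitesh's post; the interface name `lan` and the second server address 172.16.2.21 are constructed.

```cisco
! Constructed example: FWSM 3.x ACL built the way Ben describes, for the
! server 172.16.2.20 and the untrusted LAN 192.168.0.0/16 from the thread.
! The interface name "lan" and the second server 172.16.2.21 are made up.
!
! Starting point from the thread: a single catch-all ACE at line 1.
access-list test line 1 extended permit ip any any
!
! Insert every ACE for the server at line 1. Each insert takes line 1 and
! pushes whatever is already there down by one, so the ACEs end up in the
! reverse of the order they were typed: type the server-wide deny first,
! then the permits, and the permits land above the deny.
access-list test line 1 extended deny ip any host 172.16.2.20 log
access-list test line 1 extended permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq 445
access-list test line 1 extended permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq smtp
access-list test line 1 extended permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq www
!
! Order the FWSM keeps after the four inserts. Line numbers are positions,
! renumbered contiguously, which is why a "line 500" never sticks:
!   1  permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq www
!   2  permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq smtp
!   3  permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.20 eq 445
!   4  deny ip any host 172.16.2.20 log
!   5  permit ip any any
!
! Next server: insert its block at line 5, the current position of the
! catch-all, and the catch-all slides down again. Repeat per server.
access-list test line 5 extended deny ip any host 172.16.2.21 log
access-list test line 5 extended permit tcp 192.168.0.0 255.255.0.0 host 172.16.2.21 eq www
!
! When every server has its block, drop the catch-all so the ACL ends in
! the FWSM's implicit deny; the per-server deny ACEs with "log" then show
! in syslog which LAN hosts still send unexpected traffic to each server.
no access-list test extended permit ip any any
!
access-group test in interface lan
```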
From tomas at soitron.com  Tue Nov 11 03:11:42 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Tue, 11 Nov 2008 09:11:42 +0100
Subject: [c-nsp] L2VPN Interworking
In-Reply-To: 
References: 
Message-ID: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as>

What does it mean - remarkable?

If it's 100% then it *might* be related to MTU.

If it's <100% (at least a few packets pass) then it's *not* MTU related.
Check links, queues, ATM... ?

-- 

deejay

>
> Dears
> i have the following setup:
> CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
> PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-
> 33.SRD.bin
> PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-
> 33.SRC1.bin
> CE1 --> PE1 is ATM connection
> CE2 --> PE2 Vlan connection (Sub interface)
>
> i have established xconnect between the 2 sides
> the xconnect is up and there is a ping between the 2 sides
> but the problem is in the size
> when i issue the command ping x.x.x.x repeat 1000 size 1500
> i face remarkable packet drop !!
> any ideas ??
> knowing that there is no congestion at all in my links nor through the
> MPLS cloud
>

From eng_mssk at hotmail.com  Tue Nov 11 03:27:02 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 10:27:02 +0200
Subject: [c-nsp] L2VPN Interworking
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as>
References: <6B43981C32F8464CB24CEE209DA32BD301A45448@kenya.tronet.as>
Message-ID: 

the success rate is about (930/1000)
and as i told u the MTU is configured on the ATM link to be 1500
the physical links are not congested
what else can i add or modify to solve this issue ??

> Subject: RE: [c-nsp] L2VPN Interworking
> Date: Tue, 11 Nov 2008 09:11:42 +0100
> From: tomas at soitron.com
> To: eng_mssk at hotmail.com; cisco-nsp at puck.nether.net
>
> What does it mean - remarkable?
>
> If it's 100% then it *might* be related to MTU.
>
> If it's <100% (at least a few packets pass) then it's *not* MTU related.
> Check links, queues, ATM... ?
>
> --
>
> deejay
>
> >
> > Dears
> > i have the following setup:
> > CE1 --> PE1 --> MPLS Cloud --> PE2 --> CE2
> > PE1 is 7609 and has the IOS image c7600rsp72043-advipservices-mz.122-
> > 33.SRD.bin
> > PE2 is a VXR G2 and has the IOS image c7200p-spservicesk9-mz.122-
> > 33.SRC1.bin
> > CE1 --> PE1 is ATM connection
> > CE2 --> PE2 Vlan connection (Sub interface)
> >
> > i have established xconnect between the 2 sides
> > the xconnect is up and there is a ping between the 2 sides
> > but the problem is in the size
> > when i issue the command ping x.x.x.x repeat 1000 size 1500
> > i face remarkable packet drop !!
> > any ideas ??
> > knowing that there is no congestion at all in my links nor through the
> > MPLS cloud
> >

_________________________________________________________________
News, entertainment and everything you care about at Live.com. Get it now!
http://www.live.com/getstarted.aspx

From pete at bytemark.co.uk  Tue Nov 11 03:31:05 2008
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Tue, 11 Nov 2008 08:31:05 +0000
Subject: [c-nsp] 6500-sup-stdby
In-Reply-To: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com>
References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com>
Message-ID: <491942C9.6020505@bytemark.co.uk>

ambedkar wrote:
>
> Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2
> is standby. The problem is sup2 is not booting automatically when the
> system is switched ON. it is going to rommon mode, where we have to
> type boot command so that it will boot. after booting, boot variable
> is missing. if we set the boot variable,it will show the boot variable
> but it is temporary.
>
> Again we switched OFF and ON, The same situation is there. i tried
> lot, please help me. some details are here...
I had that on a sup720 once, it turned out that the onboard battery was
dead.

-- 
Peter Taphouse
Bytemark Hosting
http://www.bytemark-hosting.co.uk
tel. +44 (0) 845 004 3 004

From affanzbasalamah at gmail.com  Tue Nov 11 05:49:27 2008
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Tue, 11 Nov 2008 17:49:27 +0700
Subject: [c-nsp] Upgrading edge router
Message-ID: 

Hi all,

I am network admin in a university that has a UNIX PC that functions as
core router and firewall to accommodate :
- 2 x 45 Mb link to research education network (REN)
- 100Mb link to local exchange point
- 10Mb link to Internet

Currently we accept partial route from Internet, and aggregated with REN
prefixes, we have at least 30k prefixes.

We would like to upgrade our router to accommodate :
- new STM-1 link (physical connector is not STM1 port, but it is
  converted to Gigeth by our telco)
- at least 4 1000BaseT port
- firewall feature (packet filter and inspection) would be nice
- IPv6 multicast and MPLS feature
- can keep up the load at least for 5 years
- budget around $35k

I have done some research, and our choice could come to :
- Cisco 7603 with Sup32. I think this is the cheapest solution with 8
  port gigabit ethernet, but I don't know whether it could handle the
  load. I also see it as integrated packet inspection with PISA
  daughterboard, but I don't have any experience with that. The
  supervisor is a bit old compared to ASR1000.
- Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet
  inspection, but I don't know whether it can suit the budget.
- Juniper M7i with 2 x 1Gbps SFP port. It has better OS (but I haven't
  compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit
  ports, and separate AS module can cost you too much. I don't know
  whether it suits the budget.
- Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had experience
  with this box, but the specs look promising, and maybe it suits the
  budget.
I would like your suggestion about my plan above, perhaps I can come out with a better plan.

Thank you,
Regards,

-affan

From ben.steele at internode.on.net Tue Nov 11 06:08:40 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Tue, 11 Nov 2008 21:38:40 +1030
Subject: [c-nsp] Upgrading edge router
In-Reply-To:
References:
Message-ID: <001501c943ed$da89bda0$8f9d38e0$@steele@internode.on.net>

I'd try and go the ASR1002 option, it shouldn't be too far off your 35k budget without smartnet, although I'd recommend maintenance on the software as you will want access to TAC for bugs, also if you can option in the HA feature so you can get ISSU.

With 5Gb of throughput, dual PSU and 4Gb (SFP) int's out of the box with room for expansion it's good bang for buck, the ASR is really aimed as the next generation 7200 swiss army knife, being a software based feature platform rather than a hardware one (ie 7600/6500) it's a welcome new product and you should see good life out of it, it has some limitations in its current form, the only one that may concern you with your list that I can think of is lack of AToM MPLS support, but that is due out in an upcoming software release.

Put the quagga to rest! :)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
Sent: Tuesday, 11 November 2008 9:19 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Upgrading edge router

Hi all,

I am a network admin at a university that has a UNIX PC functioning as core router and firewall to accommodate:
- 2 x 45 Mb link to research education network (REN)
- 100Mb link to local exchange point
- 10Mb link to Internet
Currently we accept partial routes from the Internet, and aggregated with REN prefixes, we have at least 30k prefixes.
We would like to upgrade our router to accommodate:
- new STM-1 link (physical connector is not an STM1 port, but it is converted to Gigeth by our telco)
- at least 4 1000BaseT ports
- firewall feature (packet filter and inspection) would be nice
- IPv6 multicast and MPLS features
- can keep up with the load for at least 5 years
- budget around $35k

I have done some research, and our choice could come down to:
- Cisco 7603 with Sup32. I think this is the cheapest solution with 8 port gigabit ethernet, but I don't know whether it could handle the load. I also see it has integrated packet inspection with the PISA daughterboard, but I don't have any experience with that. The supervisor is a bit old compared to ASR1000.
- Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet inspection, but I don't know whether it can suit the budget.
- Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit ports, and a separate AS module can cost you too much. I don't know whether it suits the budget.
- Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had experience with this box, but the specs look promising, and maybe it suits the budget.

I would like your suggestion about my plan above, perhaps I can come out with a better plan.

Thank you,
Regards,

-affan
From affanzbasalamah at gmail.com Tue Nov 11 06:55:10 2008
From: affanzbasalamah at gmail.com (Affan Basalamah)
Date: Tue, 11 Nov 2008 18:55:10 +0700
Subject: [c-nsp] Upgrading edge router
In-Reply-To: <4213440380134758766@unknownmsgid>
References: <4213440380134758766@unknownmsgid>
Message-ID:

Thank you for your prompt response,

I would like to know a thing about ASR1000 software components:
- It says in the ASR1000 software ordering guide (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html) that there is an FPM (flexible packet matching) service license and a Firewall service license. I would like to know the difference between the two licenses, since the latter costs double the former.
- What version of IOS-XE is integrated in the ASR1000 bundle? Is it IP Base or Advanced IP Services? I would like to run IPv6 on the router, so the router will need Advanced IP Services IOS.

Regards,

-affan

On Tue, Nov 11, 2008 at 6:08 PM, Ben Steele wrote:
> I'd try and go the ASR1002 option, it shouldn't be too far off your 35k budget without smartnet, although I'd recommend maintenance on the software as you will want access to TAC for bugs, also if you can option in the HA feature so you can get ISSU.
>
> With 5Gb of throughput, dual PSU and 4Gb (SFP) int's out of the box with room for expansion it's good bang for buck, the ASR is really aimed as the next generation 7200 swiss army knife, being a software based feature platform rather than a hardware one (ie 7600/6500) it's a welcome new product and you should see good life out of it, it has some limitations in its current form, the only one that may concern you with your list that I can think of is lack of AToM MPLS support, but that is due out in an upcoming software release.
>
> Put the quagga to rest!
> :)
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah
> Sent: Tuesday, 11 November 2008 9:19 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Upgrading edge router
>
> Hi all,
>
> I am a network admin at a university that has a UNIX PC functioning as core router and firewall to accommodate:
> - 2 x 45 Mb link to research education network (REN)
> - 100Mb link to local exchange point
> - 10Mb link to Internet
> Currently we accept partial routes from the Internet, and aggregated with REN prefixes, we have at least 30k prefixes.
>
> We would like to upgrade our router to accommodate:
> - new STM-1 link (physical connector is not an STM1 port, but it is converted to Gigeth by our telco)
> - at least 4 1000BaseT ports
> - firewall feature (packet filter and inspection) would be nice
> - IPv6 multicast and MPLS features
> - can keep up with the load for at least 5 years
> - budget around $35k
>
> I have done some research, and our choice could come down to:
> - Cisco 7603 with Sup32. I think this is the cheapest solution with 8 port gigabit ethernet, but I don't know whether it could handle the load. I also see it has integrated packet inspection with the PISA daughterboard, but I don't have any experience with that. The supervisor is a bit old compared to ASR1000.
> - Cisco ASR1002 with ESP-5G. Newer supervisor and enhanced with packet inspection, but I don't know whether it can suit the budget.
> - Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit ports, and a separate AS module can cost you too much. I don't know whether it suits the budget.
> - Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had experience with this box, but the specs look promising, and maybe it suits the budget.
>
> I would like your suggestion about my plan above, perhaps I can come out with a better plan.
>
> Thank you,
> Regards,
>
> -affan

From eng_mssk at hotmail.com Tue Nov 11 07:31:28 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 14:31:28 +0200
Subject: [c-nsp] PPPoE over VRF
Message-ID:

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance and transporting the traffic to them via ethernet. How can I get the sessions to be inserted into the VRF correctly?

From chloekcy2000 at yahoo.ca Tue Nov 11 07:57:46 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Tue, 11 Nov 2008 07:57:46 -0500 (EST)
Subject: [c-nsp] not understand some command
Message-ID: <802016.76480.qm@web57416.mail.re1.yahoo.com>

Hi

I am new to cisco

I don't understand the difference between ip classless and ip classful

and why don't I need those commands

no network-clock-participate slot 1
no network-clock-participate slot 2
no network-clock-participate wic 0
no network-clock-participate wic 1
no network-clock-participate wic 2
no network-clock-participate aim 0
no network-clock-participate aim 1

and

What is ip proxy-arp?
why don't I need it?

Thank you
From eng_mssk at hotmail.com Tue Nov 11 08:15:19 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Tue, 11 Nov 2008 15:15:19 +0200
Subject: [c-nsp] not understand some command
In-Reply-To: <802016.76480.qm@web57416.mail.re1.yahoo.com>
References: <802016.76480.qm@web57416.mail.re1.yahoo.com>
Message-ID:

ip classless: This command allows the software to forward packets that are destined for unrecognized subnets of directly connected networks. The packets are forwarded to the best supernet route.

ip proxy-arp: Proxy ARP is the technique in which one host, usually a router, answers ARP requests intended for another machine. By "faking" its identity, the router accepts responsibility for routing packets to the "real" destination. Proxy ARP can help machines on a subnet reach remote subnets without the need to configure routing or a default gateway.

network-clock-participate: To allow the ports on a specified network module or voice/WAN interface card (VWIC) to use the network clock for timing, use the network-clock-participate command in global configuration mode. To restrict the device to use only its own clock signals, use the no form of this command.

> Date: Tue, 11 Nov 2008 07:57:46 -0500
> From: chloekcy2000 at yahoo.ca
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] not understand some command
>
> Hi
>
> I am new to cisco
>
> I don't understand the difference between ip classless and ip classful
>
> and why don't I need those commands
>
> no network-clock-participate slot 1
> no network-clock-participate slot 2
> no network-clock-participate wic 0
> no network-clock-participate wic 1
> no network-clock-participate wic 2
> no network-clock-participate aim 0
> no network-clock-participate aim 1
>
> and
>
> What is ip proxy-arp?
> why don't I need it?
>
> Thank you
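To make the `ip classless` behaviour described in the reply above concrete, here is an added Python model of the forwarding decision (not from the thread or from Cisco's own code): the route table, next hops and addresses are constructed for the example, and the classful rule is reduced to the one effect the reply describes, namely that a destination inside a "known" major network with no matching subnet route is dropped instead of taking a supernet or default route.

```python
"""Classful vs. classless forwarding decision.

Added example modelling the `ip classless` behaviour explained above:
with it on, a packet for an unknown subnet of a directly connected (or
otherwise known) major network is forwarded via the best supernet or
default route; with it off (classful behaviour) the packet is dropped.
The routing table and addresses below are constructed for the example.
"""
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed routing table: (prefix, next hop). "connected" marks a
# directly attached subnet; 203.0.113.1 is a made-up upstream next hop.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.1"),     # default route
    ("10.1.1.0/24", "connected"),     # subnet of major network 10.0.0.0/8
    ("10.1.2.0/24", "10.1.1.2"),      # another 10/8 subnet, learned
    ("192.168.0.0/16", "10.1.1.3"),   # supernet covering many class C nets
    ("192.168.5.0/24", "connected"),
]


def classful_network(addr: IPv4Address) -> IPv4Network:
    """Return the classful (A/B/C) major network that contains addr."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        prefix = 8
    elif first_octet < 192:
        prefix = 16
    elif first_octet < 224:
        prefix = 24
    else:
        raise ValueError(f"{addr} is not in a classful unicast range")
    return ip_network(f"{addr}/{prefix}", strict=False)


def lookup(table, dst, classless=True):
    """Return the next hop chosen for dst, or None if the packet is dropped.

    table: iterable of (prefix, next_hop) strings in any order.
    classless: True models `ip classless`, False models `no ip classless`.
    """
    dst = ip_address(dst)
    routes = [(ip_network(prefix), nh) for prefix, nh in table]
    matches = [(net, nh) for net, nh in routes if dst in net]
    if not matches:
        return None                      # no route at all, either mode
    best_net, best_nh = max(matches, key=lambda r: r[0].prefixlen)
    if classless:
        return best_nh                   # plain longest-prefix match
    # Classful rule: if any route lies inside the destination's major
    # network, the router treats that major network as "known" and will
    # not fall back to a supernet or default route for its other subnets.
    major = classful_network(dst)
    major_is_known = any(net.subnet_of(major) for net, _ in routes)
    if major_is_known and not best_net.subnet_of(major):
        return None
    return best_nh


if __name__ == "__main__":
    for dst in ("10.1.2.7", "10.9.9.9", "192.168.7.7", "172.16.0.1"):
        print(dst, "classless:", lookup(ROUTES, dst, True),
              "classful:", lookup(ROUTES, dst, False))
```

Running it shows 10.9.9.9 (an unknown subnet of the connected 10.0.0.0/8) following the default route only when classless is on, while 192.168.7.7 uses the 192.168.0.0/16 supernet in both modes because no route lies inside its class C major network.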
From jmenendez at mecon.gov.ar Tue Nov 11 09:49:41 2008
From: jmenendez at mecon.gov.ar (Juan Angel Menendez)
Date: Tue, 11 Nov 2008 11:49:41 -0300
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
Message-ID: <200811111449.mABEnfOu030925@racing2.mecon.ar>

Hello list,

We're interested in the Nexus 7000 platform but we're wondering if a fiber 1GBit linecard is going to be available anytime soon?

Thanks in advance.
Regards
Juan

From lowen at pari.edu Tue Nov 11 09:09:31 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 11 Nov 2008 09:09:31 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <091101c9434e$17309620$4591c260$@net>
References: <091101c9434e$17309620$4591c260$@net>
Message-ID: <200811110909.31890.lowen@pari.edu>

On Monday 10 November 2008 11:05:03 Gregory Boehnlein wrote:
> Hello,
> Over the weekend, we updated one of our 7513s from 12.2.25S12 to the 12.2.25S15. The driver behind this was service policies used for LLQ dropping from interfaces, causing all sorts of havoc w/ our voice prioritization. The thought was that moving to the more current issue would address this. It did not.

Isn't 12.2(25)S really really not recommended on 7500? I seem to remember several exchanges where this was mentioned by cisco people here.
From rshughes at gmail.com Tue Nov 11 09:12:55 2008 From: rshughes at gmail.com (Ryan Hughes) Date: Tue, 11 Nov 2008 09:12:55 -0500 Subject: [c-nsp] 6500-sup-stdby In-Reply-To: <491942C9.6020505@bytemark.co.uk> References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> <491942C9.6020505@bytemark.co.uk> Message-ID: Check to make sure the exact same image is on the bootflash of both supervisors. I've seen it where the primary sup boots up and when it tries to boot the second, the image is not available and it will sit in rommon. The boot variable from the primary is passed to the second and if it can't find the exact same image file, it will not boot. On Tue, Nov 11, 2008 at 3:31 AM, Peter Taphouse wrote: > ambedkar wrote: > > > > Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2 > > is standby. The problem is sup2 is not booting automatically when the > > system is switched ON. it is going to rommon mode, where we have to > > type boot command so that it will boot. after booting, boot variable > > is missing. if we set the boot variable,it will show the boot variable > > but it is temporary. > > > > Again we switched OFF and ON, The same situation is there. i tried > > lot, please help me. some details are here... > > I had that on a sup720 once, it turned out that the onboard battery was > dead. > > -- > Peter Taphouse > > Bytemark Hosting > http://www.bytemark-hosting.co.uk > tel. 
+44 (0) 845 004 3 004 > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From damin at nacs.net Tue Nov 11 09:24:33 2008 From: damin at nacs.net (Gregory Boehnlein) Date: Tue, 11 Nov 2008 09:24:33 -0500 Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness In-Reply-To: <200811110909.31890.lowen@pari.edu> References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> Message-ID: <0bff01c94409$37b67a70$a7236f50$@net> > Isn't 12.2(25)S really really not recommended on 7500? I seem to > remember several exchanges where this was mentioned by cisco people here. I'm going to look through the list archives and see if I can find those references. Everything that I've seen revolves around earlier iterations of the code, not the S15 release that has been out for a year. I'm happy to consider upgrading to a different IOS version.. just looking for recommendations on what I should be looking at for a 7515 w/ Dual RSP 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc.. From jlewis at lewis.org Tue Nov 11 09:37:21 2008 From: jlewis at lewis.org (Jon Lewis) Date: Tue, 11 Nov 2008 09:37:21 -0500 (EST) Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net> References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net> Message-ID: On Tue, 11 Nov 2008, Gregory Boehnlein wrote: >> Isn't 12.2(25)S really really not recommended on 7500? I seem to >> remember several exchanges where this was mentioned by cisco people here. > > I'm going to look through the list archives and see if I can find those > references. Everything that I've seen revolves around earlier iterations of > the code, not the S15 release that has been out for a year. 
> > I'm happy to consider upgrading to a different IOS version.. just looking > for recommendations on what I should be looking at for a 7515 w/ Dual RSP > 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc.. My recommendation would be whatever number of 7206's are necessary to handle the interfaces you're running on those 5 VIPs :) I used to run somewhat earlier 12.2S on a couple of dual-RSP4 7500s, and they weren't quite stable (periodic dCEF bugs). IIRC, the cisco guys on-list used to recommend sticking with 12.0S on the 7500. ---------------------------------------------------------------------- Jon Lewis | I route Senior Network Engineer | therefore you are Atlantic Net | _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________ From pshuleski at gmail.com Tue Nov 11 10:14:41 2008 From: pshuleski at gmail.com (Pete S.) Date: Tue, 11 Nov 2008 10:14:41 -0500 Subject: [c-nsp] 6500-sup-stdby In-Reply-To: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> Message-ID: <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com> Also, make sure the flash was formatted by the chassis its currently in. There was an issue where, if formatted in another chassis, the flash could be read, but not booted from, resulting in a boot to rommon where you have to manually enter the boot command. --Pete On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote: > > Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2 > is standby. The problem is sup2 is not booting automatically when the > system is switched ON. it is going to rommon mode, where we have to > type boot command so that it will boot. after booting, boot variable > is missing. if we set the boot variable,it will show the boot variable > but it is temporary. > > Again we switched OFF and ON, The same situation is there. i tried > lot, please help me. some details are here... 
>
> Before sup2:
>
> CAT_1> (enable) sh mod
> Mod Slot Ports Module-Type               Model               Sub Status
> --- ---- ----- ------------------------- ------------------- --- --------
> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>
> After sup2:
>
> CAT_1> (enable) sh mod
> Mod Slot Ports Module-Type               Model               Sub Status
> --- ---- ----- ------------------------- ------------------- --- --------
> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>
> bye.

From lowen at pari.edu Tue Nov 11 10:19:39 2008
From: lowen at pari.edu (Lamar Owen)
Date: Tue, 11 Nov 2008 10:19:39 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net>
References: <091101c9434e$17309620$4591c260$@net>
Message-ID: <200811111019.39463.lowen@pari.edu>

On Tuesday 11 November 2008 09:24:33 Gregory Boehnlein wrote:
> I'm going to look through the list archives and see if I can find those references. Everything that I've seen revolves around earlier iterations of the code, not the S15 release that has been out for a year.

Hmm, is there a better search for the archives than using Marc.info or similar?

> I'm happy to consider upgrading to a different IOS version..
just looking > for recommendations on what I should be looking at for a 7515 w/ Dual RSP > 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc.. See http://marc.info/?l=cisco-nsp&m=113154141708694&w=2 for Rodney's take on it a while back. Recent releases of 12.0S support SSO HA. Whether they support the other features you need, I don't know, and I don't particularly trust Feature Navigator for 12.xS releases (especially since some of the latest releases, at least when I checked a while back, don't even show up in FN). From petelists at templin.org Tue Nov 11 10:33:15 2008 From: petelists at templin.org (Pete Templin) Date: Tue, 11 Nov 2008 09:33:15 -0600 Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness In-Reply-To: <0bff01c94409$37b67a70$a7236f50$@net> References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net> Message-ID: <4919A5BB.3080405@templin.org> Gregory Boehnlein wrote: >> Isn't 12.2(25)S really really not recommended on 7500? I seem to >> remember several exchanges where this was mentioned by cisco people here. > > I'm going to look through the list archives and see if I can find those > references. Everything that I've seen revolves around earlier iterations of > the code, not the S15 release that has been out for a year. > > I'm happy to consider upgrading to a different IOS version.. just looking > for recommendations on what I should be looking at for a 7515 w/ Dual RSP > 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc.. I've been very happy with 12.0(27)S5 for MLPPP, LLQ, OSPF, BGP, MPLS. VLANs could be an issue - we had problems with subinterfaces not being fully CEF-switched in earlier 12.0(27)S releases and abandoned that configuration. SSO is quite good. It'd be 100% stable if it weren't for VIP2-50s having memory issues and bombing out occasionally, but that's not a code issue. 
Lucky guess, the first two routers I checked have uptimes of 2y13w. I've been somewhat happy with 12.0(32)S[7,8,10] for "simple" core routing. MPLS Traffic Engineering is garbage, at least when talking to GSRs, and we've now officially abandoned MPLS TE on 7507s entirely. That said, I like Jon Lewis' suggestion to switch to enough 7206s to carry the PAs you're using. Single forwarding engine on a clean, very well baked architecture means simple and reliable. We're moving to 7206s for CT3 aggregation, GSRs for DS3 and OCx, and 6500/7600/Sup720-3BXL for Ethernet. pt From lowen at pari.edu Tue Nov 11 11:10:02 2008 From: lowen at pari.edu (Lamar Owen) Date: Tue, 11 Nov 2008 11:10:02 -0500 Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness In-Reply-To: <200811111019.39463.lowen@pari.edu> References: <091101c9434e$17309620$4591c260$@net> Message-ID: <200811111110.02440.lowen@pari.edu> On Tuesday 11 November 2008 10:19:39 Lamar Owen wrote: > See http://marc.info/?l=cisco-nsp&m=113154141708694&w=2 for Rodney's take > on it a while back. Also see http://marc.info/?l=cisco-nsp&m=116645064330255&w=2 and http://marc.info/?l=cisco-nsp&m=113340513407711&w=2 and http://marc.info/?l=cisco-nsp&m=113145616327633&w=2 In essence: plain 12.2S isn't recommended (on any platform, unless I'm misunderstanding things, not just 7500); 12.2SB and others (SX, SR, etc) perhaps. From justin at justinshore.com Tue Nov 11 11:18:25 2008 From: justin at justinshore.com (Justin Shore) Date: Tue, 11 Nov 2008 10:18:25 -0600 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <4918716A.8030502@imperial.ac.uk> References: <49184D7C.4010109@bytemark.co.uk> <20081110160401.GM8535@greenie.muc.de> <1226334297.21668.78.camel@abehat> <1226336586.26527.2.camel@abehat> <4918716A.8030502@imperial.ac.uk> Message-ID: <4919B051.3080803@justinshore.com> Phil Mayers wrote: > I can certainly state from experience that SXF BFD is highly unreliable > with short timers (making it more or less useless). 
I have a particular 2821 dual-homed to 2 7600s that has a BFD event 6-8 times a day. I can't correlate it to high CPU on either side or a noticeable increase in traffic. The settings were 50/50x3. I raised them to 50/500x3 yesterday and haven't seen any more hiccups. > Does SRB support BFD on SVIs? SRB and SRB1 both support BFD on SVIs. My understanding is that anything later removes that working feature. (see past posts about it from Gert and myself... :-( ). Email your account team weekly if you want to ever see that feature again. Justin From drew.weaver at thenap.com Tue Nov 11 11:34:46 2008 From: drew.weaver at thenap.com (Drew Weaver) Date: Tue, 11 Nov 2008 11:34:46 -0500 Subject: [c-nsp] Best practices/security feature mix for host ports Message-ID: Hello, I have been recently doing some random research on mixes of security features (Well, not specifically security features, I suppose) but I guess port configurations. Such as setting the switchport type to host, enabling bpdufilter/bpduguard, loopguard, storm-control, etc. Does anyone have any anecdotal tales about what has worked for you, what hasn't worked for you, etc. (this is for the access layer, where hosts are connecting to switches but we don't necessarily have control over what these hosts do.) Any thoughts would be great. -Drew From nicotine at warningg.com Tue Nov 11 11:11:28 2008 From: nicotine at warningg.com (Brandon Ewing) Date: Tue, 11 Nov 2008 10:11:28 -0600 Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness In-Reply-To: <200811111019.39463.lowen@pari.edu> References: <0bff01c94409$37b67a70$a7236f50$@net> <200811111019.39463.lowen@pari.edu> Message-ID: <20081111161128.GG31816@biological.warningg.com> On Tue, Nov 11, 2008 at 10:19:39AM -0500, Lamar Owen wrote: > On Tuesday 11 November 2008 09:24:33 Gregory Boehnlein wrote: > > I'm going to look through the list archives and see if I can find those > > references. 
> > Everything that I've seen revolves around earlier iterations of the code, not the S15 release that has been out for a year.
>
> Hmm, is there a better search for the archives than using Marc.info or similar?

Markmail (www.markmail.org) is a recent addition to mailing list archiving that recently started archiving puck.nether.net's lists, nanog-l, and a large number of other technical lists. It supports a very google-like search syntax, allowing one to specify searching specific groups of lists, searching for patch attachments, etc.

I'm still waffling between primarily using it, or pointing google.com at a pipermail archive of a list, to find specific information from mailing lists.

--
Brandon Ewing (nicotine at warningg.com)

From berni at birkenwald.de Tue Nov 11 12:04:32 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Tue, 11 Nov 2008 17:04:32 +0000 (UTC)
Subject: [c-nsp] 2821 voice configuration
Message-ID:

Hello everyone,

we want to use a Cisco 2821 as SIP-PSTN media gateway and PRI switch for a slow migration from an old PBX to a VoIP PBX (Asterisk)

                | E1 carrier
         +------+-------+
         |  Cisco 2821  +---- IP/SIP to Asterisk
         +------+-------+
                | E1 old PBX

Required key feature is forwarding of calls between all three legs, especially transparent E1-E1 (using dial-peer statements). We have this setup running for more than three years on AS5350XM with a lot more E1 lines so I'm pretty sure how to configure that, but I have never done this with the 2800 series and I don't want to buy anything we can't use afterwards.

We want to use

CISCO2821-V/K9   2821 Voice Bundle, PVDM2-32, SP Serv, 64F/256D
VWIC-2MFT-E1     2-Port RJ-48 Multiflex Trunk - E1
PVDM2-32         32-Channel Packet Voice/Fax DSP Module

can anyone see any reason why this might not work?
Thanks,
Bernhard

From mrz at velvet.org Tue Nov 11 12:05:56 2008
From: mrz at velvet.org (matthew zeier)
Date: Tue, 11 Nov 2008 09:05:56 -0800
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh
Message-ID: <4919BB74.2070102@velvet.org>

My standby FWSM all of a sudden stopped accepting inbound ssh (so says RANCID, which is now complaining incessantly). Short of a reboot, is there a quick fix for this?

From vijay.ramcharan at verizonbusiness.com Tue Nov 11 12:33:09 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Tue, 11 Nov 2008 17:33:09 +0000
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh
In-Reply-To: <4919BB74.2070102@velvet.org>
References: <4919BB74.2070102@velvet.org>
Message-ID:

I believe we have run into a similar issue in the past. I think it was something to do with the FWSM not releasing prior sessions and eventually being unable to support additional mgmt sessions. I think the bug is CSCsd67334. At least that's what it looks like from what I remember. I do remember that the FWSM had to be reloaded to clear the sessions.

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of matthew zeier
Sent: November 11, 2008 12:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Standby FWSM not responding to mgmt ssh

My standby FWSM all of a sudden stopped accepting inbound ssh (so says RANCID, which is now complaining incessantly). Short of a reboot, is there a quick fix for this?
From rodunn at cisco.com Tue Nov 11 13:35:35 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 11 Nov 2008 13:35:35 -0500
Subject: [c-nsp] 7513 - RSP4 - 122-25.S15 - MLPPP / Dcef Weirdness
In-Reply-To: <4919A5BB.3080405@templin.org>
References: <091101c9434e$17309620$4591c260$@net> <200811110909.31890.lowen@pari.edu> <0bff01c94409$37b67a70$a7236f50$@net> <4919A5BB.3080405@templin.org>
Message-ID: <20081111183535.GL19607@rtp-cse-489.cisco.com>

The two games in town for 75xx will be:

12.0(32)S(x) rebuild -- more HA features
12.4(latest) mainline until full EoS for the platform.

I wouldn't recommend any other train at this point for the platform even if the code is available.

Rodney

On Tue, Nov 11, 2008 at 09:33:15AM -0600, Pete Templin wrote:
> Gregory Boehnlein wrote:
> >>Isn't 12.2(25)S really really not recommended on 7500? I seem to remember several exchanges where this was mentioned by cisco people here.
> >
> >I'm going to look through the list archives and see if I can find those references. Everything that I've seen revolves around earlier iterations of the code, not the S15 release that has been out for a year.
> >
> >I'm happy to consider upgrading to a different IOS version.. just looking for recommendations on what I should be looking at for a 7515 w/ Dual RSP 4+, 5 VIP cards and the need for LLQ, OSPF, BGP, VLANs, MLPPP etc..
>
> I've been very happy with 12.0(27)S5 for MLPPP, LLQ, OSPF, BGP, MPLS. VLANs could be an issue - we had problems with subinterfaces not being fully CEF-switched in earlier 12.0(27)S releases and abandoned that configuration. SSO is quite good. It'd be 100% stable if it weren't for VIP2-50s having memory issues and bombing out occasionally, but that's not a code issue.
> Lucky guess, the first two routers I checked have uptimes of 2y13w.
>
> I've been somewhat happy with 12.0(32)S[7,8,10] for "simple" core routing. MPLS Traffic Engineering is garbage, at least when talking to GSRs, and we've now officially abandoned MPLS TE on 7507s entirely.
>
> That said, I like Jon Lewis' suggestion to switch to enough 7206s to carry the PAs you're using. Single forwarding engine on a clean, very well baked architecture means simple and reliable. We're moving to 7206s for CT3 aggregation, GSRs for DS3 and OCx, and 6500/7600/Sup720-3BXL for Ethernet.
>
> pt

From guru6111 at gmail.com Tue Nov 11 13:46:39 2008
From: guru6111 at gmail.com (Atif Sid)
Date: Tue, 11 Nov 2008 13:46:39 -0500
Subject: [c-nsp] ISIS / NSF IOS XR
Message-ID: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>

I configured NSF under ISIS initially, then removed it. Still shows NSF 'YES'; anyone seen this? Restarted the ISIS process, cleared it, nothing. This is IOS XR 3.6.1 and 3.6.0, both same condition.

RP/0/9/CPU0:P1#sh isis adjacency
IS-IS NP Level-2 adjacencies:
System Id      Interface        SNPA           State Hold Changed  NSF BFD
P2             Gi0/1/1/8        *PtoP*         Up    27   01:31:58 Yes None
PE1            Gi0/1/1/0        *PtoP*         Up    29   01:32:04 Yes None
PE1            Gi0/1/1/1        *PtoP*         Up    26   01:31:59 Yes None
P3             PO0/0/0/0        *PtoP*         Up    29   01:32:00 Yes None

router isis NP
 set-overload-bit on-startup 300
 is-type level-2-only
 net 49.0001.1921.1813.6001.00
 log adjacency changes
 address-family ipv4 unicast
  metric-style wide
 !
 interface Loopback0
  passive
  address-family ipv4 unicast
  !
 !
 interface GigabitEthernet0/1/1/0
  point-to-point
  hello-password keychain NP-ISIS
  address-family ipv4 unicast
   metric 10
  !
 !
interface GigabitEthernet0/1/1/1 point-to-point hello-password keychain NP-ISIS address-family ipv4 unicast metric 10 ! ! interface GigabitEthernet0/1/1/8 point-to-point hello-password keychain NP-ISIS address-family ipv4 unicast metric 10 mpls ldp sync ! ! interface POS0/0/0/0 hello-password keychain NP-ISIS address-family ipv4 unicast metric 100 ! ! ! From guru6111 at gmail.com Tue Nov 11 13:58:52 2008 From: guru6111 at gmail.com (Atif Sid) Date: Tue, 11 Nov 2008 13:58:52 -0500 Subject: [c-nsp] HA / SSO - IOS XR 3.6.1 Message-ID: <766b203d0811111058j1254feb8n773ad3f34c9ccb0d@mail.gmail.com> Q. SSO on GSR IOS XR is default? I have *not configured* LDP GR, NSF IETF on my IOS XR router; when RP failover occurs it does not see any packet loss; puzzled. LAB : PE1 (7606) --> P1 (GSR XR) --> P2 --> (GSR XR) --> PE3 (7606) PE1#sh mpls ld graceful-restart LDP Graceful Restart is disabled Neighbor Liveness Timer: 120 seconds Max Recovery Time: 120 seconds Forwarding State Holding Time: 600 seconds I reloaded the RP on P1; traffic goes through no packet loss. good but how? RP/0/9/CPU0:P1#sh mpls ldp graceful-restart RP/0/9/CPU0:P1# RP/0/8/CPU0:P2#sh mpls ldp graceful-restart RP/0/8/CPU0:P2# RP/0/9/CPU0:P1#sh mpls ldp neighbor br Peer GR Up Time Discovery Address ----------------- -- --------------- --------- ------- 10.10.136.128:0 N 02:21:26 3 10 10.10.136.2:0 N 02:21:04 2 6 10.10.136.3:0 N 02:21:00 2 9 RP/0/9/CPU0:P1# RP/0/9/CPU0:P1#sh isis neighbors IS-IS NRP neighbors: System Id Interface SNPA State Holdtime Type IETF-NSF P2 Gi0/1/1/8 *PtoP* Up 25 L2 Capable PE1 Gi0/1/1/0 *PtoP* Up 24 L2 Capable PE1 Gi0/1/1/1 *PtoP* Up 27 L2 Capable P3 PO0/0/0/0 *PtoP* Up 25 L2 Capable PE1#ping Protocol [ip]: Target IP address: pe3 Repeat count [5]: 50000 Datagram size [100]: Timeout in seconds [2]: Extended commands [n]: Sweep range of sizes [n]: Type escape sequence to abort. 
Sending 50000, 100-byte ICMP Echos to 10.10.136.130, timeout is 2 seconds: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! !!!!!!!!!!!!!!!!!!!! Success rate is 100 percent (50000/50000), round-trip min/avg/max = 1/1/92 ms From tkacprzynski at SpencerStuart.com Tue Nov 11 16:29:23 2008 From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com) Date: Tue, 11 Nov 2008 15:29:23 -0600 Subject: [c-nsp] RPSL Popularity and Usage Message-ID: Hello Just wanted to ask how must is Internet Routing Registry used with RPSL currently on the Internet? Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use? Thank you for your input. Tom From paul at paulstewart.org Tue Nov 11 16:38:36 2008 From: paul at paulstewart.org (Paul Stewart) Date: Tue, 11 Nov 2008 16:38:36 -0500 Subject: [c-nsp] RPSL Popularity and Usage In-Reply-To: References: Message-ID: <00a901c94445$da9ca160$8fd5e420$@org> We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against it's data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com Sent: November 11, 2008 4:29 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] RPSL Popularity and Usage Hello Just wanted to ask how must is Internet Routing Registry used with RPSL currently on the Internet? 
Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use? Thank you for your input. Tom _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From tkacprzynski at SpencerStuart.com Tue Nov 11 16:41:53 2008 From: tkacprzynski at SpencerStuart.com (tkacprzynski at SpencerStuart.com) Date: Tue, 11 Nov 2008 15:41:53 -0600 Subject: [c-nsp] RPSL Popularity and Usage In-Reply-To: <00a901c94445$da9ca160$8fd5e420$@org> Message-ID: What are your thoughts on how much routing detail to put in there in terms of security? Thanks Tom -----Original Message----- From: Paul Stewart [mailto:paul at paulstewart.org] Sent: Tuesday, November 11, 2008 3:39 PM To: Kacprzynski, Tomasz; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] RPSL Popularity and Usage We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against it's data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com Sent: November 11, 2008 4:29 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] RPSL Popularity and Usage Hello Just wanted to ask how must is Internet Routing Registry used with RPSL currently on the Internet? Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use? Thank you for your input. 
Tom _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From paul at paulstewart.org Tue Nov 11 16:49:39 2008 From: paul at paulstewart.org (Paul Stewart) Date: Tue, 11 Nov 2008 16:49:39 -0500 Subject: [c-nsp] RPSL Popularity and Usage In-Reply-To: References: <00a901c94445$da9ca160$8fd5e420$@org> Message-ID: <00aa01c94447$65d53c50$317fb4f0$@org> Anything that someone with a bit of BGP knowledge can figure out would be ok to include - does that answer your actual question? ;) We're a service provider so anything you can find out about us with RADB would be the same (if not less) than you can figure out from us with some BGP tables... -----Original Message----- From: tkacprzynski at SpencerStuart.com [mailto:tkacprzynski at SpencerStuart.com] Sent: November 11, 2008 4:42 PM To: paul at paulstewart.org; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] RPSL Popularity and Usage What are your thoughts on how much routing detail to put in there in terms of security? Thanks Tom -----Original Message----- From: Paul Stewart [mailto:paul at paulstewart.org] Sent: Tuesday, November 11, 2008 3:39 PM To: Kacprzynski, Tomasz; cisco-nsp at puck.nether.net Subject: RE: [c-nsp] RPSL Popularity and Usage We totally rely on RADB in particular .. all our peering and customer BGP sessions are filtered against it's data. It's not bulletproof by any means but a reasonable method of filtering IP blocks in my opinion... Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of tkacprzynski at SpencerStuart.com Sent: November 11, 2008 4:29 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] RPSL Popularity and Usage Hello Just wanted to ask how must is Internet Routing Registry used with RPSL currently on the Internet? 
Do a lot of providers still rely on that to create configurations or is that just more of a documentation process that doesn't get updated after the first use? Thank you for your input. Tom _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From andy.saykao at staff.netspace.net.au Tue Nov 11 16:51:00 2008 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Wed, 12 Nov 2008 08:51:00 +1100 Subject: [c-nsp] PPPoE over VRF Message-ID: <56F211C5E3F24F47B103EA1B253822BE03654A34@vic-cr-ex1.staff.netspace.net.au> We use Radius to place the PPPoX connection into the appropriate VRF. Your Radius config will look something similar to this. mplstest Password = "network" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = A.B.C.D, Framed-Netmask = 255.255.255.255, cisco-avpair="ip:vrf-id=NSTEST", cisco-avpair="ip:ip-unnumbered=lo100" cisco-avpair="ip:route=vrf NSTEST 192.168.1.0 255.255.255.0 203.17.103.50" Here I've set up Radius to accept the username of mplstest and place it into the VRF of NSTEST. Cheers. Andy -----Original Message----- Date: Tue, 11 Nov 2008 14:31:28 +0200 From: Mohammad Khalil eng_mssk at hotmail.com Subject: [c-nsp] PPPoE over VRF To: cisco-nsp at puck.nether.net Message-ID: BLU102-W58CAA1995B956EA0F08292FA150 at phx.gbl Content-Type: text/plain; charset="windows-1256" I'm planning on terminating PPPoW sessions into a VRF , connected to a specific vlan instance and transporting the traffic to them via ethernet. how can i get the sessions to be inserted into the VRF correctly This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. Please notify the sender immediately by email if you have received this email by mistake and delete this email from your system. 
Please note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of the organisation. Finally, the recipient should check this email and any attachments for the presence of viruses. The organisation accepts no liability for any damage caused by any virus transmitted by this email. From charlieb at cot.net Tue Nov 11 17:16:05 2008 From: charlieb at cot.net (Charles Boening) Date: Tue, 11 Nov 2008 14:16:05 -0800 Subject: [c-nsp] PPPoE over VRF In-Reply-To: text/plain; charset=utf-8 References: Message-ID: <4FB2938B89459C41860C4DB9B1821D6FAC0BB5720B@exchange.calore.local> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Could use the virtual template for your PPPoE connections. interface Virtual-Template1 ip vrf forwarding vrf_pppoe - -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil Sent: Tuesday, November 11, 2008 4:31 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] PPPoE over VRF I'm planning on terminating PPPoW sessions into a VRF , connected to a specific vlan instance and transporting the traffic to them via ethernet. how can i get the sessions to be inserted into the VRF correctly _________________________________________________________________ Invite your mail contacts to join your friends list with Windows Live Spaces. It's easy! 
http://spaces.live.com/spacesapi.aspx?wx_action=create&wx_url=/friends.aspx&mkt=en-us _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (MingW32) iD8DBQFJGgQlcGGHuFdGSWARAqO4AKCGeXS4zKvnSt+HDfNcWeECS0kbyACeIAD/ 9DBt9NQxswZURlrqYF6DnQ8= =bIhb -----END PGP SIGNATURE----- From justin at justinshore.com Tue Nov 11 17:42:03 2008 From: justin at justinshore.com (Justin Shore) Date: Tue, 11 Nov 2008 16:42:03 -0600 Subject: [c-nsp] ASR 9000 Message-ID: <491A0A3B.3080809@justinshore.com> Did anyone else miss an announcement for the ASR 9000 series? http://www.cisco.com/en/US/products/ps9853/index.html How did I miss that bad boy? Anyone have any details? Justin From petelists at templin.org Tue Nov 11 17:55:20 2008 From: petelists at templin.org (Pete Templin) Date: Tue, 11 Nov 2008 16:55:20 -0600 Subject: [c-nsp] ASR 9000 In-Reply-To: <491A0A3B.3080809@justinshore.com> References: <491A0A3B.3080809@justinshore.com> Message-ID: <491A0D58.1090503@templin.org> Justin Shore wrote: > Did anyone else miss an announcement for the ASR 9000 series? > > http://www.cisco.com/en/US/products/ps9853/index.html > > How did I miss that bad boy? Anyone have any details? Side to back airflow? Who thought that'd work well? Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency would be nice. Re-uses the RSP nomenclature, just recently put to bed in the 7500 series. However, adding CE (hundred-gig Ethernet) support on the initial datasheet is impressive, along with XE and GE. Skipping LXE is interesting though. 
pt From justin at justinshore.com Tue Nov 11 18:56:03 2008 From: justin at justinshore.com (Justin Shore) Date: Tue, 11 Nov 2008 17:56:03 -0600 Subject: [c-nsp] (1|2)800 series hardware-based encryption Message-ID: <491A1B93.7090402@justinshore.com> The data sheets for the 1800 series all mention hardware-based encryption being built into the units. The 1841 mentions AIM support as well for "two to three times the performance of embedded encryption capabilities." No mention of AIM support for the 1861 but it too says hardware-based encryption. Does anyone have any performance numbers for IPSec-encrypted GRE on the 1800 series or the 800 series? I'm looking for an inexpensive platform for originating IPSec-encrypted GRE tunnels. Throughput will be reasonably low. OSPF and EIGRP support is required. It looks like the most cost-effective solution is the 881 with the Adv IP code which replaces the 871 (same price). The 1811, 1841 and 1861 all require DRAM and flash upgrades to support their respective image that has IPSec and IGP support (Adv IP for the 1811 and Adv Sec for the 1841 and 1861). That seriously jacks up the price compared to the turnkey 881. Any other recommendations? Thanks Justin From zhassan at gmx.net Tue Nov 11 19:06:31 2008 From: zhassan at gmx.net (Zahid Hassan) Date: Wed, 12 Nov 2008 00:06:31 -0000 Subject: [c-nsp] L2TP errors on LNS and no PPP sessions from CPE Message-ID: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1> Dear All, I manage a LNS on which there are multiple L2TP tunnels. >From one of the L2TP tunnels, I am not getting any PPP sessions. Unfortunately, I do not have access to the LAC. Below is what I am seeing on the LNS and the CPE : LNS# debug vpdn l2x-errors Nov 11 23:51:53.998 GMT: L2TP tnl 0BE86:000041EC: Control connection authentication skipped/passed. Nov 11 23:51:54.618 GMT: L2TP tnl 05E82:0000C4DC: Control connection authentication skipped/passed. 
Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: Create session Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: Using ICRQ FSM Nov 11 23:51:54.618 GMT: L2TP _____:_____:________: remote ip set to 22.7.101.23 Nov 11 23:51:54.622 GMT: L2TP _____:_____:________: local ip set to 22.7.114.212 Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC ev Session-Conn Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC in established Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: FSM-CC do Session-Conn-Est Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: Session count now 2 Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn ev CC-Up Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn in Idle Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn do CC-Up-Ignore0-1 Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Session attached Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: no cookies enabled Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn ev Rx-ICRQ Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn Idle->Proc-ICRQ Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: FSM-Sn do Rx-ICRQ Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Chose application VPDN Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: App type set to VPDN Nov 11 23:51:54.622 GMT: L2TP tnl 05E82:0000C4DC: VPDN Session count now 2 Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: VPDN: process AVPs Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Local AC is now UP Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Remote AC is now UP Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Shutting down session Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Result Code Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Reserved (0) Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Error Code Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: No error (0) Nov 11 23:51:54.622 
GMT: L2TP _____:05E82:0000A327: Vendor Error Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: None (0) Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: Optional Message Nov 11 23:51:54.622 GMT: L2TP _____:05E82:0000A327: "No disconnect reason given" LNS# debug vpdn l2x-events Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC ev Session-Conn Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC in established Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: FSM-CC do Session-Conn-Est Nov 11 23:54:54.971 GMT: L2TP tnl 0BE86:000041EC: Session count now 3 Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev CC-Up Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn in Idle Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do CC-Up-Ignore0-1 Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: Session attached Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: no cookies enabled Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev Rx-ICRQ Nov 11 23:54:54.971 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn Idle->Proc-ICRQ Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Rx-ICRQ Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Chose application VPDN Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: App type set to VPDN Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: VPDN Session count now 3 Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: VPDN: process AVPs Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Local AC is now UP Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Remote AC is now UP Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Nov 11 23:54:54.975 GMT: L2TUN APP: handle/451345shutdown app session Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Shutting down session Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Result Code Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Reserved (0) Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Error Code Nov 11 23:54:54.975 GMT: L2TP 
_____:0BE86:0000A33A: No error (0) Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Vendor Error Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: None (0) Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Optional Message Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: "No disconnect reason given" Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev ICRQ-ERR Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn Proc-ICRQ->Idle Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Tx-CDN Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: No L2TUN socket VPDN Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Open sock 22.4.14.22:1701->22.4.1.4:1701 Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn ev Sock-Ready Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn in Idle Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: FSM-Sn do Ignore-Sock-Up Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Session down Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: 22.4.14.22:1701->22.4.1.4:1701 Nov 11 23:54:54.975 GMT: L2TP _____:0BE86:0000A33A: Destroying session Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC ev Session-Disc Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC in established Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: FSM-CC do Session-Disc-Est Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: Session count now 2 Nov 11 23:54:54.975 GMT: L2TP tnl 0BE86:000041EC: VPDN Session count now 2 Nov 11 23:54:54.975 GMT: L2TP _____:_____:________: Session detached Nov 11 23:54:54.975 GMT: L2X _____:_____:________: Destroying logical session CPE#debug ppp authentication *Mar 12 22:37:39.500: Vi2 CHAP: I CHALLENGE id 1 len 30 from "lon-0-dsl" *Mar 12 22:37:39.500: Vi2 CHAP: Using hostname from interface CHAP *Mar 12 22:37:39.500: Vi2 CHAP: Using password from interface CHAP *Mar 12 22:37:39.500: Vi2 CHAP: O RESPONSE id 1 len 48 from "testuser 
at bis-internet.co.uk" *Mar 12 22:37:39.540: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure" *Mar 12 22:37:39.540: Vi2 LCP: I TERMREQ [Open] id 3 len 4 *Mar 12 22:37:39.544: Vi2 LCP: O TERMACK [Open] id 3 len 4 *Mar 12 22:37:39.544: Vi2 PPP: Sending Acct Event[Down] id[99C] *Mar 12 22:37:39.548: Vi2 PPP: Phase is TERMINATING *Mar 12 22:37:39.576: Vi2 LCP: I CONFREQ [TERMsent] id 1 len 15 *Mar 12 22:37:39.576: Vi2 LCP: AuthProto CHAP (0x0305C22305) *Mar 12 22:37:39.576: Vi2 LCP: MagicNumber 0xDE87DF9D (0x0506DE87DF9D) *Mar 12 22:37:39.580: Vi2 LCP: Dropping packet, state is TERMsent *Mar 12 22:37:41.532: Vi2 LCP: TIMEout: State TERMsent *Mar 12 22:37:41.532: Vi2 LCP: State is Closed *Mar 12 22:37:41.532: Vi2 PPP: Phase is DOWN *Mar 12 22:37:41.532: Vi2 PPP: Phase is ESTABLISHING, Passive Open *Mar 12 22:37:41.536: Vi2 LCP: State is Listen *Mar 12 22:37:43.544: Vi2 LCP: TIMEout: State Listen Is it possible to tell where the problem could be ? I am not even seeing the CPE session hitting the LNS. Thanks in advance. Regards, Zahid From ben.steele at internode.on.net Tue Nov 11 19:50:14 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Wed, 12 Nov 2008 11:20:14 +1030 Subject: [c-nsp] Upgrading edge router In-Reply-To: References: <4213440380134758766@unknownmsgid> Message-ID: <000001c94460$a0ef5b40$e2ce11c0$@steele@internode.on.net> Without looking at the article (don't have time right now) "flexible packet matching" and firewalling are definitely 2 different things, i'd say packet matching is referring more to something like NBAR with some additional features, remember it only says packet matching(not blocking), the latter is the full stateful firewall feature set, so if you aren't wanting it to do proper firewalling then you want that one. 
As for licenses this one is a little weird, basically adv enterprise is cheaper than adv ip even though it has all the features of adv ip, seems to be purely based on ppl not wanting features they will never use available on an image and Cisco making them pay more for that feature, my advice is buy the cheaper adv enterprise, it will do IPv6. -----Original Message----- From: Affan Basalamah [mailto:affanzbasalamah at gmail.com] Sent: Tuesday, 11 November 2008 10:25 PM To: Ben Steele Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Upgrading edge router Thank you for your prompt response, I would like to know a thing about ASR1000 software components : - It says on ASR1000 software ordering guide (http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_ c07-448862.html) that there is a FPM (flexible packet matching) service license and Firewall service license. I would like to know the difference between two license, since the latter cost the double from the former. - What version of IOS-XE is integrated in ASR1000 bundle ? Is it IP Base or Advanced IP Services ? I would like to run IPv6 on the router, so the router will need Advanced IP Services IOS. Regards, -affan On Tue, Nov 11, 2008 at 6:08 PM, Ben Steele wrote: > I'd try and go the ASR1002 option, it shouldn't be too far off your 35k > budget without smartnet, although i'd recommend maintenance on the software > as you will want access to TAC for bugs, also if you can option in the HA > feature so you can get ISSU. 
> > With 5Gb of throughput, dual psu and 4Gb(SFP) int's out the box with room > for expansion it's good bang for buck, the ASR is really aimed as the next > generation 7200 swiss army knife, being a software based feature platform > rather than a hardware(ie 7600/6500) it's a welcome new product and you > should see good life out of it, it has some limitations in its current form, > the only one that may concern you with your list that I can think of is lack > of AToM MPLS support, but that is due out in upcoming software release. > > Put the quagga to rest! :) > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Affan Basalamah > Sent: Tuesday, 11 November 2008 9:19 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Upgrading edge router > > Hi all, > > I am network admin in university that have a UNIX PC that functions as > core router and firewall to accomodate : > - 2 x 45 Mb link to research education network (REN) > - 100Mb link to local exchange point > - 10Mb link to Internet > Currently we accept partial route from Internet, and aggregated with > REN prefixes, we have at least 30k prefixes. > > We would like to upgrade our router to accomodate : > - new STM-1 link (physical connector is not STM1 port, but it is > converted to Gigeth by our telco) > - at least 4 1000BaseT port > - firewall feature (packet filter and inspection) would be nice > - IPv6 multicast and MPLS feature > - can keep up the load at least for 5 years > - budget around $35k > > I have done some research, and our choice could come to : > - Cisco 7603 with Sup32. I think this is the cheapest solution with 8 > port gigabit ethernet, but I don't know whether it could handle the > load. I also see it as integrated packet inspection with PISA > daughterboard, but I don't have any experience with that. The > supervisor is a bit old compared to ASR1000. > - Cisco ASR1002 with ESP-5G. 
Newer supervisor and enhanced with packet > inspection, but I don't know whether it can suit the budget. > - Juniper M7i with 2 x 1Gbps SFP port. It has a better OS (but I haven't > compared it to Cisco IOS-XE in ASR1000), but it doesn't have 4 gigabit > ports, and a separate AS module can cost you too much. I don't know > whether it suits the budget. > - Foundry NetIron MLX-4 with 20 port 1000BaseT. I haven't had > experience with this box, but the specs look promising, and maybe it > suits the budget. > > I would like your suggestion about my plan above, perhaps I can come > out with a better plan. > > Thank you, > Regards, > > -affan > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From mtinka at globaltransit.net Tue Nov 11 21:19:46 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Wed, 12 Nov 2008 10:19:46 +0800 Subject: [c-nsp] ASR 9000 In-Reply-To: <491A0D58.1090503@templin.org> References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org> Message-ID: <200811121019.47368.mtinka@globaltransit.net> On Wednesday 12 November 2008 06:55:20 Pete Templin wrote: > Runs IOS XR, while the recent ASR 1000 series runs IOS > XE? Consistency would be nice. I do like the fact that Cisco are "starting" to work on more consistent releases for their service provider platforms (SR, XE, XR). I just hope XR does not suffer too much from lack of features as compared to SR, especially when used in the edge. Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. 
URL: From rubensk at gmail.com Tue Nov 11 21:21:34 2008 From: rubensk at gmail.com (Rubens Kuhl Jr.) Date: Wed, 12 Nov 2008 00:21:34 -0200 Subject: [c-nsp] ASR 9000 In-Reply-To: <491A0D58.1090503@templin.org> References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org> Message-ID: <6bb5f5b10811111821t4cd7c5e1k1af47235aa7b0af9@mail.gmail.com> I think ASR is just the cool name of the moment. The new ASRs could be called CRS-0.5, CRS-0.1, Edge-CRS... Rubens On Tue, Nov 11, 2008 at 8:55 PM, Pete Templin wrote: > Justin Shore wrote: >> >> Did anyone else miss an announcement for the ASR 9000 series? >> >> http://www.cisco.com/en/US/products/ps9853/index.html >> >> How did I miss that bad boy? Anyone have any details? > > Side to back airflow? Who thought that'd work well? > > Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency > would be nice. > > Re-uses the RSP nomenclature, just recently put to bed in the 7500 series. > > However, adding CE (hundred-gig Ethernet) support on the initial datasheet > is impressive, along with XE and GE. Skipping LXE is interesting though. > > pt > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From kgraham at industrial-marshmallow.com Tue Nov 11 21:38:53 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Tue, 11 Nov 2008 18:38:53 -0800 (PST) Subject: [c-nsp] ASR 9000 Message-ID: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> > Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency > would be nice. ...or atleast call this a CRS-2 or something. I'm still crossing my fingers that there's a master plan for consistency (or alternatively, clear differentiation) between XR/XE/12.2SX/12.2SR/NX-OS. > Re-uses the RSP nomenclature, just recently put to bed in the 7500 series. 
Nope, 7600 already revived it (RSP720). I don't see reference to line cards, but the photos look like ES40's, which finally gives some credibility to the 6500/7600 split (where new linecards are shared between ASR9000 and 7600). From christian at broknrobot.com Tue Nov 11 21:44:08 2008 From: christian at broknrobot.com (Christian Koch) Date: Tue, 11 Nov 2008 21:44:08 -0500 Subject: [c-nsp] RPSL Popularity and Usage In-Reply-To: References: Message-ID: http://nanog.org/meetings/nanog44/presentations/Tuesday/RAS_irrdata_N44.pdf On Tue, Nov 11, 2008 at 4:29 PM, wrote: > Hello > Just wanted to ask how must is Internet Routing Registry used with RPSL > currently on the Internet? Do a lot of providers still rely on that to > create configurations or is that just more of a documentation process > that doesn't get updated after the first use? > > Thank you for your input. > > > Tom > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From braaen at zcorum.com Tue Nov 11 23:27:01 2008 From: braaen at zcorum.com (Brian Raaen) Date: Tue, 11 Nov 2008 23:27:01 -0500 Subject: [c-nsp] Setting up Cisco 1811 for dial in access Message-ID: <200811112327.01891.braaen@zcorum.com> I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help. 
----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

From ariemer at wesenergy.com.au Tue Nov 11 23:39:40 2008
From: ariemer at wesenergy.com.au (Aaron Riemer)
Date: Wed, 12 Nov 2008 13:39:40 +0900
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
In-Reply-To: <200811112327.01891.braaen@zcorum.com>
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <0867622C64B50C4B878AB45C95F43F110646D532@MAILWA01.wesenergy.local>

Hi Brian,

You need to configure the async interface on your 1811. Take a look here:
http://www.cisco.com/en/US/docs/routers/access/1800/1801/software/configuration/guide/dialbkup.html#wp1031537

Aaron Riemer
Network Engineer

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
Sent: Wednesday, 12 November 2008 1:27 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Setting up Cisco 1811 for dial in access

I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help.

----------------------
Brian Raaen
Network Engineer
braaen at zcorum.com

From dcp at dcptech.com Tue Nov 11 23:47:35 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 11 Nov 2008 23:47:35 -0500
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
In-Reply-To: <200811112327.01891.braaen@zcorum.com>
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <004401c94481$cd0c5fe0$67251fa0$@com>

Brian,
This should be a good start. It has been a long time since I did this.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
> Sent: Tuesday, November 11, 2008 11:27 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Setting up Cisco 1811 for dial in access
>
> I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help.
>
> ----------------------
>
> Brian Raaen
> Network Engineer
> braaen at zcorum.com

From dcp at dcptech.com Tue Nov 11 23:48:24 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 11 Nov 2008 23:48:24 -0500
Subject: [c-nsp] Setting up Cisco 1811 for dial in access
References: <200811112327.01891.braaen@zcorum.com>
Message-ID: <004501c94481$e6ee32d0$b4ca9870$@com>

This should help.
http://www.cisco.com/en/US/docs/ios/12_2/dial/configuration/guide/dafmodmg.html

--
http://dcp.dcptech.com

> -----Original Message-----
> From: David Prall [mailto:dcp at dcptech.com]
> Sent: Tuesday, November 11, 2008 11:48 PM
> To: 'Brian Raaen'; 'cisco-nsp at puck.nether.net'
> Subject: RE: [c-nsp] Setting up Cisco 1811 for dial in access
>
> Brian,
> This should be a good start. It has been a long time since I did this.
>
> --
> http://dcp.dcptech.com
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brian Raaen
> > Sent: Tuesday, November 11, 2008 11:27 PM
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Setting up Cisco 1811 for dial in access
> >
> > I am trying to set up a Cisco 1811 for ppp dial-in access for a client and am having difficulty finding configuration information. Most of the documentation I find is about using the router to dial out to support the network, but I am trying to do the opposite. I am trying to set up the router to provide access to the local network through a ppp dial in connection. Thank you for your help.
> >
> > ----------------------
> >
> > Brian Raaen
> > Network Engineer
> > braaen at zcorum.com

From r.tahina at moov.mg Wed Nov 12 01:21:12 2008
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Wed, 12 Nov 2008 09:21:12 +0300
Subject: [c-nsp] lacp on serial
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com>
References: <7.0.1.0.2.20081111093006.0036fec0@moov.mg> <70B7A1CCBFA5C649BD562B6D9F7ED784065C8EF0@xmb-ams-333.emea.cisco.com>
Message-ID: <7.0.1.0.2.20081112092032.0577e0c0@moov.mg>

Thank you Oliver,

Kind Regards.
At 09:51 11/11/2008, Oliver Boehmer (oboehmer) wrote:
>RAZAFINDRATSIFA Rivo Tahina <> wrote on Tuesday, November 11, 2008
>07:31:
>
> > Dear All,
> >
> > I'm looking for an implementation of lacp on serial; the docs only show it on
> > ethernet. Is that possible?
>
>nope, you need to use multilink ppp to bundle serials on Layer 2..
>
> oli

From achatz at forthnet.gr Wed Nov 12 03:12:33 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 12 Nov 2008 10:12:33 +0200
Subject: [c-nsp] L2TP errors on LNS and no PPP sessions from CPE
In-Reply-To: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1>
References: <2BAAE2D0D2FE47828F7084C1E615A5C3@xp1>
Message-ID: <491A8FF1.10606@forthnet.gr>

It seems you have an authentication problem.

--
Tassos

Zahid Hassan wrote on 12/11/2008 02:06:
>
> CPE#debug ppp authentication
>
> *Mar 12 22:37:39.500: Vi2 CHAP: I CHALLENGE id 1 len 30 from "lon-0-dsl"
> *Mar 12 22:37:39.500: Vi2 CHAP: Using hostname from interface CHAP
> *Mar 12 22:37:39.500: Vi2 CHAP: Using password from interface CHAP
> *Mar 12 22:37:39.500: Vi2 CHAP: O RESPONSE id 1 len 48 from "testuser at bis-internet.co.uk"
> *Mar 12 22:37:39.540: Vi2 CHAP: I FAILURE id 1 len 26 msg is "Authentication failure"

From p.mayers at imperial.ac.uk Wed Nov 12 04:27:57 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 12 Nov 2008 09:27:57 +0000
Subject: [c-nsp] ASR 9000
In-Reply-To: <491A0D58.1090503@templin.org>
References: <491A0A3B.3080809@justinshore.com> <491A0D58.1090503@templin.org>
Message-ID: <491AA19D.6040207@imperial.ac.uk>

> > Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
> would be nice.
Ha ha IOS consistency

From zhqasmi at cyber.net.pk Wed Nov 12 05:42:40 2008
From: zhqasmi at cyber.net.pk (Amjad Ul Hasnain Qasmi)
Date: Wed, 12 Nov 2008 15:42:40 +0500
Subject: [c-nsp] PPPoE over VRF
In-Reply-To: References:
Message-ID: <000401c944b3$63a14d40$2ae3e7c0$@net.pk>

You can configure your radius server to push Cisco AVpair "lcp:interface-config#1=ip vrf forwarding (vrf_name)".

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammad Khalil
Sent: Tuesday, November 11, 2008 5:31 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] PPPoE over VRF

I'm planning on terminating PPPoE sessions into a VRF, connected to a specific vlan instance, and transporting the traffic to them via ethernet. How can I get the sessions to be inserted into the VRF correctly?

From frederic.loui at renater.fr Wed Nov 12 05:14:16 2008
From: frederic.loui at renater.fr (Frederic LOUI)
Date: Wed, 12 Nov 2008 11:14:16 +0100
Subject: [c-nsp] ISIS / NSF IOS XR
In-Reply-To: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>
References: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com>
Message-ID: <491AAC78.3010708@renater.fr>

Hi,

What state does the section related to ISIS show in the "show ip protocols" output? By default, NSF is disabled. It seems like the output of "show isis adjacency" displays whether the ISIS neighbors are "NSF capable or not".

IS-IS Router: ...
Non-stop forwarding: Disabled
Most recent startup mode: Cold Restart
Topologies supported by IS-IS:
  IPv4 Unicast
    Level-1
      Metric style (generate/accept): Wide/Wide
    ISPF status: Disabled
    No protocols redistributed
    Distance: 115
  IPv6 Unicast
    Level-1
    ISPF status: Disabled
    No protocols redistributed
    Distance: 115
...

Maybe just try to enable NSF and re-check the "show ip protocols" output.

Regards,
Frederic

--
Frederic LOUI / GIP RENATER
Service de Suivi Operationnel / Metrologie & QoS
Network Operations Service / Metrology & QoS
Tel: +33 1 53 94 20 82 / Fax: +33 1 53 94 20 31
frederic.loui at renater.fr
http://www.renater.fr

Atif Sid wrote:
> I configured NSF under ISIS initially, then removed it. Still shows NSF
> 'YES'; anyone seen this? Restarted ISIS process, cleared it, nothing.
>
> This is IOS XR 3.6.1 and 3.6.0, both same condition.
>
> RP/0/9/CPU0:P1#sh isis adjacency
> IS-IS NP Level-2 adjacencies:
> System Id      Interface        SNPA           State Hold Changed  NSF BFD
> P2             Gi0/1/1/8        *PtoP*         Up    27   01:31:58 Yes None
> PE1            Gi0/1/1/0        *PtoP*         Up    29   01:32:04 Yes None
> PE1            Gi0/1/1/1        *PtoP*         Up    26   01:31:59 Yes None
> P3             PO0/0/0/0        *PtoP*         Up    29   01:32:00 Yes None
>
> router isis NP
>  set-overload-bit on-startup 300
>  is-type level-2-only
>  net 49.0001.1921.1813.6001.00
>  log adjacency changes
>  address-family ipv4 unicast
>   metric-style wide
>  !
>  interface Loopback0
>   passive
>   address-family ipv4 unicast
>   !
>  !
>  interface GigabitEthernet0/1/1/0
>   point-to-point
>   hello-password keychain NP-ISIS
>   address-family ipv4 unicast
>    metric 10
>   !
>  !
>  interface GigabitEthernet0/1/1/1
>   point-to-point
>   hello-password keychain NP-ISIS
>   address-family ipv4 unicast
>    metric 10
>   !
>  !
>  interface GigabitEthernet0/1/1/8
>   point-to-point
>   hello-password keychain NP-ISIS
>   address-family ipv4 unicast
>    metric 10
>    mpls ldp sync
>   !
>  !
>  interface POS0/0/0/0
>   hello-password keychain NP-ISIS
>   address-family ipv4 unicast
>    metric 100
>   !
>  !
> !
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From willay at gmail.com Wed Nov 12 06:15:11 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:15:11 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS Message-ID: Hi List, We currently have a 3750G-E in our network which is experiencing a high CPU load and I'm trying to understand why, the CPU is over 50% all the time and at peak traffic times we are seeing around 85% on Cacti using 5 minute averages. When running a show proc cpu sorted I can see that IP Input is taking up most of the CPU time with Spanning Tree coming second however ST is only using a fraction of what IP Input is using. The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the image is IPSERVICES, the configuration has one routed port to another site (with sparse-dense-mode on), has one EIGRP process, 19 static routes, access lists which are only used for SNMP/VTY and it has two VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode enabled and a igmp join-group command. It pushes a lot of multicast traffic (around 10Mbits) which is probably the problem but I thought the 3750 would have been able to handle it without an issue. Any help is appreciated, I'd like to have a good understanding of what is causing the issue. 
Thank you for your time, W From achatz at forthnet.gr Wed Nov 12 06:34:28 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Wed, 12 Nov 2008 13:34:28 +0200 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: References: Message-ID: <491ABF44.3030508@forthnet.gr> You can start with "sh controllers cpu-interface" and "sh platform tcam utilization" -- Tassos William wrote on 12/11/2008 13:15: > Hi List, > > We currently have a 3750G-E in our network which is experiencing a > high CPU load and I'm trying to understand why, the CPU is over 50% > all the time and at peak traffic times we are seeing around 85% on > Cacti using 5 minute averages. > > When running a show proc cpu sorted I can see that IP Input is taking > up most of the CPU time with Spanning Tree coming second however ST is > only using a fraction of what IP Input is using. > > The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the > image is IPSERVICES, the configuration has one routed port to another > site (with sparse-dense-mode on), has one EIGRP process, 19 static > routes, access lists which are only used for SNMP/VTY and it has two > VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode > enabled and a igmp join-group command. It pushes a lot of multicast > traffic (around 10Mbits) which is probably the problem but I thought > the 3750 would have been able to handle it without an issue. > > Any help is appreciated, I'd like to have a good understanding of what > is causing the issue. 
> > Thank you for your time, > > W > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From gulerozgur at yahoo.co.uk Wed Nov 12 06:41:18 2008 From: gulerozgur at yahoo.co.uk (Ozgur Guler) Date: Wed, 12 Nov 2008 11:41:18 +0000 (GMT) Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: Message-ID: <845941.14812.qm@web25502.mail.ukl.yahoo.com> As far as i remember ip igmp static-group forces the packets to be process switched on the switch/router. You might need to replace it with ip igmp static-group which will do the same job (put the interface permanently into OIF). --- On Wed, 12/11/08, William wrote: From: William Subject: [c-nsp] High CPU on 3750G-24-TS To: "cisco-nsp" Date: Wednesday, 12 November, 2008, 11:15 AM Hi List, We currently have a 3750G-E in our network which is experiencing a high CPU load and I'm trying to understand why, the CPU is over 50% all the time and at peak traffic times we are seeing around 85% on Cacti using 5 minute averages. When running a show proc cpu sorted I can see that IP Input is taking up most of the CPU time with Spanning Tree coming second however ST is only using a fraction of what IP Input is using. The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the image is IPSERVICES, the configuration has one routed port to another site (with sparse-dense-mode on), has one EIGRP process, 19 static routes, access lists which are only used for SNMP/VTY and it has two VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode enabled and a igmp join-group command. It pushes a lot of multicast traffic (around 10Mbits) which is probably the problem but I thought the 3750 would have been able to handle it without an issue. Any help is appreciated, I'd like to have a good understanding of what is causing the issue. 
Thank you for your time, W _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From willay at gmail.com Wed Nov 12 06:48:00 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:48:00 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: <845941.14812.qm@web25502.mail.ukl.yahoo.com> References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> Message-ID: We currently use ip igmp join-group x.x.x.x under the vlan interface. Cheers. W 2008/11/12 Ozgur Guler : > As far as i remember ip igmp static-group forces the packets to be process > switched on the switch/router. You might need to replace it with ip igmp > static-group which will do the same job (put the interface permanently into > OIF). > > > > --- On Wed, 12/11/08, William wrote: > > From: William > Subject: [c-nsp] High CPU on 3750G-24-TS > To: "cisco-nsp" > Date: Wednesday, 12 November, 2008, 11:15 AM > > Hi List, > > We currently have a 3750G-E in our network which is experiencing a > high CPU load and I'm trying to understand why, the CPU is over 50% > all the time and at peak traffic times we are seeing around 85% on > Cacti using 5 minute > averages. > > When running a show proc cpu sorted I can see that IP Input is taking > up most of the CPU time with Spanning Tree coming second however ST is > only using a fraction of what IP Input is using. > > The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the > image is IPSERVICES, the configuration has one routed port to another > site (with sparse-dense-mode on), has one EIGRP process, 19 static > routes, access lists which are only used for SNMP/VTY and it has two > VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode > enabled and a igmp join-group command. 
It pushes a lot of multicast > traffic (around 10Mbits) which is probably the problem but I thought > the 3750 would have been able to handle it without an issue. > > Any help is appreciated, I'd like to have a good understanding of what > is causing the issue. > > Thank you for your > time, > > W > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From willay at gmail.com Wed Nov 12 06:52:25 2008 From: willay at gmail.com (William) Date: Wed, 12 Nov 2008 11:52:25 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: <491ABF44.3030508@forthnet.gr> References: <491ABF44.3030508@forthnet.gr> Message-ID: sh controllers cpu-interface: ASIC Rxbiterr Rxunder Fwdctfix Txbuflos Rxbufloc Rxbufdrain ------------------------------------------------------------------------- ASIC0 0 0 0 0 0 0 ASIC1 0 0 0 0 0 0 ASIC2 0 0 0 0 0 0 ASIC3 0 0 0 0 0 0 ASIC4 0 0 0 0 0 0 ASIC5 0 0 0 0 0 0 ASIC6 0 0 0 0 0 0 cpu-queue-frames retrieved dropped invalid hol-block stray ----------------- ---------- ---------- ---------- ---------- ---------- rpc 6978024 0 0 0 0 stp 75955900 0 0 0 0 ipc 757544 0 0 0 0 routing protocol 72189954 0 0 0 0 L2 protocol 206785 0 0 0 0 remote console 0 0 0 0 0 sw forwarding 757525900 0 0 0 0 host 2351100 0 0 0 0 broadcast 6883919 0 0 0 0 cbt-to-spt 3050 0 0 0 0 igmp snooping 70408141 0 0 0 0 icmp 1947383 0 0 0 0 logging 0 0 0 0 0 rpf-fail 281 0 0 0 0 queue14 0 0 0 0 0 cpu heartbeat 18351455 0 0 0 0 Supervisor ASIC receive-queue parameters ---------------------------------------- queue 0 maxrecevsize 7E0 pakhead 23C49A0 paktail 23B28E0 queue 1 maxrecevsize 7E0 pakhead 257E620 paktail 257C550 queue 2 maxrecevsize 7E0 pakhead 24432E8 paktail 2442C58 queue 3 maxrecevsize 7E0 pakhead 2955418 paktail 294FEC8 queue 4 maxrecevsize 7E0 pakhead 2588838 paktail 25884F0 queue 5 maxrecevsize 7E0 pakhead 2873240 
paktail 28800F8 queue 6 maxrecevsize 7E0 pakhead 293E000 paktail 2944270 queue 7 maxrecevsize 7E0 pakhead 28ADC08 paktail 2898038 queue 8 maxrecevsize 7E0 pakhead 28B6A70 paktail 28B6098 queue 9 maxrecevsize 7E0 pakhead 275E410 paktail 275E410 queue A maxrecevsize 7E0 pakhead 2729DF0 paktail 272D270 queue B maxrecevsize 7E0 pakhead 28871D8 paktail 2889C80 queue C maxrecevsize 7E0 pakhead 2765818 paktail 2778FD0 queue D maxrecevsize 7E0 pakhead 275C538 paktail 275C1F0 queue E maxrecevsize 0 pakhead 0 paktail 0 queue F maxrecevsize 7E0 pakhead 2721B78 paktail 2721830 Supervisor ASIC exception status -------------------------------- Receive overrun 00000000 Transmit overrun 00000000 FrameSignatureErr 00000000 MicInitialize 00000000 BadFrameErr 00000000 LenExceededErr 00000000 BadJumboSegments 00000000 Supervisor ASIC Mic Registers ------------------------------ MicDirectPollInfo 80000800 MicIndicationsReceived 00000000 MicInterruptsReceived 00000000 MicPcsInfo 0006001F MicPlbMasterConfiguration 00000000 MicRxFifosAvailable 00000000 MicRxFifosReady 0000BFFF MicTimeOutPeriod: FrameTOPeriod: 00000EA6 DirectTOPeriod: 00004000 MicTransmFramesCopied 00000003 MicTxFifosAvailable 0000007F MicConfiguration: Conf flag: 00000110 Interrupt Flag: 0000000A MicReceiveFifoAssignmen Queue 0 - 7: 00000000 Queue 8 - 15:00000000 MicReceiveFramesReady: FrameAvailable: 00000041 frameAvaiMask: 00000000 MicException: Exception_flag 00000000 Message-1 00000000 Message-2 00000000 Message-3 00000000 MicIntRxFifo: ReadPtr 00000E98 WritePtr 00000E98 WHeadPtr 00000E98 TxFifoDepth C0000800 MicIntTxFifo: ReadPtr 00000AF0 WritePtr 00000AF0 WHeadPtr 00000AF0 TxFifoDepth C0000800 MicDecodeInfo: Fifo0: address: 03FF4000 asic_num: 00000100 Fifo1: address: 03FF4400 asic_num: 00000101 MicTransmitFifoInfo: Fifo0: StartPtrs: 07758000 ReadPtr: 077587C0 WritePtrs: 077587C0 Fifo_Flag: 8A800800 Weights: 001E001E Fifo1: StartPtrs: 0776A800 ReadPtr: 0776A930 WritePtrs: 0776A930 Fifo_Flag: 89800400 Weights: 
000A000A MicReceiveFifoInfo: Fifo0: StartPtr: 0776C000 ReadPtr: 0776CEE0 WritePtrs: 0776CF40 Fifo_Flag: 8B000FA0 writeHeaderPtr: 0776CF40 Fifo1: StartPtr: 07A2CC00 ReadPtr: 07A2CDF8 WritePtrs: 07A2CDF8 Fifo_Flag: 89800400 writeHeaderPtr: 07A2CDF8 Fifo2: StartPtr: 0776DA00 ReadPtr: 0776DB40 WritePtrs: 0776DB40 Fifo_Flag: 88800200 writeHeaderPtr: 0776DB40 Fifo3: StartPtr: 07C46000 ReadPtr: 07C46010 WritePtrs: 07C46010 Fifo_Flag: 89800400 writeHeaderPtr: 07C46010 Fifo4: StartPtr: 07A77000 ReadPtr: 07A77208 WritePtrs: 07A77208 Fifo_Flag: 89800400 writeHeaderPtr: 07A77208 Fifo5: StartPtr: 07B2BA00 ReadPtr: 07B2BA00 WritePtrs: 07B2BA00 Fifo_Flag: 88800200 writeHeaderPtr: 07B2BA00 Fifo6: StartPtr: 07BFE000 ReadPtr: 07BFE040 WritePtrs: 07BFE080 Fifo_Flag: 890003C0 writeHeaderPtr: 07BFE080 Fifo7: StartPtr: 07B6C800 ReadPtr: 07B6CBE0 WritePtrs: 07B6CBE0 Fifo_Flag: 89800400 writeHeaderPtr: 07B6CBE0 Fifo8: StartPtr: 07BD7A00 ReadPtr: 07BD7A78 WritePtrs: 07BD7A78 Fifo_Flag: 88800200 writeHeaderPtr: 07BD7A78 Fifo9: StartPtr: 07758838 ReadPtr: 07758838 WritePtrs: 07758838 Fifo_Flag: 82800008 writeHeaderPtr: 07758838 Fifo10: StartPtr: 07AC3600 ReadPtr: 07AC3668 WritePtrs: 07AC3668 Fifo_Flag: 88800200 writeHeaderPtr: 07AC3668 Fifo11: StartPtr: 07B2B880 ReadPtr: 07B2B8B8 WritePtrs: 07B2B8B8 Fifo_Flag: 86800080 writeHeaderPtr: 07B2B8B8 Fifo12: StartPtr: 07AF3000 ReadPtr: 07AF3300 WritePtrs: 07AF3000 Fifo_Flag: 89000100 writeHeaderPtr: 07AF3000 Fifo13: StartPtr: 07757E00 ReadPtr: 07757E48 WritePtrs: 07757E48 Fifo_Flag: 86800080 writeHeaderPtr: 07757E48 Fifo14: StartPtr: 00000000 ReadPtr: 00000000 WritePtrs: 00000000 Fifo_Flag: 00800000 writeHeaderPtr: 00000000 Fifo15: StartPtr: 0776D960 ReadPtr: 0776D978 WritePtrs: 0776D978 Fifo_Flag: 84800020 writeHeaderPtr: 0776D978 =========================================================== Complete Board Id:0x0002 =========================================================== Theres no sh platform tcam utili but there is a usage instead: sh platform 
tcam usage ============================================================================= TCAM Table TCAM / SSRAM Table TCAM SSRAM Start Size X Start Size Y ============================================================================= Local Forwarding Table: 0 1D00 1 0 1D00 4 Local Learning Table: 0 1D00 1 7400 1D00 2 Secondary Forwarding Table: 1880 D00 1 AE00 D00 8 QoS Table: 2580 1000 1 11600 1000 4 ACL Table: 3580 2000 1 15600 2000 4 IPV6 Secondary Forwarding Tabl 7E40 C0 2 1D600 60 8 IPV6 Classification Table: 7F00 80 2 1D900 40 4 IPV6 ACL Table: 7F80 70 2 1DA00 38 4 Station Table: 0 0 0 1DB00 1D00 4 MAC Address Table: 0 0 0 24F00 1800 8 Multicast Expansion Table: 0 0 0 30F00 420 8 VLAN List Table: 0 0 0 34000 400 10 Equal Cost Route Table: 0 0 0 33000 80 20 X - Number of 144-bit TCAM entries per descriptor Y - Number of bytes per descriptor ============================================================================= 2008/11/12 Tassos Chatzithomaoglou : > You can start with "sh controllers cpu-interface" and "sh platform tcam > utilization" > > -- > Tassos > > William wrote on 12/11/2008 13:15: >> >> Hi List, >> >> We currently have a 3750G-E in our network which is experiencing a >> high CPU load and I'm trying to understand why, the CPU is over 50% >> all the time and at peak traffic times we are seeing around 85% on >> Cacti using 5 minute averages. >> >> When running a show proc cpu sorted I can see that IP Input is taking >> up most of the CPU time with Spanning Tree coming second however ST is >> only using a fraction of what IP Input is using. >> >> The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the >> image is IPSERVICES, the configuration has one routed port to another >> site (with sparse-dense-mode on), has one EIGRP process, 19 static >> routes, access lists which are only used for SNMP/VTY and it has two >> VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode >> enabled and a igmp join-group command. 
It pushes a lot of multicast >> traffic (around 10Mbits) which is probably the problem but I thought >> the 3750 would have been able to handle it without an issue. >> >> Any help is appreciated, I'd like to have a good understanding of what >> is causing the issue. >> >> Thank you for your time, >> >> W >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> > > From paul.cosgrove at heanet.ie Wed Nov 12 07:17:51 2008 From: paul.cosgrove at heanet.ie (Paul Cosgrove) Date: Wed, 12 Nov 2008 12:17:51 +0000 Subject: [c-nsp] High CPU on 3750G-24-TS In-Reply-To: References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> Message-ID: <491AC96F.80104@heanet.ie> Hi William, I would agree with Ozgur that you would be better off loosing the ip igmp join-group command. Also limit the number of register messages which can be created per second; it is only needed if you have sources attached, but personally I would apply this on every L3 multicast device: "ip pim register-rate-limit 5" Have seen a case where register stop messages were lost whilst being sent to a 3750. Debugs on the adjacent device indicated they were all being transmitted to the switch, debugs & SPAN on the 3750 indicated the switch was receiving very few of these. Paul. William wrote: > We currently use ip igmp join-group x.x.x.x under the vlan interface. > > Cheers. > > W > > 2008/11/12 Ozgur Guler : > >> As far as i remember ip igmp static-group forces the packets to be process >> switched on the switch/router. You might need to replace it with ip igmp >> static-group which will do the same job (put the interface permanently into >> OIF). 
>> >> >> >> --- On Wed, 12/11/08, William wrote: >> >> From: William >> Subject: [c-nsp] High CPU on 3750G-24-TS >> To: "cisco-nsp" >> Date: Wednesday, 12 November, 2008, 11:15 AM >> >> Hi List, >> >> We currently have a 3750G-E in our network which is experiencing a >> high CPU load and I'm trying to understand why, the CPU is over 50% >> all the time and at peak traffic times we are seeing around 85% on >> Cacti using 5 minute >> averages. >> >> When running a show proc cpu sorted I can see that IP Input is taking >> up most of the CPU time with Spanning Tree coming second however ST is >> only using a fraction of what IP Input is using. >> >> The switch is not in a stack, runs IOS version 12.2(25)SEB4 and the >> image is IPSERVICES, the configuration has one routed port to another >> site (with sparse-dense-mode on), has one EIGRP process, 19 static >> routes, access lists which are only used for SNMP/VTY and it has two >> VLAN interfaces. One of the VLAN interfaces has sparse-dense-mode >> enabled and a igmp join-group command. It pushes a lot of multicast >> traffic (around 10Mbits) which is probably the problem but I thought >> the 3750 would have been able to handle it without an issue. >> >> Any help is appreciated, I'd like to have a good understanding of what >> is causing the issue. 
>>
>> Thank you for your time,
>>
>> W

From chloekcy2000 at yahoo.ca Wed Nov 12 07:57:15 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Wed, 12 Nov 2008 07:57:15 -0500 (EST)
Subject: [c-nsp] log failure logon
Message-ID: <100284.92361.qm@web57409.mail.re1.yahoo.com>

Hi

I see there is a command "authenticate failure rate" but can't find it on my router.

Now, how can I log the failed logons?

Thank you

From md at bts.sk Wed Nov 12 08:19:49 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Wed, 12 Nov 2008 14:19:49 +0100
Subject: [c-nsp] High CPU on 3750G-24-TS
In-Reply-To:
References: <845941.14812.qm@web25502.mail.ukl.yahoo.com>
Message-ID: <20081112131949.GA9101@bts.sk>

On Wed, Nov 12, 2008 at 11:48:00AM +0000, William wrote:
> We currently use ip igmp join-group x.x.x.x under the vlan interface.

This is exactly the problem. "ip igmp join-group" causes all multicast packets for this group to be forwarded also to the CPU. You need to use "ip igmp static-group" instead - then the packets are only forwarded to the specified interface, but not copied to the CPU.

With kind regards,

M.
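The replies in this thread point at the same thing from two sides: William's `sh controllers cpu-interface` output, where the `sw forwarding` queue dwarfs every other queue, and Marian's explanation that `ip igmp join-group` copies the group's traffic to the CPU. As an added example (not code from the thread, from Cisco, or from any poster), here is a small Python script that parses the cpu-queue-frames table to show which queue dominates and scans an IOS config for the join-group lines that would be replaced with static-group. The queue counters are the ones William posted; the config fragment and the 50% threshold are constructed for the example.

```python
"""Added example, not code from the cisco-nsp thread: rank the 3750 CPU receive
queues from `show controllers cpu-interface` and find the `ip igmp join-group`
lines that Marian's reply identifies as the source of process-switched multicast."""
import re

# Sample `show controllers cpu-interface` excerpt: the counter values are the
# ones William posted in this thread, laid out in the IOS column format.
CPU_INTERFACE_SAMPLE = """\
cpu-queue-frames  retrieved  dropped    invalid    hol-block  stray
----------------- ---------- ---------- ---------- ---------- ----------
rpc               6978024    0          0          0          0
stp               75955900   0          0          0          0
ipc               757544     0          0          0          0
routing protocol  72189954   0          0          0          0
L2 protocol       206785     0          0          0          0
remote console    0          0          0          0          0
sw forwarding     757525900  0          0          0          0
host              2351100    0          0          0          0
broadcast         6883919    0          0          0          0
cbt-to-spt        3050       0          0          0          0
igmp snooping     70408141   0          0          0          0
icmp              1947383    0          0          0          0
logging           0          0          0          0          0
rpf-fail          281        0          0          0          0
queue14           0          0          0          0          0
cpu heartbeat     18351455   0          0          0          0

Supervisor ASIC receive-queue parameters
"""

# One queue row: a name (may contain spaces/digits) followed by five counters.
ROW_RE = re.compile(r"^(?P<name>\S.*?)\s+(?P<retrieved>\d+)\s+(?P<dropped>\d+)"
                    r"\s+(?P<invalid>\d+)\s+(?P<hol>\d+)\s+(?P<stray>\d+)\s*$")


def parse_cpu_queues(text):
    """Return {queue name: {counter: int}} from the cpu-queue-frames table.
    Only lines between the table header and the next blank line are read, so the
    six-column ASIC table and the hex register dumps are never misread as rows."""
    queues, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("cpu-queue-frames"):
            in_table = True
            continue
        if in_table and not line.strip():
            break
        if not in_table or line.startswith("-"):
            continue
        m = ROW_RE.match(line)
        if m:
            queues[m.group("name").strip()] = {
                k: int(m.group(k)) for k in ("retrieved", "dropped", "invalid", "hol", "stray")}
    return queues


def queue_shares(queues):
    """Fraction of all retrieved frames per queue (all zero if nothing was retrieved)."""
    total = sum(q["retrieved"] for q in queues.values())
    return {n: (q["retrieved"] / total if total else 0.0) for n, q in queues.items()}


def assess_punting(queues, threshold=0.5):
    """Return (busiest queue, its share, True if punted traffic dominates).
    'sw forwarding' counts frames the ASICs handed to the CPU to switch in software;
    when it exceeds `threshold` of all frames the load is punted data traffic (here
    multicast copied up by ip igmp join-group), not a control-plane storm."""
    shares = queue_shares(queues)
    if not shares:
        return None, 0.0, False
    top = max(shares, key=shares.get)
    return top, shares[top], shares.get("sw forwarding", 0.0) >= threshold


# Constructed IOS config fragment for illustration, not William's real config.
CONFIG_SAMPLE = """\
interface Vlan10
 ip pim sparse-dense-mode
 ip igmp join-group 239.1.1.1
!
interface Vlan20
 ip pim sparse-dense-mode
 ip igmp static-group 239.1.1.2
!
"""


def find_join_groups(config):
    """List (interface, group) pairs configured with `ip igmp join-group`; each is a
    candidate for `ip igmp static-group <group>`, which keeps the interface in the
    outgoing interface list without copying the stream to the CPU."""
    hits, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith("!"):
            current = None
        elif current and line.strip().startswith("ip igmp join-group "):
            hits.append((current, line.split()[-1]))
    return hits
```

On William's numbers `sw forwarding` holds roughly three quarters of all frames the CPU retrieved, with `stp` and `routing protocol` a distant second and third; that ratio is what a punt problem looks like, as opposed to an STP or routing storm, and `find_join_groups` is the check to run across the rest of the fleet's configs before the same symptom appears elsewhere.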
From ross at kallisti.us Wed Nov 12 09:19:11 2008 From: ross at kallisti.us (Ross Vandegrift) Date: Wed, 12 Nov 2008 09:19:11 -0500 Subject: [c-nsp] OIR in 6500/7600 In-Reply-To: <4918665A.2070101@forthnet.gr> References: <49184D7C.4010109@bytemark.co.uk> <4918665A.2070101@forthnet.gr> Message-ID: <20081112141911.GA7237@kallisti.us> On Mon, Nov 10, 2008 at 06:50:34PM +0200, Tassos Chatzithomaoglou wrote: > Keep in mimd that DFC equipped modules do not have this problem. According > to Cisco: > > "The addition of a DFC module effectively disconnects a module from the > Data Bus. As such, a DFC-enabled module is not subject to the bus stall > mechanism that occurs when a module is inserted or removed from the > chassis. Throughout these Online Insertion and Removal (OIR) events, the > Data Bus is temporarily paused for just enough time to ensure that the > insertion/removal process does not cause any data corruption on the > backplane. This protection mechanism causes a very brief amount of packet > loss (sub-second, but dependent on the time it takes to fully insert a > module). A module with a DFC onboard is not directly affected by this stall > mechanism and does not have any packet loss on OIR." This is correct, but it can be complicated. DFC enabled cards still stall the bus, but since they fabric switch, they won't experience drops. Be more careful if your chassis is running in mixed mode for fabric and bus mode switching - in that case, you have some cards that do need the bus (for example, the CSM). I've OIRed lots of cards on production 6500s and never had a problem with a bus-stall causing problems, even on systems that are fabric-enabled and have to do some bus switching. I agree with the previous poster that suggested not being afraid to use a little bit of force to make sure they seat quickly :) Of course, don't use so much force that a caught cable gets snapped off... 
This page from UCAR has pretty good descriptions of the bus and fabric basics, as well as info on some of the bizarre names that Cisco uses to refer to pieces that arbitrate backplane traffic: http://www.cisl.ucar.edu/nets/devices/eswitches/6500-backplane.html Ross -- Ross Vandegrift ross at kallisti.us "If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher." --Woody Guthrie From denyipanyany at gmail.com Wed Nov 12 09:32:05 2008 From: denyipanyany at gmail.com (Deny IP Any Any) Date: Wed, 12 Nov 2008 09:32:05 -0500 Subject: [c-nsp] PIX515E: time to upgrade? Message-ID: I've got an Active/Standby set of PIX515Es that I am trying to squeeze some more life out of (we are planning on replacing them next spring with a pair of ASA5520s, most likely). What is the best way to monitor how close to we are pushing these PIXes to their limit? Does the PIX (running 7.2) have something similar to 'show platform tcam utilization', or should I just watch CPU usage and interface counters? -- deny ip any any (4423143293 matches) From petelists at templin.org Wed Nov 12 09:41:07 2008 From: petelists at templin.org (Pete Templin) Date: Wed, 12 Nov 2008 08:41:07 -0600 Subject: [c-nsp] ASR 9000 In-Reply-To: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv> References: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv> Message-ID: <491AEB03.5060808@templin.org> Jim Devane wrote: > I heard the 9010 will be front to back and the 9006 is side to back. The flashy product intro said 'side to back'. If the 9010 is front to back, I'm happy with that choice. What vendor would think that operators would _want_ side to back? 
pt

From jarruda-cnsp at jarruda.com Wed Nov 12 09:35:26 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Wed, 12 Nov 2008 09:35:26 -0500
Subject: [c-nsp] ASR 9000
In-Reply-To: <794962.71625.qm@web905.biz.mail.mud.yahoo.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com>
Message-ID: <491AE9AE.7050806@jarruda.com>

Kevin Graham wrote:
>>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
>>> would be nice.
>
> ...or at least call this a CRS-2 or something. I'm still crossing my fingers
> that there's a master plan for consistency (or alternatively, clear
> differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.
>
>>> Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.
>
> Nope, 7600 already revived it (RSP720). I don't see reference to line cards,
> but the photos look like ES40's, which finally gives some credibility to the
> 6500/7600 split (where new linecards are shared between ASR9000 and 7600).

I somewhat doubt this is the case..at least from what I can imagine...
This would imply the ASR9k cards being able to talk with the 7600
backplane, which, I understand, is quite distinct from the CRS-1? Isn't
the ASR9000 based on the CRS-1 hardware?
Isn't the ASR 9000 based on the CRS-1 Metro packet processors also,
while the packet crunching on the 7600 is based on the EARL, and on the
ASR 1000 is based on the QFP?
I can't seem to find details on the cards on the ASR 9000, but, just
making some wild guess here..
(of course, Cisco has been quite effective in getting a clear separation
from control plane to forwarding plane, and IOS-XR sure already runs on
another completely distinct box, the 12K-XR, so, maybe the 7600 will
gain from the ASR 9000 'revamp').
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ghostonthewire at gmail.com Wed Nov 12 11:15:00 2008
From: ghostonthewire at gmail.com (ghostonthewire)
Date: Wed, 12 Nov 2008 19:15:00 +0300
Subject: [c-nsp] log failure logon
In-Reply-To: <100284.92361.qm@web57409.mail.re1.yahoo.com>
References: <100284.92361.qm@web57409.mail.re1.yahoo.com>
Message-ID: <491B0104.7040708@gmail.com>

Hi!

Try to use the "login on-failure log" command (Cisco IOS Login Enhancements
feature; for further details look through http://b23.ru/6f5). Also use
Feature Navigator to find out if this feature is supported by your software
image (surely doesn't work on releases prior to 12.4(19), dunno about
12.2S trains).

chloe K wrote:
> Hi
>
> I see there is a command "authenticate failure rate" but can't find it on my router
>
> Now, how can I log the failure logon?
>
> Thank you

From christian.macnevin at gmail.com Wed Nov 12 11:40:26 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 12 Nov 2008 08:40:26 -0800
Subject: [c-nsp] ASR 9000
In-Reply-To: <491AE9AE.7050806@jarruda.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID:

Am I the only one that's getting a bit wary of Cisco crowding their own
product space?

I guess it looks like they're trying to draw complete distinctions between
their enterprise space and their carrier space, but who's ever really
respected that distinction?
Even if they do, the carrier I guess is doing ok by getting XR everywhere,
but the typical enterprise is going to run a combination of 3500/3750,
2800/3800, 6500, 7600 and ASR1000s, right? So five different groups of
platforms with five distinct feature sets and code bases. Not to mention
any 'legacy' stuff you're running out there.

God help anybody who deployed 7300s.

On Wed, Nov 12, 2008 at 6:35 AM, Julio Arruda wrote:
> Kevin Graham wrote:
>>>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
>>>> would be nice.
>>
>> ...or at least call this a CRS-2 or something. I'm still crossing my
>> fingers that there's a master plan for consistency (or alternatively,
>> clear differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.
>>
>>>> Re-uses the RSP nomenclature, just recently put to bed in the 7500
>>>> series.
>>
>> Nope, 7600 already revived it (RSP720). I don't see reference to line
>> cards, but the photos look like ES40's, which finally gives some
>> credibility to the 6500/7600 split (where new linecards are shared
>> between ASR9000 and 7600).
>
> I somewhat doubt this is the case..at least from what I can imagine...
> This would imply the ASR9k cards being able to talk with the 7600
> backplane, which, I understand, is quite distinct from the CRS-1? Isn't
> the ASR9000 based on the CRS-1 hardware?
> Isn't the ASR 9000 based on the CRS-1 Metro packet processors also,
> while the packet crunching on the 7600 is based on the EARL, and on the
> ASR 1000 is based on the QFP?
> I can't seem to find details on the cards on the ASR 9000, but, just
> making some wild guess here..
> (of course, Cisco has been quite effective in getting a clear separation
> from control plane to forwarding plane, and IOS-XR sure already runs on
> another completely distinct box, the 12K-XR, so, maybe the 7600 will
> gain from the ASR 9000 'revamp').
From ross at kallisti.us Wed Nov 12 12:20:35 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Wed, 12 Nov 2008 12:20:35 -0500
Subject: [c-nsp] SNMP-related IOS crashes
Message-ID: <20081112172035.GA8395@kallisti.us>

Hi everyone,

I've been bitten numerous times by IOS crashes caused by bugs in SNMP. I'd
like to start getting proactive about this and just blocking any
problematic MIBs on our switches.

I've seen two separate issues crash IOS:

1) Polling SLB-MIB objects while the status of the object changes (see Bug
   ID CSCsi91875 - it's not fixed even though it says it is)
2) Polling the OSPF link-state database (TAC is still researching this one)

As a result, we're excluding the OSPF-MIB and SLB-MIB from our views.

Anyone else know any baddies I should tack onto the list?

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie

From christian.macnevin at gmail.com Wed Nov 12 12:36:07 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 12 Nov 2008 09:36:07 -0800
Subject: [c-nsp] God help anybody who deployed 7300s
In-Reply-To: <90AA60B8-658B-469D-83D8-6E7670FBFBFF@mac.com>
References: <90AA60B8-658B-469D-83D8-6E7670FBFBFF@mac.com>
Message-ID:

I forgot to add 10ks :)

On Wed, Nov 12, 2008 at 8:56 AM, Darrell Root wrote:
>
> Thanks for your prayers ;-)
>
> Darrell
>

From tdurack at gmail.com Wed Nov 12 13:01:55 2008
From: tdurack at gmail.com (Tim Durack)
Date: Wed, 12 Nov 2008 13:01:55 -0500
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>

I think this is the result of competing BUs - no cohesive product strategy,
instead lots of groups trying to maximize profit out of existing/new
products. That's why you have IOS/ION/IOS-XE/IOS-XR/NX-OS...

Tim:>

On Wed, Nov 12, 2008 at 11:40 AM, Christian MacNevin <
christian.macnevin at gmail.com> wrote:
> Am I the only one that's getting a bit wary of Cisco crowding their own
> product space?
>
> I guess it looks like they're trying to draw complete distinctions between
> their enterprise space and their carrier space, but who's ever really
> respected that distinction? Even if they do, the carrier I guess is doing
> ok by getting XR everywhere, but the typical enterprise is going to run a
> combination of 3500/3750, 2800/3800, 6500, 7600 and ASR1000s, right? So
> five different groups of platforms with five distinct feature sets and
> code bases. Not to mention any 'legacy' stuff you're running out there.
>
> God help anybody who deployed 7300s.
>
>
> On Wed, Nov 12, 2008 at 6:35 AM, Julio Arruda wrote:
>
> > Kevin Graham wrote:
> >
> >>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency
> >>> would be nice.
> >>
> >> ...or at least call this a CRS-2 or something. I'm still crossing my
> >> fingers that there's a master plan for consistency (or alternatively,
> >> clear differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.
> >>
> >>> Re-uses the RSP nomenclature, just recently put to bed in the 7500
> >>> series.
> >>
> >> Nope, 7600 already revived it (RSP720). I don't see reference to line
> >> cards, but the photos look like ES40's, which finally gives some
> >> credibility to the 6500/7600 split (where new linecards are shared
> >> between ASR9000 and 7600).
> >
> > I somewhat doubt this is the case..at least from what I can imagine...
> > This would imply the ASR9k cards being able to talk with the 7600
> > backplane, which, I understand, is quite distinct from the CRS-1? Isn't
> > the ASR9000 based on the CRS-1 hardware?
> > Isn't the ASR 9000 based on the CRS-1 Metro packet processors also,
> > while the packet crunching on the 7600 is based on the EARL, and on the
> > ASR 1000 is based on the QFP?
> > I can't seem to find details on the cards on the ASR 9000, but, just
> > making some wild guess here..
> > (of course, Cisco has been quite effective in getting a clear separation
> > from control plane to forwarding plane, and IOS-XR sure already runs on
> > another completely distinct box, the 12K-XR, so, maybe the 7600 will
> > gain from the ASR 9000 'revamp').

From benny+usenet at amorsen.dk Wed Nov 12 12:12:27 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Wed, 12 Nov 2008 18:12:27 +0100
Subject: [c-nsp] Upgrading edge router
In-Reply-To: <38938.5776049041$1226451212@news.gmane.org> (Ben Steele's message of "Wed\, 12 Nov 2008 11\:20\:14 +1030")
References: <4213440380134758766@unknownmsgid> <38938.5776049041$1226451212@news.gmane.org>
Message-ID:

"Ben Steele" writes:
> As for licenses this one is a little weird, basically adv enterprise is
> cheaper than adv ip even though it has all the features of adv ip, seems to
> be purely based on ppl not wanting features they will never use available on
> an image and Cisco making them pay more for that feature, my advice is buy
> the cheaper adv enterprise, it will do IPv6.

It is a bit weird that an edge router in 2008 doesn't ship with IPv6 in
its base image. It's also a bit weird that the price of the base image is
separate from the price of the router. You can't just grab a random Linux
distribution and install that...
/Benny

From pdavis at i2k.com Wed Nov 12 14:23:47 2008
From: pdavis at i2k.com (Phil Davis)
Date: Wed, 12 Nov 2008 14:23:47 -0500
Subject: [c-nsp] rate-limit on subinterfaces
Message-ID: <491B2D43.7010304@i2k.com>

Hello,

Are there any caveats on using the rate-limit command on 802.1q
subinterfaces?

Thanks,
Phil

From brandon at sterling.net Wed Nov 12 17:21:25 2008
From: brandon at sterling.net (Brandon Price)
Date: Wed, 12 Nov 2008 14:21:25 -0800
Subject: [c-nsp] Policy Based Routing on PE
Message-ID:

I have a PE with 2 interfaces going to the same CE in vrf CUSTA. I would
like packets with a certain SOURCE ip to take interface 2 and all other
packets to follow normal routing in the vrf (interface 1).

Where on the PE would I set up the route-map? Any configuration examples?

Brandon

From brett at looney.id.au Wed Nov 12 17:28:12 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 07:28:12 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References:
Message-ID: <021801c94515$f81b2c90$e85185b0$@id.au>

> we want to use a Cisco 2821 as SIP-PSTN media gateway and PRI switch
> for a slow migration from an old PBX to a VoIP PBX (Asterisk)
>
> CISCO2821-V/K9   2821 Voice Bundle,PVDM2-32,SP Serv,64F/256D
> VWIC-2MFT-E1     2-Port RJ-48 Multiflex Trunk - E1
> PVDM2-32         32-Channel Packet Voice/Fax DSP Module
>
> can anyone see any reason why this might not work?

Depending on how the calls are terminated you may need significantly more
DSP resources than you have right now. You might need double or triple that
depending on the number of calls. Also, be aware that you may not be able to
independently clock the two E1 interfaces.

B.

From jared at puck.nether.net Wed Nov 12 19:53:18 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Wed, 12 Nov 2008 19:53:18 -0500
Subject: [c-nsp] SXI out
Message-ID: <20081113005318.GA76126@puck.nether.net>

It appears cisco released SXI already.
http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From mtinka at globaltransit.net Wed Nov 12 20:04:15 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:04:15 +0800
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <200811130904.20213.mtinka@globaltransit.net>

On Thursday 13 November 2008 00:40:26 Christian MacNevin wrote:
> Am I the only one that's getting a bit wary of Cisco
> crowding their own product space?

Personally, I don't see why providers won't consider using the ASR9000 as
a Metro-E router, even though Cisco are adamant that that's not what it's
intended for, and that the 7600 still has a significant role to play in
this area for a long time to come.

I think the only reason folk wouldn't look at the ASR9000 for Metro-E P/PE
deployments, at least in the short to medium term, is because IOS XR might
be anaemic when compared to regular IOS.

Mark.
From mtinka at globaltransit.net Wed Nov 12 20:07:25 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:07:25 +0800
Subject: [c-nsp] ASR 9000
In-Reply-To: <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <9e246b4d0811121001j636e41eax892adc45856221f8@mail.gmail.com>
Message-ID: <200811130907.26435.mtinka@globaltransit.net>

On Thursday 13 November 2008 02:01:55 Tim Durack wrote:
> I think this is the result of competing BUs - no cohesive
> product strategy, instead lots of groups trying to
> maximize profit out of existing/new products.

I've always thought that classifying products into Enterprise, Service
Provider, SOHO, etc., is a waste of time - and that goes for all vendors.
If it feels right, and cuts it, I'll deploy it.

We use a bunch of "desktop" switches for real customer production traffic.
The 6500 is what Cisco recommend for service providers, but it doesn't make
sense for some areas of our network when compared to, say, the 3560. We use
2800's where Cisco say we should use a 7200, etc., you get the point.

I guess that kind of distinction is necessary from the point-of-view of a
vendor, but in practice, that area is very, very grey.

Mark.

From mtinka at globaltransit.net Wed Nov 12 20:09:36 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 13 Nov 2008 09:09:36 +0800
Subject: [c-nsp] rate-limit on subinterfaces
In-Reply-To: <491B2D43.7010304@i2k.com>
References: <491B2D43.7010304@i2k.com>
Message-ID: <200811130909.37591.mtinka@globaltransit.net>

On Thursday 13 November 2008 03:23:47 Phil Davis wrote:
> Are there any caveats on using rate-limit command on
> 802.1q subinterfaces?
It, generally, should work, although I'd consider using MQC instead.

Cheers,

Mark.

From pwu828 at gmail.com Wed Nov 12 20:10:38 2008
From: pwu828 at gmail.com (Patrick Wu)
Date: Thu, 13 Nov 2008 12:10:38 +1100
Subject: [c-nsp] Intermittent 100% backplane utilisation on Cisco 6500
Message-ID:

Hi,

I'm currently having issues with one of the Cisco 6506s in the network; it
is running HSRP with another 6506 and also running OSPF/BGP.

Recently, this 6506 has been having intermittent 100% backplane
utilisation, which caused everything to stop responding for a couple of
seconds. As a result, spanning tree recalculation and HSRP failover kicked
in, and caused interruptions in many parts of the network.

What I don't understand is what caused the 100% utilisation; googling
reveals that it could be caused by spanning tree loops and broadcast
storms. But I have already tuned down the storm-control on broadcast on all
ports into the 6506, and I don't think there are any loops in the network.

Unlike a DDoS attack where the 100% utilisation is continuous, it just
peaks at 100% for 1 or 2 seconds and comes back down... the logs don't seem
to show much.

Anyone who has had a similar experience or is able to point me in the right
direction would be greatly appreciated!

Thanks.

Here's the show version and show module:

show version
Cisco Internetwork Operating System Software
IOS (tm) c6sup1_rp Software (c6sup1_rp-PSV-M), Version 12.1(22)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Fri 16-Apr-04 10:13 by pwade
Image text-base: 0x60020F90, data-base: 0x616EA000

ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
BOOTLDR: MSFC Software (C6MSFC-BOOT-M), Version 12.1(3a)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

xxxxxxxx uptime is 23 weeks, 5 days, 27 minutes
Time since xxxxxxxx switched to active is 23 weeks, 5 days, 29 minutes
System returned to ROM by power-on (SP by reload)
System restarted at 09:34:31 AEST Sat May 31 2008
System image file is "slot0:c6sup11-psv-mz.121-22.E1"

cisco WS-C6506 (R5000) processor (revision 3.0) with 114688K/16384K bytes of memory.
Processor board ID TBA05290886
R5000 CPU at 200Mhz, Implementation 35, Rev 2.1
Last reset from power-on
X.25 software, Version 3.0.0.
Bridging software.
146 Virtual Ethernet/IEEE 802.3 interface(s)
48 FastEthernet/IEEE 802.3 interface(s)
10 Gigabit Ethernet/IEEE 802.3 interface(s)
381K bytes of non-volatile configuration memory.
4096K bytes of packet SRAM memory.

16384K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102

show module
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  1     2 Cat 6k sup 1 Enhanced QoS (Active)     WS-X6K-SUP1A-2GE   SAD03414219
  3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03430896
  5     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAD05040L5K

Mod MAC addresses                       Hw    Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  1 00d0.bcee.59a8 to 00d0.bcee.59a9   3.2    5.3(1)       12.1(22)E1   Ok
  3 0030.9613.f314 to 0030.9613.f343   1.1    4.2(0.24)VAI 8.3(0.111)TF Ok
  5 0002.fc25.3224 to 0002.fc25.322b   1.6    5.4(2)       8.3(0.111)TF Ok

Mod Sub-Module                  Model           Serial          Hw      Status
--- --------------------------- --------------- --------------- ------- -------
  1 Policy Feature Card         WS-F6K-PFC      SAD03424981     1.0     Ok
  1 MSFC Cat6k daughterboard    WS-F6K-MSFC     SAD03427635     1.4     Ok

Mod Online Diag Status
--- -------------------

From berni at birkenwald.de Wed Nov 12 21:27:22 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 02:27:22 +0000 (UTC)
Subject: [c-nsp] 2821 voice configuration
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID:

Brett Looney wrote:
>> we want to use a Cisco 2821 as SIP-PSTN media gateway and PRI switch
>> for a slow migration from an old PBX to a VoIP PBX (Asterisk)
>
>> CISCO2821-V/K9   2821 Voice Bundle,PVDM2-32,SP Serv,64F/256D
>> VWIC-2MFT-E1     2-Port RJ-48 Multiflex Trunk - E1
>> PVDM2-32         32-Channel Packet Voice/Fax DSP Module
>> can anyone see any reason why this might not work?
>
> Depending on how the calls are terminated you may need significantly more
> DSP resources than you have right now. You might need double or triple that
> depending on the number of calls. Also, be aware that you may not be able to
> independently clock the two E1 interfaces.

Thanks for the answer.

Over 95% of the calls should be G.711, so that leaves me with 64 channels.
So in theory I should be able to fully utilize both E1s with calls
originating from SIP, right?
What about E1-to-E1 calls that are just switched in the box? Do they take
any DSP resources at all?

Regards,
Bernhard

From brett at looney.id.au Wed Nov 12 21:51:37 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 11:51:37 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID: <024d01c9453a$c1768700$44639500$@id.au>

> 95% of the calls should be G.711, so that leaves me with 64 channels.
> So in theory I should be able to fully utilize both E1s with calls
> originating from SIP, right? What about E1-to-E1 calls that are just
> switched in the box? Do they take any DSP resources at all?

I'm unsure on that - best to check with Cisco. My guess is that they do take
DSP resources and you'll be looking at two per call - one for the "incoming"
E1 call leg and one for the "outgoing" E1 call leg. I could be wrong though -
I would budget for worst-case in any event.

B.

From ATolstykh at integrysgroup.com Wed Nov 12 21:59:46 2008
From: ATolstykh at integrysgroup.com (Tolstykh, Andrew)
Date: Wed, 12 Nov 2008 20:59:46 -0600
Subject: [c-nsp] SXI out
In-Reply-To: <20081113005318.GA76126@puck.nether.net>
Message-ID: <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>

Link to the release notes / new features etc.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
Sent: Wednesday, November 12, 2008 6:53 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] SXI out

It appears cisco released SXI already.
http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment

--
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.

From ianh at chime.net.au Wed Nov 12 22:31:25 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Thu, 13 Nov 2008 12:31:25 +0900
Subject: [c-nsp] ASR 9000
In-Reply-To: <491AEB03.5060808@templin.org>
References: <10188D798B596E4585DEAEAC62596D233BF83749@WATERFORD.switchnet.nv> <491AEB03.5060808@templin.org>
Message-ID: <100362309621454DAA534950B17E55DB0111FC199184@isp-per-exc01.win2k.iinet.net.au>

Pete Templin wrote on 2008-11-12:
> What vendor would think that operators would _want_ side to back?

One that wants operators to purchase the larger, more expensive chassis? :)

- I.

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From brett at looney.id.au Wed Nov 12 21:52:52 2008
From: brett at looney.id.au (Brett Looney)
Date: Thu, 13 Nov 2008 11:52:52 +0900
Subject: [c-nsp] 2821 voice configuration
In-Reply-To:
References: <021801c94515$f81b2c90$e85185b0$@id.au>
Message-ID: <024e01c9453a$ee2a9e80$ca7fdb80$@id.au>

> 95% of the calls should be G.711, so that leaves me with 64 channels.
> So in theory I should be able to fully utilize both E1s with calls
> originating from SIP, right? What about E1-to-E1 calls that are just
> switched in the box? Do they take any DSP resources at all?

Oh, and I forgot - you'll need 64 DSP resources in any case if you're doing
the whole 30 channels on both E1s. You need one DSP resource per E1 call
terminated with G.711.

B.

From vikassharmas at gmail.com Thu Nov 13 00:44:21 2008
From: vikassharmas at gmail.com (Vikas Sharma)
Date: Thu, 13 Nov 2008 11:14:21 +0530
Subject: [c-nsp] number of vlan 16k
Message-ID:

Hi,

I could see a few vendors support 16k / 128k VLANs on BRAS devices. I was
wondering how it can be integrated with other devices which only support
4095 VLANs!!!

Any help is appreciated..

Regards,
Vikas Sharma

From sthaug at nethelp.no Thu Nov 13 01:41:40 2008
From: sthaug at nethelp.no (sthaug at nethelp.no)
Date: Thu, 13 Nov 2008 07:41:40 +0100 (CET)
Subject: [c-nsp] number of vlan 16k
In-Reply-To:
References:
Message-ID: <20081113.074140.74748459.sthaug@nethelp.no>

> I could see few of the vendors support 16k /128 k vlans on BRAS devices. I
> was wondering how can it be integrated with other devices which only support
> 4095 vlan !!!

This will typically depend on either stacked (dual tagged) VLANs, or VLANs
per port (not global to the box), or both. It all depends on your
requirements. If you want to IP terminate 30k customers, for instance, you
would typically need both.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

From b.turnbow at twt.it Thu Nov 13 03:01:43 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 13 Nov 2008 09:01:43 +0100
Subject: [c-nsp] 2821 voice configuration
In-Reply-To: <024d01c9453a$c1768700$44639500$@id.au>
References: <021801c94515$f81b2c90$e85185b0$@id.au> <024d01c9453a$c1768700$44639500$@id.au>
Message-ID:

The VWIC-2 cards can do VoIP or cross connect (no DSP used) but a channel
cannot do both at the same time.
It is done on the controller creating a ds0-group or tdm-group. In one E1
you can have both, but the channels are dedicated. At least AFAIK.

With 2 PVDM2-32s you can do 64 channels of G.711, but any other codecs,
fax/modem relay will be a medium or high complexity codec and will lower
your channels considerably.

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Brett Looney
Sent: Thursday, 13 November 2008 3:52
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2821 voice configuration

> 95% of the calls should be G.711, so that leaves me with 64 channels.
> So in theory I should be able to fully utilize both E1s with calls
> originating from SIP, right? What about E1-to-E1 calls that are just
> switched in the box? Do they take any DSP resources at all?

I'm unsure on that - best to check with Cisco. My guess is that they do take
DSP resources and you'll be looking at two per call - one for the "incoming"
E1 call leg and one for the "outgoing" E1 call leg. I could be wrong though -
I would budget for worst-case in any event.

B.

From maureen.schaar at gmail.com Thu Nov 13 03:32:05 2008
From: maureen.schaar at gmail.com (maureen schaar)
Date: Thu, 13 Nov 2008 09:32:05 +0100
Subject: [c-nsp] 6500-sup-stdby
In-Reply-To: <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com>
References: <20081111061539.32297.qmail@f4mail-235-134.rediffmail.com> <50f158990811110714r1b912ebct2be503aff78b9912@mail.gmail.com>
Message-ID: <2475c97c0811130032r1fe97016re4defd097b68e1ef@mail.gmail.com>

If you still have the problem, maybe you can try something, since I once had
a similar problem. There may be a discrepancy between the confreg on the RP
and the SP. You need to set the confreg again.
Even though the "remote command switch show bootvar" command displayed the
right confreg in the SP in my situation, I was still returned to rommon.
After setting the confreg in the RP, the problem was resolved.

See also
http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008072c406.shtml#sup_sub_3

Hope this helps.

Maureen

On Tue, Nov 11, 2008 at 4:14 PM, Pete S. wrote:
> Also, make sure the flash was formatted by the chassis it's currently in.
> There was an issue where, if formatted in another chassis, the flash could
> be read, but not booted from, resulting in a boot to rommon where you have
> to manually enter the boot command.
>
>
> --Pete
>
>
> On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote:
>
>>
>> Hi, I am using a Cisco 6509 with two sup engines. sup1 is main and sup2
>> is standby. The problem is sup2 is not booting automatically when the
>> system is switched ON. It is going to rommon mode, where we have to
>> type the boot command so that it will boot. After booting, the boot
>> variable is missing. If we set the boot variable, it will show the boot
>> variable but it is temporary.
>>
>> Again we switched OFF and ON, the same situation is there. I tried a
>> lot, please help me. Some details are here...
>>
>> Before sup2:
>>
>> CAT_1> (enable) sh mod
>> Mod Slot Ports Module-Type               Model               Sub Status
>> --- ---- ----- ------------------------- ------------------- --- --------
>> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
>> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
>> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>>
>>
>> After sup2:
>>
>> CAT_1> (enable) sh mod
>> Mod Slot Ports Module-Type               Model               Sub Status
>> --- ---- ----- ------------------------- ------------------- --- --------
>> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
>> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
>> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
>> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
>> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
>>
>>
>> bye.

From janasamit at wlink.com.np Thu Nov 13 03:36:24 2008
From: janasamit at wlink.com.np (Samit)
Date: Thu, 13 Nov 2008 14:21:24 +0545
Subject: [c-nsp] interface packets/sec MIB
Message-ID: <491BE708.50608@wlink.com.np>

Hi list,

I want to graph the in/out pps counter of every individual interface of my
routers, but I could not find the MIB for it. Anyone know the MIB for this?
Regards,
Samit

From gert at greenie.muc.de Thu Nov 13 04:14:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 13 Nov 2008 10:14:23 +0100
Subject: [c-nsp] ASR 9000
In-Reply-To:
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <20081113091423.GD8535@greenie.muc.de>

Hi,

On Wed, Nov 12, 2008 at 08:40:26AM -0800, Christian MacNevin wrote:
> Am I the only one that's getting a bit wary of Cisco crowding their own
> product space?

"Different BUs fighting for revenue"

> God help anybody who deployed 7300s.

Or 7120, 7140, 7400, RSFC, or ...

gert
--
USENET is *not* the non-clickable part of WWW!                  //www.muc.de/~gert/
Gert Doering - Munich, Germany                              gert at greenie.muc.de
fax: +49-89-35655025                         gert at net.informatik.tu-muenchen.de

From b.turnbow at twt.it Thu Nov 13 05:22:52 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Thu, 13 Nov 2008 11:22:52 +0100
Subject: [c-nsp] interface packets/sec MIB
In-Reply-To: <491BE708.50608@wlink.com.np>
References: <491BE708.50608@wlink.com.np>
Message-ID:

RFC 1213 .1.3.6.1.2.1.2.2.1
Inside you may find unicast packets and non unicast packets

Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Samit
Sent: Thursday, 13 November 2008 9.36
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] interface packets/sec MIB

Hi list,

I want to graph the in/out pps counter of every individual interface of my routers, but I could not find the MIB for it. Anyone knows the MIB for this?
Regards,
Samit

From berni at birkenwald.de Thu Nov 13 05:35:54 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 10:35:54 +0000 (UTC)
Subject: [c-nsp] SXI out
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID:

Tolstykh, Andrew wrote:

> Link to the release notes / new features etc.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036

Cisco promised us a lot of new IPv6-related features for SXI, including IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on VSS. None of that is listed in the release notes.

Did anyone test already?

Bernhard

From manafo at hotmail.com Thu Nov 13 05:46:06 2008
From: manafo at hotmail.com (Manaf Al Oqlah)
Date: Thu, 13 Nov 2008 12:46:06 +0200
Subject: [c-nsp] MAC Address Table Count
Message-ID:

Hi,

I have a strange behavior on my mac-address table count. We are running an L2 wimax network using Cisco 3750ME switches distributed on 60 sites and aggregated on 2 Cisco 7600 routers. The mac address table should be the same for all switches, since we are using the same traffic VLAN for all clients. The usual mac address table count is about 1600, which is the average number of concurrent client sessions, shared between all switches and the aggregation routers, but intermittently the count decreased on all switches to around 200-300 although the number of clients is still the same. Any explanation for this behavior?

   AGG1                                   AGG2
    |                                      |
  -----------------------------------------------------------------------------------
    |             |             |                              |
   SW1           SW2           SW3 ...............
   SW60
    /
 |wimax|
    /
    /
  Client

Thank you,
Manaf

From packetlss at gmail.com Thu Nov 13 05:52:29 2008
From: packetlss at gmail.com (Magnus Eriksson)
Date: Thu, 13 Nov 2008 11:52:29 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
Message-ID: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>

I'm looking for some pointers on what are the smallest recommended Cisco boxes to use for a small multihoming solution.

2 full BGP views (approx 260k routes each)
100 Mbps bandwidth requirement.

The setup currently uses 2 Juniper M5 but those are in dire need of refresh.

What are the appropriate Cisco boxes to go for? Do I need any memory upgrades etc?

Any suggestions are welcome.

Regards Magnus

From onechama at yahoo.com Thu Nov 13 06:48:57 2008
From: onechama at yahoo.com (Eslon BAchama)
Date: Thu, 13 Nov 2008 03:48:57 -0800 (PST)
Subject: [c-nsp] Burning switch ports on model 3750
Message-ID: <603777.63324.qm@web39506.mail.mud.yahoo.com>

Hi Members,

I have a cisco switch model 3750 series but the switch ports stop working one by one. Any help? One end is connected to a TrendNet switch (all ports on the TrendNet are fine).

Chama

From gabbarsingh9009 at yahoo.com Thu Nov 13 06:58:11 2008
From: gabbarsingh9009 at yahoo.com (Gabby)
Date: Thu, 13 Nov 2008 03:58:11 -0800 (PST)
Subject: [c-nsp] packet capture on 6509....??
Message-ID: <300132.18416.qm@web46209.mail.sp1.yahoo.com>

Hello,

Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module. I know I could do span port, but I'm interested in knowing if there's any other method....

Gabby.

Find your perfect match today at the new Yahoo!7 Dating.
Get Started http://au.dating.yahoo.com/?cid=53151&pid=1012

From hroi at asdf.dk Thu Nov 13 07:23:27 2008
From: hroi at asdf.dk (Hroi Sigurdsson)
Date: Thu, 13 Nov 2008 13:23:27 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <20081113005318.GA76126@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net>
Message-ID: <491C1C3F.405@asdf.dk>

Jared Mauch wrote:
> It appears cisco released SXI already.
>
> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment

It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or just a tease?

From p.mayers at imperial.ac.uk Thu Nov 13 07:41:30 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 12:41:30 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C1C3F.405@asdf.dk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk>
Message-ID: <491C207A.1010200@imperial.ac.uk>

Hroi Sigurdsson wrote:
> Jared Mauch wrote:
>> It appears cisco released SXI already.
>>
>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>
> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or
> just a tease?

The CLI is listed, not necessarily the support for 6vPE. I'm loading it onto a box now and will test it.
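The "interface packets/sec MIB" thread earlier in this digest (Samit's question, Brian Turnbow's pointer to the RFC 1213 ifTable at .1.3.6.1.2.1.2.2.1) stops at naming the table; nobody shows how a packets/sec figure is actually derived from it. The following is an added Python example, not code posted by anyone on the list and not a Cisco tool. It reads two polls of the ifEntry packet counters (ifInUcastPkts and ifInNUcastPkts, columns 11 and 12; ifOutUcastPkts and ifOutNUcastPkts, columns 17 and 18) plus sysUpTime, and turns them into per-interface pps. It handles a Counter32 wrap and refuses to compute a rate when sysUpTime went backwards, which means the device rebooted and the counters restarted. The poll text is constructed in the shape of `snmpwalk -On` output; no SNMP library is involved, so it runs offline. The sysUpTime and counter OIDs are standard MIB-II values; everything else (function names, the sample numbers) is this example's own.

```python
"""Added example (not code from the list or any poster): derive per-interface
packets/sec from two polls of the RFC 1213 ifTable packet counters."""

SYS_UPTIME = "1.3.6.1.2.1.1.3.0"     # sysUpTime, TimeTicks (1/100 s)
IF_TABLE = "1.3.6.1.2.1.2.2.1"       # ifEntry, the table named in the thread
IN_UCAST, IN_NUCAST, OUT_UCAST, OUT_NUCAST = 11, 12, 17, 18   # ifEntry columns
PKT_COLUMNS = (IN_UCAST, IN_NUCAST, OUT_UCAST, OUT_NUCAST)
COUNTER32_WIDTH = 2 ** 32


def _int_value(rhs):
    """Numeric part of 'Counter32: 123' or 'Timeticks: (360000) 1:00:00.00'."""
    value = rhs.split(":", 1)[1].strip() if ":" in rhs else rhs.strip()
    if value.startswith("("):
        value = value[1:value.index(")")]
    return int(value)


def parse_poll(lines):
    """Parse 'OID = TYPE: value' lines (the shape of `snmpwalk -On` output)
    into {'uptime': ticks, 'ifs': {ifIndex: {column: count}}}."""
    poll = {"uptime": None, "ifs": {}}
    for line in lines:
        oid, sep, rhs = line.partition(" = ")
        if not sep:
            continue
        if oid == SYS_UPTIME:
            poll["uptime"] = _int_value(rhs)
        elif oid.startswith(IF_TABLE + "."):
            column, ifindex = (int(x) for x in oid[len(IF_TABLE) + 1:].split("."))
            if column in PKT_COLUMNS:          # ignore ifDescr and other non-counter columns
                poll["ifs"].setdefault(ifindex, {})[column] = _int_value(rhs)
    if poll["uptime"] is None:
        raise ValueError("poll has no sysUpTime; cannot size the interval or detect a reboot")
    return poll


def counter_delta(old, new, width=COUNTER32_WIDTH):
    """Increment of a wrapping counter, assuming at most one wrap between polls.
    Poll often enough that a busy interface cannot wrap twice in one interval."""
    return new - old if new >= old else new + width - old


def packets_per_second(earlier, later):
    """Return {ifIndex: (in_pps, out_pps)} for interfaces present in both polls.

    The interval is taken from the device's own sysUpTime rather than the
    poller's clock, so poller jitter does not skew the rate. sysUpTime going
    backwards means the device rebooted and its counters restarted from zero;
    a rate from that pair of polls would be garbage, so refuse to graph it."""
    if later["uptime"] < earlier["uptime"]:
        raise ValueError("sysUpTime went backwards: device rebooted, counters reset")
    interval = (later["uptime"] - earlier["uptime"]) / 100.0
    if interval <= 0:
        raise ValueError("polls are not separated in time")
    rates = {}
    for ifindex, new in later["ifs"].items():
        old = earlier["ifs"].get(ifindex)
        if old is None:
            continue  # interface appeared after the first poll; no baseline yet
        try:
            in_pkts = (counter_delta(old[IN_UCAST], new[IN_UCAST])
                       + counter_delta(old[IN_NUCAST], new[IN_NUCAST]))
            out_pkts = (counter_delta(old[OUT_UCAST], new[OUT_UCAST])
                        + counter_delta(old[OUT_NUCAST], new[OUT_NUCAST]))
        except KeyError:
            continue  # one of the four packet columns missing from a poll
        rates[ifindex] = (in_pkts / interval, out_pkts / interval)
    return rates


# Constructed sample polls one minute apart (sysUpTime differs by 6000 ticks).
# ifIndex 1's ifInUcastPkts sits just below 2^32 in the first poll and wraps.
POLL_A = parse_poll([
    "1.3.6.1.2.1.1.3.0 = Timeticks: (360000) 1:00:00.00",
    "1.3.6.1.2.1.2.2.1.11.1 = Counter32: 4294960000",
    "1.3.6.1.2.1.2.2.1.12.1 = Counter32: 1000",
    "1.3.6.1.2.1.2.2.1.17.1 = Counter32: 100000",
    "1.3.6.1.2.1.2.2.1.18.1 = Counter32: 500",
    "1.3.6.1.2.1.2.2.1.11.2 = Counter32: 5000",
    "1.3.6.1.2.1.2.2.1.12.2 = Counter32: 10",
    "1.3.6.1.2.1.2.2.1.17.2 = Counter32: 7000",
    "1.3.6.1.2.1.2.2.1.18.2 = Counter32: 20",
])
POLL_B = parse_poll([
    "1.3.6.1.2.1.1.3.0 = Timeticks: (366000) 1:01:00.00",
    "1.3.6.1.2.1.2.2.1.11.1 = Counter32: 2704",       # wrapped: +10000 packets
    "1.3.6.1.2.1.2.2.1.12.1 = Counter32: 1800",
    "1.3.6.1.2.1.2.2.1.17.1 = Counter32: 106000",
    "1.3.6.1.2.1.2.2.1.18.1 = Counter32: 500",
    "1.3.6.1.2.1.2.2.1.11.2 = Counter32: 8000",
    "1.3.6.1.2.1.2.2.1.12.2 = Counter32: 10",
    "1.3.6.1.2.1.2.2.1.17.2 = Counter32: 7600",
    "1.3.6.1.2.1.2.2.1.18.2 = Counter32: 20",
    "1.3.6.1.2.1.2.2.1.11.3 = Counter32: 1",          # new interface, no baseline
])

if __name__ == "__main__":
    for ifindex, (in_pps, out_pps) in sorted(packets_per_second(POLL_A, POLL_B).items()):
        print(f"ifIndex {ifindex}: {in_pps:.1f} pps in, {out_pps:.1f} pps out")
```

Two things worth keeping in mind when graphing this for real: on gigabit and faster interfaces the 32-bit ifTable counters wrap quickly, so poll the 64-bit ifHC* packet counters in the IF-MIB ifXTable instead (the same delta logic applies with a 2^64 width), and a pps graph next to the bps graph is what lets an operator tell a small-packet flood from an ordinary bandwidth spike, since the former moves pps long before it moves bps.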
From benny+usenet at amorsen.dk Thu Nov 13 07:43:09 2008
From: benny+usenet at amorsen.dk (Benny Amorsen)
Date: Thu, 13 Nov 2008 13:43:09 +0100
Subject: [c-nsp] ASR 9000
In-Reply-To: <200811130904.20213.mtinka@globaltransit.net> (Mark Tinka's message of "Thu, 13 Nov 2008 09:04:15 +0800")
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com> <200811130904.20213.mtinka@globaltransit.net>
Message-ID:

Mark Tinka writes:

> I think the only reason folk wouldn't look at the ASR9000
> for Metro-E P/PE deployments, at least in the short to
> medium term, is because IOS XR might be anaemic when
> compared to regular IOS.

Isn't the 7600 likely to be cheaper than the ASR9000 for the same number of ports? I think the ASR9000 looks good for P/PE duty from what little information is out, but some price information would be nice.

/Benny

From sidney.boumendil at gmail.com Thu Nov 13 07:44:24 2008
From: sidney.boumendil at gmail.com (Sidney Boumendil)
Date: Thu, 13 Nov 2008 13:44:24 +0100
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
References: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
Message-ID: <41522e900811130444u47c83fa0kd0976e3bf2430814@mail.gmail.com>

On Thu, Nov 13, 2008 at 12:58 PM, Gabby wrote:
>
> Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module. I know I could do span port, but I'm interested in knowing if there's any other method....

It looks like a new feature in the SXI release.

Sidney

From gulerozgur at yahoo.co.uk Thu Nov 13 07:47:19 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 13 Nov 2008 12:47:19 +0000 (GMT)
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com>
Message-ID: <22242.6601.qm@web25503.mail.ukl.yahoo.com>

You can do packet captures with ELAM functionality.
That is generally used for hw forwarding troubleshooting though.
--- On Thu, 13/11/08, Gabby wrote:
From: Gabby
Subject: [c-nsp] packet capture on 6509....??
To: cisco-nsp at puck.nether.net
Date: Thursday, 13 November, 2008, 11:58 AM

Hello,

Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module. I know I could do span port, but I'm interested in knowing if there's any other method....

Gabby.

From raymondh.nsp at gmail.com Thu Nov 13 07:52:47 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Thu, 13 Nov 2008 20:52:47 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>

You may want to consider getting either part # CISCO7201 (PSU included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite cheap).
Both the part # for the box, shouldn't be much of a difference or same.

--raymondh

On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:

> I'm looking for some pointers on what are the smallest recommended Cisco
> boxes to use for a small multihoming solution.
>
> 2 full BGP views (approx 260k routes each)
> 100 Mbps bandwidth requirement.
>
> The setup currently uses 2 Juniper M5 but those are in dire need of
> refresh.
>
> What are the appropriate Cisco boxes to go for? Do I need any memory
> upgrades etc?
>
> Any suggestions are welcome.
>
> Regards Magnus

From gideon at adept.co.za Thu Nov 13 07:19:39 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Thu, 13 Nov 2008 14:19:39 +0200
Subject: [c-nsp] Burning switch ports on model 3750
In-Reply-To: <603777.63324.qm@web39506.mail.mud.yahoo.com>
References: <603777.63324.qm@web39506.mail.mud.yahoo.com>
Message-ID: <5CF12851-E38D-4CEA-B5AA-293ADD3FD67A@adept.co.za>

On 13 Nov 2008, at 1:48 PM, Eslon BAchama wrote:

> i have a cisco switch model 3750 series but the switch ports stops
> working one by one.

Does it log anything to the console? Are any of the ports marked as being in an error state?

G

From tdurack at gmail.com Thu Nov 13 08:15:53 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 13 Nov 2008 08:15:53 -0500
Subject: [c-nsp] SXI out
In-Reply-To:
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>

http://tools.cisco.com/search/display?url=http%3A%2F%2Fwww.cisco.com%2Fen%2FUS%2Fprod%2Fcollateral%2Fiosswrel%2Fps8802%2Fps6970%2Fps6017%2Fps9673%2Fproduct_bulletin_c25-503086.html&pos=1&strqueryid=1&websessionid=m7dr3yFygHTz5Rv3D5SKdLV

"The DHCPv6 Relay component is enhanced to support a stateless Relay. Remote Id and Interface Id options insertion is performed. DHCPv6 Relay now works in conjunction with Prefix Delegation for adding or removing corresponding routes in the Relay agent routing table."

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html

"Software Features

With some exceptions, the virtual switching system has feature parity with the standalone Catalyst 6500 series switch.
Major exceptions include:

- The virtual switching system does not support MPLS or IPv6.
- In software releases earlier than Cisco IOS Release 12.2(33)SXI, port-based QoS and port ACLs (PACLs) are supported only on Layer 2 single-chassis or multichassis EtherChannel (MEC) links. Beginning with Cisco IOS Release 12.2(33)SXI, port-based QoS and PACLs can be applied to any physical port in the VSS, excluding ports in the VSL. PACLs can be applied to no more than 2046 ports in the VSS.
- The virtual switching system does not support supervisor engine redundancy within a chassis.
- The virtual switching system does not support Lawful Intercept."

Got to wonder whether VSS is going to make it or not...

Tim:>

On Thu, Nov 13, 2008 at 5:35 AM, Bernhard Schmidt wrote:
> Tolstykh, Andrew wrote:
>
>> Link to the release notes / new features etc.
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> Cisco promised us a lot of new IPv6-related features for SXI, including
> IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on
> VSS. None of that is listed in the release notes.
>
> Did anyone test already?
>
> Bernhard

From rlcwlist at gmail.com Thu Nov 13 08:23:46 2008
From: rlcwlist at gmail.com (Raymond Leung)
Date: Thu, 13 Nov 2008 21:23:46 +0800
Subject: [c-nsp] QOS CBWFQ Problems
Message-ID: <53fb3cbd0811130523y3cad3a08of02af7e4ed92564@mail.gmail.com>

Dear Sirs:

I'm seeking your expert support on my 6509 3CXL.

Before, I've deployed an ACL for all IP running through VLAN800 with 36000000. However, I've checked my CACTI, which shows me it's just 4Mb traffic on the limitation!
Right now, I've deployed the rule to transmit for all, including the violated.

In the following information, you can check that my interface was just running 50817000; however the CBWFQ shows 75474008.

Do you have any ideas on that? Thanks for your support!

AGC-C6509-2>sh int vl800
Vlan800 is up, line protocol is up
  Hardware is EtherSVI, address is 1234.5678.90c0 (bia 1234.5678.90c0)
  Description: For AGC-C6509-72 segment
  Internet address is 192.168.92.4/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 11/255, rxload 12/255
  Encapsulation ARPA, loopback not set
  Keepalive not supported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/241/39 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 50817000 bits/sec, 12350 packets/sec
  5 minute output rate 44609000 bits/sec, 10111 packets/sec
  L2 Switched: ucast: 858465873 pkt, 481650114649 bytes - mcast: 45143 pkt, 4578874 bytes
  L3 in Switched: ucast: 538560259 pkt, 294422484717 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 427084531 pkt, 232344575218 bytes mcast: 0 pkt, 0 bytes
     538730837 packets input, 294446452281 bytes, 0 no buffer
     Received 44949 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 7 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     427341594 packets output, 230684282878 bytes, 0 underruns
     0 output errors, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

AGC-C6509-2>sh pol int Vlan800

  Service-policy input: inbound-policy-test

    class-map: ACL165-in (match-all)
      Match: access-group 165
      police :
        36000000 bps 6750000 limit 13500000 extended limit
      Earl in slot 4 :
        13005001476 bytes
        5 minute offered rate 75474008 bps
        aggregate-forwarded 13005001476 bytes action: transmit
        exceeded 0 bytes action: transmit
        violated 0 bytes action: transmit
        aggregate-forward 77773744 bps exceed 0 bps violate 0 bps
      Earl in slot 5 :
        0 bytes
        5 minute offered rate 0 bps
        aggregate-forwarded 0 bytes action: transmit
        exceeded 0 bytes action: transmit
        violated 0 bytes action: transmit
        aggregate-forward 0 bps exceed 0 bps violate 0 bps

    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps
AGC-C6509-2>
AGC-C6509-2>sh ip access 165
Extended IP access list 165
    10 permit ip any any (99540 matches)

From p.mayers at imperial.ac.uk Thu Nov 13 08:24:51 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 13:24:51 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C1C3F.405@asdf.dk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk>
Message-ID: <491C2AA3.6070808@imperial.ac.uk>

Hroi Sigurdsson wrote:
> Jared Mauch wrote:
>> It appears cisco released SXI already.
>>
>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>
> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real or
> just a tease?

It would appear not:

core-spare(config)#vrf definition PROD
core-spare(config-vrf)#address-family ipv6
% VRF address family ipv6 is not supported or not enabled
% Can't activate address-family 'ipv6'

...likewise in global config mode:

core-spare(config)#ipv6 unicast-routing ?

i.e. no "vrf" argument option.
Various bits of fiddling indicate it has the CLI, but not the 6vPE support yet (maybe next release)

From blahu77 at gmail.com Thu Nov 13 08:34:54 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Thu, 13 Nov 2008 13:34:54 +0000
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To:
References:
Message-ID: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brandon,

2008/11/12 Brandon Price
>
> I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> I would like packets with a certain SOURCE ip to take interface 2 and
> all other packets to follow normal routing in the vrf (interface 1).

How about GRE tunnel between SOURCE and CE in question, with PBR on SOURCE side if needed to direct traffic towards the tunnel?

> Where on the PE would I set up the route-map ? Any configuration
> examples?

Unless there is some special feature I don't know about, it seems there is no way.

Best Regards,

- -mat

- --
pgp-key 0x1C655CAB
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFJHCz9+BuaDRxlXKsRAt83AJ9YakWigzpon/8VDJ4s3AL0XvPfHwCeLWWV
3W4XMbcKq05a0vlCfpc+hdE=
=fLim
-----END PGP SIGNATURE-----

From berni at birkenwald.de Thu Nov 13 08:37:04 2008
From: berni at birkenwald.de (Bernhard Schmidt)
Date: Thu, 13 Nov 2008 14:37:04 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <9e246b4d0811130515l44f563c0r85ee88c9dacf4696@mail.gmail.com>
Message-ID: <491C2D80.1090009@birkenwald.de>

Tim Durack wrote:

Hi,

I was hoping that

> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vss.html
>
> "Software Features
>
> With some exceptions, the virtual switching system has feature parity
> with the standalone Catalyst 6500 series switch.
> Major exceptions include:
>
> - The virtual switching system does not support MPLS or IPv6.

was bogus and old information. But a VSS cluster with 12.2(33)SXI does not accept any IPv6 commands, so it's basically useless to us.

Let's see what our account manager has to say about that, I'm very disappointed right now. SXI runs two months late and then misses most of the features we were promised.

Regards,
Bernhard

From Fernando.Correa at tivit.com.br Thu Nov 13 09:02:08 2008
From: Fernando.Correa at tivit.com.br (Fernando de Aquilino Corrêa)
Date: Thu, 13 Nov 2008 12:02:08 -0200
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.
In-Reply-To: <200811111449.mABEnfOu030925@racing2.mecon.ar>
Message-ID:

Hello,

According to a Sales Engineer at Cisco, this is going to be available some time in H1 2009. It'll be a 48 port SFP line card if I remember correctly.

I'd love to have their roadmap for this switch.

Att,
Fernando

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Juan Angel Menendez
Sent: Tuesday, 11 November 2008 12:50
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Nexus 7000 fiber 1GBit linecard.

Hello list,

We're interested in the Nexus 7000 platform but we're wondering if a fiber 1GBit linecard is going to be available anytime soon?

Thanks in advance.
Regards
Juan

From p.mayers at imperial.ac.uk Thu Nov 13 09:14:23 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 14:14:23 +0000
Subject: [c-nsp] SXI out
In-Reply-To:
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <491C363F.5050409@imperial.ac.uk>

Bernhard Schmidt wrote:
> Tolstykh, Andrew wrote:
>
>> Link to the release notes / new features etc.
>>
>> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> Cisco promised us a lot of new IPv6-related features for SXI, including
> IPv6 policy-based routing, DHCPv6 relay and (most important) IPv6 on

v6 relay and v6 HSRP are there:

 ip vrf forwarding PROD
 ip address 192.168.60.254 255.255.255.0
 ipv6 address 2001:DB8:500::1/64
 ipv6 dhcp relay destination 2001:DB8:502::3
 ipv6 dhcp relay destination 2001:DB8:502::4
 standby version 2
 standby 0 ipv6 autoconfig

...I'll spin up a DHCPv6 server later and see if it works.

From guru6111 at gmail.com Thu Nov 13 09:14:31 2008
From: guru6111 at gmail.com (Atif Sid)
Date: Thu, 13 Nov 2008 09:14:31 -0500
Subject: [c-nsp] ISIS / NSF IOS XR
In-Reply-To: <491AAC78.3010708@renater.fr>
References: <766b203d0811111046s264178d4i2cf18ef299c4e6a5@mail.gmail.com> <491AAC78.3010708@renater.fr>
Message-ID: <766b203d0811130614wb1bd1a6q481959eff6993833@mail.gmail.com>

Yes, correct! NSF is disabled, but if you look closely the 'sh isis neig' command says capable 'yes'; but the ISIS adj command says NSF 'yes', which is misleading! I have LDP GR also disabled, but when I failover RPs I do not see any traffic loss. Have you tested?
On Wed, Nov 12, 2008 at 5:14 AM, Frederic LOUI wrote:

> Hi,
>
> What state the section related to ISIS with the command "show ip protocols"
> output ?
>
> By default, NSF is disabled. It seems like the output of the "show isis
> adjacency" display if the ISIS neighbors are "NSF capable or not".
>
> IS-IS Router:
>
> ...
> Non-stop forwarding: Disabled
> Most recent startup mode: Cold Restart
> Topologies supported by IS-IS:
>   IPv4 Unicast
>     Level-1
>       Metric style (generate/accept): Wide/Wide
>       ISPF status: Disabled
>     No protocols redistributed
>     Distance: 115
>   IPv6 Unicast
>     Level-1
>       ISPF status: Disabled
>     No protocols redistributed
>     Distance: 115
> ...
>
> Maybe, just try to enable NSF and re-check the "show ip protocols" output.
>
> Regards,
> Frederic
> --
> Frederic LOUI / GIP RENATER
>
> Service de Suivi Operationnel / Metrologie & QoS
> Network Operations Service / Metrology & QoS
>
> Tel: +33 1 53 94 20 82 / Fax: +33 1 53 94 20 31
> frederic.loui at renater.fr http://www.renater.fr
>
>
> Atif Sid wrote:
>
>> I configured NSF under ISIS initially, then removed it. Still shows NSF
>> 'YES'; anyone seen this? Restarted ISIS process, cleared it, nothing.
>>
>> This is IOS XR 3.6.1 and 3.6.0, both same condition.
>>
>> RP/0/9/CPU0:P1#sh isis adjacency
>> IS-IS NP Level-2 adjacencies:
>> System Id  Interface   SNPA    State Hold Changed  NSF BFD
>> P2         Gi0/1/1/8   *PtoP*  Up    27   01:31:58 Yes None
>> PE1        Gi0/1/1/0   *PtoP*  Up    29   01:32:04 Yes None
>> PE1        Gi0/1/1/1   *PtoP*  Up    26   01:31:59 Yes None
>> P3         PO0/0/0/0   *PtoP*  Up    29   01:32:00 Yes None
>>
>> router isis NP
>>  set-overload-bit on-startup 300
>>  is-type level-2-only
>>  net 49.0001.1921.1813.6001.00
>>  log adjacency changes
>>  address-family ipv4 unicast
>>   metric-style wide
>>  !
>>  interface Loopback0
>>   passive
>>   address-family ipv4 unicast
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/0
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/1
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>   !
>>  !
>>  interface GigabitEthernet0/1/1/8
>>   point-to-point
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 10
>>    mpls ldp sync
>>   !
>>  !
>>  interface POS0/0/0/0
>>   hello-password keychain NP-ISIS
>>   address-family ipv4 unicast
>>    metric 100
>>   !
>>  !
>> !

From rodunn at cisco.com Thu Nov 13 09:21:39 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:21:39 -0500
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com>
Message-ID: <20081113142139.GD4897@rtp-cse-489.cisco.com>

hmmm.....interesting question.

VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder along Mat's suggestion if you could build a gre tunnel over interface 1 and apply a PBR policy on the tunnel.

Thinking that after the mpls disposition the ingress features (pbr) on the tunnel might kick in. Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about GRE tunnel between SOURCE and CE in question, with PBR on
> SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
>
> Best Regards,
>
> - -mat
>
> - --
> pgp-key 0x1C655CAB
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
>
> iD8DBQFJHCz9+BuaDRxlXKsRAt83AJ9YakWigzpon/8VDJ4s3AL0XvPfHwCeLWWV
> 3W4XMbcKq05a0vlCfpc+hdE=
> =fLim
> -----END PGP SIGNATURE-----

From rodunn at cisco.com Thu Nov 13 09:25:08 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:25:08 -0500
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com>
Message-ID: <20081113142508.GE4897@rtp-cse-489.cisco.com>

I haven't looked at the price list.

How does an ASR1002 compare to a G2 combo?

From a growth perspective the ASR1002 would be what I would consider giving a potential migration to GigE.

Rodney

On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
> You may want to consider getting either part # CISCO7201 (PSU
> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
> cheap).
> Both the part # for the box, shouldn't be much of a difference or same.
>
> --raymondh
>
> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>
> >I'm looking for some pointers on what are the smallest recommended
> >Cisco boxes to use for a small multihoming solution.
> >
> >2 full BGP views (approx 260k routes each)
> >100 Mbps bandwidth requirement.
> >
> >The setup currently uses 2 Juniper M5 but those are in dire need of
> >refresh.
> >
> >What are the appropriate Cisco boxes to go for? Do I need any memory
> >upgrades etc?
> >
> >Any suggestions are welcome.
> >
> >Regards Magnus

From elmi at 4ever.de Thu Nov 13 09:29:34 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Thu, 13 Nov 2008 15:29:34 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <20081113142934.GI93039@ronin.4ever.de>

rodunn at cisco.com (Rodney Dunn) wrote:

> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?

In real-life prices in Germany the ASR1002/AdvEntSvc is some EUR 3K-5K more expensive than a 7201/AdvIPSvc. No idea about a "real" combo.

Elmar.

From rodunn at cisco.com Thu Nov 13 09:32:55 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Thu, 13 Nov 2008 09:32:55 -0500
Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <22242.6601.qm@web25503.mail.ukl.yahoo.com>
References: <300132.18416.qm@web46209.mail.sp1.yahoo.com> <22242.6601.qm@web25503.mail.ukl.yahoo.com>
Message-ID: <20081113143255.GF4897@rtp-cse-489.cisco.com>

When we developed the Embedded Packet Capture for IOS there was a project in the works to do something similar for CAT6k to make elam type captures easier.
Seems it shipped with SXI per this:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/mpa.html

and you can dump the buffer to pcap.

Rodney

On Thu, Nov 13, 2008 at 12:47:19PM +0000, Ozgur Guler wrote:
> You can do packet captures with ELAM functionality.
> That is generally used for hw forwarding troubleshooting though.
>
> --- On Thu, 13/11/08, Gabby wrote:
> From: Gabby
> Subject: [c-nsp] packet capture on 6509....??
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 13 November, 2008, 11:58 AM
>
> Hello,
>
> Is it possible to do packet capture or the like on a 6509 (or similar platform)
> that doesn't have a FW module. I know I could do span port, but I'm
> interested in knowing if there's any other method....
>
> Gabby.

From gulerozgur at yahoo.co.uk Thu Nov 13 10:03:51 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 13 Nov 2008 15:03:51 +0000 (GMT)
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <501096.94021.qm@web25507.mail.ukl.yahoo.com>

Well, that's not the most elegant one but here you go...

If you configure vrf-aware NAT to policy NAT your CE addresses so that they are translated into a new address space for that specific source, and on the PE route this new translation range out of the link you like, it should work.
(Obviously your remote site will need to use this new translation range to communicate with your CE network.)

--- On Thu, 13/11/08, Rodney Dunn wrote:
From: Rodney Dunn
Subject: Re: [c-nsp] Policy Based Routing on PE
To: "Mateusz Błaszczyk"
Cc: "cisco-nsp"
Date: Thursday, 13 November, 2008, 2:21 PM

hmmm.....interesting question.

VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder, along Mat's suggestion, if you could build a GRE tunnel over interface 1 and apply a PBR policy on the tunnel. Thinking that after the MPLS disposition the ingress features (PBR) on the tunnel might kick in. Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about a GRE tunnel between SOURCE and the CE in question, with PBR on
> the SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
>
> Best Regards,
>
> -mat
>
> --
> pgp-key 0x1C655CAB

From rubensk at gmail.com Thu Nov 13 10:44:43 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Thu, 13 Nov 2008 13:44:43 -0200
Subject: [c-nsp] SXI out
In-Reply-To: <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net>
Message-ID: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>

Making the same file for release notes of SXH and SXI makes /me think that SXH4 won't see the light... what have people heard about it?

About SXI, does it look deployable, or is SXI3 or SXI4 the version to look for? (may be too soon to tell, I know)

One thing we noticed about promised features lacking is REP (Resilient Ethernet) on Cat6K.

Rubens

On Thu, Nov 13, 2008 at 12:59 AM, Tolstykh, Andrew wrote:
> Link to the release notes / new features etc.
>
> http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#wp4208036
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jared Mauch
> Sent: Wednesday, November 12, 2008 6:53 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SXI out
>
> It appears Cisco released SXI already.
>
> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>
> --
> Jared Mauch | pgp key available via finger from jared at puck.nether.net
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.

From jared at puck.nether.net Thu Nov 13 10:47:32 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 10:47:32 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
Message-ID: <20081113154732.GA57592@puck.nether.net>

On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
> Making the same file for release notes of SXH and SXI makes /me think
> that SXH4 won't see the light... what have people heard about it?
>
> About SXI, does it look deployable, or is SXI3 or SXI4 the version to look for?
> (may be too soon to tell, I know)

I suspect SXI is highly deployable. :)

It also appears that they now have ssh+ipv6 back in regular ipservices and you can get the LAN-only image too for those, meaning lots of flash savings.

I've done some basic testing in the past ~12 hours of the image and it seems to perform on par with our SXF counterparts.

- Jared

From dwcarder at wisc.edu Thu Nov 13 11:04:08 2008
From: dwcarder at wisc.edu (Dale W. Carder)
Date: Thu, 13 Nov 2008 10:04:08 -0600
Subject: [c-nsp] SXI out
In-Reply-To: <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com>
Message-ID:

On Nov 13, 2008, at 9:44 AM, Rubens Kuhl Jr. wrote:
>
> About SXI, does it look deployable, or is SXI3 or SXI4 the version to
> look for?

I encourage my competitors to deploy SXI. Now. ;-)

Really though, I couldn't imagine touching this stuff before safe-harbor does, or at least waiting for SXI attempt 2 or SXI attempt 3.

The ipv6 feature set could be compelling for those of us still parked on SXF. DHCPv6 relay should be in there, maybe v6 for HSRP, too. There could be some better v6 MIB support (comparable to J?), but I haven't looked yet.
Dale

From gert at greenie.muc.de Thu Nov 13 11:14:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 13 Nov 2008 17:14:23 +0100
Subject: [c-nsp] SXI out
In-Reply-To: <20081113154732.GA57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net>
Message-ID: <20081113161423.GJ8535@greenie.muc.de>

Hi,

On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
> It also appears that they now have ssh+ipv6 back in regular ipservices
> and you can get the lan only image too for those, meaning lots of flash
> savings.

Is there a reasonable IPv6 <-> IOS image package feature matrix somewhere (for SXI)?

Jared, have you tried modular SXI as well?

gert

--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From jared at puck.nether.net Thu Nov 13 11:49:56 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 11:49:56 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <20081113161423.GJ8535@greenie.muc.de>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <20081113161423.GJ8535@greenie.muc.de>
Message-ID: <20081113164956.GC57592@puck.nether.net>

On Thu, Nov 13, 2008 at 05:14:23PM +0100, Gert Doering wrote:
> Hi,
>
> On Thu, Nov 13, 2008 at 10:47:32AM -0500, Jared Mauch wrote:
> > It also appears that they now have ssh+ipv6 back in regular ipservices
> > and you can get the lan only image too for those, meaning lots of flash
> > savings.
>
> Is there a reasonable IPv6 <-> IOS image package feature matrix somewhere
> (for SXI)?
>
> Jared, have you tried modular SXI as well?

Yes I have, but I would recommend doing testing in your environment to determine the exact CPU impact of the modular vs non-modular image set on your configuration.

- Jared

From mksmith at adhost.com Thu Nov 13 12:04:40 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 13 Nov 2008 09:04:40 -0800
Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking?
Message-ID: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan>

Hello All:

Has anyone ever gotten trunking working between a 3560 and Dell 6248 or similar? The Dell seems only to support GVRP in comparison to Cisco's VTP. Since the 3560 doesn't support GVRP I think I'm out of luck, but I'm hoping someone here has figured out a kludge to get this working.
Regards,

Mike

From p.mayers at imperial.ac.uk Thu Nov 13 12:05:37 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 17:05:37 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <20081113154732.GA57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net>
Message-ID: <491C5E61.3020704@imperial.ac.uk>

Jared Mauch wrote:
> On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
>> Making the same file for release notes of SXH and SXI makes /me think
>> that SXH4 won't see the light... what have people heard about it?
>>
>> About SXI, does it look deployable, or is SXI3 or SXI4 the version to look for?
>> (may be too soon to tell, I know)
>
> I suspect SXI is highly deployable. :)

Did you mean "deployable" or "deplorable" ;o)

Rubens,

A briefing we had 18 months or so ago basically said:

* SXH - initial release, to be released shortly (hahaha) some 12.2(33) features, each "version" will have 12 months support

* SXI - major release, to be released later (hohoho) most features, will have the "extended" 24 months support that some SXF releases had

Information is scanty (non-existent?) but I suspect something like the following happened:

* Work starts on SXH *and* SXI more or less simultaneously

* Problems start in SXH train e.g.
they start to slip, finding VSS, sup720-10g and 6708/6716 linecard hardware support are harder

* SXH train gets even later - cisco add more manpower making it later still - eventually gets released in a pretty shabby state

* Meanwhile all this time SXI has been working on the "other" features and ironically, since it's had a later deadline, has been going slower and is more on-track

I personally doubt we will see much more of SXH. We'll probably see an SXH4, since there are known crash bugs in SXH3a, but I'd be surprised to see anything beyond that.

> It also appears that they now have ssh+ipv6 back in regular ipservices
> and you can get the lan only image too for those, meaning lots of flash
> savings.
>
> I've done some basic testing in the past ~12 hours of the
> image and it seems to perform on par with our SXF counterparts.

I wonder if people are interested in coordinating their testing and pooling results?

From justin at justinshore.com Thu Nov 13 12:37:26 2008
From: justin at justinshore.com (Justin Shore)
Date: Thu, 13 Nov 2008 11:37:26 -0600
Subject: [c-nsp] AP1131 crashing
Message-ID: <491C65D6.4030600@justinshore.com>

This isn't SP related so please forgive the noise.

RANCID tipped me off just now that one of my APs had been rebooted. I logged in and found a cryptic error:

System returned to ROM by unknown reload cause - reason ptr 0xF, PC 0x4F6768, address 0x0

The code I'm running is c1130-k9w7-mx.124-10b.JA3. I checked all my other APs. I have 2 others running that 12.4 code and 1 of them was rebooted with an identical error several weeks ago. The other 1131AG appears to be fine. All the rest of my APs are 1231s and run 12.3(8)JEC1. It looks like this has been going on for a while and I somehow missed it. I have 3 crashinfo files on 1 AP and 1 on the other.

Before I upgrade to the new JDA release (or downgrade to 12.3) does anyone have any thoughts?
Thanks
Justin

From tdurack at gmail.com Thu Nov 13 12:43:23 2008
From: tdurack at gmail.com (Tim Durack)
Date: Thu, 13 Nov 2008 12:43:23 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <491C5E61.3020704@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk>
Message-ID: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>

On Thu, Nov 13, 2008 at 12:05 PM, Phil Mayers wrote:
> Jared Mauch wrote:
>
>> On Thu, Nov 13, 2008 at 01:44:43PM -0200, Rubens Kuhl Jr. wrote:
>>
>>> Making the same file for release notes of SXH and SXI makes /me think
>>> that SXH4 won't see the light... what have people heard about it?
>>>
>>> About SXI, does it look deployable, or is SXI3 or SXI4 the version to look
>>> for?
>>> (may be too soon to tell, I know)
>>
>> I suspect SXI is highly deployable. :)
>
> Did you mean "deployable" or "deplorable" ;o)
>
> Rubens,
>
> A briefing we had 18 months or so ago basically said:
>
> * SXH - initial release, to be released shortly (hahaha) some 12.2(33)
> features, each "version" will have 12 months support
>
> * SXI - major release, to be released later (hohoho) most features, will
> have the "extended" 24 months support that some SXF releases had
>
> Information is scanty (non-existent?) but I suspect something like the
> following happened:
>
> * Work starts on SXH *and* SXI more or less simultaneously
>
> * Problems start in SXH train e.g.
> they start to slip, finding VSS,
> sup720-10g and 6708/6716 linecard hardware support are harder
>
> * SXH train gets even later - cisco add more manpower making it later
> still - eventually gets released in a pretty shabby state
>
> * Meanwhile all this time SXI has been working on the "other" features and
> ironically since it's had a later deadline, has been going slower and is
> more on-track
>
> I personally doubt we will see much more of SXH. We'll probably see an
> SXH4, since there are known crash bugs in SXH3a, but I'd be surprised to see
> anything beyond that.
>
>> It also appears that they now have ssh+ipv6 back in regular
>> ipservices
>> and you can get the lan only image too for those, meaning lots of flash
>> savings.
>>
>> I've done some basic testing in the past ~12 hours of the
>> image and it seems to perform on par with our SXF counterparts.
>
> I wonder if people are interested in coordinating their testing and pooling
> results?

Sounds like a good idea. I have four chassis running SXI modular, waiting to go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and working, no load on them at this point though.

Survived a bad experience with SXH2 this week, so I'm looking for something better...
From jared at puck.nether.net Thu Nov 13 12:46:25 2008
From: jared at puck.nether.net (Jared Mauch)
Date: Thu, 13 Nov 2008 12:46:25 -0500
Subject: [c-nsp] SXI out
In-Reply-To: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
Message-ID: <20081113174625.GD57592@puck.nether.net>

On Thu, Nov 13, 2008 at 12:43:23PM -0500, Tim Durack wrote:
> > I wonder if people are interested in coordinating their testing and pooling
> > results?
>
> Sounds like a good idea. I have four chassis running SXI modular, waiting to
> go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and
> working, no load on them at this point though.
>
> Survived a bad experience with SXH2 this week, so I'm looking for something
> better...

If people want to, I can set up a wiki where you can post test cases, results, configurations, feature data, etc. Would that be of value?

- Jared
From p.mayers at imperial.ac.uk Thu Nov 13 12:58:00 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 17:58:00 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <20081113174625.GD57592@puck.nether.net>
References: <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113174625.GD57592@puck.nether.net>
Message-ID: <491C6AA8.702@imperial.ac.uk>

Jared Mauch wrote:
> On Thu, Nov 13, 2008 at 12:43:23PM -0500, Tim Durack wrote:
>>> I wonder if people are interested in coordinating their testing and pooling
>>> results?
>>>
>> Sounds like a good idea. I have four chassis running SXI modular, waiting to
>> go into production next week. OSPF/BGP/MPLS/HSRP type stuff configured and
>> working, no load on them at this point though.
>>
>> Survived a bad experience with SXH2 this week, so I'm looking for something
>> better...
>
> If people want to, I can set up a wiki where you can post
> test cases, results, configurations, feature data, etc..

I already started to whack some stuff in cluepon:

http://cisco.cluepon.net/index.php/Ios_sxi

...but we could move it if people want (I'm not a big MediaWiki fan personally)

Hmm. Something seems to be up with the mac aging timer default.

From p.mayers at imperial.ac.uk Thu Nov 13 13:14:29 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Thu, 13 Nov 2008 18:14:29 +0000
Subject: [c-nsp] SXI out
In-Reply-To: <491C2AA3.6070808@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk> <491C2AA3.6070808@imperial.ac.uk>
Message-ID: <491C6E85.7060102@imperial.ac.uk>

Phil Mayers wrote:
> Hroi Sigurdsson wrote:
>> Jared Mauch wrote:
>>> It appears Cisco released SXI already.
>>>
>>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
>>>
>>
>> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real
>> or just a tease?
>
> It would appear not:

Oh wait - no, it would in fact appear so:

mls ipv6 vrf

...sneaky command you have to type in, then the IPv6 vrf commands become available. Neat-o!

From raymondh.nsp at gmail.com Thu Nov 13 13:59:18 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Fri, 14 Nov 2008 02:59:18 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <70C6A033-934F-4DB1-A2A5-467F8A87391C@gmail.com>

If I didn't remember wrongly, based on the list price it's still cheaper to get the G2 combo either on the 7201 or 7206 w/ the bundle, and the difference in cost is quite significant for some. Unless Magnus sees that there's a need for the central forwarding engine/ESP, or he sees that there's a need for him to scale to a few G, then the ASR would be a good choice, which I'll second to your suggestion.

--raymondh at zzz

On Nov 13, 2008, at 10:25 PM, Rodney Dunn wrote:
> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?
>
> From a growth perspective the ASR1002 would be what I would
> consider giving a potential migration to GigE.
>
> Rodney
>
> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
>> You may want to consider getting either part # CISCO7201 (PSU
>> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
>> cheap).
>> Both the part # for the box, shouldn't be much of a difference or
>> same.
>>
>> --raymondh
>>
>> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>>
>>> I'm looking for some pointers on what are the smallest recommended
>>> Cisco boxes to use for a small multihoming solution.
>>>
>>> 2 full BGP views (approx 260k routes each)
>>> 100 Mbps bandwidth requirement.
>>>
>>> The setup currently uses 2 Juniper M5 but those are in dire need of
>>> refresh.
>>>
>>> What are the appropriate Cisco boxes to go for? Do I need any memory
>>> upgrades etc?
>>>
>>> Any suggestions are welcome.
>>>
>>> Regards Magnus

From hank at efes.iucc.ac.il Thu Nov 13 14:03:30 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 13 Nov 2008 21:03:30 +0200
Subject: [c-nsp] SXI out
In-Reply-To: <20081113174625.GD57592@puck.nether.net>
References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com>
Message-ID: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il>

At 12:46 PM 13-11-08 -0500, Jared Mauch wrote:
> If people want to, I can set up a wiki where you can post
> test cases, results, configurations, feature data, etc..
>
> Would that be of value?

I can't wait for the black T-shirt:

"I have SXI - do you?"
-Hank

From hank at efes.iucc.ac.il Thu Nov 13 14:13:42 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Thu, 13 Nov 2008 21:13:42 +0200
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <70C6A033-934F-4DB1-A2A5-467F8A87391C@gmail.com>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>

>I'm looking for some pointers on what are the smallest recommended
>Cisco boxes to use for a small multihoming solution.
>
>2 full BGP views (approx 260k routes each)
>100 Mbps bandwidth requirement.
>
>The setup currently uses 2 Juniper M5 but those are in dire need of
>refresh.
>
>What are the appropriate Cisco boxes to go for? Do I need any memory
>upgrades etc?
>
>Any suggestions are welcome.

If you don't have a lot of traffic go with a 2821. It is the smallest router that can support 1GB (so it can therefore take full RIBs):

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf

According to Cisco it can do 87Mb/sec of throughput:

http://www.cisco.com/web/partners/downloads/765/tools/quickreference/routerperformance.pdf

Knock off 30-50% due to ACLs and other crud, and if you only need 50Mb/sec total then a 2821 might be your answer. But if you really need 100Mb/sec then a 3845, which can handle 256Mb/sec of throughput, would be the next one that can handle 1GB.
-Hank

From brandon at sterling.net Thu Nov 13 14:26:52 2008
From: brandon at sterling.net (Brandon Price)
Date: Thu, 13 Nov 2008 11:26:52 -0800
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To: <20081113142139.GD4897@rtp-cse-489.cisco.com>
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID:

The tunnel option could work; the problem is the SOURCE is behind a Juniper netscreen and I don't think they support GRE tunnel termination.. Also I don't want this active all the time, I want it to switch dynamically. Maybe there is something else that would accomplish what I am trying to do.

I tried to make a little ASCII diagram, hopefully it comes through ok:

    SOURCE Voip LAN 206.72.96.0
              |
         FW (juniper)
              |
         PE2-------PE1
         | |        |
     dsl1| |dsl2    |
         | |        |T1
         | |        |
         | +--------|
         |          |
         +---------CE1 (cisco)
                    |
            CUST LAN 10.10.10.0

Basically my customer's primary link to me is a T1 to PE1 with QoS enabled for VOICE traffic to my voip servers and switches at 206.72.96.0. These are accessed via FW (juniper netscreen).

In normal operation the route for the CUST LAN through the T1 has the most favourable weight, and traffic never hits PE2. Now if the T1 goes down, dsl1 to PE2 will now have the most favorable route to the LAN, HOWEVER at this point I want traffic with a SOURCE of the voip netblock to take dsl2 to get to the LAN.

This is where I am stuck. How to use PBR on the ingress to PE2....

Brandon

-----Original Message-----
From: Rodney Dunn [mailto:rodunn at cisco.com]
Sent: Thursday, November 13, 2008 6:22 AM
To: Mateusz Błaszczyk
Cc: Brandon Price; cisco-nsp
Subject: Re: [c-nsp] Policy Based Routing on PE

hmmm.....interesting question.

VRF aware PBR wouldn't help.

You had better try it in the lab....but I wonder, along Mat's suggestion, if you could build a GRE tunnel over interface 1 and apply a PBR policy on the tunnel.
Thinking that after the MPLS disposition the ingress features (PBR) on the tunnel might kick in. Tunnels are different from a feature processing perspective and mpls2ip makes it even more complex.

Can he try that just to see if it works?

Rodney

On Thu, Nov 13, 2008 at 01:34:54PM +0000, Mateusz Błaszczyk wrote:
> Brandon,
>
> 2008/11/12 Brandon Price
> >
> > I have a PE with 2 interfaces going to the same CE in vrf CUSTA.
> > I would like packets with a certain SOURCE ip to take interface 2 and
> > all other packets to follow normal routing in the vrf (interface 1).
>
> How about a GRE tunnel between SOURCE and the CE in question, with PBR on
> the SOURCE side if needed to direct traffic towards the tunnel?
>
> > Where on the PE would I set up the route-map ? Any configuration
> > examples?
>
> Unless there is some special feature I don't know about, it seems
> there is no way.
>
> Best Regards,
>
> -mat
>
> --
> pgp-key 0x1C655CAB

From lsawyer at gci.com Thu Nov 13 14:34:22 2008
From: lsawyer at gci.com (Leif Sawyer)
Date: Thu, 13 Nov 2008 10:34:22 -0900
Subject: [c-nsp] 3750 HSRP question
In-Reply-To:
Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>

All -

I've got two 3750's acting in an HSRP failover environment for some critical services.

HSRP is running on a vlan interface.

We have a number of appliances that are dual-homed across the switches, living on the particular VLAN.
We've been experiencing an issue with one of our appliances, and the vendor has come back and asked us to filter out HSRP messages on the physical interfaces connected to their appliance.

Is there a way to filter the HSRP messages from going out a switchport?

They're currently configured with portfast and bpdufiltering enabled.

Thanks.

From gkg at gmx.de Thu Nov 13 14:46:14 2008
From: gkg at gmx.de (Garry)
Date: Thu, 13 Nov 2008 20:46:14 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il>
Message-ID: <491C8406.9000501@gmx.de>

Hank Nussbacher wrote:
>
> But if you really need 100Mb/sec then a 3845 which can handle
> 256Mb/sec of thruput would be the next one that can handle 1GB.

Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825 are nice, too, with their dual GigE onboard ... we use a couple of them for DSL L2TP LAC and as firewall ... running very nicely ...

-garry

From billf at mu.org Thu Nov 13 14:46:28 2008
From: billf at mu.org (bill fumerola)
Date: Thu, 13 Nov 2008 11:46:28 -0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <20081113194628.GV29895@elvis.mu.org>

On Thu, Nov 13, 2008 at 11:52:29AM +0100, Magnus Eriksson wrote:
> The setup currently uses 2 Juniper M5 but those are in dire need of refresh.
i realize this is a cisco list, but the reason i make this suggestion is that it'd be easier to copy your configuration to what's already junos than port to IOS: look into the juniper j-series:

http://www.juniper.net/products_and_services/j_series_services_routers/index.html

even the lowest end device (w/ 1GB of memory from crucial.com or others) can do what you're asking and w/ discount will be well below the other solutions mentioned in this thread. even if your M5s have service PICs, those are emulated in software on that platform.

> What are the appropriate Cisco boxes to go for? Do I need any memory upgrades
> etc?

others have mentioned the 7301/7201/7200-NPE-G2/ASR100x and those are fine choices as well. i don't know if i'd go for the 28xx/38xx models mentioned unless my budget was severely constrained or if i knew traffic was never going to grow.

-- bill

From mksmith at adhost.com Thu Nov 13 15:10:35 2008
From: mksmith at adhost.com (Michael K. Smith - Adhost)
Date: Thu, 13 Nov 2008 12:10:35 -0800
Subject: [c-nsp] 3750 HSRP question
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com>
Message-ID: <17838240D9A5544AAA5FF95F8D52031604F28705@ad-exh01.adhost.lan>

Hello Leif:

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Leif Sawyer
> Sent: Thursday, November 13, 2008 11:34 AM
> To: cisco-nsp
> Subject: [c-nsp] 3750 HSRP question
>
> All -
>
> I've got two 3750's acting in an HSRP failover environment for some
> critical services.
>
> HSRP is running on a vlan interface.
>
> We have a number of appliances that are dual-homed across the switches,
> living on the particular VLAN.
>
> We've been experiencing an issue with one of our appliances, and the
> vendor
> has come back and asked us to filter out HSRP messages on the physical
> interfaces
> connected to their appliance.
> > > Is there a way to filter the HSRP messages from going out a switchport? > > They're currently configured with portfast and bpdufiltering enabled. > HSRP uses multicast address 224.0.0.2 so you could filter out that IP on the appliance-facing ports. Regards, Mike From booloo at ucsc.edu Thu Nov 13 14:30:03 2008 From: booloo at ucsc.edu (Mark Boolootian) Date: Thu, 13 Nov 2008 11:30:03 -0800 Subject: [c-nsp] SXI out In-Reply-To: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> Message-ID: <20081113193003.GA68285@root.ucsc.edu> > I can't wait for the black T-shirt: > > "I have SXI - do you?" "I'm SXI - are you?" From lsawyer at gci.com Thu Nov 13 16:32:18 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 12:32:18 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604F28705@ad-exh01.adhost.lan> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E94265@FNB1EX01.gci.com> Michael K. Smith writes: > HSRP uses multicast address 224.0.0.2 so you could filter out > that IP on the appliance-facing ports. > if that was an option, we'd be doing that.
:-( From achatz at forthnet.gr Thu Nov 13 17:03:42 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 14 Nov 2008 00:03:42 +0200 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA08E941E9@FNB1EX01.gci.com> Message-ID: <491CA43E.4030308@forthnet.gr> If blocking egress multicast doesn't cause any issues in your appliances, you could give "switchport block multicast" a try on their ports. -- Tassos Leif Sawyer wrote on 13/11/2008 21:34: > All - > > I've got two 3750's acting in an HSRP failover environment for some > critical services. > > HSRP is running on a vlan interface. > > We have a number of appliances that are dual-homed across the switches, > living on the particular VLAN. > > We've been experiencing an issue with one of our appliances, and the > vendor > has come back and asked us to filter out HSRP messages on the physical > interfaces > connected to their appliance. > > > Is there a way to filter the HSRP messages from going out a switchport? > > They're currently configured with portfast and bpdufiltering enabled. > > > Thanks. > From s.ganschow at buelow-masiak.de Thu Nov 13 17:06:18 2008 From: s.ganschow at buelow-masiak.de (Sebastian Ganschow) Date: Thu, 13 Nov 2008 23:06:18 +0100 Subject: [c-nsp] 4507R-E losing config Message-ID: <491CA4DA.6050704@buelow-masiak.de> Hi List, we've got two 4507R-E with redundant Supervisor Engine 6-E. To connect these two switches, we're using an X2 Module on each Supervisor Engine. On both switches the Interfaces Te3/1 and Te4/1 are configured as Port-Channel.
Config on both Switches:

interface Te3/1
 description Link1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 100
 channel-group 1 mode on
!
interface Te4/1
 description Link2
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 100
 channel-group 1 mode on
!
interface Po1
 description Bundled-Link
 switchport mode trunk
 switchport trunk allowed vlan 100

If I remove one Supervisor Engine in the first 4507, the Port-Channel only contains interface Te4/1. If I put the removed Engine back, Interface Te3/1 comes back without any configuration. As a result, all vlans are sent over this Link, the other switch detects a configuration mismatch and both interfaces are in err-disabled mode. Any thoughts on this? Thanks in advance. Regards Sebastian From lsawyer at gci.com Thu Nov 13 17:18:31 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 13:18:31 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <491CA43E.4030308@forthnet.gr> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> Tassos Chatzithomaoglou writes: > If blocking egress multicast doesn't cause any issues in your > appliances, you could give "switchport block multicast" a try > on their ports. > unfortunately, this command only blocks "unknown" m/c addresses. HSRP uses a well-known address, and is not subject to this filtering. I've also looked at vlan access-maps, but as that applies to the whole vlan, that would break HSRP connectivity to the other switch. From ploopster at gmail.com Thu Nov 13 16:34:49 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Thu, 13 Nov 2008 16:34:49 -0500 Subject: [c-nsp] GEIP or PA-GE Message-ID: <491C9D79.50800@gmail.com> Anyone know where I can get GEIP, GEIP+ or PA-GE cards cheap? I'm running a 7505 at home, and I'm not made of money. 8-) Peace... Sridhar From ltd at cisco.com Thu Nov 13 17:41:21 2008 From: ltd at cisco.com (Lincoln Dale) Date: Fri, 14 Nov 2008 09:41:21 +1100 Subject: [c-nsp] packet capture on 6509....??
In-Reply-To: <300132.18416.qm@web46209.mail.sp1.yahoo.com> References: <300132.18416.qm@web46209.mail.sp1.yahoo.com> Message-ID: <491CAD11.1050604@cisco.com> Gabby wrote: > Hello, > > Is it possible to do packet capture or the like on a 6509 (or similar platform) that doesn't have a FW module. I know I could do span port, but I'm interested in knowing if there's any other method.... > on Nexus 7000, you can do packet-capture of data-plane traffic today. you can create an access-list with 'log' keyword, e.g. "permit tcp host a.b.c.d host e.f.g.h log", apply that as a Port, VLAN or Routed ACL. N7K will forward the packet in hardware (always does), and send a rate-limited copy to the Supervisor for logging. that rate-limiting is tunable, but by default is at a rate that won't ever cause excessive CPU (default is 100 packet/sec for ACL-copy). NX-OS has ethereal/wireshark built in, you can then run that on the inband Sup port, create a .cap file or view the ethereal parsing on the CLI if you wish. cheers, lincoln. From achatz at forthnet.gr Thu Nov 13 17:45:06 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 14 Nov 2008 00:45:06 +0200 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> References: <38D04BF3A4B7B2499D19EB1DB54285EA08E942A8@FNB1EX01.gci.com> Message-ID: <491CADF2.8090205@forthnet.gr> What about the following? mac address-table static 0100.5e00.0002 vlan X int A B ... Just don't include the 2 appliance interfaces into the interface list (or include only the 2 hsrp ports). -- Tassos Leif Sawyer wrote on 14/11/2008 00:18: > Tassos Chatzithomaoglou writes: >> If blocking egress multicast doesn't cause any issues in your >> appliances, you could give "switchport block multicast" a try >> on their ports. >> > > unfortunately, this command only blocks "unknown" m/c addresses. > > HSRP uses a well-known address, and is not subject to this filtering. 
> > I've also looked at vlan access-maps, but as that applies to the > whole vlan, that would break HSRP connectivity to the other switch. > From tt_745 at yahoo.co.uk Thu Nov 13 17:53:55 2008 From: tt_745 at yahoo.co.uk (tt tt) Date: Thu, 13 Nov 2008 22:53:55 +0000 (GMT) Subject: [c-nsp] Cisco and Extreme Message-ID: <988818.16250.qm@web26703.mail.ukl.yahoo.com> We are currently looking to deploy a number of metro rings (mostly layer 2) with a requirement for basic QOS and rate limiting in 1Mbps increments. The ME3400 looks ideal if only it had decent granularity for policing / shaping. The Metro 3750 and 4900's (for dual 10Gbps uplinks) look more capable but at a significant increase in $$/port. This is leading us towards Extreme switches and linking EAPS rings back to our existing Cisco 7600's. Does anyone have any experience with a similar setup and can comment on compatibility between Cisco and Extreme? Looking back over the lists there are many horror stories when venturing to layer 3 on Extreme a few years back but nothing since around 2006. Has anyone had any success running OSPF on the current X250e / X450 ranges or has everyone been avoiding them lately? Thanks Dave From lsawyer at gci.com Thu Nov 13 17:57:37 2008 From: lsawyer at gci.com (Leif Sawyer) Date: Thu, 13 Nov 2008 13:57:37 -0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <491CADF2.8090205@forthnet.gr> Message-ID: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> Tassos Chatzithomaoglou writes: > > What about the following? > > mac address-table static 0100.5e00.0002 vlan X int A B ... > > Just don't include the 2 appliance interfaces into the > interface list (or include only the 2 hsrp ports). Nope.
That doesn't seem to do anything -- I'm still seeing the HSRP packets in my sniffer. Sigh. Cisco sure doesn't want to perform outbound MAC-layer filtering on its interfaces, no matter what the security implications might be. It sure would be nice if they'd figure out that allowing this traffic to be restricted to known/allowed ports, the network would be just a little bit safer. From Moens at carrier2carrier.com Thu Nov 13 17:58:53 2008 From: Moens at carrier2carrier.com (Martin Moens) Date: Thu, 13 Nov 2008 23:58:53 +0100 Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <491C9D79.50800@gmail.com> Message-ID: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> Tried eBay? > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Sridhar Ayengar > Sent: Thursday, 13 November, 2008 22:35 > To: Cisco NSPs > Subject: [c-nsp] GEIP or PA-GE > > > Anyone know where I can get GEIP, GEIP+ or PA-GE cards cheap? > I'm running a > 7505 at home, and I'm not made of money. 8-) > > Peace... Sridhar > From Marques.Johnson at LTSCompany.com Thu Nov 13 17:29:16 2008 From: Marques.Johnson at LTSCompany.com (Marques Johnson) Date: Thu, 13 Nov 2008 14:29:16 -0800 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? Message-ID: I was wondering why there are local IP addresses in my BGP table? *> 192.100.146.0 207.162.208.221 0 0 26689 3356 i I am trying to figure out the best way to utilize multihomed routing between our two DS3 providers. I am new to the NSP world and trying to get a grasp on what we have. The overall problem stems from one of our DS3's flapping and customers being down for a few minutes while the tables converge and routes update.
I would like it to be quicker if possible. Thanks From pwu828 at gmail.com Thu Nov 13 18:01:40 2008 From: pwu828 at gmail.com (Patrick Wu) Date: Fri, 14 Nov 2008 10:01:40 +1100 Subject: [c-nsp] Intermittent 100% backplane utilisation on Cisco 6500 In-Reply-To: <6d72a2a10811122315u731ede53h1c327f9ebc8f0fff@mail.gmail.com> References: <6d72a2a10811122315u731ede53h1c327f9ebc8f0fff@mail.gmail.com> Message-ID: Thanks, so was it the SUP module or the GE module that was faulty? On Thu, Nov 13, 2008 at 6:15 PM, Nitzan Tzelniker < nitzan.tzelniker at gmail.com> wrote: > I saw this issue in the past on sup720; it was probably a faulty module (we > replaced some of them and the spikes stopped) > > Nitzan > > On Thu, Nov 13, 2008 at 03:10, Patrick Wu wrote: > >> Hi, >> >> >> >> I'm currently having issues with one of the Cisco 6506 in the network, it >> is >> running HSRP with another 6506 and also running OSPF/BGP. Recently, this >> 6506 is having intermittent 100% backplane utilisation, which caused >> everything to stop responding for a couple of seconds. >> >> >> >> As a result, spanning tree recalculation and HSRP failover kicked in, and >> caused interruptions in many parts of the network. >> >> >> >> What I don't understand is what caused the 100% utilisation; googling >> reveals that it could be caused by spanning tree loops and broadcast >> storms. >> But I have already tuned down the storm-control on broadcast on all ports >> into the 6506, and I don't think there are any loops in the network. >> >> >> >> Unlike a DDoS attack where the 100% utilisation is continuous, it just >> peaks at 100% for 1 or 2 seconds and comes back down... the logs don't >> seem >> to show much >> >> >> >> Anyone who has had a similar experience or is able to point me in the right >> direction would be greatly appreciated! Thanks.
>>
>> Here's the show version and show module:
>>
>> show version
>> Cisco Internetwork Operating System Software
>> IOS (tm) c6sup1_rp Software (c6sup1_rp-PSV-M), Version 12.1(22)E1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2004 by cisco Systems, Inc.
>> Compiled Fri 16-Apr-04 10:13 by pwade
>> Image text-base: 0x60020F90, data-base: 0x616EA000
>>
>> ROM: System Bootstrap, Version 12.0(3)XE, RELEASE SOFTWARE
>> BOOTLDR: MSFC Software (C6MSFC-BOOT-M), Version 12.1(3a)E4, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
>>
>> xxxxxxxx uptime is 23 weeks, 5 days, 27 minutes
>> Time since xxxxxxxx switched to active is 23 weeks, 5 days, 29 minutes
>> System returned to ROM by power-on (SP by reload)
>> System restarted at 09:34:31 AEST Sat May 31 2008
>> System image file is "slot0:c6sup11-psv-mz.121-22.E1"
>>
>> cisco WS-C6506 (R5000) processor (revision 3.0) with 114688K/16384K bytes of memory.
>> Processor board ID TBA05290886
>> R5000 CPU at 200Mhz, Implementation 35, Rev 2.1
>> Last reset from power-on
>> X.25 software, Version 3.0.0.
>> Bridging software.
>> 146 Virtual Ethernet/IEEE 802.3 interface(s)
>> 48 FastEthernet/IEEE 802.3 interface(s)
>> 10 Gigabit Ethernet/IEEE 802.3 interface(s)
>> 381K bytes of non-volatile configuration memory.
>> 4096K bytes of packet SRAM memory.
>>
>> 16384K bytes of Flash internal SIMM (Sector size 256K).
>> Configuration register is 0x2102
>>
>> show module
>> Mod Ports Card Type                              Model              Serial No.
>> --- ----- -------------------------------------- ------------------ -----------
>>   1     2 Cat 6k sup 1 Enhanced QoS (Active)    WS-X6K-SUP1A-2GE   SAD03414219
>>   3    48 48 port 10/100 mb RJ-45 ethernet       WS-X6248-RJ-45     SAD03430896
>>   5     8 8 port 1000mb GBIC Enhanced QoS        WS-X6408A-GBIC     SAD05040L5K
>>
>> Mod MAC addresses                      Hw     Fw           Sw           Status
>> --- ---------------------------------- ------ ------------ ------------ -------
>>   1 00d0.bcee.59a8 to 00d0.bcee.59a9   3.2    5.3(1)       12.1(22)E1   Ok
>>   3 0030.9613.f314 to 0030.9613.f343   1.1    4.2(0.24)VAI 8.3(0.111)TF Ok
>>   5 0002.fc25.3224 to 0002.fc25.322b   1.6    5.4(2)       8.3(0.111)TF Ok
>>
>> Mod Sub-Module                  Model           Serial          Hw      Status
>> --- --------------------------- --------------- --------------- ------- -------
>>   1 Policy Feature Card         WS-F6K-PFC      SAD03424981     1.0     Ok
>>   1 MSFC Cat6k daughterboard    WS-F6K-MSFC     SAD03427635     1.4     Ok
>>
>> Mod Online Diag Status
>> --- -------------------
> > From streiner at cluebyfour.org Thu Nov 13 18:07:37 2008 From: streiner at cluebyfour.org (Justin M. Streiner) Date: Thu, 13 Nov 2008 18:07:37 -0500 (EST) Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <491C9D79.50800@gmail.com> References: <491C9D79.50800@gmail.com> Message-ID: On Thu, 13 Nov 2008, Sridhar Ayengar wrote: > Anyone know where I can get GEIP, GEIP+ or PA-GE cards cheap? I'm running a 7505 > at home, and I'm not made of money. 8-) That would depend on how you define cheap :) Your best bet would probably be to check with one of the many places that deal in used Cisco parts.
I haven't priced them or looked at volumes on the secondary market in a long time, but I'd think 7500 blades like the GEIP and GEIP+ would be pretty reasonably priced since the 7500 series is end of life. If the resellers know they can sell them (2511s, for example), they'll be more expensive, but if the parts aren't in high demand, then you might have a little more room to haggle on the price. jms From sthaug at nethelp.no Thu Nov 13 18:12:21 2008 From: sthaug at nethelp.no (sthaug at nethelp.no) Date: Fri, 14 Nov 2008 00:12:21 +0100 (CET) Subject: [c-nsp] Cisco and Extreme In-Reply-To: <988818.16250.qm@web26703.mail.ukl.yahoo.com> References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> Message-ID: <20081114.001221.74679519.sthaug@nethelp.no> > We are currently looking to deploy a number of metro rings (mostly > layer 2) with a requirement for basic QOS and rate limiting in 1Mbps > increments. The ME3400 looks ideal if only it had decent granularity > for policing / shaping. We have looked at the ME3400 for a similar role. Our biggest concerns have been the rather limited MAC table size (8K entries), no 24xSFP model, and somewhat unpalatable licensing (QinQ requires an extra license, using more than 4 NNI ports requires yet another license). > The Metro 3750 and 4900's (for dual 10Gbps > uplinks) look more capable but at a significant increase in > $$/port. This is leading us towards Extreme switches and linking > EAPS rings back to our existing Cisco 7600's. > > Does anyone have any experience with a similar setup and can comment > on compatibility between Cisco and Extreme? We have quite a few metro rings built on Extreme switches and EAPS. These are uplinked either directly to MPLS routers or to other switches, often Cisco. No specific Cisco/Extreme problems, it basically just works. Note that we do *not* depend on any kind of spanning tree interoperability.
> Looking back over the lists there are many horror stories when > venturing to layer 3 on Extreme a few years back but nothing since > around 2006. Has anyone had any success running OSPF on the > current X250e / X450 ranges or has everyone been avoiding them > lately? I'd still stay away from L3 on the Extreme boxes... Steinar Haug, Nethelp consulting, sthaug at nethelp.no From ddunkin at netos.net Thu Nov 13 18:15:17 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Thu, 13 Nov 2008 15:15:17 -0800 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? References: Message-ID: <56F5BC5F404CF84896C447397A1AAF20A0FE79@MAIL.nosi.netos.com> Do you mean local as in private? It is 192.168.0.0/16 that is private, not 192.0.0.0/8. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marques Johnson Sent: Thursday, November 13, 2008 14:29 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Why would there be local ip address in my BGP routing table? I was wondering why there are local IP addresses in my BGP table? *> 192.100.146.0 207.162.208.221 0 0 26689 3356 i I am trying to figure out the best way to utilize multihomed routing between our two DS3 providers. I am new to the NSP world and trying to get a grasp on what we have. The overall problem stems from one of our DS3's flapping and customers being down for a few minutes while the tables converge and routes update. I would like it to be quicker if possible.
Thanks From ariemer at wesenergy.com.au Thu Nov 13 18:42:01 2008 From: ariemer at wesenergy.com.au (Aaron Riemer) Date: Fri, 14 Nov 2008 08:42:01 +0900 Subject: [c-nsp] 3750 HSRP question In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> References: <491CADF2.8090205@forthnet.gr> <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com> Message-ID: <0867622C64B50C4B878AB45C95F43F110646DB98@MAILWA01.wesenergy.local> Yes it would be nice if you could control where the HSRP advertisements are sent out. Something similar to the passive-interface command with EIGRP would be nice. Let me know if you work this one out. I don't like the idea of HSRP spamming our Ethernet VLANs either. Aaron Riemer -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Leif Sawyer Sent: Friday, 14 November 2008 7:58 AM To: cisco-nsp Subject: Re: [c-nsp] 3750 HSRP question Tassos Chatzithomaoglou writes: > > What about the following? > > mac address-table static 0100.5e00.0002 vlan X int A B ... > > Just don't include the 2 appliance interfaces into the > interface list (or include only the 2 hsrp ports). Nope. That doesn't seem to do anything -- I'm still seeing the HSRP packets in my sniffer. Sigh. Cisco sure doesn't want to perform outbound MAC-layer filtering on its interfaces, no matter what the security implications might be. It sure would be nice if they'd figure out that allowing this traffic to be restricted to known/allowed ports, the network would be just a little bit safer.
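Since neither "switchport block multicast" nor a static MAC entry keeps the hellos off the appliance ports, every host on that VLAN receives them. The following is an added example for this thread, not code from any poster: it decodes an HSRPv1 hello exactly as such a host sees it, using the RFC 2281 layout (UDP port 1985 to 224.0.0.2, 20-byte payload), and applies the RFC's election rule so the reader can see what a listener learns and can do with it: group, priority, the clear-text authentication string (default "cisco") and the virtual IP. The sample packets and all addresses are constructed for the example; the check assumes, as IOS does, that a router ignores hellos whose authentication data does not match its own.

```python
"""HSRPv1 hello decoder and election check (RFC 2281).

Added example for this thread; it is not code from any poster. HSRPv1
hellos are UDP/1985 to 224.0.0.2, so every host on the VLAN (including
the appliance ports discussed above) receives them. Only the 20-byte
HSRP payload is handled; Ethernet/IP/UDP headers are assumed stripped.
All addresses and packets below are constructed for the example.
"""
import socket
import struct
from dataclasses import dataclass

HSRP_PORT = 1985            # UDP destination port used by HSRPv1
HSRP_MCAST = "224.0.0.2"    # all-routers group used by HSRPv1
DEFAULT_AUTH = b"cisco"     # RFC 2281 default, sent in clear text

OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak",
          8: "standby", 16: "active"}

# version, opcode, state, hellotime, holdtime, priority, group, reserved,
# 8 bytes auth data, 4 bytes virtual IP: 20 bytes, network byte order
_HSRP_FMT = "!8B8s4s"
HSRP_LEN = struct.calcsize(_HSRP_FMT)


@dataclass(frozen=True)
class HsrpHello:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp(payload: bytes) -> HsrpHello:
    """Decode one HSRPv1 payload; raises ValueError on junk."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRP payload shorter than 20 bytes")
    ver, op, st, hello, hold, prio, grp, _rsvd, auth, vip = struct.unpack(
        _HSRP_FMT, payload[:HSRP_LEN])
    if ver != 0:
        raise ValueError(f"not HSRPv1 (version field {ver})")
    return HsrpHello(
        opcode=OPCODES.get(op, f"opcode-{op}"),
        state=STATES.get(st, f"state-{st}"),
        hellotime=hello, holdtime=hold, priority=prio, group=grp,
        auth=auth.rstrip(b"\x00").decode("ascii", "replace"),
        virtual_ip=socket.inet_ntoa(vip),
    )


def build_hsrp(opcode: int, state: int, priority: int, group: int,
               virtual_ip: str, auth: bytes = DEFAULT_AUTH,
               hellotime: int = 3, holdtime: int = 10) -> bytes:
    """Encode an HSRPv1 payload (used here only to construct sample input)."""
    if len(auth) > 8:
        raise ValueError("auth data is at most 8 bytes")
    return struct.pack(_HSRP_FMT, 0, opcode, state, hellotime, holdtime,
                       priority, group, 0, auth.ljust(8, b"\x00"),
                       socket.inet_aton(virtual_ip))


def _ip_to_int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def would_win_election(active: HsrpHello, active_ip: str,
                       challenger: HsrpHello, challenger_ip: str) -> bool:
    """RFC 2281 election: same group and auth data (assumed to be checked
    by the active router, as IOS does), then higher priority, ties broken
    by the higher source IP. The auth string is learned from the hello."""
    if challenger.group != active.group or challenger.auth != active.auth:
        return False
    if challenger.priority != active.priority:
        return challenger.priority > active.priority
    return _ip_to_int(challenger_ip) > _ip_to_int(active_ip)


def summarize(payload: bytes, src_ip: str) -> str:
    """One-line view of what any host on the VLAN learns from a hello."""
    h = parse_hsrp(payload)
    return (f"{src_ip} group {h.group} {h.state} prio {h.priority} "
            f"vip {h.virtual_ip} auth '{h.auth}' hold {h.holdtime}s")


if __name__ == "__main__":
    # Constructed sample: the active router's hello as seen on the wire.
    active_pkt = build_hsrp(0, 16, 100, 1, "10.1.1.1")
    print(summarize(active_pkt, "10.1.1.2"))
    rogue = parse_hsrp(build_hsrp(0, 4, 255, 1, "10.1.1.1"))
    print("prio-255 hello from 10.1.1.3 wins:",
          would_win_election(parse_hsrp(active_pkt), "10.1.1.2",
                             rogue, "10.1.1.3"))
```

Run stand-alone it prints the decoded hello and shows that a hello with priority 255 and the auth string copied from the wire would win the election for the group; that is the exposure behind the "security implications" mentioned above, and the reason a host that does not need the hellos should not be able to see them.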
From peter at rathlev.dk Thu Nov 13 19:17:47 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 14 Nov 2008 01:17:47 +0100 Subject: [c-nsp] 4507R-E losing config In-Reply-To: <491CA4DA.6050704@buelow-masiak.de> References: <491CA4DA.6050704@buelow-masiak.de> Message-ID: <1226621867.3501.14.camel@abehat> On Thu, 2008-11-13 at 23:06 +0100, Sebastian Ganschow wrote: > If I remove one Supervisor Engine in the first 4507, the Port-Channel > only contains interface Te4/1. > > If I put the removed Engine back, Interface Te3/1 comes back without > any configuration. > > As a result, all vlans are sent over this Link, the other switch > detects a configuration mismatch and both interfaces are in > err-disabled mode. > > Any thoughts on this? Maybe running LACP on the link ("channel-group 1 mode active") could help avoid the err-disable part. As far as I understand, you would end up with a one-member port-channel on each side, and then a standalone "I" port (independent) on the unchanged side facing a regular switchport on the "supervisor challenged" side. Spanning tree blocks one of the paths. I haven't tested this, just guessing. This doesn't solve the interface config going missing of course.
Regards, Peter From peter at rathlev.dk Thu Nov 13 19:42:30 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Fri, 14 Nov 2008 01:42:30 +0100 Subject: [c-nsp] IP Cef load sharing, quick question In-Reply-To: References: <1226079151.3474.8.camel@abehat> Message-ID: <1226623350.3501.26.camel@abehat> On Thu, 2008-11-13 at 11:50 -0500, Drew Weaver wrote: > GWIP was substituted for the ip of the 'gateway' or other end of that > interface. > > Sorry, of course the IP would be in the route. I was just > 'obfusticating the output' for the list, as they say ;-) That explains a lot. Overlooked that one. :-) > As far as the GLBP goes, this solution isn't for any particular L4 > application it is just for all network traffic from any server on this > switch to the rest of the network. AFAIK, GLBP would require one L2 segment shared between the three links. In that case you might not be able to take advantage of it at all. If you have redundant paths, e.g. if the three destinations in the other end of the links have L2 connectivity (for this VLAN) other than through your gateway, then spanning tree or an equivalent might block all but one link, thus rendering the load sharing part of GLBP less effective. Making your gateway the STP root would mitigate this, but that might not be desirable/possible. I'd keep the ECMP with static routes and no L2 connectivity between the links and then let CEF do the load-sharing, per destination. Regards, Peter From brett at looney.id.au Thu Nov 13 20:50:04 2008 From: brett at looney.id.au (Brett Looney) Date: Fri, 14 Nov 2008 10:50:04 +0900 Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking? In-Reply-To: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> Message-ID: <034e01c945fb$52df6610$f89e3230$@id.au> > Has anyone ever gotten trunking working between a > 3560 and Dell 6248 or similar? The Dell seems only > to support GVRP in comparison to Cisco's VTP. 
> Since the 3560 doesn't support GVRP I think I'm out > of luck, but I'm hoping someone here has figured out > a kludge to get this working. I've had trunking working between Cisco and Dell switches before. You can configure trunking manually on either end - you don't need VTP/GVRP to build a trunk. For example:

interface GigabitEthernet 1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 1-50

Obviously you'd need to define the VLANs manually on each end for this to work. Or am I missing something in your question? B. From ben.steele at internode.on.net Thu Nov 13 22:14:22 2008 From: ben.steele at internode.on.net (Ben Steele) Date: Fri, 14 Nov 2008 13:44:22 +1030 Subject: [c-nsp] SXI out In-Reply-To: <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> References: <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <20081113005318.GA76126@puck.nether.net> <6E31172B4025564D861CD73627500BAC02E2FA94@pru-mail02.pe.net> <6bb5f5b10811130744v3bd600c4y19ec5b53863ae82c@mail.gmail.com> <20081113154732.GA57592@puck.nether.net> <491C5E61.3020704@imperial.ac.uk> <9e246b4d0811130943w2e3d7ed6k32c750f8e3bfbaba@mail.gmail.com> <5.1.0.14.2.20081113210233.00b248c0@efes.iucc.ac.il> Message-ID: <003301c94607$17bc94c0$4735be40$@steele@internode.on.net> You'll have to beat all the girls off with your linecards with a t-shirt that cool! -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher Sent: Friday, 14 November 2008 5:34 AM To: Jared Mauch; Tim Durack Cc: cisco-nsp at puck.nether.net; Jared Mauch Subject: Re: [c-nsp] SXI out At 12:46 PM 13-11-08 -0500, Jared Mauch wrote: > If people want to, I can set up a wiki where you can post >test cases, results, configurations, feature data, etc.. > > Would that be of value? I can't wait for the black T-shirt: "I have SXI - do you?"
-Hank > - Jared > >-- >Jared Mauch | pgp key available via finger from jared at puck.nether.net >clue++; | http://puck.nether.net/~jared/ My statements are only mine. From ploopster at gmail.com Thu Nov 13 22:27:24 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Thu, 13 Nov 2008 22:27:24 -0500 Subject: [c-nsp] GEIP or PA-GE In-Reply-To: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> Message-ID: <491CF01C.7080104@gmail.com> Martin Moens wrote: > Tried eBay? Yup. Very expensive. More than some dealer prices. Peace... Sridhar From risnaini at indo.net.id Thu Nov 13 22:33:53 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Fri, 14 Nov 2008 10:33:53 +0700 Subject: [c-nsp] Why would there be local ip address in my BGP routing table? In-Reply-To: References: Message-ID: <491CF1A1.701@indo.net.id> It's not a local block.. actually it's a public IP address block and belongs to the US Dept. of Agriculture. OrgName: U.S. Dept.
of Agriculture - ARS
OrgID: UDAA-2
Address: Agricultural Research Service
Address: Plant Sciences Institute
Address: Alternate Crops and Systems Laboratory
Address: Bldg.001 Room 342
Address: 10300 Baltimore Avenue
City: Beltsville
StateProv: MD
PostalCode: 20707
Country: US
NetRange: 192.100.146.0 - 192.100.146.255
CIDR: 192.100.146.0/24
NetName: ARS-GRIN
NetHandle: NET-192-100-146-0-1
Parent: NET-192-0-0-0-0
NetType: Direct Assignment
NameServer: SUN.ARS-GRIN.GOV
NameServer: KNOCK.SER.BBNPLANET.COM
Comment:
RegDate: 1991-04-17
Updated: 1996-09-12

a. r. isnaini rangkayo sutan Facebook : http://www.facebook.com/home.php?ref=home#/profile.php?v=feed&id=1476655470 Marques Johnson wrote: > I was wondering why there are local IP addresses in my BGP table? > > > > *> 192.100.146.0 207.162.208.221 0 0 26689 3356 > i > > > > > > I am trying to figure out the best way to utilize multihomed routing > between our two DS3 providers. I am new to the NSP world and trying to > get a grasp on what we have. > > > > The overall problem stems from one of our DS3's flapping and customers > being down for a few minutes while the tables converge and routes > update. I would like it to be quicker if possible. > > > > Thanks > From risnaini at indo.net.id Thu Nov 13 22:36:41 2008 From: risnaini at indo.net.id (a. rahman isnaini r.sutan) Date: Fri, 14 Nov 2008 10:36:41 +0700 Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com> References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> Message-ID: <491CF249.5090809@indo.net.id> IMHO, since we are now running both Juniper & Cisco, for handling huge amounts of traffic (e.g. flooding) the M5 is still much better than the 7206 VXR a. r. isnaini rangkayo sutan Rodney Dunn wrote: > I haven't looked at the price list. > > How does an ASR1002 compare to a G2 combo? > > From a growth perspective the ASR1002 would be what I would > consider giving a potential migration to GigE. > > Rodney > > On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote: >> You may want to consider getting either part # CISCO7201 (PSU >> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite >> cheap). >> Both the part # for the box, shouldn't be much of a difference or same. >> >> >> --raymondh >> >> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote: >> >>> I'm looking for some pointers on what are the smallest recommended >>> Cisco >>> boxes to use for a small multihoming solution. >>> >>> 2 full BGP views (approx 260k routes each) >>> 100 Mbps bandwidth requirement. >>> >>> The setup currently uses 2 Juniper M5 but those are in dire need of >>> refresh. >>> >>> >>> What are the appropriate Cisco boxes to go for? Do I need any memory >>> upgrades >>> etc? >>> >>> Any suggestions are welcome.
>>>
>>> Regards Magnus

From mtinka at globaltransit.net Thu Nov 13 22:43:03 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 11:43:03 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <491CF249.5090809@indo.net.id>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <491CF249.5090809@indo.net.id>
Message-ID: <200811141143.15672.mtinka@globaltransit.net>

On Friday 14 November 2008 11:36:41 a. rahman isnaini r.sutan wrote:
> IMHO, since we are now running both Juniper & Cisco,
> for handling huge amounts of traffic (e.g. flooding) the M5 is still much
> better compared to the 7206 VXR.

To be fair, it's a different architecture - so an apple-to-apple comparison isn't really possible. One should compare the entry-level M-series to Cisco's ASR1000 series, or the 7200's to Juniper's J-series.

Granted, Cisco have finally started playing ball in this hardware forwarding scope for this class of routers (as have Juniper in the software forwarding arena), so no operator can be blamed for past comparisons.

Cheers,

Mark.

From bandwidth.user at gmail.com Thu Nov 13 22:46:56 2008
From: bandwidth.user at gmail.com (roy)
Date: Fri, 14 Nov 2008 11:46:56 +0800
Subject: [c-nsp] Policy Based Routing on PE
In-Reply-To:
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <491CF4B0.7050006@gmail.com>

Brandon Price wrote:
> The tunnel option could work, the problem is the SOURCE is behind a
> Juniper netscreen and I don't think they support gre tunnel
> termination..
> Also I don't want this active all the time, I want it to switch
> dynamically.
>
> Maybe there is something else that would accomplish what I am trying to
> do.
>
> I tried to make a little ASCII diagram, hopefully it comes through ok:
>
>      SOURCE Voip LAN 206.72.96.0
>               |
>          FW (juniper)
>               |
>         PE2-------PE1
>         | |        |
>     dsl1| |dsl2    |
>         | |        |T1
>         | |        |
>         | +------- |
>         +--------CE1 (cisco)
>                   |
>                   |
>         CUST LAN 10.10.10.0
>
> Basically my customer's primary link to me is a T1 to PE1 with QOS
> enabled for VOICE traffic to my voip servers and switches at
> 206.72.96.0. These are accessed via FW (juniper netscreen). In normal
> operation the route for the CUST LAN through the t1 has the most
> favourable weight, and traffic never hits PE2.
>
> Now if the T1 goes down, dsl1 to PE2 will now have the most favorable
> route to the lan, HOWEVER at this point I want traffic with a SOURCE of
> the voip netblock to take dsl2 to get to the lan. This is where I am
> stuck. How to use PBR on the ingress to PE2....

With PHP, wouldn't PBR work on PE2?

roy

From hank at efes.iucc.ac.il Thu Nov 13 23:56:02 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 14 Nov 2008 06:56:02 +0200 (IST)
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <491C8406.9000501@gmx.de>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID:

On Thu, 13 Nov 2008, Garry wrote:

The 3825 can take 1GB? The Cisco ISR link doesn't show that.

-Hank

> Hank Nussbacher wrote:
>>
>> But if you really need 100Mb/sec then a 3845 which can handle
>> 256Mb/sec of thruput would be the next one that can handle 1GB.
> Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825
> are nice, too with their dual GigE onboard ... we use a couple of them
> for DSL L2TP LAC and as Firewall ... running very nicely ...
>
> -garry

From ecables at gmail.com Fri Nov 14 00:09:58 2008
From: ecables at gmail.com (Eric Cables)
Date: Thu, 13 Nov 2008 21:09:58 -0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID:

If you look at the interactive model (http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html) you can see GE0/0 and GE0/1 interfaces.
In addition, the data sheet for both the 3825 and 3845 indicates 2 10/100/1000 interfaces:

http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

--
Eric Cables

On Thu, Nov 13, 2008 at 8:56 PM, Hank Nussbacher wrote:
> On Thu, 13 Nov 2008, Garry wrote:
>
> The 3825 can take 1GB? The Cisco ISR link doesn't show that.
>
> -Hank
>
>> Hank Nussbacher wrote:
>>>
>>> But if you really need 100Mb/sec then a 3845 which can handle
>>> 256Mb/sec of thruput would be the next one that can handle 1GB.
>>>
>> Actually, 3825 would be the next one ... rated at ~170Mb/sec ... 3825
>> are nice, too with their dual GigE onboard ... we use a couple of them
>> for DSL L2TP LAC and as Firewall ... running very nicely ...
>>
>> -garry

From mtinka at globaltransit.net Fri Nov 14 00:18:27 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 13:18:27 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com>
Message-ID: <200811141318.31251.mtinka@globaltransit.net>

On Friday 14 November 2008 13:09:58 Eric Cables wrote:
> If you look at the interactive model (
> http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html)
> you can see GE0/0 and GE0/1 interfaces.
>
> In addition, the data sheet for both the 3825 and 3845
> indicates 2 10/100/1000 interfaces:
> http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

I think just to avoid any confusion; 1GB as in RAM/flash, and 1Gbps as in bandwidth/interface :-).

Oooh, this "B" and "b" thing...

Mark.

From hank at efes.iucc.ac.il Fri Nov 14 00:56:43 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 14 Nov 2008 07:56:43 +0200 (IST)
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <200811141318.31251.mtinka@globaltransit.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net>
Message-ID:

And to repeat - to the best of my knowledge the 3825 can't take 1GB of RAM and therefore is not an optimal solution for small multihoming.

-Hank

On Fri, 14 Nov 2008, Mark Tinka wrote:
> On Friday 14 November 2008 13:09:58 Eric Cables wrote:
>
>> If you look at the interactive model (
>> http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html)
>> you can see GE0/0 and GE0/1 interfaces.
>>
>> In addition, the data sheet for both the 3825 and 3845
>> indicates 2 10/100/1000 interfaces:
>> http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html
>
> I think just to avoid any confusion; 1GB as in RAM/flash,
> and 1Gbps as in bandwidth/interface :-).
>
> Oooh, this "B" and "b" thing...
>
> Mark.

From s.ganschow at buelow-masiak.de Fri Nov 14 02:19:20 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 08:19:20 +0100
Subject: [c-nsp] 4507R-E loosing config
In-Reply-To: <1226621867.3501.14.camel@abehat>
References: <491CA4DA.6050704@buelow-masiak.de> <1226621867.3501.14.camel@abehat>
Message-ID: <491D2678.6040303@buelow-masiak.de>

Peter Rathlev wrote:
>
> Maybe running LACP on the link ("channel-group 1 mode active") could
> help avoid the err-disable part. As far as I understand, you would end
> up with a one-member port-channel on each side, and then a standalone
> "I" port (independent) on the unchanged side facing a regular switchport
> on the "supervisor challenged" side. Spanning tree blocks one of the
> paths.
>
> I haven't tested this, just guessing.
>
> This doesn't solve the interface config going missing of course.

It wouldn't be the worst if the interface starts without any config. This would only happen if one of the Sups has a defect and is going to be replaced. In this case, we could paste the config.
But if the interface is acting the way described, the whole link is useless.

Sebastian

From r.tahina at moov.mg Fri Nov 14 02:44:08 2008
From: r.tahina at moov.mg (RAZAFINDRATSIFA Rivo Tahina)
Date: Fri, 14 Nov 2008 10:44:08 +0300
Subject: [c-nsp] log PPPoE session on router
Message-ID: <7.0.1.0.2.20081114103908.0036ca20@moov.mg>

Hi all,

I use a 3825 for PPPoE termination, with local authentication. How can I log user sessions in the router's log?

Kind regards.

From s.ganschow at buelow-masiak.de Fri Nov 14 03:02:20 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 09:02:20 +0100
Subject: [c-nsp] 4507R-E loosing config
In-Reply-To: <491D2678.6040303@buelow-masiak.de>
Message-ID:

We've just tested it with channel-group 1 mode active.

The Sup comes back with no config on the Te interface. But the other 4507 got no err-disabled state.

Works for us.
Thanks
Sebastian

> -----Original Message-----
> Peter Rathlev wrote:
>>
>> Maybe running LACP on the link ("channel-group 1 mode active") could
>> help avoid the err-disable part. As far as I understand, you would end
>> up with a one-member port-channel on each side, and then a standalone
>> "I" port (independent) on the unchanged side facing a regular switchport
>> on the "supervisor challenged" side. Spanning tree blocks one of the
>> paths.
>>
>> I haven't tested this, just guessing.
>>
>> This doesn't solve the interface config going missing of course.
>
> It wouldn't be the worst if the interface starts without any config.
> This would only happen if one of the Sups has a defect and is going to be
> replaced. In this case, we could paste the config.
> But if the interface is acting the way described, the whole link is
> useless.
>
> Sebastian

From tomas at soitron.com Fri Nov 14 03:09:34 2008
From: tomas at soitron.com (Tomas Daniska)
Date: Fri, 14 Nov 2008 09:09:34 +0100
Subject: [c-nsp] Cisco and Extreme
In-Reply-To: <20081114.001221.74679519.sthaug@nethelp.no>
References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> <20081114.001221.74679519.sthaug@nethelp.no>
Message-ID: <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>

>>> Does anyone have any experience with a similar setup and can comment
>>> on compatibility between Cisco and Extreme?

One of our customers had repeated significant problems with running OSPF (from L3 Cisco boxes) over Extreme Summit based L2 infrastructure. The switches were multiplying OSPF hellos, wreaking havoc on OSPF adjacencies often. The hellos were replicated even in VLANs that were pure L2 on the Extremes.
--
deejay

From achatz at forthnet.gr Fri Nov 14 03:36:37 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 10:36:37 +0200
Subject: [c-nsp] 4507R-E loosing config
In-Reply-To:
References:
Message-ID: <491D3895.6020102@forthnet.gr>

Can you post the errdisable message? You could possibly (if loops aren't the problem) disable the reason regarding it.

Also, do you have errdisable recovery turned on?

--
Tassos

Sebastian Ganschow wrote on 14/11/2008 10:02:
> We've just tested it with channel-group 1 mode active.
>
> The Sup comes back with no config on the Te interface. But the other
> 4507 got no err-disabled state.
>
> Works for us.
>
> Thanks
> Sebastian
>
>> -----Original Message-----
>> Peter Rathlev wrote:
>>
>>> Maybe running LACP on the link ("channel-group 1 mode active") could
>>> help avoid the err-disable part. As far as I understand, you would end
>>> up with a one-member port-channel on each side, and then a standalone
>>> "I" port (independent) on the unchanged side facing a regular switchport
>>> on the "supervisor challenged" side. Spanning tree blocks one of the
>>> paths.
>>>
>>> I haven't tested this, just guessing.
>>>
>>> This doesn't solve the interface config going missing of course.
>>
>> It wouldn't be the worst if the interface starts without any config.
>> This would only happen if one of the Sups has a defect and is going to be
>> replaced. In this case, we could paste the config.
>> But if the interface is acting the way described, the whole link is
>> useless.
>>
>> Sebastian

From packetlss at gmail.com Fri Nov 14 04:14:00 2008
From: packetlss at gmail.com (Magnus Eriksson)
Date: Fri, 14 Nov 2008 10:14:00 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <20081113142508.GE4897@rtp-cse-489.cisco.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com>
Message-ID: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>

First of all, thank you all for your insights.

If we were to go with the ASR track I guess I'd need both the 1002 chassis item (18k USD list price) and the 5k USD IP BASE license as well. Am I understanding that correctly?

Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving ahead? I don't wanna be stuck with a "dead" OS.

//Magnus

2008/11/13 Rodney Dunn
> I haven't looked at the price list.
>
> How does an ASR1002 compare to a G2 combo?
>
> From a growth perspective the ASR1002 would be what I would
> consider giving a potential migration to GigE.
>
> Rodney
>
> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
>> You may want to consider getting either part # CISCO7201 (PSU
>> included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite
>> cheap).
>> Both the part # for the box, shouldn't be much of a difference or same.
>>
>> --raymondh
>>
>> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>>
>>> I'm looking for some pointers on what are the smallest recommended
>>> Cisco boxes to use for a small multihoming solution.
>>>
>>> 2 full BGP views (approx 260k routes each)
>>> 100 Mbps bandwidth requirement.
>>>
>>> The setup currently uses 2 Juniper M5 but those are in dire need of
>>> refresh.
>>>
>>> What are the appropriate Cisco boxes to go for? Do I need any memory
>>> upgrades etc?
>>>
>>> Any suggestions are welcome.
>>>
>>> Regards Magnus

From s.ganschow at buelow-masiak.de Fri Nov 14 04:14:05 2008
From: s.ganschow at buelow-masiak.de (Sebastian Ganschow)
Date: Fri, 14 Nov 2008 10:14:05 +0100
Subject: [c-nsp] 4507R-E loosing config
In-Reply-To: <491D3895.6020102@forthnet.gr>
Message-ID:

> Can you post the errdisable message?
00:16:09: %EC-5-BUNDLE: Interface TenGigabitEthernet3/1 joined port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te3/1 in err-disable state
00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet3/1 left the port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te4/1 in err-disable state
00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet4/1 left the port-channel Port-channel1
00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Po1 in err-disable state

Sebastian

From gideon at adept.co.za Fri Nov 14 04:19:38 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Fri, 14 Nov 2008 11:19:38 +0200
Subject: [c-nsp] 2610 High CPU Load
Message-ID:

Good day

I have a CPU load problem on a 2610. The router has a X21 Serial interface and Ethernet, and does simple WAN routing. As the amount of traffic increases, the CPU load increases as well, and when the throughput is around 1.2Mbit at about 2000 packet/s, the CPU is running so high that the box becomes unresponsive. This router is in theory supposed to be capable of doing 7.68Mbps at 15,000 pps.

I've checked that the router isn't doing processor switching, and as far as I can see the vast majority of the traffic is being fast switched, yet I seem to be hitting the documented performance limits for process switching.

If I have to replace the router I can, but would like to know why I'm running into trouble when the current router is supposedly well within its limits. The box is running 12.3(9), but I've had the same issue on a 12.1 version.

Below is the output of 'show interfaces stat' and 'show interface switching'. Any ideas/help is appreciated.
---
# sh int stat
Ethernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         97      10200        219      17650
             Route cache     760678   57144419     626362   47003211
                   Total     760775   57154619     626581   47020861
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        467      37390        337      43569
             Route cache     626497   40745693     760817   49520393
                   Total     626964   40783083     761154   49563962
-----
#sh int switching
Ethernet0/0
          Throttle count          0
                 Drops         RP          0         SP          0
           SPD Flushes       Fast          0        SSE          0
           SPD Aggress       Fast          0
          SPD Priority     Inputs       3524      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3577     283416       3699     340458
            Cache misses         96          -          -          -
                    Fast   20283972 1524355199   16554208 1236628784
               Auton/SSE          0          0          0          0

     Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process         44       2640       4328     259680
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        435     178350        435     133110
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        869      46926       2601     156060
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.

Serial0/0
          Throttle count          0
                 Drops         RP          0         SP          0
           SPD Flushes       Fast          0        SSE          0
           SPD Aggress       Fast          0
          SPD Priority     Inputs       5209      Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process      17620    1589429      13114    1548222
            Cache misses      14327          -          -          -
                    Fast   16555485 1071171389   20287359 1321039479
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        429     137280        437     122797
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          1         14        238       3784
            Cache misses          0          -          -          -
                    Fast       2750      44000          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.
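The 'show interfaces stat' counters in the post above reduce to two figures per interface that are worth checking before blaming the switching path: the share of packets that went through the process-switched path, and the average packet size (bytes per packet), which is what the router's pps rating has to be read against. The following is an added example, not code from the thread or from Cisco: it parses the 2610 output posted above (re-aligned into columns as the sample input) and returns those figures. The function names and the 5% threshold in process_heavy_interfaces are my own choices.

```python
"""Parse Cisco IOS 'show interfaces stat' and summarise the switching paths.

Added example. The sample text is the 2610 output posted in the thread
with its column alignment reconstructed; nothing else here comes from
the thread or from Cisco."""
import re

SAMPLE_SHOW_INT_STAT = """\
Ethernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         97      10200        219      17650
             Route cache     760678   57144419     626362   47003211
                   Total     760775   57154619     626581   47020861
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        467      37390        337      43569
             Route cache     626497   40745693     760817   49520393
                   Total     626964   40783083     761154   49563962
"""

# One counter row: a path name followed by four integer columns.
ROW_RE = re.compile(
    r"^\s*(Processor|Route cache|Distributed cache|Total)"
    r"\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
# An interface name stands alone on its line (Ethernet0/0, Serial0/0, ...);
# requiring a digit keeps the 'Switching path' header from being taken as one.
IFACE_RE = re.compile(r"^([A-Za-z][A-Za-z-]*\d[\d/.:]*)\s*$")


def parse_show_int_stat(text):
    """Return {interface: {path: {pkts_in, chars_in, pkts_out, chars_out}}}."""
    stats = {}
    current = None
    for line in text.splitlines():
        row = ROW_RE.match(line)
        if row and current is not None:
            path, pin, cin, pout, cout = row.groups()
            stats[current][path] = {
                "pkts_in": int(pin), "chars_in": int(cin),
                "pkts_out": int(pout), "chars_out": int(cout),
            }
            continue
        iface = IFACE_RE.match(line)
        if iface:
            current = iface.group(1)
            stats[current] = {}
    return stats


def process_switched_share(stats):
    """Fraction of all packets (in + out) that took the process-switched path."""
    shares = {}
    for iface, rows in stats.items():
        total, proc = rows.get("Total"), rows.get("Processor")
        if not total or not proc:
            continue  # incomplete block: skip it rather than guess
        pkts = total["pkts_in"] + total["pkts_out"]
        proc_pkts = proc["pkts_in"] + proc["pkts_out"]
        shares[iface] = 0.0 if pkts == 0 else proc_pkts / pkts
    return shares


def average_packet_size(stats):
    """Average bytes per packet over both directions, from the Total row."""
    sizes = {}
    for iface, rows in stats.items():
        total = rows.get("Total")
        if not total:
            continue
        pkts = total["pkts_in"] + total["pkts_out"]
        if pkts:
            sizes[iface] = (total["chars_in"] + total["chars_out"]) / pkts
    return sizes


def process_heavy_interfaces(shares, threshold=0.05):
    """Interfaces whose process-switched share exceeds the (arbitrary) threshold."""
    return sorted(i for i, s in shares.items() if s > threshold)


if __name__ == "__main__":
    parsed = parse_show_int_stat(SAMPLE_SHOW_INT_STAT)
    shares = process_switched_share(parsed)
    sizes = average_packet_size(parsed)
    for iface in parsed:
        print(f"{iface}: process-switched {shares[iface]:.4%}, "
              f"average packet {sizes[iface]:.1f} bytes")
    print("process-heavy interfaces:", process_heavy_interfaces(shares))
```

On the posted counters the process-switched share is well under 0.1% on both interfaces, which agrees with the poster's own reading that the traffic is fast switched. The average packet size comes out at about 75 bytes on Ethernet0/0 and about 65 bytes on Serial0/0; 1.2 Mbit/s at 2000 packets/s is likewise 75 bytes per packet, so the router is handling small packets, and a pps figure rather than a Mbps figure is the number to compare it against.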
From achatz at forthnet.gr Fri Nov 14 04:30:03 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 11:30:03 +0200
Subject: [c-nsp] 4507R-E loosing config
In-Reply-To:
References:
Message-ID: <491D451B.3050300@forthnet.gr>

ok, that was what i was guessing too.

lacp/active (as peter said) or pagp/desirable should probably solve the problem.

Otherwise you could write an eem applet (if your switch supports it) that shuts down the single port whenever this message appears.

btw, is the whole config lost from the sup or only the one under the specific interface? If it's the latter, you should probably open a tac case.

--
Tassos

Sebastian Ganschow wrote on 14/11/2008 11:14:
>> Can you post the errdisable message?
>
> 00:16:09: %EC-5-BUNDLE: Interface TenGigabitEthernet3/1 joined port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te3/1 in err-disable state
> 00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet3/1 left the port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Te4/1 in err-disable state
> 00:17:58: %EC-5-UNBUNDLE: Interface TenGigabitEthernet4/1 left the port-channel Port-channel1
> 00:17:58: %PM-4-ERR_DISABLE: channel-misconfig error detected on Po1, putting Po1 in err-disable state
>
> Sebastian

From rekordmeister at gmail.com Fri Nov 14 05:13:44 2008
From: rekordmeister at gmail.com (MKS)
Date: Fri, 14 Nov 2008 10:13:44 +0000
Subject: [c-nsp] supervisor reload trap/log
Message-ID:

Hi

We have a few cisco 7600 with dual sup-720s. I would like to get notified somehow when a supervisor failover occurs. Is there a snmp trap for this type of behavior or should I watch the syslog?
Regards
//MKS

From waduloh at gmail.com Fri Nov 14 05:37:15 2008
From: waduloh at gmail.com (herb wadulo)
Date: Fri, 14 Nov 2008 05:37:15 -0500
Subject: [c-nsp] Cisco and Extreme
In-Reply-To: <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>
References: <988818.16250.qm@web26703.mail.ukl.yahoo.com> <20081114.001221.74679519.sthaug@nethelp.no> <6B43981C32F8464CB24CEE209DA32BD301A45891@kenya.tronet.as>
Message-ID: <76baa9fb0811140237w718d7711p9fc6126439ddbba0@mail.gmail.com>

Extreme running EW 7.6 on the older hardware I think resolved some of the issues that existed when running protocols over a multivendor environment. The X250, X450 devices running XOS don't seem to have any issues yet.

Cisco and Extreme in L2/L3 redundancy runs well when you consider the strengths of each vendor plus a couple of "keystrokes".

Herb

On Fri, Nov 14, 2008 at 3:09 AM, Tomas Daniska wrote:
>>>> Does anyone have any experience with a similar setup and can comment
>>>> on compatibility between Cisco and Extreme?
>
> One of our customers had repeated significant problems with running OSPF
> (from L3 Cisco boxes) over Extreme Summit based L2 infrastructure. The
> switches were multiplying OSPF hellos, wreaking havoc on OSPF
> adjacencies often. The hellos were replicated even in VLANs that were
> pure L2 on the Extremes.
>
> --
> deejay

From achatz at forthnet.gr Fri Nov 14 05:56:29 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 12:56:29 +0200
Subject: [c-nsp] 3750 HSRP question
In-Reply-To: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com>
References: <38D04BF3A4B7B2499D19EB1DB54285EA08E942D5@FNB1EX01.gci.com>
Message-ID: <491D595D.9070403@forthnet.gr>

If you use HSRP v2 (which uses 224.0.0.102), will the appliances still have a problem?

PS: You need 12.2(46)SE for this.

Leif Sawyer wrote on 14/11/2008 00:57:
> Tassos Chatzithomaoglou writes:
>> What about the following?
>>
>> mac address-table static 0100.5e00.0002 vlan X int A B ...
>>
>> Just don't include the 2 appliance interfaces into the
>> interface list (or include only the 2 hsrp ports).
>
> Nope. That doesn't seem to do anything -- I'm still seeing
> the HSRP packets in my sniffer.
>
> Sigh.
>
> Cisco sure doesn't want to perform outbound MAC-layer filtering
> on its interfaces, no matter what the security implications might be.
> It sure would be nice if they'd figure out that by allowing this traffic
> to be restricted to known/allowed ports, the network would be just a
> little bit safer.
--
Tassos

From eric at atlantech.net Fri Nov 14 06:20:25 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 14 Nov 2008 06:20:25 -0500
Subject: [c-nsp] GEIP or PA-GE
In-Reply-To: <491CF01C.7080104@gmail.com>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Sridhar Ayengar
> Sent: Thursday, November 13, 2008 10:27 PM
> To: Martin Moens
> Cc: Cisco NSPs
> Subject: Re: [c-nsp] GEIP or PA-GE
>
> Martin Moens wrote:
>> Tried Ebay?
>
> Yup. Very expensive. More than some dealer prices.

I'd have to agree that ebay prices for 7500 gear are absolutely insane. I recently sold a couple of 7507s (one w/ a GEIP) and looked on ebay for "market prices". One person wanted $35K for their 7507 chassis with no cards?! I put them both up for $5 - one sold for 5 and the other (with the GEIP), sold for $125. I'd keep checking ebay for non-delusional sellers, or contact one of the reputable grey market vendors like NHR. Their prices may be a bit higher than you would expect, but the equipment will come with a 1 year warranty.

-evt

From j.varaillon at cosmoline.com Fri Nov 14 06:30:24 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 13:30:24 +0200
Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue
Message-ID: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>

Hi,

The FWSM is set up with 4 contexts. In this context a "show memory" shows 4 times more used memory than the total amount, is this a known bug?
FWSM/context1# show memory
Used memory:    4294809328 bytes (400%)
-------------   ----------------
Total memory:   1073741824 bytes (100%)

About the CPU, I issued both following commands just one after the other. Why does the CPU usage of the system context have different values in both outputs (0.0% vs 3%)?

The CPU of context2 is never changing (stuck at 62%) and this does not reflect at all the pattern of traffic/connection/translation that we get during a working day. Why? What would keep the CPU so busy given that the amount of traffic is not the issue here?

FWSM# sho cpu usage context all
5 sec    1 min    5 min    Context Name
0.0%     0.0%     0.0%     system
0.2%     0.3%     0.2%     context1
62.9%    62.5%    62.6%    context2
0.0%     0.0%     0.0%     context3
0.0%     0.0%     0.0%     context4

FWSM# sho cpu usage
CPU utilization for 5 seconds = 3%; 1 minute: 3%; 5 minutes: 2%
FWSM#

Thank you for your time.

Christophe

__________ Information from ESET Smart Security, version of virus signature database 3613 (20081114) __________

The message was checked by ESET Smart Security.

http://www.eset.com

From gkg at gmx.de Fri Nov 14 06:44:59 2008
From: gkg at gmx.de (Garry)
Date: Fri, 14 Nov 2008 12:44:59 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de>
Message-ID: <491D64BB.9040200@gmx.de>

Hank Nussbacher wrote:
> On Thu, 13 Nov 2008, Garry wrote:
>
> The 3825 can take 1GB? The Cisco ISR link doesn't show that.

Just checked again - I thought I had put 1GB in our FW-Router, but it's "only" 768 at the moment (added a 512 to the stock 256) ... Anyway, IIRC, the 3825 has two slots, physically identical ...
also, Cisco GPL has this item:

MEM3800-256U1024D 256 to 1024MB DDR DRAM factory upgrade for Cisco 3800

So I assume that 1GB should also work in 3825, otherwise it should be listed as 3845 only ...

As for Flash, just stick in any Name-Brand or No-Name CF card, we've put in 1GB flash to replace the stock 64M cards ...

-garry

From mtinka at globaltransit.net Fri Nov 14 06:17:14 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Fri, 14 Nov 2008 19:17:14 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
Message-ID: <200811141917.15330.mtinka@globaltransit.net>

On Friday 14 November 2008 17:14:00 Magnus Eriksson wrote:
> Also, I'm a bit hesitant regarding IOS XE, which today
> only seems to be used for ASRs. Is IOS XE something that
> is gonna be built upon by Cisco moving ahead? I don't
> wanna be stuck with a "dead" OS.

AFAIK, IOS XE was based on the 12.2SR train. Perhaps Cisco folk on the list can confirm, but I guess that'd mean it'll be actively maintained, as SR is currently where Cisco seem to be going for service provider code, particularly with the 7200 and 7600.

Cheers,

Mark.

From j.varaillon at cosmoline.com Fri Nov 14 07:06:46 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 14:06:46 +0200
Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue
In-Reply-To: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>
References: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com>
Message-ID: <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com>

> The CPU of context2 is never changing (stuck at 62%) and this does not
> reflect at all the pattern of traffic/connection/translation that we get
> during a working day. Why? What would keep the CPU so busy given that the
> amount of traffic is not the issue here?

This output shows clearly that the traffic is almost null but still it has 60% of CPU. What could justify such a value?

FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon

PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup          279/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept        0/s          0/s

Thanks,

Christophe

From swmike at swm.pp.se Fri Nov 14 07:22:46 2008
From: swmike at swm.pp.se (Mikael Abrahamsson)
Date: Fri, 14 Nov 2008 13:22:46 +0100 (CET)
Subject: [c-nsp] GEIP or PA-GE
In-Reply-To: <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com> <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>
Message-ID:

On Fri, 14 Nov 2008, Eric Van Tol wrote:

> I'd have to agree that ebay prices for 7500 gear are absolutely insane.
> I recently sold a couple of 7507s (one w/ a GEIP) and looked on ebay for "market prices". One person wanted $35K for their 7507 chassis with no cards?! I put them both up for $5 - one sold for 5 and the other (with the GEIP), sold for $125. I'd keep checking ebay for non-delusional sellers, or contact one of the reputable grey market vendors like NHR. Their prices may be a bit higher than you would expect, but the equipment will come with a 1 year warranty.

You sold a GEIP (with PA-GE) for $125? I'd say street value of that is more like $500-$600. That's at least what the auctions went for a few months back when I last checked.

--
Mikael Abrahamsson    email: swmike at swm.pp.se

From hank at efes.iucc.ac.il Fri Nov 14 08:06:11 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Fri, 14 Nov 2008 15:06:11 +0200 (IST)
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <491D64BB.9040200@gmx.de>
References: <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <5.1.0.14.2.20081113210604.080d62a0@efes.iucc.ac.il> <491C8406.9000501@gmx.de> <491D64BB.9040200@gmx.de>
Message-ID:

On Fri, 14 Nov 2008, Garry wrote:

> Hank Nussbacher wrote:
>> On Thu, 13 Nov 2008, Garry wrote:
>>
>> The 3825 can take 1GB? The Cisco ISR link doesn't show that.
>
> Just checked again - I thought I had put 1GB in our FW-Router, but it's "only" 768 at the moment (added a 512 to the stock 256) ... Anyway, IIRC, the 3825 has two slots, physically identical ... also, Cisco GPL has this item:
>
> MEM3800-256U1024D 256 to 1024MB DDR DRAM factory upgrade for Cisco 3800
>
> So I assume that 1GB should also work in 3825, otherwise it should be listed as 3845 only ...
The Data Sheet agrees with you:
http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

Am I losing it, but the quickref guide:
http://www.cisco.com/web/partners/downloads/765/tools/quickreference/isr.pdf
shows 1GB for the 3825 now. Was it listed as 1GB a few days ago or am I losing it?

I had tried emailing a number of other questions to the address listed - but ask-quickref at cisco.com doesn't respond and the URL mailto: of quickref at cisco.com doesn't exist. Just par for the course these days with Cisco :-) Thank G-d we have each other to help advance their sales.

-Hank

>
> As for Flash, just stick in any Name-Brand or No-Name CF card, we've put in 1GB flash to replace the stock 64M cards ...
>
> -garry
>

From j.varaillon at cosmoline.com Fri Nov 14 08:07:08 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 15:07:08 +0200
Subject: [c-nsp] 2610 High CPU Load
In-Reply-To:
References:
Message-ID: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com>

A "sho proc cpu sorted" would display which process(es) is actually eating your resources.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gideon le Grange
Sent: Friday, November 14, 2008 11:20 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 2610 High CPU Load

Good day

I have a CPU load problem on a 2610. The router has a X21 Serial interface and Ethernet, and does simple WAN routing. As the amount of traffic increases, the CPU load increases as well, and when the throughput is around 1.2Mbit at about 2000 packet/s, the CPU is running so high that the box becomes unresponsive. This router is in theory supposed to be capable of doing 7.68Mbps at 15,000 pps.
I've checked that the router isn't doing processor switching, and as far as I can see the vast majority of the traffic is being fast switched, yet I seem to be hitting the documented performance limits for process switching.

If I have to replace the router I can, but would like to know why I'm running into trouble when the current router is supposedly well within its limits.

The box is running 12.3(9), but I've had the same issue on a 12.1 version. Below is the output of 'show interfaces stat' and 'show interface switching'.

Any ideas/help is appreciated.

---

# sh int stat

Ethernet0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor         97      10200        219      17650
             Route cache     760678   57144419     626362   47003211
                   Total     760775   57154619     626581   47020861
Serial0/0
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
               Processor        467      37390        337      43569
             Route cache     626497   40745693     760817   49520393
                   Total     626964   40783083     761154   49563962

-----

#sh int switching

Ethernet0/0
          Throttle count          0
                Drops   RP          0         SP          0
          SPD Flushes   Fast        0        SSE          0
          SPD Aggress   Fast        0
         SPD Priority   Inputs   3524       Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process       3577     283416       3699     340458
            Cache misses         96          -          -          -
                    Fast   20283972 1524355199   16554208 1236628784
               Auton/SSE          0          0          0          0

     Protocol  ARP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process         44       2640       4328     259680
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        435     178350        435     133110
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        869      46926       2601     156060
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.
Serial0/0
          Throttle count          0
                Drops   RP          0         SP          0
          SPD Flushes   Fast        0        SSE          0
          SPD Aggress   Fast        0
         SPD Priority   Inputs   5209       Drops          0

     Protocol  IP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process      17620    1589429      13114    1548222
            Cache misses      14327          -          -          -
                    Fast   16555485 1071171389   20287359 1321039479
               Auton/SSE          0          0          0          0

     Protocol  CDP
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process        429     137280        437     122797
            Cache misses          0          -          -          -
                    Fast          0          0          0          0
               Auton/SSE          0          0          0          0

     Protocol  Other
          Switching path    Pkts In   Chars In   Pkts Out  Chars Out
                 Process          1         14        238       3784
            Cache misses          0          -          -          -
                    Fast       2750      44000          0          0
               Auton/SSE          0          0          0          0

NOTE: all counts are cumulative and reset only after a reload.

From raymondh.nsp at gmail.com Fri Nov 14 08:32:54 2008
From: raymondh.nsp at gmail.com (raymondh (NSP))
Date: Fri, 14 Nov 2008 21:32:54 +0800
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
Message-ID: <9AC8C703-0293-4C65-9CA3-912E34652CFC@gmail.com>

You'll need the ESP either the 5/10G too.

*thinks* IOS consistency it's something which most of us are keeping our fingers crossed even though there're consistent releases for the SR, XE and XR codes. :)

I believe there're lots of folks wanting to knock ITD's door down and the various BUs.

--raymondh

On Nov 14, 2008, at 5:14 PM, Magnus Eriksson wrote:

> First of all, thank you all for your insights.
>
> If we were to go with the ASR track I guess I'd need both the 1002 chassis item (18k USD list price) and the 5k USD IP BASE license as well. Am I understanding that correctly?
>
> Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving ahead? I don't wanna be stuck with a "dead" OS.
>
> //Magnus
>
> 2008/11/13 Rodney Dunn
>
>> I haven't looked at the price list.
>>
>> How does an ASR1002 compare to a G2 combo?
>>
>> From a growth perspective the ASR1002 would be what I would consider giving a potential migration to GigE.
>>
>> Rodney
>>
>> On Thu, Nov 13, 2008 at 08:52:47PM +0800, raymondh (NSP) wrote:
>>> You may want to consider getting either part # CISCO7201 (PSU included) or 7206VXR/NPE-G2 (you need to pay for the PSU, it's quite cheap).
>>> Both the part # for the box, shouldn't be much of a difference or same.
>>>
>>> --raymondh
>>>
>>> On Nov 13, 2008, at 6:52 PM, Magnus Eriksson wrote:
>>>
>>>> I'm looking for some pointers on what are the smallest recommended Cisco boxes to use for a small multihoming solution.
>>>>
>>>> 2 full BGP views (approx 260k routes each)
>>>> 100 Mbps bandwidth requirement.
>>>>
>>>> The setup currently uses 2 Juniper M5 but those are in dire need of refresh.
>>>>
>>>> What are the appropriate Cisco boxes to go for? Do I need any memory upgrades etc?
>>>>
>>>> Any suggestions are welcome.
>>>>
>>>> Regards Magnus

From Curtis at GreenKey.net Fri Nov 14 08:39:27 2008
From: Curtis at GreenKey.net (Curtis Doty)
Date: Fri, 14 Nov 2008 05:39:27 -0800 (PST)
Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking?
In-Reply-To: <034e01c945fb$52df6610$f89e3230$@id.au>
References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> <034e01c945fb$52df6610$f89e3230$@id.au>
Message-ID: <20081114133928.3C7816F064@alopias.GreenKey.net>

10:50am Brett Looney said:

>> Has anyone ever gotten trunking working between a 3560 and Dell 6248 or similar? The Dell seems only to support GVRP in comparison to Cisco's VTP. Since the 3560 doesn't support GVRP I think I'm out of luck, but I'm hoping someone here has figured out a kludge to get this working.
>
> I've had trunking working between Cisco and Dell switches before. You can configure trunking manually on either end - you don't need VTP/GVRP to build a trunk. For example:
>
> interface GigabitEthernet 1/0/1
>  switchport trunk encapsulation dot1q
>  switchport mode trunk
>  switchport trunk allowed vlan 1-50
>
> Obviously you'd need to define the VLANs manually on each end for this to work.

Since explicit settings are better in this situation, don't forget to disable DTP grunge...
 switchport nonegotiate

However, the kicker will be properly connecting your spanning trees, since Cisco prefers a separate spanning tree per VLAN, and the Dell prefers one spanning tree for all VLANs. The way out of this mess is to use MST.

From eric at atlantech.net Fri Nov 14 08:41:09 2008
From: eric at atlantech.net (Eric Van Tol)
Date: Fri, 14 Nov 2008 08:41:09 -0500
Subject: [c-nsp] GEIP or PA-GE
In-Reply-To:
References: <42F0C766A9A8DB47B5E86CA64738DC8B01905C80@bilbo.bdhz.c2c.local> <491CF01C.7080104@gmail.com> <2C05E949E19A9146AF7BDF9D44085B86350E894F2B@exchange.aoihq.local>
Message-ID: <2C05E949E19A9146AF7BDF9D44085B86350E894F2D@exchange.aoihq.local>

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mikael Abrahamsson
> Sent: Friday, November 14, 2008 7:23 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] GEIP or PA-GE
>
> You sold a GEIP (with PA-GE) for $125? I'd say street value of that is more like $500-$600. That's at least what the auctions went for a few months back when I last checked.
>

Yup, they got a very good deal - 2 7507s with dual RSP4+, 4 VIP2-50s, and a GEIP for $130. I just wanted the hardware out of here and other avenues I took to get rid of them didn't pan out.

-evt

From achatz at forthnet.gr Fri Nov 14 08:43:00 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Fri, 14 Nov 2008 15:43:00 +0200
Subject: [c-nsp] supervisor reload trap/log
In-Reply-To:
References:
Message-ID: <491D8064.1030807@forthnet.gr>

Although I haven't tested them, you can try these two:

snmp-server enable traps chassis
snmp-server enable traps module

Keep in mind that you can use "snmp-server enable traps syslog" to get ALL syslog messages as snmp traps.

--
Tassos

MKS wrote on 14/11/2008 12:13:
> Hi
>
> We have a few cisco 7600 with dual sup-720s. I would like to get notified somehow when a supervisor failover occurs.
>
> Is there a snmp trap for this type of behavior or should I watch the syslog?
>
> Regards
> //MKS
>

From petelists at templin.org Fri Nov 14 08:59:25 2008
From: petelists at templin.org (Pete Templin)
Date: Fri, 14 Nov 2008 07:59:25 -0600
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <551611BE-A02B-49BE-ABDC-D402E8F94EF2@gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com>
Message-ID: <491D843D.8010101@templin.org>

Magnus Eriksson wrote:
> Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving ahead? I don't wanna be stuck with a "dead" OS.

Clarification: from what I can see, IOS XE is only used on the ASR 1000 series. XR is used on the new ASR 9k series. I can see some logic in that, as the 1k platform is a fresh attempt at the parallel processing theory, formerly a flop in the PXF platforms. However, being able to start from the ground up in that architecture is probably a much safer start.

pt

From gideon at adept.co.za Fri Nov 14 09:22:48 2008
From: gideon at adept.co.za (Gideon le Grange)
Date: Fri, 14 Nov 2008 16:22:48 +0200
Subject: [c-nsp] 2610 High CPU Load
In-Reply-To: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com>
References: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com>
Message-ID:

On 14 Nov 2008, at 3:07 PM, Varaillon Jean Christophe wrote:

> A "sho proc cpu sorted" would display which process(es) is actually eating your resources.
>

I know, but it doesn't show anything useful.
Nothing seems to be taking a noticeable amount of CPU.

G

From rodunn at cisco.com Fri Nov 14 09:39:14 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 14 Nov 2008 09:39:14 -0500
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To: <200811141917.15330.mtinka@globaltransit.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <20081113142508.GE4897@rtp-cse-489.cisco.com> <68a978e90811140114u451e08f3q570ccc6b84b548b@mail.gmail.com> <200811141917.15330.mtinka@globaltransit.net>
Message-ID: <20081114143914.GD14907@rtp-cse-489.cisco.com>

On Fri, Nov 14, 2008 at 07:17:14PM +0800, Mark Tinka wrote:
> On Friday 14 November 2008 17:14:00 Magnus Eriksson wrote:
>
> > Also, I'm a bit hesitant regarding IOS XE, which today only seems to be used for ASRs. Is IOS XE something that is gonna be built upon by Cisco moving ahead? I don't wanna be stuck with a "dead" OS.
>
> AFAIK, IOS XE was based on the 12.2SR train.

Yes from an IOS feature set perspective.

>
> Perhaps Cisco folk on the list can confirm, but I guess that'd mean it'll be actively maintained, as SR is currently where Cisco seem to be going for service provider code, particularly with the 7200 and 7600.

It will be maintained for a long time for sure so no need to worry on that. The entire product line just shipped a few months back and a lot of focus is on it.

Rodney

>
> Cheers,
>
> Mark.

From rodunn at cisco.com Fri Nov 14 09:58:27 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 14 Nov 2008 09:58:27 -0500
Subject: [c-nsp] 2610 High CPU Load
In-Reply-To:
References:
Message-ID: <20081114145827.GE14907@rtp-cse-489.cisco.com>

It's interrupt probably due to the packet switching. The numbers referenced are almost always FE2FE no features for raw NDR (no drop rate) test. For serial it's going to be less. Add features and it's less also.
Rodney

On Fri, Nov 14, 2008 at 11:19:38AM +0200, Gideon le Grange wrote:
> Good day
>
> I have a CPU load problem on a 2610. The router has a X21 Serial interface and Ethernet, and does simple WAN routing. As the amount of traffic increases, the CPU load increases as well, and when the throughput is around 1.2Mbit at about 2000 packet/s, the CPU is running so high that the box becomes unresponsive. This router is in theory supposed to be capable of doing 7.68Mbps at 15,000 pps.
>
> I've checked that the router isn't doing processor switching, and as far as I can see the vast majority of the traffic is being fast switched, yet I seem to be hitting the documented performance limits for process switching.
>
> If I have to replace the router I can, but would like to know why I'm running into trouble when the current router is supposedly well within its limits.
>
> The box is running 12.3(9), but I've had the same issue on a 12.1 version. Below is the output of 'show interfaces stat' and 'show interface switching'.
>
> Any ideas/help is appreciated.
From j.varaillon at cosmoline.com Fri Nov 14 10:31:06 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Fri, 14 Nov 2008 17:31:06 +0200
Subject: [c-nsp] 2610 High CPU Load
In-Reply-To:
References: <003801c94659$e6aa8ba0$b3ffa2e0$%varaillon@cosmoline.com>
Message-ID: <002a01c9466e$044e5880$0ceb0980$%varaillon@cosmoline.com>

I suppose that:

- cef is enabled
- no QoS are in place (including nbar...)
- no ACL with 'log' keyword (matching packets would be cpu switched)
- no "logging debug" and debugging commands are used (flood of syslog messages)
- only necessary routing protocols are used (if you have a stub area, a default route is enough)
- no heavy routing protocol (e.g. BGP)
- if the link is between 2 ciscos, you could use HDLC rather than PPP. (I saw it lighter from a cpu point of view)

You can always send us your configuration, removing all your passwords and replacing your public IP addresses by private ones.
Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gideon le Grange
Sent: Friday, November 14, 2008 4:23 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 2610 High CPU Load

On 14 Nov 2008, at 3:07 PM, Varaillon Jean Christophe wrote:

> A "sho proc cpu sorted" would display which process(es) is actually eating your resources.
>

I know, but it doesn't show anything useful. Nothing seems to be taking a noticeable amount of CPU.

G

From jarruda-cnsp at jarruda.com Fri Nov 14 11:41:18 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Fri, 14 Nov 2008 11:41:18 -0500
Subject: [c-nsp] ASR 9000
In-Reply-To: <491AE9AE.7050806@jarruda.com>
References: <794962.71625.qm@web905.biz.mail.mud.yahoo.com> <491AE9AE.7050806@jarruda.com>
Message-ID: <491DAA2E.8010605@jarruda.com>

Julio Arruda wrote:
> Kevin Graham wrote:
>>
>>> Runs IOS XR, while the recent ASR 1000 series runs IOS XE? Consistency would be nice.
>>>
>>
>> ...or at least call this a CRS-2 or something. I'm still crossing my fingers that there's a master plan for consistency (or alternatively, clear differentiation) between XR/XE/12.2SX/12.2SR/NX-OS.
>>
>>
>>> Re-uses the RSP nomenclature, just recently put to bed in the 7500 series.
>>>
>>
>> Nope, 7600 already revived it (RSP720).
>> I don't see reference to line cards, but the photos look like ES40's, which finally gives some credibility to the 6500/7600 split (where new linecards are shared between ASR9000 and 7600).
>>
> I somewhat doubt this is the case..at least from what I can imagine...
> This would imply in the ASR9k cards being able to talk with the 7600 backplane, that I understand, is quite distinct from the CRS-1 ? Isn't the ASR9000 based off the CRS-1 hardware ?
> Isn't the ASR 9000 based off the CRS-1 Metro packet processors also, while the packet crunching on the 7600 is based off the EARL, and on the ASR 1000 is based on the QFP ?
> I can't seem to find details on the cards on the ASR 9000, but, just making some wild guess here..
> (of course, Cisco has been quite effective in getting a clear separation from control plane to forwarding plane, and IOS-XR sure already runs on another completely distinct box, the 12K-XR, so, maybe the 7600 will gain from the ASR 9000 'revamp').

So, eating my own words, seems like the ASR9000 would use the same kind of fwd muscles as the ES (ezchip based) cards in the 7600, not the EARL. Would seem they have the ASR14000 using the SPP, still making the 9k and the 14k 'close', both would run IOS-XR.

And I assume this would mean Cisco has now a box that could replace the 7600, running IOS-XR. Not sure about edge features, but I understand the 9k flavor of XR has this covered...

Still can't find details on the 9k on the website, but...

From dale.shaw+cisco-nsp at gmail.com Fri Nov 14 13:19:36 2008
From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Fri, 14 Nov 2008 10:19:36 -0800
Subject: [c-nsp] Catalyst 3750 stacks with many members
Message-ID: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>

Hi all,

We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.
Does anyone have any tips as to how to make large stacks more reliable? We're seeing really high CPU and have found you need to be really careful doing anything that has the potential to swamp the CPU -- the other day I crashed a stack master by clearing the CDP neighbour table (a bit silly in hindsight, given the number of CDP table entries [phones], but I was troubleshooting a stale neighbour problem).

Does changing to the 'VLANs' SDM template for switch stacks in this role make any difference? These stacks don't do any routing, or traffic ACLs.

We've tried 12.2(40)SE, 12.2(44)SE2 and 12.2(44)SE3. Our biggest stack is 7 members. You're supposed to be able to stack 9 of these things (and I don't recall reading about any caveats), so it's a bit concerning. Disabling certain functionality (e.g. CDP) to stabilise is one thing, but long term it would be nice if it 'just worked'.

cheers,
Dale

From everton at lab.ipaccess.diveo.net.br Fri Nov 14 13:02:40 2008
From: everton at lab.ipaccess.diveo.net.br (Everton da Silva Marques)
Date: Fri, 14 Nov 2008 16:02:40 -0200
Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance?
Message-ID: <20081114180240.GA4941@diveo.net.br>

Hi,

While trying to load-share between routes with same administrative distance from distinct routing protocols, I found this:

What if I configure the administrative distance to be the same for two routing protocols? Will the router install routes from each routing protocol and allow me to load balance traffic? ... The answer is NO. ... When there is a tie of configured administrative distance settings the router will use the *default* administrative distance to make the decision.

Reference:
Two routing protocols, Same administrative distance?
http://www.internetworkexpert.org/2007/12/31/two-routing-protocols-same-administrative-distance/

I am wondering: any hint on how to work-around such a behavior (if at all possible) ?
Thanks,
Everton

From cchurc05 at harris.com Fri Nov 14 13:47:42 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 14 Nov 2008 12:47:42 -0600
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
In-Reply-To:
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net>
Message-ID:

When did a gig of RAM become the new requirement for a full table, with a couple views only? It seems 512 on an ISR will still have 150MB free with a full table. Our 2821 with 12.4(21) with 768MB has 400MB free almost all the time.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
Sent: Thursday, November 13, 2008 9:57 PM
To: Mark Tinka
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Recommended Cisco boxes for a small multihoming solution?

And to repeat - to the best of my knowledge the 3825 can't take 1GB of RAM and therefore is not an optimal solution for small multihoming.

-Hank

On Fri, 14 Nov 2008, Mark Tinka wrote:

> On Friday 14 November 2008 13:09:58 Eric Cables wrote:
>
>> If you look at the interactive model (http://www.cisco.com/en/US/prod/collateral/routers/ps5855/ps5857/prod_presentation0900aecd80543db9.html) you can see GE0/0 and GE0/1 interfaces.
>>
>> In addition, the data sheet for both the 3825 and 3845 indicates 2 10/100/1000 interfaces:
>> http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html
>
> I think just to avoid any confusion; 1GB as in RAM/flash, and 1Gbps as in bandwidth/interface :-).
>
> Oooh, this "B" and "b" thing...
>
> Mark.
From David.Lima at alphasys.com.bo Fri Nov 14 14:01:46 2008
From: David.Lima at alphasys.com.bo (David Lima)
Date: Fri, 14 Nov 2008 15:01:46 -0400
Subject: [c-nsp] The results of your email commands
In-Reply-To:
Message-ID:

Hi friends,

I have a Catalyst 6509 with a SUP720-3B running Cisco IOS. I have not enough space on my flash card. Is it possible to boot other IOS using TFTP? What could be the correct commands?

I tried the command:

boot system tftp FILE IP

And tried to boot from ROMMON but I don't have the tftpdnld option.

Please any suggestion.

Thanks in advance.

David

From j at arpa.com Fri Nov 14 14:54:33 2008
From: j at arpa.com (jamie rishaw)
Date: Fri, 14 Nov 2008 13:54:33 -0600
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID:

Yeah.. Replace them. With Chassis(es).

Stacks are just a bad idea. Failure of one part of the stack is a failure of the stack. A 65xx serves just as well, better even; cheaper, more reliably, and with less BS..

I'm in the middle of tossing (however many letters are, inclusive, between a and s) stacks, moving to 65xx chassis(es) with 10/100 // triplespeed blades... moving to paired '09's.

Cue the happy singing birds and obama 'yes we chassis' glory in 3.. 2.. 1..

-j

On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw wrote:
> Hi all,
>
> We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.
--
..!google!arpa.com!j

From billf at mu.org Fri Nov 14 14:57:05 2008
From: billf at mu.org (bill fumerola)
Date: Fri, 14 Nov 2008 11:57:05 -0800
Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance?
In-Reply-To: <20081114180240.GA4941@diveo.net.br>
References: <20081114180240.GA4941@diveo.net.br>
Message-ID: <20081114195705.GC29895@elvis.mu.org>

On Fri, Nov 14, 2008 at 04:02:40PM -0200, Everton da Silva Marques wrote:
> Two routing protocols, Same administrative distance?
> http://www.internetworkexpert.org/2007/12/31/two-routing-protocols-same-administrative-distance/
>
> I am wondering: any hint on how to work-around such a behavior (if at all possible) ?

redistribute routes from one protocol into another and use route-maps to change the metrics and route 'type' (protocol dependent) such that the protocol considers them equal cost.

the usual warnings about route redistribution apply: using tags so loops don't occur and taking care not to redistribute too many routes.

-- bill

From bluffmaster4hearts at gmail.com Fri Nov 14 15:10:11 2008
From: bluffmaster4hearts at gmail.com (bharath kondi)
Date: Sat, 15 Nov 2008 04:10:11 +0800
Subject: [c-nsp] Non-zero CAN jam reset counter in slot
Message-ID: <82957ce50811141210v573f3037v62cd38adb7f4c0e2@mail.gmail.com>

Hello,

I am getting these errors when I restart the GSR. While loading the IOS the alarm on the GSR is not shown; once the whole GSR is loaded then I am seeing this error. The LED on the clock scheduler module is showing a major alarm. Please help me with these errors: why am I getting a major alarm on the last module and these errors on the GSR?
WARNING: Non-zero CAN jam reset counter in slot 17
WARNING: Non-zero CAN jam reset counter in slot 18
WARNING: Non-zero CAN jam reset counter in slot 20
WARNING: Non-zero CAN jam reset counter in slot 24
WARNING: Non-zero CAN jam reset counter in slot 26
WARNING: Non-zero CAN jam reset counter in slot 28
WARNING: Non-zero CAN jam reset counter in slot 29

thanks a lot ...

Bharath

From peter at rathlev.dk Fri Nov 14 16:19:57 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Fri, 14 Nov 2008 22:19:57 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID: <1226697597.4569.5.camel@abehat>

On Fri, 2008-11-14 at 10:19 -0800, Dale Shaw wrote:
> We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.
>
> Does anyone have any tips as to how to make large stacks more reliable?

The largest we've used was a 6 member stack. No CPU wise. No large number of CDP neighbors though.

Probably no help, but we've started moving away from stacking. Having to manage X or 2*X switches isn't that different for a non-small X -- you need some tools to manage several switches concurrently anyway. The failure scenarios are more clean using stand alone units and regular RSTP for us.

It would be very sweet if one could use the stack ports as regular interfaces between switches. That would be a cheap high bandwidth connection in a U topology.
Regards,
Peter

From MLouis at nwnit.com Fri Nov 14 17:01:21 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 14 Nov 2008 17:01:21 -0500
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>

split the stacks into smaller groups

________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On Behalf Of Dale Shaw [dale.shaw+cisco-nsp at gmail.com]
Sent: Friday, November 14, 2008 1:19 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Catalyst 3750 stacks with many members

Hi all,

We have a few large (>6 member) cat3750 stacks in our environment, most in L2 edge/access roles, and most providing PoE to cisco IP phones.

Does anyone have any tips as to how to make large stacks more reliable?

We're seeing really high CPU and have found you need to be really careful doing anything that has the potential to swamp the CPU -- the other day I crashed a stack master by clearing the CDP neighbour table (a bit silly in hindsight, given the number of CDP table entries [phones], but I was troubleshooting a stale neighbour problem).

Does changing to the 'VLANs' SDM template for switch stacks in this role make any difference? These stacks don't do any routing, or traffic ACLs.

We've tried 12.2(40)SE, 12.2(44)SE2 and 12.2(44)SE3. Our biggest stack is 7 members. You're supposed to be able to stack 9 of these things (and I don't recall reading about any caveats), so it's a bit concerning. Disabling certain functionality (e.g. CDP) to stabilise is one thing, but long term it would be nice if it 'just worked'.
cheers,
Dale

From blahu77 at gmail.com Fri Nov 14 17:04:27 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Fri, 14 Nov 2008 22:04:27 +0000
Subject: [c-nsp] Policy Based Routing on PE
References: <383357750811130534r28ea2838r2f354f34aed87506@mail.gmail.com> <20081113142139.GD4897@rtp-cse-489.cisco.com>
Message-ID: <383357750811141404m35a5865fn1181cb7cf3f7e5c2@mail.gmail.com>

2008/11/13 Brandon Price :
> The tunnel option could work the problem is the SOURCE is behind a
> Juniper netscreen and I don't think they support gre tunnel
> termination..
> Also I don't want this active all the time, I want it to switch
> dynamically.
>
> Maybe there is something else that would accomplish what I am trying to
> do.
>
> I tried to make a little ASCII diagram, hopefully it comes through ok:
>
>
>        SOURCE Voip LAN 206.72.96.0
>                  |
>             FW (juniper)
>                  |
>           PE2-------PE1
>            | |        |
>        dsl1| |dsl2    |
>            | |        |T1
>            | |        |
>            | +-------+|
>            +--------CE1 (cisco)
>                      |
>                      |
>            CUST LAN 10.10.10.0
>
>
> Basically my customer's primary link to me is a T1 to PE1 with QoS
> enabled for VOICE traffic to my voip servers and switches at
> 206.72.96.0. These are accessed via FW (juniper netscreen). In normal
> operation the route for the CUST LAN through the T1 has the most
> favourable weight, and traffic never hits PE2.
>
>
> Now if the T1 goes down, dsl1 to PE2 will now have the most favorable
> route to the lan, HOWEVER at this point I want traffic with a SOURCE of
> the voip netblock to take dsl2 to get to the lan. This is where I am
> stuck. How to use PBR on the ingress to PE2....
>

I don't see any other solution but to prioritize (QoS) SOURCE traffic on BOTH dsl links.

Best Regards,
-mat

From wberg at swip.net Fri Nov 14 18:15:42 2008
From: wberg at swip.net (Alex Wågberg)
Date: Sat, 15 Nov 2008 00:15:42 +0100
Subject: [c-nsp] Locked VTY sessions on ME3400
Message-ID: <491E069E.2020902@swip.net>

Hello!

I've got a Cisco ME3400 running 12.2(44)SE. Couple of /30s to it, running HSRP and BGP; works well, except I can't access it via telnet. And rebooting it is not on the list.

When I try to telnet to the switch I get "telnet: Unable to connect to remote host: Connection refused".

I've checked the backup-config from this night, and it clearly states that the incoming ACLs are correct and the SNMP configuration is correct as well.

Running snmpwalk works. I've tried, just to be sure, to get it to download a config without the ACL on vty 0 4 and 5 15, just to make sure it isn't that, but with no luck.
I end up with: No Response from .

My guess is that it's hung VTY sessions. How can I clear them with SNMP?

Thanks!
--
Alex W.

From bep at whack.org Fri Nov 14 18:27:20 2008
From: bep at whack.org (Bruce Pinsky)
Date: Fri, 14 Nov 2008 15:27:20 -0800
Subject: [c-nsp] Locked VTY sessions on ME3400
In-Reply-To: <491E069E.2020902@swip.net>
References: <491E069E.2020902@swip.net>
Message-ID: <491E0958.30501@whack.org>

Alex Wågberg wrote:
> I've got a Cisco ME3400 running 12.2(44)SE. Couple of /30s to it,
> running hsrp and BGP, works good, except I cant access it telnet. And
> rebooting it is not on the list.
>
> My guess is that it's hung VTY sessions, how can I clear them with SNMP ?
>

http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml

--
=========
bep

From dcp at dcptech.com Fri Nov 14 18:34:11 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 14 Nov 2008 18:34:11 -0500
Subject: [c-nsp] Locked VTY sessions on ME3400
In-Reply-To: <491E0958.30501@whack.org>
References: <491E069E.2020902@swip.net> <491E0958.30501@whack.org>
Message-ID: <001a01c946b1$808a9010$819fb030$@com>

And once you're back in, don't forget to enable service tcp-keepalives-in/out, so it doesn't happen again.

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Bruce Pinsky
> Sent: Friday, November 14, 2008 6:27 PM
> To: Alex Wågberg
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Locked VTY sessions on ME3400
>
> Alex Wågberg wrote:
> > My guess is that it's hung VTY sessions, how can I clear them with
> SNMP ?
> >
> http://www.cisco.com/en/US/tech/tk648/tk362/technologies_problem_troubleshooting09186a00802b93ef.shtml
>
> --
> =========
> bep

From patrick.viet at gmail.com Fri Nov 14 19:57:19 2008
From: patrick.viet at gmail.com (Patrick Viet)
Date: Sat, 15 Nov 2008 01:57:19 +0100
Subject: [c-nsp] sampled netflow on 6500
Message-ID: <947d497f0811141657r48097eabh3fcd8aeabf60978e@mail.gmail.com>

Hello everybody,

First of all, I'll introduce myself. I'm Patrick, responsible for a small French hosting network. It was formerly Foundry-based and now it has been upgraded to Cisco 6500 / SUP720-3BXL routers.

I had been using sflow up to now. It's very simplistic - and worked well for me with our in-house analysis software. This is how it works: the headers (source+destination ip/port + packet size + protocol...) of one packet in N packets are sent to the sflow collector. The sflow collector uses this sampled data to get a big picture of what happens in the network. I like this system. It's not super accurate but accurate enough in my case, it's simple, and my software knows how to use it.

I have been reading a lot of documentation about Cisco sampled netflow, and trying out a few config parameters. But it doesn't seem to be able to work in the same way as sflow. Is this operating mode available on Cisco? Do you have any understandable pointers about this?
Up to now, all I found that looked like what I want is outdated stuff about Cisco 12000 and IOS 12.0.x

BTW I'm running 12.2(18)SXF15

Thanks,
Patrick

From lukasz at bromirski.net Fri Nov 14 20:22:51 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 15 Nov 2008 02:22:51 +0100
Subject: [c-nsp] Recommended Cisco boxes for a small multihoming solution?
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net>
Message-ID: <491E246B.6060306@bromirski.net>

Hank Nussbacher wrote:
> And to repeat - to the best of my knowledge the 3825 can't take 1GB of
> RAM and therefore is not an optimal solution for small multihoming. -Hank

Yes it can, table 2 here:
http://www.cisco.com/en/US/prod/collateral/routers/ps5855/product_data_sheet0900aecd8016a8e8.html

or in the hardware installation guide here:
http://www.cisco.com/en/US/docs/routers/access/3800/hardware/installation/guide/38comp.html#wp1008551

Also, 'been there done that - works'. A separate question is why you need 1GB of RAM to do multihoming, if 512MB of RAM will do even with soft-reconfig. Of course, if you're not running a lot of other things on the box, which you shouldn't.

To get to the point - ASR1002 would be the box.

--
"Don't expect me to cry for all the    | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From mathew.cameron at soulaustralia.com.au Fri Nov 14 20:35:00 2008
From: mathew.cameron at soulaustralia.com.au (Mathew Cameron)
Date: Sat, 15 Nov 2008 12:35:00 +1100
Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1

Guys

I am trying to design a failsafe solution for a large number of customers. The solution is plain ethernet and I was planning to use 3750-12S switches as a router. However, I read the data sheet from Cisco and found out that it only supports 32 HSRP links.
I have tried to get the same information regarding the NPE-G1 and have turned up empty. Does anyone know what the maximum number of HSRP links is on the G1? I think 32 might be a little too restrictive.

Many Thanks
Mat

From mksmith at adhost.com Fri Nov 14 21:26:06 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Fri, 14 Nov 2008 18:26:06 -0800
Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1

Hello Matthew:

On 11/14/08 5:35 PM, "Mathew Cameron" wrote:
> Guys
>
> I am trying to design a failsafe solution for a large amount of customers. The
> solution is plain ethernet and i was planning to use 3750-12s switches as a
> router. However I read the Data Sheet from cisco and found out that it only
> support 32 HSRP links. I have tried to get the same information regarding the
> NPE-G1 and have turned up empty. Does anyone know what the maximum amount of
> HSRP links are on the G1? I think 32 might be a little too restrictive.

This is a YMMV answer, but I think the only limitation is 255 per interface. By the way, you can do secondary IP addresses on the 32 HSRP ranges to your heart's content.

Regards,
Mike

From MLouis at nwnit.com Fri Nov 14 22:23:29 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Fri, 14 Nov 2008 22:23:29 -0500
Subject: [c-nsp] sampled netflow on 6500

You can use sampled netflow to accomplish the same thing as sflow. Netflow v9 is based on the IPFIX std so it will offer many of its features

-----Original Message-----
From: Patrick Viet
Sent: Friday, November 14, 2008 8:00 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] sampled netflow on 6500

Hello everybody,

First of all, I'll introduce myself. I'm Patrick, responsible for a small French hosting network. It was formerly Foundry-based and now it has been upgraded to Cisco 6500 / SUP720-3BXL routers.
From sf at lists.esoteric.ca Fri Nov 14 23:16:05 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Fri, 14 Nov 2008 23:16:05 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
Message-ID: <491E4D05.8020100@lists.esoteric.ca>

I've got an EoMPLS VC between two devices. Device A is a Cisco 3750 Metro, Device B is a ME6524.
There are some intermediary devices in between.

The VC is up on the 3750M. The VC is down on the ME6524. There is a targeted LDP session configured on both sides; both are up.

Both hosts are in OSPF Area 0, and each one's /32 Loopback is seen in both the FIB and RIB.

I'm curious why the VC would be seen as up on the 3750M, but down on the ME6524. The only clue I have found is in the following snippet, where the Next hop is listed as an Invalid ADDR.

ME6524#sh mpls l2transport vc 655 detail
Local interface: Vl655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: down
    Output interface: none, imposed label stack {1491 69}
    Preferred path: not configured
    Default path: active
    Next hop: Invalid ADDR    <---- ??
  Create time: 00:39:19, last status change time: 00:19:19
  Signaling protocol: LDP, peer 10.200.20.1:0 up
    MPLS VC labels: local 311, remote 69
    Group ID: local 0, remote 0
    MTU: local 1500, remote 1500
    Remote interface description: *Redacted*
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 1130, send 0
    byte totals:   receive 76832, send 0
    packet drops:  receive 0, send 0

However, the 3750M's /32 is listed in the proper CEF adjacency, pointing to the correct cross-connect VLAN. The RIB entry is fine.

The ME6524 is running SXH 3a, the 3750M is running 12.2(44)SE2.

Ideas?

--
Stephen

From ray at oneunified.net Sat Nov 15 00:09:06 2008
From: ray at oneunified.net (Ray Burkholder)
Date: Sat, 15 Nov 2008 01:09:06 -0400
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To: <491E246B.6060306@bromirski.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net>

>
> Hank Nussbacher wrote:
> > And to repeat - to the best of my knowledge the 3825 can't take 1GB of
> > RAM and therefore is not an optimal solution for small multihoming.
> > -Hank

In Cisco's Dynamic Configurator, you can upgrade from 256M to 1024M.

> To get to the point - ASR1002 would be the box.
>
> --

Are ASR1002's actually worth 3x the price of something like a 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can become 5x to 10x the price. Does it push that many extra packets that much faster?

Also, in using Cisco's Feature Navigator to compare feature sets, say ADV IP, the XE 2.2.1 line seems to lack a bunch of stuff that might be in say SRD 12.2.33 or SXH 12.2.33, like MPLS TE or further IP6 features.

Sometimes Juniper's supposedly unified feature set across all devices seems like it might have benefits for easing product selection in terms of hardware rather than fighting for software / hardware combinations. Or is that actually a strategy?

From mtinka at globaltransit.net Sat Nov 15 00:32:34 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 15 Nov 2008 13:32:34 +0800
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <491E246B.6060306@bromirski.net>
Message-ID: <200811151332.39563.mtinka@globaltransit.net>

On Saturday 15 November 2008 13:09:06 Ray Burkholder wrote:
> Sometimes Juniper's supposedly unified feature set across
> all devices seems like it might have benefits for easing
> product selection in terms of hardware rather than
> fighting for software / hardware combinations. Or is
> that actually a strategy?

It does make life easier.

Mark.
From oboehmer at cisco.com Sat Nov 15 03:40:10 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 15 Nov 2008 09:40:10 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491E4D05.8020100@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>

> I've got an EoMPLS VC between two devices. Device A is a Cisco 3750
> Metro, Device B is a ME6524. There are some intermediary devices in
> between.
>
> The VC is up on the 3750M. The VC is down on the ME6524. There is a
> targeted LDP session configured on both sides, both are up.
>
> Both hosts are in OSPF Area 0, and each's /32 Loopback is seen in
> both the FIB and RIB.
>
> I'm curious why the VC would be seen as up on the 3750M, but down on
> the ME6524. The only clue I have found is in the following snippet,
> the Next hop is listed as an Invalid ADDR.
>
> ME6524#sh mpls l2transport vc 655 detail
> Local interface: Vl655 up, line protocol up, Eth VLAN 655 up
>   Destination address: 10.200.1.8, VC ID: 655, VC status: down
>     Output interface: none, imposed label stack {1491 69}
>     Preferred path: not configured
>     Default path: active
>     Next hop: Invalid ADDR    <---- ??

you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In order for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing linecard, something which isn't possible on the fixed-configuration ME6524.. So you need to move xconnect to the physical port.

oli

From christian at qunec.net Sat Nov 15 04:09:53 2008
From: christian at qunec.net (Christian Meutes)
Date: Sat, 15 Nov 2008 10:09:53 +0100
Subject: [c-nsp] Load-sharing between two routing protocols with same administrative distance?
In-Reply-To: <20081114195705.GC29895@elvis.mu.org>
References: <20081114180240.GA4941@diveo.net.br> <20081114195705.GC29895@elvis.mu.org>
Message-ID: <480A78E89D2F8BC514E48321@tok>

Hi,

--On Friday, 14.
November 2008 11:57 -0800 bill fumerola wrote:
> redistribute routes from one protocol into another and use route-maps
> to change the metrics and route 'type' (protocol dependent) such that
> the protocol considers them equal cost.
>
> the usual warnings about route redistribution apply: using tags so loops
> don't occur and taking care not to redistribute too many routes.

won't work in most cases. Routes redistributed from IGP to BGP are better than routes learned from eBGP or iBGP - vice versa, routes redistributed from BGP to IGP (i.e. OSPF, EIGRP) are seen as external and will lose in route decision if the IGP prefix is native/internal (will work if the route is first learned with IGP, because locally redistributed routes in BGP are better). In the second case you can change metric and metric-type on redistribution to IGP and ECMP could take place then, but if the prefix is first learned from BGP and then from IGP - BGP wins and the OSPF prefix can't be used for load-sharing inside of the ASBR. Route selection in these cases is highly dependent on timing and is something I wouldn't recommend.

Cheers,
christian

From oboehmer at cisco.com Sat Nov 15 04:32:30 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 15 Nov 2008 10:32:30 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5BE@xmb-ams-333.emea.cisco.com>

Christoph Loibl wrote on Saturday, November 15, 2008 10:24:
> Hi,
>
> On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>>
>> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In
>> order for this to work on Cat65xx/Sup720, you need OSM/SIP as
>> core-facing linecard, something which isn't possible on the
>> fixed-configuration ME6524.. So you need to move xconnect to the
>> physical port.
>
> Hm.
> What is the cisco-speak "correct" name now (which in fact is not
> very intuitive): Vlan-based or SVI-based? Vlan-based is
>
> interface gigabitethernet 1/interface.subinterface
>  encapsulation dot1q vlan_id
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> This is possible on sup720 even without any fancy linecards. But SVI-based
>
> interface vlan 10
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but
> works fine on ME3750. Thus SVI-based (on ME3750) together with VLAN-
> based (on ME6524) should work.

Correct, sorry for ambiguous terminology..

oli

From c at tix.at Sat Nov 15 04:24:00 2008
From: c at tix.at (Christoph Loibl)
Date: Sat, 15 Nov 2008 10:24:00 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com>

Hi,

On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>
> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In
> order for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing
> linecard, something which isn't possible on the fixed-configuration
> ME6524..
> So you need to move xconnect to the physical port.

Hm. What is the cisco-speak "correct" name now (which in fact is not very intuitive): Vlan-based or SVI-based? Vlan-based is

interface gigabitethernet 1/interface.subinterface
 encapsulation dot1q vlan_id
 xconnect peer_router_id vcid encapsulation mpls
!

This is possible on sup720 even without any fancy linecards. But SVI-based

interface vlan 10
 xconnect peer_router_id vcid encapsulation mpls
!

requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but works fine on ME3750. Thus SVI-based (on ME3750) together with VLAN-based (on ME6524) should work.
When configuring SVI-based EoMPLS on the ME6524, usually some kind of warning is logged ("Config not supported", or "MPLS configured on LAN interfaces", as far as I remember).

Stoffi

--
CHRISTOPH LOIBL
mailto:c at tix.at  | No trees were killed in the creation of this message.
http://www.sil.at | However, many electrons were terribly inconvenienced.
CL8-RIPE            PGP-Key-ID: 0x4B2C0055

From chloekcy2000 at yahoo.ca Sat Nov 15 06:57:18 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 06:57:18 -0500 (EST)
Subject: [c-nsp] tftp
Message-ID: <275687.78482.qm@web57415.mail.re1.yahoo.com>

Hi

How do I copy the flash to tftp? Can you help?

thank you

From chloekcy2000 at yahoo.ca Sat Nov 15 07:03:30 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 07:03:30 -0500 (EST)
Subject: [c-nsp] log failure logon
In-Reply-To: <491B0104.7040708@gmail.com>
Message-ID: <17285.65927.qm@web57404.mail.re1.yahoo.com>

Thank you

But I can't find this command!

I am using IOS (tm) 3700 Software (C3725-I-M), Version 12.3(6e).

router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#line vty 0 4
router(config-line)#login ?
  local   Local password checking
  tacacs  Use tacacs server for password checking
router(config-line)#exit
router(config)#login ?
% Unrecognized command
router(config)#login

ghostonthewire wrote:

Hi!

Try to use the "login on-failure log" command (Cisco IOS Login Enhancements feature; for further details look through http://b23.ru/6f5). Also use Feature Navigator to find out if this feature is supported by your software image (surely doesn't work on releases prior to 12.4(19), dunno about 12.2S trains).

chloe K wrote:
> Hi
>
> I see there is a command authenticate failure rate but can't find it on my router
>
> Now.
> How can I log the failure logon?
>
> Thank you

From lukasz at bromirski.net Sat Nov 15 08:03:41 2008
From: lukasz at bromirski.net (Łukasz Bromirski)
Date: Sat, 15 Nov 2008 14:03:41 +0100
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net>
Message-ID: <491EC8AD.2000407@bromirski.net>

Ray Burkholder wrote:
>> To get to the point - ASR1002 would be the box.
> Are ASR1002's actually worth 3x the price of something like a
> 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can
> become 5x to 10x the price. Does it push that many extra packets that much
> faster?

NPE-G2 is a CPU (or - software) router. It does have the capability to push 2Mpps in theory; now with new features (even with optimized CEF feature tree) it will grind down to 1.2~1.8Mpps. ASR1002 does switch traffic in hardware (via QFP on ESPs) and adding 'services' doesn't cost either any or significant slowdown in forwarding the traffic. It can push up to 7Mpps (ESP-5) or 15Mpps (ESP-10) without features like IP Multicast, QoS, ACLs, uRPF, and goes down to 'only' around 4Mpps or 8Mpps respectively if those features are configured in the switching path. That's a difference.
ASR1002-5G/K9, a bundle with Advanced Enterprise Services and 4GB of RAM, and 4xGE ports (SFP that is), is 40k$ in GPL, and 7206VXR bundled with NPE-G2 and the same software to have IPv6/etc is 27k$. Which is a 13k$ difference, not '5x to 10x the price'. And with NPE-G2 you're limited to 2GB of RAM and software packet processing, which of course isn't that bad considering what kind of traffic and how much of the traffic the box has to push through - it's 100Mbit/s as Magnus said at the beginning of the thread.

> Also, in using Cisco's Feature Navigator to compare feature sets, say ADV
> IP, the XE 2.2.1 line seems to lack a bunch of stuff that might be in say
> SRD 12.2.33 or SXH 12.2.33 like MPLS TE or further IP6 features.

Apart from some fancier designs, what do you need MPLS TE for on a BGP peering box? It has to push packets fast, store millions of forwarding entries and have the ability to protect the control plane. Shouldn't that be the priority?

--
"Don't expect me to cry for all the    | Łukasz Bromirski
reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net

From pviet at azuria.net Sat Nov 15 09:09:24 2008
From: pviet at azuria.net (Patrick Viet)
Date: Sat, 15 Nov 2008 15:09:24 +0100
Subject: [c-nsp] sampled netflow on 6500
Message-ID: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com>

On Sat, Nov 15, 2008 at 4:23 AM, Mike Louis wrote:
> You can use sampled netflow to accomplish the same thing as sflow. Netflow
> v9 is based on the IPFIX std so it will offer many of its features
>

Hi; are you sure about this? From what I've read it's the opposite: IPFIX has based its frame format on Netflow v9.

Any ideas about how to configure this on SUP720-3BXL with SXF15? Or do I need another IOS (SXH?)
Thanks,
Patrick

From MLouis at nwnit.com Sat Nov 15 09:12:13 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Sat, 15 Nov 2008 09:12:13 -0500
Subject: [c-nsp] sampled netflow on 6500
In-Reply-To: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com>
References: <947d497f0811150609o256e33e4m2e578818cd4dc8da@mail.gmail.com>

Sounds like I got that backwards. Here is a link to configuring netflow sampling. I don't see a lot of options in the SXH configuration guide at the moment. I will keep looking.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/nde.html#wp1143262

From: patrick.viet at gmail.com [mailto:patrick.viet at gmail.com] On Behalf Of Patrick Viet
Sent: Saturday, November 15, 2008 9:09 AM
To: Mike Louis
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] sampled netflow on 6500

Hi ; are you sure about this ? From what I've read it's the opposite : IPFIX has based its frame format on Netflow v9.

Any ideas about how to configure this on SUP720-3BXL with SXF15 ? Or do I need another IOS (SXH?)

Thanks,
Patrick
If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately. From eduardo at intron.com.br Sat Nov 15 11:56:16 2008 From: eduardo at intron.com.br (=?ISO-8859-1?Q?Eduardo_Ascen=E7o_Reis?=) Date: Sat, 15 Nov 2008 14:56:16 -0200 Subject: [c-nsp] Maximum amount of HSRP sessions - NPE-G1 In-Reply-To: References: Message-ID: <45e3c45f0811150856t63d9633dk61e1b534ceca2512@mail.gmail.com> Hi Mathew, 2008/11/14 Mathew Cameron : > Does anyone know what the maximum amount of HSRP links are on the G1? I think 32 might be a little too restrictive. It depends on HSRP version. Version 1 uses 8 bits to address group numbers (0 to 255) and version 2 extends it to 12 bits allowing you to use group number range from 0 to 4095. This extension also helps your life during provisioning and troubleshooting tasks because you can use the same ID for VLAN and HSRP v2 group. For additional information about HSRP v2 take a look in the following URL: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gthsrpv2.html Regards, -- Eduardo Ascen?o Reis From sf at lists.esoteric.ca Sat Nov 15 11:58:07 2008 From: sf at lists.esoteric.ca (Stephen Fulton) Date: Sat, 15 Nov 2008 11:58:07 -0500 Subject: [c-nsp] EoMPLS VC up on one side, not on the other. In-Reply-To: References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> Message-ID: <491EFF9F.6070201@lists.esoteric.ca> Thanks Stoffi, Oli.. The VLAN was SVI-based on the ME6524. I've switched to VLAN-based, attached to the outgoing interface.. The VC is not coming up, so I've included a snippet below, in case I've missed anything. Also, there is a name Cisco refers to adding a sub-interface for xconnect statements, while the main interface can be trunked for passing standard VLAN's. For the life of me I cannot remember what it is. Any ideas there? 
ME6524#sh run int Gi1/10
Building configuration...

Current configuration : 464 bytes
!
interface GigabitEthernet1/10
 description Trunk to Edge device
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 16,305,330
 switchport mode trunk
 switchport nonegotiate
 mtu 9000
 logging event link-status
 logging event trunk-status
 logging event spanning-tree status
 logging event subif-link-status ignore-bulk
 speed 1000
 duplex full
 spanning-tree portfast trunk
 spanning-tree guard none
end

ME6524#sh run int gi1/10.655
Building configuration...

Current configuration : 112 bytes
!
interface GigabitEthernet1/10.655
 encapsulation dot1Q 655
 xconnect 10.200.1.8 655 encapsulation mpls
end

ME6524#sh mpls l2transport vc 655 detail
Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
  Destination address: 10.200.1.8, VC ID: 655, VC status: down
    Output interface: if-?(0), imposed label stack {}
    Preferred path: not configured
    Default path: no route
    No adjacency
  Create time: 00:05:18, last status change time: 00:05:18
  Signaling protocol: LDP, peer 10.200.1.8:0 up
    MPLS VC labels: local 330, remote 69
    Group ID: local 0, remote 0
    MTU: local 9000, remote 1500
    Remote interface description: MPLS Test VLAN
  Sequencing: receive disabled, send disabled
  VC statistics:
    packet totals: receive 0, send 0
    byte totals:   receive 0, send 0
    packet drops:  receive 0, send 0

Thoughts?

-- Stephen

Christoph Loibl wrote:
> Hi,
>
> On Nov 15, 2008, at 9:40 AM, Oliver Boehmer (oboehmer) wrote:
>>
>> you've configured vlan-based EoMPLS (i.e. xconnect on the SVI). In order
>> for this to work on Cat65xx/Sup720, you need OSM/SIP as core-facing
>> linecard, something which isn't possible on the fixed-configuration
>> ME6524..
>> So you need to move xconnect to the physical port.
>
> Hm. What is the cisco-speak "correct" name now (which in fact is not
> very intuitive): Vlan-based or SVI-based? Vlan-based is
>
> interface gigabitethernet 1/interface.subinterface
>  encapsulation dot1q vlan_id
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> This is possible on sup720 even without any fancy linecards. But SVI-based
>
> interface vlan 10
>  xconnect peer_router_id vcid encapsulation mpls
> !
>
> requires those OSM/SIP modules on cat65xx/Sup720 (as Oli wrote) but
> works fine on ME3750. Thus SVI-based (on ME3750) together with
> VLAN-based (on ME6524) should work.
>
> When configuring SVI-based EoMPLS on the ME6524 usually some kind of
> warning is logged ("Config not supported", or "MPLS configured on LAN
> interfaces" as far as I remember).
>
> Stoffi
>


From michel.renfer at finecom.ch Sat Nov 15 12:09:34 2008
From: michel.renfer at finecom.ch (Michel Renfer)
Date: Sat, 15 Nov 2008 18:09:34 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>

Hi Stephen

What IOS version do you run on your 6524? Muxed UNI is supported from 12.2SR on 7600. You have to check the availability on the 6524ME platform...

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020

cheers,
michel

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Fulton
Sent: Saturday, November 15, 2008 5:58 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] EoMPLS VC up on one side, not on the other.

[...]


From sf at lists.esoteric.ca Sat Nov 15 12:18:50 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 12:18:50 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <7ABEE57B986BDA429B535673CBE0C623035A9582@xanthe.lan.intra>
Message-ID: <491F047A.4000008@lists.esoteric.ca>

Michael,

Thanks for the term, and yes it is supported according to the documentation on SXH.

-- Stephen

Michel Renfer wrote:
> Hi Stephen
>
> What IOS version do you run on your 6524? Muxed UNI is supported from
> 12.2SR on 7600. You have to
> check the availability on the 6524ME platform...
>
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/pfc3mpls.html#wp1406020
>
> cheers,
> michel
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephen Fulton
> Sent: Saturday, November 15, 2008 5:58 PM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] EoMPLS VC up on one side, not on the other.
>
> [...]


From blahu77 at gmail.com Sat Nov 15 12:34:17 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 15 Nov 2008 17:34:17 +0000
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <383357750811150934j575c936aw9ce53cf9a6620020@mail.gmail.com>

2008/11/15 Stephen Fulton :
> Thanks Stoffi, Oli..
>
> The VLAN was SVI-based on the ME6524. I've switched to VLAN-based, attached
> to the outgoing interface.. The VC is not coming up, so I've included a
> snippet below, in case I've missed anything.

[...]

> ME6524#sh run int gi1/10.655
> Building configuration...
>
> Current configuration : 112 bytes
> !
> interface GigabitEthernet1/10.655
>  encapsulation dot1Q 655
>  xconnect 10.200.1.8 655 encapsulation mpls
> end
>
> ME6524#sh mpls l2transport vc 655 detail
> Local interface: Gi1/10.655 up, line protocol up, Eth VLAN 655 up
>   Destination address: 10.200.1.8, VC ID: 655, VC status: down
>     Output interface: if-?(0), imposed label stack {}

Can you do "show ip route 10.200.1.8"? Also "sh run int X" to which above route resolves?
Best Regards,
-mat
--
pgp-key 0x1C655CAB


From marcus at gangusinternet.com Sat Nov 15 14:23:25 2008
From: marcus at gangusinternet.com (Marcus Marinelli)
Date: Sat, 15 Nov 2008 11:23:25 -0800
Subject: [c-nsp] Recommended Cisco boxes for a smallmultihoming solution?
In-Reply-To: <491EC8AD.2000407@bromirski.net>
References: <68a978e90811130252o86243d7yb804af67ea7ea755@mail.gmail.com> <200811141318.31251.mtinka@globaltransit.net> <491E246B.6060306@bromirski.net> <491EC8AD.2000407@bromirski.net>
Message-ID:

Łukasz,

I'm not trying to argue that the ASR is not the "better" box in the "Edge Router" category, but I just want to remind everyone that Magnus originally was looking for:

"smallest recommeded[sic] Cisco boxes to use for a small multihoming solution"

With the requirements of:

- 2 full BGP views (approx 260k routes each)
- 100 Mbps bandwidth requirement. (do you have any idea of PPS?)

I think we would all agree that for the most part, an ASR 1002 is very likely to be overkill in this situation. Sure, the VXR will slow down as you add more features, but as you were alluding to at the end of your email, not a whole lot of features are really likely to be necessary in this case.

The VXR route has something going for it in this case that the ASR doesn't - it's been around for a while, and people know them [and 'classic' IOS] very well. You can also pick up a used 7200VXR chassis and NPE-G1 or G2 for super cheap (<$10k for a G1 + chassis + power), and have that as a spare.

Marcus

2008/11/15 Łukasz Bromirski

> Ray Burkholder wrote:
>
>>> To get to the point - ASR1002 would be the box.
>>
>> Are ASR1002's actually worth 3x the price of something like a
>> 7206VXR/NPE-G2? When you add appropriate licensing costs, pricing can
>> become 5x to 10x the price. Does it push that many extra packets that
>> much faster?
>
> NPE-G2 is CPU (or - software) router. It does have capability to
> push 2Mpps in theory, now with new features (even with optimized CEF
> feature tree) it will grind down to 1.2~1.8Mpps. ASR1002 does switch
> traffic in hardware (via QFP on ESPs) and adding 'services' doesn't
> cost either any or significant slowdown in forwarding the traffic.
> It can push up to 7Mpps (ESP-5) or 15Mpps (ESP-10) without features
> like IP Multicast QoS, ACLs, QoS, uRPF, and goes down to 'only'
> around 4Mpps or 8Mpps respectively if those features are configured
> in switching path. That's a difference.
>
> [...]
>
> -- 
> "Don't expect me to cry for all the | Łukasz Bromirski
>  reasons you had to die" -- Kurt Cobain | http://lukasz.bromirski.net


From chloekcy2000 at yahoo.ca Sat Nov 15 15:33:51 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 15:33:51 -0500 (EST)
Subject: [c-nsp] tftp
In-Reply-To: <200811152253.14374.mtinka@globaltransit.net>
Message-ID: <770379.30691.qm@web57402.mail.re1.yahoo.com>

yes. it works

how can I verify the flash?

Thank you

Mark Tinka wrote:
> On Saturday 15 November 2008 19:57:18 chloe K wrote:
>> Hi
>>
>> How to copy the flash to tftp?
>
> #copy flash: tftp:
>
> Cheers,
> Mark.


From eng_mssk at hotmail.com Sat Nov 15 15:38:59 2008
From: eng_mssk at hotmail.com (Mohammad Khalil)
Date: Sat, 15 Nov 2008 22:38:59 +0200
Subject: [c-nsp] tftp
In-Reply-To: <275687.78482.qm@web57415.mail.re1.yahoo.com>
References: <275687.78482.qm@web57415.mail.re1.yahoo.com>
Message-ID:

You have to install a TFTP server on your PC (solarwinds or any other) and issue the command

copy flash: tftp:

You have to issue the command dir or show version to take the IOS image you want to copy, and make sure of the connectivity between your PC and the router (disable Windows firewall, and if you have ASA or PIX or any other firewalls make sure to allow the TFTP UDP port).

Thanks

> Date: Sat, 15 Nov 2008 06:57:18 -0500
> From: chloekcy2000 at yahoo.ca
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] tftp
>
> Hi
>
> How to copy the flash to tftp?
>
> Can you help?
>
> thank you


From chloekcy2000 at yahoo.ca Sat Nov 15 15:46:48 2008
From: chloekcy2000 at yahoo.ca (chloe K)
Date: Sat, 15 Nov 2008 15:46:48 -0500 (EST)
Subject: [c-nsp] tftp
In-Reply-To:
Message-ID: <308621.39554.qm@web57412.mail.re1.yahoo.com>

Thank you

but I can verify the flash is good

thank you

Mohammad Khalil wrote:
> [...]
From rubensk at gmail.com Sat Nov 15 16:30:19 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Sat, 15 Nov 2008 19:30:19 -0200
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>

> Signaling protocol: LDP, peer 10.200.1.8:0 up
> MPLS VC labels: local 330, remote 69
> Group ID: local 0, remote 0
> MTU: local 9000, remote 1500

Try matching the MTU of both ends. Be aware that 3750 has both global and local MTU, and a global MTU change on the 3750 requires a reload.

Rubens


From sf at lists.esoteric.ca Sat Nov 15 16:36:03 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 16:36:03 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
Message-ID: <491F40C3.50805@lists.esoteric.ca>

Thanks Rubens, I totally missed that when I reconfigured for mux uni. The VC is now up, and I can pass traffic each way. Thanks :)

-- Stephen

Rubens Kuhl Jr. wrote:
>> Signaling protocol: LDP, peer 10.200.1.8:0 up
>> MPLS VC labels: local 330, remote 69
>> Group ID: local 0, remote 0
>> MTU: local 9000, remote 1500
>
> Try matching the MTU of both ends. Be aware that 3750 has both global
> and local MTU, and a global MTU change on the 3750 requires a reload.
>
> Rubens


From gert at greenie.muc.de Sat Nov 15 17:09:12 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Sat, 15 Nov 2008 23:09:12 +0100
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <491EFF9F.6070201@lists.esoteric.ca>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca>
Message-ID: <20081115220912.GA8535@greenie.muc.de>

Hi,

On Sat, Nov 15, 2008 at 11:58:07AM -0500, Stephen Fulton wrote:
> MTU: local 9000, remote 1500

Welcome to EoMPLS hell.

If MTUs do not match, the VC won't come up. And you can't change the "raw" MTU on a dot1q subinterface.

I seem to remember that there is a knob in recent SR* IOS trains that permits you to ignore MTU mismatches, but I have forgotten the details - Ytti will know all the details (how to configure it plus availability).

Workaround: make sure the "base interface" MTU is the same on both sides ("gig 0/1", with no ".123").

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From sf at lists.esoteric.ca Sat Nov 15 17:53:42 2008
From: sf at lists.esoteric.ca (Stephen Fulton)
Date: Sat, 15 Nov 2008 17:53:42 -0500
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <20081115220912.GA8535@greenie.muc.de>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de>
Message-ID: <491F52F6.1010200@lists.esoteric.ca>

Gert,

When I decided to get into the networking field, I knew that MTU was the bane of the industry, I just did not realize I'd still be dealing with it years later :) EoMPLS hell, indeed.

If Ytti's reading, I'd like to know what those details are too. Right now I have 7600/RSP720's in the core, not the edge, so it is of limited use to me right now, but it's worth knowing, especially when I roll out VPLS.

I *do* wish that I could change the MTU of SVI's on the 3750 Metro, like I can do on the 7600/RSP7200 SR train. *hint hint*..

Anyway, thanks all :)

-- Stephen

Gert Doering wrote:
> Hi,
>
> On Sat, Nov 15, 2008 at 11:58:07AM -0500, Stephen Fulton wrote:
>> MTU: local 9000, remote 1500
>
> Welcome to EoMPLS hell.
>
> [...]
>
> gert


From blahu77 at gmail.com Sat Nov 15 18:22:52 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Sat, 15 Nov 2008 23:22:52 +0000
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
References: <491E4D05.8020100@lists.esoteric.ca> <70B7A1CCBFA5C649BD562B6D9F7ED7840661C5B6@xmb-ams-333.emea.cisco.com> <491EFF9F.6070201@lists.esoteric.ca> <6bb5f5b10811151330k7b5125faic366e0cf16e138fb@mail.gmail.com>
Message-ID: <383357750811151522x329525b0i8c26245e6e8ff1be@mail.gmail.com>

2008/11/15 Rubens Kuhl Jr. :
>> Signaling protocol: LDP, peer 10.200.1.8:0 up
>> MPLS VC labels: local 330, remote 69
>> Group ID: local 0, remote 0
>> MTU: local 9000, remote 1500
>
> Try matching the MTU of both ends. Be aware that 3750 has both global
> and local MTU, and a global MTU change on the 3750 requires a reload.

Right, I missed that - as the OP listing had the MTU correct. Sometimes you look but you don't see.

Best Regards,
-mat
--
pgp-key 0x1C655CAB


From mtinka at globaltransit.net Sat Nov 15 09:53:09 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sat, 15 Nov 2008 22:53:09 +0800
Subject: [c-nsp] tftp
In-Reply-To: <275687.78482.qm@web57415.mail.re1.yahoo.com>
References: <275687.78482.qm@web57415.mail.re1.yahoo.com>
Message-ID: <200811152253.14374.mtinka@globaltransit.net>

On Saturday 15 November 2008 19:57:18 chloe K wrote:
> Hi
>
> How to copy the flash to tftp?

#copy flash: tftp:

Cheers,
Mark.


From mtinka at globaltransit.net Sat Nov 15 18:39:28 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Sun, 16 Nov 2008 07:39:28 +0800
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <20081115220912.GA8535@greenie.muc.de>
References: <491E4D05.8020100@lists.esoteric.ca> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de>
Message-ID: <200811160739.33412.mtinka@globaltransit.net>

On Sunday 16 November 2008 06:09:12 Gert Doering wrote:
> I seem to remember that there is a knob in recent SR* IOS
> trains that permits you to ignore MTU mismatches, but I
> have forgotten the details - Ytti will know all the details
> (how to configure it plus availability).

You might want to check this out:

http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

Cheers,
Mark.
From frnkblk at iname.com Sat Nov 15 21:53:44 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Sat, 15 Nov 2008 20:53:44 -0600
Subject: [c-nsp] High CPU on 3750G-24-TS
In-Reply-To: <20081112131949.GA9101@bts.sk>
References: <845941.14812.qm@web25502.mail.ukl.yahoo.com> <20081112131949.GA9101@bts.sk>
Message-ID:

We did this on a Cisco 7206VXR running 12.2(26) to regain several percentage points of CPU....definitely worth it.

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marian Durkovic
Sent: Wednesday, November 12, 2008 7:20 AM
To: William
Cc: cisco-nsp
Subject: Re: [c-nsp] High CPU on 3750G-24-TS

On Wed, Nov 12, 2008 at 11:48:00AM +0000, William wrote:
> We currently use ip igmp join-group x.x.x.x under the vlan interface.

This is exactly the problem. "ip igmp join-group" causes all multicast packets for this group to be forwarded also to the CPU. You need to use "ip igmp static-group" instead - then the packets are only forwarded to the specified interface, but not copied to the CPU.

With kind regards,

M.

From spinthiras.mario at gmail.com Sun Nov 16 00:00:06 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Sun, 16 Nov 2008 07:00:06 +0200
Subject: [c-nsp] Cisco 3560 to Dell 6248 Trunking?
In-Reply-To: <20081114133928.3C7816F064@alopias.GreenKey.net>
References: <17838240D9A5544AAA5FF95F8D52031604F28680@ad-exh01.adhost.lan> <034e01c945fb$52df6610$f89e3230$@id.au> <20081114133928.3C7816F064@alopias.GreenKey.net>
Message-ID: <4f890e580811152100s36e3c525habfee1387624a728@mail.gmail.com>

Do you want to do trunking or manage vlans automatically over a trunk? Dot1Q should take care of the trunk part. I could have sworn I've used GVRP on a 3560 before but I am not sure, it could have been a 3570 or something.

Regards,
Mario.

From sammw70 at hotmail.com Sun Nov 16 04:05:31 2008
From: sammw70 at hotmail.com (Sim Meng Wai)
Date: Sun, 16 Nov 2008 17:05:31 +0800
Subject: [c-nsp] log failure logon
In-Reply-To: <17285.65927.qm@web57404.mail.re1.yahoo.com>
References: <491B0104.7040708@gmail.com> <17285.65927.qm@web57404.mail.re1.yahoo.com>
Message-ID:

Hi,

I believe you require version 12.4.

Rack1R1(config)#login ?
  block-for   Set quiet-mode active time period
  delay       Set delay between successive fail login
  on-failure  Set options for failed login attempt
  on-success  Set options for successful login attempt
  quiet-mode  Set quiet-mode options

Rack1R1#sh ver
Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(10a), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by Cisco Systems, Inc.
Compiled Wed 11-Oct-06 20:52 by prod_rel_team

ROM: System Bootstrap, Version 11.1(20)AA2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Rack1R1 uptime is 2 weeks, 5 days, 10 hours, 7 minutes
System returned to ROM by reload
System image file is "flash:c3640-jk9o3s-mz[1].124-10a.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export at cisco.com.

Cisco 3640 (R4700) processor (revision 0x00) with 122880K/8192K bytes of memory.

Rgds,
Sam

> Date: Sat, 15 Nov 2008 07:03:30 -0500
> From: chloekcy2000 at yahoo.ca
> To: ghostonthewire at gmail.com
> CC: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] log failure logon
>
> Thank you
>
> But I can't find this command !
>
> I am using IOS (tm) 3700 Software (C3725-I-M), Version 12.3(6e),
>
> router#config t
> Enter configuration commands, one per line.  End with CNTL/Z.
> router(config)#line vty 0 4
> router(config-line)#login ?
>   local   Local password checking
>   tacacs  Use tacacs server for password checking
>
> router(config-line)#exit
> router(config)#login ?
> % Unrecognized command
> router(config)#login
>
> ghostonthewire wrote:
> Hi!
>
> Try to use "login on-failure log" command (Cisco IOS Login Enhancements
> feature, for further details look through http://b23.ru/6f5). Also use
> feature navigator to find if this feature is supported by your software
> image (surely doesn't work on releases prior to 12.4(19), dunno about
> 12.2S trains).
>
> chloe K wrote:
> > Hi
> >
> > I see there is command authenticate failure rate but can't find my router
> >
> > Now. how I can log the failure logon
> >
> > Thank you
From jabley at hopcount.ca Sun Nov 16 09:36:33 2008
From: jabley at hopcount.ca (Joe Abley)
Date: Sun, 16 Nov 2008 09:36:33 -0500
Subject: [c-nsp] c2924XL fail
Message-ID: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>

Hi all,

I have an old, slightly nasty c2924XL switch in my basement. It has been sitting there unplugged for some time, and just got pulled out of the cupboard and powered up because the switch I was using failed.

Every hour or so, the switch is rebooting. The following are examples of what I see on the console. Is this switch toast, or is there some software/configuration remedy to whatever is causing this reload? It seems to happen every hour or so that the switch is under any kind of load.

Joe

isco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

%Software-forced reload
Preparing to dump core...
Buffered messages:
00:00:38: %SYS-5-CONFIG: Configured from NVRAM by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino
00:19:37: Frame Invalid Detected on Del Mar 2 port mask = 0x10
Queued messages:
00:19:38: %SYS-3-LOGGER_FLUSHING: System pausing to ensure console debugging output.
00:19:37: Frame Invalid Detected on Del Mar 2 port mask = 0x10

Exception (8192)!
Debug Exception (Could be NULL pointer dereference)
CPU Register Context:
Vector = 0x00002000  PC = 0x001E4220  MSR = 0x00029200  CR = 0x22000020
LR = 0x001E4214  CTR = 0x0016057C  XER = 0x20000000
R0 = 0x001E4214   R1 = 0x0053CB08   R2 = 0x00000000   R3 = 0x00000000
R4 = 0x0000002F   R5 = 0x000003E8   R6 = 0x0053C768   R7 = 0x00000000
R8 = 0x00480000   R9 = 0x00450000   R10 = 0x001200BB  R11 = 0x00029200
R12 = 0x001200EA  R13 = 0x00000000  R14 = 0x00000000  R15 = 0x00000000
R16 = 0x00000000  R17 = 0x00000000  R18 = 0x00000000  R19 = 0x00000000
R20 = 0x00000000  R21 = 0x00000000  R22 = 0x00000000  R23 = 0x00000000
R24 = 0x00000000  R25 = 0x00000000  R26 = 0x00000000  R27 = 0x00000000
R28 = 0x00000000  R29 = 0x00450000  R30 = 0x00000002  R31 = 0x00000000
Stack trace:
PC = 0x001E4220, SP = 0x0053CB08
Frame 00: SP = 0x0053CB18  PC = 0x001E4214
Frame 01: SP = 0x0053CB38  PC = 0x001061DC
Frame 02: SP = 0x0053CB58  PC = 0x000E9B64
Frame 03: SP = 0x00000000  PC = 0x001EB510

Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

s1.yxu1 uptime is 19 minutes, 40 seconds
cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.

C2900XL Boot Loader (C2900-HBOOT-M) Version 11.2(8.2)SA6, MAINTENANCE INTERIM SOFTWARE
Compiled Wed 23-Jun-99 18:03 by boba
starting...
Base ethernet MAC Address: 00:30:94:e4:73:40
Xmodem file system is available.
Initializing Flash...
flashfs[0]: 7 files, 1 directories
flashfs[0]: 0 orphaned files, 0 orphaned directories
flashfs[0]: Total bytes: 3612672
flashfs[0]: Bytes used: 1827328
flashfs[0]: Bytes available: 1785344
flashfs[0]: flashfs fsck took 4 seconds.
...done Initializing Flash.
Boot Sector Filesystem (bs:) installed, fsid: 3
Parameter Block Filesystem (pb:) installed, fsid: 4
Loading "flash:c2900xl-c3h2s-mz.120-5.WC17.bin"...################################################################
File "flash:c2900xl-c3h2s-mz.120-5.WC17.bin" uncompressed and installed, entry point: 0x3000
executing...

Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

cisco Systems, Inc.
170 West Tasman Drive
San Jose, California 95134-1706

Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino
Image text-base: 0x00003000, data-base: 0x00352924

Initializing C2900XL flash...
flashfs[1]: 7 files, 1 directories
flashfs[1]: 0 orphaned files, 0 orphaned directories
flashfs[1]: Total bytes: 3612672
flashfs[1]: Bytes used: 1827328
flashfs[1]: Bytes available: 1785344
flashfs[1]: flashfs fsck took 6 seconds.
flashfs[1]: Initialization complete.
...done Initializing C2900XL flash.
C2900XL POST: System Board Test: Passed
C2900XL POST: Daughter Card Test: Passed
C2900XL POST: CPU Buffer Test: Passed
C2900XL POST: CPU Notify RAM Test: Passed
C2900XL POST: CPU Interface Test: Passed
C2900XL POST: Testing Switch Core: Passed
C2900XL POST: Testing Buffer Table: Passed
C2900XL POST: Data Buffer Test: Passed
C2900XL POST: Configuring Switch Parameters: Passed
C2900XL POST: Ethernet Controller Test: Passed
C2900XL POST: MII Test: Passed

cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.
Processor board ID FAA0350H0NF, with hardware revision 0x03
Last reset from warm-reset

Processor is running Enterprise Edition Software
Cluster command switch capable
Cluster member switch capable
24 FastEthernet/IEEE 802.3 interface(s)

32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:30:94:E4:73:40
Motherboard assembly number: 73-3425-10
Power supply part number: 34-0920-01
Motherboard serial number: FAA03479HEM
Power supply serial number: PAC03460090
Model revision number: A0
Model number: WS-C2924M-XL-EN
System serial number: FAA0350H0NF^G

Press RETURN to get started!

C2900XL INIT: Complete
00:00:38: %SYS-5-CONFIG: Configured from NVRAM by console
00:00:38: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC17, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Tue 13-Feb-07 15:27 by antonino

From paul at paulstewart.org Sun Nov 16 11:20:28 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Sun, 16 Nov 2008 11:20:28 -0500
Subject: [c-nsp] c2924XL fail
In-Reply-To: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca>
Message-ID: <000001c94807$43fa5520$cbeeff60$@org>

Hi Joe ;)

Anytime we've run across this on 2924's we have replaced them. Have seen a couple of instances over time with IOS bugs on them but mainly memory leaks due to SNMP. See you're running the latest code and we have that same code on a couple dozen 2924's at remote sites with no issues. Sorry, sounds like time to replace in my opinion....

Paul

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Joe Abley
Sent: November 16, 2008 9:37 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] c2924XL fail

Hi all,

I have an old, slightly nasty c2924XL switch in my basement.
It has been sitting there unplugged for some time, and just got pulled out of the cupboard and powered up because the switch I was using failed.

Every hour or so, the switch is rebooting. The following are examples of what I see on the console. Is this switch toast, or is there some software/configuration remedy to whatever is causing this reload? It seems to happen every hour or so that the switch is under any kind of load.

Joe

From snar at snar.spb.ru Sun Nov 16 12:05:06 2008
From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Sun, 16 Nov 2008 20:05:06 +0300
Subject: [c-nsp] EoMPLS VC up on one side, not on the other.
In-Reply-To: <200811160739.33412.mtinka@globaltransit.net>
References: <491E4D05.8020100@lists.esoteric.ca> <491EFF9F.6070201@lists.esoteric.ca> <20081115220912.GA8535@greenie.muc.de> <200811160739.33412.mtinka@globaltransit.net>
Message-ID: <20081116170506.GA55178@snar.spb.ru>

On Sun, Nov 16, 2008 at 07:39:28AM +0800, Mark Tinka wrote:
>
> > I seem to remember that there is a knob in recent SR* IOS
> > trains that permits you to ignore MTU mismatches, but I
> > have forgot the details - Ytti will know all the details
> > (how to configure it plus availability).
>
> You might want to check this out:
>
> http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_any_transport_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1047362

Cisco IOS Release 12.2(33)SRC introduces the ability to specify MTU values in xconnect subinterface configuration mode.

So, that's for 12.2(33)SRC, and SRC is incompatible with 65xx, mentioned in original question... Welcome to Cisco BU split hell :)

From wim.holemans at ua.ac.be Sun Nov 16 13:17:55 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Sun, 16 Nov 2008 19:17:55 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>

Could you/someone elaborate on 'failure of one part is a failure of the stack'? I thought Cisco just pushed this construction to get more redundancy/uptime in the network?

We were planning to replace some single switches with a lot of dual-line channels with a cluster of 2 of these 36xx or 37xx switches so we could split the channels over 2 switches and have still connection when one of the switches failed. Reading the recent negative comments on switch stacking I start wondering if this is a wise decision...

Wim Holemans
Network Services
University of Antwerp

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of jamie rishaw
Sent: Friday 14 November 2008 20:55
To: Dale Shaw
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

Yeah..

Replace them. With Chassis(es).

Stacks are just a bad idea. Failure of one part of the stack is a failure of the stack. A 65xx serves just as well, better even; cheaper, more reliably, and with less BS..

I'm in the middle of tossing (however many letters are, inclusive, between a and s) stacks, moving to 65xx chassis(es) with 10/100 // triplespeed blades... moving to paired '09's.

Cue the happy singing birds and obama 'yes we chassis' glory in 3.. 2.. 1..

-j

On Fri, Nov 14, 2008 at 12:19 PM, Dale Shaw wrote:
> Hi all,
>
> We have a few large (>6 member) cat3750 stacks in our environment,
> most in L2 edge/access roles, and most providing PoE to cisco IP
> phones.

--
..!google!arpa.com!j

From pshem.k at gmail.com Sun Nov 16 16:20:25 2008
From: pshem.k at gmail.com (Pshem Kowalczyk)
Date: Mon, 17 Nov 2008 10:20:25 +1300
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
Message-ID: <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>

Hi,

2008/11/17 Holemans Wim :
> Could you/someone elaborate on 'failure of one part is a failure of the
> stack' ?

Usually it means that if a single device falls over the whole stack goes.

> I thought Cisco just pushed this construction to get more
> redundancy/uptime in the network ?

I believe that despite the idea being quite good the implementation was always troubled with issues and never actually lived up to the expectations.

> We were planning to replace some single switches with a lot of dual-line
> channels with a cluster of 2 of these 36xx or 37xx switches so we could
> split the channels over 2 switches and have still connection when one of
> the switches failed. Reading the recent negative comments on switch
> stacking I start wondering if this is a wise decision...

Over the years we've seen multiple issues with stacked switches:

1. Random reloads of the stack (usually snmp would report a high CPU use just before, but not always)
2. Unidirectional forwarding through vlans spanning multiple elements of the stack.
3. Mac address issues - stale mac not timing out properly, inability to learn a new mac.
4. Master election issues when the stack boots. Whether it was a race condition or wrong alignment of the planets - every now and then we would get a stack with multiple master switches that would refuse to talk to the rest of the stack.

As a result of that we do not put stacks any more. If we need more ports we simply join them using ethernet cables (and etherchannels) and manage independently of each other.

kind regards
Pshem

From mtinka at globaltransit.net Sun Nov 16 20:09:48 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 17 Nov 2008 09:09:48 +0800
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be> <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com>
Message-ID: <200811170909.49193.mtinka@globaltransit.net>

On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:
> As a result of that we do not put stacks any more. If we
> need more ports we simply join them using ethernet cables
> (and etherchannels) and manage independently of each
> other.

It has always been my personal opinion that inter-switch trunking or migrating to a small, single-chassis, multi-line-card based platform (e.g., 6504-E) would offer far less headache than Stacking, and keep things simple.

Given the feedback from folk on this thread so far, I think we did well to avoid stacks.

Mark.
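The IOS Login Enhancements keywords that the "log failure logon" thread above walks through (login block-for, delay, on-failure, on-success, quiet-mode) put together into one working configuration, as an added example that is not any poster's configuration; the timer values, the ACL name MGMT-HOSTS and the 192.0.2.0/24 management range are assumptions.

```cisco
! Added example, not from the thread: IOS Login Enhancements on an image
! that carries the feature (Sam's 12.4(10a) "login ?" output above lists
! these keywords). Every value below is an assumed, illustrative choice.
!
! Hosts that may still log in while the device is in quiet mode
! (assumed management subnet, taken from the documentation range).
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
!
! Quiet mode: after 3 failed logins within 60 seconds, refuse further
! login attempts for 120 seconds ...
login block-for 120 attempts 3 within 60
! ... except from the hosts matched by MGMT-HOSTS, so a burst of bad
! passwords from elsewhere cannot lock the operators out as well.
login quiet-mode access-class MGMT-HOSTS
! Pause 2 seconds between successive attempts (slows password guessing).
login delay 2
! Syslog every failed attempt, and every 10th successful one, so the
! failed logons chloe K asked about are actually recorded.
login on-failure log
login on-success log every 10
!
! Verification, exec mode: current mode (Normal/Quiet), thresholds,
! and the table of recent failures with source address and user name.
!  show login
!  show login failures
```

Note that login quiet-mode access-class only takes effect once login block-for is configured, and that the ACL must admit the jump hosts or the quiet period locks out the operators it is meant to protect.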
From patrick.viet at gmail.com Sun Nov 16 20:23:16 2008
From: patrick.viet at gmail.com (Patrick Viet)
Date: Mon, 17 Nov 2008 02:23:16 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be>
Message-ID: <947d497f0811161723u3ce6d8eq96b85a7684cd631d@mail.gmail.com>

3750 Stacks work pretty well for me. But CDP is definitely crap. I remember forgetting to disable it once on a 6500; and the BGP wouldn't work anymore.

The problem is not the stack; the problem is CDP...

Patrick

From mtinka at globaltransit.net Sun Nov 16 20:40:19 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 17 Nov 2008 09:40:19 +0800
Subject: [c-nsp] c2924XL fail
In-Reply-To: <000001c94807$43fa5520$cbeeff60$@org>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca> <000001c94807$43fa5520$cbeeff60$@org>
Message-ID: <200811170940.24217.mtinka@globaltransit.net>

On Monday 17 November 2008 00:20:28 Paul Stewart wrote:
> See you're running the latest code and we have that same
> code on a couple dozen 2924's at remote sites with no
> issues. Sorry, sounds like time to replace in my
> opinion....

The 2924XL's have also been notoriously known for losing ports more often than anyone would like (ESD).

However, this is a known issue:

* CSCdm13915

Mark.

From risnaini at indo.net.id Sun Nov 16 21:41:51 2008
From: risnaini at indo.net.id (a. rahman isnaini r.sutan)
Date: Mon, 17 Nov 2008 09:41:51 +0700
Subject: [c-nsp] c2924XL fail
In-Reply-To: <200811170940.24217.mtinka@globaltransit.net>
References: <048BBEE2-B6DE-4B53-ADA5-7E8860F4BBE6@hopcount.ca> <000001c94807$43fa5520$cbeeff60$@org> <200811170940.24217.mtinka@globaltransit.net>
Message-ID: <4920D9EF.7000602@indo.net.id>

Other thing, 2924XL is more fragile against power source failure compared to 3508/3524 IOS crash or port will not function normally.

a. r. isnaini rangkayo sutan

Mark Tinka wrote:
> On Monday 17 November 2008 00:20:28 Paul Stewart wrote:
>
>> See you're running the latest code and we have that same
>> code on a couple dozen 2924's at remote sites with no
>> issues. Sorry, sounds like time to replace in my
>> opinion....
>
> The 2924XL's have also been notoriously known for losing
> ports more often than anyone would like (ESD).
>
> However, this is a known issue:
>
> * CSCdm13915
>
> Mark.

From ianh at chime.net.au Sun Nov 16 22:30:44 2008
From: ianh at chime.net.au (Ian Henderson)
Date: Mon, 17 Nov 2008 12:30:44 +0900
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To:
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com>
Message-ID: <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>

jamie rishaw wrote on 2008-11-15:
> Replace them. With Chassis(es).
>
> Stacks are just a bad idea.

Cannot agree more.
The problems we've seen with stacks seem mostly related to a master crash. If the master disappears, the slaves wouldn't perform a re-election. Also, the stacking cables seem very fragile - even if they are screwed in properly, a bump can cause the stack to go haywire.

As many others have said, use the chassis individually. If you really need more bandwidth between devices than an Etherchannel of two to four GigE can give you, the 3750 is probably not the platform you're after.

If you're looking for ease of management, use RANCID's 'clogin' and some crafty bash. For example, create a new VLAN on ten switches (I'll ignore the fact VTP can do this for you):

for switch in `seq 1 10`
do
    clogin -C 'conf t; vlan 123; name new_vlan; end; copy run start' sw-$switch.foobar.com
done

--
Ian Henderson, CCIE #14721
Senior Network Engineer, iiNet Limited

From bbasler at cisco.com Sun Nov 16 22:56:54 2008
From: bbasler at cisco.com (Ben Basler (bbasler))
Date: Sun, 16 Nov 2008 19:56:54 -0800
Subject: [c-nsp] SXI out
In-Reply-To: <491C6E85.7060102@imperial.ac.uk>
References: <20081113005318.GA76126@puck.nether.net> <491C1C3F.405@asdf.dk> <491C2AA3.6070808@imperial.ac.uk> <491C6E85.7060102@imperial.ac.uk>
Message-ID:

6VPE configuration (6VPE support IS listed in the release notes):
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ov_mpls_6vpe.html#wp1056143

IPv6 feature support overview (to be updated with SXI information):
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-roadmap.html

Maintenance support policy SXH/SXI:
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/prod_bulletin0900aecd804f0694.html

Cheers,
Ben

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Phil Mayers
> Sent: Thursday, November 13, 2008 10:14 AM
> To: Hroi Sigurdsson
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] SXI out
>
> Phil Mayers wrote:
> > Hroi Sigurdsson wrote:
> >> Jared Mauch wrote:
> >>> It appears cisco released SXI already.
> >>>
> >>> http://www.cisco.com/cgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi?release_name=12.2.33-SXI&majorRel=12.2&state=:RL&type=Early%20Deployment
> >>>
> >>
> >> It looks like there is support for multi-AF (v4/v6) VRFs. Is it real
> >> or just a tease?
> >
> > It would appear not:
>
> Oh wait - no, it would in fact appear so:
>
> mls ipv6 vrf
>
> ...sneaky command you have to type in, then the IPv6 vrf commands become
> available.
>
> Neat-o!

From danletkeman at gmail.com Sun Nov 16 23:02:16 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 16 Nov 2008 22:02:16 -0600
Subject: [c-nsp] routing email domain
Message-ID:

Hello,

Is there any way to route different email traffic by each domain name?

eg: make email from @domain1.com go out route 1.1.1.1 and email from @domain2.com go out route 2.2.2.2

All of this email traffic is coming from the same email server.

Dan.

From p_ambedkar at rediffmail.com Sun Nov 16 23:40:26 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 17 Nov 2008 04:40:26 -0000
Subject: [c-nsp] 6500-sup-stdby
Message-ID: <20081117044026.17006.qmail@f4mail-235-134.rediffmail.com>

Hi,

I am using the following confregs,

          SP      RP
Main      0x2102  0x2102
Standby   0x102   0x2102

According to 6509 Doc the above confregs are recommended.

One more thing, one of our members gave the solution to FORMAT the flash, but I am a little bit confused with the following...

format <[m/]device1:>

CAT_1> (enable) sh flash
-#- ED --type-- --crc--- -seek-- nlen -length- -----date/time------ name
  1 .. ffffffff b0b70a41  cd1ec0   26 12918336 Mar 23 2004 16:48:55 cat6000-sup2cvk9.8-1-3.bin

19063104 bytes available (12918464 bytes used)

Can anybody guide me, how to format the flash.

On Thu, 13 Nov 2008 maureen schaar wrote :
>If you still have the problem, maybe you can try something, since I
>once had a similar problem. There may be a discrepancy between the
>confreg on the RP and the SP. You need to set the confreg again. Even
>though the remote command switch show bootvar command displayed the
>right confreg in the SP in my situation, I was still returned to
>rommon. After setting the confreg in the RP, the problem was resolved.
>See also http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008072c406.shtml#sup_sub_3
>
>Hope this helps.
>
>Maureen
>
>
>On Tue, Nov 11, 2008 at 4:14 PM, Pete S. wrote:
> > Also, make sure the flash was formatted by the chassis it's currently in.
> > There was an issue where, if formatted in another chassis, the flash could
> > be read, but not booted from, resulting in a boot to rommon where you have
> > to manually enter the boot command.
> >
> >
> > --Pete
> >
> >
> > On Tue, Nov 11, 2008 at 1:15 AM, ambedkar wrote:
> >
> >>
> >> Hi, i am using cisco 6509 with two sup engines. sup1 is main and sup2
> >> is standby. The problem is sup2 is not booting automatically when the
> >> system is switched ON. it is going to rommon mode, where we have to
> >> type boot command so that it will boot. after booting, boot variable
> >> is missing. if we set the boot variable, it will show the boot variable
> >> but it is temporary.
> >>
> >> Again we switched OFF and ON, The same situation is there. i tried
> >> lot, please help me. some details are here...
> >>
> >> Before sup2:
> >>
> >> CAT_1> (enable) sh mod
> >> Mod Slot Ports Module-Type               Model               Sub Status
> >> --- ---- ----- ------------------------- ------------------- --- -------
> >> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> >> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> >> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
> >>
> >> After sup2:
> >>
> >> CAT_1> (enable) sh mod
> >> Mod Slot Ports Module-Type               Model               Sub Status
> >> --- ---- ----- ------------------------- ------------------- --- -------
> >> 1   1    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes ok
> >> 15  1    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 2   2    2     1000BaseX Supervisor      WS-X6K-S2U-MSFC2    yes standby
> >> 16  2    1     Multilayer Switch Feature WS-F6K-MSFC2        no  ok
> >> 3   3    48    10/100BaseTX Ethernet     WS-X6348-RJ-45      yes ok
> >> 9   9    8     1000BaseX Ethernet        WS-X6408A-GBIC      no  ok
> >>
> >> bye.

From sethm at rollernet.us Mon Nov 17 02:35:54 2008
From: sethm at rollernet.us (Seth Mattinen)
Date: Sun, 16 Nov 2008 23:35:54 -0800
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <200811170909.49193.mtinka@globaltransit.net>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be> <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com> <200811170909.49193.mtinka@globaltransit.net>
Message-ID: <49211EDA.7020506@rollernet.us>

Mark Tinka wrote:
> On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:
>
>> As a result of that we do not put stacks any more. If we
>> need more ports we simply join them using ethernet cables
>> (and etherchannels) and manage independently of each
>> other.
>
> It has always been my personal opinion that inter-switch
> trunking or migrating to a small, single-chassis,
> multi-line-card based platform (e.g., 6504-E) would offer
> far less headache than Stacking, and keep things simple.
>
> Given the feedback from folk on this thread so far, I think
> we did well to avoid stacks.
>

Out of curiosity, I never see the 4500 chassis mentioned; why is that?

~Seth

From elmi at 4ever.de Mon Nov 17 03:10:58 2008
From: elmi at 4ever.de (Elmar K. Bins)
Date: Mon, 17 Nov 2008 09:10:58 +0100
Subject: [c-nsp] routing email domain
In-Reply-To:
References:
Message-ID: <20081117081057.GH93039@ronin.4ever.de>

Re Dan,

danletkeman at gmail.com (Dan Letkeman) wrote:

> Is there any way to route different email traffic by each domain name? eg:

This is off-topic on this list, so a brief answer: Yes, modern MTAs give you the opportunity to match header fields and envelope info and select a smarthost accordingly. You may want to check out the documentation to, e.g., exim.

Elmar.

From p_ambedkar at rediffmail.com Mon Nov 17 03:20:47 2008
From: p_ambedkar at rediffmail.com (ambedkar )
Date: 17 Nov 2008 08:20:47 -0000
Subject: [c-nsp] Network Magazine
Message-ID: <20081117082047.26415.qmail@f4mail-235-149.rediffmail.com>

Hi,

I want to subscribe to a magazine related to NETWORKING. Can anybody tell me which is better? It should be economical also. Please suggest.

bye.

From wim.holemans at ua.ac.be Mon Nov 17 03:31:19 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Mon, 17 Nov 2008 09:31:19 +0100
Subject: [c-nsp] Virtual Routers
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be>

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables?
I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From wim.holemans at ua.ac.be Mon Nov 17 03:34:55 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Mon, 17 Nov 2008 09:34:55 +0100
Subject: [c-nsp] Catalyst 3750 stacks with many members
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <2F7B70885960AA42BE820036B3A8CDA041EA59@xmail06.ad.ua.ac.be> <20fe625b0811161320y3a176f89of18165cccdac1749@mail.gmail.com> <200811170909.49193.mtinka@globaltransit.net>
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be>

Got some personal mails all in support of the stacking, saw only negative mails on the list, interesting...

Price difference between 2x 3750 and a 6504 is not so small, and a 6504 with one supervisor is still a single point of failure where a cluster of 2 switches would give me redundancy.

Everyone, thanks for the answers; still not sure what we are going to do.

Wim Holemans

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka
Sent: Monday 17 November 2008 2:10
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Catalyst 3750 stacks with many members

On Monday 17 November 2008 05:20:25 Pshem Kowalczyk wrote:

> As a result of that we do not put stacks any more. If we need more
> ports we simply join them using ethernet cables (and etherchannels)
> and manage independently of each other.
It has always been my personal opinion that inter-switch trunking or migrating to a small, single-chassis, multi-line-card based platform (e.g., 6504-E) would offer far less headache than Stacking, and keep things simple.

Given the feedback from folk on this thread so far, I think we did well to avoid stacks.

Mark.

From tseveendorj at gmail.com Mon Nov 17 03:53:42 2008
From: tseveendorj at gmail.com (Tseveendorj Ochirlantuu)
Date: Mon, 17 Nov 2008 16:53:42 +0800
Subject: [c-nsp] ISDN Q.931 related question
Message-ID: <62c908120811170053x3bb4652bjc003f0ee5a312280@mail.gmail.com>

Hi

I found a lot of messages from an AS5350 gateway:

Call awarded and being delivered in an established channel

The reason: The user is assigned an incoming call that is being connected to an already-established call channel.

Question:
1. Why is the call being connected to an established channel?
2. How to solve? Is there any configuration on the AS5350XM?

Thanks for any help.

From erey at ernw.de Mon Nov 17 03:56:41 2008
From: erey at ernw.de (Enno Rey)
Date: Mon, 17 Nov 2008 09:56:41 +0100
Subject: [c-nsp] Virtual Routers
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be>
Message-ID: <20081117085641.GE82503@ws25.ernw.de>

Hi,

you can use Multi-VRF in whatever context, so no need for some "remote/central scenario".

BUT: what you want to achieve will most probably mean working with virtual contexts on the FWSM and/or IPS module. Should be doable but presumably not by means of Multi-VRF.

Can't say more here without understanding of your exact traffic flow.

thanks,

Enno

On Mon, Nov 17, 2008 at 09:31:19AM +0100, Holemans Wim wrote:
> Is there a way to divide a 6500 into multiple 'Virtual Routers' with
> different routing tables ? I've read about VRF-Lite but it is always
> mentioned in a VPN environment with remote and central devices.
> I need
> to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and
> back into the same 6500. Maybe PBR would do the trick but I'm still
> looking for some good and clear info on virtual routing in a LAN
> environment (if existing).
>
> Thanks,
>
> Wim Holemans
> Netwerkdienst Universiteit Antwerpen

--
Enno Rey

ERNW GmbH - Breslauer Str. 28 - 69124 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902
PGP FP 055F B3F3 FE9D 71DD C0D5 444E C611 033E 3296 1CC1

Handelsregister Heidelberg: HRB 7135
Geschaeftsfuehrer: Roland Fiege, Enno Rey

From hans at beolink.com Mon Nov 17 04:25:36 2008
From: hans at beolink.com (hans)
Date: Mon, 17 Nov 2008 10:25:36 +0100
Subject: [c-nsp] Dear Sender,
Message-ID: <10811171025.AA05088@beolink.com>

Dear Sender,

Thank you very much for your message. I am currently out of the office and will reply to your e-mail upon my return on Monday, November 24th. Should you need immediate assistance, please call our office at +34 952 817 250.

Best regards,
Hans-Georg Luna Oesterreich

From ben.steele at internode.on.net Mon Nov 17 06:08:33 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Mon, 17 Nov 2008 21:38:33 +1030
Subject: [c-nsp] Virtual Routers
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be>
Message-ID: <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net>

You can do what you want without vrf using PBR, as you mentioned.
Using the standard svclc vlans the flow of traffic would be:

Outside Host -> 6500 VLAN 1 -> FWSM -> 6500 VLAN 2 (PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500. Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen
From j.varaillon at cosmoline.com Mon Nov 17 06:11:47 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Mon, 17 Nov 2008 13:11:47 +0200
Subject: [c-nsp] FWSM (3.1) - Memory and CPU issue
In-Reply-To: <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com>
References: <002101c9464c$643fa040$2cbee0c0$%varaillon@cosmoline.com> <002e01c94651$77de1c30$679a5490$%varaillon@cosmoline.com>
Message-ID: <000301c948a5$4bec2260$e3c46720$%varaillon@cosmoline.com>

Replying to my own post.

Concerning the CPU, this is a known issue: CSCsi63155 "the CPU usage of one of the context goes up to 60% and it stays there"
(http://www.cisco.com/en/US/docs/security/fwsm/fwsm31/release/notes/fwsmrn31.html#wp161596)

Christophe

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Varaillon Jean Christophe
Sent: Friday, November 14, 2008 2:07 PM
To: 'Cisco-nsp'
Subject: Re: [c-nsp] FWSM (3.1) - Memory and CPU issue

>The CPU of context2 is never changing (stuck at 62%) and this does not
>reflect at all the pattern of traffic/connection/translation that we get
>during a working day. What would keep the CPU so busy given that the
>amount of traffic is not the issue here?

This output shows clearly that the traffic is almost null but still it has 60% of CPU. What could justify such a value?
FWSM/context2# show cpu usage
CPU utilization for 5 seconds = 60.5%; 1 minute: 62.2%; 5 minutes: 62.4%

FWSM/context2# show perfmon
PERFMON STATS:    Current      Average
Xlates               0/s          0/s
Connections          0/s          0/s
TCP Conns            0/s          0/s
UDP Conns            0/s          0/s
URL Access           0/s          0/s
URL Server Req       0/s          0/s
TCP Fixup          279/s          0/s
HTTP Fixup           0/s          0/s
FTP Fixup            0/s          0/s
AAA Authen           0/s          0/s
AAA Author           0/s          0/s
AAA Account          0/s          0/s
TCP Intercept        0/s          0/s

Thanks,

Christophe

From p.mayers at imperial.ac.uk Mon Nov 17 04:57:42 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 17 Nov 2008 09:57:42 +0000
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be>
References: <200811170909.49193.mtinka@globaltransit.net> <2F7B70885960AA42BE820036B3A8CDA041EA69@xmail06.ad.ua.ac.be>
Message-ID: <20081117095742.GA30401@wildfire.net.ic.ac.uk>

On Mon, Nov 17, 2008 at 09:34:55AM +0100, Holemans Wim wrote:
>Got some personal mails all in support of the stacking, saw only
>negative mails on the list, interesting...
>Price difference between 2x 3750 and a 6504 is not so small and a 6504

Sure, but you were talking about stacks of 7. We've run stacks of 2 for years without trouble.
From ben.steele at internode.on.net Mon Nov 17 06:24:20 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Mon, 17 Nov 2008 21:54:20 +1030
Subject: [c-nsp] Virtual Routers
In-Reply-To: <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net>
References: <2F7B70885960AA42BE820036B3A8CDA041EA68@xmail06.ad.ua.ac.be> <000901c948a4$d4c7f380$7e57da80$@steele@internode.on.net>
Message-ID: <000c01c948a7$08fc4aa0$1af4dfe0$@steele@internode.on.net>

Actually I just realised after I sent this that you will need to PBR the last hop in the 6500 before the inside host too if you haven't brought it into a vrf, otherwise the initial route will take hold and loop you back into the FWSM again.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ben Steele
Sent: Monday, 17 November 2008 9:39 PM
To: 'Holemans Wim'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Virtual Routers

You can do what you want without vrf using PBR, as you mentioned.

Using the standard svclc vlans the flow of traffic would be:

Outside Host -> 6500 VLAN 1 -> FWSM -> 6500 VLAN 2 (PBR set ip next-hop IPS) -> IPS -> 6500 VLAN 3 -> Inside Host

So in this example physically the IPS would be cabled with 2 separate cables (in/out) in 2 different vlans on the 6500.

Any reason that wouldn't work? Gives you the option to bypass the IPS by simply not including it in the IPS PBR acl.

Ben

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Holemans Wim
Sent: Monday, 17 November 2008 7:01 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Virtual Routers

Is there a way to divide a 6500 into multiple 'Virtual Routers' with different routing tables? I've read about VRF-Lite but it is always mentioned in a VPN environment with remote and central devices. I need to get some traffic into a FWSM on a 6500, out of the 6500 to an IPS and back into the same 6500.
Maybe PBR would do the trick but I'm still looking for some good and clear info on virtual routing in a LAN environment (if existing).

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From dudepron at gmail.com Mon Nov 17 09:51:01 2008
From: dudepron at gmail.com (Aaron)
Date: Mon, 17 Nov 2008 09:51:01 -0500
Subject: [c-nsp] tftp
In-Reply-To: <770379.30691.qm@web57402.mail.re1.yahoo.com>
References: <200811152253.14374.mtinka@globaltransit.net> <770379.30691.qm@web57402.mail.re1.yahoo.com>
Message-ID: <480dad640811170651o8f101cfy2ea6af511e11536d@mail.gmail.com>

What do you mean verify? Assuming you mean verify the image was copied correctly, you can look at the MD5 signature via the verify command.

To verify the checksum of a file on a flash memory file system or compute a Message Digest 5 (MD5) signature for a file, use the verify command in privileged EXEC mode.

verify [/md5 [md5-value]] filesystem:[file-url]

Cisco 7600 Series Router

verify {/md5 flash-filesystem [expected-md5-signature] | /ios flash-filesystem | flash-filesystem}

On Sat, Nov 15, 2008 at 3:33 PM, chloe K wrote:

> yes. it works
>
> how can I verify the flash?
>
> Thank you
>
> Mark Tinka wrote:
> On Saturday 15 November 2008 19:57:18 chloe K wrote:
>
> > Hi
> >
> > How to copy the flash to tftp?
>
> #copy flash: tftp:
>
> Cheers,
>
> Mark.

From ib_cims at yahoo.com Mon Nov 17 09:51:23 2008
From: ib_cims at yahoo.com (Ibrahim Alsharif)
Date: Mon, 17 Nov 2008 06:51:23 -0800 (PST)
Subject: [c-nsp] Cisco ASA ASDM
Message-ID: <584081.58404.qm@web63805.mail.re1.yahoo.com>

Hello Dears,

I'm working on a single ASA 5540 device. I've configured it with two security contexts, (C-A) & (C-B). When I access the ASA through ASDM it shows only the (C-A) context; only one context appears in the ASDM. What I want to know is how I can administer the two security contexts from ASDM.

Thank you,

Ibrahim Alsharif

From pavel.skovajsa at gmail.com Mon Nov 17 10:23:43 2008
From: pavel.skovajsa at gmail.com (Pavel Skovajsa)
Date: Mon, 17 Nov 2008 16:23:43 +0100
Subject: [c-nsp] VSS SRND
Message-ID: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com>

Hello all,

does anybody have a clue when the VSS Block SRND is going to be published on Design Zone?

The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that:

""
Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd.
""

This has been there for almost 6 months now, and still no VSS SRND....
Thanks,
Pavel Skovajsa

From MLouis at nwnit.com Mon Nov 17 10:47:31 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 17 Nov 2008 10:47:31 -0500
Subject: [c-nsp] BGP Distribute List
Message-ID:

I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset.

Here is the config.

Any ideas why this is not working?

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 network 172.x.253.152 mask 255.255.255.252
 network 172.x.253.156 mask 255.255.255.252
 network 172.x.255.0 mask 255.255.255.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list.

Any ideas?

________________________________
Note: This message and any attachments is intended solely for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, legally privileged, confidential, and/or exempt from disclosure. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the original sender immediately by telephone or return email and destroy or delete this message along with any attachments immediately.
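A config lint for the failure mode in this thread (an outbound neighbor filter that does not bite), added here as an example and not code from the list or from Cisco: it parses the stanza above, checks that every list a neighbor filter names is actually defined somewhere in the config, and reports the ones that are not. The sample config is constructed from the post (x placeholders kept), and the rule that a distribute-list reference may be satisfied by either an access-list or a prefix-list is an assumption made only because both forms come up in this thread.

```python
"""Flag BGP neighbor filters that reference lists the config never defines.
Added example, not code from the thread; sample config is constructed."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the stanza from the post above, x placeholders kept,
# and deliberately with no access-list or prefix-list named "routeout".
SAMPLE_CONFIG = """\
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary
!
"""

# One "neighbor <peer> <keyword> <name> in|out" statement.
NEIGHBOR_RE = re.compile(
    r"^\s*neighbor\s+(\S+)\s+(distribute-list|prefix-list|route-map|filter-list)"
    r"\s+(\S+)\s+(in|out)\s*$"
)

# Statements that define a filter of each kind; group 1 is the list name.
DEFINITION_RES = {
    "access-list": [
        re.compile(r"^\s*access-list\s+(\S+)\s"),  # numbered ACL entry
        re.compile(r"^\s*ip access-list\s+(?:standard|extended)\s+(\S+)\s*$"),
    ],
    "prefix-list": [re.compile(r"^\s*ip prefix-list\s+(\S+)\s")],
    "route-map": [re.compile(r"^\s*route-map\s+(\S+)\s")],
    "as-path": [re.compile(r"^\s*ip as-path access-list\s+(\S+)\s")],
}

# Which definition kinds satisfy each neighbor keyword. Accepting either an
# access-list or a prefix-list for "distribute-list" is an assumption made
# because both forms are in play in this thread.
ACCEPTED: Dict[str, Tuple[str, ...]] = {
    "distribute-list": ("access-list", "prefix-list"),
    "prefix-list": ("prefix-list",),
    "route-map": ("route-map",),
    "filter-list": ("as-path",),
}


def defined_names(config: str) -> Dict[str, Set[str]]:
    """Names of every access-list, prefix-list, route-map and as-path list defined."""
    found: Dict[str, Set[str]] = {kind: set() for kind in DEFINITION_RES}
    for line in config.splitlines():
        for kind, patterns in DEFINITION_RES.items():
            for pat in patterns:
                m = pat.match(line)
                if m:
                    found[kind].add(m.group(1))
    return found


def neighbor_filters(config: str) -> List[Tuple[str, str, str, str]]:
    """(neighbor, keyword, list-name, direction) for each filter under 'router bgp'."""
    refs: List[Tuple[str, str, str, str]] = []
    in_bgp = False
    for line in config.splitlines():
        if re.match(r"^router bgp\s+\d+", line):
            in_bgp = True
            continue
        if in_bgp and line and not line[0].isspace():
            in_bgp = False  # an unindented line ("!" or another section) ends the stanza
        if in_bgp:
            m = NEIGHBOR_RE.match(line)
            if m:
                refs.append(m.groups())  # type: ignore[arg-type]
    return refs


def dangling_filters(config: str) -> List[str]:
    """One message per neighbor filter whose list is not defined anywhere."""
    names = defined_names(config)
    problems: List[str] = []
    for neighbor, keyword, list_name, direction in neighbor_filters(config):
        kinds = ACCEPTED[keyword]
        if not any(list_name in names[k] for k in kinds):
            problems.append(
                f"neighbor {neighbor} {keyword} {list_name} {direction}: "
                f"no {' or '.join(kinds)} named '{list_name}' is defined"
            )
    return problems


if __name__ == "__main__":
    for problem in dangling_filters(SAMPLE_CONFIG):
        print("WARNING:", problem)
    fixed = SAMPLE_CONFIG + "ip prefix-list routeout seq 5 permit 172.x.36.0/23\n"
    print("after defining routeout:", dangling_filters(fixed) or "no dangling references")
```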
From luan at netcraftsmen.net Mon Nov 17 10:54:11 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 17 Nov 2008 10:54:11 -0500
Subject: [c-nsp] VSS SRND
In-Reply-To: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com>
References: <323aca890811170723l65655b92p38abd9eb8ecf0cba@mail.gmail.com>
Message-ID: <001d01c948cc$bb6beb30$3243c190$@net>

Have you looked at the Data Center Design Guide?
http://www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.html

There's this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/dc_servchas/service-chassis_design.html

And this one:
http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCI_SRND.pdf

Which give lots of design guides on VSS.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Pavel Skovajsa
Sent: Monday, November 17, 2008 10:24 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] VSS SRND

Hello all,

does anybody have a clue when the VSS Block SRND is going to be published on Design Zone?

The Enterprise Campus 3.0 Architecture (http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html) states that:

""
Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer.
For details on the design of the virtual switching distribution block see the upcoming virtual switch distribution block design, http://www.cisco.com/go/srnd.
""

This has been there for almost 6 months now, and still no VSS SRND....

Thanks,
Pavel Skovajsa

From ped_dk at hotmail.com Mon Nov 17 11:01:09 2008
From: ped_dk at hotmail.com (Peter Danielsen)
Date: Mon, 17 Nov 2008 17:01:09 +0100
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
Message-ID:

Hi,

I am trying to consolidate a number of DMVPN HUBs on a VRF Aware HUB. I have some difficulties getting it to work. HUB is a 7200VXR - Spokes are 2841.

All configuration examples I can find are with HUB and Spoke running VRF-Lite, and I need to figure out how to build the HUB for VRF-Lite support. I assume that Spoke configurations will not change, due to that the only place I need vrf-lite support is on the HUB.

Any clues, hints, whitepapers?

Thanks in advance

/ped_dk

From RYAN.BRAULT at illinois.gov Mon Nov 17 11:04:30 2008
From: RYAN.BRAULT at illinois.gov (Brault, Ryan)
Date: Mon, 17 Nov 2008 10:04:30 -0600
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID:

router bgp 100
 neighbor x.x.230.161 prefix-list routeout out
 neighbor 172.x.255.252 prefix-list routeout out

I think that's what you're looking for...
Ryan Brault

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis
Sent: Monday, November 17, 2008 9:48 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Distribute List

I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset.

Here is the config.

Any ideas why this is not working?

router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 network 172.x.253.152 mask 255.255.255.252
 network 172.x.253.156 mask 255.255.255.252
 network 172.x.255.0 mask 255.255.255.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list.

Any ideas?
From MLouis at nwnit.com Mon Nov 17 11:14:33 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 17 Nov 2008 11:14:33 -0500
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID:

It's working fine in other configurations with the Distribute List. Distribute list with prefix-list is supported in IOS. I wonder what the limiting factor is here?

-----Original Message-----
From: Brault, Ryan [mailto:RYAN.BRAULT at Illinois.gov]
Sent: Monday, November 17, 2008 11:05 AM
To: Mike Louis; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] BGP Distribute List

router bgp 100
 neighbor x.x.230.161 prefix-list routeout out
 neighbor 172.x.255.252 prefix-list routeout out

I think that's what you're looking for...

Ryan Brault

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis
Sent: Monday, November 17, 2008 9:48 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP Distribute List

I have a distribute list setup to reference a prefix list in a bgp configuration. However the outbound filtering is not working and I have reset bgp connection with soft outbound reset.

Here is the config.

Any ideas why this is not working?
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network x.x.230.160 mask 255.255.255.252
 network 172.x.36.0 mask 255.255.254.0
 network 172.x.253.152 mask 255.255.255.252
 network 172.x.253.156 mask 255.255.255.252
 network 172.x.255.0 mask 255.255.255.0
 neighbor x.x.230.161 remote-as 65000
 neighbor x.x.230.161 weight 500
 neighbor x.x.230.161 distribute-list routeout out
 neighbor 172.x.255.252 remote-as 65535
 neighbor 172.x.255.252 distribute-list routeout out
 no auto-summary

I have reset the BGP connections in the outbound with soft reset but still no luck. The router is receiving all routes from neighbors and relaying them to the other EBGP router. I am not worried about inbound received routes, just outbound filtering based on a specific prefix list.

Any ideas?
From peter at rathlev.dk Mon Nov 17 11:30:24 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Mon, 17 Nov 2008 17:30:24 +0100
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID: <1226939424.10572.4.camel@abehat>

On Mon, 2008-11-17 at 10:47 -0500, Mike Louis wrote:
> I have a distribute list setup to reference a prefix list in a bgp
> configuration. However the outbound filtering is not working and I
> have reset bgp connection with soft outbound reset.
>
> Here is the config.
>
> Any ideas why this is not working?
>
> router bgp 100
> no synchronization
> bgp log-neighbor-changes
> network x.x.230.160 mask 255.255.255.252
> network 172.x.36.0 mask 255.255.254.0
> network 172.x.253.152 mask 255.255.255.252
> network 172.x.253.156 mask 255.255.255.252
> network 172.x.255.0 mask 255.255.255.0
> neighbor x.x.230.161 remote-as 65000
> neighbor x.x.230.161 weight 500
> neighbor x.x.230.161 distribute-list routeout out
> neighbor 172.x.255.252 remote-as 65535
> neighbor 172.x.255.252 distribute-list routeout out
> no auto-summary
>
> I have reset the BGP connections in the outbound with soft reset but
> still no luck. The router is receiving all routes from neighbors and
> relaying them to the other EBGP router.
> I am not worried about
> inbound received routes, just outbound filtering based on a specific
> prefix list.
>
> Any ideas?

It _might_ be:

- An incorrectly configured route-map
- An incorrectly configured access-list used in the route-map
- A bug in IOS (probably unlikely, but who knows :-])

The problem is that no one can make any guesses, since you didn't include any information to help determine the cause. And no example of the not-filtered prefix seen from the neighbor.

Regards,
Peter

From luan at netcraftsmen.net Mon Nov 17 11:38:02 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Mon, 17 Nov 2008 11:38:02 -0500
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
In-Reply-To:
References:
Message-ID: <004a01c948d2$dbe17e10$93a47a30$@net>

Usually, when I use VRF-Lite with hub site DMVPN, it's because I need to backhaul all spokes traffic (send them a default route through the tunnel) and don't want to use policy based routing at the spoke sites. I have to put the LAN(s) and tunnel interface(s) on the spoke into a VRF and leave the WAN in the global so the spoke could have 2 default routes, one for the global to establish DMVPN/IPSEC connection to hubs and other spokes, and one in the VRF to send all LAN traffic to the hub for say...central Internet access. Hubs' tunnels would usually be put into a VRF.

If you have a few customers and want to consolidate them into a single hub router, then I would just add the tunnels into their own VRFs; the spokes can be left alone. Depending on the routing protocol you use and what access you want to give, you need to route inter/intra-VRF accordingly at the hub.

Regards,

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Peter Danielsen
Sent: Monday, November 17, 2008 11:01 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs

Hi,

I am trying to consolidate a number of DMVPN HUBs on a VRF-aware HUB. I have some difficulties getting it to work. HUB is a 7200VXR, spokes are 2841.

All configuration examples I can find are with HUB and Spoke running VRF-Lite, and I need to figure out how to build the HUB for VRF-Lite support. I assume that spoke configurations will not change, since the only place I need VRF-Lite support is on the HUB.

Any clues, hints, whitepapers?

Thanks in advance
/ped_dk

From kratzers at pa.net Mon Nov 17 12:35:23 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Mon, 17 Nov 2008 12:35:23 -0500
Subject: [c-nsp] BGP Distribute List
In-Reply-To:
References:
Message-ID: <200811171235.24723.kratzers@pa.net>

Probably a mucked up distribute/filter/prefix list. Check 'show ip prefix-list detail' and 'show ip access-list'. It's also possible that the peers don't support route refresh. Can check this with 'show ip bgp neighbor'.

On Monday 17 November 2008 10:47:31 Mike Louis wrote:
> I have a distribute list setup to reference a prefix list in a bgp
> configuration. However the outbound filtering is not working and I have
> reset bgp connection with soft outbound reset.
>
> Here is the config.
>
> Any ideas why this is not working?
>
> router bgp 100
> no synchronization
> bgp log-neighbor-changes
> network x.x.230.160 mask 255.255.255.252
> network 172.x.36.0 mask 255.255.254.0
> network 172.x.253.152 mask 255.255.255.252
> network 172.x.253.156 mask 255.255.255.252
> network 172.x.255.0 mask 255.255.255.0
> neighbor x.x.230.161 remote-as 65000
> neighbor x.x.230.161 weight 500
> neighbor x.x.230.161 distribute-list routeout out
> neighbor 172.x.255.252 remote-as 65535
> neighbor 172.x.255.252 distribute-list routeout out
> no auto-summary
>
> I have reset the BGP connections in the outbound with soft reset but still
> no luck. The router is receiving all routes from neighbors and relaying
> them to the other EBGP router. I am not worried about inbound received
> routes, just outbound filtering based on a specific prefix list.
>
> Any ideas?
From justin at justinshore.com Mon Nov 17 12:59:58 2008
From: justin at justinshore.com (Justin Shore)
Date: Mon, 17 Nov 2008 11:59:58 -0600
Subject: [c-nsp] DMVPN - HUB VRF Aware - Spokes no VRFs
In-Reply-To:
References:
Message-ID: <4921B11E.8080601@justinshore.com>

Peter Danielsen wrote:
> Hi,
>
> I am trying to consolidate a number of DMVPN HUBs on a VRF-aware HUB. I have
> some difficulties getting it to work. HUB is a 7200VXR, spokes are 2841.
>
> All configuration examples I can find are with HUB and Spoke running
> VRF-Lite, and I need to figure out how to build the HUB for VRF-Lite
> support. I assume that spoke configurations will not change, since the
> only place I need VRF-Lite support is on the HUB.
>
> Any clues, hints, whitepapers?
>
> Thanks in advance
> /ped_dk

This doc has some great examples. I'm working through some of them myself. I'm trying to use VRFs with MPLS VPN at the hub to connect spokes to our data center downstream. Customers are in their own VRFs.

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_vrf_aware_ipsec_ps6922_TSD_Products_Configuration_Guide_Chapter.html

Justin

From MLouis at nwnit.com Mon Nov 17 13:05:05 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 17 Nov 2008 13:05:05 -0500
Subject: [c-nsp] BGP Distribute List
In-Reply-To: <200811171235.24723.kratzers@pa.net>
References: <200811171235.24723.kratzers@pa.net>
Message-ID:

Thanks for all your help. I will try and lab it up and post the results.

Mike

-----Original Message-----
From: Stephen Kratzer [mailto:kratzers at pa.net]
Sent: Monday, November 17, 2008 12:35 PM
To: cisco-nsp at puck.nether.net
Cc: Mike Louis
Subject: Re: [c-nsp] BGP Distribute List

Probably a mucked up distribute/filter/prefix list.
Check 'show ip prefix-list detail' and 'show ip access-list'. It's also possible that the peers don't support route refresh. Can check this with 'show ip bgp neighbor'.

On Monday 17 November 2008 10:47:31 Mike Louis wrote:
> I have a distribute list setup to reference a prefix list in a bgp
> configuration. However the outbound filtering is not working and I have
> reset bgp connection with soft outbound reset.
>
> Here is the config.
>
> Any ideas why this is not working?
>
> router bgp 100
> no synchronization
> bgp log-neighbor-changes
> network x.x.230.160 mask 255.255.255.252
> network 172.x.36.0 mask 255.255.254.0
> network 172.x.253.152 mask 255.255.255.252
> network 172.x.253.156 mask 255.255.255.252
> network 172.x.255.0 mask 255.255.255.0
> neighbor x.x.230.161 remote-as 65000
> neighbor x.x.230.161 weight 500
> neighbor x.x.230.161 distribute-list routeout out
> neighbor 172.x.255.252 remote-as 65535
> neighbor 172.x.255.252 distribute-list routeout out
> no auto-summary
>
> I have reset the BGP connections in the outbound with soft reset but still
> no luck. The router is receiving all routes from neighbors and relaying
> them to the other EBGP router. I am not worried about inbound received
> routes, just outbound filtering based on a specific prefix list.
>
> Any ideas?
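As an added example for the BGP distribute-list thread above (this is editor-written code, not something posted by any participant and not Cisco's), here is a small Python model of how IOS evaluates an ip prefix-list: it parses prefix-list lines out of config text, applies first-match with the implicit deny at the end, honours the ge/le length window, and contrasts that with a standard ACL, which a `neighbor ... distribute-list` compares against the network address only. The list name `routeout` is taken from the thread; the 172.16.x and 198.51.100.x prefixes, the three list entries and the second list `other` are constructed stand-ins for the x-masked addresses in the posted config, and `report()` is a helper invented for this example.

```python
"""IOS ip prefix-list evaluator (added example; not from the thread or Cisco)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class PrefixListEntry:
    seq: int
    action: str                # "permit" or "deny"
    network: Net
    ge: Optional[int] = None
    le: Optional[int] = None

    def length_window(self) -> Tuple[int, int]:
        """Prefix lengths this entry accepts (IOS semantics): no ge/le means
        exactly the entry's own length; ge alone means ge..32; le alone means
        own length..le; ge and le together mean ge..le."""
        own = self.network.prefixlen
        lo = self.ge if self.ge is not None else own
        if self.le is not None:
            hi = self.le
        else:
            hi = 32 if self.ge is not None else own
        return lo, hi

    def matches(self, prefix: Net) -> bool:
        lo, hi = self.length_window()
        return prefix.subnet_of(self.network) and lo <= prefix.prefixlen <= hi


_ENTRY = re.compile(
    r"^ip prefix-list (?P<name>\S+)(?: seq (?P<seq>\d+))? (?P<action>permit|deny) "
    r"(?P<net>\d+\.\d+\.\d+\.\d+/\d+)(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


def parse_prefix_list(config: str, name: str) -> List[PrefixListEntry]:
    """Pull one named list out of running-config text, sorted by sequence.
    Lines without `seq` get the next multiple of 5 above the previous entry,
    which is how IOS numbers them by default."""
    entries: List[PrefixListEntry] = []
    next_seq = 5
    for raw in config.splitlines():
        m = _ENTRY.match(raw.strip())
        if not m or m.group("name") != name:
            continue                       # other lists, descriptions, blank lines
        seq = int(m.group("seq")) if m.group("seq") else next_seq
        net = Net(m.group("net"), strict=False)
        ge = int(m.group("ge")) if m.group("ge") else None
        le = int(m.group("le")) if m.group("le") else None
        # IOS rejects a window that is not len < ge <= le <= 32; do the same.
        if ge is not None and not net.prefixlen < ge <= 32:
            raise ValueError(f"seq {seq}: ge must exceed /{net.prefixlen}")
        floor = ge if ge is not None else net.prefixlen
        if le is not None and not floor <= le <= 32:
            raise ValueError(f"seq {seq}: le out of range")
        entries.append(PrefixListEntry(seq, m.group("action"), net, ge, le))
        next_seq = (seq // 5 + 1) * 5
    return sorted(entries, key=lambda e: e.seq)


def evaluate(entries: List[PrefixListEntry], prefix: Net) -> Tuple[str, Optional[int]]:
    """First matching entry wins. No match means the implicit deny at the end
    of every prefix-list, reported with seq None so it stands out."""
    for entry in entries:
        if entry.matches(prefix):
            return entry.action, entry.seq
    return "deny", None


def permitted(entries: List[PrefixListEntry], prefixes: List[Net]) -> List[str]:
    """The prefixes an outbound prefix-list filter would let through."""
    return [str(p) for p in prefixes if evaluate(entries, p)[0] == "permit"]


def standard_acl_matches(acl_network: str, wildcard: str, prefix: Net) -> bool:
    """A standard ACL behind `neighbor ... distribute-list` is compared with
    the network address only; it cannot see the prefix length."""
    net = int(ipaddress.IPv4Address(acl_network))
    wc = int(ipaddress.IPv4Address(wildcard))
    keep = ~wc & 0xFFFFFFFF
    return (int(prefix.network_address) & keep) == (net & keep)


# Constructed sample: stands in for the x-masked prefixes in the posted config.
SAMPLE_CONFIG = """
ip prefix-list routeout seq 5 permit 172.16.36.0/23
ip prefix-list routeout seq 10 permit 172.16.253.152/29 ge 30 le 30
ip prefix-list routeout seq 15 deny 172.16.255.0/24
ip prefix-list other seq 5 permit 0.0.0.0/0 le 32
"""
CANDIDATES = [Net(p) for p in (
    "172.16.36.0/23", "172.16.36.0/24", "172.16.253.152/30",
    "172.16.253.156/30", "172.16.255.0/24", "198.51.100.160/30",
)]


def report(config: str = SAMPLE_CONFIG, name: str = "routeout",
           prefixes: List[Net] = CANDIDATES) -> Dict[str, Tuple[str, Optional[int]]]:
    """Verdict per candidate prefix: which entry matched, or implicit deny."""
    entries = parse_prefix_list(config, name)
    return {str(p): evaluate(entries, p) for p in prefixes}


if __name__ == "__main__":
    for prefix, (action, seq) in report().items():
        where = f"seq {seq}" if seq is not None else "implicit deny"
        print(f"{prefix:22} {action:6} ({where})")
```

Feed it the output of `show run | include ip prefix-list` together with the prefixes from `show ip bgp` and compare the verdicts with `show ip bgp neighbor X advertised-routes` after a soft reset: a prefix that should be advertised but comes back as `('deny', None)` fell through to the implicit deny, usually because the entry's length does not match (a /24 does not match a bare `permit .../23`). That is cheaper to rule out than a route-refresh problem, and it is the same mistake whether the list is applied with `neighbor ... prefix-list` or, for an ACL, with `neighbor ... distribute-list`.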
From ross at kallisti.us Mon Nov 17 13:26:09 2008
From: ross at kallisti.us (Ross Vandegrift)
Date: Mon, 17 Nov 2008 13:26:09 -0500
Subject: [c-nsp] Catalyst 3750 stacks with many members
In-Reply-To: <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>
References: <3329cbb40811141019q7bda5c6cv2e0beb04678f0814@mail.gmail.com> <100362309621454DAA534950B17E55DB0111FC1991AA@isp-per-exc01.win2k.iinet.net.au>
Message-ID: <20081117182609.GC29082@kallisti.us>

On Mon, Nov 17, 2008 at 12:30:44PM +0900, Ian Henderson wrote:
> Also, the stacking cables seem very fragile - even if they are
> screwed in properly, a bump can cause the stack to go haywire.

This is very true. The connectors that Cisco uses for the backplane interconnection are unusually fragile. We only have two-switch 3750 stacks and they work great when the stacking cables work. The one foot cables that come with the switches are great. They are short and light enough that the crappy connectors don't cause a problem.
However, I've had at least four pairs of the three meter cables for switches located in adjacent racks. Of those four, only one pair ever worked correctly.

On the other hand, Juniper's EX-4200 is awesome. The cables use PCI-Express connectors that are far sturdier than Cisco's proprietary connectors. We've been using them in production, have hot-extended the chassis, and tested stacking cable failure. Works great. We're only using them for ethernet layer 2 - no layer 3 or MPLS. Lots of 802.3ad aggregation groups and some crazy MSTP mappings.

--
Ross Vandegrift
ross at kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie

From kgraham at industrial-marshmallow.com Mon Nov 17 15:53:46 2008
From: kgraham at industrial-marshmallow.com (Kevin Graham)
Date: Mon, 17 Nov 2008 12:53:46 -0800 (PST)
Subject: [c-nsp] Catalyst 3750 stacks with many members
Message-ID: <898019.33192.qm@web904.biz.mail.mud.yahoo.com>

> The one foot cables that come with the switches are great. They are
> short and light enough that the crappy connectors don't cause a
> problem.

I have a suspicion that Cisco wanted to fix this. The 3750E's were initially a "3780", and were renamed late enough that several product photos had the original name. Note that all of the CBS31xx's use a much different, and simpler, connector. This may have been a simple matter of form-factor (certainly the BladeCenter version doesn't have the physical real estate). The different name and different connector suggest that compatibility with StackWise/"3750" was a late-stage change that also necessitated reverting to the older cable.

...with regard to SP CPU, really crude tests suggest that the PPC405 on 3750E's is about half of the speed of the MPC8245 common on 4500 sups, so yes, if you're running very large stacks, presumably this will be an issue. (Furthest I've taken them is 6 w/ no CDP/LLDP and simple IGP).
Being able to redeploy these into so many different configurations makes these far, far more useful than any of the modular chassis (where you end up having to eat chassis+sup, or chassis+dual-sup to get equ