From CB at nianet.dk Wed Oct 1 03:08:31 2008
From: CB at nianet.dk (Christian Bering)
Date: Wed, 1 Oct 2008 09:08:31 +0200
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?
Message-ID:

Hi all,

When trying to enable the "parser config cache" on a 7600 running SRB3 software, we got struck by CSCsd45386 which TAC confirmed for us. However, at the time we were unable to get a confirmation on a fix in SRB4 (and/or SRC2).

Does anyone know if this bug has indeed been fixed in SRB4/SRC2? There is no mention of it in the release notes.

Thanks,

--
Regards
Christian Bering

From peter at rathlev.dk Wed Oct 1 03:16:41 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 01 Oct 2008 09:16:41 +0200
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu>
Message-ID: <1222845401.30603.14.camel@abehat>

Hi Bill,

On Tue, 2008-09-30 at 17:50 -0500, Murphy, William wrote:
> I have a Cat6506 VSS720-3C-XL switch on which I have configured BGP on
> a VRF using "address-family ipv4 unicast vrf internet". I am getting
> BGP routes and all appears well but I can only display BGP info by
> using "show ip bgp vpnv4 ..." commands. I didn't intend to run VPNV4
> and it appears the switch has ignored my address-family ipv4
> statement. Can someone explain what's going on here?

That command is _the_ way to show the VRF's BGP table. Remember that VRF comes from the MP-BGP world, and over there belongs under VPNv4. It's just syntax though, you don't run VPNv4 if you haven't configured the "address-family vpnv4".

> It also seems like the switch is creating MPLS labels for all my routes
> even though I didn't specifically configure any MPLS or tag switching
> commands. Any words of wisdom or advice would be appreciated...

Are you sure you don't have any MPLS related commands?
On a "clean" switch I get:

R1# sh mpls ldp bin
TIB not enabled
R1#sh mpls for
Tag switching is not operational.
CEF or tag switching has not been enabled.
No TFIB currently allocated.
R1#

(This is SXD though, which was there. It might be different on newer software.)

If you have any MPLS command configured, the allocation is expected. The switch will always allocate labels for anything in the FIB, also if e.g. no interfaces are configured for MPLS. (That is unless you're lucky and can use Label Allocation Filtering, http://tinyurl.com/224kv8. On a 6500 you're not at the moment.)

Regards,
Peter

From john at vanoppen.com Wed Oct 1 04:07:02 2008
From: john at vanoppen.com (John van Oppen)
Date: Wed, 1 Oct 2008 01:07:02 -0700
Subject: [c-nsp] Transparent LAN over Layer3
References: <000301c92357$910bdb10$b3239130$@org> <000b01c9236c$52af7380$f80e5a80$@org> <1222828735_506897@mail1.tellurian.net>
Message-ID:

I would second that as well. We use l2tpv3 all over the place, with Ethernet. We mostly do it with 7200VXRs as endpoints but I have a few 12000s running with OC48s as "tunnel server cards" and those work nicely as well and it is a quite elegant solution when MPLS is not possible or only rather simple transport functionality is required.

John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Boyle
Sent: Tuesday, September 30, 2008 7:39 PM
To: Paul Stewart; 'Michael K. Smith'; 'cisco-nsp'
Subject: Re: [c-nsp] Transparent LAN over Layer3

At 10:20 PM 9/30/2008, Paul Stewart wrote:
>Yes, we own the end to end network however it's a routed network in those
>segments...
>router-->router-->router-->switch-->switch-->router-->router-->router-->router specifically...;)
>
>If we could hand them off a few VLAN's we would just do that and not even
>use Q-in-Q unless we really needed to...
>but basically I'm looking for
>layer2 transport via layer3 devices... and there's no option for MPLS in
>this setup...

Take a look at L2TPv3. We use it for all kinds of crazy transport here. Taking a T1 from one city and one carrier and delivering it to a customer in our datacenter, handing ATM PVCs off from one router to another ATM PVC on another router 100 miles away. We haven't used it for Ethernet, but that sure seems a lot less complicated than the things we are doing. Anything you put in on one side is transparently trunked to the other side. It works great and gives you many of the benefits of MPLS without the need to have a network which supports MPLS end to end. It is especially useful for small POPs and locations with older gear.

-Robert

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Wed Oct 1 04:19:04 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 10:19:04 +0200
Subject: [c-nsp] C2960G and output drops
Message-ID: <20081001081904.GY17238@greenie.muc.de>

Hi,

one of our switches is misbehaving, and I'm wondering whether this is a configuration thing, or a hardware limitation.
(It's not actually a QoS thing, but it's bordering on it)

Setup: WS-C2960G-24TC-L, effectively only 4 ports active:

This is where stuff comes in (UDP audio streaming servers):

GigabitEthernet0/8 is up, line protocol is up (connected)
  5 minute input rate 26179000 bits/sec, 3819 packets/sec
  5 minute output rate 3492000 bits/sec, 3295 packets/sec
GigabitEthernet0/12 is up, line protocol is up (connected)
  5 minute input rate 334588000 bits/sec, 41069 packets/sec
  5 minute output rate 14453000 bits/sec, 26859 packets/sec
GigabitEthernet0/16 is up, line protocol is up (connected)
  5 minute input rate 27730000 bits/sec, 2940 packets/sec
  5 minute output rate 1507000 bits/sec, 1976 packets/sec

And this is where it leaves the switch:

GigabitEthernet0/10 is up, line protocol is up (connected)
  5 minute input rate 19432000 bits/sec, 32108 packets/sec
  5 minute output rate 380792000 bits/sec, 46406 packets/sec

As you see, the ports are far from saturated, and even the load from all "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity of the "egress" port (G0/10).

But still...

GigabitEthernet0/10 is up, line protocol is up (connected)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8731686

... and this is of course affecting the audio quality.

(The output port goes to a Juniper SSG550 firewall, which has no problem keeping up with the load to about 950 Mbits/s - and if only one ingress port is active on the switch, we can see much higher egress load without noticeable drops)

IOS version on the switch is 12.2(46)SE, but I had (25)SEE on it before that, and observed the same symptoms (except that (25)SEE does not display the output drops in the counters).

Right now, "mls qos" is *deactivated*, because we actually don't want QoS as in "drop specific packets" here - we want "move ahead all packets!".
If I enable "mls qos", the packet drops go way up - which I read as "the existing buffers, that are already not really huge, are split into 4 smaller queues, and thus microbursts are causing much higher drops".

My theory is that the streaming servers are micro-bursting (send out packets with full wire rate for 1/100s, and then do nothing for 99/100s), and that the switch has too small buffers to join the 4 ingress ports towards the egress ports. But I'm not sure how to validate that.

So, here come the questions:

- how much buffer space per port does the 2960G have?

- how can I find out why the switch is dropping packets?

- what L2 switches are other people using in environments with continuous high load that has "microbursts"?

- any other tricks that people are using to make servers more well-behaved regarding packet sending rate? Like "shaping traffic on the servers" (to distribute the packets more evenly along the time scale)?

We have other streaming customers, and they are directly connected to 6408A or 6724 ports on 7600s, and not displaying anything unusual, at even higher loads (multiple ingress ports running at >800 Mbit/s for hours, egress via port-channels). So it's something with this 2960G...

gert

--
USENET is *not* the non-clickable part of WWW!
                                                            //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Wed Oct 1 04:28:42 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 10:28:42 +0200
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu>
Message-ID: <20081001082842.GA17238@greenie.muc.de>

Hi,

On Tue, Sep 30, 2008 at 05:50:17PM -0500, Murphy, William wrote:
> I have a Cat6506 VSS720-3C-XL switch on which I have configured BGP on a
> VRF using "address-family ipv4 unicast vrf internet". I am getting BGP
> routes and all appears well but I can only display BGP info by using
> "show ip bgp vpnv4 ..." commands. I didn't intend to run VPNV4 and it

Well, if you don't want VPNV4, then don't configure a VPNV4 address family - which you did by configuring "vrf internet".

Non-VPNV4-BGP is configured in "address-family ipv4 unicast", without any "vrf" things tacked to it.

gert

From gert at greenie.muc.de Wed Oct 1 04:31:00 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 10:31:00 +0200
Subject: [c-nsp] Transparent LAN over Layer3
In-Reply-To: <000b01c9236c$52af7380$f80e5a80$@org>
References: <000301c92357$910bdb10$b3239130$@org> <000b01c9236c$52af7380$f80e5a80$@org>
Message-ID: <20081001083059.GB17238@greenie.muc.de>

Hi,

On Tue, Sep 30, 2008 at 10:20:40PM -0400, Paul Stewart wrote:
> If we could hand them off a few VLAN's we would just do that and not even
> use Q-in-Q unless we really needed to... but basically I'm looking for
> layer2 transport via layer3 devices... and there's no option for MPLS in
> this setup...

EoMPLS would be the way to go - if you can do MPLS. If not, the remaining alternatives are L2TPv3 or "bridging over GRE tunnels".
The former is meant to be used for this - and the latter will make Rodney Dunn throw spikey things after me (and rightly so).

So - go for L2TPv3.

gert

From techconfig at yahoo.com Wed Oct 1 05:15:04 2008
From: techconfig at yahoo.com (Mark Tech)
Date: Wed, 1 Oct 2008 02:15:04 -0700 (PDT)
Subject: [c-nsp] IP-VPN CE-PE local pref problem
Message-ID: <117358.2327.qm@web44814.mail.sp1.yahoo.com>

Hi, thanks for all the suggestions. I have now changed the route-map and things are looking good.

5.14.93.0/24 is the route in question. In PE2, local pref can now be seen as 90

PE1#show ip bgp vpnv4 rd 894:1
BGP table version is 258, local router ID is 5.14.95.243
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 894:1 (default for vrf ipvpn_00000001)
*> 5.14.89.1/32     0.0.0.0                  0         32768 ?
*>i5.14.89.2/32     5.14.95.244              0    100      0 ?
*> 5.14.93.0        5.14.93.222              0    100      0 65535 i

PE2#show ip bgp vpnv4 rd 894:1
BGP table version is 285, local router ID is 5.14.95.244
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
Route Distinguisher: 894:1 (default for vrf ipvpn_00000001)
*>i5.14.89.1/32     5.14.95.243              0    100      0 ?
*> 5.14.89.2/32     0.0.0.0                  0         32768 ?
*>i5.14.93.0        5.14.95.243              0    100      0 65535 i
*                   5.14.93.226              0     90      0 65535 i   <------------------

===========================================================

Going on from this, if I now check the routing installed in the vrf for 5.14.93.0/24, it seems to be installed in PE1 (with high local pref as expected)

PE1#sh ip route vrf ipvpn_00000001

Routing Table: ipvpn_00000001
     5.14.89.0/32 is subnetted, 2 subnets
B       5.14.89.1 is directly connected, 19:44:47, Loopback2
B       5.14.89.2 [200/0] via 5.14.95.244, 19:43:47
     5.14.93.0/24 is variably subnetted, 3 subnets, 3 masks
B       5.14.93.0/24 [20/0] via 5.14.93.222, 00:02:42   <------------------
C       5.14.93.220/30 is directly connected, GigabitEthernet3/48
L       5.14.93.221/32 is directly connected, GigabitEthernet3/48

However in PE2, there is no route to 5.14.93.0/24

PE2#sh ip route vrf ipvpn_00000001

Routing Table: ipvpn_00000001
     5.14.89.0/32 is subnetted, 2 subnets
B       5.14.89.1 [200/0] via 5.14.95.243, 00:42:11
B       5.14.89.2 is directly connected, 19:47:26, Loopback2
     5.14.93.0/24 is variably subnetted, 2 subnets, 2 masks
C       5.14.93.224/30 is directly connected, GigabitEthernet3/48
L       5.14.93.225/32 is directly connected, GigabitEthernet3/48

If I change the local pref in PE2 from 90 to 110 for example, then PE2 becomes the primary route and the exact opposite happens, i.e. the 5.14.93.0/24 route is installed in PE2 and does not exist in PE1; is this normal behaviour?
Regards

Mark

----- Original Message ----
From: Luan Nguyen
To: Mark Tech ; David Freedman ; cisco-nsp at puck.nether.net
Sent: Tuesday, September 30, 2008 8:03:38 PM
Subject: RE: [c-nsp] IP-VPN CE-PE local pref problem

Try changing the route-map to:

route-map ipvpn_00000001 permit 10
 set extcommunity soo 894:1
 set local-preference 90

instead of:

route-map ipvpn_00000001 permit 10
 set extcommunity soo 894:1
route-map ipvpn_00000001 permit 20
 set local-preference 90

Luan

---------------------------------------------------------------------------
Luan Nguyen
Senior Network Engineer
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
---------------------------------------------------------------------------

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech
Sent: Tuesday, September 30, 2008 2:55 PM
To: David Freedman; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

Here you go

PE1#sh ip bgp vpnv4 rd 894:1 5.14.93.0
BGP routing table entry for 894:1:5.14.93.0/24, version 222
Paths: (3 available, best #2, table ipvpn_00000001)
  Advertised to update-groups:
     1
  65535
    5.14.95.244 (metric 11) from 5.14.95.244 (5.14.95.244)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:894:1 RT:894:2
      mpls labels in/out 26/23
  65535
    5.14.93.222 from 5.14.93.222 (5.14.93.253)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: SoO:894:1 RT:894:2
      mpls labels in/out 26/nolabel
  65535, (received-only)
    5.14.93.222 from 5.14.93.222 (5.14.93.253)
      Origin IGP, metric 0, localpref 100, valid, external
      mpls labels in/out 26/nolabel

PE2#sh ip bgp vpnv4 rd 894:1 5.14.93.0
BGP routing table entry for 894:1:5.14.93.0/24, version 237
Paths: (3 available, best #1, table ipvpn_00000001)
  Advertised to update-groups:
     1
  65535
    5.14.93.226 from 5.14.93.226 (5.14.93.254)
      Origin IGP, metric 0, localpref 100, valid, external, best
      Extended Community: SoO:894:1 RT:894:2
      mpls labels in/out 23/nolabel
  65535, (received-only)
    5.14.93.226 from 5.14.93.226 (5.14.93.254)
      Origin IGP, metric 0, localpref 100, valid, external
      mpls labels in/out 23/nolabel
  65535
    5.14.95.243 (metric 11) from 5.14.95.243 (5.14.95.243)
      Origin IGP, metric 0, localpref 100, valid, internal
      Extended Community: SoO:894:1 RT:894:2
      mpls labels in/out 23/26

inbound route-map from CE2 to PE2

route-map ipvpn_00000001 permit 10
 set extcommunity soo 894:1
route-map ipvpn_00000001 permit 20
 set local-preference 90
!

----- Original Message ----
From: David Freedman
To: cisco-nsp at puck.nether.net
Sent: Tuesday, September 30, 2008 5:51:55 PM
Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem

can you post "show ip bgp vpnv4 rd x.x.x.x/y" from both PEs ? for the prefix in question?

Dave

Mark Tech wrote:
> Hi
> I have set up a dual homed IP-VPN network between 2 PE's and 2 CE's using SoO - that's all working fine. I have added an inbound route-map to the 'backup' PE and CE to reduce the local preference in order to make the other PE and CE the preferred gateways.
>
> CE1--------PE1 primary
>  |          |
> CE2--------PE2 backup
>
> The CE local pref works fine, however on the PE side, local pref doesn't seem to have any effect, i.e. I have reduced the local pref to 90 on the backup link, however if I check the routing in the backup PE, nothing seems to have changed. Can I just check that local pref actually works across an MP-BGP environment?
>
> If so I must be doing something wrong
>
> Regards
>
> Mark
>
From wim.holemans at ua.ac.be Wed Oct 1 06:42:15 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Wed, 1 Oct 2008 12:42:15 +0200
Subject: [c-nsp] FWSM conversion
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041E248@xmail06.ad.ua.ac.be>

Does anyone have a good reference on the steps to take to convert a standalone FWSM to the primary of a FAILOVER FWSM pair? The current FWSM is running 3.2.8 and has 2 transparent contexts. Are there any steps that will influence the current running FWSM (take it down or so)?

Thanks,

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From patrick_mcevilly at harvard.edu Wed Oct 1 07:08:57 2008
From: patrick_mcevilly at harvard.edu (McEvilly, Patrick)
Date: Wed, 01 Oct 2008 07:08:57 -0400
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001081904.GY17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de>
Message-ID: <48E35A49.3000908@harvard.edu>

Hi

We are having an almost identical problem using a 3750E. We are streaming udp video with an average of about 80Mb/s and the uplink port (in our case one gig) is clocking up output drops and causing video breakup. We too upgraded code but did not resolve the issue. We do have a TAC case opened but that's not going anywhere. I'll let you know if we get any further information that might help.
I fear that this is a hardware limitation and the party line from Cisco will be "this is a desktop switch, what do you expect?"

Patrick

Gert Doering wrote:
> Hi,
>
> one of our switches is misbehaving, and I'm wondering whether this is a
> configuration thing, or a hardware limitation.
>
> (It's not actually a QoS thing, but it's bordering on it)
>
> Setup: WS-C2960G-24TC-L, effectively only 4 ports active:
>
> This is where stuff comes in (UDP audio streaming servers):
>
> GigabitEthernet0/8 is up, line protocol is up (connected)
>   5 minute input rate 26179000 bits/sec, 3819 packets/sec
>   5 minute output rate 3492000 bits/sec, 3295 packets/sec
> GigabitEthernet0/12 is up, line protocol is up (connected)
>   5 minute input rate 334588000 bits/sec, 41069 packets/sec
>   5 minute output rate 14453000 bits/sec, 26859 packets/sec
> GigabitEthernet0/16 is up, line protocol is up (connected)
>   5 minute input rate 27730000 bits/sec, 2940 packets/sec
>   5 minute output rate 1507000 bits/sec, 1976 packets/sec
>
> And this is where it leaves the switch:
>
> GigabitEthernet0/10 is up, line protocol is up (connected)
>   5 minute input rate 19432000 bits/sec, 32108 packets/sec
>   5 minute output rate 380792000 bits/sec, 46406 packets/sec
>
> As you see, the ports are far from saturated, and even the load from all
> "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity
> of the "egress" port (G0/10).
>
> But still...
>
> GigabitEthernet0/10 is up, line protocol is up (connected)
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8731686
>
> ... and this is of course affecting the audio quality.
From blahu77 at gmail.com Wed Oct 1 07:19:41 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 1 Oct 2008 12:19:41 +0100
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001081904.GY17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de>
Message-ID: <383357750810010419m5c2a72c3k76225176bab3659e@mail.gmail.com>

Gert,

> - what L2 switches are other people using in environments with
> continuous high load that has "microbursts"?

we use pair of stacked c3750 (copper) happily streaming ~500Mbps (multiple inputs, 1 output)

Best Regards,

--
-mat
pgp-key 0x1C655CAB

From paul at paulstewart.org Wed Oct 1 07:33:51 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 1 Oct 2008 07:33:51 -0400
Subject: [c-nsp] Transparent LAN over Layer3
In-Reply-To: <20081001083059.GB17238@greenie.muc.de>
References: <000301c92357$910bdb10$b3239130$@org> <000b01c9236c$52af7380$f80e5a80$@org> <20081001083059.GB17238@greenie.muc.de>
Message-ID: <003201c923b9$9c77d230$d5677690$@org>

Lol - thanks...;)

I wish EoMPLS was possible for us but it's not.... so we're back to l2tpv3 ...

Best,

Paul

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: October 1, 2008 4:31 AM
To: Paul Stewart
Cc: 'Michael K.
Smith'; 'cisco-nsp'
Subject: Re: [c-nsp] Transparent LAN over Layer3

EoMPLS would be the way to go - if you can do MPLS. If not, the remaining alternatives are L2TPv3 or "bridging over GRE tunnels".

So - go for L2TPv3.

gert

From gert at greenie.muc.de Wed Oct 1 07:36:16 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 13:36:16 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <48E35A49.3000908@harvard.edu>
References: <20081001081904.GY17238@greenie.muc.de> <48E35A49.3000908@harvard.edu>
Message-ID: <20081001113616.GG17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 07:08:57AM -0400, McEvilly, Patrick wrote:
> We are having an almost identical problem using a 3750E. We are
> streaming udp video with an average of about 80Mb/s and the uplink port
> (in our case one gig) is clocking up output drops and causing video
> breakup. We too upgraded code but did not resolve the issue. We do
> have a TAC case opened but that's not going anywhere. I'll let you know
> if we get any further information that might help. I fear that this is
> a hardware limitation and the party line from Cisco will be "this is a
> desktop switch, what do you expect?"

Thanks for your feedback.
I'm a bit unhappy to see that this is happening with the 3750E as well - because that would have been my backup plan, try one of the "more powerful" switches, assuming bigger buffers etc. there.

gert

From gert at greenie.muc.de Wed Oct 1 07:37:31 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 13:37:31 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <383357750810010419m5c2a72c3k76225176bab3659e@mail.gmail.com>
References: <20081001081904.GY17238@greenie.muc.de> <383357750810010419m5c2a72c3k76225176bab3659e@mail.gmail.com>
Message-ID: <20081001113731.GH17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 12:19:41PM +0100, Mateusz Błaszczyk wrote:
> > - what L2 switches are other people using in environments with
> > continuous high load that has "microbursts"?
>
> we use pair of stacked c3750 (copper) happily streaming ~500Mbps
> (multiple inputs, 1 output)

What are you using as streaming server(s)?

Background: we have windows media servers, and those seem to be extremely well-behaved, read: nearly no burstiness. The set of servers that is causing problems is Linux + MP3 and Flash streaming.

gert
From paul at paulstewart.org Wed Oct 1 07:38:38 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Wed, 1 Oct 2008 07:38:38 -0400
Subject: [c-nsp] Transparent LAN over Layer3
In-Reply-To:
References: <000301c92357$910bdb10$b3239130$@org> <000b01c9236c$52af7380$f80e5a80$@org> <1222828735_506897@mail1.tellurian.net>
Message-ID: <003401c923ba$3eda1a60$bc8e4f20$@org>

Thanks guys... I hadn't heard much about l2tpv3 "in the wild" from actual users.... good to hear from folks actually using it a lot - that makes it easier for me to make some decisions...

Best regards, thanks to everyone for onlist and offlist replies...

Paul

-----Original Message-----
From: John van Oppen [mailto:john at vanoppen.com]
Sent: October 1, 2008 4:07 AM
To: Robert Boyle; Paul Stewart; Michael K. Smith; cisco-nsp
Subject: RE: [c-nsp] Transparent LAN over Layer3

I would second that as well. We use l2tpv3 all over the place, with Ethernet. We mostly do it with 7200VXRs as endpoints but I have a few 12000s running with OC48s as "tunnel server cards" and those work nicely as well and it is a quite elegant solution when MPLS is not possible or only rather simple transport functionality is required.

John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Boyle
Sent: Tuesday, September 30, 2008 7:39 PM
To: Paul Stewart; 'Michael K. Smith'; 'cisco-nsp'
Subject: Re: [c-nsp] Transparent LAN over Layer3

At 10:20 PM 9/30/2008, Paul Stewart wrote:
>Yes, we own the end to end network however it's a routed network in those
>segments...
>router-->router-->router-->switch-->switch-->router-->router-->router-->router specifically...;)
>
>If we could hand them off a few VLAN's we would just do that and not even
>use Q-in-Q unless we really needed to...
From blahu77 at gmail.com Wed Oct 1 07:45:11 2008
From: blahu77 at gmail.com (Mateusz Błaszczyk)
Date: Wed, 1 Oct 2008 12:45:11 +0100
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001113731.GH17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de> <383357750810010419m5c2a72c3k76225176bab3659e@mail.gmail.com> <20081001113731.GH17238@greenie.muc.de>
Message-ID: <383357750810010445s1fc457bfxf891e29e84c4e199@mail.gmail.com>

Gert,

> What are you using as streaming server(s)?

Optibase IPTV platform (www.optibase.com) which is windows based afaik.

> Background: we have windows media servers, and those seem to be extremely
> well-behaved, read: nearly no burstiness. The set of servers that is causing
> problems is Linux + MP3 and Flash streaming.
maybe use of shaper (tc) would help?

--
-mat
pgp-key 0x1C655CAB

From gert at greenie.muc.de Wed Oct 1 07:47:06 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 13:47:06 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <383357750810010445s1fc457bfxf891e29e84c4e199@mail.gmail.com>
References: <20081001081904.GY17238@greenie.muc.de> <383357750810010419m5c2a72c3k76225176bab3659e@mail.gmail.com> <20081001113731.GH17238@greenie.muc.de> <383357750810010445s1fc457bfxf891e29e84c4e199@mail.gmail.com>
Message-ID: <20081001114705.GI17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 12:45:11PM +0100, Mateusz Błaszczyk wrote:
> > Background: we have windows media servers, and those seem to be extremely
> > well-behaved, read: nearly no burstiness. The set of servers that is causing
> > problems is Linux + MP3 and Flash streaming.
>
> maybe use of shaper (tc) would help?

This is exactly what I was thinking :-) - I need to read up on it, and test it.

gert
--
USENET is *not* the non-clickable part of WWW!    //www.muc.de/~gert/
Gert Doering - Munich, Germany    gert at greenie.muc.de
fax: +49-89-35655025    gert at net.informatik.tu-muenchen.de
From Bagosi.Romeo at iqsys.hu Wed Oct 1 09:02:37 2008
From: Bagosi.Romeo at iqsys.hu (Bagosi Rómeó)
Date: Wed, 1 Oct 2008 15:02:37 +0200
Subject: [c-nsp] Forcing VLAN interface to UP state
Message-ID: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>

Hi,

Is there a way to force a VLAN interface (ex.: interface vlan 400) to UP/UP state on a Cisco UC520 (router, switch...), WITHOUT connecting a device to a port which is in the mentioned VLAN?

The current configuration is:
int vlan 400
 ip address 10.1.1.1 255.255.255.0

show int vlan 400
Vlan300 is up, line protocol is down
...

Thanks,
Romeo Bagosi

From jfitz at Princeton.EDU Wed Oct 1 09:28:36 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Wed, 1 Oct 2008 09:28:36 -0400
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
References: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
Message-ID: <0248553A-4BC1-4209-A8D1-D5F2BFB08BFF@princeton.edu>

I believe if you just add the vlan to any trunk it will come up, even if you don't need that vlan on the trunk port.

On Oct 1, 2008, at 9:02 AM, Bagosi Rómeó wrote:
> Hi,
>
> Is there a way to force a VLAN interface (ex.: interface vlan 400)
> to UP/UP state on a Cisco UC520 (router, switch...), WITHOUT
> connecting a device to a port which is in the mentioned VLAN?
>
> The current configuration is:
> int vlan 400
>  ip address 10.1.1.1 255.255.255.0
>
> show int vlan 400
> Vlan300 is up, line protocol is down
> ...
>
> Thanks,
> Romeo Bagosi

From aaronis at people.net.au Wed Oct 1 09:44:35 2008
From: aaronis at people.net.au (Aaron R)
Date: Wed, 1 Oct 2008 21:44:35 +0800
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <0248553A-4BC1-4209-A8D1-D5F2BFB08BFF@princeton.edu>
Message-ID: <200810011344.m91DipcT075171@puck.nether.net>

All vlan's are trunked by default?

I know for routing you can put a static in with a high AD pointing to the null interface.. I don't believe this will bring up the interface though.

Cheers,
Aaron.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Wednesday, October 01, 2008 9:29 PM
To: Bagosi Rómeó
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Forcing VLAN interface to UP state

I believe if you just add the vlan to any trunk it will come up, even if you don't need that vlan on the trunk port.

On Oct 1, 2008, at 9:02 AM, Bagosi Rómeó wrote:
> Hi,
>
> Is there a way to force a VLAN interface (ex.: interface vlan 400)
> to UP/UP state on a Cisco UC520 (router, switch...), WITHOUT
> connecting a device to a port which is in the mentioned VLAN?
>
> The current configuration is:
> int vlan 400
>  ip address 10.1.1.1 255.255.255.0
>
> show int vlan 400
> Vlan300 is up, line protocol is down
> ...
>
> Thanks,
> Romeo Bagosi

From MatlockK at exempla.org Wed Oct 1 09:51:34 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Wed, 1 Oct 2008 07:51:34 -0600
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <200810011344.m91DipcT075171@puck.nether.net>
References: <0248553A-4BC1-4209-A8D1-D5F2BFB08BFF@princeton.edu> <200810011344.m91DipcT075171@puck.nether.net>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AF866@LMC-MAIL2.exempla.org>

By default yes. If a port is in trunking mode it trunks 1-4096, unless you explicitly change the list.

Another thing you can do is put a copper Ethernet port into that vlan, and do a 'no keepalive' on that port, which should bring the port up w/o anything hooked up to it. Once the port comes up the vlan should come up.

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Aaron R
Sent: Wednesday, October 01, 2008 7:45 AM
To: 'Jeff Fitzwater'; 'Bagosi Rómeó'
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Forcing VLAN interface to UP state

All vlan's are trunked by default?

I know for routing you can put a static in with a high AD pointing to the null interface.. I don't believe this will bring up the interface though.

Cheers,
Aaron.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeff Fitzwater
Sent: Wednesday, October 01, 2008 9:29 PM
To: Bagosi Rómeó
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Forcing VLAN interface to UP state

I believe if you just add the vlan to any trunk it will come up, even if you don't need that vlan on the trunk port.

On Oct 1, 2008, at 9:02 AM, Bagosi Rómeó wrote:
> Hi,
>
> Is there a way to force a VLAN interface (ex.: interface vlan 400)
> to UP/UP state on a Cisco UC520 (router, switch...), WITHOUT
> connecting a device to a port which is in the mentioned VLAN?
>
> The current configuration is:
> int vlan 400
>  ip address 10.1.1.1 255.255.255.0
>
> show int vlan 400
> Vlan300 is up, line protocol is down
> ...
>
> Thanks,
> Romeo Bagosi
From asturluismi at gmail.com Wed Oct 1 09:51:33 2008
From: asturluismi at gmail.com (luismi)
Date: Wed, 01 Oct 2008 15:51:33 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <48E35A49.3000908@harvard.edu>
References: <20081001081904.GY17238@greenie.muc.de> <48E35A49.3000908@harvard.edu>
Message-ID: <1222869093.7297.1.camel@dsba-ipso>

Bad news :-/

We have an issue here with streaming video too.

What IOS are you running?
What are the steps to verify that we have the same issue?
What commands did you execute and what was the result?
You tried hold-queue command, didn't you?

On Wed, 01-10-2008 at 07:08 -0400, McEvilly, Patrick wrote:
> Hi
>
> We are having an almost identical problem using a 3750E. We are
> streaming udp video with an average of about 80Mb/s and the uplink port
> (in our case one gig) is clocking up output drops and causing video
> breakup. We too upgraded code but did not resolve the issue. We do
> have a TAC case opened but that's not going anywhere. I'll let you know
> if we get any further information that might help. I fear that this is
> a hardware limitation and the party line from Cisco will be "this is a
> desktop switch, what do you expect?"
>
> Patrick
>
>
>
> Gert Doering wrote:
> > Hi,
> >
> > one of our switches is misbehaving, and I'm wondering whether this is a
> > configuration thing, or a hardware limitation.
> >
> > (It's not actually a QoS thing, but it's bordering on it)
> >
> > Setup: WS-C2960G-24TC-L, effectively only 4 ports active:
> >
> > This is where stuff comes in (UDP audio streaming servers):
> >
> > GigabitEthernet0/8 is up, line protocol is up (connected)
> >   5 minute input rate 26179000 bits/sec, 3819 packets/sec
> >   5 minute output rate 3492000 bits/sec, 3295 packets/sec
> > GigabitEthernet0/12 is up, line protocol is up (connected)
> >   5 minute input rate 334588000 bits/sec, 41069 packets/sec
> >   5 minute output rate 14453000 bits/sec, 26859 packets/sec
> > GigabitEthernet0/16 is up, line protocol is up (connected)
> >   5 minute input rate 27730000 bits/sec, 2940 packets/sec
> >   5 minute output rate 1507000 bits/sec, 1976 packets/sec
> >
> > And this is where it leaves the switch:
> >
> > GigabitEthernet0/10 is up, line protocol is up (connected)
> >   5 minute input rate 19432000 bits/sec, 32108 packets/sec
> >   5 minute output rate 380792000 bits/sec, 46406 packets/sec
> >
> > As you see, the ports are far from saturated, and even the load from all
> > "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity
> > of the "egress" port (G0/10).
> >
> > But still...
> >
> > GigabitEthernet0/10 is up, line protocol is up (connected)
> >   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8731686
> >
> > ... and this is of course affecting the audio quality.
> >
> > (The output port goes to a Juniper SSG550 firewall, which has no problem
> > keeping up with the load to about 950 Mbits/s - and if only one ingress port
> > is active on the switch, we can see much higher egress load without noticeable
> > drops)
> >
> >
> > IOS version on the switch is 12.2(46)SE, but I had (25)SEE on it before
> > that, and observed the same symptoms (except that (25)SEE does not
> > display the output drops in the counters).
> >
> > Right now, "mls qos" is *deactivated*, because we actually don't want
> > QoS as in "drop specific packets" here - we want "move ahead all packets!".
> >
> > If I enable "mls qos", the packet drops go way up - which I read as "the
> > existing buffers, that are already not really huge, are split into 4
> > smaller queues, and thus microbursts are causing much higher drops".
> >
> >
> > My theory is that the streaming servers are micro-bursting (send out
> > packets with full wire rate for 1/100s, and then do nothing for 99/100s),
> > and that the switch has too small buffers to join the 4 ingress ports
> > towards the egress ports. But I'm not sure how to validate that.
> >
> >
> > So, here come the questions:
> >
> > - how much buffer space per port does the 2960G have?
> >
> > - how can I find out why the switch is dropping packets?
> >
> > - what L2 switches are other people using in environments with
> >   continuous high load that has "microbursts"?
> >
> > - any other tricks that people are using to make servers more well-behaved
> >   regarding packet sending rate? Like "shaping traffic on the servers"
> >   (to distribute the packets more evenly along the time scale)?
> >
> >
> > We have other streaming customers, and they are directly connected to
> > 6408A or 6724 ports on 7600s, and not displaying anything unusual, at
> > even higher loads (multiple ingress ports running at >800 Mbit/s for
> > hours, egress via port-channels). So it's something with this 2960G...
> >
> > gert
> >

From tim at pelican.org Wed Oct 1 09:53:58 2008
From: tim at pelican.org (Tim Franklin)
Date: Wed, 1 Oct 2008 14:53:58 +0100 (BST)
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
References: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
Message-ID: <4fbc00576429a1743de08c0d37bc91a2.squirrel@webmail.pelican.org>

On Wed, October 1, 2008 2:02 pm, Bagosi Rómeó wrote:
> Is there a way to force a VLAN interface (ex.: interface vlan 400) to
> UP/UP state on a Cisco UC520 (router, switch...), WITHOUT connecting a
> device to a port which is in the mentioned VLAN?

'no autostate' on the vlan interface works for 87x. No idea if that's valid or not for the UC520, sorry.

Regards,
Tim.

From dgranzer at gmail.com Wed Oct 1 10:05:34 2008
From: dgranzer at gmail.com (David Granzer)
Date: Wed, 1 Oct 2008 16:05:34 +0200
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
References: <085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu>
Message-ID: <844ef89c0810010705p1ee38005tef2a43a81c99592a@mail.gmail.com>

Hello,

I'm not sure how it works on UC520, but with 3750 (for example) when you don't have a spanning tree instance for that vlan then the interface state is up/down.

3750-1#sh spanning-tree vlan 24
Spanning tree instance(s) for vlan 24 does not exist.
3750-1#sh int vlan 24 | i Vlan
Vlan24 is up, line protocol is down

When enabling spanning tree

3750-1#sh spanning-tree vlan 24

VLAN0024
  Spanning tree enabled protocol ieee

3750-1#sh int vlan 24 | i Vlan|Internet address
Vlan24 is up, line protocol is up
  Internet address is 1.2.3.4/24

3750-1#ping 1.2.3.4

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

Regards,
David

On 10/1/08, Bagosi Rómeó wrote:
> Hi,
>
> Is there a way to force a VLAN interface (ex.: interface vlan 400) to UP/UP state on a Cisco UC520 (router, switch...), WITHOUT connecting a device to a port which is in the mentioned VLAN?
>
> The current configuration is:
> int vlan 400
>  ip address 10.1.1.1 255.255.255.0
>
> show int vlan 400
> Vlan300 is up, line protocol is down
> ...
>
> Thanks,
> Romeo Bagosi

From j.varaillon at cosmoline.com Wed Oct 1 10:09:37 2008
From: j.varaillon at cosmoline.com (Varaillon Jean Christophe)
Date: Wed, 01 Oct 2008 14:09:37 -0000
Subject: [c-nsp] QoS Mapping DSCP-EXP-IPP
Message-ID: <00af01c90c3c$82193170$864b9450$%varaillon@cosmoline.com>

Hi,

Given that the QoS implementation is consistent across the network, can the mapping be done any way we want? Or is there any mapping that should not be changed due to some restriction (e.g. Network Control class)?

Is there any command showing the default mapping on 7200 with 12.3? (I only found for 6509: "show mls qos map")

Thank you.
Christophe

From zeusdadog at gmail.com Wed Oct 1 10:18:06 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Wed, 1 Oct 2008 10:18:06 -0400
Subject: [c-nsp] DS3 problem on PA-T3
Message-ID: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com>

I am stumped on a problem with our Telco here.

We have a frame-relay DS3 from Verizon. This is how it's connected from the CO.

Verizon CO Frame router/switch <-> DS3 <-> Adtran Opti3 <-> OC3 fiber <-> Adtran Opti3 <-> DS3 <-> our router

We started having problems two weeks ago and the circuit started bouncing. We originally had a 7500 router there. Verizon kept insisting the problem is CPE so we have tried a second DS3 interface on the 7500, a different card in the 7500, then finally swapping out the entire router with a 7200 and PA-T3. Verizon finally figured out there was indeed something wrong on their side and swapped out some cards on the Opti3. Now the circuit isn't going up and down but we are seeing trickling errors on the interface consistently. They put a T-berd on our side of the dmark and monitored the circuit over the weekend. They are seeing errors coming from our router and FEBE from CO end. From our router, I am seeing errors coming from Verizon.

At this point, I can't believe it's our DS3 card. We have changed the DS3 cable as well. Does anyone see any possible problem on my side of the config? Or any other ideas what could be causing this problem?
interface Serial1/0
 description Verizon DS3 frame-relay
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation frame-relay IETF
 no ip mroute-cache
 logging event subif-link-status
 logging event dlci-status-change
 framing c-bit
 cablelength 50
 dsu bandwidth 44210
 serial restart-delay 0
 frame-relay lmi-type ansi

#sh controllers ser 1/0
M1T-T3 pa: show controller:
PAS unit 0, subunit 0, f/w version 3-92, rev ID 0x2800001, version 3
idb = 0x614754AC, ds = 0x61476FC4, ssb=0x614772F4
Clock mux=0x30, ucmd_ctrl=0x0, port_status=0x1
Serial config=0x8, line config=0x1B0202
maxdgram=4584, bufpool=128Kb, 256 particles

 rxLOS inactive, rxLOF inactive, rxAIS inactive
 txAIS inactive, rxRAI inactive, txRAI inactive
line state: up
cable type : T3 cable, received clockrate 44201430

base0 registers=0x3C800000, base1 registers=0x3C802000
rx_base0 registers=0x3C804000, rx_base1 registers=0x3C806000
mxt_ds=0x61922350, rx ring entries=124, tx ring entries=254
statring=0x3903900, statr shadow=0x61479124, stat_head=175
plus_pa: rx_statring=0x3903D40, rx_statr shadow=0x61479950, rx_stat_head=29
rxring=0x39036C0, rxr shadow=0x61478AF8, rx_head=109
txring=0x3904300, txr shadow=0x61479D7C, tx_head=185, tx_tail=191, tx_count=6
throttled=0, enabled=0
halted=0, last halt reason=0
Microcode fatal errors=0
rx_no_eop_err=0, rx_no_stp_err=0, rx_no_eop_stp_err=0
rx_no_buf=0, rx_soft_overrun_err=23, dump_err= 0, bogus=0, mxt_flags=0x2C
tx_underrun_err=18, tx_soft_underrun_err=0, tx_limited=0(254)
tx_fullring=538, tx_started=809952433
rx_int_count=870161881, tx_int_count=1611065176
 Framing is c-bit, Clock Source is Line
 Bandwidth limit is 44210, DSU mode 0, Cable length is 50
 rx FEBE since last clear counter 1980, since reset 179
 Data in current interval (881 seconds elapsed):
   1 Line Code Violations, 1 P-bit Coding Violation
   1 C-bit Coding Violation
   1 P-bit Err Secs, 0 P-bit Sev Err Secs
   0 Sev Err Framing Secs, 0 Unavailable Secs
   1 Line Errored Secs, 1 C-bit Errored Secs, 0 C-bit Sev Err Secs
 Total Data (last 24 hours)
   2343 Line Code Violations, 637 P-bit Coding Violation,
   635 C-bit Coding Violation,
   260 P-bit Err Secs, 0 P-bit Sev Err Secs,
   0 Sev Err Framing Secs, 0 Unavailable Secs,
   418 Line Errored Secs, 260 C-bit Errored Secs, 0 C-bit Sev Err Secs

 No alarms detected.

#sh int ser 1/0
Serial1/0 is up, line protocol is up
  Hardware is M1T-T3 pa
  Description: Verizon DS3 frame-relay #########
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
     reliability 255/255, txload 57/255, rxload 13/255
  Encapsulation FRAME-RELAY IETF, crc 16, loopback not set
  Keepalive set (10 sec)
  Restart-Delay is 0 secs
  LMI enq sent 41313, LMI stat recvd 41313, LMI upd recvd 0, DTE LMI up
  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
  Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters 4d18h
  Input queue: 0/75/0/3084 (size/max/drops/flushes); Total output drops: 4570
  Queueing strategy: fifo
  Output queue :0/40 (size/max)
  5 minute input rate 2283000 bits/sec, 1030 packets/sec
  5 minute output rate 10030000 bits/sec, 1403 packets/sec
     209774076 packets input, 1379501582 bytes, 0 no buffer
     Received 356689 broadcasts, 0 runts, 0 giants, 0 throttles
              0 parity
     4829 input errors, 4748 CRC, 0 frame, 79 overrun, 0 ignored, 2 abort
     259718552 packets output, 3599585926 bytes, 0 underruns
     0 output errors, 0 applique, 4294967295 interface resets
     0 output buffer failures, 0 output buffers swapped out
     1 carrier transitions
   rxLOS inactive, rxLOF inactive, rxAIS inactive
   txAIS inactive, rxRAI inactive, txRAI inactive

From harbor235 at gmail.com Wed Oct 1 10:29:22 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Wed, 1 Oct 2008 10:29:22 -0400
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <844ef89c0810010705p1ee38005tef2a43a81c99592a@mail.gmail.com>
References:
<085C022C25FF9C4EBCF76712A2588DCB01024739@X-SPIRIT.integris.hu> <844ef89c0810010705p1ee38005tef2a43a81c99592a@mail.gmail.com>
Message-ID: <836bf1f90810010729o36cf8c80o7a87c6eccf431976@mail.gmail.com>

Is vlan 400 created on the switch?

harbor235 ;}

On Wed, Oct 1, 2008 at 10:05 AM, David Granzer wrote:
> Hello,
>
> I'm not sure how it works on UC520, but with 3750 (for example) when
> you don't have a spanning tree instance for that vlan then the
> interface state is up/down.
>
> 3750-1#sh spanning-tree vlan 24
> Spanning tree instance(s) for vlan 24 does not exist.
>
> 3750-1#sh int vlan 24 | i Vlan
> Vlan24 is up, line protocol is down
>
> When enabling spanning tree
>
> 3750-1#sh spanning-tree vlan 24
>
> VLAN0024
>   Spanning tree enabled protocol ieee
>
> 3750-1#sh int vlan 24 | i Vlan|Internet address
> Vlan24 is up, line protocol is up
>   Internet address is 1.2.3.4/24
>
> 3750-1#ping 1.2.3.4
>
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5)
>
>
> Regards,
> David
>
>
>
> On 10/1/08, Bagosi Rómeó wrote:
> > Hi,
> >
> > Is there a way to force a VLAN interface (ex.: interface vlan 400) to
> > UP/UP state on a Cisco UC520 (router, switch...), WITHOUT connecting a
> > device to a port which is in the mentioned VLAN?
> >
> > The current configuration is:
> > int vlan 400
> >  ip address 10.1.1.1 255.255.255.0
> >
> > show int vlan 400
> > Vlan300 is up, line protocol is down
> > ...
> >
> > Thanks,
> > Romeo Bagosi
> >

From robert at tellurian.com Wed Oct 1 10:31:51 2008
From: robert at tellurian.com (Robert Boyle)
Date: Wed, 01 Oct 2008 10:31:51 -0400
Subject: [c-nsp] DS3 problem on PA-T3
In-Reply-To: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com>
References: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com>
Message-ID: <1222871511_521431@mail1.tellurian.net>

At 10:18 AM 10/1/2008, you wrote:
>I am stumped on a problem with our Telco here.

Jay,

Have you tried an attenuator on the DS3 RECV port on your PA-T3? Try a 10db or a 13db. The signal from the Opti-3 is usually pretty high and overdrives the RECV circuit. Although typically when that happens, it is a PA-MC-T3 and you see tons of LCVs, but I have seen it with a PA-T3 too.

R

>We have a frame-relay DS3 from Verizon. This is how it's connected from the
>CO.
>
>Verizon CO Frame router/switch <-> DS3 <-> Adtran Opti3 <-> OC3 fiber <->
>Adtran Opti3 <-> DS3 <-> our router
>
>We started having problems two weeks ago and the circuit started bouncing.
>We originally had a 7500 router there. Verizon kept insisting the problem
>is CPE so we have tried a second DS3 interface on the 7500, a different card in
>the 7500, then finally swapping out the entire router with a 7200 and
>PA-T3. Verizon finally figured out there was indeed something wrong on
>their side and swapped out some cards on the Opti3. Now the circuit isn't
>going up and down but we are seeing trickling errors on the interface
>consistently.
>They put a T-berd on our side of the dmark and monitored the
>circuit over the weekend. They are seeing errors coming from our router and
>FEBE from CO end. From our router, I am seeing errors coming from Verizon.
>
>At this point, I can't believe it's our DS3 card. We have changed the DS3
>cable as well. Does anyone see any possible problem on my side of the
>config? Or any other ideas what could be causing this problem?
>
>interface Serial1/0
> description Verizon DS3 frame-relay
> no ip address
> no ip redirects
> no ip unreachables
> no ip proxy-arp
> encapsulation frame-relay IETF
> no ip mroute-cache
> logging event subif-link-status
> logging event dlci-status-change
> framing c-bit
> cablelength 50
> dsu bandwidth 44210
> serial restart-delay 0
> frame-relay lmi-type ansi
>
>#sh controllers ser 1/0
>M1T-T3 pa: show controller:
>PAS unit 0, subunit 0, f/w version 3-92, rev ID 0x2800001, version 3
>idb = 0x614754AC, ds = 0x61476FC4, ssb=0x614772F4
>Clock mux=0x30, ucmd_ctrl=0x0, port_status=0x1
>Serial config=0x8, line config=0x1B0202
>maxdgram=4584, bufpool=128Kb, 256 particles
>
> rxLOS inactive, rxLOF inactive, rxAIS inactive
> txAIS inactive, rxRAI inactive, txRAI inactive
>line state: up
>cable type : T3 cable, received clockrate 44201430
>
>base0 registers=0x3C800000, base1 registers=0x3C802000
>rx_base0 registers=0x3C804000, rx_base1 registers=0x3C806000
>mxt_ds=0x61922350, rx ring entries=124, tx ring entries=254
>statring=0x3903900, statr shadow=0x61479124, stat_head=175
>plus_pa: rx_statring=0x3903D40, rx_statr shadow=0x61479950, rx_stat_head=29
>rxring=0x39036C0, rxr shadow=0x61478AF8, rx_head=109
>txring=0x3904300, txr shadow=0x61479D7C, tx_head=185, tx_tail=191,
>tx_count=6
>throttled=0, enabled=0
>halted=0, last halt reason=0
>Microcode fatal errors=0
>rx_no_eop_err=0, rx_no_stp_err=0, rx_no_eop_stp_err=0
>rx_no_buf=0, rx_soft_overrun_err=23, dump_err= 0, bogus=0, mxt_flags=0x2C
>tx_underrun_err=18, tx_soft_underrun_err=0, tx_limited=0(254)
>tx_fullring=538, tx_started=809952433
>rx_int_count=870161881, tx_int_count=1611065176
> Framing is c-bit, Clock Source is Line
> Bandwidth limit is 44210, DSU mode 0, Cable length is 50
> rx FEBE since last clear counter 1980, since reset 179
> Data in current interval (881 seconds elapsed):
>   1 Line Code Violations, 1 P-bit Coding Violation
>   1 C-bit Coding Violation
>   1 P-bit Err Secs, 0 P-bit Sev Err Secs
>   0 Sev Err Framing Secs, 0 Unavailable Secs
>   1 Line Errored Secs, 1 C-bit Errored Secs, 0 C-bit Sev Err Secs
> Total Data (last 24 hours)
>   2343 Line Code Violations, 637 P-bit Coding Violation,
>   635 C-bit Coding Violation,
>   260 P-bit Err Secs, 0 P-bit Sev Err Secs,
>   0 Sev Err Framing Secs, 0 Unavailable Secs,
>   418 Line Errored Secs, 260 C-bit Errored Secs, 0 C-bit Sev Err Secs
>
> No alarms detected.
>
>#sh int ser 1/0
>Serial1/0 is up, line protocol is up
>  Hardware is M1T-T3 pa
>  Description: Verizon DS3 frame-relay #########
>  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
>     reliability 255/255, txload 57/255, rxload 13/255
>  Encapsulation FRAME-RELAY IETF, crc 16, loopback not set
>  Keepalive set (10 sec)
>  Restart-Delay is 0 secs
>  LMI enq sent 41313, LMI stat recvd 41313, LMI upd recvd 0, DTE LMI up
>  LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
>  LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
>  Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
>  Last input 00:00:00, output 00:00:00, output hang never
>  Last clearing of "show interface" counters 4d18h
>  Input queue: 0/75/0/3084 (size/max/drops/flushes); Total output drops: 4570
>  Queueing strategy: fifo
>  Output queue :0/40 (size/max)
>  5 minute input rate 2283000 bits/sec, 1030 packets/sec
>  5 minute output rate 10030000 bits/sec, 1403 packets/sec
>     209774076 packets input, 1379501582 bytes, 0 no buffer
>     Received 356689 broadcasts, 0 runts, 0 giants, 0 throttles
>              0 parity
>     4829 input errors, 4748 CRC, 0 frame, 79 overrun, 0 ignored, 2 abort
>     259718552 packets output, 3599585926 bytes, 0 underruns
>     0 output errors, 0 applique, 4294967295 interface resets
>     0 output buffer failures, 0 output buffers swapped out
>     1 carrier transitions
>   rxLOS inactive, rxLOF inactive, rxAIS inactive
>   txAIS inactive, rxRAI inactive, txRAI inactive

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

From allan.eising at gmail.com Wed Oct 1 10:32:36 2008
From: allan.eising at gmail.com (Allan Eising)
Date: Wed, 1 Oct 2008 16:32:36 +0200
Subject: [c-nsp] Transparent LAN over Layer3
In-Reply-To: <003401c923ba$3eda1a60$bc8e4f20$@org>
References: <000301c92357$910bdb10$b3239130$@org> <000b01c9236c$52af7380$f80e5a80$@org> <1222828735_506897@mail1.tellurian.net> <003401c923ba$3eda1a60$bc8e4f20$@org>

We're having some of the same thoughts in my company, and are a bit concerned over overhead on L2TPv3 and the following MTU limitations. How do you people deal with this?

-Allan

On Wed, Oct 1, 2008 at 1:38 PM, Paul Stewart wrote:
> Thanks guys... I hadn't heard much about l2tpv3 "in the wild" from actual
> users.... good to hear from folks actually using it a lot - that makes it
> easier for me to make some decisions...
>
> Best regards, thanks to everyone for onlist and offlist replies...
>
> Paul
>
>
> -----Original Message-----
> From: John van Oppen [mailto:john at vanoppen.com]
> Sent: October 1, 2008 4:07 AM
> To: Robert Boyle; Paul Stewart; Michael K. Smith; cisco-nsp
> Subject: RE: [c-nsp] Transparent LAN over Layer3
>
> I would second that as well. We use l2tpv3 all over the place, with
> Ethernet.
> We mostly do it with 7200VXRs as endpoints but I have a few
> 12000s running with OC48s as "tunnel server cards" and those work nicely
> as well and it is a quite elegant solution when MPLS is not possible or
> only rather simple transport functionality is required.
>
>
>
> John van Oppen
> Spectrum Networks LLC
> 206.973.8302 (Direct)
> 206.973.8300 (main office)
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Boyle
> Sent: Tuesday, September 30, 2008 7:39 PM
> To: Paul Stewart; 'Michael K. Smith'; 'cisco-nsp'
> Subject: Re: [c-nsp] Transparent LAN over Layer3
>
> At 10:20 PM 9/30/2008, Paul Stewart wrote:
>>Yes, we own the end to end network however it's a routed network in
>>those segments...
>>router-->router-->router-->switch-->switch-->router-->router-->router-->router specifically...;)
>>
>>If we could hand them off a few VLAN's we would just do that and not
>>even use Q-in-Q unless we really needed to... but basically I'm looking for
>>layer2 transport via layer3 devices... and there's no option for MPLS
>>in this setup...
>
> Take a look at L2TPv3. We use it for all kinds of crazy transport
> here. Taking a T1 from one city and one carrier and delivering it to
> a customer in our datacenter, handing ATM PVCs off from one router to
> another ATM PVC on another router 100 miles away. We haven't used it
> for Ethernet, but that sure seems a lot less complicated than the
> things we are doing. Anything you put in on one side is transparently
> trunked to the other side. It works great and gives you many of the
> benefits of MPLS without the need to have a network which supports
> MPLS end to end. It is especially useful for small POPs and locations
> with older gear.
>
> -Robert
>
>
>
> Tellurian Networks - Global Hosting Solutions Since 1995
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> "Well done is better than well said."
- Benjamin Franklin > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From pashtuk at gmail.com Wed Oct 1 11:44:01 2008 From: pashtuk at gmail.com (Michel Grossenbacher) Date: Wed, 1 Oct 2008 17:44:01 +0200 Subject: [c-nsp] Cat 3750 StackMaster Selection considerations Message-ID: <6e9dc1350810010844m51fc6084nddf330afb0dfe441@mail.gmail.com> Hi all We're going to use the cat3750 Stacks for the first time soon and I got a question regarding the StackMaster selection. Its not about how the StackMaster gets elected (thats clear enough from the guide) what I ask myself is how much sense does it make to define a StackMaster manually? What are the benefits for that beside knowing which Switch is the Master (nice to have but..)? All switches in a stack will run the same IOS Version and also the same feature sets so there wont be any problems with not available EMI/SMI or crypto/noncrypto features. Beside the core stacks (1x12 port SFP, 1x24 Gig copper) all stacks consist of the same switch type. At the moment I dont see much benefit in setting a Stack Master, only added complexity. Am I missing something? 
Thank you, best regards,
Michel

From jhigham at epri.com Wed Oct 1 11:48:02 2008
From: jhigham at epri.com (Higham, Josh)
Date: Wed, 1 Oct 2008 08:48:02 -0700
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001081904.GY17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273013B5582@uspalex02.epri.com>

> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
>
> one of our switches is misbehaving, and I'm wondering whether this is a configuration thing, or a hardware limitation.
>
> GigabitEthernet0/10 is up, line protocol is up (connected)
> 5 minute input rate 19432000 bits/sec, 32108 packets/sec
> 5 minute output rate 380792000 bits/sec, 46406 packets/sec
>
> As you see, the ports are far from saturated, and even the load from all "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity of the "egress" port (G0/10).

As an aside, you can get more accurate numbers by configuring 'load-interval 30' on each interface. In the last discussion on this list I believe there wasn't a significant CPU impact.

ciao
Josh

From p.mayers at imperial.ac.uk Wed Oct 1 11:50:49 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 01 Oct 2008 16:50:49 +0100
Subject: [c-nsp] BGP v4 multicast
Message-ID: <48E39C59.1020700@imperial.ac.uk>

All,

Just a quick question; what's the best syntax for causing an eBGP session with v4 multicast AF to originate routes?
We have:

router bgp 65000
 neighbor 192.168.1.1 remote-as 65001
 address-family ipv4
  neighbor 192.168.1.1 activate
 address-family ipv4 multicast
  neighbor 192.168.1.1 activate

The "ipv4" family gets its routes from other iBGP peers, however none of them have (or can support) the "v4 multicast" AF; can I do this:

address-family ipv4 multicast
 neighbor 192.168.1.1 activate
 network 10.2.0.0 netmask 255.255.0.0
 network 10.3.0.0 netmask 255.255.0.0

...and will it originate 10.2.0.0/16 & 10.3.0.0/16 via multicast to the eBGP peer? Is this recommended?

From zeusdadog at gmail.com Wed Oct 1 11:56:26 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Wed, 1 Oct 2008 11:56:26 -0400
Subject: [c-nsp] DS3 problem on PA-T3
In-Reply-To: <1222871511_521431@mail1.tellurian.net>
References: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com> <1222871511_521431@mail1.tellurian.net>
Message-ID: <9418aca70810010856o2ba4a160w149b707041cdcf68@mail.gmail.com>

It looks like the Opti-3 has "Long" and "Short" options for LBO on the DS3 interface. I am going to make sure Verizon set it to short since the coax is only about 15' long. I don't have any attenuators handy to try that out.

I did, however, change the DSU mode to Kentrox and the errors have gone away for the last hour. I didn't think that really mattered if you were doing full DS3.

On Wed, Oct 1, 2008 at 10:31 AM, Robert Boyle wrote:
> At 10:18 AM 10/1/2008, you wrote:
>
>> I am stumped on a problem with our Telco here.
>>
>
> Jay,
>
> Have you tried an attenuator on the DS3 RECV port on your PA-T3? Try a 10db or a 13db. The signal from the Opti-3 is usually pretty high and overdrives the RECV circuit. Although typically when that happens, it is a PA-MC-T3 and you see tons of LCVs, but I have seen it with a PA-T3 too.
>
> R
>
>> We have a frame-relay DS3 from Verizon. This is how it's connected from the CO.
>>
>> Verizon CO Frame router/switch <-> DS3 <-> Adtran Opti3 <-> OC3 fiber <-> Adtran Opti3 <-> DS3 <-> our router
>>
>> We started having problem two weeks ago and the circuit started bouncing. We originally had a 7500 router there. Verizon kept insisting the problem is CPE so we have tried second DS3 interface on the 7500, different card in the 7500, then finally swapping out the entire router with a 7200 and PA-T3. Verizon finally figured out there was indeed something wrong on their side and swapped out some cards on the Opti3. Now the circuit isn't going up and down but we are seeing trickling errors on the interface consistently. They put a T-berd on our side of the dmark and monitored the circuit over the weekend. They are seeing errors coming from our router and FEBE from CO end. From our router, I am seeing errors coming from Verizon.
>>
>> At this point, I can't believe it's our DS3 card. We have changed the DS3 cable as well. Does anyone see any possible problem on my side of the config? Or any other ideas what could be causing this problem?
>>
>> interface Serial1/0
>>  description Verizon DS3 frame-relay
>>  no ip address
>>  no ip redirects
>>  no ip unreachables
>>  no ip proxy-arp
>>  encapsulation frame-relay IETF
>>  no ip mroute-cache
>>  logging event subif-link-status
>>  logging event dlci-status-change
>>  framing c-bit
>>  cablelength 50
>>  dsu bandwidth 44210
>>  serial restart-delay 0
>>  frame-relay lmi-type ansi
>>
>> #sh controllers ser 1/0
>> M1T-T3 pa: show controller:
>> PAS unit 0, subunit 0, f/w version 3-92, rev ID 0x2800001, version 3
>> idb = 0x614754AC, ds = 0x61476FC4, ssb=0x614772F4
>> Clock mux=0x30, ucmd_ctrl=0x0, port_status=0x1
>> Serial config=0x8, line config=0x1B0202
>> maxdgram=4584, bufpool=128Kb, 256 particles
>>
>> rxLOS inactive, rxLOF inactive, rxAIS inactive
>> txAIS inactive, rxRAI inactive, txRAI inactive
>> line state: up
>> cable type : T3 cable, received clockrate 44201430
>>
>> base0 registers=0x3C800000, base1 registers=0x3C802000
>> rx_base0 registers=0x3C804000, rx_base1 registers=0x3C806000
>> mxt_ds=0x61922350, rx ring entries=124, tx ring entries=254
>> statring=0x3903900, statr shadow=0x61479124, stat_head=175
>> plus_pa: rx_statring=0x3903D40, rx_statr shadow=0x61479950, rx_stat_head=29
>> rxring=0x39036C0, rxr shadow=0x61478AF8, rx_head=109
>> txring=0x3904300, txr shadow=0x61479D7C, tx_head=185, tx_tail=191, tx_count=6
>> throttled=0, enabled=0
>> halted=0, last halt reason=0
>> Microcode fatal errors=0
>> rx_no_eop_err=0, rx_no_stp_err=0, rx_no_eop_stp_err=0
>> rx_no_buf=0, rx_soft_overrun_err=23, dump_err= 0, bogus=0, mxt_flags=0x2C
>> tx_underrun_err=18, tx_soft_underrun_err=0, tx_limited=0(254)
>> tx_fullring=538, tx_started=809952433
>> rx_int_count=870161881, tx_int_count=1611065176
>> Framing is c-bit, Clock Source is Line
>> Bandwidth limit is 44210, DSU mode 0, Cable length is 50
>> rx FEBE since last clear counter 1980, since reset 179
>> Data in current interval (881 seconds elapsed):
>>   1 Line Code Violations, 1 P-bit Coding Violation
>>   1 C-bit Coding Violation
>>   1 P-bit Err Secs, 0 P-bit Sev Err Secs
>>   0 Sev Err Framing Secs, 0 Unavailable Secs
>>   1 Line Errored Secs, 1 C-bit Errored Secs, 0 C-bit Sev Err Secs
>> Total Data (last 24 hours)
>>   2343 Line Code Violations, 637 P-bit Coding Violation,
>>   635 C-bit Coding Violation,
>>   260 P-bit Err Secs, 0 P-bit Sev Err Secs,
>>   0 Sev Err Framing Secs, 0 Unavailable Secs,
>>   418 Line Errored Secs, 260 C-bit Errored Secs, 0 C-bit Sev Err Secs
>>
>> No alarms detected.
>>
>> #sh int ser 1/0
>> Serial1/0 is up, line protocol is up
>>   Hardware is M1T-T3 pa
>>   Description: Verizon DS3 frame-relay #########
>>   MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
>>      reliability 255/255, txload 57/255, rxload 13/255
>>   Encapsulation FRAME-RELAY IETF, crc 16, loopback not set
>>   Keepalive set (10 sec)
>>   Restart-Delay is 0 secs
>>   LMI enq sent 41313, LMI stat recvd 41313, LMI upd recvd 0, DTE LMI up
>>   LMI enq recvd 0, LMI stat sent 0, LMI upd sent 0
>>   LMI DLCI 0 LMI type is ANSI Annex D frame relay DTE
>>   Broadcast queue 0/256, broadcasts sent/dropped 0/0, interface broadcasts 0
>>   Last input 00:00:00, output 00:00:00, output hang never
>>   Last clearing of "show interface" counters 4d18h
>>   Input queue: 0/75/0/3084 (size/max/drops/flushes); Total output drops: 4570
>>   Queueing strategy: fifo
>>   Output queue :0/40 (size/max)
>>   5 minute input rate 2283000 bits/sec, 1030 packets/sec
>>   5 minute output rate 10030000 bits/sec, 1403 packets/sec
>>      209774076 packets input, 1379501582 bytes, 0 no buffer
>>      Received 356689 broadcasts, 0 runts, 0 giants, 0 throttles
>>      0 parity
>>      4829 input errors, 4748 CRC, 0 frame, 79 overrun, 0 ignored, 2 abort
>>      259718552 packets output, 3599585926 bytes, 0 underruns
>>      0 output errors, 0 applique, 4294967295 interface resets
>>      0 output buffer failures, 0 output buffers swapped out
>>      1 carrier transitions
>>      rxLOS inactive, rxLOF inactive, rxAIS inactive
>>      txAIS inactive, rxRAI inactive, txRAI inactive
>>
From gert at greenie.muc.de Wed Oct 1 12:03:28 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 18:03:28 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <4C3B8C75B5899943AEC675BA6DD46273013B5582@uspalex02.epri.com>
References: <20081001081904.GY17238@greenie.muc.de> <4C3B8C75B5899943AEC675BA6DD46273013B5582@uspalex02.epri.com>
Message-ID: <20081001160328.GU17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 08:48:02AM -0700, Higham, Josh wrote:
> > GigabitEthernet0/10 is up, line protocol is up (connected)
> > 5 minute input rate 19432000 bits/sec, 32108 packets/sec
> > 5 minute output rate 380792000 bits/sec, 46406 packets/sec
> >
> > As you see, the ports are far from saturated, and even the load from all "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity of the "egress" port (G0/10).
>
> As an aside, you can get more accurate numbers by configuring 'load-interval 30' on each interface. In the last discussion on this list I believe there wasn't a significant CPU impact.

Well, yes, of course. It won't make a significant difference here, though - on a macroscopic timescale ("minutes") the traffic is fairly steady, and no big changes during the day. Short bursts (<10 seconds) won't be properly visible in these counters either way.

gert
--
USENET is *not* the non-clickable part of WWW!                 //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
From achatz at forthnet.gr Wed Oct 1 12:07:59 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 01 Oct 2008 19:07:59 +0300
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001081904.GY17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de>
Message-ID: <48E3A05F.5000109@forthnet.gr>

Gert Doering wrote on 01/10/2008 11:19:
>
> - how can I find out why the switch is dropping packets?
>

You can try the "sh platform port-asic stats" command:

2960#sh platform port-asic stats ?
  drop           Drop Statistics
  enqueue        Enqueue Statistics
  miscellaneous  Miscellaneous Statistics
  supervisor     Supervisor Statistics

--
Tassos

From gert at greenie.muc.de Wed Oct 1 12:08:09 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 18:08:09 +0200
Subject: [c-nsp] BGP v4 multicast
In-Reply-To: <48E39C59.1020700@imperial.ac.uk>
References: <48E39C59.1020700@imperial.ac.uk>
Message-ID: <20081001160809.GV17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 04:50:49PM +0100, Phil Mayers wrote:
> Just a quick question; what's the best syntax for causing an eBGP session with v4 multicast AF to originate routes?

Same way you currently do it with IPv4 unicast, just put the statements under "ipv4 multicast".

As in - if you're doing "redistribute static route-map foo", you can just put the same statement under "address-fam ipv4 multicast" as well.

> address-family ipv4 multicast
>  neighbor 192.168.1.1 activate
>  network 10.2.0.0 netmask 255.255.0.0
>  network 10.3.0.0 netmask 255.255.0.0

This will work fine.

> ...and will it originate 10.2.0.0/16 & 10.3.0.0/16 via multicast to the eBGP peer?

It will not "originate via multicast", but it will send these two prefixes in the IPv4 multicast address-family - via the normal TCP/IPv4 unicast BGP session. Yes.

> Is this recommended?
Well, we have just removed all IPv4 multicast BGP from our network, since it doesn't work on "the global Internet" :-) - but technically, use whatever works for you in IPv4 unicast to bring the prefixes into BGP.

gert

From p.mayers at imperial.ac.uk Wed Oct 1 12:18:32 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 01 Oct 2008 17:18:32 +0100
Subject: [c-nsp] BGP v4 multicast
In-Reply-To: <20081001160809.GV17238@greenie.muc.de>
References: <48E39C59.1020700@imperial.ac.uk> <20081001160809.GV17238@greenie.muc.de>
Message-ID: <48E3A2D8.1040805@imperial.ac.uk>

Gert Doering wrote:
> Hi,
>
> On Wed, Oct 01, 2008 at 04:50:49PM +0100, Phil Mayers wrote:
>> Just a quick question; what's the best syntax for causing an eBGP session with v4 multicast AF to originate routes?
>
> Same way you currently do it with IPv4 unicast, just put the statements under "ipv4 multicast".
>
> As in - if you're doing "redistribute static route-map foo", you can just put the same statement under "address-fam ipv4 multicast" as well.

Ok, that's what I wasn't clear on - whether the "v4 multi" AF would read the normal unicast routing table, or whether it required "ip mroute" statements to Null0 or something vile.

>
>> address-family ipv4 multicast
>>  neighbor 192.168.1.1 activate
>>  network 10.2.0.0 netmask 255.255.0.0
>>  network 10.3.0.0 netmask 255.255.0.0
>
> This will work fine.
>
>> ...and will it originate 10.2.0.0/16 & 10.3.0.0/16 via multicast to the eBGP peer?
>
> It will not "originate via multicast", but it will send these two prefixes

Yes sorry - typo

> in the IPv4 multicast address-family - via the normal TCP/IPv4 unicast BGP session. Yes.
>
>> Is this recommended?
>
> Well, we have just removed all IPv4 multicast BGP from our network, since it doesn't work on "the global Internet" :-) - but technically, use whatever

Interesting; does that mean you have abandoned ASM and are pushing SSM, or abandoned multicast completely (although given the lack of SSM-enabled apps, they may be one and the same)?

Sadly I am stuck supporting use of the "wonderful" AccessGrid technologies (sigh) which more or less mandate multicast.

> works for you in IPv4 unicast to bring the prefixes into BGP.
>
> gert
>

From gert at greenie.muc.de Wed Oct 1 12:22:45 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 18:22:45 +0200
Subject: [c-nsp] BGP v4 multicast
In-Reply-To: <48E3A2A6.1080605@imperial.ac.uk>
References: <48E39C59.1020700@imperial.ac.uk> <20081001160809.GV17238@greenie.muc.de> <48E3A2A6.1080605@imperial.ac.uk>
Message-ID: <20081001162245.GW17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 05:17:42PM +0100, Phil Mayers wrote:
> >Same way you currently do it with IPv4 unicast, just put the statements under "ipv4 multicast".
> >
> >As in - if you're doing "redistribute static route-map foo", you can just put the same statement under "address-fam ipv4 multicast" as well.
>
> Ok, that's what I wasn't clear on - whether the "v4 multi" AF would read the normal unicast routing table, or whether it required "ip mroute" statements to Null0 or something vile.

Ah. That was the issue :) - no, it doesn't, at least on IOS (XR might be different).

[..]
> >>Is this recommended?
> >
> >Well, we have just removed all IPv4 multicast BGP from our network, since it doesn't work on "the global Internet" :-) - but technically, use whatever
>
> Interesting; does that mean you have abandoned ASM and are pushing SSM, or abandoned multicast completely (although given the lack of SSM-enabled apps, they may be one and the same)

We have, for the time being, abandoned cross-provider multicast completely.

> Sadly I am stuck supporting use of the "wonderful" AccessGrid technologies (sigh) which more or less mandate multicast.

Oh, well, if anybody actually starts *using* IPv4 multicast, it might return to a more or less working state.

Our problem was that, since it is hardly ever used, providers tend to break it during network changes ("forget to turn on PIM on newly enabled circuits", and things like this) - and when people notice that it's broken, it's 4 weeks later, and nobody remembers that there was a "recent" change...

So debugging always was very painful, and had no relation to the amount of users...

gert

From p.mayers at imperial.ac.uk Wed Oct 1 12:24:16 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 01 Oct 2008 17:24:16 +0100
Subject: [c-nsp] BGP v4 multicast
In-Reply-To: <20081001162245.GW17238@greenie.muc.de>
References: <48E39C59.1020700@imperial.ac.uk> <20081001160809.GV17238@greenie.muc.de> <48E3A2A6.1080605@imperial.ac.uk> <20081001162245.GW17238@greenie.muc.de>
Message-ID: <48E3A430.90509@imperial.ac.uk>

>
> Oh, well, if anybody actually starts *using* IPv4 multicast, it might return to a more or less working state.
>
> Our problem was that, since it is hardly ever used, providers tend to break it during network changes ("forget to turn on PIM on newly enabled circuits", and things like this) - and when people notice that it's broken, it's 4 weeks later, and nobody remembers that there was a "recent" change...
>
> So debugging always was very painful, and had no relation to the amount of users...

Funnily enough, that's exactly the problem I'm facing now ("it broken sometime since May, fix it") :o(

From nitzan.tzelniker at gmail.com Wed Oct 1 12:51:01 2008
From: nitzan.tzelniker at gmail.com (Nitzan Tzelniker)
Date: Wed, 1 Oct 2008 19:51:01 +0300
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <20081001081904.GY17238@greenie.muc.de>
References: <20081001081904.GY17238@greenie.muc.de>
Message-ID: <6d72a2a10810010951u6eb17610xd10119615084917@mail.gmail.com>

We saw a similar problem and we solved it by doing etherchannel on the output interface.

Nitzan

On Wed, Oct 1, 2008 at 11:19, Gert Doering wrote:
> Hi,
>
> one of our switches is misbehaving, and I'm wondering whether this is a configuration thing, or a hardware limitation.
>
> (It's not actually a QoS thing, but it's bordering on it)
>
> Setup: WS-C2960G-24TC-L, effectively only 4 ports active:
>
> This is where stuff comes in (UDP audio streaming servers):
>
> GigabitEthernet0/8 is up, line protocol is up (connected)
>   5 minute input rate 26179000 bits/sec, 3819 packets/sec
>   5 minute output rate 3492000 bits/sec, 3295 packets/sec
> GigabitEthernet0/12 is up, line protocol is up (connected)
>   5 minute input rate 334588000 bits/sec, 41069 packets/sec
>   5 minute output rate 14453000 bits/sec, 26859 packets/sec
> GigabitEthernet0/16 is up, line protocol is up (connected)
>   5 minute input rate 27730000 bits/sec, 2940 packets/sec
>   5 minute output rate 1507000 bits/sec, 1976 packets/sec
>
> And this is where it leaves the switch:
>
> GigabitEthernet0/10 is up, line protocol is up (connected)
>   5 minute input rate 19432000 bits/sec, 32108 packets/sec
>   5 minute output rate 380792000 bits/sec, 46406 packets/sec
>
> As you see, the ports are far from saturated, and even the load from all "ingress" ports (380 Mbit + 27 Mbit + 26 Mbit) is far from the capacity of the "egress" port (G0/10).
>
> But still...
>
> GigabitEthernet0/10 is up, line protocol is up (connected)
>   Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8731686
>
> ... and this is of course affecting the audio quality.
>
> (The output port goes to a Juniper SSG550 firewall, which has no problem keeping up with the load to about 950 Mbits/s - and if only one ingress port is active on the switch, we can see much higher egress load without noticeable drops)
>
> IOS version on the switch is 12.2(46)SE, but I had (25)SEE on it before that, and observed the same symptoms (except that (25)SEE does not display the output drops in the counters).
>
> Right now, "mls qos" is *deactivated*, because we actually don't want QoS as in "drop specific packets" here - we want "move ahead all packets!".
>
> If I enable "mls qos", the packet drops go way up - which I read as "the existing buffers, that are already not really huge, are split into 4 smaller queues, and thus microbursts are causing much higher drops".
>
> My theory is that the streaming servers are micro-bursting (send out packets with full wire rate for 1/100s, and then do nothing for 99/100s), and that the switch has too small buffers to join the 4 ingress ports towards the egress ports. But I'm not sure how to validate that.
>
> So, here comes the questions:
>
> - how much buffer space per port does the 2960G have?
>
> - how can I find out why the switch is dropping packets?
>
> - what L2 switches are other people using in environments with continuous high load that has "microbursts"?
>
> - any other tricks that people are using to make servers more well-behaved regarding packet sending rate? Like "shaping traffic on the servers" (to distribute the packets more evenly along the time scale)?
>
> We have other streaming customers, and they are directly connected to 6408A or 6724 ports on 7600s, and not displaying anything unusual, at even higher loads (multiple ingress ports running at >800 Mbit/s for hours, egress via port-channels). So it's something with this 2960G...
>
> gert

From gert at greenie.muc.de Wed Oct 1 12:54:34 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 18:54:34 +0200
Subject: [c-nsp] BGP v4 multicast
In-Reply-To: <48E3A430.90509@imperial.ac.uk>
References: <48E39C59.1020700@imperial.ac.uk> <20081001160809.GV17238@greenie.muc.de> <48E3A2A6.1080605@imperial.ac.uk> <20081001162245.GW17238@greenie.muc.de> <48E3A430.90509@imperial.ac.uk>
Message-ID: <20081001165434.GX17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 05:24:16PM +0100, Phil Mayers wrote:
> >So debugging always was very painful, and had no relation to the amount of users...
>
> Funnily enough, that's exactly the problem I'm facing now ("it broken sometime since May, fix it")

"Look on every single router in the (reverse) path whether you can see sources (MSDP), mroutes (S,G), and traffic is actually flowing". Which is Seriously No Fun if multiple providers are involved.

gert
From snar at paranoia.ru Wed Oct 1 12:41:20 2008
From: snar at paranoia.ru (Alexandre Snarskii)
Date: Wed, 1 Oct 2008 20:41:20 +0400
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <48E35A49.3000908@harvard.edu>
References: <20081001081904.GY17238@greenie.muc.de> <48E35A49.3000908@harvard.edu>
Message-ID: <20081001164120.GB3486@paranoia.ru>

On Wed, Oct 01, 2008 at 07:08:57AM -0400, McEvilly, Patrick wrote:
> > IOS version on the switch is 12.2(46)SE, but I had (25)SEE on it before that, and observed the same symptoms (except that (25)SEE does not display the output drops in the counters).

The counters problem is CSCsj53001:

  The Total output drops field in the show interfaces privileged EXEC command output now displays accurate ASIC drops.

fixed-in 12.2(44)SE1.

So, looks like we may face the same problem: our TDMoIP people are reporting some minor packet loss, and we were just unable to find the packet loss point - 12.2(35)SE1 just does not report packet drops...

Interestingly enough, our setup differs quite a bit from yours: we have no audio/video streaming, that's a classic customer (and some colocation) aggregation switch with ~800Mbit of traffic:

  5 minute input rate 221500000 bits/sec, 65646 packets/sec
  5 minute output rate 607959000 bits/sec, 83542 packets/sec

(that's etherchannel, 2x 1Ge, utilisation of both ports is less than half:

  5 minute input rate 109153000 bits/sec, 33306 packets/sec
  5 minute output rate 342405000 bits/sec, 44080 packets/sec

  5 minute input rate 112820000 bits/sec, 31775 packets/sec
  5 minute output rate 252582000 bits/sec, 38455 packets/sec
).

--
Alexandre Snarskii

If you ask a stupid question, you may feel stupid. If you don't ask a stupid question, you remain stupid.
-Tony Rothman, Ph.D., U. Chicago, Physics

From gert at greenie.muc.de Wed Oct 1 13:16:28 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 19:16:28 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <48E3A05F.5000109@forthnet.gr>
References: <20081001081904.GY17238@greenie.muc.de> <48E3A05F.5000109@forthnet.gr>
Message-ID: <20081001171627.GA17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 07:07:59PM +0300, Tassos Chatzithomaoglou wrote:
> Gert Doering wrote on 01/10/2008 11:19:
> > - how can I find out why the switch is dropping packets?
>
> You can try the "sh platform port-asic stats" command:
>
> 2960#sh platform port-asic stats ?
>   drop           Drop Statistics

Nothing like good counters... :-)

#sh platform port-asic stats drop gi0/10
  [... "Frames 0" lines omitted...]
  Queue 3
    Weight 0 Frames 0
    Weight 1 Frames 0
    Weight 2 Frames 69425656

#sh platform port-asic stats drop asic 1
  ...
  Port 0 TxQueue Drop Stats: 69447671
  Port 1 TxQueue Drop Stats: 0
  Port 2 TxQueue Drop Stats: 0
  Port 3 TxQueue Drop Stats: 0

#sh platform port-asic stats enq g0/10
  Interface Gi0/10 TxQueue Enqueue Statistics
    Queue 0
      Weight 0 Frames 2
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 1
      Weight 0 Frames 0
      Weight 1 Frames 34
      Weight 2 Frames 57548
    Queue 2
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 0
    Queue 3
      Weight 0 Frames 0
      Weight 1 Frames 0
      Weight 2 Frames 3505735486

... so that basically tells me what I was assuming - "all packets go into the same queue (no QoS marking going on here, all packets are important), and some of them get dropped".

I'm not really sure how to start from here towards "*why* is it dropping the packets"?

gert
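An added example, not code from any of the list posts: a small parser for the "show interfaces" counters quoted in the DS3 and 2960G threads above, with checks for the three things people were chasing (output drops, CRC/input errors, and the 4294967295 "interface resets" value, which is 0xFFFFFFFF and therefore an unreliable wrapped counter rather than a real count). The sample output is constructed, modelled on the Serial1/0 and Gi0/10 snippets in the thread.

```python
"""Parse Cisco IOS 'show interfaces' output and flag the error counters
discussed in this thread (output drops, CRC / input errors, interface
resets). Added example, not code from the list; the sample below is
constructed, modelled on the Serial1/0 and Gi0/10 snippets quoted here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

COUNTER_MAX32 = 0xFFFFFFFF  # 4294967295: an unsigned 32-bit counter that has wrapped


@dataclass
class IfStats:
    name: str
    in_bps: int
    out_bps: int
    packets_out: int
    input_errors: int
    crc: int
    output_drops: int
    interface_resets: int


# One regex per counter, in the form IOS prints them in 'show interfaces'.
_COUNTERS = {
    "in_bps": re.compile(r"5 minute input rate (\d+) bits/sec"),
    "out_bps": re.compile(r"5 minute output rate (\d+) bits/sec"),
    "packets_out": re.compile(r"(\d+) packets output"),
    "input_errors": re.compile(r"(\d+) input errors"),
    "crc": re.compile(r"(\d+) CRC"),
    "output_drops": re.compile(r"Total output drops:\s*(\d+)"),
    "interface_resets": re.compile(r"(\d+) interface resets"),
}
# Each interface block starts with "<name> is <state>, line protocol is <state>".
_BLOCK_START = re.compile(r"(?m)^(?=\S+ is .+?, line protocol is )")
_NAME = re.compile(r"^(\S+) is ")


def parse_show_interfaces(text: str) -> dict[str, IfStats]:
    """Split the output into per-interface blocks and pull the counters."""
    stats: dict[str, IfStats] = {}
    for block in _BLOCK_START.split(text):
        if not block.strip():
            continue
        name = _NAME.match(block).group(1)
        fields = {}
        for field, pattern in _COUNTERS.items():
            m = pattern.search(block)
            if m is None:
                raise ValueError(f"{name}: counter {field!r} not found")
            fields[field] = int(m.group(1))
        stats[name] = IfStats(name=name, **fields)
    return stats


def findings(s: IfStats) -> list[tuple[str, str]]:
    """Return (code, message) pairs for counters that deserve a closer look."""
    out: list[tuple[str, str]] = []
    if s.interface_resets == COUNTER_MAX32:
        out.append(("counter-wrap",
                    f"{s.name}: interface resets reads 0xFFFFFFFF; "
                    "treat the counter as unreliable until cleared"))
    if s.crc:
        out.append(("crc",
                    f"{s.name}: {s.crc} CRC of {s.input_errors} input errors; "
                    "suspect the physical layer (cabling, LBO, receive level)"))
    if s.output_drops:
        share = 100.0 * s.output_drops / (s.packets_out + s.output_drops)
        out.append(("output-drops",
                    f"{s.name}: {s.output_drops} output drops "
                    f"({share:.4f}% of egress) at {s.out_bps / 1e6:.0f} Mbit/s; "
                    "egress queue congestion, check per-queue drops with "
                    "'show platform port-asic stats drop' on the 2960"))
    return out


# Constructed sample: two blocks in the layout quoted in the thread.
SAMPLE = """\
Serial1/0 is up, line protocol is up
  Hardware is M1T-T3 pa
  MTU 4470 bytes, BW 44210 Kbit, DLY 200 usec,
  Input queue: 0/75/0/3084 (size/max/drops/flushes); Total output drops: 4570
  5 minute input rate 2283000 bits/sec, 1030 packets/sec
  5 minute output rate 10030000 bits/sec, 1403 packets/sec
     209774076 packets input, 1379501582 bytes, 0 no buffer
     4829 input errors, 4748 CRC, 0 frame, 79 overrun, 0 ignored, 2 abort
     259718552 packets output, 3599585926 bytes, 0 underruns
     0 output errors, 0 applique, 4294967295 interface resets
GigabitEthernet0/10 is up, line protocol is up (connected)
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 8731686
  5 minute input rate 19432000 bits/sec, 32108 packets/sec
  5 minute output rate 380792000 bits/sec, 46406 packets/sec
     1234567890 packets input, 987654321000 bytes, 0 no buffer
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     2345678901 packets output, 1876543210000 bytes, 0 underruns
     0 output errors, 0 interface resets
"""

if __name__ == "__main__":
    for name, s in parse_show_interfaces(SAMPLE).items():
        for code, msg in findings(s) or [("ok", f"{name}: no anomalies")]:
            print(f"[{code}] {msg}")
```

Note that on 2960 images before 12.2(44)SE1 the "Total output drops" field does not reflect ASIC drops (CSCsj53001, as mentioned in this thread), so a zero there proves nothing on older software.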
From gert at greenie.muc.de Wed Oct 1 13:20:56 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 19:20:56 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <6d72a2a10810010951u6eb17610xd10119615084917@mail.gmail.com>
References: <20081001081904.GY17238@greenie.muc.de> <6d72a2a10810010951u6eb17610xd10119615084917@mail.gmail.com>
Message-ID: <20081001172055.GB17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 07:51:01PM +0300, Nitzan Tzelniker wrote:
> We saw a similar problem and we solved it by doing etherchannel on the output interface.

Thanks. I have considered this, but I'm unhappy with this for a number of reasons - the biggest obstacle is that the next-hop device currently cannot do 2xGE port channeling. The other thing is that with the fairly low load on the switch, I don't really think going to a second GE port can be explained to those that have to pay for the costs of upgrading the other end... (we're below 60% load on the egress port).

gert

From rick.martin at arkansas.gov Wed Oct 1 10:44:02 2008
From: rick.martin at arkansas.gov (Rick Martin)
Date: Wed, 1 Oct 2008 09:44:02 -0500
Subject: [c-nsp] Cisco IOS firewall and Juniper WAN Optimization
Message-ID:

Has anybody been successful in implementing Juniper WXC in an all Cisco environment utilizing IOS firewall at the remote site?
We are in the evaluation process of various wan optimization appliances, have run Cisco's WAAS but did not really have success with them, we will give them another shot based on what we have learned with the Juniper.

The Juniper WXC will create a GRE tunnel from core appliance to remote appliance and send traffic that meets the optimization criteria down that tunnel; some of the non interesting traffic arrives at the campus router naturally - that is - not via the tunnel on the T1 interface (Serial 1/0.1). This effectively breaks the IOS firewall since some of the traffic originating beyond the core destined to the demo site LAN range is sent down the tunnel. The easy fix for that seems to be to apply the firewall ACL to the interface the Juniper WXC is connected to... if it were that simple I would not be posting this :)

We currently have the Juniper WXC on Ethernet 0/0.11 with the campus LAN on E0/0.10. We have tried both WCCP and PBR to direct traffic to the WXC. We have tested configuration of the IOS firewall IP Inspect statement on both the 0/0.11 and 0/0.10 interfaces. We have tried our outside ACL (inbound) on both the serial interface and the 0/0.11 interface. We have no trouble getting the optimization to function with either PBR or WCCP to redirect traffic from LAN interface to WXC, but we have not yet found the correct combination of IP Inspect and ACL application to keep the LAN protected from the outside.

The main problem appears to be with the stateful nature of the firewall (IP Inspect). It appears that the dynamic ACL is applied to either the Serial (WAN) interface or the WXC (0/0.11) interface but not both. If a flow originates on the LAN the IP inspect appears to open traffic on the serial interface; when it shows up on the WXC interface the ACL blocks it - if the ACL is not applied on the WXC interface the traffic flows as expected - but the LAN is unprotected.
Installing the WXC in line is not an option as all traffic would then bypass the IOS firewall rules. We also have an issue with NAT in this configuration.

Any ideas or suggestions would be greatly appreciated. Juniper seems to be stumped.

Thanks

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems

From William.Murphy at uth.tmc.edu Wed Oct 1 15:09:05 2008
From: William.Murphy at uth.tmc.edu (Murphy, William )
Date: Wed, 1 Oct 2008 14:09:05 -0500
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <1222845401.30603.14.camel@abehat>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <1222845401.30603.14.camel@abehat>
Message-ID: <164030B85F3A8B40B960817918CB021001A07FF8@UTHEVS4.mail.uthouston.edu>

I am saying that there is MPLS going on because "show platform hardware capacity pfc" is showing a lot of TCAM being consumed for MPLS. I tried the commands you mentioned and those commands are not even available in the CLI. I did "show ?" and mpls is not in there. According to Cisco MPLS is not supported under VSS, but perhaps something in the hardware or CEF is still allocating TCAM? Maybe someone from Cisco on this list will have the answer... Thanks for your help...

L3 Forwarding Resources
  FIB TCAM usage:                        Total       Used    %Used
    72 bits (IPv4, MPLS, EoM)           933888     810511      87%
   144 bits (IP mcast, IPv6)             57344          7       1%

  detail:      Protocol                    Used    %Used
               IPv4                      540371      58%
               MPLS                      270139      29%
               EoM                            1       1%
               IPv6                           1       1%
               IPv4 mcast                     3       1%
               IPv6 mcast                     3       1%

-----Original Message-----
From: Peter Rathlev [mailto:peter at rathlev.dk]
Sent: Wednesday, October 01, 2008 2:17 AM
To: Murphy, William
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco BGP Running on VRF?

Hi Bill,

On Tue, 2008-09-30 at 17:50 -0500, Murphy, William wrote:
> I have a Cat6506 VSS720-3C-XL switch on which I have configured BGP on
> a VRF using "address-family ipv4 unicast vrf internet".
> I am getting
> BGP routes and all appears well but I can only display BGP info by
> using "show ip bgp vpnv4 ..." commands. I didn't intend to run VPNV4
> and it appears the switch has ignored my address-family ipv4
> statement. Can someone explain what's going on here?

That command is _the_ way to show the VRF's BGP table. Remember that VRF comes from the MP-BGP world, and over there belongs under VPNv4. It's just syntax though, you don't run VPNv4 if you haven't configured the "address-family vpnv4".

> It also seems like the switch is creating MPLS labels for all my routes
> even though I didn't specifically configure any MPLS or tag switching
> commands. Any words of wisdom or advice would be appreciated...

Are you sure you don't have any MPLS related commands? On a "clean" switch I get:

R1# sh mpls ldp bin
TIB not enabled
R1#sh mpls for
Tag switching is not operational.
CEF or tag switching has not been enabled.
No TFIB currently allocated.
R1#

(This is SXD though, which was there. It might be different on newer software.)

If you have any MPLS command configured, the allocation is expected. The switch will always allocate labels for anything in the FIB, also if e.g. no interfaces are configured for MPLS. (That is unless you're lucky and can use Label Allocation Filtering, http://tinyurl.com/224kv8. On a 6500 you're not at the moment.)

Regards,
Peter

From William.Murphy at uth.tmc.edu Wed Oct 1 15:12:57 2008
From: William.Murphy at uth.tmc.edu (Murphy, William )
Date: Wed, 1 Oct 2008 14:12:57 -0500
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <20081001082842.GA17238@greenie.muc.de>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <20081001082842.GA17238@greenie.muc.de>
Message-ID: <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu>

Thanks Gert. I suspected that was the case.
I am probably displaying my VRF/MP-BGP ignorance here, but is there any technical reason Cisco could not allow you to run BGP in a VRF without doing VPNV4, similar to how you can run an IGP in a VRF?

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de]
Sent: Wednesday, October 01, 2008 3:29 AM
To: Murphy, William
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco BGP Running on VRF?

Hi,

On Tue, Sep 30, 2008 at 05:50:17PM -0500, Murphy, William wrote:
> I have a Cat6506 VSS720-3C-XL switch on which I have configured BGP on
> a VRF using "address-family ipv4 unicast vrf internet". I am getting
> BGP routes and all appears well but I can only display BGP info by
> using "show ip bgp vpnv4 ..." commands. I didn't intend to run VPNV4
> and it

Well, if you don't want VPNV4, then don't configure a VPNV4 address family - which you did by configuring "vrf internet". Non-VPNV4-BGP is configured in "address-family ipv4 unicast", without any "vrf" things tacked to it.

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From dentonj at gmail.com Wed Oct 1 15:30:45 2008
From: dentonj at gmail.com (Jeffrey Denton)
Date: Wed, 1 Oct 2008 21:30:45 +0200
Subject: [c-nsp] Cat 3750 StackMaster Selection considerations
In-Reply-To: <6e9dc1350810010844m51fc6084nddf330afb0dfe441@mail.gmail.com>
References: <6e9dc1350810010844m51fc6084nddf330afb0dfe441@mail.gmail.com>
Message-ID: <8ebbd7f50810011230m662c2531o7232d1312f3a2125@mail.gmail.com>

On Wed, Oct 1, 2008 at 5:44 PM, Michel Grossenbacher wrote:
> Hi all
> We're going to use the cat3750 stacks for the first time soon and I got a
> question regarding the StackMaster selection. It's not about how the
> StackMaster gets elected (that's clear enough from the guide); what I ask
> myself is how much sense does it make to define a StackMaster manually?
> What
> are the benefits for that besides knowing which switch is the master (nice to
> have but..)?
> All switches in a stack will run the same IOS version and also the same
> feature sets so there won't be any problems with not available EMI/SMI or
> crypto/noncrypto features. Besides the core stacks (1x12 port SFP, 1x24 Gig
> copper) all stacks consist of the same switch type.
> At the moment I don't see much benefit in setting a Stack Master, only added
> complexity.
> Am I missing something?

It's not complex. The only annoying part is having to reload the switches that are renumbered.

As to why, the big reason is troubleshooting 6 months or more down the line. Gi1/0/1 goes to the first port on the patch panel, etc. Instead of later trying to figure out which one is the master, what order the switches are numbered for each stack, and where a certain port is physically located on the stack.

From gert at greenie.muc.de Wed Oct 1 16:49:23 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 1 Oct 2008 22:49:23 +0200
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <20081001082842.GA17238@greenie.muc.de> <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu>
Message-ID: <20081001204923.GD17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 02:12:57PM -0500, Murphy, William wrote:
> Thanks Gert. I suspected that was the case. I am probably displaying
> my VRF/MP-BGP ignorance here, but is there any technical reason Cisco
> could not allow you to run BGP in a VRF without doing VPNV4 similar to
> how you can run an IGP in a VRF?

Well - IGP "in a VRF" is a separate process (or at least "something with its own tables etc"), with separate IGP neighbours for each VRF.
For BGP, you do not want to configure all your BGP neighbours for each individual VRF - so you configure BGP once, and transmit VRF info as VPNV4 address family infos. Which is usually used together with MPLS, so it's pretty closely tied together.

Of course it could have been implemented differently - but I'm not sure how much sense it would make, except for the very special case "no L3 VPN going on, except for one single VRF, called 'internet'".

gert
--
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Wed Oct 1 17:36:27 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Wed, 01 Oct 2008 23:36:27 +0200
Subject: [c-nsp] Cat 3750 StackMaster Selection considerations
In-Reply-To: <8ebbd7f50810011230m662c2531o7232d1312f3a2125@mail.gmail.com>
References: <6e9dc1350810010844m51fc6084nddf330afb0dfe441@mail.gmail.com> <8ebbd7f50810011230m662c2531o7232d1312f3a2125@mail.gmail.com>
Message-ID: <1222896987.8453.13.camel@abehat>

On Wed, 2008-10-01 at 21:30 +0200, Jeffrey Denton wrote:
> On Wed, Oct 1, 2008 at 5:44 PM, wrote:
> > At the moment I don't see much benefit in setting a Stack Master, only
> > added complexity.
> > Am I missing something?
>
> It's not complex. The only annoying part is having to reload the
> switches that are renumbered. As to why, the big reason is
> troubleshooting 6 months or more down the line. Gi1/0/1 goes to the
> first port on the patch panel, etc. Instead of later trying to figure
> out which one is the master, what order the switches are numbered for
> each stack, and where a certain port is physically located on the
> stack.

Explicitly selecting a master and having sane numbering isn't always the same.
We always try to make sure that switch 1 is the topmost, switch 2 just below, et cetera, but we don't care which switch is the master. We just let the stack decide. Haven't had any problems with that yet. :-)

Regards,
Peter

From achatz at forthnet.gr Wed Oct 1 17:37:22 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Thu, 02 Oct 2008 00:37:22 +0300
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?
In-Reply-To:
References:
Message-ID: <48E3ED92.4020704@forthnet.gr>

We have many 7600s with RSP720/SUP720 running SRB3 and SRB4, but we haven't met this problem. We use this command on everything that supports it.
Do you have to enable compression of the configuration too?
Besides the error message generated, is there an issue with the saved config?

--
Tassos

Christian Bering wrote on 01/10/2008 10:08:
> Hi all,
>
> When trying to enable the "parser config cache" on a 7600 running SRB3
> software, we got struck by CSCsd45386 which TAC confirmed for us.
> However, at the time we were unable to get a confirmation on a fix in
> SRB4 (and/or SRC2). Does anyone know if this bug has indeed been fixed
> in SRB4/SRC2? There is no mention of it in the release notes.
>
> Thanks,
>

From bstiff at cisco.com Wed Oct 1 17:36:58 2008
From: bstiff at cisco.com (Brian Stiff (bstiff))
Date: Wed, 1 Oct 2008 14:36:58 -0700
Subject: [c-nsp] Cisco IOS firewall and Juniper WAN Optimization
In-Reply-To:
References:
Message-ID:

Hi Rick-

I reviewed enough of your mail to see that you understand the issues with interoperability between the WXC and IOS Firewall. There is a (somewhat) similar issue with interoperability between Cisco WAAS and IOS FW, but there's a fix in the Zone Firewall (specific releases; I can provide details if necessary) for WAAS interop with IOS FW.

Long story short, there's nothing you can do to make this work if you inspect the traffic that gets handled by the WAN optimizer.
Your observation is correct that the issue's basis is in the firewall's expectations for state behavior. There's no way to circumvent the IOS Firewall state machine (without disabling IOS Firewall); thus, there's no workaround. There is no plan for a functional change to address this issue, but the notion sounds intriguing.

Regards,
Brian

Brian Stiff
720.562.6462
IOS Firewall Technical Marketing Eng.
Security Technology Group
http://www.cisco.com/go/iosfw

Date: Wed, 1 Oct 2008 09:44:02 -0500
From: "Rick Martin"
Subject: [c-nsp] Cisco IOS firewall and Juniper WAN Optimization
To:
Message-ID:
Content-Type: text/plain; charset="us-ascii"

Has anybody been successful in implementing Juniper WXC in an all-Cisco environment utilizing IOS firewall at the remote site?

We are in the evaluation process of various WAN optimization appliances. We have run Cisco's WAAS but did not really have success with them; we will give them another shot based on what we have learned with the Juniper.

The Juniper WXC will create a GRE tunnel from the core appliance to the remote appliance and send traffic that meets the optimization criteria down that tunnel. Some of the non-interesting traffic arrives at the campus router naturally - that is, not via the tunnel - on the T1 interface (Serial 1/0.1). This effectively breaks the IOS firewall since some of the traffic originating beyond the core destined to the demo site LAN range is sent down the tunnel. The easy fix for that seems to be to apply the firewall ACL to the interface the Juniper WXC is connected to... if it were that simple I would not be logging this post :-)

We currently have the Juniper WXC on Ethernet 0/0.11 with the campus LAN on E0/0.10. We have tried both WCCP and PBR to direct traffic to the WXC. We have tested configuration of the IOS firewall IP Inspect statement on both the 0/0.11 and 0/0.10 interfaces. We have tried our outside ACL (inbound) on both the serial interface and the 0/0.11 interface.
We have no trouble getting the optimization to function with either PBR or WCCP to redirect traffic from the LAN interface to the WXC, but we have not yet found the correct combination of IP Inspect and ACL application to keep the LAN protected from the outside.

The main problem appears to be with the stateful nature of the firewall (IP Inspect). It appears that the dynamic ACL is applied to either the Serial (WAN) interface or the WXC (0/0.11) interface but not both. If a flow originates on the LAN, IP Inspect appears to open traffic on the serial interface; when it shows up on the WXC interface the ACL blocks it. If the ACL is not applied on the WXC interface the traffic flows as expected - but the LAN is unprotected.

Installing the WXC in line is not an option as all traffic would then bypass the IOS firewall rules. We also have an issue with NAT in this configuration.

Any ideas or suggestions would be greatly appreciated. Juniper seems to be stumped.

Thanks

Rick Martin
Network Engineer
State of Arkansas, Department of Information Systems

From dean at eatworms.org.uk Wed Oct 1 16:52:48 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Wed, 1 Oct 2008 21:52:48 +0100
Subject: [c-nsp] BGP Scaling
Message-ID: <000001c92407$a9d8f9b0$fd8aed10$@org.uk>

We're looking at ways of providing resilience to individual customer routers with multiple connections. Currently we use RIP, which has worked well in the past, but we're now concentrating more connections onto aggregator routers and testing has shown that the RIP will limit that.... so we're considering other options.

Does anyone have experience of running large numbers of BGP peerings on 7200? (7201 or NPE-G1) I'm guessing it's a little soon for ASR figures.

Our stats show the average number of routes is small (default out, average 5 in) but we'd like to do that over 1000-2000 peerings. I'm guessing this might be typical in MPLS style environments etc.
Also, does anyone know if the BGP Dynamic Neighbor "bgp listen" feature that's in 12.2(33)SXH is coming to the 7200?

Thanks
Dean

From mailinglists at unix-scripts.com Wed Oct 1 19:03:41 2008
From: mailinglists at unix-scripts.com (Shaun R.)
Date: Wed, 1 Oct 2008 16:03:41 -0700
Subject: [c-nsp] ebgp and ibgp
Message-ID:

Until today I had the following... Two border routers (7206VXR) connected to a 3750 stack. The borders do iBGP with each other, and the borders and 3750s do OSPF. Here's a quick text network design I created. http://unix-scripts.com/network/design.txt

Today I brought on a new provider; since most of my traffic is directed out border1 I decided to add the provider to border2. Now I'm not sure if things are working right. If I do a `sh ip bgp 72.14.207.99` on border1 I see two paths: one path is out ProviderC on border2 and the other path is out ProviderA on border1. Now if I do the same thing on border2 I see 3 paths available: one out providerC on border2, one out providerB on border2, and the other out providerB on border2. All three of these paths are out border2... what happened to the paths out border1?

I'm not sure if maybe I have my iBGP configured wrong. If I do a sh ip bgp sum on border2 I see the border1 session but it only shows 71033 prefixes. If I do the same on border1 I see the border2 session and it shows 244993 prefixes.

Anybody give me an idea about what may be happening here... My understanding here is that if a packet comes into border1 and the better exit provider is connected to border2, border1 should send it to border2 and then out the provider, and vice versa.

~Shaun

From christian.macnevin at gmail.com Wed Oct 1 19:14:09 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 1 Oct 2008 16:14:09 -0700
Subject: [c-nsp] VRF RD/RT... your preferences?
In-Reply-To: <48DA5095.5090106@utc.edu>
References: <48DA5095.5090106@utc.edu>
Message-ID: <8E29882C-6482-48DD-ABA0-E9CD3EC00BF3@gmail.com>

For a long time I've preferred unique RDs per VRF per PE. The reason is that the Route Reflector operates as a standard BGP router and will make a single best path decision, then propagate that to all its clients. If there is a single RD per VRF per PE, however, then the RR stores each of these as an individual vpnv4 table, and forwards the whole lot to the clients. With this you're able to let each PE make its own best path decision and you can play with anycast (aka 'routing') in your network. You get faster convergence as the PEs are all aware of multiple paths, and if they lose an exit point on their own global table (i.e. a PE goes down) then they'll have potential backup routes already there to choose from rather than waiting for BGP to converge.

As for the RTs, I'd organise those based on your topology. Hub and spoke and full mesh are the two normal site-to-site paradigms, but most enterprise networks are (I believe) using overlaid multiregional hub and spoke service models which you can control with secondary sets of RTs if you want to - again - play with anycast for stuff like DNS redundancy. So anyway, uniqueness isn't as important, and should be based on customer/function.

All IMO obviously :)

On Sep 24, 2008, at 7:37 AM, Jeff Kell wrote:

The recent discussion of VRFs, RDs, RTs, VPNv4 labels, etc was interesting, and starting to sink in. I've been in the early stages of a VRF-lite deployment for some time. Admittedly, from a VRF-lite perspective, a lot of the configuration is essentially cut-and-paste, and most of the values you can just make up as you go along as long as you're consistent. I'm guilty as charged :-)

We have essentially one PE, multiple CEs, and no real MPLS going on anywhere; just VRF-lite and dot1q trunks/dedicated vlans to connect them together. However...
one never knows what the future holds, and if the current economic crisis doesn't get us all, we might actually have multiple PEs and/or real MPLS one of these days. If that happens, I would prefer not to have to renumber/relabel/etc everything in a fit of "If I had only known better..." musings under my breath.

With that said... what should REALLY be used for RDs / RTs? I'm currently using "ASN:vlan-id" for RTs; this identifies our ASN and the vlan ID used in the VRF-lite trunk mesh to carry the VRF into the CEs. I am using the same label for the RD at the moment, but I noticed in an earlier discussion that the RD should be unique across the net (where in my case it's common). Should the RD reference the router IP? The global VRF loopback, or an interface address within the VRF? If I get a request to run an MPLS link out to a new research station halfway across the country, will this numbering scheme fit into an MPLS carrier's scheme?

Jeff

_______________________________________________
cisco-nsp mailing list
cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From ddunkin at netos.net Wed Oct 1 19:14:57 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Wed, 1 Oct 2008 16:14:57 -0700
Subject: [c-nsp] ebgp and ibgp
References:
Message-ID: <56F5BC5F404CF84896C447397A1AAF20942ABF@MAIL.nosi.netos.com>

IBGP sends the best route to the other IBGP peers, not both. Border2 knows about the multiple routes itself, but only sends the one best path to Border1.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun R.
Sent: Wednesday, October 01, 2008 16:04
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ebgp and ibgp

Until today I had the following... Two border routers (7206VXR) connected to a 3750 stack. The borders do iBGP with each other, and the borders and 3750s do OSPF.
Here's a quick text network design I created. http://unix-scripts.com/network/design.txt

Today I brought on a new provider; since most of my traffic is directed out border1 I decided to add the provider to border2. Now I'm not sure if things are working right. If I do a `sh ip bgp 72.14.207.99` on border1 I see two paths: one path is out ProviderC on border2 and the other path is out ProviderA on border1. Now if I do the same thing on border2 I see 3 paths available: one out providerC on border2, one out providerB on border2, and the other out providerB on border2. All three of these paths are out border2... what happened to the paths out border1?

I'm not sure if maybe I have my iBGP configured wrong. If I do a sh ip bgp sum on border2 I see the border1 session but it only shows 71033 prefixes. If I do the same on border1 I see the border2 session and it shows 244993 prefixes.

Anybody give me an idea about what may be happening here... My understanding here is that if a packet comes into border1 and the better exit provider is connected to border2, border1 should send it to border2 and then out the provider, and vice versa.

~Shaun

From christian.macnevin at gmail.com Wed Oct 1 19:15:13 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 1 Oct 2008 16:15:13 -0700
Subject: [c-nsp] Best bet 65 IOS for mcast?
In-Reply-To: <48DA0AC6.9070400@imperial.ac.uk>
References: <48DA0AC6.9070400@imperial.ac.uk>
Message-ID:

Well, a bit of everything, and I'm going to push them into SSM migration. There'll probably still be SM in the network though. Are there any netflow improvements in SXH for mcast? I remember hearing top talkers was in there for unicast (?)
On Sep 24, 2008, at 2:39 AM, Phil Mayers wrote:

Christian MacNevin wrote:
> Hi
> Got a client running 33SXH1 in their network. Is SXF still the best
> bet for stable mcast? Or are there necessary widgets in SXH nowadays?

Routed or layer2? There are some enhancements in SXH (multicast router guard, IGMP join filtering) which are more relevant at layer2, but IIRC there's nothing especially compelling in SXH versus SXF (unless you need inter-AS MVPN)

From robert at tellurian.com Wed Oct 1 19:54:55 2008
From: robert at tellurian.com (Robert Boyle)
Date: Wed, 01 Oct 2008 19:54:55 -0400
Subject: [c-nsp] DS3 problem on PA-T3
In-Reply-To: <9418aca70810010856o2ba4a160w149b707041cdcf68@mail.gmail.com>
References: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com> <1222871511_521431@mail1.tellurian.net> <9418aca70810010856o2ba4a160w149b707041cdcf68@mail.gmail.com>
Message-ID: <1222905301_535397@mail1.tellurian.net>

At 11:56 AM 10/1/2008, Jay Nakamura wrote:
>It looks like Opti-3 have "Long" and "Short" options for LBO on the DS3
>interface. I am going to make sure Verizon set it to short since the coax
>is only about 15' long.

Even with short LBO, we still need the attenuators sometimes. Look for LCV errors.

>I don't have any attenuators handy to try that out. I did however, change
>the DSU mode to Kentrox and errors have gone away for the last hour. I
>didn't think that really mattered if you were doing full DS3.

It does matter. Verizon does have a lot of ADC/Kentrox DSUs connecting via HSSI to their old frame relay switches in their COs. Be careful of a nasty bug we found which will hang the router on boot if all of the following are true:

1. You have a PA-T3 or PA-2T3
2. You have dsu mode 2? (Kentrox mode, whatever that is - I don't have time to look at the config at the moment)
3. A T3 is connected (unplug the T3 RECV and it will boot fine)
4. You reboot (soft or hard)

The router will hang right after it lists the RAM during the POST.
The problem is with the microcode initialization for the DS3 chip when using Kentrox mode, and only if there is carrier detected. They finally fixed this, but it is late in the 12.3 train and I don't think they backported it to 12.2. This is a nasty surprise when you reboot the router at a remote POP at 3AM. Just test for this and if you have the bug, let me know and I'll track down the bug ID in my archives. This problem was reproducible on any 72XX router with any PA-T3 or PA-2T3(+) card.

-Robert

Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

From brad.henshaw at qcn.com.au Wed Oct 1 20:55:46 2008
From: brad.henshaw at qcn.com.au (Brad Henshaw)
Date: Thu, 2 Oct 2008 10:55:46 +1000
Subject: [c-nsp] C2960G and output drops
Message-ID: <8B25B862BC09784B9B74FB950D4F64D406C9F2@qcnapp01.corp.qcn>

Gert Doering wrote:
> Queue 3
> Weight 0 Frames 0
> Weight 1 Frames 0
> Weight 2 Frames 3505735486
>
> ... so that basically tells me what I was assuming - "all packets go
> into the same queue (no QoS marking going on here, all packets are
> important), and some of them get dropped".
>
> I'm not really sure how to start from here towards "*why* is it dropping the packets"?

I've gone through this grief before, and microbursts + insufficient default buffer drop thresholds were the theory of the day - adjusting the thresholds resolved the problem after TAC spent many weeks looking at the issue - but in our case, we /did/ have mls qos enabled. I have no idea how these switches manage buffer allocations when mls qos is disabled.

Existing queue-set parameters can be checked with 'show mls qos queue-set'. The buffers and drop threshold can be adjusted with 'mls qos queue-set output buffers' and 'mls qos queue-set output threshold'.
Obviously it's quite possible these won't do anything unless mls qos is enabled, so a workaround might be to fiddle with these in the lab (with mls qos enabled and disabled) to see if you can reproduce and resolve the problem. We had to increase the drop thresholds for the affected queue from 50 to 400.

Note the queue numbers in these commands are offset by one compared to the 'show mls qos port-asic stat' output.

Then again maybe it's not microbursts and is something else entirely. Have fun with the TAC!

Regards,
Brad

From andrew at routeip.net Wed Oct 1 22:21:44 2008
From: andrew at routeip.net (Andy Yerofyeyev)
Date: Wed, 1 Oct 2008 22:21:44 -0400
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controller WS-C3750G-24WS-S25
Message-ID:

Hello,

We upgraded the 1252 to the lightweight version but the AP still won't register to the WS-C3750G-24WS-S25. Any advice? Some debug from the AP, and sh ver, below.

console messages on AP:

%DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.0.200.88, mask 255.255.255.0, hostname AP001f.cabd.b508
%CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
Translating "CISCO-LWAPP-CONTROLLER.domain.com"...domain server (213.130.0.1) [OK]
%LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DHCP
%LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
%LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.com
%LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DNS
%LWAPP-5-CHANGED: LWAPP changed state to JOIN
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
%LWAPP-5-CHANGED: LWAPP changed state to DOWN

sh ver from AP:

Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Fri 08-Feb-08 17:33 by prod_rel_team

ROM: Bootstrap program is C1250 boot loader
BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)

AP001f.cabd.b508 uptime is 0 minutes
System returned to ROM by power-on
System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"

This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to export at cisco.com.

cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
Processor board ID FTX12189109
PowerPC 8349 CPU at 533Mhz, revision number 0x0031
Last reset from power-on
LWAPP image version 3.0.51.0
1 Gigabit Ethernet interface
32K bytes of flash-simulated non-volatile configuration memory.
Base ethernet MAC Address: 00:1F:CA:BD:B5:08
Part Number : 73-10425-05
PCA Assembly Number : 800-27630-05
PCA Revision Number : A0
PCB Serial Number : FOC121704DG
Top Assembly Part Number : 800-29039-01
Top Assembly Serial Number : FTX12189109
Top Revision Number : A0
Product/Model Number : AIR-AP1252AG-A-K9

Configuration register is 0xF

--
Best Regards,
Andriy Yerofyeyev
CCIE #21607

From jason.koh at webvisions.com Wed Oct 1 22:41:06 2008
From: jason.koh at webvisions.com (Jason Koh)
Date: Thu, 2 Oct 2008 10:41:06 +0800
Subject: [c-nsp] Extremely slow performing show running-config
In-Reply-To:
Message-ID:

Hi all

Thanks for all the replies.

1) My total network consists of some 100 vlans. I don't think that's a lot, right?
2) parser cache can be configured on the router, but it doesn't seem to have any effect. It's still about 7-10 minutes long
3) After some investigation I found that show running-config interface is at its usual speed (i.e., instantaneous). Not sure why this one works.
4) What do you mean by switching back to non-modular IOS?

/Jason

-----Original Message-----
From: Eric Pedersen [mailto:eric.pedersen at sait.ca]
Sent: Tuesday, September 30, 2008 11:42 PM
To: cisco-nsp at puck.nether.net; Jason Koh
Subject: Re: [c-nsp] Extremely slow performing show running-config

We had a problem with really slow config access with modular IOS on sup720s. It took several minutes to do show running-config or write mem. I don't remember the version, but switching back to non-modular IOS fixed it.

Hi there

I have a strange problem with a pair of cat6509s. Both are connected to each other via OSPF and IBGP, with EBGP with my upstream providers. Whenever I use show running-config, it will pause for an extremely long time after the line "Building Configuration". It happens from either console or telnet sessions.
At first I thought it was a CPU or memory problem, but "show proc cpu" and "show proc mem" show nothing out of the ordinary (cpu less than 20% and memory with more than 256M free). Rebooting both machines doesn't solve the problem either.

After further investigation, I found out that the same problem occurs when I do the following as well.

1) copy running-config startup-config
2) write memory

Show startup-config does not have this problem.

From what I see, it looks like a problem with NVRAM. Also predictably, the session doing any of the 3 commands will lock the NVRAM, preventing other sessions from doing a show startup-config as well. Killing the session (clear line vty or clear line console) that is doing any of the 3 commands doesn't seem to kill the session at all.

It doesn't seem to be a hardware issue as both cat6509s display the same problem since early this month at the same time.

Any insights on this will be greatly appreciated. Thanks.

/Jason


From andrew at routeip.net Wed Oct 1 23:08:29 2008
From: andrew at routeip.net (Andy Yerofyeyev)
Date: Wed, 1 Oct 2008 23:08:29 -0400
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controller WS-C3750G-24WS-S25
In-Reply-To: <48E43774.1070208@technicelixir.com>
References: <48E43774.1070208@technicelixir.com>
Message-ID:

David, appreciate your response; below is the information I gathered from the controller. Debugging on the controller itself did NOT notice any warning about the AP; moreover the controller shows the AP as registered when the AP goes to reboot.

Any ideas where I can find information about interoperability between controllers and APs? I'm digging into cisco.com without any luck :(

ny-vts03-wifi(config-if)#do sh ver
Load for five secs: 4%/0%; one minute: 5%; five minutes: 5%
Time source is NTP, 23:04:51.846 EST Wed Oct 1 2008

Cisco IOS Software, C3750 Software (C3750-ADVIPSERVICESK9-M), Version 12.2(40)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 24-Aug-07 00:56 by myl
Image text-base: 0x00003000, data-base: 0x01700000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(25r)FZ2, RELEASE SOFTWARE (fc1)

ny-vts03-wifi uptime is 1 day, 6 hours, 10 minutes
System returned to ROM by power-on
System restarted at 16:54:09 EST Tue Sep 30 2008
System image file is "flash:/c3750-advipservicesk9-mz.122-40.SE.bin"

(Cisco Controller) >show sysinfo

Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 4.0.179.11
RTOS Version..................................... 4.0.179.11
Bootloader Version............................... 4.0.179.11
Build Type....................................... DATA + WPS
System Name...................................... ny-wifi01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.747
IP Address....................................... 10.0.200.3
System Up Time................................... 0 days 0 hrs 3 mins 4 secs
Configured Country............................... United States
Operating Environment............................ Commercial (0 to 40 C)
Internal Temp Alarm Limits....................... 0 to 65 C
Internal Temperature............................. +41 C
State of 802.11b Network......................... Enabled
State of 802.11a Network......................... Enabled
Number of WLANs.................................. 1
3rd Party Access Point Support................... Disabled
Number of Active Clients......................... 0
Burned-in MAC Address............................ 00:1B:53:63:DB:00
Crypto Accelerator 1............................. Absent
Crypto Accelerator 2............................. Absent
Power Supply 1...................................
Present, OK
Power Supply 2................................... Present, OK

(Cisco Controller) >show inventory

NAME: "Chassis" , DESCR: "Cisco Wireless Controller"
PID: WS-C3750G-24WS-S25, VID: V01, SN: FOC1117G01F

On Wed, Oct 1, 2008 at 10:52 PM, David Rose wrote:

> Andy,
>
> Which version of code do you have on your controller? Best guess is the
> code you are running on the controller doesn't support the 1252s.
>
> David
>
> Andy Yerofyeyev wrote:
> > Hello,
> >
> > We upgraded 1252 to lightweight version but AP still won't register to
> > WS-C3750G-24WS-S25. Any advice? Some debug from AP, and sh ver below
> >
> > console messages on AP:
> >
> > %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.0.200.88, mask 255.255.255.0, hostname AP001f.cabd.b508
> >
> > %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
> > Translating "CISCO-LWAPP-CONTROLLER.domain.com"...domain server (213.130.0.1)
> > [OK]
> >
> > %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DHCP
> > %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
> > %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.com
> > %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DNS
> > %LWAPP-5-CHANGED: LWAPP changed state to JOIN
> > %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
> > %LWAPP-5-CHANGED: LWAPP changed state to DOWN
> >
> > sh ver from AP:
> >
> > Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
> > Technical Support: http://www.cisco.com/techsupport
> > Copyright (c) 1986-2008 by Cisco Systems, Inc.
> > Compiled Fri 08-Feb-08 17:33 by prod_rel_team
> >
> > ROM: Bootstrap program is C1250 boot loader
> > BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
> >
> > AP001f.cabd.b508 uptime is 0 minutes
> > System returned to ROM by power-on
> > System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"
> >
> > This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
> >
> > A summary of U.S. laws governing Cisco cryptographic products may be found at:
> > http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
> >
> > If you require further assistance please contact us by sending email to export at cisco.com.
> >
> > cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
> > Processor board ID FTX12189109
> > PowerPC 8349 CPU at 533Mhz, revision number 0x0031
> > Last reset from power-on
> > LWAPP image version 3.0.51.0
> > 1 Gigabit Ethernet interface
> >
> > 32K bytes of flash-simulated non-volatile configuration memory.
> > Base ethernet MAC Address: 00:1F:CA:BD:B5:08
> > Part Number : 73-10425-05
> > PCA Assembly Number : 800-27630-05
> > PCA Revision Number : A0
> > PCB Serial Number : FOC121704DG
> > Top Assembly Part Number : 800-29039-01
> > Top Assembly Serial Number : FTX12189109
> > Top Revision Number : A0
> > Product/Model Number : AIR-AP1252AG-A-K9
> >
> > Configuration register is 0xF

--
Best Regards,

Andriy Yerofyeyev CCIE #21607


From ben.steele at internode.on.net Wed Oct 1 23:35:31 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Thu, 2 Oct 2008 13:05:31 +0930
Subject: [c-nsp] netflow issues on WS-F6700-DFC3CXL - 7600
Message-ID: <008b01c9243f$ec307cb0$c4917610$@steele@internode.on.net>

I have already lodged a TAC for this (actually on my second TAC for the same issue) but I thought I'd throw it out here to see if anyone else has seen this, as it has me perplexed at the moment.

Problem: Netflow collector stops receiving flows from DFC on 7609-S but continues to receive flows from RSP; an identical router with the same hardware and code has no problems exporting netflow via DFC and RSP, all is well on that chassis.

Have tried software upgrade from SRB2 to SRB3, problem still existed. Moved 10Gb int onto non-DFC line card to let RSP process netflow and it was no problem, pump out netflow all day long; move onto DFC and you get netflow for about 7-10 hours (well, it was done at very early hours each time and then would die as the traffic built up in the morning), then it stops exporting flows for the DFC only.

Weird thing is a sh mls netflow ip mod 1 (module where DFC is) is full of flows, and the table-contention info is showing it as creating netflows and not having failures; TCAM utilization is nice and low at around 7-10%. I did change mls aging timers to get this but that had no effect on netflow, it was more because I was hitting TCAM limits on the RSP.
When the DFC failed exporting again this morning (around 10am), after I powered down the line card and brought it back up at 1am, I checked the pps going out the dedicated netflow collector interface. I then turned off "ip flow ingress" on the DFC interface and didn't see a change in that interface's output, which is leading me to believe that it is indeed not making it out of the router despite the router thinking all is well.

So as mentioned a software upgrade has occurred, and also an entire new line card was sent out via RMA from TAC (WS-X6704-10GE + DFC) and replaced, and we still have the same problem, yet I don't have the problem on an exact same model and basically same config sitting next to it. Idprom shows the hardware revision to be different on the DFCs between the 2 chassis, but the new RMA card was a different revision again and still has the same issue so...?

Any ideas?

Cheers

Ben


From mailing-list at technicelixir.com Wed Oct 1 22:52:36 2008
From: mailing-list at technicelixir.com (David Rose)
Date: Wed, 01 Oct 2008 21:52:36 -0500
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controller WS-C3750G-24WS-S25
In-Reply-To:
References:
Message-ID: <48E43774.1070208@technicelixir.com>

Andy,

Which version of code do you have on your controller? Best guess is the code you are running on the controller doesn't support the 1252s.

David

Andy Yerofyeyev wrote:
> Hello,
>
> We upgraded 1252 to lightweight version but AP still won't register to
> WS-C3750G-24WS-S25. Any advice? Some debug from AP, and sh ver below
>
> console messages on AP:
>
> %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.0.200.88, mask 255.255.255.0, hostname AP001f.cabd.b508
>
> %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
> Translating "CISCO-LWAPP-CONTROLLER.domain.com"...domain server (213.130.0.1)
> [OK]
>
> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DHCP
> %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
> %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.com
> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DNS
> %LWAPP-5-CHANGED: LWAPP changed state to JOIN
> %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
> %LWAPP-5-CHANGED: LWAPP changed state to DOWN
>
> sh ver from AP:
>
> Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> Compiled Fri 08-Feb-08 17:33 by prod_rel_team
>
> ROM: Bootstrap program is C1250 boot loader
> BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
>
> AP001f.cabd.b508 uptime is 0 minutes
> System returned to ROM by power-on
> System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"
>
> This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to export at cisco.com.
>
> cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
> Processor board ID FTX12189109
> PowerPC 8349 CPU at 533Mhz, revision number 0x0031
> Last reset from power-on
> LWAPP image version 3.0.51.0
> 1 Gigabit Ethernet interface
>
> 32K bytes of flash-simulated non-volatile configuration memory.
> Base ethernet MAC Address: 00:1F:CA:BD:B5:08
> Part Number : 73-10425-05
> PCA Assembly Number : 800-27630-05
> PCA Revision Number : A0
> PCB Serial Number : FOC121704DG
> Top Assembly Part Number : 800-29039-01
> Top Assembly Serial Number : FTX12189109
> Top Revision Number : A0
> Product/Model Number : AIR-AP1252AG-A-K9
>
> Configuration register is 0xF


From tvarriale at comcast.net Wed Oct 1 23:54:34 2008
From: tvarriale at comcast.net (Tony Varriale)
Date: Wed, 1 Oct 2008 22:54:34 -0500
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controllerWS-C3750G-24WS-S25
References:
Message-ID: <003601c92442$960a2ae0$0100fea9@flamadam>

Andy,

Look here:
%SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.

You should upgrade to 4.2 as 4.0 will not support that AP.

Try 4.2.130. Read the notes to go up to it. Also note that as you upgrade, if you have any APs registered they will upgrade themselves. So, plan appropriate downtime.

tv

----- Original Message -----
From: "Andy Yerofyeyev"
To:
Sent: Wednesday, October 01, 2008 9:21 PM
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controllerWS-C3750G-24WS-S25

> Hello,
>
> We upgraded 1252 to lightweight version but AP still won't register to
> WS-C3750G-24WS-S25. Any advice?
> Some debug from AP, and sh ver below
>
> console messages on AP:
>
> %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.0.200.88, mask 255.255.255.0, hostname AP001f.cabd.b508
>
> %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
> Translating "CISCO-LWAPP-CONTROLLER.domain.com"...domain server (213.130.0.1)
> [OK]
>
> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DHCP
> %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
> %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.com
> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DNS
> %LWAPP-5-CHANGED: LWAPP changed state to JOIN
> %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
> %LWAPP-5-CHANGED: LWAPP changed state to DOWN
>
> sh ver from AP:
>
> Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
> Technical Support: http://www.cisco.com/techsupport
> Copyright (c) 1986-2008 by Cisco Systems, Inc.
> Compiled Fri 08-Feb-08 17:33 by prod_rel_team
>
> ROM: Bootstrap program is C1250 boot loader
> BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
>
> AP001f.cabd.b508 uptime is 0 minutes
> System returned to ROM by power-on
> System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"
>
> This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
>
> A summary of U.S. laws governing Cisco cryptographic products may be found at:
> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>
> If you require further assistance please contact us by sending email to export at cisco.com.
>
> cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
> Processor board ID FTX12189109
> PowerPC 8349 CPU at 533Mhz, revision number 0x0031
> Last reset from power-on
> LWAPP image version 3.0.51.0
> 1 Gigabit Ethernet interface
>
> 32K bytes of flash-simulated non-volatile configuration memory.
> Base ethernet MAC Address: 00:1F:CA:BD:B5:08
> Part Number : 73-10425-05
> PCA Assembly Number : 800-27630-05
> PCA Revision Number : A0
> PCB Serial Number : FOC121704DG
> Top Assembly Part Number : 800-29039-01
> Top Assembly Serial Number : FTX12189109
> Top Revision Number : A0
> Product/Model Number : AIR-AP1252AG-A-K9
>
> Configuration register is 0xF
>
> --
> Best Regards,
>
> Andriy Yerofyeyev CCIE #21607
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From CB at nianet.dk Thu Oct 2 00:52:55 2008
From: CB at nianet.dk (Christian Bering)
Date: Thu, 2 Oct 2008 06:52:55 +0200
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?
References: <48E3ED92.4020704@forthnet.gr>
Message-ID:

Hi Tassos,

> We have many 7600 with RSP720/SUP720 running SRB3 and SRB4,
> but we haven't met this problem. We use this command on
> everything that supports it.

Hmm, interesting. I may have to enable it again to test. Thanks.

> Do you have to enable compression of the configuration too?

I don't know ... we haven't.

> Besides the error message generated, is there an issue with
> the saved config?

I didn't leave the command in long enough to find out, tbh.
The message looked bad so I disabled it.

--
Regards
Christian Bering


From andrew at routeip.net Thu Oct 2 02:03:54 2008
From: andrew at routeip.net (Andy Yerofyeyev)
Date: Thu, 2 Oct 2008 02:03:54 -0400
Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controllerWS-C3750G-24WS-S25
In-Reply-To: <003601c92442$960a2ae0$0100fea9@flamadam>
References: <003601c92442$960a2ae0$0100fea9@flamadam>
Message-ID:

Tony, thanks, upgrading to 4.2.130.0 fixed the problem.

On Wed, Oct 1, 2008 at 11:54 PM, Tony Varriale wrote:

> Andy,
>
> Look here:
> %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
>
> You should upgrade to 4.2 as 4.0 will not support that AP.
>
> Try 4.2.130. Read the notes to go up to it. Also note that as you
> upgrade, if you have any APs registered they will upgrade themselves. So,
> plan appropriate downtime.
>
> tv
> ----- Original Message -----
> From: "Andy Yerofyeyev"
> To:
> Sent: Wednesday, October 01, 2008 9:21 PM
> Subject: [c-nsp] AIR-AP1252AG-A-K9 wont work with controllerWS-C3750G-24WS-S25
>
>> Hello,
>>
>> We upgraded 1252 to lightweight version but AP still won't register to
>> WS-C3750G-24WS-S25. Any advice? Some debug from AP, and sh ver below
>>
>> console messages on AP:
>>
>> %DHCP-6-ADDRESS_ASSIGN: Interface GigabitEthernet0 assigned DHCP address 10.0.200.88, mask 255.255.255.0, hostname AP001f.cabd.b508
>>
>> %CDP_PD-4-POWER_OK: Full power - NEGOTIATED inline power source
>> Translating "CISCO-LWAPP-CONTROLLER.domain.com"...domain server (213.130.0.1)
>> [OK]
>>
>> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DHCP
>> %LWAPP-3-CLIENTEVENTLOG: Did not get log server settings from DHCP.
>> %LWAPP-3-CLIENTEVENTLOG: Performing DNS resolution for CISCO-LWAPP-CONTROLLER.domain.com
>> %LWAPP-3-CLIENTEVENTLOG: Controller address 10.0.200.3 obtained through DNS
>> %LWAPP-5-CHANGED: LWAPP changed state to JOIN
>> %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: INCOMPATIBLE CONTROLLER VERSION.
>> %LWAPP-5-CHANGED: LWAPP changed state to DOWN
>>
>> sh ver from AP:
>>
>> Cisco IOS Software, C1250 Software (C1250-RCVK9W8-M), Version 12.4(13d)JA, RELEASE SOFTWARE (fc2)
>> Technical Support: http://www.cisco.com/techsupport
>> Copyright (c) 1986-2008 by Cisco Systems, Inc.
>> Compiled Fri 08-Feb-08 17:33 by prod_rel_team
>>
>> ROM: Bootstrap program is C1250 boot loader
>> BOOTLDR: C1250 Boot Loader (C1250-BOOT-M) Version 12.4(10b)JA, RELEASE SOFTWARE (fc2)
>>
>> AP001f.cabd.b508 uptime is 0 minutes
>> System returned to ROM by power-on
>> System image file is "flash:/c1250-rcvk9w8-mx/c1250-rcvk9w8-mx"
>>
>> This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
>>
>> A summary of U.S. laws governing Cisco cryptographic products may be found at:
>> http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
>>
>> If you require further assistance please contact us by sending email to export at cisco.com.
>>
>> cisco AIR-AP1252AG-A-K9 (PowerPC 8349) processor (revision A0) with 49142K/16384K bytes of memory.
>> Processor board ID FTX12189109
>> PowerPC 8349 CPU at 533Mhz, revision number 0x0031
>> Last reset from power-on
>> LWAPP image version 3.0.51.0
>> 1 Gigabit Ethernet interface
>>
>> 32K bytes of flash-simulated non-volatile configuration memory.
>> Base ethernet MAC Address: 00:1F:CA:BD:B5:08
>> Part Number : 73-10425-05
>> PCA Assembly Number : 800-27630-05
>> PCA Revision Number : A0
>> PCB Serial Number : FOC121704DG
>> Top Assembly Part Number : 800-29039-01
>> Top Assembly Serial Number : FTX12189109
>> Top Revision Number : A0
>> Product/Model Number : AIR-AP1252AG-A-K9
>>
>> Configuration register is 0xF
>>
>> --
>> Best Regards,
>>
>> Andriy Yerofyeyev CCIE #21607
>

--
Best Regards,

Andriy Yerofyeyev CCIE #21607


From avayner at cisco.com Thu Oct 2 03:09:28 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 2 Oct 2008 09:09:28 +0200
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?
In-Reply-To:
References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501EEB540@xmb-ams-331.emea.cisco.com>

Christian,

Just checked and I can see that SRB4 does not have the fix yet, but SRC2 does have it. I would assume that SRB5 will have the fix as the fix has been integrated in that code base.

If you need an urgent fix SRC2 could be it...

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Bering
Sent: Wednesday, October 01, 2008 10:09 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?

Hi all,

When trying to enable the "parser config cache" on a 7600 running SRB3 software, we got struck by CSCsd45386 which TAC confirmed for us.
However, at the time we were unable to get a confirmation on a fix in SRB4 (and/or SRC2). Does anyone know if this bug has indeed been fixed in SRB4/SRC2? There is no mention of it in the release notes.

Thanks,

--
Regards
Christian Bering


From gert at greenie.muc.de Thu Oct 2 03:50:34 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 2 Oct 2008 09:50:34 +0200
Subject: [c-nsp] C2960G and output drops
In-Reply-To: <8598977CC92EF44D8A167BB11C5ADB44B0A7C3@SERVER01.winitu.local>
References: <20081001171627.GA17238@greenie.muc.de> <8598977CC92EF44D8A167BB11C5ADB44B0A7C3@SERVER01.winitu.local>
Message-ID: <20081002075033.GF17238@greenie.muc.de>

Hi,

On Wed, Oct 01, 2008 at 10:46:18PM +0200, Hans Verkerk wrote:
> I faced similar problems on 3750 platform and also resolved it with
> etherchannels (under time pressure). I took some time reading QoS
> details of 3750 platform, but did not take time to test in real world.

OK, I've done quite some testing, tuning "to the extreme"...

Queueset: 1
Queue     :       1       2       3       4
----------------------------------------------
buffers   :       1       5      93       1
threshold1:     100     200    1600     100
threshold2:     100     200    2400     100
reserved  :      50      50      90      50
maximum   :     400     400    3200     400

(and all traffic is mapped to queue 3).

> *** Maybe *** your problems are caused due to lack of Tx queue buffers.
> By default all buffers are equally shared over all four Tx queues:

It definitely looks like it - by tuning the buffers, I can change the drop rate between "too high" and "catastrophic".

Without mls qos, it seems to just give the port *all* the buffers, with no fancy "take away a few buffers for this and that" schemes going on - so the drop rate is actually lowest if I turn *off* mls qos...

As a next test, I'll try to move around machines between port ASICs - maybe things improve if ingress and egress ports are (not) on the same ASIC. We'll see.

gert
--
USENET is *not* the non-clickable part of WWW!                    //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de


From mtinka at globaltransit.net Thu Oct 2 03:30:38 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 2 Oct 2008 15:30:38 +0800
Subject: [c-nsp] ebgp and ibgp
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20942ABF@MAIL.nosi.netos.com>
References: <56F5BC5F404CF84896C447397A1AAF20942ABF@MAIL.nosi.netos.com>
Message-ID: <200810021530.42896.mtinka@globaltransit.net>

On Thursday 02 October 2008 07:14:57 Darryl Dunkin wrote:

> IBGP sends the best route to the other IBGP peers, not
> both. Border2 knows about the multiple routes itself, but
> only sends the one best path to Border1.

Just to add, we generally wouldn't prefer such a deployment, because packets could unpredictably bounce between border routers before they figure out which is the best path off-net.

What we do (and if it doesn't cost you extra, I'd recommend you do) is make sure eBGP routes learned by one border router aren't learned by another. These eBGP routes should only be learned by your edge routers, to which your customers attach.

This way, your edge routers (or a route reflector, if you have one), would install the best path, and traffic destined toward a particular border router will surely exit that border router to the Internet.

Cheers,

Mark.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
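The queue-set table Gert Doering posted earlier in this section (his reply to Hans Verkerk in the "C2960G and output drops" thread) is the output of "show mls qos queue-set". For readers who want to reproduce that tuning, the Catalyst 3750 configuration below yields exactly those values and steers all traffic into queue 3. It is an added example by the editor, not configuration from Gert's message: the buffer and threshold numbers are taken from his table, while queue-set 1 being the one applied and the interface name GigabitEthernet1/0/1 are assumptions.

```cisco
! Added example (editor's, not from the original thread): Catalyst 3750
! egress queue-set tuning that produces the table Gert posted. The
! numbers come from his table; GigabitEthernet1/0/1 is an assumed port.
mls qos
!
! buffers <q1> <q2> <q3> <q4>: share of the port's buffer pool per queue
mls qos queue-set output 1 buffers 1 5 93 1
!
! threshold <queue> <drop-thr1> <drop-thr2> <reserved> <maximum>
! (reserved = guaranteed share of the queue's own allocation,
!  maximum  = how far the queue may borrow from the common pool)
mls qos queue-set output 1 threshold 1 100 100 50 400
mls qos queue-set output 1 threshold 2 200 200 50 400
mls qos queue-set output 1 threshold 3 1600 2400 90 3200
mls qos queue-set output 1 threshold 4 100 100 50 400
!
! Map every CoS and DSCP value to queue 3 / threshold 3, so queues 1, 2
! and 4 only ever hold their 1 and 5 percent reserves. With mls qos on
! and no "mls qos trust" on ingress the switch rewrites markings to 0,
! so the "0" entry is the one that matters on untrusted ports; the full
! map covers ports that do trust CoS or DSCP.
mls qos srr-queue output cos-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 3 threshold 3 0 1 2 3 4 5 6 7
mls qos srr-queue output dscp-map queue 3 threshold 3 8 9 10 11 12 13 14 15
mls qos srr-queue output dscp-map queue 3 threshold 3 16 17 18 19 20 21 22 23
mls qos srr-queue output dscp-map queue 3 threshold 3 24 25 26 27 28 29 30 31
mls qos srr-queue output dscp-map queue 3 threshold 3 32 33 34 35 36 37 38 39
mls qos srr-queue output dscp-map queue 3 threshold 3 40 41 42 43 44 45 46 47
mls qos srr-queue output dscp-map queue 3 threshold 3 48 49 50 51 52 53 54 55
mls qos srr-queue output dscp-map queue 3 threshold 3 56 57 58 59 60 61 62 63
!
interface GigabitEthernet1/0/1
 ! queue-set 1 is the default; stated explicitly so the intent is visible
 queue-set 1
!
! Verification:
!   show mls qos queue-set 1
!   show mls qos interface GigabitEthernet1/0/1 statistics
!   show interfaces GigabitEthernet1/0/1 | include output drops
```

Tuning can only redistribute a fixed per-ASIC pool, which is why Gert saw the drop rate move between "too high" and "catastrophic" rather than disappear, and why "no mls qos" (a single egress queue with the whole pool) gave him the lowest drops. Before and after applying a queue-set, compare the output-drop counters from the two show commands above over the same traffic window, with and without mls qos, so that the change is measured rather than assumed.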
From pashtuk at gmail.com Thu Oct 2 04:32:56 2008
From: pashtuk at gmail.com (Michel Grossenbacher)
Date: Thu, 2 Oct 2008 10:32:56 +0200
Subject: [c-nsp] Cat 3750 StackMaster Selection considerations
In-Reply-To: <1222896987.8453.13.camel@abehat>
References: <6e9dc1350810010844m51fc6084nddf330afb0dfe441@mail.gmail.com> <8ebbd7f50810011230m662c2531o7232d1312f3a2125@mail.gmail.com> <1222896987.8453.13.camel@abehat>
Message-ID: <6e9dc1350810020132h1aeb4e8m7ba21bfce6565eb8@mail.gmail.com>

Thanks guys for your answers.

What Peter wrote is actually what I was thinking about; having a sane numbering is more important than knowing which switch is the master. I don't see any benefit in selecting a Stack Master manually in our environment since we have the same feature sets on every switch.

Complex was probably the wrong word for it, but having to care about the stack master being booted within the 20sec time frame for the election, and otherwise having to reboot the "new" stack master, is nothing I really want to care about.

Thank you again

best regards
Michel

2008/10/1 Peter Rathlev

> On Wed, 2008-10-01 at 21:30 +0200, Jeffrey Denton wrote:
> > On Wed, Oct 1, 2008 at 5:44 PM, wrote:
> > > At the moment I don't see much benefit in setting a Stack Master, only
> > > added complexity.
> > > Am I missing something?
> >
> > It's not complex. The only annoying part is having to reload the
> > switches that are renumbered. As to why, the big reason is
> > troubleshooting 6 months or more down the line. Gi1/0/1 goes to the
> > first port on the patch panel, etc. Instead of later trying to figure
> > out which one is the master, what order the switches are numbered for
> > each stack, and where a certain port is physically located on the
> > stack.
>
> Explicitly selecting a master and having sane numbering isn't always
> the same. We always try to make sure that switch 1 is the top most,
> switch 2 just below et cetera, but we don't care which switch is the
> master. We just let the stack decide. Haven't had any problems with that
> yet. :-)
>
> Regards,
> Peter


From Bagosi.Romeo at iqsys.hu Thu Oct 2 04:38:58 2008
From: Bagosi.Romeo at iqsys.hu (Bagosi Róméó)
Date: Thu, 2 Oct 2008 10:38:58 +0200
Subject: [c-nsp] Forcing VLAN interface to UP state
In-Reply-To: <4fbc00576429a1743de08c0d37bc91a2.squirrel@webmail.pelican.org>
Message-ID: <085C022C25FF9C4EBCF76712A2588DCB01024748@X-SPIRIT.integris.hu>

Thank you all! The no autostate command on the vlan interface helped our problem.

Best Regards,
Romeo B.

-----Original Message-----
From: Tim Franklin [mailto:tim at pelican.org]
Sent: Wednesday, October 01, 2008 3:54 PM
To: Bagosi Róméó
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Forcing VLAN interface to UP state

On Wed, October 1, 2008 2:02 pm, Bagosi Róméó wrote:
> Is there a way to force a VLAN interface (ex.: interface vlan 400) to
> UP/UP state on a Cisco UC520 (router, switch...), WITHOUT connecting a
> device to a port which is in the mentioned VLAN?

'no autostate' on the vlan interface works for 87x. No idea if that's valid or not for the UC520, sorry.

Regards,
Tim.


From tim at pelican.org Thu Oct 2 04:42:00 2008
From: tim at pelican.org (Tim Franklin)
Date: Thu, 2 Oct 2008 09:42:00 +0100 (BST)
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <20081001082842.GA17238@greenie.muc.de> <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu>
Message-ID: <2ee90d14e5c9d544f56ccc4bae6213f7.squirrel@webmail.pelican.org>

On Wed, October 1, 2008 8:12 pm, Murphy, William wrote:
> Thanks Gert. I suspected that was the case. I am probably displaying
> my VRF/MP-BGP ignorance here, but is there any technical reason Cisco
> could not allow you to run BGP in a VRF without doing VPNV4 similar to
> how you can run an IGP in a VRF?
Am I missing part of the question here? You can run BGP fine in an addresses family - I do this all the time for vrf-lite on CEs with a session to the PE in each VRF for each VPN. I think it still creates the vpnv4 address family, but you don't have to configure any peers in it. The commands are slightly confusing in this instance though, it *is* still 'show ip bgp vpnv4 vrf ...' to show the bgp table for the VRF, even though you're not using the VPNV4 session. Regards, Tim. From rens at autempspourmoi.be Thu Oct 2 05:27:40 2008 From: rens at autempspourmoi.be (Rens) Date: Thu, 2 Oct 2008 11:27:40 +0200 Subject: [c-nsp] Transparent LAN over Layer3 In-Reply-To: <003401c923ba$3eda1a60$bc8e4f20$@org> References: <000301c92357$910bdb10$b3239130$@org><000b01c9236c$52af7380$f80e5a80$@org><1222828735_506897@mail1.tellurian.net> <003401c923ba$3eda1a60$bc8e4f20$@org> Message-ID: <9AF83BBF4EF1445FB7DA56A780B95D65@EU.corp.clearwire.com> Hi, I'm also looking into using L2TPv3 But I'm looking for a small cheap router that would support this. I guess with either FastE mtu configurable or with GigE ports to avoid fragmentation? Thanks -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart Sent: mercredi 1 octobre 2008 13:39 To: 'John van Oppen'; 'Robert Boyle'; 'Michael K. Smith'; 'cisco-nsp' Subject: Re: [c-nsp] Transparent LAN over Layer3 Thanks guys... I hadn't head much about l2tpv3 "in the wild" from actual users.... good to hear from folks actually using it a lot - that makes it easier for me to make some decisions... Best regards, thanks to everyone for onlist and offlist replies... Paul -----Original Message----- From: John van Oppen [mailto:john at vanoppen.com] Sent: October 1, 2008 4:07 AM To: Robert Boyle; Paul Stewart; Michael K. Smith; cisco-nsp Subject: RE: [c-nsp] Transparent LAN over Layer3 I would second that as well. We use l2tpv3 all over the place, with Ethernet. 
We mostly do it with 7200VXRs as endpoints but I have a few 12000s running with OC48s as "tunnel server cards" and those work nicely as well and it is a quite elegant solution when MPLS is not possible or only rather simple transport functionality is required. John van Oppen Spectrum Networks LLC 206.973.8302 (Direct) 206.973.8300 (main office) -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Robert Boyle Sent: Tuesday, September 30, 2008 7:39 PM To: Paul Stewart; 'Michael K. Smith'; 'cisco-nsp' Subject: Re: [c-nsp] Transparent LAN over Layer3 At 10:20 PM 9/30/2008, Paul Stewart wrote: >Yes, we own the end to end network however it's a routed network in those >segments... >router-->router-->router-->switch-->switch-->router-->router-->router-- >rout >er specifically...;) > >If we could hand them off a few VLAN's we would just do that and not even >use Q-in-Q unless we really needed to... but basically I'm looking for >layer2 transport via layer3 devices... and there's no option for MPLS in >this setup... Take a look at L2TPv3. We use it for all kinds of crazy transport here. Taking a T1 from one city and one carrier and delivering it to a customer in our datacenter, handing ATM PVCs off from one router to another ATM PVC on another router 100 miles away. We haven't used it for Ethernet, but that sure seems a lot less complicated than the things we are doing. Anything you put in on one side is transparently trunked to the other side. It works great and gives you many of the benefits of MPLS without the need to have a network which supports MPLS end to end. It is especially useful for small POPs and locations with older gear. -Robert Tellurian Networks - Global Hosting Solutions Since 1995 http://www.tellurian.com | 888-TELLURIAN | 973-300-9211 "Well done is better than well said." 
- Benjamin Franklin

_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From sirdexxa at gmail.com Thu Oct 2 05:40:29 2008
From: sirdexxa at gmail.com (Stephan Lochner)
Date: Thu, 2 Oct 2008 11:40:29 +0200
Subject: [c-nsp] problem with serial number on cisco 7200 routers / maintenance contract
Message-ID: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>

Hi Group,

we have a problem with our 7200 series router. We have a supplier that handles our maintenance contracts. We now want to put some more devices into maintenance.

Normally we use the "sh ver" command and get the serial number. But the 7200 series router provides a serial number (I assume of the mainboard) which is not the one printed on the back of the router. Our problem is now that our maintenance supplier is not able to take the devices into maintenance with this serial.

Is there another way to read the serial number remotely?

regards

Stephan

From asadh at comcast.net Thu Oct 2 06:01:09 2008
From: asadh at comcast.net (Asad)
Date: Thu, 2 Oct 2008 10:01:09 +0000
Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
In-Reply-To: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID: <1175437980-1222941635-cardhu_decombobulator_blackberry.rim.net-797777412-@bxe252.bisx.prod.on.blackberry>

You can try 'sh inventory raw' and see if the output has the serial which is printed on the back of the router. It works on most IOS devices.

Asad
Sent from my Verizon Wireless BlackBerry

From dgranzer at gmail.com Thu Oct 2 06:03:25 2008
From: dgranzer at gmail.com (David Granzer)
Date: Thu, 2 Oct 2008 12:03:25 +0200
Subject: [c-nsp] problem with serial number on cisco 7200 routers / maintenance contract
In-Reply-To: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID: <844ef89c0810020303r4187a4cbme4d68b92e2ea9050@mail.gmail.com>

Hello,

try sh inventory.

Regards,
David

From CB at nianet.dk Thu Oct 2 06:50:58 2008
From: CB at nianet.dk (Christian Bering)
Date: Thu, 2 Oct 2008 12:50:58 +0200
Subject: [c-nsp] CSCsd45386, "parser config cache" fixed in 12.2(33)SRB4?
References: <67F7C1FAF83A074AA3520D8F155782A501EEB540@xmb-ams-331.emea.cisco.com>
Message-ID:

Hi Arie,

>Just checked and I can see that SRB4 does not have the fix
>yet, but SRC2 does have it.

Excellent. Thanks a lot for looking into it for me.

--
Regards
Christian Bering

From ian.mackinnon at lumison.net Thu Oct 2 06:06:57 2008
From: ian.mackinnon at lumison.net (Ian MacKinnon)
Date: Thu, 02 Oct 2008 11:06:57 +0100
Subject: [c-nsp] problem with serial number on cisco 7200 routers / maintenance contract
In-Reply-To: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID: <48E49D41.6030309@lumison.net>

On 02/10/2008 10:40, Stephan Lochner wrote:
> Our problem is now that our maintenance supplier is not able to take the
> devices into maintenance with this serial.
> Is there another way to read the serial number from remote?

Is this a new device? I have seen problems in the past where it seemed manufacturing were not updating serial numbers back to Cisco to load into the maintenance apps. When I tried to register a Smartnet directly it would deny the serial number existed. This was for a 7200 in a remote pop, and even getting remote hands to read everything printed on the chassis didn't help, it was the same number. Eventually the serial number "just worked"; we had it escalated to Smartnet support (i.e. support for Smartnet, not TAC).

From christian at broknrobot.com Thu Oct 2 07:55:43 2008
From: christian at broknrobot.com (Christian Koch)
Date: Thu, 2 Oct 2008 07:55:43 -0400
Subject: [c-nsp] problem with serial number on cisco 7200 routers / maintenance contract
In-Reply-To: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID:

sh inventory will do it

sh snmp will also give you the chassis serial

From sheaujiun at gmail.com Thu Oct 2 08:43:19 2008
From: sheaujiun at gmail.com (sheaujiun)
Date: Thu, 2 Oct 2008 20:43:19 +0800
Subject: [c-nsp] Telco T5C multicast group
In-Reply-To: <2c9e35ed0810020538r63521f3cq2d4a7315aaa106c9@mail.gmail.com>
References: <2c9e35ed0810020538r63521f3cq2d4a7315aaa106c9@mail.gmail.com>
Message-ID: <2c9e35ed0810020543n4f4937c3v51b3cf24ccdae702@mail.gmail.com>

Hi,

I'm not sure if I am going to the right place to ask this question. I'd like to know whether there are sample test cases that show how to test the maximum number of multicast groups on T5 Compact 24G/24GT switches.

SJ

From csirek at cooler.hu Thu Oct 2 09:26:03 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Thu, 02 Oct 2008 15:26:03 +0200
Subject: [c-nsp] SA-VAM2+ usage problem?
In-Reply-To: <01N06OMOEJMI8XCCYC@aua.auc.dk>
References: <01N06OMOEJMI8XCCYC@aua.auc.dk>
Message-ID: <48E4CBEB.8050603@cooler.hu>

Hello,

> On my GRE/IPSEC tunnels i have
>
> ip mtu 1418
> ip tcp adjust-mss 1300

I configured these settings on my tunnel interface. And now:

30 second input rate 16350000 bits/sec, 12387 packets/sec
30 second output rate 229516000 bits/sec, 23053 packets/sec

234 Mbit/sec aggregated traffic with big packet size... wow :)

So the performance of a VAM2+ + 7201 is 35.000 packets/sec.
So thanks to everybody, this MTU tweak is big magic :)

Laszlo

From MatlockK at exempla.org Thu Oct 2 10:00:24 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Thu, 2 Oct 2008 08:00:24 -0600
Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
In-Reply-To:
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C7037AF869@LMC-MAIL2.exempla.org>

You can also get it via SNMP.

.1.3.6.1.4.1.9.3.6.3.0 = Chassis ID (defaults to the serial number of the chassis unless you've configured the 'snmp-server chassis-id' command).

Ken Matlock
Network Analyst
(303) 467-4671
matlockk at exempla.org

From William.Murphy at uth.tmc.edu Thu Oct 2 10:46:29 2008
From: William.Murphy at uth.tmc.edu (Murphy, William )
Date: Thu, 2 Oct 2008 09:46:29 -0500
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <2ee90d14e5c9d544f56ccc4bae6213f7.squirrel@webmail.pelican.org>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <20081001082842.GA17238@greenie.muc.de> <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu> <2ee90d14e5c9d544f56ccc4bae6213f7.squirrel@webmail.pelican.org>
Message-ID: <164030B85F3A8B40B960817918CB021001A08099@UTHEVS4.mail.uthouston.edu>

Sorry, my original question may have been lost... You are exactly right... I was confused that show ip bgp ipv4 did not show anything even though I configured bgp with address-family ipv4... Everything shows up under VPNV4...

Thanks to everyone for your input/feedback...

From avayner at cisco.com Thu Oct 2 13:05:44 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 2 Oct 2008 19:05:44 +0200
Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
In-Reply-To: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com>

Stephan,

With some of the older NPE boards the S/N reported in software is wrong, and does not align with the physical S/N which is written on the sticker on the back of the chassis. Unfortunately, Cisco's DB is based on the physical S/N.

There is a way to correlate the info using some other details from the box, and Cisco has a tool and a process to collect this info (actually, Cisco partners have access to this process).

If it's a small number of devices, just take a look on the back... If it's a large network, I suggest you have a discussion with your contact...

Arie

From christian.macnevin at gmail.com Thu Oct 2 13:44:41 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Thu, 2 Oct 2008 10:44:41 -0700
Subject: [c-nsp] Cisco BGP Running on VRF?
In-Reply-To: <164030B85F3A8B40B960817918CB021001A08099@UTHEVS4.mail.uthouston.edu>
References: <164030B85F3A8B40B960817918CB021001A07F37@UTHEVS4.mail.uthouston.edu> <20081001082842.GA17238@greenie.muc.de> <164030B85F3A8B40B960817918CB021001A07FFC@UTHEVS4.mail.uthouston.edu> <2ee90d14e5c9d544f56ccc4bae6213f7.squirrel@webmail.pelican.org> <164030B85F3A8B40B960817918CB021001A08099@UTHEVS4.mail.uthouston.edu>
Message-ID:

That 'feature' has annoyed me for years. Some time back I asked them to fix it under IIRC 12.2(18)S - pre SR or SB or whatever - and they did so, but only for one throttle. 12.2(14) I think was still around at the time and they took that one forward. The reason was that everyone's instrumentation may have been relying on the vpnv4 command so they didn't want to change it to make sense.

This was some time ago so forgive my poor memory on the topic. But yeah, it's annoying.

On Oct 2, 2008, at 7:46 AM, Murphy, William wrote:

> Sorry, my original question may have been lost... You are exactly right... I was confused that show ip bgp ipv4 did not show anything even though I configured bgp with address-family ipv4... Everything shows up under VPNV4...

From Michael.Balasko at cityofhenderson.com Thu Oct 2 13:58:16 2008
From: Michael.Balasko at cityofhenderson.com (Michael Balasko)
Date: Thu, 2 Oct 2008 10:58:16 -0700
Subject: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract
In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com>
Message-ID: <9AF22D15085E7D409ED5710CBC779E93079D4300@COHNTCS09.ci.henderson.nv.us>

Actually I still see this on my NPE-G1's. It's annoying but we just add the sticker serial number into Cisco Works as the managed serial number.

Michael Balasko
CCSP, MCSE, MCNE, SCP
Network Specialist II
City of Henderson
240 Water St.
Henderson, NV 89015
P: (702) 267-4337

From fvd at de.kpn-eurorings.net Thu Oct 2 13:23:44 2008
From: fvd at de.kpn-eurorings.net (Weber, Markus)
Date: Thu, 2 Oct 2008 19:23:44 +0200
Subject: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C7037AF869@LMC-MAIL2.exempla.org>
References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7037AF869@LMC-MAIL2.exempla.org>
Message-ID: <7707838BF569B24DBBDB8F54AB67B67F023D2DC0@foo.kpnqwest.de>

Are you sure on this, that this is the chassis serial number C likes to get? AFAIK, show inventory gives you only the mid plane ID (same as from show c7200).

Probably easy to check: Wasn't it the case that the physically tagged chassis serial of e.g. a 7206VXR always starts with a 7? At least TAC claimed that last time I "falsely" reported the number retrieved from show inv ... and none of my boxes report a number starting with a 7 for show inv, but some of them I know for sure have the sticker with the 7 at the back.

Markus

--
[KPN Eurorings B.V.
Darmst?dter Landstra?e 184 D-60598 Frankfurt] [E] Markus Weber [IRC] FvD [T] +49 69 96874-298 [F] -289 [HRB56874/Amtsgericht Frankfurt/GF: Carolien Nijhuis+John van Vianen] -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matlock, Kenneth L Sent: Thursday, October 02, 2008 4:00 PM To: Christian Koch; Stephan Lochner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract You can also get it via SNMP. .1.3.6.1.4.1.9.3.6.3.0 = Chassis ID (defaults to the serial number of the chassis unless you've configured the 'snmp-server chassis-id ' command. Ken Matlock Network Analyst (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Thursday, October 02, 2008 5:56 AM To: Stephan Lochner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract sh inventory will do it sh snmp will also give you the chassis serial On Thu, Oct 2, 2008 at 5:40 AM, Stephan Lochner wrote: > Hi Group, > > we have a problem with our 7200 series router. We have a supplier that > handles our maintenance contracts. We want now to put some more devices into > maintenance. > Normally we use the "sh ver" command and get the serial number. > But the 7200 series router provide a serial number (I assume of the > mainboard) but this is not that one printed on the back of the router. > Our problem is now that our maintenance supplier is not able to take the > devices into maintenance with this serial. > Is there another way to read the serial number from remote? 
> > regards > > Stephan From RTeller at deltadentalwa.com Thu Oct 2 14:17:12 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Thu, 2 Oct 2008 11:17:12 -0700 Subject: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract In-Reply-To: <7707838BF569B24DBBDB8F54AB67B67F023D2DC0@foo.kpnqwest.de> References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7037AF869@LMC-MAIL2.exempla.org> <7707838BF569B24DBBDB8F54AB67B67F023D2DC0@foo.kpnqwest.de> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0145B@tiger.deltadentalwa.com> For my 6509's I use show idprom backplane I don't know if it is the same for 7200's -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Weber, Markus Sent: Thursday, October 02, 2008 10:24 AM To: Matlock, Kenneth L; Christian Koch; Stephan Lochner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract Are you sure on this, that this is the chassis serial number C likes to get? AFAIK, show inventory gives you only the mid plane ID (same as of show c7200). Probably easy to check: Wasn't it the case, that the physically tagged chassis serial of a e.g. a 7206VXR always starts with a 7? At least TAC claimed that last time I "falsely" reported the number retrieved from show inv ... and none of my boxes report a number starting with a 7 for show inv, but some of them I know for sure have the sticker with the 7 at the back. Markus -- [KPN Eurorings B.V. 
Darmst?dter Landstra?e 184 D-60598 Frankfurt] [E] Markus Weber [IRC] FvD [T] +49 69 96874-298 [F] -289 [HRB56874/Amtsgericht Frankfurt/GF: Carolien Nijhuis+John van Vianen] -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matlock, Kenneth L Sent: Thursday, October 02, 2008 4:00 PM To: Christian Koch; Stephan Lochner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract You can also get it via SNMP. .1.3.6.1.4.1.9.3.6.3.0 = Chassis ID (defaults to the serial number of the chassis unless you've configured the 'snmp-server chassis-id ' command. Ken Matlock Network Analyst (303) 467-4671 matlockk at exempla.org -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch Sent: Thursday, October 02, 2008 5:56 AM To: Stephan Lochner Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract sh inventory will do it sh snmp will also give you the chassis serial On Thu, Oct 2, 2008 at 5:40 AM, Stephan Lochner wrote: > Hi Group, > > we have a problem with our 7200 series router. We have a supplier that > handles our maintenance contracts. We want now to put some more devices into > maintenance. > Normally we use the "sh ver" command and get the serial number. > But the 7200 series router provide a serial number (I assume of the > mainboard) but this is not that one printed on the back of the router. > Our problem is now that our maintenance supplier is not able to take the > devices into maintenance with this serial. > Is there another way to read the serial number from remote? 
> > regards > > Stephan _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From christian.macnevin at gmail.com Thu Oct 2 14:59:17 2008 From: christian.macnevin at gmail.com (Christian MacNevin) Date: Thu, 2 Oct 2008 11:59:17 -0700 Subject: [c-nsp] multicast monitoring in a small network? Message-ID: <42005B7F-EF46-4D8D-8232-B986EBB42D89@gmail.com> Hi Wondering if anybody's had much fun investigating mcast monitoring solutions for a small network. It's a content network with only a small number of devices, so I'm not sure if CMM is the way to go for them. CMM always seemed a bit configuration-centric and they're not really big enough to be bothered with the finer details. What exactly I *am* looking for may be a bit harder to describe I'm afraid :) They're taking feeds from a couple of providers which will be a mixture of ASM and SSM in the near future. They're casting out to the internet but I'm not sure of the mechanisms yet - RTSP so I'm assuming it's unicast fallback. They might implement sexier new stuff in the future however such as AMT when that gets done (if I can sell them on the idea I guess). Any advice? Thanks! 
Christian From notrevebr at gmail.com Thu Oct 2 16:43:08 2008 From: notrevebr at gmail.com (Everton Diniz) Date: Thu, 2 Oct 2008 17:43:08 -0300 Subject: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0145B@tiger.deltadentalwa.com> References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com> <4288131ED5E3024C9CD4782CECCAD2C7037AF869@LMC-MAIL2.exempla.org> <7707838BF569B24DBBDB8F54AB67B67F023D2DC0@foo.kpnqwest.de> <06C1E76E03FE9C4B85BFA9C75365D9DA0FC0145B@tiger.deltadentalwa.com> Message-ID: <3cf174360810021343u7c660d36k906c527219afc750@mail.gmail.com> sh diag help you if you want s/n of boards too. On Thu, Oct 2, 2008 at 3:17 PM, Teller, Robert wrote: > For my 6509's I use show idprom backplane I don't know if it is the same for 7200's > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Weber, Markus > Sent: Thursday, October 02, 2008 10:24 AM > To: Matlock, Kenneth L; Christian Koch; Stephan Lochner > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract > > > Are you sure on this, that this is the chassis serial number C > likes to get? AFAIK, show inventory gives you only the mid plane > ID (same as of show c7200). > > Probably easy to check: Wasn't it the case, that the physically > tagged chassis serial of a e.g. a 7206VXR always starts with a 7? > At least TAC claimed that last time I "falsely" reported the > number retrieved from show inv ... and none of my boxes report > a number starting with a 7 for show inv, but some of them I know > for sure have the sticker with the 7 at the back. > > Markus > > -- > [KPN Eurorings B.V. 
Darmstädter Landstraße 184 D-60598 Frankfurt] > [E] Markus Weber [IRC] FvD [T] +49 69 96874-298 [F] -289 > [HRB56874/Amtsgericht Frankfurt/GF: Carolien Nijhuis+John van Vianen] > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matlock, Kenneth L > Sent: Thursday, October 02, 2008 4:00 PM > To: Christian Koch; Stephan Lochner > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers/maintenance contract > > You can also get it via SNMP. > > .1.3.6.1.4.1.9.3.6.3.0 = Chassis ID (defaults to the serial number of > the chassis unless you've configured the 'snmp-server chassis-id' > command). > > Ken Matlock > Network Analyst > (303) 467-4671 > matlockk at exempla.org > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christian Koch > Sent: Thursday, October 02, 2008 5:56 AM > To: Stephan Lochner > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] problem with serial number on cisco 7200 routers > /maintenance contract > > sh inventory will do it > > sh snmp will also give you the chassis serial > > > On Thu, Oct 2, 2008 at 5:40 AM, Stephan Lochner > wrote: >> Hi Group, >> >> we have a problem with our 7200 series router. We have a supplier that >> handles our maintenance contracts. We now want to put some more > devices into >> maintenance. >> Normally we use the "sh ver" command and get the serial number. >> But the 7200 series router provides a serial number (I assume of the >> mainboard) but this is not the one printed on the back of the router. >> Our problem is now that our maintenance supplier is not able to take > the >> devices into maintenance with this serial. >> Is there another way to read the serial number from remote? 
>> >> regards >> >> Stephan > From wjackson at sapphire.gi Thu Oct 2 15:24:48 2008 From: wjackson at sapphire.gi (William Jackson) Date: Thu, 2 Oct 2008 21:24:48 +0200 Subject: [c-nsp] Service provider SLA reporting Software Message-ID: <9D30659ABCA7FB428CF91E386C3A574401357DAF@hermes.sapphire-int.gi> Hi I was wondering what software service providers are using to generate SLA reports. IP transit services and MPLS services? 
Many thanks From achatz at forthnet.gr Thu Oct 2 17:56:16 2008 From: achatz at forthnet.gr (Tassos Chatzithomaoglou) Date: Fri, 03 Oct 2008 00:56:16 +0300 Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract In-Reply-To: <67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com> References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com> <67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com> Message-ID: <48E54380.4000800@forthnet.gr> Arie, We have many 7200s and I guess that if at least one of them displays a wrong serial number (in our case many are), you cannot be sure about the others either. So: 1) There is a way to get the correct S/N without having physical access to the box, but this is available only to partners? 2) Is there a pattern somewhere in a cli/snmp output, that can help you identify these older NPE boards? -- Tassos Arie Vayner (avayner) wrote on 02/10/2008 20:05: > Stephan, > > With some of the older NPE boards the S/N reported in software is wrong, > and does not align with the physical S/N which is written on the sticker > on the back of the chassis. > Unfortunately, Cisco's DB is based on the physical S/N. > > There is a way to correlate the info using some other details from the > box, and Cisco has a tool and a process to collect this info (actually, > Cisco partners have access to this process). > > If it's a small number of devices, just take a look on the back... If > it's a large network, I suggest you have a discussion with your > contact... > > Arie > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Stephan Lochner > Sent: Thursday, October 02, 2008 12:40 PM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] problem with serial number on cisco 7200 routers > /maintenance contract > > Hi Group, > > we have a problem with our 7200 series router. 
We have a supplier that > handles our maintenance contracts. We now want to put some more devices > into maintenance. > Normally we use the "sh ver" command and get the serial number. > But the 7200 series router provides a serial number (I assume of the > mainboard) but this is not the one printed on the back of the router. > Our problem is now that our maintenance supplier is not able to take the > devices into maintenance with this serial. > Is there another way to read the serial number from remote? > > regards > > Stephan > From dcp at dcptech.com Thu Oct 2 18:11:29 2008 From: dcp at dcptech.com (David Prall) Date: Thu, 2 Oct 2008 18:11:29 -0400 Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract In-Reply-To: <48E54380.4000800@forthnet.gr> References: <98ee76d50810020240l3e516002w4ad5347b51f331d9@mail.gmail.com><67F7C1FAF83A074AA3520D8F155782A501EEB8DD@xmb-ams-331.emea.cisco.com> <48E54380.4000800@forthnet.gr> Message-ID: <001501c924db$d4ded1a0$a20b740a@cisco.com> Cisco Product Identification Tool - UPDATE: Instructions Now Available for Electronic Retrieval of Serial Numbers http://www.cisco.com/public/news_training/itsnews/200604.html#newsupdates1 David -- http://dcp.dcptech.com > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Tassos Chatzithomaoglou > Sent: Thursday, October 02, 2008 5:56 PM > To: Arie Vayner (avayner) > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] problem with serial number on cisco 7200 
> routers /maintenance contract > > Arie, > > We have many 7200s and I guess that if at least one of them > displays a wrong serial number > (in our case many are), you cannot be sure about the others either. > > So: > 1) There is a way to get the correct S/N without having > physical access to the box, but > this is available only to partners? > 2) Is there a pattern somewhere in a cli/snmp output, that > can help you identify these > older NPE boards? > > -- > Tassos > > Arie Vayner (avayner) wrote on 02/10/2008 20:05: > > Stephan, > > > > With some of the older NPE boards the S/N reported in > software is wrong, > > and does not align with the physical S/N which is written > on the sticker > > on the back of the chassis. > > Unfortunately, Cisco's DB is based on the physical S/N. > > > > There is a way to correlate the info using some other > details from the > > box, and Cisco has a tool and a process to collect this > info (actually, > > Cisco partners have access to this process). > > > > If it's a small number of devices, just take a look on the > back... If > > it's a large network, I suggest you have a discussion with your > > contact... > > > > Arie > > > > -----Original Message----- > > From: cisco-nsp-bounces at puck.nether.net > > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of > Stephan Lochner > > Sent: Thursday, October 02, 2008 12:40 PM > > To: cisco-nsp at puck.nether.net > > Subject: [c-nsp] problem with serial number on cisco 7200 routers > > /maintenance contract > > > > Hi Group, > > > > we have a problem with our 7200 series router. We have a > supplier that > > handles our maintenance contracts. We now want to put some > more devices > > into maintenance. > > Normally we use the "sh ver" command and get the serial number. > > But the 7200 series router provides a serial number (I assume of the > > mainboard) but this is not the one printed on the back of > the router. 
> > Our problem is now that our maintenance supplier is not > able to take the > > devices into maintenance with this serial. > > Is there another way to read the serial number from remote? > > > > regards > > > > Stephan > > From kgraham at industrial-marshmallow.com Thu Oct 2 18:22:17 2008 From: kgraham at industrial-marshmallow.com (Kevin Graham) Date: Thu, 2 Oct 2008 15:22:17 -0700 (PDT) Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract Message-ID: <410976.17287.qm@web908.biz.mail.mud.yahoo.com> > Cisco Product Identification Tool - UPDATE: > Instructions Now Available for Electronic Retrieval of Serial Numbers > http://www.cisco.com/public/news_training/itsnews/200604.html#newsupdates1 Read the rest of it -- "To view these new features, search or browse for the Cisco Catalyst 6509 Switch". I don't think I've ever gotten the CLI (sh inv, sh ver, etc) on a _7200_ w/ any NPE to match up w/ the chassis sticker. From awain567 at yahoo.com Thu Oct 2 17:26:04 2008 From: awain567 at yahoo.com (Alex Wa) Date: Thu, 2 Oct 2008 14:26:04 -0700 (PDT) Subject: [c-nsp] NAT timeout Message-ID: <527316.92636.qm@web58001.mail.re3.yahoo.com> Hi guys, We have a router configured to work with 2 ISPs, one of them through a satellite link. 
This particular link is being monitored with ip sla and track commands. When this link fails the default route is deleted automatically from the routing table, and the backup default route is then installed. We also use automatic NAT failover. The problem is that some inside servers that always go to the same destination IP/port get NATed the moment the backup link is up, and when the primary comes up they go to the internet with the source address equal to the backup outside interface. This NAT "lease" stays for days because these particular servers are doing ICMP every 10 seconds. That causes asymmetric routing, packets going out through one link and returning through the other. When we flush NAT translations everything returns to normal, of course, but we don't want to have to do it manually. The question is: do we need to reduce the NAT ICMP timeout to less than 10 seconds, or is there another solution? I can provide the config if you guys need it. regards, Alejandro wainshtok From brad.henshaw at qcn.com.au Thu Oct 2 19:41:10 2008 From: brad.henshaw at qcn.com.au (Brad Henshaw) Date: Fri, 3 Oct 2008 09:41:10 +1000 Subject: [c-nsp] C2960G and output drops Message-ID: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> Gert Doering wrote: > OK, I've done quite some testing, tuning "to the extreme"... > Queueset: 1 > Queue : 1 2 3 4 > ---------------------------------------------- > buffers : 1 5 93 1 > threshold1: 100 200 1600 100 > threshold2: 100 200 2400 100 > reserved : 50 50 90 50 > maximum : 400 400 3200 400 > > (and all traffic is mapped to queue 3). From the output you provided earlier, most of the traffic as shown in the 'sh plat port-asic' output was on queue 3, which corresponds to queue 4 in the above queueset. I assume you changed the mapping? (just asking to be certain) > ...I can change the drop rate between "too high" and "catastrophic". > Without mls qos, it seems to just give the port *all* the buffers... Bugger. 
I don't know whether setting up srr-queue limiting or shaping might impact the behaviour here, but I'm really clutching at straws. Have you logged a case with the TAC for this one? Regards, Brad From brett at looney.id.au Thu Oct 2 19:40:31 2008 From: brett at looney.id.au (Brett Looney) Date: Fri, 3 Oct 2008 07:40:31 +0800 Subject: [c-nsp] NAT timeout In-Reply-To: <527316.92636.qm@web58001.mail.re3.yahoo.com> References: <527316.92636.qm@web58001.mail.re3.yahoo.com> Message-ID: <012101c924e8$4826ba40$d8742ec0$@id.au> > We have a router configured to work with 2 ISPs, one of > them through a satellite link. This particular link is > being monitored with ip sla and track commands. When > this link fails the default route is deleted automatically > from the routing table, and the backup default route is > then installed. We also use automatic NAT failover. The > problem is that some inside servers that always go to > the same destination IP/port get NATed the moment > the backup link is up, and when the primary comes up > they go to the internet with the source address equal > to the backup outside interface. We fixed this with an EEM script that reacts to route or track changes and then executes the "clear ip nat trans *" command to clear the NAT table. B. From rodunn at cisco.com Thu Oct 2 21:20:45 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Thu, 2 Oct 2008 21:20:45 -0400 Subject: [c-nsp] NAT timeout In-Reply-To: <527316.92636.qm@web58001.mail.re3.yahoo.com> References: <527316.92636.qm@web58001.mail.re3.yahoo.com> Message-ID: <20081003012045.GA7069@rtp-cse-489.cisco.com> The only solution is to hook an EEM applet to that IP SLA probe/track as a trigger and do "clear ip nat trans *" when the failover and recovery happens. It's because of the way the translation is used in the forwarding path over the FIB table after the reconvergence. Rodney On Thu, Oct 02, 2008 at 02:26:04PM -0700, Alex Wa wrote: > Hi guys, > 
> We have a router configured to work with 2 ISPs, one of them through a satellite link. This particular link is being monitored with ip sla and track commands. When this link fails the default route is deleted automatically from the routing table, and the backup default route is then installed. We also use automatic NAT failover. The problem is that some inside servers that always go to the same destination IP/port get NATed the moment the backup link is up, and when the primary comes up they go to the internet with the source address equal to the backup outside interface. This NAT "lease" stays for days because these particular servers are doing ICMP every 10 seconds. That causes asymmetric routing, packets going out through one link and returning through the other. When we flush NAT translations everything returns to normal, of course, but we don't want to have to do it manually. The question is: do we need to reduce the NAT ICMP timeout to less than > 10 seconds, or is there another solution? I can provide the config if you guys need it. > > regards, > Alejandro wainshtok > 
> From irfans at ymail.com Thu Oct 2 22:15:19 2008 From: irfans at ymail.com (Irfan Siddiqui) Date: Thu, 2 Oct 2008 19:15:19 -0700 (PDT) Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract Message-ID: <163956.25358.qm@web59510.mail.ac4.yahoo.com> I don't think this is possible on 720X; you have to read it off of the chassis. Sent from my iPhone On Oct 2, 2008, at 3:22 PM, Kevin Graham wrote: Cisco Product Identification Tool - UPDATE: Instructions Now Available for Electronic Retrieval of Serial Numbers http://www.cisco.com/public/news_training/itsnews/200604.html#newsupdates1 Read the rest of it -- "To view these new features, search or browse for the Cisco Catalyst 6509 Switch". I don't think I've ever gotten the CLI (sh inv, sh ver, etc) on a _7200_ w/ any NPE to match up w/ the chassis sticker. From ray at oneunified.net Thu Oct 2 23:30:13 2008 From: ray at oneunified.net (Ray Burkholder) Date: Fri, 3 Oct 2008 00:30:13 -0300 Subject: [c-nsp] Virtual Interface to the Internet In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> Message-ID: <01ea01c92508$595a3560$660a0a0a@oneunified.local> I have a customer with two sites. Site 1 connects to Router A. Site 2 connects to Router B. We have an internet connection on Router C. Router A connects to Router C and Router B connects to Router C. The customer wishes to be billed for a total of X amount of bandwidth, regardless of whether it comes from Site 1 or Site 2 or both. 
Is there some sort of multipoint virtual circuit I can engineer to aggregate two sites, rate-shape or police at Router C, and get them to the internet? VRFs or L2TPv3 come to mind. But how to connect them with a virtual interface on Router C? Use a loopback or ..... ? Ray. -- Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean. From sforcejr at yahoo.com Thu Oct 2 23:51:35 2008 From: sforcejr at yahoo.com (John Ramz) Date: Thu, 2 Oct 2008 20:51:35 -0700 (PDT) Subject: [c-nsp] Cisco Pix. Global command Message-ID: <312212.683.qm@web110406.mail.gq1.yahoo.com> OS 7. I only have 2 public IP addresses: 2.1.1.2 (in the router) and 2.1.1.3. I am configuring this firewall very basically: Ethernet0: outside, IP address 2.1.1.3; Ethernet1: inside, IP address 192.168.254.253. global (outside) 1 2.1.1.3 nat (inside) 1 192.168.254.0 255.255.255.0 0 0 route outside 0.0.0.0 0.0.0.0 2.1.1.2 1 access-list outbound permit tcp 192.168.254.0 255.255.255.0 any eq 80 access-group outbound in interface inside You might point out something else if you think it is needed. Since I only have 2 public IP addresses, can I use the outside interface IP address for the global command? Thanks John From Bagosi.Romeo at iqsys.hu Fri Oct 3 01:08:45 2008 From: Bagosi.Romeo at iqsys.hu (Bagosi Rómeó) Date: Fri, 3 Oct 2008 07:08:45 +0200 Subject: [c-nsp] Failed to locate egress interface for UDP Message-ID: <085C022C25FF9C4EBCF76712A2588DCB0102476B@X-SPIRIT.integris.hu> Hi, Anybody ever seen this message: %ASA-6-110002: Failed to locate egress interface for UDP from inside:fe80::21f:29ff:fe1c:fa11/546 to ff02::1:2/547 This message is logged every 2 minutes... I've found the following "explanation" on cisco.com: Explanation: An error occurred when the security appliance tried to find the interface through which to send the packet. 
*protocol - The protocol of the packet *src interface - The interface from which the packet was received *src IP - The source IP address of the packet *src port - The source port number *dest IP - The destination IP address of the packet *dest port - The destination port number Recommended Action: Copy the error message, the configuration, and any details about the events leading up to the error, and contact Cisco TAC. I do not understand what the problem can be. It looks like the firewall is working correctly... Thanks, Romeo Bagosi From jay at west.net Fri Oct 3 01:28:17 2008 From: jay at west.net (Jay Hennigan) Date: Thu, 02 Oct 2008 22:28:17 -0700 Subject: [c-nsp] Failed to locate egress interface for UDP In-Reply-To: <085C022C25FF9C4EBCF76712A2588DCB0102476B@X-SPIRIT.integris.hu> References: <085C022C25FF9C4EBCF76712A2588DCB0102476B@X-SPIRIT.integris.hu> Message-ID: <48E5AD71.2010307@west.net> Bagosi Rómeó wrote: > Hi, > > Anybody ever seen this message: > %ASA-6-110002: Failed to locate egress interface for UDP from inside:fe80::21f:29ff:fe1c:fa11/546 to ff02::1:2/547 > This message is logged every 2 minutes... You have a Hewlett-Packard device with a MAC address 001f:291c:fa11 that has IPv6 enabled. It is trying to autodiscover its network settings. The ASA is probably not properly set up to handle IPv6. 
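What the reply above does by hand can be scripted. The following is an added example, not code from this thread or from Cisco: it parses an ASA 110002 line, inverts the modified EUI-64 interface identifier of the link-local source to recover the host's MAC address, and flags a destination of ff02::1:2 port 547 from source port 546 as a DHCPv6 client message. The sample line is the one quoted in the thread; the one-entry OUI table mapping 00:1f:29 to Hewlett-Packard is an assumption of this example standing in for the IEEE registry.

```python
import ipaddress
import re

# Constructed sample: the ASA message quoted in the thread above.
SAMPLE_LOG = (
    "%ASA-6-110002: Failed to locate egress interface for UDP from "
    "inside:fe80::21f:29ff:fe1c:fa11/546 to ff02::1:2/547"
)

# Stand-in for the IEEE OUI registry (assumption of this example; load the
# real oui.txt in practice). Only the prefix seen in the thread is listed.
OUI_VENDORS = {"00:1f:29": "Hewlett-Packard"}

# DHCPv6 clients send from UDP 546 to All_DHCP_Relay_Agents_and_Servers on 547.
DHCPV6_SERVERS_GROUP = ipaddress.IPv6Address("ff02::1:2")

LOG_RE = re.compile(
    r"%ASA-\d-110002: Failed to locate egress interface for (?P<proto>[A-Z]+) from "
    r"(?P<src_if>[^:\s]+):(?P<src_ip>[0-9A-Fa-f:.]+)/(?P<src_port>\d+) "
    r"to (?P<dst_ip>[0-9A-Fa-f:.]+)/(?P<dst_port>\d+)"
)


def parse_asa_110002(line):
    """Return the fields of an ASA-x-110002 message, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    f["src_ip"] = ipaddress.ip_address(f["src_ip"])
    f["dst_ip"] = ipaddress.ip_address(f["dst_ip"])
    f["src_port"] = int(f["src_port"])
    f["dst_port"] = int(f["dst_port"])
    return f


def mac_from_eui64(addr):
    """Recover the MAC from a modified EUI-64 interface identifier (RFC 4291 App. A).

    Returns None when the low 64 bits lack the 0xFFFE marker, i.e. the address
    was not derived from a MAC (manually assigned or a privacy address).
    """
    iid = ipaddress.IPv6Address(str(addr)).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join(f"{o:02x}" for o in octets)


def vendor_for_mac(mac):
    """Look the first three octets up in the (stand-in) OUI table."""
    return OUI_VENDORS.get(mac[:8])


def describe(line):
    """Turn one 110002 line into what an analyst wants: which host, doing what."""
    f = parse_asa_110002(line)
    if f is None:
        return None
    is_v6 = f["src_ip"].version == 6
    mac = mac_from_eui64(f["src_ip"]) if is_v6 else None
    return {
        "src_interface": f["src_if"],
        "src_link_local": is_v6 and f["src_ip"].is_link_local,
        "mac": mac,
        "vendor": vendor_for_mac(mac) if mac else None,
        "dhcpv6_client": (
            f["proto"] == "UDP"
            and f["dst_ip"] == DHCPV6_SERVERS_GROUP
            and f["src_port"] == 546
            and f["dst_port"] == 547
        ),
    }


if __name__ == "__main__":
    print(describe(SAMPLE_LOG))
```

On a real log, feed each syslog line through describe() and alert on hosts whose MAC or vendor is unexpected on that segment. A source whose interface identifier has no ff:fe marker (privacy or manually assigned address) returns mac=None, which is itself worth noting: the host cannot be identified from the address alone and needs a neighbor-table lookup on the switch.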
-- Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net Impulse Internet Service - http://www.impulse.net/ Your local telephone and internet company - 805 884-6323 - WB6RDV From gert at greenie.muc.de Fri Oct 3 04:20:45 2008 From: gert at greenie.muc.de (Gert Doering) Date: Fri, 3 Oct 2008 10:20:45 +0200 Subject: [c-nsp] C2960G and output drops In-Reply-To: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> References: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> Message-ID: <20081003082044.GP17238@greenie.muc.de> Hi, On Fri, Oct 03, 2008 at 09:41:10AM +1000, Brad Henshaw wrote: > Gert Doering wrote: > > > OK, I've done quite some testing, tuning "to the extreme"... > > Queueset: 1 > > Queue : 1 2 3 4 > > ---------------------------------------------- > > buffers : 1 5 93 1 > > threshold1: 100 200 1600 100 > > threshold2: 100 200 2400 100 > > reserved : 50 50 90 50 > > maximum : 400 400 3200 400 > > > > (and all traffic is mapped to queue 3). > > From the output you provided earlier, most of the traffic as shown in > the 'sh plat port-asic' output was on queue 3, which corresponds to > queue 4 in the above queueset. I assume you changed the mapping? (just > asking to be certain) Yes. Forced all into queue 3, to see whether using a different queue might make any difference: mls qos srr-queue output cos-map queue 3 threshold 1 0 1 4 5 6 7 mls qos queue-set output 1 threshold 3 1600 2400 90 3200 mls qos queue-set output 1 buffers 1 5 93 1 > > ...I can change the drop rate between "too high" and "catastrophic". > > Without mls qos, it seems to just give the port *all* the buffers... > > Bugger. I don't know whether setting up srr-queue limiting or shaping > might impact the behaviour here, but I'm really clutching at straws. I tried, and all it does is "make things worse". > Have you logged a case with the TAC for this one? Not yet. 
(Our L2 switches usually don't come with a maintenance contract, as we have such a huge lot of them that it's much cheaper to replace them if hardware breaks). Given the other comments received in this thread, I'm doubtful whether TAC will help find a solution, though... gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de From oboehmer at cisco.com Fri Oct 3 05:05:23 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Fri, 3 Oct 2008 11:05:23 +0200 Subject: [c-nsp] IP-VPN CE-PE local pref problem In-Reply-To: <117358.2327.qm@web44814.mail.sp1.yahoo.com> References: <117358.2327.qm@web44814.mail.sp1.yahoo.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406204FD3@xmb-ams-333.emea.cisco.com> That's strange... can you show "show ip bgp vpnv4 vrf ipvpn_00000001"? This shows the resulting vrf BGP table (i.e. after import) which might or might not be identical to the "rd" output (however it looks like you're using the same RD on both PEs, so this might not make a difference here). Can you disable soft-reconfiguration inbound from the PE-CE eBGP session and see if it helps? oli Mark Tech <> wrote on Wednesday, October 01, 2008 11:15 AM: > Hi, thanks for all the suggestions > I have now changed the route-map and things are looking good. > 5.14.93.0/24 is the route in question. In PE2, local pref can now be > seen as 90 > > PE1#show ip bgp vpnv4 rd 894:1 > BGP table version is 258, local router ID is 5.14.95.243 > Status codes: s suppressed, d damped, h history, * valid, > best, i - > internal, > r RIB-failure, S Stale > Origin codes: i - IGP, e - EGP, ? - incomplete > Network Next Hop 
Metric LocPrf Weight Path > Route Distinguisher: 894:1 (default for vrf ipvpn_00000001) > *> 5.14.89.1/32 0.0.0.0 0 32768 ? > *>i5.14.89.2/32 5.14.95.244 0 100 0 ? > *> 5.14.93.0 5.14.93.222 0 100 0 65535 i > > PE2#show ip bgp vpnv4 rd 894:1 > BGP table version is 285, local router ID is 5.14.95.244 > Status codes: s suppressed, d damped, h history, * valid, > best, i - > internal, > r RIB-failure, S Stale > Origin codes: i - IGP, e - EGP, ? - incomplete > Network Next Hop Metric LocPrf Weight Path > Route Distinguisher: 894:1 (default for vrf ipvpn_00000001) > *>i5.14.89.1/32 5.14.95.243 0 100 0 ? > *> 5.14.89.2/32 0.0.0.0 0 32768 ? > *>i5.14.93.0 5.14.95.243 0 100 0 65535 i > * 5.14.93.226 0 90 0 65535 i > <------------------------------------------------- > > =========================================================== > > Going on from this, if I now check the routing installed in the vrf > for 5.14.93.0/24, it seems to be installed in PE1 (with high local > pref as expected) > > PE1#sh ip route vrf ipvpn_00000001 > Routing Table: ipvpn_00000001 > 5.14.89.0/32 is subnetted, 2 subnets > B 5.14.89.1 is directly connected, 19:44:47, Loopback2 > B 5.14.89.2 [200/0] via 5.14.95.244, 19:43:47 > 5.14.93.0/24 is variably subnetted, 3 subnets, 3 masks > B 5.14.93.0/24 [20/0] via 5.14.93.222, 00:02:42 > <---------------------------------------- > C 5.14.93.220/30 is directly connected, GigabitEthernet3/48 > L 5.14.93.221/32 is directly connected, GigabitEthernet3/48 > > > However in PE2, there is no route to 5.14.93.0/24 > > PE2#sh ip route vrf ipvpn_00000001 > Routing Table: ipvpn_00000001 > 5.14.89.0/32 is subnetted, 2 subnets > B 5.14.89.1 [200/0] via 5.14.95.243, 00:42:11 > B 
5.14.89.2 is directly connected, 19:47:26, Loopback2 > 5.14.93.0/24 is variably subnetted, 2 subnets, 2 masks > C 5.14.93.224/30 is directly connected, GigabitEthernet3/48 > L 5.14.93.225/32 is directly connected, GigabitEthernet3/48 > > If I change the local pref in PE2 from 90 to 110 for example, then > PE2 becomes the primary route and the exact opposite happens, i.e. > the 5.14.93.0/24 route is installed in PE2 and does not exist in PE1; > is this normal behaviour? > > Regards > > Mark > > ----- Original Message ---- > From: Luan Nguyen > To: Mark Tech ; David Freedman > ; cisco-nsp at puck.nether.net > Sent: Tuesday, September 30, 2008 8:03:38 PM > Subject: RE: [c-nsp] IP-VPN CE-PE local pref problem > > > Try changing the route-map to: > > route-map ipvpn_00000001 permit 10 > set extcommunity soo 894:1 > set local-preference 90 > > instead of: > > route-map ipvpn_00000001 permit 10 > set extcommunity soo 894:1 > > route-map ipvpn_00000001 permit 20 > set local-preference 90 > > Luan > > > ---------------------------------------------------------------------------- > ------------------------------------------------------------------------- > Luan Nguyen > Senior Network Engineer > Chesapeake NetCraftsmen, LLC. > www.NetCraftsmen.net > ---------------------------------------------------------------------------- > ------------------------------------------------------------------------- > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech > Sent: Tuesday, September 30, 2008 2:55 PM > To: David Freedman; cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem > > Here you go > > PE1#sh ip bgp vpnv4 rd 894:1 5.14.93.0 > BGP routing table entry for 894:1:5.14.93.0/24, version 222 > Paths: (3 available, best #2, table ipvpn_00000001) > Advertised to update-groups: > 1 > 65535 > 
5.14.95.244 (metric 11) from 5.14.95.244 (5.14.95.244) > Origin IGP, metric 0, localpref 100, valid, internal > Extended Community: SoO:894:1 RT:894:2 > mpls labels in/out 26/23 > 65535 > 5.14.93.222 from 5.14.93.222 (5.14.93.253) > Origin IGP, metric 0, localpref 100, valid, external, best > Extended Community: SoO:894:1 RT:894:2 > mpls labels in/out 26/nolabel > 65535, (received-only) > 5.14.93.222 from 5.14.93.222 (5.14.93.253) > Origin IGP, metric 0, localpref 100, valid, external > mpls labels in/out 26/nolabel > > > PE2#sh ip bgp vpnv4 rd 894:1 5.14.93.0 > BGP routing table entry for 894:1:5.14.93.0/24, version 237 > Paths: (3 available, best #1, table ipvpn_00000001) > Advertised to update-groups: > 1 > 65535 > 5.14.93.226 from 5.14.93.226 (5.14.93.254) > Origin IGP, metric 0, localpref 100, valid, external, best > Extended Community: SoO:894:1 RT:894:2 > mpls labels in/out 23/nolabel > 65535, (received-only) > 5.14.93.226 from 5.14.93.226 (5.14.93.254) > Origin IGP, metric 0, localpref 100, valid, external > mpls labels in/out 23/nolabel > 65535 > 5.14.95.243 (metric 11) from 5.14.95.243 (5.14.95.243) > Origin IGP, metric 0, localpref 100, valid, internal > Extended Community: SoO:894:1 RT:894:2 > mpls labels in/out 23/26 > > inbound route-map from CE2 to PE2 > route-map ipvpn_00000001 permit 10 > set extcommunity soo 894:1 > > route-map ipvpn_00000001 permit 20 > set local-preference 90 > ! > > > > ----- Original Message ---- > From: David Freedman > To: cisco-nsp at puck.nether.net > Sent: Tuesday, September 30, 2008 5:51:55 PM > Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem > > can you post "show ip bgp vpnv4 rd x.x.x.x/y" from both PEs for > the prefix in question? > > Dave > > Mark Tech wrote: >> Hi >> I have set up a dual homed IP-VPN network between 2 PE's and 2 CE's >> using SoO - that's all working fine. 
> > I have added an inbound route-map to the 'backup' PE and CE to reduce > the local preference in order to make the other PE and CE the > preferred > gateways. >> >> CE1--------PE1 primary >>> | >> CE2--------PE2 backup >> >> The CE local pref works fine, however on the PE side, local pref >> doesn't seem to have any effect, > > i.e. I have reduced the local pref to 90 on the backup link, however > if > I check the routing in the backup PE, nothing seems to have changed. > Can > I just check that local pref actually works across an MP-BGP > environment? >> >> If so I must be doing something wrong >> >> Regards >> >> Mark >> >> > > From oboehmer at cisco.com Fri Oct 3 06:24:14 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Fri, 3 Oct 2008 12:24:14 +0200 Subject: [c-nsp] Virtual Interface to the Internet In-Reply-To: <01ea01c92508$595a3560$660a0a0a@oneunified.local> References: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> <01ea01c92508$595a3560$660a0a0a@oneunified.local> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840620506D@xmb-ams-333.emea.cisco.com> Ray Burkholder <> wrote on Friday, October 03, 2008 5:30 AM: > I have a customer with two sites. Site 1 connects to Router A. Site > 2 connects to Router B. We have an internet connection on Router C. > Router A connects to Router C and Router B connects to Router C. > > The customer wishes to be billed for a total of X amount of bandwidth, > regardless of whether it comes from Site 1 or Site 2 or both. > > Is there some sort of multipoint virtual circuit I can engineer to > aggregate two sites, rate-shape or police at Router C, and get them > to the internet? VRFs or L2TPv3 come to mind. But how to connect > them with a virtual interface on Router C? Use a loopback or ..... ? Hmm, so your requirement is to limit (shape/police) the amount of BW the customer can use towards the Internet, and impose no limits for Site A<-->B traffic? If that's the case, I guess there is no real nice (and scalable) solution. You could create an MPLS-VPN between A, B and C and create a physical loop at router C connecting this VRF/VPN to the global routing table and shape/police on this interface. 
Traffic between the customer sites A and B will not be affected, only everything leaving the egress/looped interface on Router C. But I would not do this, especially if you're offering full routes to the customer as you would need to carry the full routes in the VPN as well...

"QoS Policy Propagation via BGP" could actually be a nice solution, however this is not supported on all platforms.

I guess there are "non-technical" approaches as well, i.e. account the traffic and have them pay a premium if they exceed the contracted rate/volume..

	oli

From ray at oneunified.net Fri Oct 3 06:31:31 2008
From: ray at oneunified.net (Ray Burkholder)
Date: Fri, 3 Oct 2008 07:31:31 -0300
Subject: [c-nsp] Virtual Interface to the Internet
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840620506D@xmb-ams-333.emea.cisco.com>
References: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> <01ea01c92508$595a3560$660a0a0a@oneunified.local> <70B7A1CCBFA5C649BD562B6D9F7ED7840620506D@xmb-ams-333.emea.cisco.com>
Message-ID: <01fc01c92543$33dc4540$660a0a0a@oneunified.local>

> > Hmm, so your requirement is to limit (shape/police) the
> amount of BW the customer can use towards the Internet, and
> impose no limits for Site A<-->B traffic? If that's the case,
> I guess there is no real nice (and
> scalable) solution.
>

That is pretty much it in a nutshell.

Afterwards, I was doing some reading on BVI. Can a BVI join two L2TPV3 tunnels. And can rate-limit or policy-maps with quality of service statements be used to manage flow into and out of a BVI? I thought of that last night but haven't had a chance to try.

-- 
Scanned for viruses and dangerous content at http://www.oneunified.net and is believed to be clean.
From security at cytanet.com.cy Fri Oct 3 07:07:29 2008
From: security at cytanet.com.cy (Michalis Palis)
Date: Fri, 3 Oct 2008 14:07:29 +0300
Subject: [c-nsp] Etherchannel Load Balancing
Message-ID: <6035F53AE8EC48F281806CA81C52B03C@PCArr2007MP>

Hello all

We are doing etherchannel between two Cisco Catalyst 4509 switches but load balancing is not working. On the one link we have about 700M and on the other 60M. The configured load balancing method is the default which is (src-dst-ip).

Any ideas?

From md at bts.sk Fri Oct 3 07:10:39 2008
From: md at bts.sk (Marian Ďurkovič)
Date: Fri, 3 Oct 2008 13:10:39 +0200
Subject: [c-nsp] 10/100/1000 speeds in GE SFP ports
Message-ID: <20081003111039.GA2755@bts.sk>

On Thu Sep 25 17:20:40 EDT 2008, Saku Ytti wrote:
> On (2008-09-25 22:56 +0200), Asbjorn Hojmark - Lists wrote:
> > One funny thing is that the 6500 release note now (SXH) says:
> > "48-port Gigabit or 10/100/1000 Mbps Ethernet SFP" about the
> > 6748-SFP, where the previous (SXF) phrase was: "48-port Gigabit
> > Ethernet SFP".
> >
> > I haven't had a chance to test if anything's actually changed,
> > though.
> >
> > (Yes, I've also heard the 'It's a hardware limitation. Forget
> > it' story).
>
> Someone commented on the list about his 6724 or 6748 being
> able to display DOM info, while lot of us had been told
> hardware is unable to read the upper half where the data lives.
> But he had newer hardware revision than any of mine, so
> it's entirely possible that there has been hardware upgrade,
> but I couldn't find anything in PCN about that change.
>
> If there had been, perhaps they added multirate too? Sounds
> too good to be true though. Looking forward for someone
> to report back with SXI :)

DOM support on 6724 is not dependent on IOS version, it only depends on HW revision of the 6724 linecard. HW rev. 3.0 or above is needed to read DOM info. There is no such support on 6748 yet AFAIK.

From the technical point of view, DOM and copper SFPs are all communicating over the same I2C bus where the SFP EEPROM is connected. The only difference is that SFP EEPROM is at I2C address 0xA0, DOM is at 0xA2 and copper SFP PHY-registers at 0xAC. Thus, the change which enabled DOM for 6724 HW 3.0 cards is hardly any hardware change - but more probably just new ASIC microcode. I still don't understand why it's not yet shipped with new 6748 cards...

With kind regards,

Marian Ďurkovič, network manager
Slovak Technical University, Computer Centre
Nám. Slobody 17, 812 43 Bratislava, Slovak Republic
Tel: +421 2 571 041 81   Fax: +421 2 524 94 351   E-mail/sip: md at bts.sk

From A.L.M.Buxey at lboro.ac.uk Fri Oct 3 07:39:31 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Fri, 3 Oct 2008 12:39:31 +0100
Subject: [c-nsp] Etherchannel Load Balancing
In-Reply-To: <6035F53AE8EC48F281806CA81C52B03C@PCArr2007MP>
References: <6035F53AE8EC48F281806CA81C52B03C@PCArr2007MP>
Message-ID: <20081003113931.GE1132@lboro.ac.uk>

Hi,

> We are doing etherchannel between two Cisco Catalyst 4509 switches but load balancing is not working. On the one link we have about 700M and on the other 60M. The configured load balancing method is the default which is (src-dst-ip).
>

the method you need to use to get proper/efficient load balancing is dependent on the traffic and configuration of your network... eg, in this case, if a server is on the network and all clients are on a different network, then as far as the cisco is aware, then all traffic in that scenario will look the same to the load balancer (source IP = server, dest IP = router/gateway address).

you'll need to find the best method for your case.
alan

From dr at cluenet.de Fri Oct 3 07:46:40 2008
From: dr at cluenet.de (Daniel Roesen)
Date: Fri, 3 Oct 2008 13:46:40 +0200
Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
In-Reply-To: <163956.25358.qm@web59510.mail.ac4.yahoo.com>
References: <163956.25358.qm@web59510.mail.ac4.yahoo.com>
Message-ID: <20081003114640.GA29831@srv03.cluenet.de>

On Thu, Oct 02, 2008 at 07:15:19PM -0700, Irfan Siddiqui wrote:
> I don't think this is possible on 720X you have to read it off of chassis

Indeed. We resorted to configure the chassis sticker ID as "snmp-server chassis-id" manually. We found no electronic way, not up to NPE-G1.

Best regards,
Daniel

-- 
CLUE-RIPE -- Jabber: dr at cluenet.de -- dr at IRCnet -- PGP: 0xA85C8AA0

From trejrco at gmail.com Fri Oct 3 08:21:43 2008
From: trejrco at gmail.com (trejrco at gmail.com)
Date: Fri, 3 Oct 2008 12:21:43 +0000
Subject: [c-nsp] Failed to locate egress interface for UDP
Message-ID: <1872284132-1223036404-cardhu_decombobulator_blackberry.rim.net-690591152-@bxe025.bisx.prod.on.blackberry>

FWIW - FF02::1:2 to UDP/547 is a DHCPv6 solicit (or information request) ... And the ASA probably doesn't have relaying configured (or, at least, doesn't know where the server is)

HTH
/TJ

------Original Message------
From: Jay Hennigan
Sender: cisco-nsp-bounces at puck.nether.net
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Failed to locate egress interface for UDP
Sent: Oct 3, 2008 01:28

Bagosi R?me? wrote:
> Hi,
>
> Anybody ever seen this message:
> %ASA-6-110002: Failed to locate egress interface for UDP from inside:fe80::21f:29ff:fe1c:fa11/546 to ff02::1:2/547
> This message is logged every 2 minutes...

You have a Hewlett-Packard device with a MAC address 001f:291c:fa11 that has IPv6 enabled. It is trying to autodiscover its network settings. The ASA is probably not properly set up to handle IPv6.

-- 
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

Sent from my Verizon Wireless BlackBerry

From thegameiam at yahoo.com Fri Oct 3 08:03:13 2008
From: thegameiam at yahoo.com (David Barak)
Date: Fri, 3 Oct 2008 05:03:13 -0700 (PDT)
Subject: [c-nsp] problem with serial number on cisco 7200 routers /maintenance contract
In-Reply-To: <20081003114640.GA29831@srv03.cluenet.de>
Message-ID: <484628.97711.qm@web31809.mail.mud.yahoo.com>

I can confirm that this appears to be true of NPE-G2s as well.

David Barak

Daniel Roesen wrote:
> On Thu, Oct 02, 2008 at 07:15:19PM -0700, Irfan Siddiqui wrote:
>> I don't think this is possible on 720X you have to read it off of chassis
> Indeed. We resorted to configure the chassis sticker ID as "snmp-server
> chassis-id" manually. We found no electronic way, not up to NPE-G1.
> Best regards,
> Daniel

From euang+cisco-nsp at lists.eusahues.co.uk Fri Oct 3 08:35:12 2008
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Fri, 3 Oct 2008 13:35:12 +0100
Subject: [c-nsp] Etherchannel Load Balancing
In-Reply-To: <20081003113931.GE1132@lboro.ac.uk>
References: <6035F53AE8EC48F281806CA81C52B03C@PCArr2007MP> <20081003113931.GE1132@lboro.ac.uk>
Message-ID: <20081003123512.GA20494@hyperion.eusahues.co.uk>

On Fri, Oct 03, 2008 at 12:39:31PM +0100, A.L.M.Buxey at lboro.ac.uk wrote:
> configuration of your network... eg, in this case,
> if a server is on the network and all clients
> are on a different network, then as far as the cisco
> is aware, then all traffic in that scenario will
> look the same to the load balancer (source IP = server,
> dest IP = router/gateway address).

Dest IP wouldn't be router/gateway, it would be the client IPs (multiple client IPs in your example, so should load balance ok with src-dst-ip).

Fair point for src/dst MAC when the hash is src-dst-mac though.

-- 
Euan

From victor.lyapunov at gmail.com Fri Oct 3 10:54:31 2008
From: victor.lyapunov at gmail.com (Victor Lyapunov)
Date: Fri, 3 Oct 2008 17:54:31 +0300
Subject: [c-nsp] ACL vs IP verify unicast: TCAM entries
Message-ID:

Hello All

At work we have a network of BRAS for PPP termination, consisting of Juniper ERX and Cisco 10k. I was wondering what is the most efficient way to filter incoming subscriber traffic. We would like to verify that incoming subscriber traffic is indeed sourced from the IP that we assigned to them.
We can achieve this by either:

- Creating an ACL that is common for every subscriber (same for all routers) that allows incoming traffic originating from the address ranges that are assigned to us. This would create an incoming ACL with roughly 24 entries that would be applied to the Virtual-Access interfaces.
- Activating "ip verify unicast" in the virtual-template interface

What is the mechanism employed by "ip verify unicast"? Does it create on-the-fly an ACL for each interface that it is applied to containing in my case just one entry that matches the network address of the interface? In this case in a typical BRAS terminating 16000 users would require 16000 dynamically created unique ACLs (or policy-lists in the ERX).

Obviously from a security perspective "ip verify unicast" seems to be the optimal solution but would consume more memory / CAM entries in ERX case. If our primary concern is keeping the load in the routers low, should "ip verify unicast" be considered the best solution?

From your experience does applying an ACL with one entry create less load than an ACL with 24? (in theory all entries should be processed in parallel)

Any help is welcomed

From method at b.astral.ro Fri Oct 3 11:33:07 2008
From: method at b.astral.ro (Dan)
Date: Fri, 03 Oct 2008 18:33:07 +0300
Subject: [c-nsp] Cisco Pix. Global command
In-Reply-To: <312212.683.qm@web110406.mail.gq1.yahoo.com>
References: <312212.683.qm@web110406.mail.gq1.yahoo.com>
Message-ID: <48E63B33.9040905@b.astral.ro>

global (outside) 2 interface

Dan

John Ramz wrote:
> OS 7
>
> I only have 2 Public Ip addresses:
>
> 2.1.1.2: In the Router
> 2.1.1.3
>
> I am configuring this firewall very basic:
>
> Ethernet0: outside Ip address: 2.1.1.3
> Ethernet1: inside Ip address: 192.168.254.253
>
> global (outside) 1 2.1.1.3
> nat (inside) 1 192.168.254.0 255.255.255.0 0 0
> route external 0.0.0.0 0.0.0.0 2.1.1.2 1
>
> access-list outbound permit tcp 192.168.254.0 255.255.255.0 any eq 80
> access-group outbound in interface inside
>
> You might point out something else if you think it is needed. Since I only have 2 Public Ip addresses, can I use the outside interface ip address for the global command?
>
> Thanks
>
> John

From euang+cisco-nsp at lists.eusahues.co.uk Fri Oct 3 11:46:16 2008
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Fri, 3 Oct 2008 16:46:16 +0100
Subject: [c-nsp] ACL vs IP verify unicast: TCAM entries
In-Reply-To:
References:
Message-ID: <20081003154616.GB20494@hyperion.eusahues.co.uk>

On Fri, Oct 03, 2008 at 05:54:31PM +0300, Victor Lyapunov wrote:
> -Creating an ACL that is common for every subscriber (same for all routers)
> that allows incoming traffic
> originating from the address ranges that are assigned to us. This would
> create an incoming ACL with
> roughly 24 entries that would be applied to the Virtual-Access interfaces.

And would allow any user to spoof the IP of any other user. Better than nothing, but not as good as it could be.
If you already have an access list there (iACL?), then extending it may / may not be less expensive (for some value of expensive. Devel time / resource utilisation on device / whatever) than deploying uRPF.

> -Activating "ip verify unicast" in the virtual-template interface

Yup... ip verify unicast source reachable-via rx on the virtual-template, and you're done. Impact on a 10K... no idea. Like a lot of things on a 10K, probably it works fine with no performance impact, or blows up horribly (no idea).

> What is the mechanism employed by "ip verify unicast"? Does it create
> on-the-fly an ACL for each
> interface that it is applied to containing in my case just one entry that
> matches the network address
> of the interface?

uRPF is not ACLs, and is really well documented. first couple of hits on google for "Cisco uRPF" are good ones. http://www.cisco.com/web/about/security/intelligence/unicast-rpf.html nicely shows the logic of what it does.... To quote (for strict as that's what you would be wanting)...

if the source address best path for a prefix is via the source interface
    pass the packet
else if the source is 0.0.0.0 and destination is 255.255.255.255 /* BOOTP and DHCP */
    pass the packet
else if destination is multicast
    pass the packet
else if packet matches
    pass the packet
else
    drop the packet

> In this case in a typical BRAS terminating 16000 users
> would require 16000 dynamically
> created unique ACLs (or policy-lists in the ERX).

uRPF on the access ports is how you do the anti spoofing without nasty script created (or dynamic from authentication system) ACLs.

> Obviously from a security perspective "ip verify unicast" seems to be the
> optimal solution but would
> consume more memory / CAM entries in ERX case. If our primary concern is
> keeping the load in the

Doesn't work like that on the ciscos. Doubt it works like that on an ERX (ip sa-validate ?)

> routers low, should "ip verify unicast" be considered the best solution?

"Yes"

> From your experience does applying
> an ACL with one entry create less load than an ACL with 24? (in theory all
> entries should be processed in parallel)

On a 10K - no idea. For the more general case, see the recent discussion on normal vs compiled/Turbo ACLs vs "doing it in hardware". Don't think anyone chipped in on 10K PXF ACL handling in that thread mind you ;-)

-- 
Euan Galloway

From p.mayers at imperial.ac.uk Fri Oct 3 12:15:47 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 03 Oct 2008 17:15:47 +0100
Subject: [c-nsp] ACL vs IP verify unicast: TCAM entries
In-Reply-To:
References:
Message-ID: <48E64533.7020702@imperial.ac.uk>

> What is the mechanism employed by "ip verify unicast"? Does it create
> on-the-fly an ACL for each
> interface that it is applied to containing in my case just one entry that
> matches the network address
> of the interface? In this case in a typical BRAS terminating 16000 users
> would require 16000 dynamically
> created unique ACLs (or policy-lists in the ERX).

I do not think it works like that on Cisco kit. I think it basically does this:

output_interfaces = cef_lookup(src)
if input_interface in output_interfaces:
    forward
else:
    drop

...that is, each packet effectively has 2 route lookups; one on the source IP to check the packet has come in on a valid interface, then a 2nd on the destination IP to actually forward the packet.

I have no idea what the ERX does - best ask on a Juniper list.

I would recommend using uRPF unless you have a compelling reason not to.

From awain567 at yahoo.com Fri Oct 3 12:07:38 2008
From: awain567 at yahoo.com (Alex Wa)
Date: Fri, 3 Oct 2008 09:07:38 -0700 (PDT)
Subject: [c-nsp] NAT timeout
In-Reply-To: <20081003012045.GA7069@rtp-cse-489.cisco.com>
Message-ID: <230320.72344.qm@web58006.mail.re3.yahoo.com>

Thank you, guys, for sharing your knowledge. I will research about EEM applet and will apply the solution.

alejandro wainshtok
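As an added example (not code from any of the posts in the "ACL vs IP verify unicast" thread above), here is the strict uRPF decision that Euan's quoted pseudocode and Phil Mayers' two-lookup sketch describe, in Python, beside the 24-entry "our address ranges" ACL it is being compared with. The FIB, the interface names and every address below are constructed for illustration; the handling of the default route is modelled on the IOS `allow-default` keyword.

```python
# Added example, not code from the thread: strict uRPF ("ip verify unicast
# source reachable-via rx") modelled on the pseudocode quoted above, next to the
# provider-ranges ACL it is being compared with. FIB, interfaces and addresses
# are constructed for illustration.
import ipaddress
from typing import Callable, List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network

# Constructed FIB: (prefix, outgoing interface). On a BRAS every PPP session
# installs a /32 host route for the address it was assigned, pointing at that
# subscriber's own Virtual-Access interface.
FIB: List[Tuple[IPv4Net, str]] = [
    (ipaddress.ip_network("0.0.0.0/0"), "GigabitEthernet0/0"),     # default via uplink
    (ipaddress.ip_network("10.20.0.0/16"), "GigabitEthernet0/0"),  # provider range, from core
    (ipaddress.ip_network("10.20.30.5/32"), "Virtual-Access1"),    # subscriber A
    (ipaddress.ip_network("10.20.30.6/32"), "Virtual-Access2"),    # subscriber B
]

# Constructed stand-in for the common ACL: the provider's own ranges, applied
# identically on every Virtual-Access interface.
PROVIDER_RANGES: List[IPv4Net] = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.21.0.0/16"),
]


def cef_lookup(addr: str) -> Tuple[Optional[IPv4Net], List[str]]:
    """Longest-prefix match on the FIB. Returns the winning prefix and the
    interface(s) of its best path (several when equal-cost paths exist)."""
    ip = ipaddress.ip_address(addr)
    best: Optional[IPv4Net] = None
    ifaces: List[str] = []
    for prefix, iface in FIB:
        if ip not in prefix:
            continue
        if best is None or prefix.prefixlen > best.prefixlen:
            best, ifaces = prefix, [iface]
        elif prefix.prefixlen == best.prefixlen:
            ifaces.append(iface)
    return best, ifaces


def acl_permit(src: str) -> bool:
    """The shared ACL: permit anything sourced from our ranges. It cannot
    tell one subscriber's address from another's, which is Euan's point."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in PROVIDER_RANGES)


def urpf_strict(src: str, dst: str, in_iface: str,
                allow_default: bool = False,
                exempt: Optional[Callable[[str], bool]] = None) -> str:
    """Return 'pass' or 'drop' following the strict-mode logic quoted above:
    the source's best path must point back out the ingress interface. As on
    IOS, the default route only satisfies the check when allow_default is set
    ('allow-default' keyword); 'exempt' plays the optional ACL."""
    best, ifaces = cef_lookup(src)
    if best is not None and in_iface in ifaces:
        if best.prefixlen > 0 or allow_default:
            return "pass"
    if src == "0.0.0.0" and dst == "255.255.255.255":   # BOOTP / DHCP
        return "pass"
    if ipaddress.ip_address(dst).is_multicast:
        return "pass"
    if exempt is not None and exempt(src):
        return "pass"
    return "drop"


def compare(src: str, dst: str, in_iface: str) -> Tuple[str, str]:
    """(ACL verdict, strict uRPF verdict) for one packet, side by side."""
    acl = "pass" if acl_permit(src) else "drop"
    return acl, urpf_strict(src, dst, in_iface)


if __name__ == "__main__":
    # Constructed packets: (src, dst, ingress interface, what they represent)
    samples = [
        ("10.20.30.5", "198.51.100.10", "Virtual-Access1", "subscriber A, own address"),
        ("10.20.30.6", "198.51.100.10", "Virtual-Access1", "subscriber A using B's address"),
        ("10.21.7.7", "198.51.100.10", "Virtual-Access1", "subscriber A using another provider range"),
        ("0.0.0.0", "255.255.255.255", "Virtual-Access1", "DHCP discover"),
        ("192.0.2.9", "10.20.30.5", "GigabitEthernet0/0", "from the Internet, default route only"),
    ]
    for src, dst, iface, what in samples:
        acl, urpf = compare(src, dst, iface)
        print(f"{what:45s} ACL={acl:4s} uRPF={urpf}")
```

The second and third sample packets are the ones the 24-entry ACL passes and strict uRPF drops; the last one shows why strict mode on an uplink that only carries a default route needs `allow-default` (or loose mode) to pass anything.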
--- On Thu, 10/2/08, Rodney Dunn wrote:

From: Rodney Dunn
Subject: Re: [c-nsp] NAT timeout
To: "Alex Wa"
Cc: cisco-nsp at puck.nether.net
Date: Thursday, October 2, 2008, 6:20 PM

The only solution is to hook an EEM applet to that IP SLA probe /track as a trigger and do "clear ip nat trans *" when the failover and recovery happens.

It's because of the way the translation is used in the forwarding path over the FIB table after the reconvergence.

Rodney

On Thu, Oct 02, 2008 at 02:26:04PM -0700, Alex Wa wrote:
> Hi guys,
>
> We have a router configured to work with 2 ISPs, one of them through a satellite link. This particular link is being monitored with ip sla and track commands. When this link fails the default route is deleted automatically from the routing table, and the backup default route is then installed. We also use automatic NAT failover. The problem is that some inside servers that always go to the same destination IP/PORT get NATed in the moment the backup link is up, and when the primary comes up they go to the internet with the source address equal to the backup outside interface. This NAT "lease" stays for days because these particular servers are doing icmp every 10 seconds. That causes asymmetric routing, packets going out through one link and returning through the other. When we flush NAT translations everything returns to normal, of course, but we don't want to have to do it manually. The question is: do we need to reduce NAT icmp timeout to less than 10 seconds or is there another solution? I can provide the config if you guys need it.
>
> regards,
> Alejandro wainshtok

From James.Munroe at gnb.ca Fri Oct 3 15:13:29 2008
From: James.Munroe at gnb.ca (Munroe, James (DSS/MAS))
Date: Fri, 3 Oct 2008 16:13:29 -0300
Subject: [c-nsp] looking for ideas on configuring HQos egress shaping on ES20G cards in 7600
Message-ID: <458B3EC21E4A3044998E917199AACB2FE12586@GNBEX02.gnb.ca>

Hello,

I'm looking for anyone who might have any recommendations from similar setups they've done with H-Qos on ES20 linecards providing aggregate shaping to remote sites made up of multiple VLANs.

Here's my scenario, looking to create H-Qos egress service policy on an ES20G 1GE interface to shape multiple sub-interfaces as a single aggregate shaper per site. Basically each site is a combination of multiple assigned VLANs with a 1GE headend and the remotes are either 10 or 100Mbps accesses.

For example:

interface GigabitEthernet8/0/1
 description * Main Interface *
!
interface GigabitEthernet8/0/1.10
 description * Site # 1 - VLAN 10 #
 encapsulation dot1Q 10
 ip vrf forwarding site1
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet8/0/1.11
 description * Site # 1 - VLAN 11 #
 encapsulation dot1Q 11
 ip vrf forwarding site1
 ip address 10.1.11.1 255.255.255.0
!
interface GigabitEthernet8/0/1.12
 description * Site # 1 - VLAN 12 #
 encapsulation dot1Q 12
 ip vrf forwarding site1
 ip address 10.1.12.1 255.255.255.0
!
interface GigabitEthernet8/0/1.20
 description * Site # 2 - VLAN 20 #
 encapsulation dot1Q 20
 ip vrf forwarding site2
 ip address 10.1.20.1 255.255.255.0
!
interface GigabitEthernet8/0/1.21
 description * Site # 2 - VLAN 21 #
 encapsulation dot1Q 21
 ip vrf forwarding site2
!
interface GigabitEthernet8/0/1.22
 description * Site # 2 - VLAN 22 #
 encapsulation dot1Q 22
 ip vrf forwarding site2
 ip address 10.1.22.1 255.255.255.0
!
Site #1 is made up of VLAN 10,11,12 and Site #2 is made of VLAN 20,21,22. My goal is to apply a H-Qos service policy that shapes the site VLAN groups to not exceed the access speed to the remote. VLANs 10-12 for site #1 would not exceed a combined shaper of 10Mbps where VLANs 20-22 for site #2 would not exceed a combined shaper of 100Mbps. The main interface Gi8/0/1 is a 1GE interface.

Any input or suggestions would be greatly appreciated.

Thanks,
Jim

From jmb287 at gmail.com Fri Oct 3 17:11:51 2008
From: jmb287 at gmail.com (Mike Brown)
Date: Fri, 3 Oct 2008 15:11:51 -0600
Subject: [c-nsp] Need urgent help with a Cisco/StrataCom BPX 8600
Message-ID: <1a85d2430810031411r1afd761clda9258e6d08f56da@mail.gmail.com>

Hi,

We have an 8600 that has a 12 port DS3 card and at present we split up various VPI's to different DS3 ports. This has been working for some time. We just added an OC3 card to the unit and that will tie to the Qwest cloud. When trying to build a connection between a PVC on the OC3 card to a DS3 port we can't seem to pass traffic.

I'd really appreciate it if anyone on the list has experience with this box and could help with troubleshooting this problem. I'd be willing to paypal or similar for the time spent.

thanks
john

From ml at t-b-o-h.net Fri Oct 3 16:52:18 2008
From: ml at t-b-o-h.net (Tuc at T-B-O-H)
Date: Fri, 3 Oct 2008 16:52:18 -0400 (EDT)
Subject: [c-nsp] NAT timeout
In-Reply-To: <230320.72344.qm@web58006.mail.re3.yahoo.com> from "Alex Wa" at Oct 03, 2008 09:07:38 AM
Message-ID: <200810032052.m93KqI30044420@vjofn.tucs-beachin-obx-house.com>

We do something like that, except it's linked to the syslog pattern....

event manager applet TRACKING_CHANGE
 event syslog pattern "TRACKING-5-STATE"
 action 1.0 cli command "enable"
 action 1.1 cli command "clear ip nat translation forced"
 action 2.0 syslog msg "Change ocurred on NAT TRANS"
!

Works nice for the most part. Our VPNs get pissy for a bit, but oh well.

		Tuc/TBOH

> Thank you, guys, for sharing your knowledge. I will research about EEM applet and will apply the solution.
>
> alejandro wainshtok
>
> --- On Thu, 10/2/08, Rodney Dunn wrote:
>
> The only solution is to hook an EEM applet to that IP SLA probe
> /track as a trigger and do "clear ip nat trans *" when the failover
> and recovery happens.
>
> It's because of the way the translation is used in the forwarding path
> over the FIB table after the reconvergence.
>
> Rodney

From philxor at gmail.com Sat Oct 4 01:26:43 2008
From: philxor at gmail.com (Phil Bedard)
Date: Sat, 4 Oct 2008 01:26:43 -0400
Subject: [c-nsp] L2 control protocol tunneling
Message-ID:

Hi, does anyone know if there is a way to get a Cisco switch to ignore STP BPDUs and simply pass them through the box, apart from L2CP tunneling?

We have a scenario where we have a customer 6500 connected to an Ethernet NID device which is doing QinQ that is then connected to a 4507 which aggregates VLANs to another device that does EoMPLS on a per-vlan basis. The customer would like to run PVST+ across this connection. We cannot participate in their STP since the NID is adding another VLAN tag to their incoming packets. This doesn't seem like enough to make the Cisco pass the BPDUs through the switch...
Phil

From oboehmer at cisco.com Sat Oct 4 05:07:28 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 4 Oct 2008 11:07:28 +0200
Subject: [c-nsp] Virtual Interface to the Internet
In-Reply-To: <01fc01c92543$33dc4540$660a0a0a@oneunified.local>
References: <8B25B862BC09784B9B74FB950D4F64D406C9FB@qcnapp01.corp.qcn> <01ea01c92508$595a3560$660a0a0a@oneunified.local> <70B7A1CCBFA5C649BD562B6D9F7ED7840620506D@xmb-ams-333.emea.cisco.com> <01fc01c92543$33dc4540$660a0a0a@oneunified.local>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784062052FF@xmb-ams-333.emea.cisco.com>

Ray Burkholder <> wrote on Friday, October 03, 2008 12:32 PM:

>> Hmm, so your requirement is to limit (shape/police) the
>> amount of BW the customer can use towards the Internet, and
>> impose no limits for Site A<-->B traffic? If that's the case,
>> I guess there is no real nice (and
>> scalable) solution.
>>
>
> That is pretty much it in a nutshell.
>
> Afterwards, I was doing some reading on BVI. Can a BVI join two
> L2TPV3 tunnels.

Not directly, you would need to terminate the tunnels on the neighbor and put each of them into an Ethernet interface, and run this to the BVI router. However: You would then also carry all Site A<-->B traffic across this node, which could be sub-optimal.

I would solve this using accounting..

	oli

From kharananda at subisu.net.np Sun Oct 5 03:19:23 2008
From: kharananda at subisu.net.np (kharananda)
Date: Sun, 05 Oct 2008 13:04:23 +0545
Subject: [c-nsp] MPLS L2vpn problem (vlan impossition)
Message-ID: <48E86A7B.8010309@subisu.net.np>

Dear All,

I have been trying to do MPLS L2VPN Over GRE for few days. It is subinterface based l2vpn. Below goes my Network scenario.

                     OSPF over GRE Tunnel
      ................................................
      .                                              .
  VXR-7200-A ---------- Cisco 2600 ---------- VXR-7200-B
      | dot1q                                      | dot1q
      | mpls l2transport route lo VXR-B            | mpls l2transport route lo-VXR-A
      |  (route carried by OSPF through Tunnel)    |
  Cisco 2950                                   Cisco 2950
      |                                            |
  PC1 (192.168.1.1/30)                        PC2 (192.168.1.2/30)

I am getting a weird problem. I can ping the VLAN network across MPLS l2vpn, i.e. from PC1 to PC2, for about 5 to 7 minutes and it stops automatically and never comes back up. Everything else seems OK. mpls ldp neighbor, mpls forwarding database, VCs status, GRE Tunnels, OSPF routes are all OK even when I am unable to ping PCs.

I am using Cisco IOS 12.4-2(T) on the VXRs. Is there any BUG for Cisco IOS I am using? If so, please suggest me the bug free IOS for its implementation.

'debug mpls l2transport packets error' showed error report of "ATOM-Eth VLAN imposition: in Nu0, circuit id 110 size 68 packet dropped, Fixup failed". But this report persists even when I am able to ping PC1 to PC2 (for 5 to 7 minutes).

My MPLS L2VPN is sub-interface based. Any help in this regards is highly appreciable.

Configuration details.

At VXR-7200-A

mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
interface Loopback0
 ip address 172.22.0.129 255.255.255.255
 ip ospf 1 area 20
!
interface Tunnel0
 description #### GRE Tunnel ####
 ip address 172.22.15.129 255.255.255.252
 ip ospf cost 100
 ip ospf 1 area 20
 mpls label protocol ldp
 mpls ip
 tunnel source FastEthernet1/0
 tunnel destination 202.70.75.165
!
interface FastEthernet1/0
 description ### Connected To Cisco 2600 ####
 ip address 202.70.77.14 255.255.255.248
!
interface FastEthernet1/1.110
 description ### Connected Cisco Switch ###
 encapsulation dot1q 110
 mpls l2transport route 172.22.16.1 110
!
ip route 202.70.75.164 255.255.255.252 202.70.77.9

At VXR-7200-B

mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
interface Loopback0
 ip address 172.22.16.1 255.255.255.255
 ip ospf 1 area 20
!
interface Tunnel0
 description #### GRE Tunnel ####
 ip address 172.22.15.130 255.255.255.252
 ip ospf cost 100
 ip ospf 1 area 20
 mpls label protocol ldp
 mpls ip
 tunnel source FastEthernet1/1
 tunnel destination 202.70.77.14
!
interface FastEthernet1/1
 description **** Connected To Cisco 2600 ****
 ip address 202.70.75.165 255.255.255.248
 ip route-cache flow
 duplex full
 no cdp enable
!
interface FastEthernet1/0.110
 description ### Connected To Cisco Switch Below ###
 encapsulation dot1Q 90
 mpls l2transport route 172.22.0.129 110
!
ip route 202.70.77.8 255.255.255.248 202.70.75.166

At Cisco 2600

interface FastEthernet1/1
 description **** Connected To VXR-7200-A ****
 ip address 202.70.77.9 255.255.255.248
!
interface FastEthernet0/0
 description **** Connected To VXR-7200-B ****
 ip address 202.70.75.166 255.255.255.252

Regards,
Khara Nanda Luitel
Subisu Cable Net Pvt Ltd
Nepal.

From steven_mark_99 at yahoo.com Sun Oct 5 07:03:55 2008
From: steven_mark_99 at yahoo.com (Steven Mark)
Date: Sun, 5 Oct 2008 04:03:55 -0700 (PDT)
Subject: [c-nsp] Modifying ACLs on production router
Message-ID: <773303.33048.qm@web63403.mail.re1.yahoo.com>

Does anyone know if modifying ACLs (RACL/VACL) that are applied to an interface will cause any traffic disruption?
On a different note, does using lock-and-key ACL cause the packet to be sent to software instead of it being completely switched in hardware?

Thanks
Steve

From kharananda at subisu.net.np Sun Oct 5 07:19:59 2008
From: kharananda at subisu.net.np (kharananda at subisu.net.np)
Date: Sun, 5 Oct 2008 17:04:59 +0545 (NPT)
Subject: [c-nsp] MPLS L2VPN Problem (Vlan Imposition)
Message-ID: <2945.116.66.192.39.1223205599.squirrel@mail.subisu.net.np>

Dear All,

I have been trying to do MPLS L2VPN Over GRE for a few days. It is sub-interface (dot1Q) based l2vpn. Below goes my network scenario.

[Diagram: VXR-7200-A and VXR-7200-B connected by MPLS over GRE, with the MPLS L2VPN running across it.]

I am getting a weird problem. I can ping the VLAN network across the MPLS l2vpn for about 5 to 7 minutes and then it stops automatically and never comes back up. Everything else seems OK: mpls ldp neighbor, mpls forwarding database, VC status, GRE Tunnels, OSPF routes are all OK even when I am unable to ping the vlan network (IPs) through the l2vpn.

"Debug mpls l2trasport packets error" showed error report of "ATOM-Eth VLAN imposition: in Nu0, ciruit id 110 size 68 packet dropped, Fixup failed". WHAT ACTUALLY IS IT???

I am using Cisco IOS 12.4-2(T) on the VXR 7200 (NPE 300). Is there any BUG for the Cisco IOS I am using? If so, please suggest me the bug-free IOS for its implementation.

But this error report (Vlan Imposition) persists even when I am able to ping the vlan across the l2vpn (for 5 to 7 minutes). My MPLS L2VPN is sub-interface (dot1Q on sub-interface) based.

Any help in this regard is highly appreciated.

Configuration details are given below.

At VXR-7200-A:

mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
interface Loopback0
 ip address 172.22.0.129 255.255.255.255
 ip ospf 1 area 20
!
interface Tunnel0
 description #### GRE Tunnel ####
 ip address 172.22.15.129 255.255.255.252
 ip ospf cost 100
 ip ospf 1 area 20
 mpls label protocol ldp
 mpls ip
 tunnel source FastEthernet1/0
 tunnel destination 202.70.75.165
!
interface FastEthernet1/1.110
 description ### Connected Cisco Switch trunk ###
 encapsulation dot1q 110
 mpls l2transport route 172.22.16.1 110

At VXR-7200-B:

mpls ip
mpls label protocol ldp
mpls ldp router-id loopback 0
!
interface Loopback0
 ip address 172.22.16.1 255.255.255.255
 ip ospf 1 area 20
!
interface Tunnel0
 description #### GRE Tunnel ####
 ip address 172.22.15.130 255.255.255.252
 ip ospf cost 100
 ip ospf 1 area 20
 mpls label protocol ldp
 mpls ip
 tunnel source FastEthernet1/1
 tunnel destination 202.70.77.14
!
interface FastEthernet1/0.110
 description ### Connected To Cisco Switch trunk ###
 encapsulation dot1Q 90
 mpls l2transport route 172.22.0.129 110

Regards,
Khara Nanda Luitel
Subisu Cable Net Pvt Ltd
Nepal.

From eravin at panix.com Sun Oct 5 08:21:40 2008
From: eravin at panix.com (Ed Ravin)
Date: Sun, 5 Oct 2008 08:21:40 -0400
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <773303.33048.qm@web63403.mail.re1.yahoo.com>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com>
Message-ID: <20081005122140.GA923@panix.com>

On Sun, Oct 05, 2008 at 04:03:55AM -0700, Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied
> to an interface will cause any traffic disruption?

Depends on how you do it and what you call "traffic disruption". If you append to the ACL while it is still applied to an interface, then that might not disrupt anything. If you delete the ACL and then begin adding statements back in one by one while it is still applied to the interface, then you may have periods of too much or too little traffic being passed across the interface until the ACL is complete.
If the ACL affects the interface that you're managing the router from, you might find yourself locked out of the router when the partial ACL blocks more traffic than you want. My "aclmaker" script, which lets you manage Cisco ACLS by editing local files on a Unix system, automatically updates ACLs for you with the minimum disruption. Requires Unix/Linux, Perl, and a couple of Perl modules: http://www.panix.com/~eravin/aclmaker-1.04rc1 aclmaker updates an ACL by first uploading the new ACL into the router with a "test-xxxx" name. If the router doesn't complain about syntax problems, the script then removes the original ACL from any interfaces it is applied to and applies the test ACL. Then the script deletes the original ACL and uploads the new ACL with the original name, and then it removes the test-xxxx ACL from the interface(s) and applies the original ACL. This leaves two short windows when the interface has no ACL applied, but since the script is doing all the work automatically those windows are as brief as possible. -- Ed From gert at greenie.muc.de Sun Oct 5 12:24:12 2008 From: gert at greenie.muc.de (Gert Doering) Date: Sun, 5 Oct 2008 18:24:12 +0200 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <20081005122140.GA923@panix.com> References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> Message-ID: <20081005162412.GF17238@greenie.muc.de> Hi, On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote: > If the router doesn't complain about syntax > problems, the script then removes the original ACL from any interfaces > it is applied to and applies the test ACL. Then the script deletes the > original ACL and uploads the new ACL with the original name, and then it > removes the test-xxxx ACL from the interface(s) and applies the original ACL. > > This leaves two short windows when the interface has no ACL applied, but I'm wondering if there is any deeper necessity for removing the old ACL from the interface? 
In the cases that I've changed ACLs on an interface, I normally just configure the new ACL - and given that Cisco can only have one IP ACL (per direction) on each interface, this automatically and atomically removes the old ACL...

But you might have seen more pathological cases, where things fail in interesting ways - which is why I'm curious.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany   gert at greenie.muc.de
fax: +49-89-35655025   gert at net.informatik.tu-muenchen.de

From zivl at gilat.net Sun Oct 5 12:54:18 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 5 Oct 2008 18:54:18 +0200
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <20081005162412.GF17238@greenie.muc.de>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de>
Message-ID:

Also, in relatively new IOS (last 2-3 years) there's always a possibility to edit an active ACL; I also do it when I need to change/remove/add a line.

When you want to see what an ACL contains you do "sh access-list 99", right? And you get something like

access-list 99 deny x.x.x.x
access-list 99 permit y.y.y.y

Or "sh access-list 100" gives you

access-list 100 deny ip host x.x.x.x any
access-list 100 permit ip host y.y.y.y any

If you use the command "sh ip access-list 99" or "sh ip access-list 100" instead, you'll get something like this:

Standard IP access list 99
    10 deny x.x.x.x
    20 permit y.y.y.y
Extended IP access list 100
    10 deny ip host x.x.x.x any
    20 permit ip host y.y.y.y any

And so on...

Now, if you want to delete a line, all you need is to do this:

conf t
 ip access-list standard 99
  no 20

or if you want to add something that MUST be logically inserted in between the two existing lines, you can begin the line with any number that is between the current lines' numbers, e.g.

ip access-list extended 100
 15 permit ip x.x.x.0 0.0.0.255 any
 21 permit udp z.z.z.z 0.0.0.255 any eq 53

This will yield an "on the fly" edited ACL that looks like this:

sh ip access-list 100
Extended IP access list 100
    10 deny ip host x.x.x.x any
    15 permit ip x.x.x.0 0.0.0.255 any
    20 permit ip host y.y.y.y any
    21 permit udp z.z.z.z 0.0.0.255 any eq 53

I hope I've made myself clear enough and that this helps someone.

Ziv

From eravin at panix.com Sun Oct 5 14:38:26 2008
From: eravin at panix.com (Ed Ravin)
Date: Sun, 5 Oct 2008 14:38:26 -0400
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <20081005162412.GF17238@greenie.muc.de>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de>
Message-ID: <20081005183826.GA24902@panix.com>

On Sun, Oct 05, 2008 at 06:24:12PM +0200, Gert Doering wrote:
> On Sun, Oct 05, 2008 at 08:21:40AM -0400, Ed Ravin wrote:
> > If the router doesn't complain about syntax
> > problems, the script then removes the original ACL from any interfaces
> > it is applied to and applies the test ACL. Then the script deletes the
> > original ACL and uploads the new ACL with the original name, and then it
> > removes the test-xxxx ACL from the interface(s) and applies the original ACL.
> >
> > This leaves two short windows when the interface has no ACL applied, but
>
> I'm wondering if there is any deeper necessity for removing the old ACL
> from the interface? In the cases that I've changed ACLs on an interface,
> I normally just configure the new ACL - and given that Cisco can only
> have one IP ACL (per direction) on each interface, this automatically
> and atomically removes the old ACL...

Hmmm. Has that always worked, even in IOS 11 and early 12.1 environments? I don't remember whether I tried that when I first started developing aclmaker back in 2002.
-- Ed

From MatlockK at exempla.org Sun Oct 5 14:37:34 2008
From: MatlockK at exempla.org (Matlock, Kenneth L)
Date: Sun, 5 Oct 2008 12:37:34 -0600
Subject: [c-nsp] Modifying ACLs on production router
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de>
Message-ID: <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>

I'm not sure about these days, but I got bit before when changing an ACL on a remote device.

If you have an access-list on an interface, and that access-list didn't exist, then it got interpreted as a 'permit ip any any'. As soon as you add the first line of the ACL, it then becomes a default of 'deny ip any any' after the line you put in. So if you remove an access-list, and put the lines back in, during the timeframe between the first line and the last it will affect production traffic. (Or in my case, I was modifying an ACL in the interface 'closest' to me, and when the first line got added it cut off all my management traffic....)

So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.

Ken Matlock
Network Analyst
Exempla Healthcare
matlockk at exempla.org

From Grzegorz at Janoszka.pl Sun Oct 5 14:58:41 2008
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Sun, 05 Oct 2008 20:58:41 +0200
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
Message-ID: <48E90E61.9010109@Janoszka.pl>

Matlock, Kenneth L wrote:
> So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.

The simplest thing is to prepare a file containing "no acl XXX" and then the redefinition of the acl, put it on a tftp server and load it using:

copy tftp://I.P.I.P/acl running-config

You do not need any extra tricks to do it, like temporary acl's and so on.
-- 
Grzegorz Janoszka

From chunt at reachone.com Sun Oct 5 15:00:58 2008
From: chunt at reachone.com (Christopher Hunt)
Date: Sun, 05 Oct 2008 12:00:58 -0700
Subject: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
Message-ID: <48E90EEA.5090305@reachone.com>

For simplicity's sake let's say that I have 2 7206VXRs running advip-12.4(9)T2. They're in separate cities; each has a direct Internet feed plus a L2 feed between them. Each one is a PE, and running L3VPNs for customers. I use OSPF as an IGP.

Everything's working great, but I want to build VPN failover in case the L2 feed between them goes down. Since the backup is a L3 service, MPLSoGRE seems the best option for me. At the same time, I want to encrypt ***at least the customer vrf traffic*** when it uses the L3 MPLSoGRE path.

I'm no wiz with IPSec unfortunately and am struggling to understand the process. I've got the GRE Tunnels up and failing over but can't seem to understand how to encrypt the customer data. See attached configs. Anyone have any pointers?

See http://markmail.org/message/lob467v2oxc6my5x for the original thread.

onward through the fog,
Christopher Hunt

-------- Original Message --------
Subject: [c-nsp] MPLS and IPSEC co-working
From: Oliver Boehmer (oboehmer) (oboe... at cisco.com)
Date: 08/16/2007 09:31:25 AM
List: net.nether.puck.cisco-nsp

> Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
>
> Hi,
>
> Network setup is pretty trivial - three routers running MPLS (LDP
> full-mesh) to support 20+ MPLS VPNs. Tricky part, is that customer is
> asking to secure that infrastructure by running IPSEC (3DES). As far
> as I know, I can not run LDP over Tunnel interfaces, and crypto-maps
> will not help also. Concept of running IPSEC between CPEs doesn't
> make sense, as there are no CPEs :(
>
> Question is - is VRF-Lite plus back-to-back connectivity, like option
> A for inter AS MPLS, the only viable option I have, or I'm missing
> something and there are other, more scalable ways to do it?

well, you can run MPLSoGRE at least on SW-based platforms (like the 7200), haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps.. Not a complete solution, I know..

oli

[Attachment MPLSoGRE-san.txt (the configs referred to above) was scrubbed from the archive.]

From eravin at panix.com Sun Oct 5 15:03:08 2008
From: eravin at panix.com (Ed Ravin)
Date: Sun, 5 Oct 2008 15:03:08 -0400
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
References: <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
Message-ID: <20081005190308.GA11904@panix.com>

On Sun, Oct 05, 2008 at 12:37:34PM -0600, Matlock, Kenneth L wrote:
> If you have an access-list on an interface, and that access-list
> didn't exist then it got interpreted as a 'permit ip any any'. As
> soon as you add the first line of the ACL, it then becomes a default
> of 'deny ip any any' after the line you put in. So if you remove
> an access-list, and put the lines back in, during the timeframe
> between the first line, and the last, it will affect production
> traffic. (Or in my case, I was modifying an ACL in the interface
> 'closest' to me, and when the first line got added it cut off all
> my management traffic....)

Yes, the aclmaker script was written with those scenarios in mind and is very careful to not let that happen when it updates ACLs.

> So from then on, I've always removed the ACL from the interface,
> removed the ACL, rebuilt it, and re-applied it to the interface.
> If you have the lines copied into a clipboard, you can paste the
> stuff in fairly quickly, and not really allow much 'bad' traffic
> in.

The limitations of cut-and-paste were what provoked me to write aclmaker. I had an ACL that kept getting longer and longer - after it got to 150 lines I realized there had to be a better way.

Another better way, especially if you prefer point-and-click stuff, is Telconi Terminal - see http://www.telconi.com/ . They provide a GUI or "craft terminal" interface to Cisco routers. According to the docs, the most recent versions do some smart synchronization with access lists - I recall emailing them about one of the beta versions suggesting they copy aclmaker's strategies.

From steven_mark_99 at yahoo.com Sun Oct 5 16:45:33 2008
From: steven_mark_99 at yahoo.com (Steven Mark)
Date: Sun, 5 Oct 2008 13:45:33 -0700 (PDT)
Subject: [c-nsp] Modifying ACLs on production router
Message-ID: <220682.25297.qm@web63408.mail.re1.yahoo.com>

Folks,

Thanks, very useful information. I like the 'aclmaker' script... intend to use this extensively! Very cool!

From the responses, I see 2 main issues with the Cisco ACL implementation:

1. Losing connection on the interface you are working on

If one connects to the router using the management console (port on MSFC), then this problem would not be there. Isn't it?

2. Erratic behavior when ACLs are being updated

I wonder if IOS can start supporting a 'config commit' process (as I suppose JUNOS does); then applying ACLs on interfaces will become a much easier task. As I understand, in JUNOS if you have to modify/change an ACL, you go to the CLI, make the necessary changes and then just commit. Since JUNOS does make-before-break, in the ASIC the new ACL is installed first and in just one quick swoop the ACL pointer (if you will) is moved to the newly installed ACL.

Not sure what folks think... Nonetheless, really appreciate folks sharing useful info (incl. Telconi terminal). Will give that a shot as well.

Cheers,
Steve

From luan at netcraftsmen.net Sun Oct 5 22:21:31 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Sun, 5 Oct 2008 22:21:31 -0400
Subject: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
In-Reply-To: <48E90EEA.5090305@reachone.com>
References: <48E90EEA.5090305@reachone.com>
Message-ID: <001501c9275a$3f35f350$bda1d9f0$@net>

You could encrypt the GRE tunnel. Everything traversing the tunnel will get encrypted.

On CORE-DIA-1:

crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key cisco address 172.16.0.98
crypto isakmp keepalive 10 4 periodic
!
!
crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile foo
 set transform-set TEST
 set pfs group5
!
!
interface Tunnel0
 ip address 10.0.0.2 255.255.255.252
 ip mtu 1420
 ip tcp adjust-mss 1436
 mpls ip
 mpls mtu 1508
 keepalive 1 3
 tunnel source FastEthernet0/0
 tunnel destination 172.16.0.98
 tunnel protection ipsec profile foo

Just the reverse on the other side.

You, and the original poster, could do IPSEC encryption between CEs of the MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3 suggestion :)): http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html. The CE-to-CE routing remains the same, with added security.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

From justin at justinshore.com Sun Oct 5 22:54:16 2008
From: justin at justinshore.com (Justin Shore)
Date: Sun, 05 Oct 2008 21:54:16 -0500
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org>
Message-ID: <48E97DD8.8080207@justinshore.com>

Matlock, Kenneth L wrote:
> I'm not sure about these days, but I got bit before when changing an ACL on a remote device.
>
> If you have an access-list on an interface, and that access-list didn't exist then it got interpreted as a 'permit ip any any'. As soon as you add the first line of the ACL, it then becomes a default of 'deny ip any any' after the line you put in. So if you remove an access-list, and put the lines back in, during the timeframe between the first line, and the last, it will affect production traffic. (Or in my case, I was modifying an ACL in the interface 'closest' to me, and when the first line got added it cut off all my management traffic....)
>
> So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.
This is what I was going to bring up if no one else said it. An empty ACL does nothing. But as soon as you create the ACL it appends a deny ip any any to the ass end of it. Now I suppose that it's possible to create an IP ACL with line 1 being a permit ip any any and then remove line 1 as soon as everything else is added. That would work. Personally I remove the ACL from each interface that it's applied to, then remove the ACL, re-add the updated ACL and reapply it to all the right interfaces. I keep my major ACLs in text files on my NOC server. I store them in CVS. In these text files I start off with the config needed to remove the ACLs from all the associated interfaces (ready copy and paste to eliminate errors). Then below that is the lines removing the ACL (critical step so that you aren't adding crap to the end of the old ACL, almost certainly with duplicate lines). Then comes the ACL contents. I make a significant amount of comments and notes inline with the config, all commented out with a "!" so I can copy and paste right through the comments without causing any problems. The files ends with the reversal of the first block of config; adding the ACLs back to the interfaces. Were I worried about security and in a situation where I couldn't have any interface unsecured for even a few seconds, I'd do what Gert said and have a pair of ACLs that I swap between. In that case when I add and ACL, "ftth-in" for example, I'd also add a duplicate of it as "temp-ftth-in". Then when I needed to make a change I'd switch the interface to the temp ACL without removing the old access-group lines, modify or replace the regular ACL, and then switch back so I always know what ACL I have on the interface. Then replace the temp ACL with a copy of the current ACL so it's ready to go the next time. All scriptable, all easily doable. The biggest thing is keeping track of which interfaces have been assigned the ACLs you're modifying. 
FEATURE REQUEST We need a sub-command of 'show ip access-list' that tells us what interfaces a given ACL is applied to. Something simple like show ip access-list interfaces We already have 'sh ip access-list interface ' but that requires one to increment through all the interfaces. I just want to know the name/number and direction of an ACL. That's all. That's what we need for easy script processing. Justin From ltd at cisco.com Sun Oct 5 23:10:20 2008 From: ltd at cisco.com (Lincoln Dale) Date: Mon, 06 Oct 2008 14:10:20 +1100 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <773303.33048.qm@web63403.mail.re1.yahoo.com> References: <773303.33048.qm@web63403.mail.re1.yahoo.com> Message-ID: <48E9819C.8050303@cisco.com> Steve, Steven Mark wrote: > Does anyone know if modifying ACLs (RACL/VACL) that are applied to an interface will cause any traffic disruption? > it depends on the Cisco platform and the type of ACL (named/numbered). generally speaking, for "named ACLs", you make changes to them as you wish, and when you 'exit' out of the ACL submode for a named ACL, it gets applied in one hit. the differences in platforms may also cause differences here - particularly if they are h/w based forwarding platforms. for example, NX-OS on N7K by default does "atomic ACL commits", that is, an ACL is applied atomically all at once. there is no 'in between' time between the old ACL being in place & the new one being applied. not all platforms can perform atomic ACLs. some platforms also have a tunable knob for what the default behavior should be while ACL programming is taking place. should it be 'permit' or 'deny'? you decide. some platforms also have the ability to do a 'dry run' or 'verify' that an ACL is possible (h/w table space exists, TCAM resources exist etc, then 'commit' that ACL in one hit. 
finally, if we were looking at what may constitute "best practice", i think it's always advisable to NOT be applying an ACL on the same inband interface that you may be using to manage the box. out-of-band or side-band mgmt paths are advisable here. :) so .. the short answer is "it depends". if you can be more specific on the platform / router / switch model, a more specific answer can be given. :) > On a different note, does using lock-and-key ACL cause the packet to be sent to software instead of it being completely switched in hardware? > not sure what you mean by "lock and key". can you elaborate? cheers, lincoln. From gerry at tape.net Sun Oct 5 23:13:10 2008 From: gerry at tape.net (Gerry Boudreaux) Date: Sun, 5 Oct 2008 22:13:10 -0500 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <773303.33048.qm@web63403.mail.re1.yahoo.com> References: <773303.33048.qm@web63403.mail.re1.yahoo.com> Message-ID: <3E9500D6-5FA1-4BF3-92EF-EEA16187DDE1@tape.net> On Oct 5, 2008, at 06:03 , Steven Mark wrote: > Does anyone know if modifying ACLs (RACL/VACL) that are applied to > an interface will cause any traffic disruption? My solution of choice is to leave gaps in ACL numbers, like even/odd spacing, every 5 spacing, etc, so that if you are using ACL 100 on an interface, then 101 is the replacement ACL. That way you can create 101 as the replacement to 100, review it for correctness, then go to the interface/instance where it is applied, and simply change the ACL applied. The other advantage is that you can easily revert to the previous (last known good ACL) by simply re-applying the ACL, knowing it was unchanged. This totally avoids the implicit DENY, and any "timing" issues, as well as never leaving you with any, even micro-second non-protected, situations, and gives you an easy rollback position. Then the next update simply reuses ACL 100, the one that was last "replaced". Just my $0.02, and I am always interested in better "best" practices!
G From justin at justinshore.com Sun Oct 5 23:42:31 2008 From: justin at justinshore.com (Justin Shore) Date: Sun, 05 Oct 2008 22:42:31 -0500 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <48E90E61.9010109@Janoszka.pl> References: <773303.33048.qm@web63403.mail.re1.yahoo.com><20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E90E61.9010109@Janoszka.pl> Message-ID: <48E98927.7060209@justinshore.com> Grzegorz Janoszka wrote: > Matlock, Kenneth L wrote: >> So from then on, I've always removed the ACL from the interface, >> removed the ACL, rebuilt it, and re-applied it to the interface. If >> you have the lines copied into a clipboard, you can paste the stuff in >> fairly quickly, and not really allow much 'bad' traffic in. > > The simplest thing is to prepare a file containing "no acl XXX" and then > redefinition of the acl, put it on a tftp server and load it using: > copy tftp://I.P.I.P/acl running-config > > You do not need any extra tricks to do it, like temporary acl's and so on. I don't believe that this is instantaneous. This still has the problem of blocking at least some traffic while the lines of config are loaded. While this may not be perceived as a big problem for some networks and some traffic patterns, this will kill TCP sessions when either end receives a TCP reset. I suspect that it will also jack with SIP and MGCP sessions when an ICMP port unreachable is sent in response to rejected RTP datagrams. That wouldn't be good. What's needed is to not reject any packets. The only ways I can see that happening is to either switch ACLs or remove the ACL from the interface before you add the first line to it. That is until Cisco adds a way to let us make ACL changes and control when they are committed and compiled. It seems like I read something about something added to the later 12.4T code to make ACL updates easier.
I'll have to dig out the release notes to read up on it. Justin From gert at greenie.muc.de Mon Oct 6 02:37:03 2008 From: gert at greenie.muc.de (Gert Doering) Date: Mon, 6 Oct 2008 08:37:03 +0200 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <20081005183826.GA24902@panix.com> References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <20081005183826.GA24902@panix.com> Message-ID: <20081006063703.GG17238@greenie.muc.de> Hi, On Sun, Oct 05, 2008 at 02:38:26PM -0400, Ed Ravin wrote: > > I'm wondering if there is any deeper necessity for removing the old ACL > > from the interface? In the cases that I've changed ACLs on an interface, > > I normally just configure the new ACL - and given that Cisco can only > > have one IP ACL (per direction) on each interface, this automatically > > and atomically removes the old ACL... > > Hmmm. Has that always worked, even in IOS 11 and early 12.1 > environments? I don't remember whether I tried that when I first > started developing aclmaker back in 2002. This is why I was asking :-) Everywhere I can *remember* having changed ACLs "on the fly" (replace old ACL with new ACL in the interface config), it worked without nasty side effects. OTOH, our use of ACLs on IOS 11 was quite limited, so I really can't say. gert -- USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/ Gert Doering - Munich, Germany gert at greenie.muc.de fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
From Grzegorz at Janoszka.pl Mon Oct 6 03:28:16 2008 From: Grzegorz at Janoszka.pl (Grzegorz Janoszka) Date: Mon, 06 Oct 2008 09:28:16 +0200 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <48E98927.7060209@justinshore.com> References: <773303.33048.qm@web63403.mail.re1.yahoo.com><20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E90E61.9010109@Janoszka.pl> <48E98927.7060209@justinshore.com> Message-ID: <48E9BE10.2080405@Janoszka.pl> Justin Shore wrote: >> The simplest thing is to prepare a file containing "no acl XXX" and >> then redefinition of the acl, put it on a tftp server and load it using: >> copy tftp://I.P.I.P/acl running-config >> >> You do not need any extra tricks to do it, like temporary acl's and so >> on. > > I don't believe that this is instantaneous. This still has the problem > of blocking at least some traffic while the lines of config are loaded. > While this may not be perceived as a big problem for some networks and > some traffic patterns, this will kill TCP sessions when either end > receives a TCP reset. I suspect that it will also jack with SIP and > MGCP sessions when an ICMP port unreachable is sent in response to > rejected RTP datagrams. That wouldn't be good. So, configure the port not to send any icmp, nor tcp rst packets, and you will not lose any connection.
-- Grzegorz Janoszka From rdobbins at cisco.com Mon Oct 6 03:51:29 2008 From: rdobbins at cisco.com (Roland Dobbins) Date: Mon, 6 Oct 2008 15:51:29 +0800 Subject: [c-nsp] Modifying ACLs on production router In-Reply-To: <48E9BE10.2080405@Janoszka.pl> References: <773303.33048.qm@web63403.mail.re1.yahoo.com><20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E90E61.9010109@Janoszka.pl> <48E98927.7060209@justinshore.com> <48E9BE10.2080405@Janoszka.pl> Message-ID: On Oct 6, 2008, at 3:28 PM, Grzegorz Janoszka wrote: > So, configure the port not to send any icmp, not tcp rst packets and > you will not loose any connection. As Lincoln Dale indicated in an earlier reply to this thread, this behavior is platform-/linecard-/train-/release-specific. One technique I've used and seen used on some platforms is to 'leapfrog' ACL names/numbers - i.e., editing an offline copy with a different name/number utilizing whatever scripts/tools one uses, copying the updated ACL to the box, then switching out the ACL that's applied to the interface (i.e., it rotates). Again, this is very situationally dependent based upon the box/LC/code. ----------------------------------------------------------------------- Roland Dobbins // +852.9133.2844 mobile History is a great teacher, but it also lies with impunity. -- John Robb From ygauteron at gmail.com Mon Oct 6 06:44:26 2008 From: ygauteron at gmail.com (Yann Gauteron) Date: Mon, 6 Oct 2008 12:44:26 +0200 Subject: [c-nsp] Netflow collection problem with AS traffic Message-ID: <8097baf0810060344t78cb8d63jfe589bfed7511fcc@mail.gmail.com> Hello the list, I am a new talker here, but an attentive reader and I appreciate the level of your discussions, guys. As I am having some suspect behaviour with one of my (in fact one of my customer's) border router, I'd like to read about your experience and maybe you already have had such a misbehavior. 
I use as a BGP border router a Cisco uBR10012 CMTS (Cable Modem Termination System). This device is close to Cisco 10000 Series routers, but with dedicated interfaces for CATV operators offering Internet services. Initially, this BGP border (AS65100) had 2 BGP peerings with AS65001 (these are not the actual ASNs): - one peering is the main and active peering; - the second one is the backup with no traffic exchanged. I installed at this customer a nice piece of free software, called AS-stats ( https://neon1.net/as-stats/, a presentation of this tool is here https://neon1.net/as-stats/as-stats-presentation-swinog16.pdf) permitting to visualize the traffic received from / sent to an AS on a given peering. This tool works based on the Netflow data. We successfully used this tool for weeks without noticing reporting problems. Last week, an additional peering was established with AS65002. No special policies were defined in the route-map for the routes learned from this new AS. So BGP should have been able to route traffic according to the AS-Path length. Since that time, we noticed that the reporting on the AS-stats was not updated for the ASes which were routed to that new AS65002 peer! We rerouted (filtered in the route-maps) most of the ASes back to the older BGP peer, but 2 (the ASN for the provider we already peered with and the ASN for a network where we have a lot of traffic). We expected to have back the reporting for all ASes that were rerouted back. We were wrong... Reporting is not present for these ASes, only for the ASes that always remained on the initial peering. The problem is not located in the AS-stats tool, as I put some trace points in the code and noticed that it receives Netflow data, but not for the ASes that lack reporting. For your information, you will find attached a diagram of the simple BGP topology, and a partial show running (anonymized and focusing on Netflow configuration + BGP).
So comes my question: Have some of you already encountered some bad experience with Netflow on Cisco routers (especially 10000 Series or uBR10012) when dealing with BGP AS information? Have you already seen such a Netflow blocking of information? Is there any suggested workaround according to your experience? Before opening a case with Cisco, I'd like to know if some people already noticed this particular behavior. As I did not find any bug related to my problem, maybe some are already created but with a description that did not match my search keys. Thanks for this living and great list. Have a nice week, guys. Yann From david.freedman at uk.clara.net Mon Oct 6 07:57:00 2008 From: david.freedman at uk.clara.net (David Freedman) Date: Mon, 06 Oct 2008 12:57:00 +0100 Subject: [c-nsp] MPLS L2VPN Problem (Vlan Imposition) In-Reply-To: <2945.116.66.192.39.1223205599.squirrel@mail.subisu.net.np> References: <2945.116.66.192.39.1223205599.squirrel@mail.subisu.net.np> Message-ID: <48E9FD0C.1010308@uk.clara.net> > I am using Cisco IOS 12.4-2(T) on the VXR 7200 (NPE 300). Is there any BUG > for Cisco IOS I am using? If so, please suggest me the bug free IOS for > its > implementation. Well, quoting from http://puck.nether.net/pipermail/cisco-nsp/2007-May/040893.html "if you browse cisco.com -> products -> routers -> 7200 you will find a page showing some datasheets etc but also "end-of-life and end-of-sale notices". for the particular npe-300, it went eos dec 31 2001, and eol dec 31 2006. software supports ends in: 12.2(15)T, 12.0(29)S, 12.1(19)E, and 12.3(10b)."
Running 12.4 on this processor is quite ambitious, due to your RAM constraints for the features you need, you will be limited to old versions which in turn will harbour many bugs (just searching for AToM related bugs in your version reveals nine alone) Dave.
>
> But this error report (Vlan Imposition) persists even when I am able
> to ping vlan across l2vpn (for 5 to 7 minutes)
>
> My MPLS L2VPN is sub-interface (dot1Q on sub-interface) based.
>
> Any help in this regard is highly appreciable.
>
> Configuration details are given below
>
> At VXR-7200-A
>
> mpls ip
> mpls label protocol ldp
> mpls ldp router-id loopback 0
>
> interface Loopback0
>  ip address 172.22.0.129 255.255.255.255
>  ip ospf 1 area 20
> !
> interface Tunnel0
>  description #### GRE Tunnel ####
>  ip address 172.22.15.129 255.255.255.252
>  ip ospf cost 100
>  ip ospf 1 area 20
>  mpls label protocol ldp
>  mpls ip
>  tunnel source FastEthernet1/0
>  tunnel destination 202.70.75.165
>
> Interface fa 1/1.110
>  des ### Connected Cisco Switch trunk ###
>  encapsulation dot1q 110
>  mpls l2transport route 172.22.16.1 110
>
>
> At VXR-7200-B
>
> mpls ip
> mpls label protocol ldp
> mpls ldp router-id loopback 0
>
> interface Loopback0
>  ip address 172.22.16.1 255.255.255.255
>  ip ospf 1 area 20
> !
> interface Tunnel0
>  description #### GRE Tunnel ####
>  ip address 172.22.15.130 255.255.255.252
>  ip ospf cost 100
>  ip ospf 1 area 20
>  mpls label protocol ldp
>  mpls ip
>  tunnel source FastEthernet1/1
>  tunnel destination 202.70.77.14
> !
>
> interface FastEthernet1/0.110
>  des ### Connected To Cisco Switch trunk ###
>  encapsulation dot1Q 90
>  mpls l2transport route 172.22.0.129 110
>
>
> Regards,
> Khara Nanda Luitel
> Subisu Cable Net Pvt Ltd
> Nepal.
> _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From domintefamily at yahoo.co.uk Mon Oct 6 10:22:06 2008 From: domintefamily at yahoo.co.uk (C and C Dominte) Date: Mon, 6 Oct 2008 14:22:06 +0000 (GMT) Subject: [c-nsp] BGP over Etherchannel Issue Message-ID: <761706.57733.qm@web27906.mail.ukl.yahoo.com> Hi all, I am having a rather unusual issue, and I have no idea on how or where to find any info about it. Basically, a bgp session configured over an etherchannel (2x10G ports) goes down, if one cable is removed. This should not happen under normal circumstances, as the physical disconnection, should not affect the Etherchannel operation, as long as there is at least one connected port in operation.
The IP addresses are configured over a VLAN, which is then allowed on the etherchannel trunk. When I removed one of the two fibers, the bgp session went down, and in the reset log the reason was peer closed the session, on both sides. Any help would be appreciated. Catalin From paul at paulstewart.org Mon Oct 6 10:26:29 2008 From: paul at paulstewart.org (Paul Stewart) Date: Mon, 6 Oct 2008 10:26:29 -0400 Subject: [c-nsp] Route View Router Config Message-ID: <000801c927bf$86691440$933b3cc0$@org> I'm looking at firing up a router that will become a public route view box.... Folks could telnet to it and view our BGP tables, run traceroutes etc.... same deal as route-views.routeviews.org on a much smaller scale specific to our own tables.... Anyone have a pre-built Cisco config for such purpose they could share? If not I'll have to build a secure version but thought it's worth asking first...;) Take care, Paul From oboehmer at cisco.com Mon Oct 6 10:34:19 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Mon, 6 Oct 2008 16:34:19 +0200 Subject: [c-nsp] BGP over Etherchannel Issue In-Reply-To: <761706.57733.qm@web27906.mail.ukl.yahoo.com> References: <761706.57733.qm@web27906.mail.ukl.yahoo.com> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406205888@xmb-ams-333.emea.cisco.com> C and C Dominte <> wrote on Monday, October 06, 2008 4:22 PM: > > I am having a rather unusual issue, and I have no idea on > how or where to find any info about it. > > Basically, a bgp session configured over an etherchannel > (2x10G ports) goes down, if one cable is removed. This should not > happen under normal circumstances, as the physical disconnection, should not > affect the Etherchannel operation, as long as there is at least one connected > port in operation. > The IP addresses are configured over a VLAN, which is then allowed on > the etherchannel trunk.
> When I removed one of the two fibers, the bgp session went down, and > in the reset log the reason was peer closed the session, on both > sides. Are you running LACP or PaGP across the channel? If you're not, the remote end might not have noticed the member leaving the bundle and continued transmitting data over it, and if the BGP control packets happened to hash to this member link, the session will go down.. oli From Chris.Kilian at aolbb.co.uk Mon Oct 6 10:40:34 2008 From: Chris.Kilian at aolbb.co.uk (Chris Kilian) Date: Mon, 6 Oct 2008 15:40:34 +0100 Subject: [c-nsp] BGP over Etherchannel Issue In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406205888@xmb-ams-333.emea.cisco.com> References: <761706.57733.qm@web27906.mail.ukl.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406205888@xmb-ams-333.emea.cisco.com> Message-ID: <589977100D803D4E8EA5A17F9C7641AF990941B609@SGBS201V1.CPWBB.LOCAL> You could also look at possibly using a combination of pagp as well as BFD which is very good if you have not used it before Regards Chris Kilian Tier 2 Network Engineer AOL Broadband 80 Hammersmith Road, London, UK, W14 8UD Tel: +44 207 348 4762 Mobile: +44 07515031780 AIM: chriskilianck -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Oliver Boehmer (oboehmer) Sent: 06 October 2008 15:34 To: domintefamily at yahoo.co.uk; cisco-nsp at puck.nether.net Subject: Re: [c-nsp] BGP over Etherchannel Issue C and C Dominte <> wrote on Monday, October 06, 2008 4:22 PM: > > I am having a rather unusual issue, and I have no idea on how or where > to find any info about it. > > Basically, a bgp session configured over an etherchannel (2x10G ports) > goes down, if one cable is removed. This should not happen under > normal circumstances, as the physical disconnection, should not > affect the Etherchannel operation, as long as there is at least one connected > port in operation. 
> The IP addresses are configured over a VLAN, which is then allowed on > the etherchannel trunk. > When I removed one of the two fibers, the bgp session went down, and > in the reset log the reason was peer closed the session, on both > sides. Are you running LACP or PaGP across the channel? If you're not, the remote end might not have noticed the member leaving the bundle and continued transmitting data over it, and if the BGP control packets happened to hash to this member link, the session will go down.. oli ************************************************************************************ This footnote confirms that this email message has been scanned by PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses. ************************************************************************************ This mail was sent via Mail-SeCure System. ************************************************************************************ From Chris.Kilian at aolbb.co.uk Mon Oct 6 10:31:03 2008 From: Chris.Kilian at aolbb.co.uk (Chris Kilian) Date: Mon, 6 Oct 2008 15:31:03 +0100 Subject: [c-nsp] BGP over Etherchannel Issue In-Reply-To: <761706.57733.qm@web27906.mail.ukl.yahoo.com> References: <761706.57733.qm@web27906.mail.ukl.yahoo.com> Message-ID: <589977100D803D4E8EA5A17F9C7641AF990941B600@SGBS201V1.CPWBB.LOCAL> Catalin Does the peer come back up right away on the other link or does it remain down until you re-connect both the ports?
Regards Chris Kilian Tier 2 Network Engineer AOL Broadband -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte Sent: 06 October 2008 15:22 To: cisco-nsp at puck.nether.net Subject: [c-nsp] BGP over Etherchannel Issue Hi all, I am having a rather unusual issue, and I have no idea on how or where to find any info about it. Basically, a bgp session configured over an etherchannel (2x10G ports) goes down, if one cable is removed. This should not happen under normal circumstances, as the physical disconnection, should not affect the Etherchannel operation, as long as there is at least one connected port in operation. The IP addresses are configured over a VLAN, which is then allowed on the etherchannel trunk. When I removed one of the two fibers, the bgp session went down, and in the reset log the reason was peer closed the session, on both sides. Any help would be appreciated. Catalin
From jason at lixfeld.ca Mon Oct 6 12:27:22 2008 From: jason at lixfeld.ca (Jason Lixfeld) Date: Mon, 6 Oct 2008 12:27:22 -0400 Subject: [c-nsp] 3825 sending DSCP in one direction, not receiving in the other. Message-ID: Still looking for any insights on this problem.

The topology: (hopefully my ASCII drawing formats correctly)
-------------
[IPTube1]--[2970]--[3825]--[1811]--[IPTube2]

The IPTubes are from Engage and are TDM to IP devices that have been configured to mark packets with ToS 0x08 (DSCP 2).

The problem:
------------
The 3825 either isn't receiving DSCP 2 from IPTube2 or it's not sending DSCP 2 from IPTube 2 on to IPTube 1:

1811#show policy-map interface vlan42
 Vlan42
  Service-policy output: IPTube
    Class-map: IPTube (match-all)
      111036374 packets, 68953588269 bytes
      5 minute offered rate 1656000 bps, drop rate 0 bps
      Match: dscp 2
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 2000 (kbps) Burst 50000 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      1584 packets, 224640 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

3825#show policy-map interface vlan11 output
 Vlan11
  Service-policy output: IPTube
    Class-map: IPTube (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: dscp 2
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 2000 (kbps) Burst 50000 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      565011 packets, 31043926 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

In the other direction, everything is fine.
The 1811 is seeing DSCP 2 from IPTube 1 all the way through the network without a problem:

3825#show policy-map int vlan42 output
 Vlan42
  Service-policy output: IPTube
    Class-map: IPTube (match-all)
      256763715 packets, 159450264603 bytes
      5 minute offered rate 1655000 bps, drop rate 0 bps
      Match: dscp 2
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 2000 (kbps) Burst 50000 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      554345 packets, 319306444 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

1811#show policy-map interface vlan31
 Vlan31
  Service-policy output: IPTube
    Class-map: IPTube (match-all)
      111002338 packets, 68932451910 bytes
      5 minute offered rate 1655000 bps, drop rate 0 bps
      Match: dscp 2
      Queueing
        Strict Priority
        Output Queue: Conversation 264
        Bandwidth 2000 (kbps) Burst 50000 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0
    Class-map: class-default (match-any)
      10599 packets, 635940 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any

Anyone see anything fishy in the configs or in the software versions that might explain this? Only the non-working bits are included below, but in both the working and non-working cases, the same class-map and policy-map are used.

SW versions:
----------
3825: 12.4(10) (Advanced IP Services)
1811: 12.4(6)T11 (Advanced IP Services)

Configs:
-------
! 1811
!
interface FastEthernet9
 description ** TLS to 3825
 switchport access vlan 42
!
interface Vlan42
 ip address 10.79.253.6 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip tcp adjust-mss 1412
 service-policy output IPTube
!
class-map match-all IPTube
 match dscp 2
!
!
policy-map IPTube
 class IPTube
  priority 2000
!
! 3825
!
interface FastEthernet0/1/0
 description ** 2970
 switchport mode trunk
!
interface Vlan11
 ip address 10.79.11.250 255.255.255.0
 service-policy output IPTube
!
class-map match-all IPTube
 match dscp 2
!
policy-map IPTube
 class IPTube
  priority 2000
!

Thanks in advance for any insight folks. From peter.nyamukusa at africaonline.co.tz Mon Oct 6 12:49:04 2008 From: peter.nyamukusa at africaonline.co.tz (Peter Nyamukusa) Date: Mon, 6 Oct 2008 19:49:04 +0300 Subject: [c-nsp] BGP over Etherchannel Issue In-Reply-To: <761706.57733.qm@web27906.mail.ukl.yahoo.com> References: <761706.57733.qm@web27906.mail.ukl.yahoo.com> Message-ID: <019001c927d3$72341b50$569c51f0$@nyamukusa@africaonline.co.tz> Are you peering with interface IPs or Loopback IPs? Regards, Peter Nyamukusa - CCIP, JNCIS, MCSE, Linux+ Technical Manager Africa Online (T) Ltd Tel: +255 (22) 211 6090 Fax: +255 (22) 211 6089 Email: peter.nyamukusa at africaonline.co.tz AIM: petenya A member of the Telkom South Africa Group -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte Sent: Monday, October 06, 2008 5:22 PM To: cisco-nsp at puck.nether.net Subject: [?? Probable Spam] [c-nsp] BGP over Etherchannel Issue Hi all, I am having a rather unusual issue, and I have no idea on how or where to find any info about it. Basically, a bgp session configured over an etherchannel (2x10G ports) goes down, if one cable is removed. This should not happen under normal circumstances, as the physical disconnection, should not affect the Etherchannel operation, as long as there is at least one connected port in operation. The IP addresses are configured over a VLAN, which is then allowed on the etherchannel trunk. When I removed one of the two fibers, the bgp session went down, and in the reset log the reason was peer closed the session, on both sides. Any help would be appreciated.
Catalin From nachocheeze at gmail.com Mon Oct 6 14:51:02 2008 From: nachocheeze at gmail.com (nachocheeze at gmail.com) Date: Mon, 6 Oct 2008 13:51:02 -0500 Subject: [c-nsp] VRF customers (ISP plus IP VPN) Message-ID: I'm in the process of deploying a small SP network that will provide *regular* Internet connectivity, as well as provide L3 VPNs for a multitude of services. In our design, we're thinking to keep the global internet in the "master" routing instance (i.e. non-VRF), just using plain BGP routing, and having separate connectivity (intranets, private and semi-private services) in VRFs and using route-target import/exports. Small example; Cust-A connects to PE1, Cust-B connects to PE2, both with dot1Q tagged sub-interfaces. In addition to this connection, they both have another logical connection to the same PE routers across the same interface on a different VLAN that's in the "master" instance for regular Internet.
In the case of their VRF sub-interface, here's how we do the forwarding: PE1 === ip vrf Cust-A rd 65001:100 route-target export 65001:100 route-target import 65001:100 route-target import 65001:200 interface FastEthernet2/1.10 description Cust-A Internet encapsulation dot1Q 10 ip address x.x..x.x 255.255.255.252 interface FastEthernet2/1.20 description Cust-A VPN encapsulation dot1Q 20 ip vrf forwarding Cust-A ip address x.x..x.x 255.255.255.252 PE2 === ip vrf Cust-B rd 65001:200 route-target export 65001:200 route-target import 65001:200 route-target import 65001:100 interface FastEthernet2/1.10 description Cust-B Internet encapsulation dot1Q 10 ip address x.x..x.x 255.255.255.252 interface FastEthernet2/1.20 description Cust-B VPN encapsulation dot1Q 20 ip vrf forwarding Cust-B ip address x.x..x.x 255.255.255.252 In this case, both customers run BGP (as they're multihomed to other ISPs), and are advertising their Arin-assigned network to both the "Internet" link in the regular BGP unicast address family and to the VRF links on the BGP VRF address family. Because of this, they are both learning each others' networks across the *regular* BGP link as well as the VRF BGP link. For political and billing reasons, this may not be ideal, mainly because they are "paying" for connectivity to the Internet service, but the VRF/VPN connectivity is 'free', so they want to be sure that forwarding between each other chooses the VPN path. I haven't been able to find any "best practice" that addresses this issue. What do people normally do in this setup? Send MED on the customer routes across the Internet peering so they will prefer the "intranet" path? Use a combo of tags/communities to filter the CE routes on the Internet peering? I can think of a couple of ways to do it, but I'm looking for some recommendations. 
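As an added illustration (not part of the original post and not any vendor's code), the following Python model works out what the route-target import/export in the PE1/PE2 configuration above actually lets each VRF see. It uses the Cust-A/Cust-B RD and RT values from the post with constructed customer prefixes, and it goes one step beyond the post by also modelling a shared "services" VRF (constructed RT 65001:900 and a constructed services prefix) that both customers import without importing each other's RT. The per-VRF view for each design shows whether the two customers learn each other's prefix over the VPN at all.

```python
"""Route-target import/export visibility model (added example, not the
poster's configuration or any vendor code). Each VRF exports its local
prefixes tagged with its export route-targets; a VRF imports a VPNv4
route when the route carries at least one of the VRF's import RTs.
Prefixes and the services RT below are constructed placeholders
(RFC 5737 documentation space)."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Vrf:
    name: str
    rd: str                       # route distinguisher, keeps prefixes unique
    export_rts: frozenset[str]    # "route-target export ..."
    import_rts: frozenset[str]    # "route-target import ..."
    local_prefixes: frozenset[str] = field(default_factory=frozenset)


def vpnv4_table(vrfs: list[Vrf]) -> list[tuple[str, str, frozenset[str], str]]:
    """Build the PE-wide VPNv4 table: (RD, prefix, attached RTs, origin VRF)."""
    return [(v.rd, p, v.export_rts, v.name)
            for v in vrfs for p in sorted(v.local_prefixes)]


def imported_routes(vrf: Vrf, table) -> dict[str, str]:
    """Prefixes this VRF imports, mapped to the VRF that originated them.
    The match rule is the MP-BGP one: any attached RT in the import set."""
    return {prefix: origin for _rd, prefix, rts, origin in table
            if rts & vrf.import_rts}


def visibility(vrfs: list[Vrf]) -> dict[str, dict[str, str]]:
    """Per-VRF view of the VPN: {vrf_name: {prefix: origin_vrf}}."""
    table = vpnv4_table(vrfs)
    return {v.name: imported_routes(v, table) for v in vrfs}


def thread_design() -> dict[str, dict[str, str]]:
    """The post's design: each customer imports the other's export RT, so the
    two VRFs form a full mesh and see each other directly over the VPN."""
    cust_a = Vrf("Cust-A", "65001:100", frozenset({"65001:100"}),
                 frozenset({"65001:100", "65001:200"}),
                 frozenset({"192.0.2.0/24"}))        # constructed Cust-A prefix
    cust_b = Vrf("Cust-B", "65001:200", frozenset({"65001:200"}),
                 frozenset({"65001:200", "65001:100"}),
                 frozenset({"198.51.100.0/24"}))     # constructed Cust-B prefix
    return visibility([cust_a, cust_b])


def services_design() -> dict[str, dict[str, str]]:
    """Generalisation (not in the post): a shared 'services' VRF that every
    customer imports, while customers do not import each other's RT. RT
    65001:900 and the services prefix are constructed for this example."""
    cust_a = Vrf("Cust-A", "65001:100", frozenset({"65001:100"}),
                 frozenset({"65001:100", "65001:900"}),
                 frozenset({"192.0.2.0/24"}))
    cust_b = Vrf("Cust-B", "65001:200", frozenset({"65001:200"}),
                 frozenset({"65001:200", "65001:900"}),
                 frozenset({"198.51.100.0/24"}))
    services = Vrf("services", "65001:900", frozenset({"65001:900"}),
                   frozenset({"65001:900", "65001:100", "65001:200"}),
                   frozenset({"203.0.113.0/24"}))
    return visibility([cust_a, cust_b, services])


def customers_see_each_other(view: dict[str, dict[str, str]]) -> bool:
    """True when Cust-A has a VPN route originated by Cust-B and vice versa."""
    return ("Cust-B" in view["Cust-A"].values()
            and "Cust-A" in view["Cust-B"].values())


if __name__ == "__main__":
    for label, view in (("thread design", thread_design()),
                        ("services design", services_design())):
        print(f"{label}: customers see each other over the VPN ->",
              customers_see_each_other(view))
        for vrf, routes in view.items():
            print(f"  {vrf}: {routes}")
```

With the post's RT policy the model returns True for the mesh: each customer imports the other's prefix, so a VPN path between them exists alongside the Internet path and the preference question (MED or community-based filtering on the Internet peering, as raised above) has to be answered in BGP policy. With the services-VRF policy the customers only import the shared prefix, so no customer-to-customer VPN route exists and there is nothing to prefer.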
From tahir.uddin at alliancebernstein.com Mon Oct 6 15:34:44 2008
From: tahir.uddin at alliancebernstein.com (Uddin, Tahir)
Date: Mon, 6 Oct 2008 15:34:44 -0400
Subject: [c-nsp] 65xx QOS question
In-Reply-To: <1a85d2430810031411r1afd761clda9258e6d08f56da@mail.gmail.com>
References: <1a85d2430810031411r1afd761clda9258e6d08f56da@mail.gmail.com>
Message-ID: <1E79A7919A9B16468E407A8DEAB65A43064CB71D@METROEVS3.ac.lp.acml.com>

Hi All

I have a 6708 8 port 10 Gig module which has a transmit queue structure of 1p7q4t. By default, the transmit queue mappings are done by CoS values on these modules and in most modules/switches. I was contemplating changing the queuing mode to DSCP because it provides more granularity. Does anyone know of any potential issues with this strategy? Does anyone know a reason why Cisco does not use the DSCP queuing mode by default? It seems to make sense to me.

Thanks
From jarruda-cnsp at jarruda.com Mon Oct 6 15:46:17 2008
From: jarruda-cnsp at jarruda.com (Julio Arruda)
Date: Mon, 06 Oct 2008 15:46:17 -0400
Subject: [c-nsp] BGP over Etherchannel Issue
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406205888@xmb-ams-333.emea.cisco.com>
References: <761706.57733.qm@web27906.mail.ukl.yahoo.com> <70B7A1CCBFA5C649BD562B6D9F7ED78406205888@xmb-ams-333.emea.cisco.com>
Message-ID: <48EA6B09.7030908@jarruda.com>

Oliver Boehmer (oboehmer) wrote:
> C and C Dominte <> wrote on Monday, October 06, 2008 4:22 PM:
>
>> I am having a rather unusual issue, and I have no idea on how or where to find any info about it.
>>
>> Basically, a bgp session configured over an etherchannel (2x10G ports) goes down, if one cable is removed. This should not happen under normal circumstances, as the physical disconnection should not affect the Etherchannel operation, as long as there is at least one connected port in operation.
>> The IP addresses are configured over a VLAN, which is then allowed on the etherchannel trunk.
>> When I removed one of the two fibers, the bgp session went down, and in the reset log the reason was peer closed the session, on both sides.
>
> Are you running LACP or PaGP across the channel? If you're not, the remote end might not have noticed the member leaving the bundle and continued transmitting data over it, and if the BGP control packets happened to hash to this member link, the session will go down..

Not sure....he is talking fiber links, so, even without any 'link-detection-tricks', the fiber port would go down if he unplugged it fully. But yes, I agree some LACP/PaGP/UDLD/whatever of sorts is a good idea :-)

PS: Unless "removed one of the two fibers" means removing 'one strand' of the fiber interface, and if you add on top of this no RFI/Autonegotiation, you could have the port becoming a black-hole from the sender-side point of view..
From frnkblk at iname.com Mon Oct 6 17:12:11 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 6 Oct 2008 16:12:11 -0500
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <48E90E61.9010109@Janoszka.pl>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E90E61.9010109@Janoszka.pl>
Message-ID:

What if access to that TFTP server is cut off by an incomplete ACL?

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Grzegorz Janoszka
Sent: Sunday, October 05, 2008 1:59 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modifying ACLs on production router

Matlock, Kenneth L wrote:
> So from then on, I've always removed the ACL from the interface, removed the ACL, rebuilt it, and re-applied it to the interface. If you have the lines copied into a clipboard, you can paste the stuff in fairly quickly, and not really allow much 'bad' traffic in.

The simplest thing is to prepare a file containing "no acl XXX" and then a redefinition of the ACL, put it on a TFTP server and load it using:

copy tftp://I.P.I.P/acl running-config

You do not need any extra tricks to do it, like temporary ACLs and so on.

--
Grzegorz Janoszka

From frnkblk at iname.com Mon Oct 6 17:12:16 2008
From: frnkblk at iname.com (Frank Bulk)
Date: Mon, 6 Oct 2008 16:12:16 -0500
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <20081005122140.GA923@panix.com>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com>
Message-ID:

If that ACL is doing PBR, you could get cut off when it's removed....

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ed Ravin
Sent: Sunday, October 05, 2008 7:22 AM
To: Steven Mark
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Modifying ACLs on production router

On Sun, Oct 05, 2008 at 04:03:55AM -0700, Steven Mark wrote:
> Does anyone know if modifying ACLs (RACL/VACL) that are applied to an interface will cause any traffic disruption?

Depends on how you do it and what you call "traffic disruption". If you append to the ACL while it is still applied to an interface, then that might not disrupt anything. If you delete the ACL and then begin adding statements back in one by one while it is still applied to the interface, then you may have periods of too much or too little traffic being passed across the interface until the ACL is complete. If the ACL affects the interface that you're managing the router from, you might find yourself locked out of the router when the partial ACL blocks more traffic than you want.

My "aclmaker" script, which lets you manage Cisco ACLs by editing local files on a Unix system, automatically updates ACLs for you with the minimum disruption. Requires Unix/Linux, Perl, and a couple of Perl modules:

http://www.panix.com/~eravin/aclmaker-1.04rc1

aclmaker updates an ACL by first uploading the new ACL into the router with a "test-xxxx" name. If the router doesn't complain about syntax problems, the script then removes the original ACL from any interfaces it is applied to and applies the test ACL. Then the script deletes the original ACL and uploads the new ACL with the original name, and then it removes the test-xxxx ACL from the interface(s) and applies the original ACL. This leaves two short windows when the interface has no ACL applied, but since the script is doing all the work automatically those windows are as brief as possible.

--
Ed

From petelists at templin.org Mon Oct 6 17:21:41 2008
From: petelists at templin.org (Pete Templin)
Date: Mon, 06 Oct 2008 16:21:41 -0500
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To:
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E90E61.9010109@Janoszka.pl>
Message-ID: <48EA8165.5070906@templin.org>

Frank Bulk wrote:
> What if access to that TFTP server is cut off by an incomplete ACL?

The whole batch of changes (ACLs and whatever else you've composed) is pulled via TFTP into RAM before any of the changes are applied.

pt

From farhan at cyber.net.pk Tue Oct 7 01:09:21 2008
From: farhan at cyber.net.pk (Farhan Ali Khan)
Date: Tue, 07 Oct 2008 10:09:21 +0500
Subject: [c-nsp] BGP over Etherchannel Issue
In-Reply-To: <589977100D803D4E8EA5A17F9C7641AF990941B600@SGBS201V1.CPWBB.LOCAL>
Message-ID: <0K8C00M3OOWITM10@smtp.cyber.net.pk>

Dear Chris

Did you check whether the etherchannel goes down when any of the links fails? If yes, then check the minimum links configured for the bundle and set it to 1.

Regards
Farhan Ali Khan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of C and C Dominte
Sent: 06 October 2008 15:22
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] BGP over Etherchannel Issue

Hi all,

I am having a rather unusual issue, and I have no idea on how or where to find any info about it.

Basically, a bgp session configured over an etherchannel (2x10G ports) goes down, if one cable is removed. This should not happen under normal circumstances, as the physical disconnection should not affect the Etherchannel operation, as long as there is at least one connected port in operation.

The IP addresses are configured over a VLAN, which is then allowed on the etherchannel trunk.

When I removed one of the two fibers, the bgp session went down, and in the reset log the reason was peer closed the session, on both sides.

Any help would be appreciated.

Catalin
From oboehmer at cisco.com Tue Oct 7 01:54:56 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 7 Oct 2008 07:54:56 +0200
Subject: [c-nsp] VRF customers (ISP plus IP VPN)
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406205A81@xmb-ams-333.emea.cisco.com>

nachocheeze at gmail.com <> wrote on Monday, October 06, 2008 8:51 PM:

> I'm in the process of deploying a small SP network that will provide *regular* Internet connectivity, as well as provide L3 VPNs for a multitude of services. In our design, we're thinking to keep the global internet in the "master" routing instance (i.e. non-VRF), just using plain BGP routing, and having separate connectivity (intranets, private and semi-private services) in VRFs and using route-target import/exports.
> [...]
>
> PE1
> ===
> ip vrf Cust-A
>  rd 65001:100
>  route-target export 65001:100
>  route-target import 65001:100
>  route-target import 65001:200
> [...]
> ip vrf Cust-B
>  rd 65001:200
>  route-target export 65001:200
>  route-target import 65001:200
>  route-target import 65001:100
>
>
> In this case, both customers run BGP (as they're multihomed to other ISPs), and are advertising their Arin-assigned network to both the "Internet" link in the regular BGP unicast address family and to the VRF links on the BGP VRF address family. Because of this, they are both learning each others' networks across the *regular* BGP link as well as the VRF BGP link. For political and billing reasons, this may not be ideal, mainly because they are "paying" for connectivity to the Internet service, but the VRF/VPN connectivity is 'free', so they want to be sure that forwarding between each other chooses the VPN path.

What is the VPN connection for? Why do the two customers have to see each other via the VPN link as well? You say you want to offer the VPN/VRF for internal services.. Then I would expect a different route-target import/export policy, i.e. something like a central services VPN:

ip vrf Cust-A
 route-target export 65001:100
 route-target import 65001:100
 route-target import 65001:900

ip vrf Cust-B
 route-target export 65001:200
 route-target import 65001:200
 route-target import 65001:900

ip vrf services
 route-target export 65001:900
 route-target import 65001:900
 route-target import 65001:100
 route-target import 65001:200

so both customers can communicate with your "services", but they don't see each other via the VPN..

> I haven't been able to find any "best practice" that addresses this issue. What do people normally do in this setup? Send MED on the customer routes across the Internet peering so they will prefer the "intranet" path? Use a combo of tags/communities to filter the CE routes on the Internet peering? I can think of a couple of ways to do it, but I'm looking for some recommendations.

I would question the overall VPN design. Why build a VPN where your customers have full connectivity between each other? Why don't you just let them communicate via the global routing table?

oli

From nimal at fnbs.net Tue Oct 7 04:38:04 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Tue, 07 Oct 2008 16:38:04 +0800
Subject: [c-nsp] VPN Routing vs Static Routing
Message-ID: <48EB1FEC.9080008@fnbs.net>

Hi guys,

Assume that I have a VPN link from Cisco Pix to remote network 10.10.10.0/24.

What would happen if I set another static route on the Cisco PIX to this same network 10.10.10.0/24. What would happen? Would the static routing take precedent? Will the VPN link break? Will the PIX IOS detect the conflict?

Ideally, I'd love to test this out on a test network, but I can't, so perhaps if anyone has any experience with this, can you enlighten me? Thanks!

Nimal

From brett at looney.id.au Tue Oct 7 05:04:50 2008
From: brett at looney.id.au (Brett Looney)
Date: Tue, 7 Oct 2008 17:04:50 +0800
Subject: [c-nsp] VPN Routing vs Static Routing
In-Reply-To: <48EB1FEC.9080008@fnbs.net>
References: <48EB1FEC.9080008@fnbs.net>
Message-ID: <06a201c9285b$c40d7100$4c285300$@id.au>

> Assume that i have a VPN link from Cisco Pix to remote network 10.10.10.0/24.
>
> What would happen if i set another static route on the Cisco PIX to this same network 10.10.10.0/24. What would happen? Would the static routing take precedent? Will the VPN link break? Will the PIX IOS detect the conflict?

What *should* happen is that the static route takes priority (IMHO). But, the PIX is not a router - it is a stateful firewall. So if there is traffic flowing on the VPN side then the static route *may* be ignored. Or not.

We attempted to do pretty much this - have a backup link via a VPN and have other known routes direct traffic. What we found was that sometimes the routes would work and sometimes the VPN would work but not really reliably. YMMV.

Will the PIX let you configure this? Yes. Will it warn you there is a potential issue? No. Will it work the way you expect it to (whatever that is)? Probably not.

B.

From nimal at fnbs.net Tue Oct 7 05:12:02 2008
From: nimal at fnbs.net (Nimal David Sirimanne)
Date: Tue, 07 Oct 2008 17:12:02 +0800
Subject: [c-nsp] VPN Routing vs Static Routing
In-Reply-To: <06a201c9285b$c40d7100$4c285300$@id.au>
References: <48EB1FEC.9080008@fnbs.net> <06a201c9285b$c40d7100$4c285300$@id.au>
Message-ID: <48EB27E2.2060608@fnbs.net>

Thanks Brett,

So basically the PIX doesn't handle this very well. I will assume that even if I change the metric value of the static route, it will probably still take precedent over the VPN routing?

Does the ASA or Cisco routers handle this better than the PIX?

Brett Looney wrote:
>> Assume that i have a VPN link from Cisco Pix to remote network 10.10.10.0/24.
>>
>> What would happen if i set another static route on the Cisco PIX to this same network 10.10.10.0/24. What would happen? Would the static routing take precedent? Will the VPN link break? Will the PIX IOS detect the conflict?
>>
>
> What *should* happen is that the static route takes priority (IMHO). But, the PIX is not a router - it is a stateful firewall. So if there is traffic flowing on the VPN side then the static route *may* be ignored. Or not.
>
> We attempted to do pretty much this - have a backup link via a VPN and have other known routes direct traffic. What we found was that sometimes the routes would work and sometimes the VPN would work but not really reliably. YMMV.
>
> Will the PIX let you configure this? Yes. Will it warn you there is a potential issue? No. Will it work the way you expect it to (whatever that is)? Probably not.
>
> B.
>

From mailinglist at bangky.net Tue Oct 7 06:05:38 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Tue, 7 Oct 2008 18:05:38 +0800
Subject: [c-nsp] BGP route flap damping
Message-ID: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com>

Hi all on both lists (this question applies to both Juniper and Cisco gear, thus the cross post),

In a situation where a router has multiple RIB entries for the same prefix and one of the entries is suppressed due to flapping, will connectivity be maintained via the remaining non-flapping paths in the following situations?

1) The flapping advertisement is the Best Path (presumably shortest AS-path) - will there be a seamless transition to the new best path or will there be any temporary loss of connectivity?

2) The flapping advertisement is not the Best Path - will traffic continue to flow without any disruption while the advertisement is damped?

In theory, it's supposed to work, but thought it might be better to ask for advice and things to watch out for before deploying in the real world.

Thanks in advance.

--
Ang Kah Yik (bangky) - http://blog.bangky.net

From perc69 at gmail.com Tue Oct 7 06:58:59 2008
From: perc69 at gmail.com (Pelle)
Date: Tue, 7 Oct 2008 12:58:59 +0200
Subject: [c-nsp] BGP route flap damping
In-Reply-To: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com>
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com>
Message-ID: <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com>

Hi.

I don't have an answer to your question, but a thought about dampening.

> In theory, it's supposed to work, but thought it might be better to ask for advice and things to watch out for before deploying in the real world.

BGP dampening is no longer regarded as "a good thing", but something to turn off. In fact the Cisco BCP is to disable dampening.

Here are some arguments against dampening:

* Today's routers' performance can easily cope with route flaps.
* RFD implementations may differ in RFD parameter values. This inconsistency may result in inconsistent path selection.
* Modality of route advertisement may differ. Some implementations pass on the update without waiting at all, others wait for 30 seconds, etc. This will likely result in a different best-path offering to neighbors as message updates arrive.
--
Pelle

From mailinglist at bangky.net Tue Oct 7 07:40:11 2008
From: mailinglist at bangky.net (Ang Kah Yik)
Date: Tue, 7 Oct 2008 19:40:11 +0800
Subject: [c-nsp] BGP route flap damping
In-Reply-To: <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com>
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com>
Message-ID: <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com>

Hi,

Thanks for sharing your opinion on the disabling of damping as a BCP. Yes, this is something that we've taken into consideration.

However, route flap damping is still in use in a number of networks out there. Thus, we would like to obtain feedback on how the damping of a flap by a transit provider may affect our connectivity.

Thanks once again for your opinion.

On Tue, Oct 7, 2008 at 6:58 PM, Pelle wrote:
> Hi.
>
> I don't have an answer to your question, but a thought about dampening.
>
>> In theory, it's supposed to work, but thought it might be better to ask for advice and things to watch out for before deploying in the real world.
>
> BGP dampening is no longer regarded as "a good thing", but something to turn off. In fact the Cisco BCP is to disable dampening.
>
> Here are some arguments against dampening:
>
> * Today's routers' performance can easily cope with route flaps.
> * RFD implementations may differ in RFD parameter values. This inconsistency may result in inconsistent path selection.
> * Modality of route advertisement may differ. Some implementations pass on the update without waiting at all, others wait for 30 seconds, etc. This will likely result in a different best-path offering to neighbors as message updates arrive.
>
> --
> Pelle

--
Ang Kah Yik (bangky) - http://blog.bangky.net

From jzp-cnsp at rsuc.gweep.net Tue Oct 7 07:53:31 2008
From: jzp-cnsp at rsuc.gweep.net (Joe Provo)
Date: Tue, 7 Oct 2008 07:53:31 -0400
Subject: [c-nsp] BGP route flap damping
In-Reply-To: <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com>
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com>
Message-ID: <20081007115331.GA83952@gweep.net>

On Tue, Oct 07, 2008 at 12:58:59PM +0200, Pelle wrote:
> Hi.
>
> I don't have an answer to your question, but a thought about dampening.
>
>> In theory, it's supposed to work, but thought it might be better to ask for advice and things to watch out for before deploying in the real world.
>
> BGP dampening is no longer regarded as "a good thing", but something to turn off. In fact the Cisco BCP is to disable dampening.

...precisely because the implementation dampens *all* paths for a prefix, not just the flapping path. Given an implementation which dampens just the flapping path[s] for a prefix, then the originally-intended result would occur and only penalize the misbehaving paths. The other concerns pale in comparison, and would easily be mitigated in the case of corrected implementations.

Cheers,

Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

From ivan at ig.sk Tue Oct 7 09:43:15 2008
From: ivan at ig.sk (Ivan Gasparik)
Date: Tue, 7 Oct 2008 15:43:15 +0200
Subject: [c-nsp] CoPP Hardware Counters on RSP720/7600
In-Reply-To: <844ef89c0809230015g2abbadbcl75283bf86ef71c49@mail.gmail.com>
References: <20080920150516.GA12916@danton.fire-world.de> <20080922190508.GA16204@danton.fire-world.de> <844ef89c0809230015g2abbadbcl75283bf86ef71c49@mail.gmail.com>
Message-ID: <200810071543.15425.ivan@ig.sk>

Hi,

I have been facing the same issue these days too, the result is very simple and sad: CoPP can't handle broadcast and multicast traffic in hardware.

More detailed explanation is here:
http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/dos.html#wp1141802

I'm still trying to configure some kind of protection of the router's CPU against broadcast storms. The most aggressive traffic hitting the CPU during a broadcast storm are OSPF and HSRP multicast packets in my case. Policing through mls qos protocol police is not usable because it cannot distinguish between good OSPF packets coming from routed interfaces and bad OSPF packets from SVIs multiplied by the storm.

It looks like I will have to combine storm-control applied on the physical layer 2 interface and then do smarter policing using CoPP on the control-plane for the rest of the traffic that got through the storm-control. Even though CoPP will do that in software, my SUP720s can handle almost 100k pps, which could be quite enough.

Ivan

On Tuesday 23 September 2008, David Granzer wrote:
> Hello,
>
> with CoPP enabled and flood ping to the RSP720 I don't have higher CPU utilization than is normal on my box. Without CoPP and ICMP flood (ping -f -s 1400) the CPU util goes to 90% - 99%.
>
> CPU utilization for five seconds: 96%/21%; one minute: 44%; five minutes: 20%
>
>  PID Runtime(ms)   Invoked      uSecs   5Sec   1Min   5Min TTY Process
>  194    23910192 426932747         56 46.38% 20.81%  5.12%   0 IP Input
>
> The CPU utilization with CoPP enabled is depend on what rate you doing policing for particular class, e.g. how many ICMP packet you are conforming to the RSP.
>
> Regards,
> David
>
> On 9/22/08, Sebastian Wiesinger wrote:
>> * Ozgur Guler [2008-09-22 14:31]:
>>> Hi Sebastian,
>>>
>>> Have you confirmed that mls qos is enabled globally?
>>> CoPP needs mls qos in order to work in HW.
>>
>> Yes, "mls qos" is enabled. I tried doing a flood-ping with hping3 and have around 30-40% of CPU usage. This seems a little bit high, but I heard from others that without CoPP the session to the RSP720 would just freeze. With my CoPP enabled I was able to work without delay on the RSP720.
>>
>> I couldn't test the situation without CoPP but I hope I can do so tonight.
>>
>> Regards,
>>
>> Sebastian
>>
>> --
>> GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
>> 'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
>> -- Terry Pratchett, The Fifth Elephant

From ayourtch at cisco.com Tue Oct 7 10:20:20 2008
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Tue, 7 Oct 2008 16:20:20 +0200 (CEST)
Subject: [c-nsp] Modifying ACLs on production router
In-Reply-To: <48E97DD8.8080207@justinshore.com>
References: <773303.33048.qm@web63403.mail.re1.yahoo.com> <20081005122140.GA923@panix.com> <20081005162412.GF17238@greenie.muc.de> <4288131ED5E3024C9CD4782CECCAD2C70489E75E@LMC-MAIL2.exempla.org> <48E97DD8.8080207@justinshore.com>
Message-ID:

On Sun, 5 Oct 2008, Justin Shore wrote:

> FEATURE REQUEST
> We need a sub-command of 'show ip access-list' that tells us what interfaces a given ACL is applied to. Something simple like
>
> show ip access-list interfaces
>
> We already have 'sh ip access-list interface ' but that requires one to increment through all the interfaces. I just want to know the name/number and direction of an ACL. That's all. That's what we need for easy script processing.

Justin, how about something like this:

Router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#alias exec where-acl show ip int | inc ine pro|list is Router(config)#^Z Router#where-acl Ethernet0/0 is up, line protocol is up Outgoing access list is 124 Inbound access list is 123 Ethernet1/0 is administratively down, line protocol is down Outgoing access list is 124 Inbound access list is foobar Serial2/0 is administratively down, line protocol is down Serial3/0 is administratively down, line protocol is down Router#where-acl foobar Ethernet0/0 is up, line protocol is up Ethernet1/0 is administratively down, line protocol is down Inbound access list is foobar Serial2/0 is administratively down, line protocol is down Serial3/0 is administratively down, line protocol is down Router# Router#where-acl 123 Ethernet0/0 is up, line protocol is up Inbound access list is 123 Ethernet1/0 is administratively down, line protocol is down Serial2/0 is administratively down, line protocol is down Serial3/0 is administratively down, line protocol is down Router# Router#where-acl 124 Ethernet0/0 is up, line protocol is up Outgoing access list is 124 Ethernet1/0 is administratively down, line protocol is down Outgoing access list is 124 Serial2/0 is administratively down, line protocol is down Serial3/0 is administratively down, line protocol is down Router# Admittedly, the output of this "command" is not the prettiest one around (the linenoise of "empty" interfaces, and the fact that the interface name and ACL number/direction are not on the same line would require an additional regexp match branch and accumulator variable - but this has the advantage of being quite portable, since "show ip interface" was there for quite a while. Obviously within the script you'd issue the pipeline combo itself, rather than defining the alias. 
cheers,
andrew

From jhigham at epri.com Tue Oct 7 11:02:15 2008
From: jhigham at epri.com (Higham, Josh)
Date: Tue, 7 Oct 2008 08:02:15 -0700
Subject: [c-nsp] VPN Routing vs Static Routing
In-Reply-To: <48EB1FEC.9080008@fnbs.net>
References: <48EB1FEC.9080008@fnbs.net>
Message-ID: <4C3B8C75B5899943AEC675BA6DD46273013B5E7F@uspalex02.epri.com>

Traffic is encrypted for a VPN based on the output interface; the VPN
policy is applied to the interface the traffic goes out (often the public
interface). Static routes apply to inbound traffic to determine the
outbound interface. If the static route (default route or more specific)
doesn't point the traffic out the interface with the VPN policy, the VPN
won't come into play.

You may be able to test this outside the lab by utilizing an unused
interface, or at least an interface without a VPN. Create a VPN there for
some generic network (some random website) not routed through that
interface, then check that traffic continues to flow normally. Add a static
route for the network and verify that it does hit the VPN tunnel (you won't
see the tunnel come up, but you can watch debugs to see when the Pix tries
to establish it).

Thanks,
Josh

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Nimal
> David Sirimanne
> Sent: Tuesday, October 07, 2008 1:38 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] VPN Routing vs Static Routing
>
> Hi guys,
>
> Assume that I have a VPN link from Cisco Pix to remote network
> 10.10.10.0/24.
>
> What would happen if I set another static route on the Cisco PIX to
> this same network 10.10.10.0/24. What would happen? Would the static
> routing take precedence? Will the VPN link break? Will the PIX IOS
> detect the conflict?
>
> Ideally, I'd love to test this out on a test network, but I can't, so
> perhaps if anyone has any experience with this, can you enlighten me?
> Thanks!
>
> Nimal

From bennetb at gmail.com Tue Oct 7 11:22:08 2008
From: bennetb at gmail.com (Brandon Bennett)
Date: Tue, 7 Oct 2008 09:22:08 -0600
Subject: [c-nsp] 65xx QOS question
In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A43064CB71D@METROEVS3.ac.lp.acml.com>
References: <1a85d2430810031411r1afd761clda9258e6d08f56da@mail.gmail.com> <1E79A7919A9B16468E407A8DEAB65A43064CB71D@METROEVS3.ac.lp.acml.com>
Message-ID:

> I have a 6708 8 port 10 Gig module which has a transmit queue structure
> of 1p7q4t. By default, the transmit queue mappings are done by cos values
> on these modules and in most modules/switches. I was contemplating
> changing the queuing mode to dscp because it provides more granularity.

There should be no risk in moving to dscp queuing mode. Just be mindful of
what to do with unknown DSCP values you may forget to assign to a queue.

> Does anyone know of any potential issues with this strategy?

Currently only the 6708, 6716, and the VS-S720 10G ports support dscp
queuing, and I imagine that it is CoS by default to match the rest of the
blades available in the 6500.

-Brandon

From nachocheeze at gmail.com Tue Oct 7 11:27:27 2008
From: nachocheeze at gmail.com (nachocheeze at gmail.com)
Date: Tue, 7 Oct 2008 10:27:27 -0500
Subject: [c-nsp] VRF customers (ISP plus IP VPN)
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406205A81@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406205A81@xmb-ams-333.emea.cisco.com>
Message-ID:

On Tue, Oct 7, 2008 at 12:54 AM, Oliver Boehmer (oboehmer) wrote:
> What is the VPN connection for?

It's not just the one VPN; there's likely to be a need for several.
Long story short; the backbone network is going to be connected to several
different services (the Internet and various restricted networks), and each
downstream connector will be accessing probably two or more of the
restricted services (Customer A gets service X and Y but not Z, Customer B
gets service X and Z but not Y, Customer C gets service Z only). One of the
'common' services among all is likely to be a local 'intranet' providing
connectivity between all the customers. The customers (as well as the PEs)
are in multiple geographic locations, but the backbone network will be
connected directly over dark fiber.

> Why do the two customers have to see
> each other via the VPN link as well?

Well, they don't *have* to in this particular VPN. I was thinking of the
above described Intranet service. If they're communicating already over the
'Intranet' service, is there any reason for them to also learn routes to
each other via the 'Internet' service?

> You say you want to offer the
> VPN/VRF for internal services.. Then I would expect a different
> route-target import/export policy, i.e. something like a central
> services VPN:
>
> ip vrf Cust-A
>  route-target export 65001:100
>  route-target import 65001:100
>  route-target import 65001:900
>
> ip vrf Cust-B
>  route-target export 65001:200
>  route-target import 65001:200
>  route-target import 65001:900
>
> ip vrf services
>  route-target export 65001:900
>  route-target import 65001:900
>  route-target import 65001:100
>  route-target import 65001:200
>
> so both customers can communicate with your "services", but they don't
> see each other via the VPN..

I think the central services idea may be what I'm looking for.

> I would question the overall VPN design. Why build a VPN where your
> customers have full connectivity between each other? Why don't you just
> let them communicate via the global routing table?
They may not both subscribe to the *regular* Internet service, so having
them communicate via the local Intranet service will be desired.

From bagga_ajeet at emc.com Tue Oct 7 11:56:41 2008
From: bagga_ajeet at emc.com (Ajeet Bagga)
Date: Tue, 7 Oct 2008 11:56:41 -0400
Subject: [c-nsp] BGP route flap damping
In-Reply-To: <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com>
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com>
Message-ID:

On Oct 7, 2008, at 7:40 AM, Ang Kah Yik wrote:

> Hi,
>
> Thanks for sharing your opinion on the disabling of damping as a BCP.
> Yes, this is something that we've taken into consideration.
>
> However, route flap damping is still in use in a number of networks
> out there.
> Thus, we would like to obtain feedback on how the damping of a flap by
> a transit provider may affect our connectivity.

Are you multihomed to this transit? To other upstreams? Depending on the
RFD implementation, withdrawal triggered suppression will indeed affect
your connectivity. For analysis of arguments against RFD, specifically how
it applies to your case, read the sigcomm presentation,
<http://conferences.sigcomm.org/sigcomm/2002/papers/routedampening.html>.
White paper is available via the ACM portal,
<http://portal.acm.org/citation.cfm?id=633047>.

~
Ajeet Bagga
Sr. Network Engineer
Cloud Computing Infrastructure and Services
EMC

From harbor235 at gmail.com Tue Oct 7 13:17:17 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Tue, 7 Oct 2008 13:17:17 -0400
Subject: [c-nsp] BGP route flap damping
In-Reply-To:
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com>
Message-ID: <836bf1f90810071017n17062274u299ffa957102be23@mail.gmail.com>

Stand up a router in your AS that is dedicated for information collection.
harbor235 ;}

On Tue, Oct 7, 2008 at 11:56 AM, Ajeet Bagga wrote:

> On Oct 7, 2008, at 7:40 AM, Ang Kah Yik wrote:
>
>> Hi,
>>
>> Thanks for sharing your opinion on the disabling of damping as a BCP.
>> Yes, this is something that we've taken into consideration.
>>
>> However, route flap damping is still in use in a number of networks out
>> there.
>> Thus, we would like to obtain feedback on how the damping of a flap by
>> a transit provider may affect our connectivity.
>
> Are you multihomed to this transit? To other upstreams? Depending on the
> RFD implementation, withdrawal triggered suppression will indeed affect your
> connectivity. For analysis of arguments against RFD, specifically how it
> applies to your case, read the sigcomm presentation,
> <http://conferences.sigcomm.org/sigcomm/2002/papers/routedampening.html>.
> White paper is available via the ACM portal,
> <http://portal.acm.org/citation.cfm?id=633047>.
>
> ~
> Ajeet Bagga
> Sr. Network Engineer
> Cloud Computing Infrastructure and Services
> EMC

From pdavis at i2k.com Tue Oct 7 15:02:57 2008
From: pdavis at i2k.com (Phil Davis)
Date: Tue, 07 Oct 2008 15:02:57 -0400
Subject: [c-nsp] ATM Problem
Message-ID: <48EBB261.107@i2k.com>

Hello,

I am having a frustrating problem with a new ATM line we are putting in.
After some shenanigans from the provider in getting the line up on the
right port, we find that we are able to loop OAMs across (at least one) PVC
on the line, but no actual data is able to pass on any PVC.

In debugging, I can see the router complaining of a 'Bad correlation tag'.
When I OAM ping, I can see the CTags incrementing properly, but when regular
data (PPPoE authentication) comes across the link, the provider side
expects 0x00 and receives 0x10, 0x20, 0x30, etc...
Here is the relevant configuration for the ATM interface/subinterface:

interface ATM2/0
 no ip address
 no ip mroute-cache
 atm scrambling cell-payload
 no atm auto-configuration
 no atm ilmi-keepalive
 no atm address-registration
 no atm ilmi-enable
 no clns route-cache
end

interface ATM2/0.100 multipoint
 range pvc 1/35 1/99
  ubr 848
  encapsulation aal5snap
  protocol pppoe
 !
end

I believe since the OAM loopback is making it, the circuit is good. I feel
like I am missing some obvious step, and it is driving me crazy! Any
insight would be greatly appreciated.

Thanks,
Phil

From brett at looney.id.au Tue Oct 7 19:46:26 2008
From: brett at looney.id.au (Brett Looney)
Date: Wed, 8 Oct 2008 07:46:26 +0800
Subject: [c-nsp] VPN Routing vs Static Routing
In-Reply-To: <48EB27E2.2060608@fnbs.net>
References: <48EB1FEC.9080008@fnbs.net> <06a201c9285b$c40d7100$4c285300$@id.au> <48EB27E2.2060608@fnbs.net>
Message-ID: <07a601c928d6$ec24b1f0$c46e15d0$@id.au>

> So basically the PIX doesn't handle this very well. I will assume
> that even if I change the metric value of the static route, it will
> probably still take precedence over the VPN routing?

In my experience, yes - it's because the PIX already has a stateful entry
for traffic going to that destination, it ignores other routing
information.

> Does the ASA or Cisco routers handle this better than the PIX?

The ASA behaves as the PIX does. Routers will behave as you expect.

B.

From mcpick at us.net Tue Oct 7 23:40:53 2008
From: mcpick at us.net (McLean Pickett)
Date: Tue, 07 Oct 2008 23:40:53 -0400
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-lite environment
Message-ID: <6BD8EAF375994062B414882927BDCB17@mcpick.net>

Hello -

I am working on a large campus design and I am on the fence between using a
VRF-lite implementation (802.1q trunks carrying ospf instances between
devices) and an MPLS VPN deployment.
If I only have a few VRF's then the VRF-lite implementation wouldn't be too
overbearing and would require much less training for the support staff.
However if the number of VRF's were to greatly increase then it seems like
a full blown MPLS network is the better solution.

Are there any Cisco guidelines or does anyone have any hands-on experience
with the maximum number of VRF's\OSPF instances in a VRF-lite deployment?

I am dealing with Sup720-3B's, RFC1918 address space and default routes.
None of the routing tables will be carrying Internet routes.

Thanks,
McLean

From oboehmer at cisco.com Wed Oct 8 02:29:03 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 8 Oct 2008 08:29:03 +0200
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-lite environment
In-Reply-To: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840627D598@xmb-ams-333.emea.cisco.com>

McLean Pickett <> wrote on Wednesday, October 08, 2008 5:41 AM:

> I am working on a large campus design and I am on the fence between
> using a VRF-lite implementation (802.1q trunks carrying ospf
> instances between devices) and an MPLS VPN deployment.
>
> If I only have a few VRF's then the VRF-lite implementation wouldn't
> be too overbearing and would require much less training for the
> support staff. However if the number of VRF's were to greatly
> increase then it seems like a full blown MPLS network is the better
> solution.

right..

> Are there any Cisco guidelines or does anyone have any hands-on
> experience with the maximum number of VRF's\OSPF instances in a
> VRF-lite deployment?

This is a typical "it depends" question, i.e. #of routes/links/nodes/churn/etc.
However we've tested > 100 OSPF instances on NPE400/12000-GRP as PE-CE
protocol in a rather simple topology (requires the feature "OSPF Support
for Unlimited Software VRFs per Provider Edge (PE) Router"), so I would
expect the number of OSPF processes not to be the limiting factor in your
design. I guess you want to explore MPLS-VPN when you need more than 10 or
so VRFs as provisioning will become very cumbersome with end-to-end
VRF-lite..

oli

From arla at rn.dk Wed Oct 8 02:54:17 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 8 Oct 2008 08:54:17 +0200
Subject: [c-nsp] vs cpompac flas for Sup720
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F778408A@SRVEXC02.aas.its.nja.dk>

Hi Folks.

I've got a problem with 6 WS-SUP720-3BXL, I can't get them to read
CompactFlash modules.
I've tried Kingston and Sandisk. Is there something I should be aware of?

/Arne

From mtinka at globaltransit.net Wed Oct 8 02:22:06 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 8 Oct 2008 14:22:06 +0800
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-lite environment
In-Reply-To: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
Message-ID: <200810081422.06876.mtinka@globaltransit.net>

On Wednesday 08 October 2008 11:40:53 McLean Pickett wrote:

> Are there any Cisco guidelines or does anyone have any
> hands-on experience with the maximum number of VRF's\OSPF
> instances in a VRF-lite deployment?

At the time I first read about l3vpn's (a couple of years back), Cisco said
the RDB (Routing Descriptor Block) supported only 32 instances (including
the defaults, i.e., Static, Connected and IGP).

But I should say that this was a fairly old IOS at the time (and
different/older platform too), plus we never did quite have OSPF-based
VRF's, so I can't claim with full certainty that this holds true today.

Cheers,

Mark.
From saku+cisco-nsp at ytti.fi Wed Oct 8 03:30:34 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Wed, 8 Oct 2008 10:30:34 +0300
Subject: [c-nsp] CoPP Hardware Counters on RSP720/7600
In-Reply-To: <200810071543.15425.ivan@ig.sk>
References: <20080920150516.GA12916@danton.fire-world.de> <20080922190508.GA16204@danton.fire-world.de> <844ef89c0809230015g2abbadbcl75283bf86ef71c49@mail.gmail.com> <200810071543.15425.ivan@ig.sk>
Message-ID: <20081008073034.GB13381@mx.ytti.net>

On (2008-10-07 15:43 +0200), Ivan Gasparik wrote:

Hey Ivan,

> I'm still trying to configure some kind of protection of router's CPU
> against broadcast storms. The most aggressive traffic hitting the CPU
..
> It looks I will have to do combine storm-control applied on the
> physical layer 2 interface and then make a smarter policing using

I have some bad news for you, if you run 6704 :). Lowest possible working
number for storm-control is 0.34%. And this is WAY too high to protect the
control-plane from say L2 broadcast of valid L3 IPv4 unicast to your
router. There is no way to thoroughly protect yourself from this, in this
platform. Your best bet is to apply aggressive storm-controls in the L2
connected to the 6704.

Thanks,
--
  ++ytti

From c at tix.at Wed Oct 8 03:59:57 2008
From: c at tix.at (Christoph Loibl)
Date: Wed, 8 Oct 2008 09:59:57 +0200
Subject: [c-nsp] vs cpompac flas for Sup720
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F778408A@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28C6F778408A@SRVEXC02.aas.its.nja.dk>
Message-ID:

Hi Arne,

Try to format them after first inserting them into the switch (format
disk1:). This may help.

Christoph

On Oct 8, 2008, at 8:54 AM, Arne Larsen / Region Nordjylland wrote:

> Hi Folks.
>
> I've got a problem with 6 WS-SUP720-3BXL, I can't get them to read
> CompactFlash modules.
> I've tried Kingston and Sandisk. Is there something I should be aware
> of?
>
> /Arne

--
CHRISTOPH LOIBL ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mailto:c at tix.at |No trees were killed in the creation of this message.
http://www.sil.at |However, many electrons were terribly inconvenienced.
CL8-RIPE ++++++++++++++++++++++++++++++++++++ PGP-Key-ID: 0x4B2C0055 +++

From p.mayers at imperial.ac.uk Wed Oct 8 04:57:02 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 08 Oct 2008 09:57:02 +0100
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-lite environment
In-Reply-To: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net>
Message-ID: <48EC75DE.5080608@imperial.ac.uk>

McLean Pickett wrote:
> Hello -
>
> I am working on a large campus design and I am on the fence between using a
> VRF-lite implementation (802.1q trunks carrying ospf instances between
> devices) and an MPLS VPN deployment.
>
> If I only have a few VRF's then the VRF-lite implementation wouldn't be too
> overbearing and would require much less training for the support staff.
> However if the number of VRF's were to greatly increase then it seems like
> a full blown MPLS network is the better solution.

Sure. I would agree with Oli in that >10 and you want to be looking to
MPLS. We did the exact same thing - started off with vrf-lite and
multi-ospf, then eventually migrated to L3VPN when the overhead of managing
the VRFs got too big.

> Are there any Cisco guidelines or does anyone have any hands-on experience
> with the maximum number of VRF's\OSPF instances in a VRF-lite deployment?
>
> I am dealing with Sup720-3B's, RFC1918 address space and default routes.
> None of the routing tables will be carrying Internet routes.

You can certainly run ~15, we did on the exact same hardware.

From arla at rn.dk Wed Oct 8 05:10:51 2008
From: arla at rn.dk (Arne Larsen / Region Nordjylland)
Date: Wed, 8 Oct 2008 11:10:51 +0200
Subject: [c-nsp] vs cpompac flas for Sup720
In-Reply-To:
References: <8D68760F464FFD40A01BF2FB374E4A28C6F778408A@SRVEXC02.aas.its.nja.dk>
Message-ID: <8D68760F464FFD40A01BF2FB374E4A28C6F71EC862@SRVEXC02.aas.its.nja.dk>

Tried that, didn't work.

/Arne

-----Original Message-----
From: Christoph Loibl [mailto:c at tix.at]
Sent: 8 October 2008 10:00
To: Arne Larsen / Region Nordjylland
Cc: 'cisco-nsp at puck.nether.net'
Subject: Re: [c-nsp] vs cpompac flas for Sup720

Hi Arne,

Try to format them after first inserting them into the switch (format
disk1:). This may help.

Christoph

On Oct 8, 2008, at 8:54 AM, Arne Larsen / Region Nordjylland wrote:

> Hi Folks.
>
> I've got a problem with 6 WS-SUP720-3BXL, I can't get them to read
> CompactFlash modules.
> I've tried Kingston and Sandisk. Is there something I should be aware
> of?
>
> /Arne

--
CHRISTOPH LOIBL ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
mailto:c at tix.at |No trees were killed in the creation of this message.
http://www.sil.at |However, many electrons were terribly inconvenienced.
CL8-RIPE ++++++++++++++++++++++++++++++++++++ PGP-Key-ID: 0x4B2C0055 +++

From oboehmer at cisco.com Wed Oct 8 05:12:07 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 8 Oct 2008 11:12:07 +0200
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-lite environment
In-Reply-To: <200810081422.06876.mtinka@globaltransit.net>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net> <200810081422.06876.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Wednesday, October 08, 2008 8:22 AM:

> On Wednesday 08 October 2008 11:40:53 McLean Pickett wrote:
>
>> Are there any Cisco guidelines or does anyone have any
>> hands-on experience with the maximum number of VRF's\OSPF
>> instances in a VRF-lite deployment?
>
> At the time I first read about l3vpn's (a couple of years
> back), Cisco said the RDB (Routing Descriptor Block)
> supported only 32 instances (including the defaults, i.e.,
> Static, Connected and IGP).
>
> But I should say that this was a fairly old IOS at the time
> (and different/older platform too), plus we never did quite
> have OSPF-based VRF's, so I can't claim with full certainty
> that this holds true today.

right, this got changed in 12.3(4)T, 12.0(27)S, 12.2(25)S, 12.2(18)SXE and
others where IOS no longer allocates a PDB per OSPF vrf instance, so you
are not limited by the 32 PDB instances any longer..

oli

From gary.ciscomail at gmail.com Wed Oct 8 05:13:15 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Wed, 8 Oct 2008 10:13:15 +0100
Subject: [c-nsp] NAT in VRF
Message-ID:

Can someone please confirm for me that you can have the same IP address in
different VRFs natted to different destinations. In other words;

217.1.1.1 nat to 10.1.1.1 in VRF A
217.1.1.1 nat to 192.168.1.1 in VRF B

I can't see any reason why not. What about if using VRF-Lite on a 3845,
does that make any difference?
It's a funny question but I have been asked this and have no access to the
kit to prove it working and I have to have a solid answer.

Thanks.

Gary

From cisco-nsp at tracker.fire-world.de Wed Oct 8 05:40:08 2008
From: cisco-nsp at tracker.fire-world.de (Sebastian Wiesinger)
Date: Wed, 8 Oct 2008 11:40:08 +0200
Subject: [c-nsp] 4500E/SUP6-E uRPF counters
Message-ID: <20081008094008.GA24371@danton.fire-world.de>

Hello,

I activated and tested the uRPF feature on a Catalyst 4500E with SUP6-E. It
works fine but the RPF drop counters don't work and stay at 0 packets. IOS
is 12.2(46)SG.

  Drop: 13800605 encapsulation failed, 0 unresolved, 0 no adjacency
        1012 no route, 0 unicast RPF, 0 forced drop
        0 options denied, 0 source IP address zero

This is after I sent a few packets which were successfully dropped by uRPF.

Same thing with the SNMP counters:

CISCO-IP-URPF-MIB::cipUrpfIfDrops.114.ipv4 = Counter32: 0 packets
CISCO-IP-URPF-MIB::cipUrpfIfSuppressedDrops.114.ipv4 = Counter32: 0 packets
CISCO-IP-URPF-MIB::cipUrpfIfDropRate.114.ipv4 = Gauge32: 0 packets/second
CISCO-IP-URPF-MIB::cipUrpfIfDiscontinuityTime.114.ipv4 = Timeticks: (131668749) 15 days, 5:44:47.49

Can anyone confirm that the counters don't work?

Another thing, is there any performance impact when activating uRPF on a
large number of vlans?

Regards,

Sebastian

--
GPG Key-ID: 0x76B79F20 (0x1B6034F476B79F20)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
-- Terry Pratchett, The Fifth Elephant

From gert at greenie.muc.de Wed Oct 8 07:11:13 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 8 Oct 2008 13:11:13 +0200
Subject: [c-nsp] 4500E/SUP6-E uRPF counters
In-Reply-To: <20081008094008.GA24371@danton.fire-world.de>
References: <20081008094008.GA24371@danton.fire-world.de>
Message-ID: <20081008111113.GX17238@greenie.muc.de>

Hi,

On Wed, Oct 08, 2008 at 11:40:08AM +0200, Sebastian Wiesinger wrote:
> Can anyone confirm that the counters don't work?

This is cisco-nsp, isn't it?
SCNR,

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com Wed Oct 8 07:33:36 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Wed, 8 Oct 2008 13:33:36 +0200
Subject: [c-nsp] VRF customers (ISP plus IP VPN)
In-Reply-To:
References: <70B7A1CCBFA5C649BD562B6D9F7ED78406205A81@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840627D7C2@xmb-ams-333.emea.cisco.com>

nachocheeze at gmail.com wrote on Tuesday, October 07, 2008 5:27 PM:

> On Tue, Oct 7, 2008 at 12:54 AM, Oliver Boehmer (oboehmer)
> wrote:
>
>> What is the VPN connection for?
>
> It's not just the one VPN; there's likely to be a need for several.
>
> Long story short; the backbone network is going to be connected to
> several different services (the Internet and various restricted
> networks), and each downstream connector will be accessing probably
> two or more of the restricted services (Customer A gets service X and
> Y but not Z, Customer B gets service X and Z but not Y, Customer C
> gets service Z only).

Ok, this makes sense.

> One of the 'common' services among all is
> likely to be a local 'intranet' providing connectivity between all the
> customers.

Why would this be different from the "Internet" service? see also next
comment.

>> Why do the two customers have to see
>> each other via the VPN link as well?
>
> Well, they don't *have* to in this particular VPN. I was thinking of
> the above described Intranet service. If they're communicating
> already over the 'Intranet' service, is there any reason for them to
> also learn routes to each other via the 'Internet' service?
As mentioned above: I don't fully understand the reasoning for this
"Intranet" service. What type of "customers" are they, and what is your
business? If you indeed need/want to differentiate them (maybe because the
"customers" are actually internal departments/business units where
connectivity between them is actually quite different from "Internet"
connectivity, especially from a security perspective), you would need to
implement some routing policy to make one advertisement (i.e. from the
"Internet") better than the other (MED, AS-path prepend, something else)..
It's obviously the discretion of the customer which exit he or she chooses,
so all you can give are hints..

oli

From howie at thingy.com Wed Oct 8 06:38:09 2008
From: howie at thingy.com (Howard Jones)
Date: Wed, 08 Oct 2008 11:38:09 +0100
Subject: [c-nsp] Recommend IOS for 7200?
Message-ID: <48EC8D91.4040400@thingy.com>

Oh fount of hard-won experience,

For a general dogsbody (LNS, BGP, OSPF) SP router, what is the current
recommended IOS version for stability? I am looking to upgrade a couple of
ancient NPE-225 routers to a current IOS. Should it be 12.2(25)S15? or is
there something else I should look at. Aside from the LNS, there's nothing
particularly special it needs. L2TPv3 might be nice, I guess.

Can anyone suggest/recommend any other release to look at?

Best Regards,

Howie

From kiwi at oav.net Wed Oct 8 07:59:46 2008
From: kiwi at oav.net (Xavier Beaudouin)
Date: Wed, 8 Oct 2008 13:59:46 +0200
Subject: [c-nsp] Cisco 65xx and ip forward...
Message-ID: <5F1BEE4E-33BF-4964-BAF4-AFC7C137BB8C@oav.net>

Hello,

I am facing a strange behavior with a Cisco 6513 connected this way:

host A ---[3560G EMI]---(Dark fiber)---[Cisco 6513]---[3560G EMI]--- Host B

Host A is in the network 10.2.0.0/25
Host B is in the network 172.17.180.0/24

Host A is in VLAN 300 connected through a 3560G EMI and this vlan is
terminated on Gi 1/1 of our Cisco 6513.
Host B is in VLAN 450 connected through a 3560G EMI and this vlan is
terminated on Gi 9/48 of our Cisco 6513.

Routing is done on each host with a simple static route... But mtr shows
us about 80% packet loss... and some strange things...

Configuration is like this: http://6meat.net/z/51880

Any good ideas? What did I get wrong?

Thanks,
/Xavier

From p.mayers at imperial.ac.uk Wed Oct 8 08:29:56 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Wed, 08 Oct 2008 13:29:56 +0100
Subject: [c-nsp] vs cpompac flas for Sup720
In-Reply-To: <8D68760F464FFD40A01BF2FB374E4A28C6F71EC862@SRVEXC02.aas.its.nja.dk>
References: <8D68760F464FFD40A01BF2FB374E4A28C6F778408A@SRVEXC02.aas.its.nja.dk> <8D68760F464FFD40A01BF2FB374E4A28C6F71EC862@SRVEXC02.aas.its.nja.dk>
Message-ID: <48ECA7C4.504@imperial.ac.uk>

Arne Larsen / Region Nordjylland wrote:
> Tried that, didn't work.

There is some discussion about this in the list archives in the last month
or so. Short version: some CF cards just don't work.

From peter.nyamukusa at africaonline.co.tz Wed Oct 8 08:48:12 2008
From: peter.nyamukusa at africaonline.co.tz (Peter Nyamukusa)
Date: Wed, 8 Oct 2008 15:48:12 +0300
Subject: [c-nsp] Recommend IOS for 7200?
In-Reply-To: <48EC8D91.4040400@thingy.com>
References: <48EC8D91.4040400@thingy.com>
Message-ID: <021901c92944$21d79020$6586b060$@nyamukusa@africaonline.co.tz>

Hi Howard,

Why don't you have a look at the Software Advisor tool
http://tools.cisco.com/Support/Fusion/FusionHome.do

cheers
___________________________________________
Peter Nyamukusa - CCIP, JNCIS, MCSE, Linux+

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Howard Jones
Sent: Wednesday, October 08, 2008 1:38 PM
To: cisco-nsp at puck.nether.net
Subject: [?? Probable Spam] [c-nsp] Recommend IOS for 7200?

Oh fount of hard-won experience,

For a general dogsbody (LNS, BGP, OSPF) SP router, what is the current
recommended IOS version for stability?
I am looking to upgrade a couple of ancient NPE-225 routers to a current
IOS. Should it be 12.2(25)S15? or is there something else I should look at.
Aside from the LNS, there's nothing particularly special it needs. L2TPv3
might be nice, I guess.

Can anyone suggest/recommend any other release to look at?

Best Regards,

Howie

From kharananda at subisu.net.np Wed Oct 8 09:01:00 2008
From: kharananda at subisu.net.np (kharananda)
Date: Wed, 08 Oct 2008 18:46:00 +0545
Subject: [c-nsp] [Noc] MPLS L2VPN Problem (Vlan Imposition)
In-Reply-To: <2945.116.66.192.39.1223205599.squirrel@mail.subisu.net.np>
References: <2945.116.66.192.39.1223205599.squirrel@mail.subisu.net.np>
Message-ID: <48ECAF0C.4060509@subisu.net.np>

Dear All,

I tried with many (older/newest) IOSes. What I found is unless I do GRE
there is no problem for MPLS L2VPN. It works absolutely fine until and
unless I do GRE. The moment I do GRE the error reports "ATOM-Eth VLAN
imposition: in Nu0, circuit id 110, size 68, packet dropped, Fixup
failed". I hope this could be fixed if I can tune some GRE parameters.

My GRE configuration is:

interface Tunnel0
 description #### GRE Tunnel ####
 ip address 172.22.15.129 255.255.255.252
 keepalive 5
 tunnel mode gre ip
 tunnel source FastEthernet1/0
 tunnel destination 202.70.75.165

Can you please help me on tuning some GRE parameters which could solve my
problem.

Regards,
Khara Nanda Luitel.

kharananda at subisu.net.np wrote:
> Dear All,
>
> I have been trying to do MPLS L2VPN Over GRE for few days. It is
> sub-interface(dot1Q) based l2vpn.
>
> Below goes my Network scenario.
>
> .....................                      .....................
> ...  VXR-7200-A  ...     MPLS over GRE     ..  VXR-7200-B   ..
> .......................                    ....................
> ------------------------------------------------------
> MPLS L2VPN Across
>
> I am getting a weird problem. I can ping the VLAN network across MPLS
> l2vpn for about 5 to 7 minutes and it *stops automatically* and never
> comes back up.
>
> Everything else seems OK. mpls ldp neighbor, mpls forwarding database,
> VCs status, GRE Tunnels, OSPF routes are all OK even when I am unable to
> ping the VLAN network (IPs) through l2vpn.
>
> "Debug mpls l2transport packets error" showed the error report "ATOM-Eth
> VLAN imposition: in Nu0, circuit id 110 size 68 packet dropped, Fixup
> failed". WHAT ACTUALLY IS IT???
>
> I am using Cisco IOS 12.4-2(T) on the VXR 7200 (NPE 300). Is there any BUG
> in the Cisco IOS I am using? If so, please suggest me the bug-free IOS for
> its implementation.
>
> But this error report (Vlan Imposition) persists even when I am able
> to ping the VLAN across l2vpn (for 5 to 7 minutes).
>
> My MPLS L2VPN is sub-interface (dot1Q on sub-interface) based.
>
> Any help in this regard is highly appreciated.
>
> Configuration details are given below
>
> At VXR-7200-A
>
> mpls ip
> mpls label protocol ldp
> mpls ldp router-id loopback 0
>
> interface Loopback0
>  ip address 172.22.0.129 255.255.255.255
>  ip ospf 1 area 20
> !
> interface Tunnel0
>  description #### GRE Tunnel ####
>  ip address 172.22.15.129 255.255.255.252
>  ip ospf cost 100
>  ip ospf 1 area 20
>  mpls label protocol ldp
>  mpls ip
>  tunnel source FastEthernet1/0
>  tunnel destination 202.70.75.165
>
> Interface fa 1/1.110
>  des ### Connected Cisco Switch trunk ###
>  encapsulation dot1q 110
>  mpls l2transport route 172.22.16.1 110
>
> At VXR-7200-B
>
> mpls ip
> mpls label protocol ldp
> mpls ldp router-id loopback 0
>
> interface Loopback0
>  ip address 172.22.16.1 255.255.255.255
>  ip ospf 1 area 20
> !
> interface Tunnel0
>  description #### GRE Tunnel ####
>  ip address 172.22.15.130 255.255.255.252
>  ip ospf cost 100
>  ip ospf 1 area 20
>  mpls label protocol ldp
>  mpls ip
>  tunnel source FastEthernet1/1
>  tunnel destination 202.70.77.14
> !
>
> interface FastEthernet1/0.110
>  des ### Connected To Cisco Switch trunk ###
>  encapsulation dot1Q 90
>  mpls l2transport route 172.22.0.129 110
>
> Regards,
> Khara Nanda Luitel
> Subisu Cable Net Pvt Ltd
> Nepal.
>
> _______________________________________________
> Noc mailing list
> Noc at system.subisu.net.np
> https://lists.subisu.net.np/mailman/listinfo/noc

From alex.wilkinson at dsto.defence.gov.au Wed Oct 8 09:01:17 2008 From: alex.wilkinson at dsto.defence.gov.au (Wilkinson, Alex) Date: Wed, 8 Oct 2008 21:01:17 +0800 Subject: [c-nsp] Recommend IOS for 7200? In-Reply-To: <48EC8D91.4040400@thingy.com> References: <48EC8D91.4040400@thingy.com> Message-ID: <20081008130117.GB23866@stlux503.dsto.defence.gov.au>

On Wed, Oct 08, 2008 at 11:38:09AM +0100, Howard Jones wrote:
>For a general dogsbody (LNS, BGP, OSPF) SP router, what is the current
>recommended IOS version for stability? I am looking to upgrade a couple
>of ancient NPE-225 routers to a current IOS. Should it be 12.2(25)S15?
>or is there something else I should look at. Aside from the LNS, there's
>nothing particularly special it needs. L2TPv3 might be nice, I guess.
>
>Can anyone suggest/recommend any other release to look at?

I am running Version 12.4(3) on a Cisco 7204VXR (NPE-G1) processor (revision B). No problems at all. The one thing to watch out for is that you need enough memory in your NPE-225 to fit version 12.4(3).

-aW

IMPORTANT: This email remains the property of the Australian Defence Organisation and is subject to the jurisdiction of section 70 of the CRIMES ACT 1914. If you have received this email in error, you are requested to contact the sender and delete the email.
From howie at thingy.com Wed Oct 8 09:05:16 2008 From: howie at thingy.com (Howard Jones) Date: Wed, 08 Oct 2008 14:05:16 +0100 Subject: [c-nsp] Recommend IOS for 7200? In-Reply-To: <021901c92944$21d79020$6586b060$@nyamukusa@africaonline.co.tz> References: <48EC8D91.4040400@thingy.com> <021901c92944$21d79020$6586b060$@nyamukusa@africaonline.co.tz> Message-ID: <48ECB00C.8070204@thingy.com>

Peter Nyamukusa wrote:
> Hi Howard,
>
> Why don't you have a look at the Software Advisor tool
> http://tools.cisco.com/Support/Fusion/FusionHome.do
>

Because that doesn't have a column for "does what you want, but crashes mysteriously". 12.2(25)S15 is the latest 12.2S release. It has the features I want. What I don't know is if it's also buggy, like some other latest releases apparently are.

That's why I was asking for experience.

Best Regards, Howie

From perc69 at gmail.com Wed Oct 8 10:01:48 2008 From: perc69 at gmail.com (Pelle) Date: Wed, 8 Oct 2008 16:01:48 +0200 Subject: [c-nsp] Recommend IOS for 7200? In-Reply-To: <48EC8D91.4040400@thingy.com> References: <48EC8D91.4040400@thingy.com> Message-ID: <746ca6da0810080701l1615337la8ad37968df1636c@mail.gmail.com>

Hi.

> For a general dogsbody (LNS, BGP, OSPF) SP router, what is the current
> recommended IOS version for stability?

We are running 12.2(31)SB10 with success (on NPE-400), though with IS-IS instead of OSPF.

> I am looking to upgrade a couple
> of ancient NPE-225 routers to a current IOS. Should it be 12.2(25)S15?

12.2S is "End of software maintenance" since 12/12/2007, see: http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/prod_eol_notice0900aecd804be5cf.html. The recommended migration path is 12.2SB or 12.4T.
-- Pelle

From jeff-kell at utc.edu Wed Oct 8 10:16:25 2008 From: jeff-kell at utc.edu (Jeff Kell) Date: Wed, 08 Oct 2008 10:16:25 -0400 Subject: [c-nsp] lite versus base Message-ID: <48ECC0B9.9030003@utc.edu>

Can anyone explain what "exactly" are the differences between the 2950/2960 LAN "base" versus "lite" versions, other than the 33% price hike?

Jeff

From saku+cisco-nsp at ytti.fi Wed Oct 8 10:39:47 2008 From: saku+cisco-nsp at ytti.fi (Saku Ytti) Date: Wed, 8 Oct 2008 17:39:47 +0300 Subject: [c-nsp] Recommend IOS for 7200? In-Reply-To: <746ca6da0810080701l1615337la8ad37968df1636c@mail.gmail.com> References: <48EC8D91.4040400@thingy.com> <746ca6da0810080701l1615337la8ad37968df1636c@mail.gmail.com> Message-ID: <20081008143947.GA15959@mx.ytti.net>

On (2008-10-08 16:01 +0200), Pelle wrote:
> We are running 12.2(31)SB10 with success (on NPE-400), though with
> IS-IS instead of OSPF.
>
> > I am looking to upgrade a couple
> > of ancient NPE-225 routers to a current IOS. Should it be 12.2(25)S15?
>
> 12.2S is "End of software maintenance" since 12/12/2007, see:
> http://www.cisco.com/en/US/products/sw/iosswrel/ps1838/prod_eol_notice0900aecd804be5cf.html.
> The recommended migration path is 12.2SB or 12.4T.

And to make it more exciting, the migration path from 12.2SB is to 12.2SR :). So might as well jump to 12.2SRC while at it. SB will live for 7304 and 10k for quite some time though.

-- ++ytti

From dwinkworth at att.net Wed Oct 8 09:46:13 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Wed, 08 Oct 2008 08:46:13 -0500 Subject: [c-nsp] Recommend IOS for 7200? In-Reply-To: <48ECB00C.8070204@thingy.com> References: <48EC8D91.4040400@thingy.com> <021901c92944$21d79020$6586b060$@nyamukusa@africaonline.co.tz> <48ECB00C.8070204@thingy.com> Message-ID: <48ECB9A5.60803@att.net>

We've been having good luck with 12.4(15)T6 and T7. I wouldn't recommend any other 12.4 release.
Howard Jones wrote:
> Peter Nyamukusa wrote:
>
>> Hi Howard,
>>
>> Why do you have a look at the Software Advisor tool
>> http://tools.cisco.com/Support/Fusion/FusionHome.do
>>
> Because that doesn't have a column for "does what you want, but crashes
> mysteriously". 12.2(25)S15 is the latest 12.2S release. It has the
> features I want. What I don't know is if it's also buggy, like some
> other latest releases apparently are.
>
> That's why I was asking for experience.
>
> Best Regards,
>
> Howie

From peter at rathlev.dk Wed Oct 8 11:29:11 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 08 Oct 2008 17:29:11 +0200 Subject: [c-nsp] lite versus base In-Reply-To: <48ECC0B9.9030003@utc.edu> References: <48ECC0B9.9030003@utc.edu> Message-ID: <1223479751.14694.4.camel@abehat>

Hi Jeff,

On Wed, 2008-10-08 at 10:16 -0400, Jeff Kell wrote:
> Can anyone explain what "exactly" are the differences between the
> 2950/2960 LAN "base" versus "lite" versions, other than the 33% price
> hike?

It's probably only the Cisco engineers that can tell you *exactly* what the difference is, but Feature Navigator can take you some of the way.
http://www.cisco.com/go/fn

Comparing 12.2(46)SE LAN Base with 12.2(46)SE LAN Lite gives the LAN Base release the following unique features:

DHCP Snooping
DHCP Snooping Counters
Flex Link VLAN Load-Balancing
Flex Links Interface Preemption
IEEE 802.1x - Auth Fail VLAN
IEEE 802.3af PoE (Power over Ethernet)
IP SLAs - SNMP Support
IP SLAs Responder
IPv6 Default Router Preference
Lock and Key
MLD Snooping
Trunk Failover

Direct link to the comparison: http://tinyurl.com/3o3yoe

Or were you looking for more specific details?

Regards, Peter

From psirt at cisco.com Wed Oct 8 12:18:26 2008 From: psirt at cisco.com (Cisco Systems Product Security Incident Response Team) Date: Wed, 8 Oct 2008 12:18:26 -0400 Subject: [c-nsp] Cisco Security Advisory: Authentication Bypass in Cisco Unity Message-ID: <200810081230.unity@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Authentication Bypass in Cisco Unity

Advisory ID: cisco-sa-20081008-unity

http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml

Revision 1.0

For Public Release 2008 October 08 1600 UTC (GMT)

Summary
=======

A vulnerability exists in Cisco Unity that could allow an unauthenticated user to view or modify some of the configuration parameters of the Cisco Unity server. Cisco has released free software updates that address this vulnerability. A workaround that mitigates this vulnerability is available.

This advisory is posted at http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml.

Affected Products
=================

Cisco Unity is a voice and unified messaging platform. Cisco Unity can be configured to interoperate with Microsoft Exchange or IBM Lotus Domino enabling users to access e-mail, voice, and fax messages from a single inbox.

Vulnerable Products
+------------------

All Cisco Unity versions, 4.x, 5.x and 7.x, may be affected by this vulnerability.
Products Confirmed Not Vulnerable +-------------------------------- No other Cisco products are currently known to be affected by this vulnerability. Details ======= Cisco Unity servers may be affected by an authentication bypass when they are configured for anonymous authentication. Anonymous authentication is used when Cisco Unity servers are authenticated to the subscriber instead of Microsoft Windows (Integrated Windows authentication). By default, Cisco Unity is configured so that the administrator uses the Integrated Windows authentication method for authentication. Details on authentication mechanisms can be found in the Installation Guide for Cisco Unity in the "Authentication Methods Available for the Cisco Unity Administrator" section, located at: http://www.cisco.com/en/US/docs/voice_ip_comm/unity/5x/installation/guide/umexnofo/5xcuigumenofo100.html#wp1533581 This authentication bypass vulnerability allows an unauthenticated user the ability to view or modify some system configuration parameters. No credentials, personally identifiable, or user information can be obtained through exploitation of this vulnerability. This vulnerability is documented in Cisco Bug ID CSCsr86943 and has been assigned Common Vulnerability and Exposures (CVE) ID CVE-2008-3814. Vulnerability Scoring Details +---------------------------- Cisco has provided scores for the vulnerabilities in this advisory based on the Common Vulnerability Scoring System (CVSS). The CVSS scoring in this Security Advisory is done in accordance with CVSS version 2.0. CVSS is a standards-based scoring method that conveys vulnerability severity and helps determine urgency and priority of response. Cisco has provided a base and temporal score. Customers can then compute environmental scores to assist in determining the impact of the vulnerability in individual networks. 
Cisco has provided an FAQ to answer additional questions regarding CVSS at: http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the environmental impact for individual networks at http://intellishield.cisco.com/security/alertmanager/cvss.

* Authentication bypass w/ anonymous auth (CSCsr86943)

CVSS Base Score - 5.8
 Access Vector - Network
 Access Complexity - Medium
 Authentication - None
 Confidentiality Impact - Partial
 Integrity Impact - Partial
 Availability Impact - None

CVSS Temporal Score - 5.2
 Exploitability - Functional
 Remediation Level - Official-Fix
 Report Confidence - Confirmed

Impact
======

Successful exploitation of the vulnerability may result in an unauthenticated user viewing or altering some configuration parameters of the Cisco Unity server.

Software Versions and Fixes
===========================

This vulnerability will be fixed in Cisco Unity software version 4.0ES161 for the 4.x release, 5.0ES53 for the 5.x release, and 7.0ES8 for the 7.x release.

The latest versions of Cisco Unity software can be downloaded from http://tools.cisco.com/support/downloads/go/Redirect.x?mdfid=274246502. Software for each release is available at: 4.2(1) ES release, 5.0(1) ES release, 7.0(2) ES release.

When considering software upgrades, also consult http://www.cisco.com/go/psirt and any subsequent advisories to determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the devices to be upgraded contain sufficient memory and that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, contact the Cisco Technical Assistance Center (TAC) or your contracted maintenance provider for assistance.

Workarounds
===========

Integrated Windows authentication is not affected by this vulnerability and may be used as an alternative to Anonymous Authentication.
Details on authentication mechanisms and how to configure them can be found in the Installation Guide for Cisco Unity in the "Setting Up Authentication for the Cisco Unity Administrator" section, located at: http://www.cisco.com/en/US/docs/voice_ip_comm/unity/5x/installation/guide/umexnofo/5xcuigumenofo100.html Obtaining Fixed Software ======================== Cisco has released free software updates that address this vulnerability. Prior to deploying software, customers should consult their maintenance provider or check the software for feature set compatibility and known issues specific to their environment. Customers may only install and expect support for the feature sets they have purchased. By installing, downloading, accessing or otherwise using such software upgrades, customers agree to be bound by the terms of Cisco's software license terms found at http://www.cisco.com/en/US/products/prod_warranties_item09186a008088e31f.html, or as otherwise set forth at Cisco.com Downloads at http://www.cisco.com/public/sw-center/sw-usingswc.shtml. Do not contact psirt at cisco.com or security-alert at cisco.com for software upgrades. Customers with Service Contracts +------------------------------- Customers with contracts should obtain upgraded software through their regular update channels. For most customers, this means that upgrades should be obtained through the Software Center on Cisco's worldwide website at http://www.cisco.com. Customers using Third Party Support Organizations +------------------------------------------------ Customers whose Cisco products are provided or maintained through prior or existing agreements with third-party support organizations, such as Cisco Partners, authorized resellers, or service providers should contact that support organization for guidance and assistance with the appropriate course of action in regards to this advisory. 
The effectiveness of any workaround or fix is dependent on specific customer situations, such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround or fix is the most appropriate for use in the intended network before it is deployed. Customers without Service Contracts +---------------------------------- Customers who purchase direct from Cisco but do not hold a Cisco service contract, and customers who purchase through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should acquire upgrades by contacting the Cisco Technical Assistance Center (TAC). TAC contacts are as follows. * +1 800 553 2447 (toll free from within North America) * +1 408 526 7209 (toll call from anywhere in the world) * e-mail: tac at cisco.com Customers should have their product serial number available and be prepared to give the URL of this notice as evidence of entitlement to a free upgrade. Free upgrades for non-contract customers must be requested through the TAC. Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for additional TAC contact information, including localized telephone numbers, and instructions and e-mail addresses for use in various languages. Exploitation and Public Announcements ===================================== This vulnerability was reported to Cisco by VoIPShield Systems. Status of this Notice: FINAL ============================ THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME. 
A stand-alone copy or Paraphrase of the text of this document that omits the distribution URL in the following section is an uncontrolled copy, and may lack important information or contain factual errors. Distribution ============ This advisory is posted on Cisco's worldwide website at: http://www.cisco.com/warp/public/707/cisco-sa-20081008-unity.shtml In addition to worldwide web posting, a text version of this notice is clear-signed with the Cisco PSIRT PGP key and is posted to the following e-mail and Usenet news recipients. * cust-security-announce at cisco.com * first-bulletins at lists.first.org * bugtraq at securityfocus.com * vulnwatch at vulnwatch.org * cisco at spot.colorado.edu * cisco-nsp at puck.nether.net * full-disclosure at lists.grok.org.uk * comp.dcom.sys.cisco at newsgate.cisco.com Future updates of this advisory, if any, will be placed on Cisco's worldwide website, but may or may not be actively announced on mailing lists or newsgroups. Users concerned about this problem are encouraged to check the above URL for any updates. Revision History ================ +------------------------------------------------------------+ | Revision 1.0 | 2008-Oct-8 | Initial public release | +------------------------------------------------------------+ Cisco Security Procedures ========================= Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt. +-------------------------------------------------------------------- Copyright 2007-2008 Cisco Systems, Inc. All rights reserved. 
+-------------------------------------------------------------------- Updated: Oct 08, 2008 Document ID: 108036 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEARECAAYFAkjs3N8ACgkQ86n/Gc8U/uBCMACcC7UX1BUzBt6/RYNhK16p4NKJ e9AAmgIIbr76NlUb50u2oXQjx7ITFWpP =P/iv -----END PGP SIGNATURE----- From felixnkansah at gmail.com Wed Oct 8 14:05:11 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Wed, 8 Oct 2008 18:05:11 +0000 Subject: [c-nsp] DMVPN IPSEC Issue Message-ID: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> Hi All, I have a lab setup of 3 routers in a hub-and-spoke topology. I have configured DMVPN with R1 being the hub. These routers all connect through a switch. The problem I experience is that, if the hub router goes off (because I reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations remain active on the spokes. As such when the hub router comes back up, the spokes try to use the existing SAs to communicate with it, which results in 'Invalid SPI errors' on the Hub with no connectivity as such. I resolve this problem manually by clearing crypto sessions on the spokes. I would like to know if there is a way to let the spokes time-out their SA sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes unavailable for some seconds. Waiting on your reply. Thanks, Felix From mailinglists at unix-scripts.com Wed Oct 8 14:04:57 2008 From: mailinglists at unix-scripts.com (Shaun R.) Date: Wed, 8 Oct 2008 11:04:57 -0700 Subject: [c-nsp] Route View Router Config In-Reply-To: <000801c927bf$86691440$933b3cc0$@org> References: <000801c927bf$86691440$933b3cc0$@org> Message-ID: I would be interested in this too. ~Shaun "Paul Stewart" wrote in message news:000801c927bf$86691440$933b3cc0$@org... > I'm looking at firing up a router that will become a public route view > box.... > > Folks could telnet to it and view our BGP tables, run traceroutes etc.... 
> same deal as route-views.routeviews.org on a much smaller scale specific
> to
> our own tables....
>
> Anyone have a pre-built Cisco config for such purpose they could share?
> If
> not I'll have to build a secure version but thought it's worth asking
> first...;)
>
> Take care,
>
> Paul

From harbor235 at gmail.com Wed Oct 8 14:34:36 2008 From: harbor235 at gmail.com (Mike Johnson) Date: Wed, 8 Oct 2008 14:34:36 -0400 Subject: [c-nsp] Route View Router Config In-Reply-To: References: <000801c927bf$86691440$933b3cc0$@org> Message-ID: <836bf1f90810081134i5b8fdfdfv434d18829df45e28@mail.gmail.com>

Could be any router with AAA authentication and authorization specifying a separate login for this activity as well as defining a separate privilege level and command authorization with a limited command set (show ip bgp summ, show ip route, etc.)... Pretty straightforward, however, I agree it would be best to implement this on a router specific for this task, some older router that could take a full feed.

mike j

On Wed, Oct 8, 2008 at 2:04 PM, Shaun R. wrote:
> I would be interested in this too.
>
>
> ~Shaun
>
> "Paul Stewart" wrote in message
> news:000801c927bf$86691440$933b3cc0$@org...
>
>> I'm looking at firing up a router that will become a public route view
>> box....
>>
>> Folks could telnet to it and view our BGP tables, run traceroutes etc....
>> same deal as route-views.routeviews.org on a much smaller scale specific
>> to
>> our own tables....
>>
>> Anyone have a pre-built Cisco config for such purpose they could share?
If >> not I'll have to build a secure version but thought it's worth asking >> first...;) >> >> Take care, >> >> Paul >> >> >> >> >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From paul at paulstewart.org Wed Oct 8 14:19:46 2008 From: paul at paulstewart.org (Paul Stewart) Date: Wed, 8 Oct 2008 14:19:46 -0400 Subject: [c-nsp] Route View Router Config In-Reply-To: References: <000801c927bf$86691440$933b3cc0$@org> Message-ID: <000101c92972$71a1a7c0$54e4f740$@org> Thanks.... I believe I may have not quite explained it properly what I was looking at.... got some offline replies but they were not what I'm after... Have a spare router that I was going to fire up and make reachable via telnet - this router was going to talk iBGP to our core routers I was hoping someone had a config they could share for this router - from a security perspective and command levels primarily.... understand the BGP part ;) Thanks, Paul -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Shaun R. Sent: Wednesday, October 08, 2008 2:05 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Route View Router Config I would be interested in this too. ~Shaun "Paul Stewart" wrote in message news:000801c927bf$86691440$933b3cc0$@org... > I'm looking at firing up a router that will become a public route view > box.... > > Folks could telnet to it and view our BGP tables, run traceroutes etc.... > same deal as route-views.routeviews.org on a much smaller scale specific > to > our own tables.... 
> > Anyone have a pre-built Cisco config for such purpose they could share? > If > not I'll have to build a secure version but thought it's worth asking > first...;) > > Take care, > > Paul > > > > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From rodunn at cisco.com Wed Oct 8 16:04:49 2008 From: rodunn at cisco.com (Rodney Dunn) Date: Wed, 8 Oct 2008 16:04:49 -0400 Subject: [c-nsp] DMVPN IPSEC Issue In-Reply-To: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> References: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> Message-ID: <20081008200449.GA5373@rtp-cse-489.cisco.com> I think you need DPD on the spokes for that to happen. crypto isakmp keepalive 10 2 Rodney On Wed, Oct 08, 2008 at 06:05:11PM +0000, Felix Nkansah wrote: > Hi All, > I have a lab setup of 3 routers in a hub-and-spoke topology. I have > configured DMVPN with R1 being the hub. These routers all connect through a > switch. > > The problem I experience is that, if the hub router goes off (because I > reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations > remain active on the spokes. > > As such when the hub router comes back up, the spokes try to use the > existing SAs to communicate with it, which results in 'Invalid SPI errors' > on the Hub with no connectivity as such. > > I resolve this problem manually by clearing crypto sessions on the spokes. > > I would like to know if there is a way to let the spokes time-out their SA > sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes > unavailable for some seconds. > > Waiting on your reply. 
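A starting point for the route-view box Paul describes above, added here as an example and not a configuration posted by anyone in the thread. It follows Mike's outline (a dedicated login that can only run a fixed, read-only command set, on a router whose only job is to hold an iBGP copy of the table), but enforces the command restriction with a Role-Based CLI view rather than a privilege level, so the public login never has an exec level to escalate from and gets "% Invalid input" for anything outside the view. Hostname, addresses (RFC 5737 space), AS number, ACL and view names, and every secret are placeholders; the parser view feature is assumed to be present on the release in use (it arrived in 12.3(7)T; confirm with Feature Navigator for your train), and the `username ... view ... password` binding follows the Role-Based CLI documentation.

```cisco
! Dedicated looking-glass router: iBGP client of the core, never a transit path.
hostname lg
no service tcp-small-servers
no service udp-small-servers
no ip http server
no ip http secure-server
no ip domain-lookup
no cdp run
service tcp-keepalives-in
service password-encryption
!
! Local AAA. The root view (needed to define other views) is entered with
! "enable view" and protected by the enable secret.
aaa new-model
aaa authentication login default local
aaa authorization exec default local
enable secret CHANGE-ME-ENABLE
!
! Read-only view for the public login: only these command trees parse at all.
! "all" admits the sub-keywords (show ip bgp summary, show ip bgp regexp ...).
! Leave ping/traceroute out if you do not want the box used as a probe source.
parser view LOOKINGGLASS
 secret CHANGE-ME-VIEW
 commands exec include all show ip bgp
 commands exec include all show ip route
 commands exec include all ping
 commands exec include all traceroute
!
! Public account lands in the view; the admin account keeps level 15.
username rviews view LOOKINGGLASS password CHANGE-ME-PUBLIC
username admin privilege 15 secret CHANGE-ME-ADMIN
!
! Only the core may speak BGP to this box (either side may open the session);
! anyone may reach telnet and ping it. Everything else is dropped and logged.
ip access-list extended LG-EDGE-IN
 permit tcp host 192.0.2.1 host 192.0.2.10 eq bgp
 permit tcp host 192.0.2.1 eq bgp host 192.0.2.10
 permit tcp any host 192.0.2.10 eq telnet
 permit icmp any host 192.0.2.10
 deny ip any any log
!
interface FastEthernet0/0
 description to core (iBGP)
 ip address 192.0.2.10 255.255.255.0
 ip access-group LG-EDGE-IN in
 no ip redirects
 no ip proxy-arp
!
! iBGP: take the full table from the core, announce nothing back.
route-map DENY-ALL deny 10
!
router bgp 65000
 bgp log-neighbor-changes
 no synchronization
 neighbor 192.0.2.1 remote-as 65000
 neighbor 192.0.2.1 description core-rr
 neighbor 192.0.2.1 password CHANGE-ME-BGP
 neighbor 192.0.2.1 route-map DENY-ALL out
 no auto-summary
!
! Public VTYs: short idle and absolute timeouts, no outbound telnet/ssh hopping.
banner login ^C
Route view server - public read-only access. Sessions are logged.
^C
line vty 0 4
 exec-timeout 3 0
 absolute-timeout 15
 transport input telnet
 transport output none
 logging synchronous
```

Two things worth checking after loading this: log in as the public user and confirm that `show running-config`, `enable` and `telnet` all fail to parse inside the view, and confirm on the core that `show ip bgp neighbors 192.0.2.10 received-routes` is empty, since the deny-all route-map is what keeps a mistake on this box from ever reaching your production table.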
> > Thanks,
> >
> > Felix

From leonardo.souza at nec.com.br Wed Oct 8 15:47:04 2008 From: leonardo.souza at nec.com.br (Leonardo Gama Souza) Date: Wed, 8 Oct 2008 16:47:04 -0300 Subject: [c-nsp] RES: DMVPN IPSEC Issue In-Reply-To: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> References: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> Message-ID: <9E07F8717FE8BC4FBAE6860F61EA6C1D01B0D40D@spsrvmail03.nec.br>

Hi!

Decrease the ISAKMP keepalive. For example:

crypto isakmp keepalive 10

Cheers, Leonardo Gama

-----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Felix Nkansah Sent: Wednesday, 8 October 2008 15:05 To: cisco-nsp at puck.nether.net Subject: [c-nsp] DMVPN IPSEC Issue

Hi All,

I have a lab setup of 3 routers in a hub-and-spoke topology. I have configured DMVPN with R1 being the hub. These routers all connect through a switch.

The problem I experience is that, if the hub router goes off (because I reboot it or shut down the WAN interface), the ISAKMP and IPSEC associations remain active on the spokes.

As such when the hub router comes back up, the spokes try to use the existing SAs to communicate with it, which results in 'Invalid SPI errors' on the Hub with no connectivity as such.

I resolve this problem manually by clearing crypto sessions on the spokes.

I would like to know if there is a way to let the spokes time-out their SA sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes unavailable for some seconds.

Waiting on your reply.
Thanks, Felix

From kristian at spritelink.net Wed Oct 8 17:32:04 2008 From: kristian at spritelink.net (Kristian Larsson) Date: Wed, 8 Oct 2008 23:32:04 +0200 Subject: [c-nsp] Netflow collection problem with AS traffic In-Reply-To: <8097baf0810060344t78cb8d63jfe589bfed7511fcc@mail.gmail.com> References: <8097baf0810060344t78cb8d63jfe589bfed7511fcc@mail.gmail.com> Message-ID: <20081008213204.GE49596@spritelink.se>

On Mon, Oct 06, 2008 at 12:44:26PM +0200, Yann Gauteron wrote:
> Hello the list,
>
> I am a new talker here, but an attentive reader and I appreciate the level
> of your discussions, guys.
>
> As I am having some suspect behaviour with one of my (in fact one of my
> customer's) border routers, I'd like to read about your experience and maybe
> you already have had such a misbehaviour.
>
> I use as a BGP border router a Cisco uBR10012 CMTS (Cable Modem Termination
> System). This device is close to Cisco 10000 Series routers, but with
> dedicated interfaces for CATV operators offering Internet services.
>
> Initially, this BGP border (AS65100) had 2 BGP peerings with AS65001 (these
> are not the actual ASN): - one peering is the main and active peering; -
> the second one is the backup with no traffic exchanged.
>
> I installed at this customer a nice free software, called AS-stats (
> https://neon1.net/as-stats/, a presentation of this tool is here
> https://neon1.net/as-stats/as-stats-presentation-swinog16.pdf) permitting to
> visualize the traffic received from / sent to an AS on a given peering. This
> tool works based on the Netflow data. We successfully used this tool for
> weeks without noticing reporting problems.
>
> Last week, an additional peering was established with AS65002.
> No special policies were defined in the route-map for the routes learned
> from this new AS. So BGP should have been able to route traffic according
> to the AS-Path length.
>
> Since that time, we noticed that the reporting on the AS-stats was not
> updated for the ASes which were routed to that new AS65002 peer! We rerouted
> (filtered in the route-maps) most of the ASes back to the older BGP peer, but
> 2 (the ASN for the provider we already peered with and the ASN for a network
> where we have a lot of traffic). We expected to have the reporting back for
> all ASes that were rerouted back. We were wrong... Reporting is not present
> for these ASes, only for the ASes that always remained on the initial peering.
>
> The problem is not located in the AS-stats tool, as I put some trace points
> in the code and noticed that it receives Netflow data, but not for the ASes
> that lack reporting.
>
> For your information, you have attached a diagram of the simple BGP
> topology, and a partial show running (anonymized and focusing on Netflow
> configuration + BGP).
>
> So comes my question: Have some of you already encountered some bad
> experience with Netflow on Cisco routers (especially 10000 Series or
> uBR10012) when dealing with BGP AS information? Have you already seen such a
> Netflow blocking of information? Is there any suggested workaround according
> to your experience?

Perhaps not what you want to hear.. but when I've hacked together tools to parse NetFlow data I've tended to use a separate BGP table on the collector to look up information. That way you can get more than just the src/dst AS which you usually get via NetFlow.

I could probably provide you with some sample code if you're interested.

Kind regards, Kristian.
-- Kristian Larsson KLL-RIPE Network Engineer / Internet Core Tele2 / SWIPnet [AS1257] +46 704 910401 kll at spritelink.net From tbaranski at mail.com Wed Oct 8 18:03:39 2008 From: tbaranski at mail.com (Terry Baranski) Date: Wed, 8 Oct 2008 18:03:39 -0400 Subject: [c-nsp] DMVPN IPSEC Issue In-Reply-To: <20081008200449.GA5373@rtp-cse-489.cisco.com> Message-ID: <001201c92991$b9094900$0200000a@pleth0ra> Yep -- though on both sides, right? My understanding is DPD is negotiated and only used if both sides support it. -Terry > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Rodney Dunn > Sent: Wednesday, October 08, 2008 4:05 PM > To: Felix Nkansah > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] DMVPN IPSEC Issue > > > I think you need DPD on the spokes for that to happen. > > crypto isakmp keepalive 10 2 > > Rodney > > On Wed, Oct 08, 2008 at 06:05:11PM +0000, Felix Nkansah wrote: > > Hi All, > > I have a lab setup of 3 routers in a hub-and-spoke topology. I have > > configured DMVPN with R1 being the hub. These routers all > connect through a > > switch. > > > > The problem I experience is that, if the hub router goes > off (because I > > reboot it or shut down the WAN interface), the ISAKMP and > IPSEC associations > > remain active on the spokes. > > > > As such when the hub router comes back up, the spokes try to use the > > existing SAs to communicate with it, which results in > 'Invalid SPI errors' > > on the Hub with no connectivity as such. > > > > I resolve this problem manually by clearing crypto sessions > on the spokes. > > > > I would like to know if there is a way to let the spokes > time-out their SA > > sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes > > unavailable for some seconds. > > > > Waiting on your reply. 
> > > > Thanks, > > > > Felix > > _______________________________________________ > > cisco-nsp mailing list cisco-nsp at puck.nether.net > > https://puck.nether.net/mailman/listinfo/cisco-nsp > > archive at http://puck.nether.net/pipermail/cisco-nsp/ > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From dlists95 at gmail.com Wed Oct 8 22:28:27 2008 From: dlists95 at gmail.com (d lists) Date: Wed, 8 Oct 2008 20:28:27 -0600 Subject: [c-nsp] DMVPN IPSEC Issue In-Reply-To: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> References: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> Message-ID: <7383823e0810081928r3a7eb9dco177fbfc4802f56e9@mail.gmail.com> crypto isakmp invalid-spi-recovery http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_ispir.html -dlists On Wed, Oct 8, 2008 at 12:05 PM, Felix Nkansah wrote: > Hi All, > I have a lab setup of 3 routers in a hub-and-spoke topology. I have > configured DMVPN with R1 being the hub. These routers all connect through a > switch. > > The problem I experience is that, if the hub router goes off (because I > reboot it or shut down the WAN interface), the ISAKMP and IPSEC > associations > remain active on the spokes. > > As such when the hub router comes back up, the spokes try to use the > existing SAs to communicate with it, which results in 'Invalid SPI errors' > on the Hub with no connectivity as such. > > I resolve this problem manually by clearing crypto sessions on the spokes. > > I would like to know if there is a way to let the spokes time-out their SA > sessions and re-initiate Phase 1 & 2 negotiations if the Hub becomes > unavailable for some seconds. > > Waiting on your reply. 
> > Thanks, > > Felix > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > From mailinglist at bangky.net Wed Oct 8 22:32:08 2008 From: mailinglist at bangky.net (Ang Kah Yik) Date: Thu, 9 Oct 2008 10:32:08 +0800 Subject: [c-nsp] BGP route flap damping In-Reply-To: References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com> Message-ID: <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> Hi Ajeet, Thank you for your reply. Yes, we are multi-homed to our main upstream AS, as well another upstream provider. I have taken a brief look at the paper you recommended but have not yet had the time to digest the information in it. Meanwhile, can we assume (in general) that the conclusion to my original post is that route flap damping is more of a "legacy feature" these days and we can, to a larger extent, disregard it? On Tue, Oct 7, 2008 at 11:56 PM, Ajeet Bagga wrote: > On Oct 7, 2008, at 7:40 AM, Ang Kah Yik wrote: > > Hi, >> >> Thanks for sharing your opinion on the disabling of damping as a BCP. >> Yes, this is something that we've taken into consideration. >> >> However, route flap damping is still in use in a number of networks out >> there. >> Thus, we would like to obtain feedback on how the damping of a flap by >> a transit provider may affect our connectivity. >> > > Are you multihomed to this transit? To other upstreams? Depending on the > RFD implementation, withdrawal triggered suppression will indeed affect your > connectivity. For analysis of arguments against RFD, specifically how it > applies to your case, read the sigcomm presentation, < > http://conferences.sigcomm.org/sigcomm/2002/papers/routedampening.html>. 
> White paper is available via the ACM portal, < > http://portal.acm.org/citation.cfm?id=633047>. > > ~ > Ajeet Bagga > Sr. Network Engineer > Cloud Computing Infrastructure and Services > EMC > -- Ang Kah Yik (bangky) - http://blog.bangky.net From xdsgrrr at consultcommerce.com Thu Oct 9 03:23:12 2008 From: xdsgrrr at consultcommerce.com (xdsgrrr) Date: Thu, 09 Oct 2008 10:23:12 +0300 Subject: [c-nsp] BGP route flap damping In-Reply-To: <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com> <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> Message-ID: <1223536992.65523.10.camel@so1-ay279.globul.bg> No we can't say this is a legacy feature because ISPs still use this feature and only a few small ISP is disabled this because they dont't have a time to read RFC and RIPE documents or for other reasons ;)) . br, Atanas Yankov On Thu, 2008-10-09 at 10:32 +0800, Ang Kah Yik wrote: > Hi Ajeet, > Thank you for your reply. > Yes, we are multi-homed to our main upstream AS, as well another upstream > provider. > > I have taken a brief look at the paper you recommended but have not yet had > the time to digest the information in it. > > Meanwhile, can we assume (in general) that the conclusion to my original > post is that route flap damping is more of a "legacy feature" these days and > we can, to a larger extent, disregard it? > > On Tue, Oct 7, 2008 at 11:56 PM, Ajeet Bagga wrote: > > > On Oct 7, 2008, at 7:40 AM, Ang Kah Yik wrote: > > > > Hi, > >> > >> Thanks for sharing your opinion on the disabling of damping as a BCP. > >> Yes, this is something that we've taken into consideration. > >> > >> However, route flap damping is still in use in a number of networks out > >> there. 
> >> Thus, we would like to obtain feedback on how the damping of a flap by > >> a transit provider may affect our connectivity. > >> > > > > Are you multihomed to this transit? To other upstreams? Depending on the > > RFD implementation, withdrawal triggered suppression will indeed affect your > > connectivity. For analysis of arguments against RFD, specifically how it > > applies to your case, read the sigcomm presentation, < > > http://conferences.sigcomm.org/sigcomm/2002/papers/routedampening.html>. > > White paper is available via the ACM portal, < > > http://portal.acm.org/citation.cfm?id=633047>. > > > > ~ > > Ajeet Bagga > > Sr. Network Engineer > > Cloud Computing Infrastructure and Services > > EMC > > > > > From peter at rathlev.dk Thu Oct 9 04:24:30 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Thu, 09 Oct 2008 10:24:30 +0200 Subject: [c-nsp] BGP route flap damping In-Reply-To: <1223536992.65523.10.camel@so1-ay279.globul.bg> References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com> <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> <1223536992.65523.10.camel@so1-ay279.globul.bg> Message-ID: <1223540670.21975.2.camel@abehat> On Thu, 2008-10-09 at 10:32 +0800, Ang Kah Yik wrote: > > Meanwhile, can we assume (in general) that the conclusion to my > > original post is that route flap damping is more of a "legacy > > feature" these days and we can, to a larger extent, disregard it? On Thu, 2008-10-09 at 10:23 +0300, xdsgrrr wrote: > No we can't say this is a legacy feature because ISPs still use this > feature and only a few small ISP is disabled this because they dont't > have a time to read RFC and RIPE documents or for other reasons ;)) . 
Like for example http://www.ripe.net/docs/ripe-378.txt, which states in its "4.0 Recommendations":

"""
4.0 Recommendation

This Routing Working Group document proposes that with the current implementations of BGP flap damping, the application of flap damping in ISP networks is NOT recommended. The recommendations given in ripe-229 and previous documents [2] are considered obsolete henceforth.

If flap damping is implemented, the ISP operating that network will cause side-effects to their customers and the Internet users of their customers' content and services as described in the previous sections. These side-effects would quite likely be worse than the impact caused by simply not running flap damping at all.
"""

It's not completely wrong to say that new installations can disregard RFD. AFAIK it's no longer considered Best Practice.

Regards,
Peter

From extrememasta at gmail.com Thu Oct 9 04:26:33 2008
From: extrememasta at gmail.com (xdsgrrr)
Date: Thu, 9 Oct 2008 11:26:33 +0300
Subject: [c-nsp] BGP route flap damping
Message-ID: <6c78cd10810090126r766db51akbb1be5d8d25a507c@mail.gmail.com>

There are no over-generalizations in this dude's statements; it's true, only a few ISPs don't use this.

route-views.oregon-ix.net>sh ip bgp fl reg _17992_
BGP table version is 7792882, local router ID is 198.32.162.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          From             Flaps Duration Reuse    Path
*  203.223.128.0/19 134.55.200.1     2     00:21:52          293 7473 24218 17992
*                   216.218.252.164  2     00:21:52          6939 7473 24218 17992

Can you explain this to me? Or is this not happening to you right now? I pasted you several route server outputs, do you need more?
route-server.ip.tiscali.net>sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    : 2000          Reuse penalty    : 750

route-views.oregon-ix.net>sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    : 2000          Reuse penalty    : 750

Swisscom-IP>sh ip bgp dampening parameters
 dampening 15 750 2000 60 (route-map ipp-damping 30)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    : 2000          Reuse penalty    : 750

route-server.ip.att.net> sh ip bgp dampening parameters
 dampening 15 750 2000 60 (DEFAULT)
  Half-life time      : 15 mins       Decay Time       : 2320 secs
  Max suppress penalty: 12000         Max suppress time: 60 mins
  Suppress penalty    : 2000          Reuse penalty    : 750

From mtinka at globaltransit.net Thu Oct 9 03:32:29 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 9 Oct 2008 15:32:29 +0800
Subject: [c-nsp] BGP route flap damping
In-Reply-To: <1223536992.65523.10.camel@so1-ay279.globul.bg>
References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> <1223536992.65523.10.camel@so1-ay279.globul.bg>
Message-ID: <200810091532.30252.mtinka@globaltransit.net>

On Thursday 09 October 2008 15:23:12 xdsgrrr wrote:

> No we can't say this is a legacy feature because ISPs
> still use this feature and only a few small ISP is
> disabled this because they dont't have a time to read RFC
> and RIPE documents or for other reasons ;)) . br,
> Atanas Yankov

I think that's an over-generalization, and you probably need to ask around a lot more before you make a blanket claim.

We worked with RFD many years back. It caused more harm than good. We stopped working with RFD and won't ever work with it again.

Cheers,

Mark.
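To make the numbers in those "sh ip bgp dampening parameters" outputs concrete, here is an added Python model of the damping penalty arithmetic; it is not code from the thread or from any vendor. It assumes the usual 1000-point penalty per withdrawal, that a route is suppressed once its penalty exceeds the suppress limit and released once it has decayed below the reuse limit, that the penalty halves every half-life, and that the ceiling is reuse × 2^(max-suppress / half-life), which is where the 12000 in the output comes from (750 × 2^(60/15)).

```python
import math
from dataclasses import dataclass, field

FLAP_PENALTY = 1000  # points added per withdrawal (assumed, the common IOS default)


@dataclass(frozen=True)
class DampingParams:
    """Same order as `bgp dampening <half-life> <reuse> <suppress> <max-suppress>`."""
    half_life_min: float = 15
    reuse: int = 750
    suppress: int = 2000
    max_suppress_min: float = 60

    def max_penalty(self) -> float:
        # A route held for max-suppress minutes must decay from this value down to `reuse`,
        # so anything above it would be suppressed for longer than the configured maximum.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


@dataclass
class DampedRoute:
    params: DampingParams = field(default_factory=DampingParams)
    penalty: float = 0.0
    last_update_min: float = 0.0
    suppressed: bool = False

    def _decay_to(self, now_min: float) -> None:
        """Apply exponential decay (half-life) up to `now_min` and release if below reuse."""
        elapsed = now_min - self.last_update_min
        self.penalty *= 2 ** (-elapsed / self.params.half_life_min)
        self.last_update_min = now_min
        if self.suppressed and self.penalty < self.params.reuse:
            self.suppressed = False

    def flap(self, now_min: float) -> None:
        self._decay_to(now_min)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.params.max_penalty())
        if self.penalty > self.params.suppress:
            self.suppressed = True

    def is_suppressed(self, now_min: float) -> bool:
        self._decay_to(now_min)
        return self.suppressed

    def minutes_until_reuse(self, now_min: float) -> float:
        """Time until the penalty decays below the reuse limit (0 if not suppressed)."""
        self._decay_to(now_min)
        if not self.suppressed:
            return 0.0
        return self.params.half_life_min * math.log2(self.penalty / self.params.reuse)


def simulate(flap_times_min, check_times_min, params=DampingParams()):
    """Return {check_time: suppressed?} for a route that flapped at the given minutes."""
    route = DampedRoute(params)
    events = sorted([(t, "flap") for t in flap_times_min]
                    + [(t, "check") for t in check_times_min])
    result = {}
    for t, kind in events:
        if kind == "flap":
            route.flap(t)
        else:
            result[t] = route.is_suppressed(t)
    return result


if __name__ == "__main__":
    p = DampingParams()
    print("max penalty:", p.max_penalty())                 # 12000.0
    print(simulate([0, 0, 0], [10, 29, 31]))              # three quick flaps: held ~30 min
    print(simulate([0, 1], [1]))                          # two flaps: history only
```

With the defaults, two flaps (as in the route-views entry above, which shows history but no "d" flag) stay just under the suppress limit, three flaps in quick succession suppress the prefix for about 30 minutes, and a burst of flaps is capped at 12000 points, i.e. the full 60-minute maximum. The model is what an operator can use to reason about how long a customer prefix stays unreachable through a damping transit after an incident, which is the concern raised at the start of the thread.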
From mtinka at globaltransit.net Thu Oct 9 03:18:46 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Thu, 9 Oct 2008 15:18:46 +0800
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-liteenvironment
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net> <200810081422.06876.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com>
Message-ID: <200810091518.51811.mtinka@globaltransit.net>

On Wednesday 08 October 2008 17:12:07 Oliver Boehmer (oboehmer) wrote:

> right, this got changed in 12.3(4)T, 12.0(27)S,
> 12.2(25)S, 12.2(18)SXE and others where IOS no longer
> allocates a PDB per OSPF vrf instance, so you are not
> limited by the 32 PDB instances any longer..

Great news!

We focus mostly on l2vpn's, but it's good to know this limitation no longer exists if we do get customers insistent on OSPF for a PE-CE routing protocol.

I recall IS-IS had the same issue in IOS. Do the new train revisions also include this fix?

We are on SRC1 (moving to SRC2).

Cheers,

Mark.
From oboehmer at cisco.com Thu Oct 9 05:44:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Thu, 9 Oct 2008 11:44:33 +0200
Subject: [c-nsp] Maximum number of OSPF instances in a VRF-liteenvironment
In-Reply-To: <200810091518.51811.mtinka@globaltransit.net>
References: <6BD8EAF375994062B414882927BDCB17@mcpick.net> <200810081422.06876.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com> <200810091518.51811.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840627DCF7@xmb-ams-333.emea.cisco.com>

Mark Tinka wrote on Thursday, October 09, 2008 9:19 AM:

> On Wednesday 08 October 2008 17:12:07 Oliver Boehmer
> (oboehmer) wrote:
>
>> right, this got changed in 12.3(4)T, 12.0(27)S,
>> 12.2(25)S, 12.2(18)SXE and others where IOS no longer
>> allocates a PDB per OSPF vrf instance, so you are not
>> limited by the 32 PDB instances any longer..
>
> Great news!
>
> We focus mostly on l2vpn's, but it's good to know this
> limitation no longer exists if we do get customers
> insistent on OSPF for a PE-CE routing protocol.

ack, this makes it very attractive.. and using per-process spf/lsa-gen timers also adds some level of "protection" (i.e. not converge as aggressively as in the core)

> We are on SRC1 (moving to SRC2).

SRC also has this enhancement..

> I recall IS-IS had the same issue in IOS. Do the new train
> revisions also include this fix?

Well, IIRC, IS-IS as PE-CE routing protocol isn't available, the "IS-IS Support for an IS-IS Instance per VRF for IP" feature is only suitable in a vrf-lite environment (i.e. the redistribution from and to MP-iBGP is not implemented).. I think each ISIS vrf instance takes up a PDB (so you'd be limited here).
oli From gary.ciscomail at gmail.com Thu Oct 9 07:27:00 2008 From: gary.ciscomail at gmail.com (Gary Roberton) Date: Thu, 9 Oct 2008 12:27:00 +0100 Subject: [c-nsp] NAT in VRF In-Reply-To: References: Message-ID: Can someone please confirm for me that you can have the same IP address in different VRFs natted to different destinations. In other words; 217.1.1.1 nat to 10.1.1.1 in VRF A 217.1.1.1 nat to 192.168.1.1 in VRF B I can't see any reason why not. What about if using VRF-Lite on a 3845, does that make any difference? Its a funny question but I have been asked this and have no access to the kit to prove it working and I have to have a solid answer. Thanks. Gary From gary.ciscomail at gmail.com Thu Oct 9 07:27:40 2008 From: gary.ciscomail at gmail.com (Gary Roberton) Date: Thu, 9 Oct 2008 12:27:40 +0100 Subject: [c-nsp] Fwd: NAT in VRF In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Gary Roberton Date: Wed, Oct 8, 2008 at 10:13 AM Subject: NAT in VRF To: "cisco-nsp at puck.nether.net" Can someone please confirm for me that you can have the same IP address in different VRFs natted to different destinations. In other words; 217.1.1.1 nat to 10.1.1.1 in VRF A 217.1.1.1 nat to 192.168.1.1 in VRF B I can't see any reason why not. What about if using VRF-Lite on a 3845, does that make any difference? Its a funny question but I have been asked this and have no access to the kit to prove it working and I have to have a solid answer. Thanks. 
Gary From mailinglist at bangky.net Thu Oct 9 08:38:35 2008 From: mailinglist at bangky.net (Ang Kah Yik) Date: Thu, 9 Oct 2008 20:38:35 +0800 Subject: [c-nsp] [j-nsp] BGP route flap damping In-Reply-To: <48EDC2EB.3040804@heanet.ie> References: <2ad168fd0810070305o6e5295f9v9be590e6adc6727@mail.gmail.com> <746ca6da0810070358y1ef1f399q53819cd5e514348c@mail.gmail.com> <2ad168fd0810070440h24b63b48he546340fec137380@mail.gmail.com> <2ad168fd0810081932n353fd7d1o4a2614c2649efe73@mail.gmail.com> <48EDC2EB.3040804@heanet.ie> Message-ID: <2ad168fd0810090538y1cc240b8nbb24f0c769f30210@mail.gmail.com> Hi all on list, Thanks to all who have replied. I have taken a look at the RIPE documents and some of the presentations from the NANOG archive. Admittedly, I'm not well acquainted with the discrete mathematics used in some of the recommend reading materials. However, considering the inputs from the replies on-list as well as the materials I have looked through, I think the general discussion about route flap damping can be summarized as the following: - Vendor implementations tend to dampen entire prefixes instead of the specific paths that are flapping - Vendor default thresholds/penalties are far too strict - Disabling RFD is probably better for routing stability and troubleshooting than enabling the current vendor implementations of RFD. - Disabling RFD should be highly considered if router CPUs can handle it If there are any more points to add to this list, please feel free to do so. Otherwise, thanks once more to all on list who have shared their views. On Thu, Oct 9, 2008 at 4:38 PM, Daniel Lete wrote: > Hello Ang, > For what is worth and adding to Ajeet pointers, this is the RIPE > recommendation on the subject. > > http://www.ripe.net/ripe/docs/ripe-378.html#recommendation > > Regards, > Daniel > > > > > > > "Ang Kah Yik" wrote the following on 09/10/2008 03:32: > > Hi Ajeet, >> Thank you for your reply. 
>> Yes, we are multi-homed to our main upstream AS, as well another upstream >> provider. >> >> I have taken a brief look at the paper you recommended but have not yet >> had >> the time to digest the information in it. >> >> Meanwhile, can we assume (in general) that the conclusion to my original >> post is that route flap damping is more of a "legacy feature" these days >> and >> we can, to a larger extent, disregard it? >> >> On Tue, Oct 7, 2008 at 11:56 PM, Ajeet Bagga wrote: >> >> On Oct 7, 2008, at 7:40 AM, Ang Kah Yik wrote: >>> >>> Hi, >>> >>>> Thanks for sharing your opinion on the disabling of damping as a BCP. >>>> Yes, this is something that we've taken into consideration. >>>> >>>> However, route flap damping is still in use in a number of networks out >>>> there. >>>> Thus, we would like to obtain feedback on how the damping of a flap by >>>> a transit provider may affect our connectivity. >>>> >>>> Are you multihomed to this transit? To other upstreams? Depending on >>> the >>> RFD implementation, withdrawal triggered suppression will indeed affect >>> your >>> connectivity. For analysis of arguments against RFD, specifically how it >>> applies to your case, read the sigcomm presentation, < >>> http://conferences.sigcomm.org/sigcomm/2002/papers/routedampening.html>. >>> White paper is available via the ACM portal, < >>> http://portal.acm.org/citation.cfm?id=633047>. >>> >>> ~ >>> Ajeet Bagga >>> Sr. 
Network Engineer >>> Cloud Computing Infrastructure and Services >>> EMC >>> >>> >> >> >> > -- > Don't Forget to register for our 8th Annual Networking Conference > 13th and 14th November 2008: http://www.heanet.ie/conferences/2008/ > - > Daniel Lete Murugarren > HEAnet Limited, Ireland's Education and Research Network > 1st Floor, 5 George's Dock, IFSC, Dublin 1 > Registered in Ireland, no 275301 tel: +353-1-660 9040 fax: +353-1-660 > 3666 > web: http://www.heanet.ie/ > -- Ang Kah Yik (bangky) - http://blog.bangky.net From luan at netcraftsmen.net Thu Oct 9 09:04:51 2008 From: luan at netcraftsmen.net (Luan Nguyen) Date: Thu, 9 Oct 2008 09:04:51 -0400 Subject: [c-nsp] Fwd: NAT in VRF In-Reply-To: References: Message-ID: <03dc01c92a0f$9d903700$d8b0a500$@net> Yes you can. I used to do that with 2 VRF-Lites on 2 DMVPN tunnels. Platform doesn't make any different. Luan Nguyen Chesapeake NetCraftsmen, LLC. www.NetCraftsmen.net -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton Sent: Thursday, October 09, 2008 7:28 AM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Fwd: NAT in VRF ---------- Forwarded message ---------- From: Gary Roberton Date: Wed, Oct 8, 2008 at 10:13 AM Subject: NAT in VRF To: "cisco-nsp at puck.nether.net" Can someone please confirm for me that you can have the same IP address in different VRFs natted to different destinations. In other words; 217.1.1.1 nat to 10.1.1.1 in VRF A 217.1.1.1 nat to 192.168.1.1 in VRF B I can't see any reason why not. What about if using VRF-Lite on a 3845, does that make any difference? Its a funny question but I have been asked this and have no access to the kit to prove it working and I have to have a solid answer. Thanks. 
Gary _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From timothy.arnold at uksolutions.co.uk Thu Oct 9 09:54:15 2008 From: timothy.arnold at uksolutions.co.uk (Timothy Arnold) Date: Thu, 9 Oct 2008 14:54:15 +0100 Subject: [c-nsp] Maximum number of OSPF instances in aVRF-liteenvironment In-Reply-To: <200810091518.51811.mtinka@globaltransit.net> References: <6BD8EAF375994062B414882927BDCB17@mcpick.net><200810081422.06876.mtinka@globaltransit.net><70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com> <200810091518.51811.mtinka@globaltransit.net> Message-ID: Slightly off the topic. Is there any advantages for using OSPF for PE-CE routing? Or is it down to what the customer wants? I assume that most operators will use BGP (or maybe EIGRP?) -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka Sent: 09 October 2008 08:19 To: Oliver Boehmer (oboehmer) Cc: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Maximum number of OSPF instances in a VRF-liteenvironment On Wednesday 08 October 2008 17:12:07 Oliver Boehmer (oboehmer) wrote: > right, this got changed in 12.3(4)T, 12.0(27)S, > 12.2(25)S, 12.2(18)SXE and others where IOS no longer > allocates a PDB per OSPF vrf instance, so you are not > limited by the 32 PDB instances any longer.. Great news! We focus mostly on l2vpn's, but it's good to know this limitation no longer exists if we do get customers insistent on OSPF for a PE-CE routing protocol. I recall IS-IS had the same issue in IOS. Do the new train revisions also include this fix? We are on SRC1 (moving to SRC2). Cheers, Mark. 
Timothy Arnold Senior Engineer, Network & Security Group, UKSolutions Telephone: 0845 004 1333, option 2 Email: timothy.arnold at uksolutions.co.uk Web: http://www.uksolutions.co.uk/ UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered in England Number 3036806 This email must be read in conjunction with the legal & service notices on http://www.uksolutions.co.uk/disclaimer From oboehmer at cisco.com Thu Oct 9 10:40:08 2008 From: oboehmer at cisco.com (Oliver Boehmer (oboehmer)) Date: Thu, 9 Oct 2008 16:40:08 +0200 Subject: [c-nsp] Maximum number of OSPF instances in aVRF-liteenvironment In-Reply-To: References: <6BD8EAF375994062B414882927BDCB17@mcpick.net><200810081422.06876.mtinka@globaltransit.net><70B7A1CCBFA5C649BD562B6D9F7ED7840627D6BB@xmb-ams-333.emea.cisco.com> <200810091518.51811.mtinka@globaltransit.net> Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840627DF28@xmb-ams-333.emea.cisco.com> Timothy Arnold wrote on Thursday, October 09, 2008 3:54 PM: > Slightly off the topic. > > Is there any advantages for using OSPF for PE-CE routing? Or is it > down to what the customer wants? I assume that most operators will > use BGP (or maybe EIGRP?) I guess most prefer eBGP due to it's scalability and level of control, but at the end it's the customer's requirements (or the product marketing's requirements) which dictate that.. Another aspect is the fact that many (most?) PE-CE links actually terminate on a managed CE (managed by the same entity as the PE), so the protocol between the two is up to the MPLS provider's discretion (and most often ends up being eBGP). The CE then can redistribute BGP into the customer's IGP (whatever it uses) without all the scalability issues you need to consider on a PE possibly hosting hundreds or more PE-CE links.. 
oli > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka > Sent: 09 October 2008 08:19 > To: Oliver Boehmer (oboehmer) > Cc: cisco-nsp at puck.nether.net > Subject: Re: [c-nsp] Maximum number of OSPF instances in a > VRF-liteenvironment > > On Wednesday 08 October 2008 17:12:07 Oliver Boehmer > (oboehmer) wrote: > >> right, this got changed in 12.3(4)T, 12.0(27)S, >> 12.2(25)S, 12.2(18)SXE and others where IOS no longer >> allocates a PDB per OSPF vrf instance, so you are not >> limited by the 32 PDB instances any longer.. > > Great news! > > We focus mostly on l2vpn's, but it's good to know this > limitation no longer exists if we do get customers > insistent on OSPF for a PE-CE routing protocol. > > I recall IS-IS had the same issue in IOS. Do the new train > revisions also include this fix? > > We are on SRC1 (moving to SRC2). > > Cheers, > > Mark. > > > Timothy Arnold > Senior Engineer, Network & Security Group, UKSolutions > > Telephone: 0845 004 1333, option 2 > Email: timothy.arnold at uksolutions.co.uk > Web: http://www.uksolutions.co.uk/ > UKS Ltd, Birmingham Road, Studley, Warwickshire, B80 7BG Registered > in England Number 3036806 > This email must be read in conjunction with the legal & service > notices on http://www.uksolutions.co.uk/disclaimer From peterkcc2001 at gmail.com Thu Oct 9 13:59:27 2008 From: peterkcc2001 at gmail.com (kcc) Date: Thu, 9 Oct 2008 13:59:27 -0400 Subject: [c-nsp] command or third party software about switch port Message-ID: Hi all ls any software / command to find out the ip address of the computer which is connecting to switch portxx I want to check this ip of server when the switch portxx is using high bandwidth? 
thanks

From avayner at cisco.com Thu Oct 9 14:34:13 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Thu, 9 Oct 2008 20:34:13 +0200
Subject: [c-nsp] command or third party software about switch port
In-Reply-To: References:
Message-ID: <67F7C1FAF83A074AA3520D8F155782A501F9AE11@xmb-ams-331.emea.cisco.com>

The way to do it is to check the MAC address learned on that port (show mac-address), and then use the "show ip arp" command using that MAC address on the 1st layer 3 hop (the router which is used as L3 default gateway for that VLAN).

Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kcc
Sent: Thursday, October 09, 2008 19:59 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] command or third party software about switch port

Hi all

Is any software / command to find out the ip address of the computer which is connecting to switch portxx

I want to check this ip of server when the switch portxx is using high bandwidth?

thanks

From sgranger at randfinancial.com Thu Oct 9 14:42:49 2008
From: sgranger at randfinancial.com (Sean Granger)
Date: Thu, 09 Oct 2008 13:42:49 -0500
Subject: [c-nsp] command or third party software about switch port
Message-ID:

Solarwinds packages this up, nice and pretty, with its "Switch Port Mapper". You don't want to know how much that costs ... But if you already own the Engineer's toolset, go for it.

>>> "Arie Vayner (avayner)" 10/09/08 01:34PM >>>
The way to do it is to check the MAC address learned on that port (show mac-address), and then use the "show ip arp" command using that MAC address on the 1st layer 3 hop (the router which is used as L3 default gateway for that VLAN).
Arie

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kcc
Sent: Thursday, October 09, 2008 19:59 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] command or third party software about switch port

Hi all

Is any software / command to find out the ip address of the computer which is connecting to switch portxx

I want to check this ip of server when the switch portxx is using high bandwidth?

thanks

From RTeller at deltadentalwa.com Thu Oct 9 14:23:10 2008
From: RTeller at deltadentalwa.com (Teller, Robert)
Date: Thu, 9 Oct 2008 11:23:10 -0700
Subject: [c-nsp] command or third party software about switch port
In-Reply-To: References:
Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01506@tiger.deltadentalwa.com>

One way is to connect to the device and type

  show mac address-table interface gigabitEthernet 1/12

This will give you all mac addresses associated to an interface; copy the mac address and connect to your core router and type

  show ip arp 000b.cd42.4a1c

This will then give you the ip address that goes with that mac address.
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of kcc
Sent: Thursday, October 09, 2008 10:59 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] command or third party software about switch port

Hi all

Is any software / command to find out the ip address of the computer which is connecting to switch portxx

I want to check this ip of server when the switch portxx is using high bandwidth?

thanks

From gordon at suncircle.org Thu Oct 9 15:20:18 2008
From: gordon at suncircle.org (gordon)
Date: Thu, 9 Oct 2008 15:20:18 -0400
Subject: [c-nsp] command or third party software about switch port
In-Reply-To: References:
Message-ID: <20081009152018.3cc1ed91@ngohj6-----wkay>

Cacti has a plugin called mactrack that will do this.

On Thu, 9 Oct 2008 13:59:27 -0400 kcc wrote:

> Hi all
>
> Is any software / command to find out the ip address of the computer
> which is connecting to switch portxx
>
> I want to check this ip of server when the switch portxx is using high
> bandwidth?
> > thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From dlists95 at gmail.com Thu Oct 9 16:58:15 2008 From: dlists95 at gmail.com (d lists) Date: Thu, 9 Oct 2008 14:58:15 -0600 Subject: [c-nsp] Cisco 877 DSL Sync issue Message-ID: <7383823e0810091358u4236f5adwf4cc5112f72dba12@mail.gmail.com> Anyone have any experience getting the Cisco 877 to (not) sync with a Covad DSL circuit? I've tried the built-in firmware in 12.4(15)Tx, along with several versions of the external firmware (3.0.10, 3.0.33, 2.6.4). I've tried hard setting the DSL mode, along with trying a different router and no luck. DSL will not sync up with the Cisco. I've tried a Netopia & Siemens and things sync up no problem. I'm in the process of opening a TAC case & gathering whatever information I'll need from Covad (DSLAM type, firmware, port settings etc.) , but figured I'd ping the list to see if anyone else has ran into this while I wait. Thanks! -dlists From howie at thingy.com Thu Oct 9 18:37:26 2008 From: howie at thingy.com (Howard Jones) Date: Thu, 09 Oct 2008 23:37:26 +0100 Subject: [c-nsp] command or third party software about switch port In-Reply-To: References: Message-ID: <48EE87A6.4050304@thingy.com> kcc wrote: > Hi all > > ls any software / command to find out the ip address of the computer which > is connecting to switch portxx > > I want to check this ip of server when the switch portxx is using high > bandwidth? > I believe nedi (nedi.ch) will do this for you. 
Howie From v_date at indiatimes.com Fri Oct 10 03:04:06 2008 From: v_date at indiatimes.com (v_date at indiatimes.com) Date: Fri, 10 Oct 2008 12:34:06 +0530 (IST) Subject: [c-nsp] Dark fiber Termination requirements Message-ID: <852298343.104081223622246195.JavaMail.root@mbv2.indiatimes.com> Dear all, We are in process of implementing dark fiber in japan for our office in Tokyo and I would require this information if anyone can provide me . The scenario is as follows: Service provider's hub is 20kms away from our office .he will be laying dark fiber from his hub to our office. How can we terminate this fiber in our network? what type of equipments will be required ? Is it possible to terminate this fiber without CWDM equipments.? Hope someone will reply back on this Vinod Date -- Will the all new Indica Vista zip ahead of the Suzuki Swift? Read the expert review on Zigwheels.com http://zigwheels.com/b2cam/reviewsDetails.action?name=Ro11_20080829&path=/INDT/Reviews/Ro11_20080829&page=1&pagecount=9 From felixnkansah at gmail.com Fri Oct 10 04:55:15 2008 From: felixnkansah at gmail.com (Felix Nkansah) Date: Fri, 10 Oct 2008 08:55:15 +0000 Subject: [c-nsp] DMVPN IPSEC Issue In-Reply-To: <7383823e0810081928r3a7eb9dco177fbfc4802f56e9@mail.gmail.com> References: <18dba4e50810081105r21935166kd3f10f7a1b8e9a60@mail.gmail.com> <7383823e0810081928r3a7eb9dco177fbfc4802f56e9@mail.gmail.com> Message-ID: <18dba4e50810100155i13818c11o4153aecfed2c7a14@mail.gmail.com> Thanks to you all for your comments. I would apply them as suggested. 
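The two-step lookup Robert Teller gives in the "command or third party software about switch port" thread above (show mac address-table on the access switch, then show ip arp on the core router that is the gateway for that VLAN) is simple to script once both outputs are parsed. The block below is an added example and is not code from the thread or from any of the tools named in it (mactrack, nedi, netdisco). Both command outputs are constructed samples laid out like the two IOS commands; the IP addresses, the second MAC address and the interface names are made up. It also covers the two cases a manual lookup trips over: more than one MAC on the port, and a MAC the router has no ARP entry for.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of "show mac address-table interface Gi1/12"
# on a Catalyst access switch; not captured from a real device.
MAC_TABLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    000b.cd42.4a1c    DYNAMIC     Gi1/12
  10    0019.aa11.bb22    DYNAMIC     Gi1/12
Total Mac Addresses for this criterion: 2
"""

# Constructed sample in the layout of "show ip arp" on the core router that
# is the default gateway for VLAN 10.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.1.12.25              3   000b.cd42.4a1c  ARPA   Vlan10
Internet  10.1.12.1               -   0000.0c07.ac0a  ARPA   Vlan10
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# vlan, mac, type, port (header and "Total ..." lines do not start with digits)
MAC_ROW = re.compile(r"^\s*(\d+)\s+(" + MAC + r")\s+(\S+)\s+(\S+)\s*$", re.I)
# address, age, mac, type, interface
ARP_ROW = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+(" + MAC + r")\s+\S+\s+(\S+)\s*$", re.I)


def normalize_port(name: str) -> str:
    """Map 'gigabitEthernet 1/12' style names to the short 'gi1/12' form the MAC table prints."""
    name = re.sub(r"\s+", "", name.strip().lower())
    for long, short in (("tengigabitethernet", "te"), ("gigabitethernet", "gi"), ("fastethernet", "fa")):
        if name.startswith(long):
            return short + name[len(long):]
    return name


def parse_mac_table(text: str) -> List[Tuple[int, str, str]]:
    """Return (vlan, mac, port) for every learned-address row."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), normalize_port(m.group(4))))
    return rows


def parse_arp(text: str) -> Dict[str, str]:
    """Return mac -> ip from 'show ip arp' style output."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m:
            table[m.group(2).lower()] = m.group(1)
    return table


def ips_behind_port(mac_text: str, arp_text: str, port: str) -> List[Tuple[str, Optional[str]]]:
    """Join the two tables: every MAC learned on `port`, with its IP, or None when
    the router has no ARP entry for it (host has not talked through the gateway
    recently, or the entry aged out) and the IP has to be found another way."""
    arp = parse_arp(arp_text)
    want = normalize_port(port)
    return [(mac, arp.get(mac)) for _vlan, mac, seen_on in parse_mac_table(mac_text) if seen_on == want]


if __name__ == "__main__":
    for mac, ip in ips_behind_port(MAC_TABLE_OUTPUT, ARP_OUTPUT, "gigabitEthernet 1/12"):
        print(f"{mac}  {ip or '(no ARP entry on router)'}")
```

A port that returns many MACs is usually a trunk, a downstream switch or a hypervisor rather than a single busy server, which is worth knowing before blaming whichever IP happens to come back first.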
From p.mayers at imperial.ac.uk Fri Oct 10 04:55:58 2008 From: p.mayers at imperial.ac.uk (Phil Mayers) Date: Fri, 10 Oct 2008 09:55:58 +0100 Subject: [c-nsp] command or third party software about switch port In-Reply-To: References: Message-ID: <48EF189E.1060404@imperial.ac.uk> kcc wrote: > Hi all > > ls any software / command to find out the ip address of the computer which > is connecting to switch portxx Google "netdisco" > > I want to check this ip of server when the switch portxx is using high > bandwidth? > > thanks > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From dirkjan at os3.nl Fri Oct 10 05:55:12 2008 From: dirkjan at os3.nl (Dirk-Jan van Helmond) Date: Fri, 10 Oct 2008 11:55:12 +0200 (CEST) Subject: [c-nsp] Dark fiber Termination requirements In-Reply-To: <852298343.104081223622246195.JavaMail.root@mbv2.indiatimes.com> References: <852298343.104081223622246195.JavaMail.root@mbv2.indiatimes.com> Message-ID: > Dear all, > We are in process of implementing dark fiber in japan for our office in > Tokyo and I would require this information if anyone can provide me . > The scenario is as follows: > Service provider's hub is 20kms away from our office .he will be laying > dark fiber from his hub to our office. > > How can we terminate this fiber in our network? Jou need dark-routers ;) > what type of equipments will be required ? > Is it possible to terminate this fiber without CWDM equipments.? Dark Fiber is just a cable. I suppose its singlemode. So you can use regular optics. There are some things that you need tot take into account: - What is the end-to-end distance in KM? - Is there active or passive equipment in between? How much dB? - What do you want to transport? FC? Ethernet? 1G? 10G? SONET? 
Regards, Dirk-Jan From v_date at indiatimes.com Fri Oct 10 06:08:27 2008 From: v_date at indiatimes.com (v_date at indiatimes.com) Date: Fri, 10 Oct 2008 15:38:27 +0530 (IST) Subject: [c-nsp] Dark fiber Termination requirements In-Reply-To: Message-ID: <929668884.121911223633307482.JavaMail.root@mbv2.indiatimes.com> We will be using single mode fiber as per the service provider.No idea about the passive equipments as the service provider will only be providing the fiber upto our office and we are supposed to get it terminated on to our network We will be wanting ethernet output and will want to transfer upto 10Gb of data thru that fiber. We will be using this dark fiber as a Leased line from head office to data center. ----- Original Message ----- From: Dirk-Jan van Helmond To: v date Cc: cisco-nsp at puck.nether.net Sent: Fri, 10 Oct 2008 15:25:12 +0530 (IST) Subject: Re: [c-nsp] Dark fiber Termination requirements > Dear all, > We are in process of implementing dark fiber in japan for our office in > Tokyo and I would require this information if anyone can provide me . > The scenario is as follows: > Service provider's hub is 20kms away from our office .he will be laying > dark fiber from his hub to our office. > > How can we terminate this fiber in our network? Jou need dark-routers ;) > what type of equipments will be required ? > Is it possible to terminate this fiber without CWDM equipments.? Dark Fiber is just a cable. I suppose its singlemode. So you can use regular optics. There are some things that you need tot take into account: - What is the end-to-end distance in KM? - Is there active or passive equipment in between? How much dB? - What do you want to transport? FC? Ethernet? 1G? 10G? SONET? Regards, Dirk-Jan -- Will the all new Indica Vista zip ahead of the Suzuki Swift? 
Read the expert review on Zigwheels.com http://zigwheels.com/b2cam/reviewsDetails.action?name=Ro11_20080829&path=/INDT/Reviews/Ro11_20080829&page=1&pagecount=9 From gary.ciscomail at gmail.com Fri Oct 10 06:40:46 2008 From: gary.ciscomail at gmail.com (Gary Roberton) Date: Fri, 10 Oct 2008 11:40:46 +0100 Subject: [c-nsp] Fwd: NAT in VRF In-Reply-To: <03dc01c92a0f$9d903700$d8b0a500$@net> References: <03dc01c92a0f$9d903700$d8b0a500$@net> Message-ID: Thanks Luan Can anyone else confirm this also? Thanks On Thu, Oct 9, 2008 at 2:04 PM, Luan Nguyen wrote: > Yes you can. I used to do that with 2 VRF-Lites on 2 DMVPN tunnels. > Platform doesn't make any different. > > > Luan Nguyen > Chesapeake NetCraftsmen, LLC. > www.NetCraftsmen.net > > > -----Original Message----- > From: cisco-nsp-bounces at puck.nether.net > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton > Sent: Thursday, October 09, 2008 7:28 AM > To: cisco-nsp at puck.nether.net > Subject: [c-nsp] Fwd: NAT in VRF > > ---------- Forwarded message ---------- > From: Gary Roberton > Date: Wed, Oct 8, 2008 at 10:13 AM > Subject: NAT in VRF > To: "cisco-nsp at puck.nether.net" > > > Can someone please confirm for me that you can have the same IP address in > different VRFs natted to different destinations. In other words; > > 217.1.1.1 nat to 10.1.1.1 in VRF A > 217.1.1.1 nat to 192.168.1.1 in VRF B > > I can't see any reason why not. > > What about if using VRF-Lite on a 3845, does that make any difference? > > Its a funny question but I have been asked this and have no access to the > kit to prove it working and I have to have a solid answer. > > Thanks. 
> > Gary > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > > From dirkjan at os3.nl Fri Oct 10 07:04:38 2008 From: dirkjan at os3.nl (Dirk-Jan van Helmond) Date: Fri, 10 Oct 2008 13:04:38 +0200 (CEST) Subject: [c-nsp] Dark fiber Termination requirements In-Reply-To: <929668884.121911223633307482.JavaMail.root@mbv2.indiatimes.com> References: <929668884.121911223633307482.JavaMail.root@mbv2.indiatimes.com> Message-ID: <780ba68ef3240c803f48f51cba3f6114.squirrel@a61.nl> > We will be using single mode fiber as per the service provider.No idea > about the passive equipments as the service provider will only be > providing the fiber upto our office and we are supposed to get it > terminated on to our network > We will be wanting ethernet output and will want to transfer upto 10Gb of > data thru that fiber. > We will be using this dark fiber as a Leased line from head office to data > center. You'll probably get an end-to-end fiber. When the fiber is ready, youll get a measurement rapport with the distance of the fiber and the attenuation. With this information you can buy your optics. For ethernet: 10GBase-LR - 10Km 10GBase-ER - 40Km 10GBase-ZR - 80Km If the distances are bigger, you want SONET or specialized WDM optics. We use MRV optics. They have optics that can transport Ethernet over 200Km. Regards, Dirk-Jan > ----- Original Message ----- > From: Dirk-Jan van Helmond > To: v date > Cc: cisco-nsp at puck.nether.net > Sent: Fri, 10 Oct 2008 15:25:12 +0530 (IST) > Subject: Re: [c-nsp] Dark fiber Termination requirements > >> Dear all, >> We are in process of implementing dark fiber in japan for our office in >> Tokyo and I would require this information if anyone can provide me . 
>> The scenario is as follows: >> Service provider's hub is 20kms away from our office .he will be laying >> dark fiber from his hub to our office. >> >> How can we terminate this fiber in our network? > > Jou need dark-routers ;) > >> what type of equipments will be required ? >> Is it possible to terminate this fiber without CWDM equipments.? > > Dark Fiber is just a cable. I suppose its singlemode. > So you can use regular optics. > > There are some things that you need tot take into account: > - What is the end-to-end distance in KM? > - Is there active or passive equipment in between? How much dB? > - What do you want to transport? FC? Ethernet? 1G? 10G? SONET? > > > Regards, > Dirk-Jan > > > > > > > > > -- > Will the all new Indica Vista zip ahead of the Suzuki Swift? Read the > expert review on Zigwheels.com > http://zigwheels.com/b2cam/reviewsDetails.action?name=Ro11_20080829&path=/INDT/Reviews/Ro11_20080829&page=1&pagecount=9 > From dwinkworth at att.net Fri Oct 10 08:09:30 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Fri, 10 Oct 2008 07:09:30 -0500 Subject: [c-nsp] Fwd: NAT in VRF In-Reply-To: References: <03dc01c92a0f$9d903700$d8b0a500$@net> Message-ID: <48EF45FA.6090506@att.net> http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatvpn.html Here are two different ways to do what you are asking for, I hope! Gary Roberton wrote: > Thanks Luan > > Can anyone else confirm this also? > > Thanks > > On Thu, Oct 9, 2008 at 2:04 PM, Luan Nguyen wrote: > > >> Yes you can. I used to do that with 2 VRF-Lites on 2 DMVPN tunnels. >> Platform doesn't make any different. >> >> >> Luan Nguyen >> Chesapeake NetCraftsmen, LLC. 
>> www.NetCraftsmen.net >> >> >> -----Original Message----- >> From: cisco-nsp-bounces at puck.nether.net >> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton >> Sent: Thursday, October 09, 2008 7:28 AM >> To: cisco-nsp at puck.nether.net >> Subject: [c-nsp] Fwd: NAT in VRF >> >> ---------- Forwarded message ---------- >> From: Gary Roberton >> Date: Wed, Oct 8, 2008 at 10:13 AM >> Subject: NAT in VRF >> To: "cisco-nsp at puck.nether.net" >> >> >> Can someone please confirm for me that you can have the same IP address in >> different VRFs natted to different destinations. In other words; >> >> 217.1.1.1 nat to 10.1.1.1 in VRF A >> 217.1.1.1 nat to 192.168.1.1 in VRF B >> >> I can't see any reason why not. >> >> What about if using VRF-Lite on a 3845, does that make any difference? >> >> Its a funny question but I have been asked this and have no access to the >> kit to prove it working and I have to have a solid answer. >> >> Thanks. >> >> Gary >> _______________________________________________ >> cisco-nsp mailing list cisco-nsp at puck.nether.net >> https://puck.nether.net/mailman/listinfo/cisco-nsp >> archive at http://puck.nether.net/pipermail/cisco-nsp/ >> >> >> > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------------------------------------------------ > > > No virus found in this incoming message. 
> Checked by AVG - http://www.avg.com
> Version: 8.0.173 / Virus Database: 270.8.0/1717 - Release Date: 10/9/2008 4:56 PM
>
>

From networking.stuff at googlemail.com Fri Oct 10 09:31:14 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Fri, 10 Oct 2008 19:01:14 +0530
Subject: [c-nsp] FWSM 4.x with RHI support
Message-ID: <1e7e04890810100631p6c908b15id6fb19313a2b7bd7@mail.gmail.com>

Hi Guys,

I understand that FWSM 4.X software supports RHI to inject any static, NAT pool into the MSFC for servers behind the firewall.

I have set up like this:

servers------(a)FW-context(b)-----vrf----

Idea is like this:

The FWSM's have multiple interfaces. They inject these networks as routes into the VRF-lite. Then the VRF-lite has routes to these networks via the associated FW context.

Now RHI is a way for telling the vrf about a via b without configuring a static route on the vrf.

So can FWSM inject routes via RHI into VRF-lite??

Regards,
Chintan

From peterkcc2001 at gmail.com Fri Oct 10 10:22:57 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Fri, 10 Oct 2008 10:22:57 -0400
Subject: [c-nsp] grep route from many routes and ASA redundant
Message-ID:

Hi all

how can I only check some routes from many routes in command lines

eg: sh ip routes |grep 192.168.3.0/24

and Can I have doc / website to know about ASA redundant setup

Thank you

From gary.ciscomail at gmail.com Fri Oct 10 11:03:23 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Fri, 10 Oct 2008 16:03:23 +0100
Subject: [c-nsp] Why can't I NAT the same address in different VRFs?
Message-ID:

Anyone help me understand why I can't NAT the same address in two different VRFs according to the config below;

!!
ip cef
!
ip vrf one
 rd 1:1
 route-target export 1:1
 route-target import 1:1
!
ip vrf two
 rd 2:2
 route-target export 2:2
 route-target import 2:2
!
interface FastEthernet0/0
 no ip address
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding one
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding two
 ip address 10.0.0.1 255.0.0.0
 ip nat inside
 no snmp trap link-status
!
interface FastEthernet0/1
 no ip address
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip vrf forwarding one
 ip address 217.0.0.1 255.0.0.0
 ip nat outside
 no snmp trap link-status
!
interface FastEthernet0/1.2
 encapsulation dot1Q 2
 ip vrf forwarding two
 ip address 217.0.0.1 255.0.0.0
 ip nat outside
 no snmp trap link-status
!
ip nat source static 217.1.1.1 10.0.0.5 vrf one
!
Router(config)#ip nat source static 217.1.1.1 10.0.0.5 vrf two
% 217.1.1.1 already mapped (217.1.1.1 -> 10.0.0.5)
Router(config)#

Thanks

From peterkcc2001 at gmail.com Fri Oct 10 11:47:14 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Fri, 10 Oct 2008 11:47:14 -0400
Subject: [c-nsp] grep route from many routes and ASA redundant
In-Reply-To:
References:
Message-ID:

sorry.
it can't work

6513#sh ip route|i 192.168.0.0
                ^
% Invalid input detected at '^' marker

On Fri, Oct 10, 2008 at 10:20 AM, Adam Maloney wrote:

> In recent IOS you can do:
>
> show ip route | include xxxxx
>
> Or shorten to: show ip route | i xxxxxx
>
> Regards,
>
> Adam Maloney
>
>
> On Fri, 10 Oct 2008, kcc wrote:
>
> Hi all
>>
>> how can I only check some routes from many routes in command lines
>>
>> eg: sh ip routes |grep 192.168.3.0/24
>>
>> and Can I have doc / website to know about ASA redundant setup
>>
>> Thank you
>>
>>

From rodunn at cisco.com Fri Oct 10 12:27:31 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Fri, 10 Oct 2008 12:27:31 -0400
Subject: [c-nsp] grep route from many routes and ASA redundant
In-Reply-To:
References:
Message-ID: <20081010162731.GC25019@rtp-cse-489.cisco.com>

On Fri, Oct 10, 2008 at 11:47:14AM -0400, kcc wrote:
> sorry.
> it can't work
>
> 6513#sh ip route|i 192.168.0.0
>                 ^
> % Invalid input detected at '^' marker

You need a space in there:

CaptureRouter#sh ip ro | incl 1
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
      10.0.0.0/8 is variably subnetted, 4 subnets, 4 masks
C        10.10.10.0/24 is directly connected, Ethernet0/0
L        10.10.10.2/32 is directly connected, Ethernet0/0
S        10.80.0.0/13 is directly connected, Null0
S        10.153.0.0/16 [1/0] via 10.87.177.254

> On Fri, Oct 10, 2008 at 10:20 AM, Adam Maloney wrote:
>
> > In recent IOS you can do:
> >
> > show ip route | include xxxxx
> >
> > Or shorten to: show ip route | i xxxxxx
> >
> > Regards,
> >
> > Adam Maloney
> >
> > On Fri, 10 Oct 2008, kcc wrote:
> >
> > Hi all
> >>
> >> how can I only check some routes from many routes in command lines
> >>
> >> eg: sh ip routes |grep 192.168.3.0/24
> >>
> >> and Can I have doc / website to know about ASA redundant setup
> >>
> >> Thank you

From p.mayers at imperial.ac.uk Fri Oct 10 12:50:24 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 10 Oct 2008 17:50:24 +0100
Subject: [c-nsp] grep route from many routes and ASA redundant
In-Reply-To:
References:
Message-ID: <48EF87D0.9000405@imperial.ac.uk>

kcc wrote:
> Hi all
>
> how can I only check some routes from many routes in command lines
>
> eg: sh ip routes |grep 192.168.3.0/24

sh ip route | inc 192.168.3.
..as others have mentioned you MUST have spaces. Or you can do this: sh ip route 192.168.3.0 255.255.255.0 longer-prefixes From tahir.uddin at alliancebernstein.com Fri Oct 10 15:49:30 2008 From: tahir.uddin at alliancebernstein.com (Uddin, Tahir) Date: Fri, 10 Oct 2008 15:49:30 -0400 Subject: [c-nsp] Internet Routing Table Size Message-ID: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> Hi All Does anyone have a rough idea on the current internet routing table size. I see about 115K prefixes from one of my providers. Thanks ----------------------------------------- The information contained in the linked e-mail transmission and any attachments may be privileged and confidential and is intended only for the use of the person(s) named in the linked e-mail transmission. If you are not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you should not review, disseminate, distribute or duplicate this e-mail transmission or any attachments . If you are not the intended recipient, please contact the sender immediately by reply e-mail and destroy all copies of the original message. We do not accept account orders and/or instructions related to AllianceBernstein products or services by e-mail, and therefore will not be responsible for carrying out such orders and/or instructions. The linked e-mail transmission and any attachments are provided for informational purposes only and should not be construed in any manner as any solicitation or offer to buy or sell any investment opportunities or any related financial instruments and should not be construed in any manner as a public offer of any investment opportunities or any related financial instruments. 
If you, as the intended recipient of the linked e-mail transmission, the purpose of which is to inform and update our clients, prospects and consultants of developments relating to our services and products, would not like to receive further e-mail correspondence from the sender, please "reply" to the sender indicating your wishes. Although we attempt to sweep e-mail and attachments for viruses, we will not be liable for any damages arising from the alteration of the contents of this linked e-mail transmission and any attachments by a third party or as a result of any virus being passed on. Please note: Trading instructions sent electronically to Bernstein shall not be deemed accepted until a representative of Bernstein acknowledges receipt electronically or by telephone. Comments in the linked e-mail transmission and any attachments are part of a larger body of investment analysis. For our research reports, which contain information that may be used to support investment decisions, and disclosures, see our website at www.bernsteinresearch.com. From jared at puck.nether.net Fri Oct 10 15:55:04 2008 From: jared at puck.nether.net (Jared Mauch) Date: Fri, 10 Oct 2008 15:55:04 -0400 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> Message-ID: <20081010195504.GA19732@puck.nether.net> On Fri, Oct 10, 2008 at 03:49:30PM -0400, Uddin, Tahir wrote: > Hi All > > > > Does anyone have a rough idea on the current internet routing table > size. I see about 115K prefixes from one of my providers. ~270k is the current table size. - Jared -- Jared Mauch | pgp key available via finger from jared at puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine. 
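The "grep route" thread above ends with two different ways to narrow show ip route: an output filter (sh ip route | inc 192.168.3., with the space before the pipe that Rodney Dunn and Phil Mayers point out) and the longer-prefixes form Phil gives. They do not select the same lines. The output filter is a regular expression applied to every line of text, so an unescaped dot matches any character and the pattern also hits next-hop addresses and "is variably subnetted" group headers, while longer-prefixes matches on the route's network. The block below is an added example, not code from the thread; it models both filters against a constructed show ip route sample (made-up prefixes, next hops and interfaces).

```python
import ipaddress
import re
from typing import List

# Constructed sample in the layout of "show ip route"; not from a real router.
# 192.168.30.0/24 and the 10.20.0.0/16 next hop are there on purpose: both are
# caught by the text filter '192.168.3.' but are not inside 192.168.3.0/24.
ROUTE_TABLE = """\
Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.0.0.0/30 is directly connected, FastEthernet0/1
O       10.20.0.0/16 [110/20] via 192.168.3.1, 00:10:02, Vlan30
     192.168.3.0/24 is variably subnetted, 2 subnets, 2 masks
O       192.168.3.0/25 [110/2] via 10.0.0.2, 00:10:02, FastEthernet0/1
O       192.168.3.128/25 [110/2] via 10.0.0.2, 00:10:02, FastEthernet0/1
S    192.168.30.0/24 [1/0] via 10.0.0.2
"""

# A route line carries a prefix followed by an [AD/metric] pair or
# "is directly connected"; the "is variably subnetted" group headers do not.
ROUTE_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?:\[\d+/\d+\]|is directly connected)")


def include_filter(text: str, regex: str) -> List[str]:
    """Model of '| include <regex>': keep every line the regex matches anywhere."""
    return [line for line in text.splitlines() if re.search(regex, line)]


def parse_routes(text: str) -> List[ipaddress.IPv4Network]:
    """Pull the network from each real route line, skipping legend and headers."""
    return [ipaddress.ip_network(m.group(1))
            for m in map(ROUTE_LINE.search, text.splitlines()) if m]


def longer_prefixes(text: str, prefix: str) -> List[ipaddress.IPv4Network]:
    """Model of 'show ip route A.B.C.D MASK longer-prefixes': routes covered by prefix."""
    want = ipaddress.ip_network(prefix)
    return [net for net in parse_routes(text) if net.subnet_of(want)]


if __name__ == "__main__":
    print("include 192.168.3.   ->", len(include_filter(ROUTE_TABLE, r"192.168.3.")), "lines")
    print("include 192\\.168\\.3\\. ->", len(include_filter(ROUTE_TABLE, r"192\.168\.3\.")), "lines")
    print("longer-prefixes      ->", [str(n) for n in longer_prefixes(ROUTE_TABLE, "192.168.3.0/24")])
```

Escaping the dots removes the 192.168.30.0/24 false positive but still leaves the next-hop line and the group header in the output; when the question is "which routes fall inside this block", longer-prefixes is the filter that answers it.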
From r.engehausen at gmail.com Fri Oct 10 15:59:25 2008 From: r.engehausen at gmail.com (Roy) Date: Fri, 10 Oct 2008 12:59:25 -0700 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> Message-ID: <48EFB41D.9000704@gmail.com> http://www.cidr-report.org/as2.0/#General_Status 284K as of today Uddin, Tahir wrote: > Hi All > > > > Does anyone have a rough idea on the current internet routing table > size. I see about 115K prefixes from one of my providers. > > > > Thanks > > From mtinka at globaltransit.net Fri Oct 10 16:00:55 2008 From: mtinka at globaltransit.net (Mark Tinka) Date: Sat, 11 Oct 2008 04:00:55 +0800 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> Message-ID: <200810110401.00587.mtinka@globaltransit.net> On Saturday 11 October 2008 03:49:30 Uddin, Tahir wrote: > Does anyone have a rough idea on the current internet > routing table size. I see about 115K prefixes from one of > my providers. I'd suggest keeping a weekly eye on: http://www.cidr-report.org/as2.0/#General_Status http://thyme.apnic.net/current/data-summary We are seeing an average of about 265,000 routes (south east Asia). Cheers, Mark. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: This is a digitally signed message part. URL: From rgolodner at infratection.com Fri Oct 10 17:01:57 2008 From: rgolodner at infratection.com (Richard Golodner) Date: Fri, 10 Oct 2008 16:01:57 -0500 Subject: [c-nsp] Routing Table Size delivered to you.... 
In-Reply-To: <200810110401.00587.mtinka@globaltransit.net> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> <200810110401.00587.mtinka@globaltransit.net> Message-ID: <8CA2574DC40A4FE99E3D0FFF46283947@Antares> I forgot how, but there exists a weekly digest of the table sizes that you can have emailed to you, or you can look at cidr or apnic too. If anybody remembers the link to the weekly digest please post it so others who may be interested can obtain it as well. most sincerely, Richard -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tinka Sent: Friday, October 10, 2008 3:01 PM To: cisco-nsp at puck.nether.net Subject: Re: [c-nsp] Internet Routing Table Size On Saturday 11 October 2008 03:49:30 Uddin, Tahir wrote: > Does anyone have a rough idea on the current internet > routing table size. I see about 115K prefixes from one of > my providers. I'd suggest keeping a weekly eye on: http://www.cidr-report.org/as2.0/#General_Status http://thyme.apnic.net/current/data-summary We are seeing an average of about 265,000 routes (south east Asia). Cheers, Mark. From ras at e-gerbil.net Fri Oct 10 17:26:27 2008 From: ras at e-gerbil.net (Richard A Steenbergen) Date: Fri, 10 Oct 2008 16:26:27 -0500 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <20081010195504.GA19732@puck.nether.net> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> <20081010195504.GA19732@puck.nether.net> Message-ID: <20081010212627.GT72019@gerbil.cluepon.net> On Fri, Oct 10, 2008 at 03:55:04PM -0400, Jared Mauch wrote: > > Does anyone have a rough idea on the current internet routing table > > size. I see about 115K prefixes from one of my providers. > > ~270k is the current table size. You guys need to control your deaggreates, I'm announcing 264114 to customers currently. 
:) -- Richard A Steenbergen http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) From ploopster at gmail.com Fri Oct 10 23:15:40 2008 From: ploopster at gmail.com (Sridhar Ayengar) Date: Fri, 10 Oct 2008 23:15:40 -0400 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <20081010212627.GT72019@gerbil.cluepon.net> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> <20081010195504.GA19732@puck.nether.net> <20081010212627.GT72019@gerbil.cluepon.net> Message-ID: <48F01A5C.2060905@gmail.com> Richard A Steenbergen wrote: > On Fri, Oct 10, 2008 at 03:55:04PM -0400, Jared Mauch wrote: >>> Does anyone have a rough idea on the current internet routing table >>> size. I see about 115K prefixes from one of my providers. >> ~270k is the current table size. > > You guys need to control your deaggreates, I'm announcing 264114 to > customers currently. :) I don't get it. Peace... Sridhar From gustavo at acmesecurity.org Fri Oct 10 23:37:45 2008 From: gustavo at acmesecurity.org (Gustavo Rodrigues Ramos) Date: Sat, 11 Oct 2008 00:37:45 -0300 Subject: [c-nsp] Internet Routing Table Size In-Reply-To: <48F01A5C.2060905@gmail.com> References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> <20081010195504.GA19732@puck.nether.net> <20081010212627.GT72019@gerbil.cluepon.net> <48F01A5C.2060905@gmail.com> Message-ID: <73d1f88a0810102037g5893d89di3cbbec664cb31613@mail.gmail.com> On Sat, Oct 11, 2008 at 12:15 AM, Sridhar Ayengar wrote: > Richard A Steenbergen wrote: >> >> You guys need to control your deaggreates, I'm announcing 264114 to >> customers currently. :) > > I don't get it. > I think Richard mean that instead of announcing four /22 prefixes, you can announce just one /20 with no big issues. And if you apply that idea throughout the 270k prefixes, you should get a smaller table. In theory, with maximum aggregation we should see only ~ 130 k prefixes :-). Gustavo. 
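Gustavo's point about collapsing four /22s into one /20, and the "Prefixes after maximum aggregation" and "Deaggregation factor" lines of the weekly APNIC report forwarded further down the thread, can be reproduced on a small scale. The block below is an added example and is not part of the thread or of the report's own tooling. It groups constructed announcements by origin AS and collapses adjacent and covered prefixes with Python's ipaddress module; grouping by origin only is a simplification of the report's method, which also takes AS paths into account. The prefixes are from the RFC 2544 benchmark range and the ASNs from the documentation range, so nothing here is a real announcement.

```python
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed announcements as (prefix, origin AS); not taken from the report above.
ANNOUNCEMENTS = [
    ("198.18.0.0/22", 64496), ("198.18.4.0/22", 64496),
    ("198.18.8.0/22", 64496), ("198.18.12.0/22", 64496),   # four /22s == one /20
    ("198.18.16.0/21", 64497), ("198.18.24.0/21", 64497),  # two /21s == one /20
    ("198.19.0.0/24", 64498), ("198.19.2.0/24", 64498),    # hole at 198.19.1.0/24: cannot merge
    ("198.19.64.0/20", 64499), ("198.19.64.0/24", 64499),  # more-specific inside its own aggregate
]


def aggregate_by_origin(announcements) -> Dict[int, List[ipaddress.IPv4Network]]:
    """Collapse each origin AS's prefixes as far as they will go.

    collapse_addresses merges adjacent, aligned prefixes into their supernet and
    drops any prefix already covered by another in the same set. Prefixes from
    different origins are never merged: an aggregate must have one origin."""
    by_origin = defaultdict(list)
    for prefix, asn in announcements:
        by_origin[asn].append(ipaddress.ip_network(prefix))
    return {asn: list(ipaddress.collapse_addresses(nets)) for asn, nets in by_origin.items()}


def deaggregation_factor(announcements) -> Tuple[int, int, float]:
    """Return (prefixes examined, prefixes after maximum aggregation, ratio),
    the three figures the weekly report prints at the top of its summary."""
    aggregates = sum(len(nets) for nets in aggregate_by_origin(announcements).values())
    total = len(announcements)
    return total, aggregates, round(total / aggregates, 2)


if __name__ == "__main__":
    for asn, nets in sorted(aggregate_by_origin(ANNOUNCEMENTS).items()):
        print(f"AS{asn}: {', '.join(map(str, nets))}")
    total, aggregates, factor = deaggregation_factor(ANNOUNCEMENTS)
    print(f"prefixes {total}, after aggregation {aggregates}, deaggregation factor {factor}")
```

The 198.19.64.0/24 case is the one to read carefully: it disappears under "maximum aggregation" because its covering /20 is already announced, yet an operator may be announcing it deliberately for traffic engineering. The factor measures how much smaller the table could be, not how much of the deaggregation is unintentional.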
From bandhani at gmail.com Sat Oct 11 00:36:32 2008
From: bandhani at gmail.com (Farhan Jaffer)
Date: Sat, 11 Oct 2008 09:36:32 +0500
Subject: [c-nsp] Fwd: Internet Routing Table Size
Message-ID: <11b0f2da0810102136lc3251ckbcfd5c7a77e6581c@mail.gmail.com>

You can register yourself for weekly routing table.

-FJ

---------- Forwarded message ----------
From: Routing Analysis Role Account
Date: Fri, Oct 10, 2008 at 11:09 PM
Subject: [SANOG] Weekly Routing Table Report
To: apops at apops.net, nanog at nanog.org, routing-wg at ripe.net, afnog at afnog.org, ausnog at ausnog.net, sanog at sanog.org

This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-stats at lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 11 Oct, 2008

Report Website:     http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                           270790
Prefixes after maximum aggregation:                           130670
Deaggregation factor:                                           2.07
Unique aggregates announced to Internet:                      131713
Total ASes present in the Internet Routing Table:              29477
Prefixes per ASN:                                               9.19
Origin-only ASes present in the Internet Routing Table:        25621
Origin ASes announcing only one prefix:                        12506
Transit ASes present in the Internet Routing Table:             3856
Transit-only ASes present in the Internet Routing Table:          82
Average AS path length visible in the Internet Routing Table:    3.6
Max AS path length visible:                                       18
Max AS path prepend of ASN ( 3816)                                15
Prefixes from unregistered ASNs in the Routing Table:            569
Unregistered ASNs in the Routing Table:                          208
Number of 32-bit ASNs allocated by the RIRs:                      61
Prefixes from 32-bit ASNs in the Routing Table:                   10
Special use prefixes present in the Routing Table:                 0
Prefixes being announced from unallocated address space:         755
Number of addresses announced to Internet:                1911844672
Equivalent to 113 /8s, 244 /16s and 111 /24s
Percentage of available address space announced:                51.6
Percentage of allocated address space announced:                62.6
Percentage of available address space allocated:                82.3
Percentage of address space in use by end-sites:                73.7
Total number of prefixes smaller than registry allocations:   132945

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                 62393
Total APNIC prefixes after maximum aggregation:                23186
APNIC Deaggregation factor:                                     2.69
Prefixes being announced from the APNIC address blocks:        59270
Unique aggregates announced from the APNIC address blocks:     26697
APNIC Region origin ASes present in the Internet Routing Table: 3402
APNIC Prefixes per ASN:                                        17.42
APNIC Region origin ASes announcing only one prefix:             903
APNIC Region transit ASes present in the Internet Routing Table: 543
Average APNIC Region AS path length visible:                     3.5
Max APNIC Region AS path length visible:                          17
Number of APNIC addresses announced to Internet:           378110880
Equivalent to 22 /8s, 137 /16s and 131 /24s
Percentage of available APNIC address space announced:          80.5

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
APNIC Address Blocks   58/8, 59/8, 60/8, 61/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                 123078
Total ARIN prefixes after maximum aggregation:                 64823
ARIN Deaggregation factor:                                      1.90
Prefixes being announced from the ARIN address blocks:         92344
Unique aggregates announced from the ARIN address blocks:      35062
ARIN Region origin ASes present in the Internet Routing Table: 12519
ARIN Prefixes per ASN:                                          7.38
ARIN Region origin ASes announcing only one prefix:             4856
ARIN Region transit ASes present in the Internet Routing Table: 1197
Average ARIN Region AS path length visible:                      3.3
Max ARIN Region AS path length visible:                           16
Number of ARIN addresses announced to Internet:            365498400
Equivalent to 21 /8s, 201 /16s and 16 /24s
Percentage of available ARIN address space announced:           75.1

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
                       3354-4607, 4865-5119, 5632-6655, 6912-7466
                       7723-8191, 10240-12287, 13312-15359, 16384-17407
                       18432-20479, 21504-23551, 25600-26591,
                       26624-27647, 29696-30719, 31744-33791
                       35840-36863, 39936-40959, 46080-47103
ARIN Address Blocks    24/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 173/8, 174/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 216/8,

RIPE Region Analysis Summary
----------------------------

Prefixes being announced by RIPE Region ASes:                  58965
Total RIPE prefixes after maximum aggregation:                 35511
RIPE Deaggregation factor:                                      1.66
Prefixes being announced from the RIPE address blocks:         54163
Unique aggregates announced from the RIPE address blocks:      36250
RIPE Region origin ASes present in the Internet Routing Table: 12011
RIPE Prefixes per ASN:                                          4.51
RIPE Region origin ASes announcing only one prefix:             6332
RIPE Region transit ASes present in the Internet Routing Table: 1842
Average RIPE Region AS path length visible:                      4.0
Max RIPE Region AS path length visible:                           18
Number of RIPE addresses announced to Internet:            375037856
Equivalent to 22 /8s, 90 /16s and 159 /24s
Percentage of available RIPE address space announced:           86.0

RIPE AS Blocks         1877-1901, 2043, 2047, 2107-2136, 2585-2614
(pre-ERX allocations)  2773-2822, 2830-2879, 3154-3353, 5377-5631
                       6656-6911, 8192-9215, 12288-13311, 15360-16383
                       20480-21503, 24576-25599, 28672-29695
                       30720-31743, 33792-35839, 38912-39935
                       40960-45055, 47104-49151
RIPE Address Blocks    62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8,

LACNIC Region Analysis Summary
------------------------------

Prefixes being announced by LACNIC Region ASes:                21825
Total LACNIC prefixes after maximum aggregation:                5399
LACNIC Deaggregation factor:                                    4.04
Prefixes being announced from the LACNIC address blocks:       19874
Unique aggregates announced from the LACNIC address blocks:    11074
LACNIC Region origin ASes present in the Internet Routing Table: 1010
LACNIC Prefixes per ASN:                                       19.68
LACNIC Region origin ASes announcing only one prefix:            332
LACNIC Region transit ASes present in the Internet Routing Table: 170
Average LACNIC Region AS path length visible:                    4.0
Max LACNIC Region AS path length visible:                         18
Number of LACNIC addresses announced to Internet:           57342720
Equivalent to 3 /8s, 106 /16s and 251 /24s
Percentage of available LACNIC address space announced:         57.0

LACNIC AS Blocks       26592-26623, 27648-28671, plus ERX transfers
LACNIC Address Blocks  186/8, 187/8, 189/8, 190/8, 200/8, 201/8,

AfriNIC Region Analysis Summary
-------------------------------

Prefixes being announced by AfriNIC Region ASes:                3963
Total AfriNIC prefixes after maximum aggregation:               1310
AfriNIC Deaggregation factor:                                   3.03
Prefixes being announced from the AfriNIC address blocks:       4229
Unique aggregates announced from the AfriNIC address blocks:    2056
AfriNIC Region origin ASes present in the Internet Routing Table: 261
AfriNIC Prefixes per ASN:                                      16.20
AfriNIC Region origin ASes announcing only one prefix:            83
AfriNIC Region transit ASes present in the Internet Routing Table: 56
Average AfriNIC Region AS path length visible:                   3.9
Max AfriNIC Region AS path length visible:                        14
Number of AfriNIC addresses announced to Internet:          12835328
Equivalent to 0 /8s, 195 /16s and 218 /24s
Percentage of available AfriNIC address space announced:        38.3

AfriNIC AS Blocks      36864-37887 & ERX transfers
AfriNIC Address Blocks 41/8, 196/8,

APNIC Region per AS prefix count summary
----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
4755         1476        522     197  TATA Communications formerly
17488        1420         96     103  Hathway IP Over Cable Interne
9583         1108         87     476  Sify Limited
4766          885       6407     362  Korea Telecom (KIX)
4134          843      13664     346  CHINANET-BACKBONE
23577         811         34     694  Korea Telecom (ATM-MPLS)
18101         781        167      26  Reliance Infocom Ltd Internet
4780          716        355      61  Digital United Inc.
9498          686        295      54  BHARTI BT INTERNET LTD.
4808          627       1164     142  CNCGROUP IP network: China169

Complete listing at http://thyme.apnic.net/current/data-ASnet-APNIC

ARIN Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         4296       3416     339  bellsouth.net, inc.
209          2938       4033     621  Qwest
6298         2011        319     711  Cox Communicatons
20115        1878       1424     715  Charter Communications
1785         1670        717     154  PaeTec Communications, Inc.
2386         1558        699     896  AT&T Data Communications Serv
4323         1553       1084     376  Time Warner Telecom
7018         1410       5859     988  AT&T WorldNet Services
6478         1312        273     197  AT&T Worldnet Services
11492        1216        152      11  Cable One

Complete listing at http://thyme.apnic.net/current/data-ASnet-ARIN

RIPE Region per AS prefix count summary
---------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
3292          435       1777     384  TDC Tele Danmark
30890         348         94     188  SC Kappa Invexim SRL
3215          328       2756     107  France Telecom Transpac
3301          328       1428     299  TeliaNet Sweden
3320          325       7063     274  Deutsche Telekom AG
8866          324         79      22  Bulgarian Telecommunication C
8452          308        188      11  TEDATA
5462          301        794      27  Telewest Broadband
8551          287        270      37  Bezeq International
680           275       2047     265  DFN-IP service G-WiN

Complete listing at http://thyme.apnic.net/current/data-ASnet-RIPE

LACNIC Region per AS prefix count summary
-----------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
8151         1419       2849     219  UniNet S.A. de C.V.
11830         669        299       9  Instituto Costarricense de El
22047         564        270      14  VTR PUNTO NET S.A.
10620         504        122      61  TVCABLE BOGOTA
7303          490        241      69  Telecom Argentina Stet-France
16814         426         27      10  NSS, S.A.
6471          420         85      49  ENTEL CHILE S.A.
11172         407        118      71  Servicios Alestra S.A de C.V
28573         372        460      23  NET Servicos de Comunicao S.A
14117         343         23       9  Telefonica del Sur S.A.

Complete listing at http://thyme.apnic.net/current/data-ASnet-LACNIC

AfriNIC Region per AS prefix count summary
------------------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
24863         543         71      39  LINKdotNET AS number
3741          267        856     225  The Internet Solution
2018          235        215     139  Tertiary Education Network
20858         194         34       3  EgyNet
6713          143        135      11  Itissalat Al-MAGHRIB
33783         137         10      13  EEPAD TISP TELECOM & INTERNET
5536          120          8      17  Internet Egypt Network
5713          119        555      69  Telkom SA Ltd
33776         116          6       3  Starcomms Nigeria Limited
29571         109         13       9  Ci Telecom Autonomous system

Complete listing at http://thyme.apnic.net/current/data-ASnet-AFRINIC

Global Per AS prefix count summary
----------------------------------

ASN    No of nets  /20 equiv  MaxAgg  Description
6389         4296       3416     339  bellsouth.net, inc.
209          2938       4033     621  Qwest
6298         2011        319     711  Cox Communicatons
20115        1878       1424     715  Charter Communications
1785         1670        717     154  PaeTec Communications, Inc.
2386         1558        699     896  AT&T Data Communications Serv
4323         1553       1084     376  Time Warner Telecom
4755         1476        522     197  TATA Communications formerly
17488        1420         96     103  Hathway IP Over Cable Interne
8151         1419       2849     219  UniNet S.A. de C.V.

Complete listing at http://thyme.apnic.net/current/data-ASnet

Global Per AS Maximum Aggr summary
----------------------------------

ASN    No of nets  Net Savings  Description
209          2938         2317  Qwest
1785         1670         1516  PaeTec Communications, Inc.
17488        1420         1317  Hathway IP Over Cable Interne
6298         2011         1300  Cox Communicatons
4755         1476         1279  TATA Communications formerly
11492        1216         1205  Cable One
8151         1419         1200  UniNet S.A. de C.V.
4323         1553         1177  Time Warner Telecom
20115        1878         1163  Charter Communications
6478         1312         1115  AT&T Worldnet Services

Complete listing at http://thyme.apnic.net/current/data-CIDRnet

List of Unregistered Origin ASNs (Global)
-----------------------------------------

Bad AS  Designation  Network          Transit AS  Description
16927   UNALLOCATED  12.0.252.0/23          7018  AT&T WorldNet Servic
22492   UNALLOCATED  12.2.46.0/24           7018  AT&T WorldNet Servic
15132   UNALLOCATED  12.9.150.0/24          7018  AT&T WorldNet Servic
32567   UNALLOCATED  12.14.170.0/24         7018  AT&T WorldNet Servic
13746   UNALLOCATED  12.24.56.0/24          7018  AT&T WorldNet Servic
32567   UNALLOCATED  12.25.107.0/24         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.152.0/24         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.154.0/23         7018  AT&T WorldNet Servic
26973   UNALLOCATED  12.39.159.0/24         7018  AT&T WorldNet Servic
32326   UNALLOCATED  12.40.49.0/24          3549  Global Crossing

Complete listing at http://thyme.apnic.net/current/data-badAS

Advertised Unallocated Addresses
--------------------------------

Network            Origin AS  Description
24.75.116.0/22         10796  ServiceCo LLC - Road Runner
24.142.40.0/21          7018  AT&T WorldNet Services
24.142.160.0/19         7018  AT&T WorldNet Services
24.246.0.0/17           7018  AT&T WorldNet Services
24.246.128.0/18         7018  AT&T WorldNet Services
62.61.220.0/24         24974  Tachyon Europe BV - Wireless
62.61.221.0/24         24974  Tachyon Europe BV - Wireless
63.140.213.0/24        22555  Universal Talkware Corporatio
63.143.71.0/24           701  UUNET Technologies, Inc.
63.143.115.0/24          701  UUNET Technologies, Inc.
Complete listing at http://thyme.apnic.net/current/data-add-IANA

Number of prefixes announced per prefix length (Global)
-------------------------------------------------------

/1:0      /2:0      /3:0      /4:0      /5:0      /6:0      /7:0      /8:18
/9:9      /10:17    /11:46    /12:148   /13:297   /14:536   /15:1063  /16:10150
/17:4411  /18:7643  /19:16360 /20:19220 /21:18775 /22:23634 /23:24603 /24:141184
/25:820   /26:989   /27:763   /28:87    /29:9     /30:1     /31:0     /32:7

Advertised prefixes smaller than registry allocations
-----------------------------------------------------

ASN    No of nets  Total ann.  Description
6389         2843        4296  bellsouth.net, inc.
6298         1985        2011  Cox Communicatons
209          1696        2938  Qwest
2386         1238        1558  AT&T Data Communications Serv
17488        1213        1420  Hathway IP Over Cable Interne
11492        1192        1216  Cable One
1785         1131        1670  PaeTec Communications, Inc.
6478         1098        1312  AT&T Worldnet Services
18566        1043        1062  Covad Communications
20115         987        1878  Charter Communications

Complete listing at http://thyme.apnic.net/current/data/sXXas-nos

Number of /24s announced per /8 block (Global)
----------------------------------------------

4:8       8:140     12:2182   13:2      15:22     16:3      17:5      18:13
20:35     24:1135   31:1      32:58     38:508    40:92     41:710    43:1
44:2      47:12     52:3      55:3      56:3      57:26     58:517    59:527
60:452    61:980    62:1098   63:2032   64:3227   65:2407   66:3518   67:1277
68:802    69:2320   70:861    71:275    72:2030   73:7      74:1239   75:188
76:275    77:816    78:843    79:266    80:907    81:871    82:600    83:392
84:553    85:1008   86:400    87:708    88:340    89:1376   90:22     91:1582
92:274    93:895    94:235    95:3      96:79     97:97     98:340    99:8
113:10    114:95    115:118   116:1007  117:374   118:237   119:517   120:93
121:599   122:855   123:440   124:867   125:1193  128:356   129:204   130:135
131:415   132:72    133:9     134:184   135:32    136:223   137:97    138:143
139:81    140:509   141:108   142:403   143:301   144:327   145:50    146:373
147:156   148:529   149:211   150:128   151:181   152:148   153:136   154:10
155:282   156:174   157:301   158:170   159:304   160:275   161:138   162:255
163:133   164:519   165:510   166:364   167:337   168:637   169:143   170:450
171:33    172:10    173:50    187:16    188:1     189:325   190:2299
192:5750  193:4130  194:3243  195:2584  196:1009  198:3740  199:3294  200:5553
201:1422  202:7771  203:8077  204:3923  205:2143  206:2341  207:2757  208:3666
209:3433  210:2564  211:1100  212:1482  213:1544  214:169   215:50    216:4393
217:1237  218:346   219:440   220:1054  221:416   222:290

End of report

--
This is the SANOG (http://www.sanog.org/) mailing list.


From lowen at pari.edu Sat Oct 11 11:52:41 2008
From: lowen at pari.edu (Lamar Owen)
Date: Sat, 11 Oct 2008 11:52:41 -0400
Subject: [c-nsp] Routing Table Size delivered to you....
In-Reply-To: <8CA2574DC40A4FE99E3D0FFF46283947@Antares>
References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com>
Message-ID: <200810111152.41596.lowen@pari.edu>

On Friday 10 October 2008 17:01:57 Richard Golodner wrote:
> I forgot how, but there exists a weekly digest of the table sizes
> that you can have emailed to you, or you can look at cidr or apnic too. If
> anybody remembers the link to the weekly digest please post it so others
> who may be interested can obtain it as well.

It's e-mailed to the NANOG list weekly, along with lots of other
operational content.... :-)

See http://www.nanog.org/mailinglist/howtojoin/


From mustafa.golam at gmail.com Sat Oct 11 12:04:07 2008
From: mustafa.golam at gmail.com (Mustafa Golam -)
Date: Sat, 11 Oct 2008 22:04:07 +0600
Subject: [c-nsp] What is the Entry Limit in the ACL or of ACL?
Message-ID:

I'm just wondering whether there is any entry limit for an ACL, i.e. the
number of entries in an ACL, and also the maximum number of ACLs that can
be configured on Cisco gear.

Googling through QPG/univercd/cisco site was not fruitful.
Any good links?

--
Mustafa Golam
Fedora Ambassador, Bangladesh
RHCE, CC{D,I,N,V..}P, CCIE(..)
http://fedoraproject.org/wiki/MustafaGolam
http://mustafa.golam.googlepages.com/home
"Winners never quit------Quitters never win"


From vinny at tellurian.com Sat Oct 11 15:18:30 2008
From: vinny at tellurian.com (Vinny Abello)
Date: Sat, 11 Oct 2008 15:18:30 -0400
Subject: [c-nsp] Cisco 877 DSL Sync issue
In-Reply-To: <7383823e0810091358u4236f5adwf4cc5112f72dba12@mail.gmail.com>
References: <7383823e0810091358u4236f5adwf4cc5112f72dba12@mail.gmail.com>
Message-ID: <15CEC87F00BB7B4CA0E904C5FCF0564633800E56@exchangenj1>

The 877 is for ADSL. Last I knew, I thought Covad's DSLAMs only did SDSL.
What Netopia model does it work with? I can confirm if the 877 is
incompatible if you let me know what does work with it.

-Vinny

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of d lists
> Sent: Thursday, October 09, 2008 4:58 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Cisco 877 DSL Sync issue
>
> Anyone have any experience getting the Cisco 877 to (not) sync with a
> Covad DSL circuit? I've tried the built-in firmware in 12.4(15)Tx, along
> with several versions of the external firmware (3.0.10, 3.0.33, 2.6.4).
> I've tried hard setting the DSL mode, along with trying a different router
> and no luck. DSL will not sync up with the Cisco. I've tried a Netopia &
> Siemens and things sync up no problem.
> I'm in the process of opening a TAC case & gathering whatever information
> I'll need from Covad (DSLAM type, firmware, port settings etc.), but
> figured I'd ping the list to see if anyone else has run into this while
> I wait.
> Thanks!
>
> -dlists
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From furry13 at gmail.com Sat Oct 11 17:19:06 2008
From: furry13 at gmail.com (Jen Linkova)
Date: Sun, 12 Oct 2008 01:19:06 +0400
Subject: [c-nsp] grep route from many routes and ASA redundant
In-Reply-To:
References:
Message-ID: <6b86f99d0810111419j15a9abc0k50ee899d0210e25a@mail.gmail.com>

Hi!

On Fri, Oct 10, 2008 at 6:22 PM, kcc wrote:
> Hi all
>
> how can I only check some routes from many routes in command lines
>
> eg: sh ip routes |grep 192.168.3.0/24
>
> and Can I have doc / website to know about ASA redundant setup

Sure you can ;-)

http://www.cisco.com
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml

Hope it helps..

--
SY, Jen Linkova
aka Furry


From ploopster at gmail.com Sat Oct 11 18:39:56 2008
From: ploopster at gmail.com (Sridhar Ayengar)
Date: Sat, 11 Oct 2008 18:39:56 -0400
Subject: [c-nsp] Cisco 877 DSL Sync issue
In-Reply-To: <15CEC87F00BB7B4CA0E904C5FCF0564633800E56@exchangenj1>
References: <7383823e0810091358u4236f5adwf4cc5112f72dba12@mail.gmail.com> <15CEC87F00BB7B4CA0E904C5FCF0564633800E56@exchangenj1>
Message-ID: <48F12B3C.1000308@gmail.com>

Vinny Abello wrote:
> The 877 is for ADSL. Last I knew, I thought Covad's DSLAMs only did
> SDSL. What Netopia model does it work with? I can confirm if the 877
> is incompatible if you let me know what does work with it.

I have had ADSL service from Covad in the past.

Peace...
Sridhar


From p.mayers at imperial.ac.uk Sun Oct 12 06:41:40 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Sun, 12 Oct 2008 11:41:40 +0100
Subject: [c-nsp] What is the Entry Limit in the ACL or of ACL?
In-Reply-To:
References:
Message-ID: <48F1D464.2090402@imperial.ac.uk>

Mustafa Golam - wrote:
> I'm just wondering to know if there is any entry limit for ACL i.e.
> number of entry in a ACL and also number of maximum ACL
> that can be configured in cisco gears.
>
> Googling through QPG/univercd/cisco site was not fruitful.
> Any good links?

It's platform specific. What platform are you asking about?


From danletkeman at gmail.com Sun Oct 12 11:18:58 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Sun, 12 Oct 2008 10:18:58 -0500
Subject: [c-nsp] 1131ag vs 521
Message-ID:

Hello,

I'm wondering what the main differences between an 1131ag access point
and a 521 express access point are? I know the 1131ag has a 5ghz card in
it and supports telnet. Are there any other differences between the two?
I'm interested in buying about 15-20 access points for one building.

Thanks,
Dan.


From strandloof at bredband.net Sun Oct 12 12:02:18 2008
From: strandloof at bredband.net (Johan Strandlööf)
Date: Sun, 12 Oct 2008 18:02:18 +0200
Subject: [c-nsp] 1131ag vs 521
In-Reply-To: dcbb85870810120818r58ff2e4bn2117e262323037bc@mail.gmail.com
Message-ID: <20081012160218.464e32ab@strandloof.zapto.org>

A key point would be:

"Q. How many access points can a single controller manage?
A. A single controller can manage up to 6 Cisco 521 Wireless Express
Access Points. A second controller can be added to the network to support
redundancy or to increase capacity, meaning that any given SMB network
built with the Cisco Mobility Express Solution can support up to 12 access
points."
Brgds
/Johan

----- Original Message -----
From: Dan Letkeman [mailto:danletkeman at gmail.com]
To: cisco-nsp at puck.nether.net
Sent: Sun, 12 Oct 2008 17:18:58 +0200
Subject: [c-nsp] 1131ag vs 521

> Hello,
>
> I'm wondering what the main differences between an 1131ag access point
> and a 521 express access point is? I know the 1131ag has a 5ghz card
> in it and supports telnet. Are there any other differences between
> the two? I'm interested in buying about 15-20 access points for one
> building.
>
> Thanks,
> Dan.
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>


From peterkcc2001 at gmail.com Sun Oct 12 17:44:35 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Sun, 12 Oct 2008 14:44:35 -0700
Subject: [c-nsp] catalyst 3500xl
Message-ID:

Hi all

Thank you so much for your help

Now I have a trade-in catalyst 3500xl

how can I check this catalyst is working properly?

I also use sh ip ?
it is only showing the following without bgp / rip
Is it just layer2?

Switch#sh ip ?
  access-lists  List IP access lists
  accounting    The active IP accounting database
  aliases       IP alias table
  arp           IP ARP table
  igmp          IGMP information
  interface     IP interface status and configuration
  local         IP local options
  nat           IP NAT information
  redirects     IP redirects
  sockets       Open IP sockets
  traffic       IP protocol statistics
  |             Output modifiers

thanks
Peter


From mksmith at adhost.com Sun Oct 12 18:16:59 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Sun, 12 Oct 2008 15:16:59 -0700
Subject: [c-nsp] catalyst 3500xl
In-Reply-To:
Message-ID:

Hello Peter:

On 10/12/08 2:44 PM, "kcc" wrote:

> Hi all
>
> Thank you so much for your help
>
> Now I have a trade-in catalyst 3500xl
>
> how can I check this catalyst is working properly?
>
> I also use sh ip ?
> it is only showing the following without bgp / rip
> Is it just layer2?
>

Yes, the 3500 XL is L2 only.
Regards,

Mike


From adriankok2000 at yahoo.com.hk Sun Oct 12 19:04:07 2008
From: adriankok2000 at yahoo.com.hk (adrian kok)
Date: Mon, 13 Oct 2008 07:04:07 +0800 (CST)
Subject: [c-nsp] write mem vs copy run start
Message-ID: <948194.23329.qm@web33304.mail.mud.yahoo.com>

Hi

Can I know what is the difference between write mem and copy run start

Thank you for your help

Send instant messages to your online friends http://uk.messenger.yahoo.com


From zeusdadog at gmail.com Sun Oct 12 20:25:48 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Sun, 12 Oct 2008 20:25:48 -0400
Subject: [c-nsp] DS3 problem on PA-T3
In-Reply-To: <1222905301_535397@mail1.tellurian.net>
References: <9418aca70810010718j69c6a0ecj5acfe8122a6b80d1@mail.gmail.com> <1222871511_521431@mail1.tellurian.net> <9418aca70810010856o2ba4a160w149b707041cdcf68@mail.gmail.com> <1222905301_535397@mail1.tellurian.net>
Message-ID: <9418aca70810121725v29d5daa7j6d90025e5b52671e@mail.gmail.com>

Just an update, I installed a 10db attenuator and the errors have gone away.
Thank you all for the suggestion!

On Wed, Oct 1, 2008 at 7:54 PM, Robert Boyle wrote:
> At 11:56 AM 10/1/2008, Jay Nakamura wrote:
>
>> It looks like Opti-3 have "Long" and "Short" option for LBO on the DS3
>> interface. I am going to make sure Verizon set it to short since the coax
>> is only about 15' long.
>
> Even with short LBO, we still need the attenuators sometimes. Look for LCV
> errors.
>
>> I don't have any attenuators handy to try that out. I did however,
>> changed the DSU mode to Kentrox and errors have gone away for the last
>> hour. I didn't think that really mattered if you were doing full DS3.
>
> It does matter. Verizon does have a lot of ADC/Kentrox DSUs connecting via
> HSSI to their old frame relay switches in their COs. Be careful of a nasty
> bug we found which will hang the router on boot if all of the following are
> true:
>
> 1. You have a PA-T3 or PA-2T3
> 2. You have dsu mode 2? (Kentrox mode whatever that is - I don't have time
> to look at the config at the moment)
> 3. A T3 is connected (unplug the T3 RECV and it will boot fine)
> 4. You reboot (soft or hard)
>
> The router will hang right after it lists the RAM during the POST. The
> problem is with the microcode initialization for the DS3 chip when using
> Kentrox mode and only if there is carrier detected. They finally fixed this,
> but it is late in the 12.3 train and I don't think they backported it to
> 12.2. This is a nasty surprise when you reboot the router at a remote POP at
> 3AM. Just test for this and if you have the bug, let me know and I'll track
> down the bug ID in my archives. This problem was reproducible on any 72XX
> router with any PA-T3 or PA-2T3(+) card.
>
> -Robert
>
>
>
>
> Tellurian Networks - Global Hosting Solutions Since 1995
> http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
> "Well done is better than well said." - Benjamin Franklin
>
>


From matt at iseek.com.au Sun Oct 12 21:01:25 2008
From: matt at iseek.com.au (Matt Carter)
Date: Mon, 13 Oct 2008 11:01:25 +1000
Subject: [c-nsp] Internet Routing Table Size
In-Reply-To: <200810110401.00587.mtinka@globaltransit.net>
References: <1E79A7919A9B16468E407A8DEAB65A4306666665@METROEVS3.ac.lp.acml.com> <200810110401.00587.mtinka@globaltransit.net>
Message-ID: <7FEDD455961B164D8C4EEA60E22914205B78D57067@EXCHANGE1.intranet.iseek.com.au>

maybe also of interest to those that aren't aware

http://bgp.potaroo.net/

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of Mark Tinka
> Sent: Saturday, 11 October 2008 6:01 AM
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Internet Routing Table Size
>
> On Saturday 11 October 2008 03:49:30 Uddin, Tahir wrote:
>
> > Does anyone have a rough idea on the current internet routing table
> > size. I see about 115K prefixes from one of my providers.
>
> I'd suggest keeping a weekly eye on:
>
> http://www.cidr-report.org/as2.0/#General_Status
> http://thyme.apnic.net/current/data-summary
>
> We are seeing an average of about 265,000 routes (south east Asia).
>
> Cheers,
>
> Mark.


From mtinka at globaltransit.net Sun Oct 12 22:13:37 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Mon, 13 Oct 2008 10:13:37 +0800
Subject: [c-nsp] write mem vs copy run start
In-Reply-To: <948194.23329.qm@web33304.mail.mud.yahoo.com>
References: <948194.23329.qm@web33304.mail.mud.yahoo.com>
Message-ID: <200810131013.37801.mtinka@globaltransit.net>

On Monday 13 October 2008 07:04:07 adrian kok wrote:

> Can I know what is the difference between write mem and
> copy run start

One is the old format (write memory), while the other is the new format
(copy run start).

I prefer to use the newer one, others prefer the older one. Both do the
same thing. Choose your poison.

I would, however, encourage you to use the new one if it's not too much
trouble. By having both, I'm not sure whether Cisco will phase 'write
memory' out (that'd probably cause more harm than good, in the short term
at least). What I do know is that Cisco will test for the 'copy' command
in their exams instead.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL:


From jimmy at pacnet.net Sun Oct 12 23:01:34 2008
From: jimmy at pacnet.net (Jimmy Halim)
Date: Mon, 13 Oct 2008 11:01:34 +0800
Subject: [c-nsp] %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"
Message-ID: <007801c92ce0$0084f620$6605820a@asianetcom.com>

Hi guys,

I am encountering crashes on a Cisco 2811 router running IOS version
12.4(18b) with the following errors:

%SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"

I have checked from the website that it is probably due to Cisco Bug
CSCed28542, which doesn't have a workaround except upgrade.
However I notice that 12.4(18b) is not inside the affected list.

Do you guys have any comment on this? Any idea on the workaround?

Many Thanks,
Jimmy


From rgallagh at cisco.com Sun Oct 12 23:19:27 2008
From: rgallagh at cisco.com (Richard Gallagher)
Date: Mon, 13 Oct 2008 14:19:27 +1100
Subject: [c-nsp] %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"
In-Reply-To: <007801c92ce0$0084f620$6605820a@asianetcom.com>
References: <007801c92ce0$0084f620$6605820a@asianetcom.com>
Message-ID: <623066C6-B2CA-43B5-BF22-0583BFA60045@cisco.com>

Looks like you're actually hitting CSCso19662, this is fixed in 12.4(18c).
There is no workaround though.

Rich

On 13/10/2008, at 2:01 PM, Jimmy Halim wrote:

> Hi guys,
>
> I am encountering crashes on Cisco 2811 router running IOS version
> 12.4(18b)
> with the following errors:
>
> %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"
>
> I have checked from website that it is probably due to Cisco Bug
> CSCed28542
> which doesn't have workaround except upgrade.
> However I notice that 12.4(18b) is not inside the affected list.
>
> Do you guys have any comment on this? Any idea on the workaround?
>
> Many Thanks,
> Jimmy
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From jimmy at pacnet.net Sun Oct 12 23:38:25 2008
From: jimmy at pacnet.net (Jimmy Halim)
Date: Mon, 13 Oct 2008 11:38:25 +0800
Subject: [c-nsp] %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"
In-Reply-To: <623066C6-B2CA-43B5-BF22-0583BFA60045@cisco.com>
References: <007801c92ce0$0084f620$6605820a@asianetcom.com> <623066C6-B2CA-43B5-BF22-0583BFA60045@cisco.com>
Message-ID: <008001c92ce5$26906520$6605820a@asianetcom.com>

Hi Richard,

Thanks for your great info. Let me check on it. Probably need to upgrade
IOS to 18c :(

Cheers,
Jimmy

-----Original Message-----
From: Richard Gallagher [mailto:rgallagh at cisco.com]
Sent: Monday, October 13, 2008 11:19 AM
To: Jimmy Halim
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"

Looks like you're actually hitting CSCso19662, this is fixed in 12.4(18c)
There is no workaround though.

Rich

On 13/10/2008, at 2:01 PM, Jimmy Halim wrote:

> Hi guys,
>
> I am encountering crashes on Cisco 2811 router running IOS version
> 12.4(18b)
> with the following errors:
>
> %SYS-2-INTSCHED: 'suspend' at level 3 -Process= "IP NAT Ager"
>
> I have checked from website that it is probably due to Cisco Bug
> CSCed28542
> which doesn't have workaround except upgrade.
> However I notice that 12.4(18b) is not inside the affected list.
>
> Do you guys have any comment on this? Any idea on the workaround?
>
> Many Thanks,
> Jimmy
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/


From gert at greenie.muc.de Mon Oct 13 02:21:00 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 13 Oct 2008 08:21:00 +0200
Subject: [c-nsp] write mem vs copy run start
In-Reply-To: <948194.23329.qm@web33304.mail.mud.yahoo.com>
References: <948194.23329.qm@web33304.mail.mud.yahoo.com>
Message-ID: <20081013062100.GC18780@greenie.muc.de>

Hi,

On Mon, Oct 13, 2008 at 07:04:07AM +0800, adrian kok wrote:
> Can I know what is the difference between write mem and
> copy run start

Lots of different letters being used.

Regarding actual effect: both commands do the very same thing.

"wr mem" is the "IOS 10.x style" command, while "copy X Y" is the grand
unified way of moving things that has been introduced later on.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:


From gert at greenie.muc.de Mon Oct 13 02:33:18 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 13 Oct 2008 08:33:18 +0200
Subject: [c-nsp] SXH3 ghost bugs - resolved
In-Reply-To: <20080924180137.GD6014@greenie.muc.de>
References: <48CFC183.4060401@bytemark.co.uk> <20080916165849.GA20288@greenie.muc.de> <20080918201316.GD20288@greenie.muc.de> <20080919003643.GB79009@puck.nether.net> <20080919165126.GA11635@greenie.muc.de> <1221845016.11349.15.camel@abehat> <20080920192953.GD7160@greenie.muc.de> <20080922130445.GB12859@rtp-cse-489.cisco.com> <20080923204638.GM24139@rtp-cse-489.cisco.com> <20080924180137.GD6014@greenie.muc.de>
Message-ID: <20081013063318.GD18780@greenie.muc.de>

Hi,

just to follow up on the "Ghost route" issue in SXH3.

The two relevant bug IDs are CSCsu03167 and CSCsu59917 (duplicate). It
affects IPv4 and IPv6.

The bug is fixed in SXH3a, which we have running since about 12 days, and
since then, we have not observed a single route getting "stuck" due to lack
of withdraw (= ghost).

So -> it's fixed for good.

Thanks to Rodney for providing insights and for helping to get the interim
rebuild out of the door.

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:


From gkg at gmx.de Mon Oct 13 03:02:56 2008
From: gkg at gmx.de (Garry)
Date: Mon, 13 Oct 2008 09:02:56 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <200809302350.01918.mtinka@globaltransit.net>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net>
Message-ID: <48F2F2A0.3020603@gmx.de>

Mark Tinka wrote:
> On Tuesday 30 September 2008 22:59:34 Dan Armstrong wrote:
>
>> In an "all iBGP" network - what do you do with customer's
>> that are using your address space? Do you redistribute
>> Connected (& static routes) on your access routers into
>> iBGP? I assume that's about all you can do, right?
>
> You can originate prefixes off the edge router in question
> via the 'network' statement. This is what we prefer to do.
>

Still trying to get this figured out ... take this setup e.g.:

ROUTER1 ---- ROUTER2 ------ Backbone

ROUTER2 would be an iBGP capable router, connecting a POP site to the
backbone. ROUTER1 would be a dial-in router that nowadays hooks into the
WAN-wide OSPF area 0 ... originating IPs from both a local IP pool as well
as static IPs and networks assigned for dial backups and the likes ...

ROUTER1 is not able to speak BGP of any kind, so the only choice that
remains is to keep up the OSPF to ROUTER2 ... But if I do that, I have all
the routes it announces back in the Backbone OSPF, which I want to only
carry the infrastructure IPs ...

I've already attempted to set up a second OSPF process in order to keep the
routes learned from one box out of the backbone area, but somehow I must be
missing something essential, as the router belonging to multiple areas
keeps mixing them together ...

So, any hint as to what I'm missing here? Or how I should go at it?
Worst case (though not really _that_ bad, as there are only a very limited number of routes/prefixes affected) would be that I just keep the OSPF-only stuff in my backbone Area0, while moving everything else into iBGP ... not a very clean/consistent setup, but it would work none the less ...

Tnx!

From scorpianbiz at hotmail.com Mon Oct 13 03:22:55 2008
From: scorpianbiz at hotmail.com (Muhammad Farooq)
Date: Mon, 13 Oct 2008 07:22:55 +0000
Subject: [c-nsp] (no subject)
Message-ID:

Hi,

we are having a packet drop issue due to rate limit on a FastEthernet interface of a 3845 router. We are using dot1q on that interface. If we remove the rate-limit, the packet drop issue is solved. Please note that with an increase in the rate limit, the packet drop interval also increases and it makes a pattern. Output of show interface is pasted below. The running IOS of the router is c3845-advipservicesk9-mz.123-14.T7.bin and interface utilization is not more than 35%.

interface FastEthernet3/0
 no ip address
 load-interval 30
 duplex full
 speed 100

sh interfaces fastEthernet 3/0
FastEthernet3/0 is up, line protocol is up
  Hardware is AmdFE, address is 001b.0c2a.1ba1 (bia 001b.0c2a.1ba1)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 81/255, rxload 23/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2975550
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 9021000 bits/sec, 3533 packets/sec
  30 second output rate 32156000 bits/sec, 4109 packets/sec
     1330094782 packets input, 2898978448 bytes
     Received 2829907 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     1708820647 packets output, 2432520678 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Please help me out to diagnose and fix this issue. Thanks in advance.

From scorpianbiz at hotmail.com Mon Oct 13 03:37:24 2008
From: scorpianbiz at hotmail.com (Muhammad Farooq)
Date: Mon, 13 Oct 2008 07:37:24 +0000
Subject: [c-nsp] packet drop due ti CAR (rate-limit)
Message-ID:

Hi,

we are having a packet drop issue due to rate limit on a FastEthernet interface of a 3845 router. We are using dot1q on that interface. If we remove the rate-limit, the packet drop issue is solved. Please note that with an increase in the rate limit, the packet drop interval also increases and it makes a pattern. Output of show interface is pasted below. The running IOS of the router is c3845-advipservicesk9-mz.123-14.T7.bin and interface utilization is not more than 35%.

interface FastEthernet3/0
 no ip address
 load-interval 30
 duplex full
 speed 100

sh interfaces fastEthernet 3/0
FastEthernet3/0 is up, line protocol is up
  Hardware is AmdFE, address is 001b.0c2a.1ba1 (bia 001b.0c2a.1ba1)
  MTU 1500 bytes, BW 100000 Kbit, DLY 100 usec,
     reliability 255/255, txload 81/255, rxload 23/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2975550
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  30 second input rate 9021000 bits/sec, 3533 packets/sec
  30 second output rate 32156000 bits/sec, 4109 packets/sec
     1330094782 packets input, 2898978448 bytes
     Received 2829907 broadcasts, 0 runts, 0 giants, 0 throttles
     1 input errors, 0 CRC, 0 frame, 1 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     1708820647 packets output, 2432520678 bytes, 0 underruns
     0 output errors, 0 collisions, 3 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out

Please help me out to diagnose and fix this issue. Thanks in advance.

From zivl at gilat.net Mon Oct 13 02:42:59 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Mon, 13 Oct 2008 08:42:59 +0200
Subject: [c-nsp] write mem vs copy run start
In-Reply-To: <20081013062100.GC18780@greenie.muc.de>
References: <948194.23329.qm@web33304.mail.mud.yahoo.com> <20081013062100.GC18780@greenie.muc.de>
Message-ID:

I use just "wr" for saving configuration, much shorter, and I'll keep using it until it stops doing what I need; the day Cisco makes this command obsolete I'll start using the longer ones...
Same case with "wr net", which I use to manually save configurations to a tftp server, for about 5 years now; every time I use this command I get this warning:

This command has been replaced by the command:
         'copy system:/running-config '

And I say, as long as this command is still available, why should I start using the new, longer one?
To the Cisco guys I'd say: if you want to stop supporting a certain command and want to move on to a new command format, why keep sticking the old commands in the new IOSes??? I know that you need backward compatibility, but geesh, I'm talking about 5 years since I've got the first warning about the tftp write command...
Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gert Doering
Sent: Monday, October 13, 2008 8:21 AM
To: adrian kok
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] write mem vs copy run start

Hi,

On Mon, Oct 13, 2008 at 07:04:07AM +0800, adrian kok wrote:
> Can I know what is the difference between write mem and copy run start

Lots of different letters being used.

Regarding actual effect: both commands do the very same thing. "wr mem" is the "IOS 10.x style" command, while "copy X Y" is the grand unified way of moving things that has been introduced later on.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From oboehmer at cisco.com Mon Oct 13 04:08:53 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 13 Oct 2008 10:08:53 +0200
Subject: [c-nsp] packet drop due ti CAR (rate-limit)
In-Reply-To:
References:
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784062CE397@xmb-ams-333.emea.cisco.com>

Muhammad Farooq <> wrote on Monday, October 13, 2008 9:37 AM:

> Hi,
>
> we are having a packet drop issue due to rate limit on a FastEthernet
> interface of a 3845 router. We are using dot1q on that interface. If we
> remove the rate-limit, the packet drop issue is solved. Please note that
> with an increase in the rate limit, the packet drop interval also
> increases and it makes a pattern. Output of show interface is pasted
> below. The running IOS of the router is
> c3845-advipservicesk9-mz.123-14.T7.bin and interface utilization is not
> more than 35%.
>
> interface FastEthernet3/0
>  no ip address
>  load-interval 30
>  duplex full
>  speed 100

can you show some iterations of "show int rate-limit" (best after "clear counter")? Please bear in mind that TCP traffic can be very bursty and CAR/rate-limit can drop these bursts..

oli

From p.mayers at imperial.ac.uk Mon Oct 13 06:06:44 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 13 Oct 2008 11:06:44 +0100
Subject: [c-nsp] write mem vs copy run start
In-Reply-To: <948194.23329.qm@web33304.mail.mud.yahoo.com>
References: <948194.23329.qm@web33304.mail.mud.yahoo.com>
Message-ID: <48F31DB4.9050301@imperial.ac.uk>

adrian kok wrote:
> Hi
>
> Can I know what is the difference between write mem and
> copy run start

None. *Except* "wr mem" can be easily used from TCL scripts. "copy" commands often want CLI input.

From scorpianbiz at hotmail.com Mon Oct 13 06:08:36 2008
From: scorpianbiz at hotmail.com (Muhammad Farooq)
Date: Mon, 13 Oct 2008 10:08:36 +0000
Subject: [c-nsp] packet drop due ti CAR (rate-limit)
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED784062CE397@xmb-ams-333.emea.cisco.com>
References: <70B7A1CCBFA5C649BD562B6D9F7ED784062CE397@xmb-ams-333.emea.cisco.com>
Message-ID:

We have 24 subinterfaces on this FastEthernet link and we are facing the problem on all subinterfaces. We have other gig interfaces on this router on which we are using dot1q, but they are running perfectly. Please find below the show rate-limit output for one of the problematic interfaces.

FastEthernet3/0.8 Alfalah GHP
  Input
    matches: all traffic
      params:  512000 bps, 48000 limit, 96000 extended limit
      conformed 31000 packets, 23768856 bytes; action: transmit
      exceeded 310 packets, 287635 bytes; action: drop
      last packet: 32ms ago, current burst: 34513 bytes
      last cleared 00:06:55 ago, conformed 457000 bps, exceeded 5000 bps
  Output
    matches: all traffic
      params:  512000 bps, 48000 limit, 96000 extended limit
      conformed 24550 packets, 14268239 bytes; action: transmit
      exceeded 3 packets, 354 bytes; action: drop
      last packet: 44ms ago, current burst: 58 bytes
      last cleared 00:06:55 ago, conformed 274000 bps, exceeded 0 bps

----------------------------------------
> Subject: RE: [c-nsp] packet drop due ti CAR (rate-limit)
> Date: Mon, 13 Oct 2008 10:08:53 +0200
> From: oboehmer at cisco.com
> To: scorpianbiz at hotmail.com; cisco-nsp at puck.nether.net
>
> Muhammad Farooq <> wrote on Monday, October 13, 2008 9:37 AM:
>
>> Hi,
>>
>> we are having a packet drop issue due to rate limit on a FastEthernet
>> interface of a 3845 router. We are using dot1q on that interface. If we
>> remove the rate-limit, the packet drop issue is solved. Please note that
>> with an increase in the rate limit, the packet drop interval also
>> increases and it makes a pattern. Output of show interface is pasted
>> below. The running IOS of the router is
>> c3845-advipservicesk9-mz.123-14.T7.bin and interface utilization is not
>> more than 35%.
>>
>> interface FastEthernet3/0
>>  no ip address
>>  load-interval 30
>>  duplex full
>>  speed 100
>
> can you show some iterations of "show int rate-limit" (best after "clear
> counter")? Please bear in mind that TCP traffic can be very bursty and
> CAR/rate-limit can drop these bursts..
>
> oli
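The counters in the two pastes above are what the thread's drop-rate reasoning rests on. As an added example, not from the original posts, here is a small Python parser that turns both outputs into ratios: interface output drops per packet output, and CAR "exceeded" packets per packet the limiter saw. The sample text is copied from the posts and trimmed to the lines the parser needs; the function names are the example's own.

```python
"""Drop-rate arithmetic for the CAR thread above.

Added example, not from the original posts: it parses the "show interfaces"
and "show rate-limit" output pasted in this thread and turns the raw counters
into percentages (interface output drops as a share of packets output, and
CAR "exceeded" packets as a share of all packets the limiter saw). The sample
text is copied from the thread, trimmed to the lines the parser needs; the
function names are this example's own.
"""
import re

# Copied from the "sh interfaces fastEthernet 3/0" paste in the thread.
SHOW_INT = """\
FastEthernet3/0 is up, line protocol is up
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 2975550
  Queueing strategy: fifo
     1330094782 packets input, 2898978448 bytes
     1708820647 packets output, 2432520678 bytes, 0 underruns
"""

# Copied from the "show rate-limit" paste for one subinterface.
SHOW_RATE_LIMIT = """\
FastEthernet3/0.8 Alfalah GHP
  Input
    matches: all traffic
      params:  512000 bps, 48000 limit, 96000 extended limit
      conformed 31000 packets, 23768856 bytes; action: transmit
      exceeded 310 packets, 287635 bytes; action: drop
  Output
    matches: all traffic
      params:  512000 bps, 48000 limit, 96000 extended limit
      conformed 24550 packets, 14268239 bytes; action: transmit
      exceeded 3 packets, 354 bytes; action: drop
"""


def interface_drop_ratio(show_int: str) -> dict:
    """Map interface name -> total output drops / packets output."""
    result, name, drops = {}, None, None
    for line in show_int.splitlines():
        if m := re.match(r"^(\S+) is (?:up|down|administratively down)", line):
            name, drops = m.group(1), None       # a new interface block starts
        elif m := re.search(r"Total output drops: (\d+)", line):
            drops = int(m.group(1))
        elif (m := re.search(r"(\d+) packets output", line)) and name and drops is not None:
            out = int(m.group(1))
            result[name] = drops / out if out else 0.0  # guard: freshly cleared counters
    return result


def car_excess_ratio(show_rate_limit: str) -> dict:
    """Map (interface, direction) -> exceeded / (conformed + exceeded) packets."""
    result, iface, direction, conformed = {}, None, None, None
    for line in show_rate_limit.splitlines():
        stripped = line.strip()
        if stripped and not line.startswith(" "):
            iface = stripped.split()[0]          # unindented line names the interface
        elif stripped in ("Input", "Output"):
            direction, conformed = stripped, None
        elif m := re.match(r"conformed (\d+) packets", stripped):
            conformed = int(m.group(1))
        elif (m := re.match(r"exceeded (\d+) packets", stripped)) and conformed is not None:
            exceeded = int(m.group(1))
            total = conformed + exceeded
            result[(iface, direction)] = exceeded / total if total else 0.0
    return result


if __name__ == "__main__":
    for iface, r in interface_drop_ratio(SHOW_INT).items():
        print(f"{iface}: output drops are {r:.2%} of packets output")
    for (iface, d), r in car_excess_ratio(SHOW_RATE_LIMIT).items():
        print(f"{iface} {d}: CAR dropped {r:.2%} of packets as excess")
```

Run against the pasted output it gives roughly 0.17% output drops on FastEthernet3/0 and roughly 0.99% excess on the FastEthernet3/0.8 input policer; collecting the same figures across all 24 subinterfaces after a "clear counters" would show whether the CAR drops account for the interface total.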
From oboehmer at cisco.com Mon Oct 13 08:04:11 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 13 Oct 2008 14:04:11 +0200
Subject: [c-nsp] packet drop due ti CAR (rate-limit)
In-Reply-To:
References: <70B7A1CCBFA5C649BD562B6D9F7ED784062CE397@xmb-ams-333.emea.cisco.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED784062CE68B@xmb-ams-333.emea.cisco.com>

Muhammad Farooq wrote on Monday, October 13, 2008 12:09 PM:

> We have 24 subinterfaces on this FastEthernet link and we are facing the
> problem on all subinterfaces. We have other gig interfaces on this
> router on which we are using dot1q, but they are running perfectly.
> Please find below the show rate-limit output for one of the problematic
> interfaces.
>
> FastEthernet3/0.8 Alfalah GHP
>   Input
>     matches: all traffic
>       params:  512000 bps, 48000 limit, 96000 extended limit
>       conformed 31000 packets, 23768856 bytes; action: transmit
>       exceeded 310 packets, 287635 bytes; action: drop
>       last packet: 32ms ago, current burst: 34513 bytes
>       last cleared 00:06:55 ago, conformed 457000 bps, exceeded 5000 bps
>   Output
>     matches: all traffic
>       params:  512000 bps, 48000 limit, 96000 extended limit
>       conformed 24550 packets, 14268239 bytes; action: transmit
>       exceeded 3 packets, 354 bytes; action: drop
>       last packet: 44ms ago, current burst: 58 bytes
>       last cleared 00:06:55 ago, conformed 274000 bps, exceeded 0 bps

Well, CAR drops traffic, which counts up in the interface output drops.. The first interface drops 1% of the traffic as excess traffic, the overall drop rate (from the initial "show int") is in the range of 0.2%, so I would consider this "expected" behaviour due to traffic bursts which are rate-limited by CAR..

oli

> ----------------------------------------
>> Subject: RE: [c-nsp] packet drop due ti CAR (rate-limit)
>> Date: Mon, 13 Oct 2008 10:08:53 +0200
>> From: oboehmer at cisco.com
>> To: scorpianbiz at hotmail.com; cisco-nsp at puck.nether.net
>>
>> Muhammad Farooq <> wrote on Monday, October 13, 2008 9:37 AM:
>>
>>> Hi,
>>>
>>> we are having a packet drop issue due to rate limit on a FastEthernet
>>> interface of a 3845 router. We are using dot1q on that interface. If
>>> we remove the rate-limit, the packet drop issue is solved. Please note
>>> that with an increase in the rate limit, the packet drop interval also
>>> increases and it makes a pattern. Output of show interface is pasted
>>> below. The running IOS of the router is
>>> c3845-advipservicesk9-mz.123-14.T7.bin and interface utilization is
>>> not more than 35%.
>>>
>>> interface FastEthernet3/0
>>>  no ip address
>>>  load-interval 30
>>>  duplex full
>>>  speed 100
>>
>> can you show some iterations of "show int rate-limit" (best after
>> "clear counter")? Please bear in mind that TCP traffic can be very
>> bursty and CAR/rate-limit can drop these bursts..
>>
>> oli

From rodunn at cisco.com Mon Oct 13 10:02:33 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 13 Oct 2008 10:02:33 -0400
Subject: [c-nsp] SXH3 ghost bugs - resolved
In-Reply-To: <20081013063318.GD18780@greenie.muc.de>
References: <20080916165849.GA20288@greenie.muc.de> <20080918201316.GD20288@greenie.muc.de> <20080919003643.GB79009@puck.nether.net> <20080919165126.GA11635@greenie.muc.de> <1221845016.11349.15.camel@abehat> <20080920192953.GD7160@greenie.muc.de> <20080922130445.GB12859@rtp-cse-489.cisco.com> <20080923204638.GM24139@rtp-cse-489.cisco.com> <20080924180137.GD6014@greenie.muc.de> <20081013063318.GD18780@greenie.muc.de>
Message-ID: <20081013140233.GA22482@rtp-cse-489.cisco.com>

I'd like to claim some responsibility, but it was really a peer of mine, Preston Chilcote, that got the BU to do it. I just provided him some supplemental ammo. ;)

Glad to know we got a quick turnaround on it.

Rodney

On Mon, Oct 13, 2008 at 08:33:18AM +0200, Gert Doering wrote:
> Hi,
>
> just to follow up on the "Ghost route" issue in SXH3.
>
> The two relevant bug IDs are CSCsu03167 and CSCsu59917 (duplicate).
>
> It affects IPv4 and IPv6.
>
> The bug is fixed in SXH3a, which we have had running for about 12 days, and
> since then we have not observed a single route getting "stuck" due to
> lack of withdraw (= ghost).
>
> So -> it's fixed for good.
>
> Thanks to Rodney for providing insights and for helping to get the interim
> rebuild out of the door.
>
> gert
>
> --
> USENET is *not* the non-clickable part of WWW!
> //www.muc.de/~gert/
> Gert Doering - Munich, Germany  gert at greenie.muc.de
> fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From gert at greenie.muc.de Mon Oct 13 14:22:31 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 13 Oct 2008 20:22:31 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <48F2F2A0.3020603@gmx.de>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net> <48F2F2A0.3020603@gmx.de>
Message-ID: <20081013182231.GB8535@greenie.muc.de>

Hi,

On Mon, Oct 13, 2008 at 09:02:56AM +0200, Garry wrote:
> But if I do that, I have all the routes it announces back in the
> Backbone OSPF, which I want to only carry the infrastructure IPs ... I've
> already attempted to set up a second OSPF process in order to keep the
> routes learned from one box out of the backbone area, but somehow I must
> be missing something essential, as the router belonging to multiple
> areas keeps mixing them together ...

Well, that's the canonical way to do it - run two separate OSPF processes, one for "router1 <-> router2 -> BGP" and the other one for "router2 <-> backbone". And make sure that the active interfaces don't overlap.

I currently have no setup where I can verify that it does work, but I remember that I did this some time ago, and it did seem to do the right thing.

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From networking.stuff at googlemail.com Mon Oct 13 15:39:15 2008
From: networking.stuff at googlemail.com (Chintan Shah)
Date: Tue, 14 Oct 2008 01:09:15 +0530
Subject: [c-nsp] Qos : LLQ
Message-ID: <1e7e04890810131239jc9b54e6k2d8ecd77c228926d@mail.gmail.com>

Hi,

I have one doubt on LLQ. Say for example I have LLQ with 60% BW and the remaining 40% is assigned to 4 CBWFQ classes.
If LLQ is not utilizing its full bandwidth, say 60%, then will the remaining part go to the CBWFQ queues??
i.e. if LLQ is using 40%, will the remaining 20% be divided among the other CBWFQ classes on a proportionate basis????

Regards,

Chintan

From gkg at gmx.de Mon Oct 13 15:49:29 2008
From: gkg at gmx.de (Garry)
Date: Mon, 13 Oct 2008 21:49:29 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <20081013182231.GB8535@greenie.muc.de>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net> <48F2F2A0.3020603@gmx.de> <20081013182231.GB8535@greenie.muc.de>
Message-ID: <48F3A649.5050504@gmx.de>

Gert Doering wrote:
> Hi,
>
> On Mon, Oct 13, 2008 at 09:02:56AM +0200, Garry wrote:
>
>> But if I do that, I have all the routes it announces back in the
>> Backbone OSPF, which I want to only carry the infrastructure IPs ... I've
>> already attempted to set up a second OSPF process in order to keep the
>> routes learned from one box out of the backbone area, but somehow I must
>> be missing something essential, as the router belonging to multiple
>> areas keeps mixing them together ...
>
> Well, that's the canonical way to do it - run two separate OSPF
> processes, one for "router1 <-> router2 -> BGP" and the other one for
> "router2 <-> backbone". And make sure that the active interfaces don't
> overlap.

Hm ...
not sure what I did when I set up my last lab - when I did, routes received through one OSPF process were redistributed through the other process ... when I recreated the setup (two CEs connected to a PE, which is connected to a P router), redistribution stopped at the PE, as I had originally expected ...

So, in essence, I run a separate OSPF process per interface (with "default-information originate" towards the CE router), each with its own area, then move all the customer routes into BGP via appropriate network commands ...

> I currently have no setup where I can verify that it does work, but I
> remember that I did this some time ago, and it did seem to do the right
> thing.

GNS3/Dynamips really does make labs a lot easier to set up ;) From what I can tell, my original idea and understanding of doing this works after all ... too bad the files that I had tried it with originally have been cleaned up with the temp directory ... :(

Tnx,
-garry

From rodunn at cisco.com Mon Oct 13 16:02:30 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Mon, 13 Oct 2008 16:02:30 -0400
Subject: [c-nsp] Qos : LLQ
In-Reply-To: <1e7e04890810131239jc9b54e6k2d8ecd77c228926d@mail.gmail.com>
References: <1e7e04890810131239jc9b54e6k2d8ecd77c228926d@mail.gmail.com>
Message-ID: <20081013200230.GX22482@rtp-cse-489.cisco.com>

For ASR1000 see:

http://supportwiki.cisco.com/wiki/index.php/ASR1000_CBWFQ_QOS_Configuration_Example

Rodney

On Tue, Oct 14, 2008 at 01:09:15AM +0530, Chintan Shah wrote:
> Hi,
>
> I have one doubt on LLQ. Say for example I have LLQ with 60% BW and
> the remaining 40% is assigned to 4 CBWFQ classes.
> If LLQ is not utilizing its full bandwidth, say 60%, then will the remaining
> part go to the CBWFQ queues??
> i.e. if LLQ is using 40%, will the remaining 20% be divided among the other
> CBWFQ classes on a proportionate basis????
>
> Regards,
>
> Chintan

From gert at greenie.muc.de Mon Oct 13 17:01:45 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Mon, 13 Oct 2008 23:01:45 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <48F3A649.5050504@gmx.de>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net> <48F2F2A0.3020603@gmx.de> <20081013182231.GB8535@greenie.muc.de> <48F3A649.5050504@gmx.de>
Message-ID: <20081013210145.GC8535@greenie.muc.de>

Hi,

On Mon, Oct 13, 2008 at 09:49:29PM +0200, Garry wrote:
> > Well, that's the canonical way to do it - run two separate OSPF
> > processes, one for "router1 <-> router2 -> BGP" and the other one for
> > "router2 <-> backbone". And make sure that the active interfaces don't
> > overlap.
>
> Hm ... not sure what I did when I set up my last lab - when I did,
> routes received through one OSPF process were redistributed through the
> other process ...

I would expect this to require something along the lines of:

router ospf 1
  ...

router ospf 2
  redist ospf 2
  ...

> So, in essence, I run a separate OSPF process per interface (with
> "default-information originate" towards the CE router), each with its
> own area, then move all the customer routes into BGP via appropriate
> network commands ...

... it *should* work...

> > I currently have no setup where I can verify that it does work, but I
> > remember that I did this some time ago, and it did seem to do the right
> > thing.
>
> GNS3/Dynamips really does make labs a lot easier to set up ;)

Indeed :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From peter at rathlev.dk Mon Oct 13 18:40:40 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 14 Oct 2008 00:40:40 +0200
Subject: [c-nsp] SNMP / CISCO-FLASH-MIB questions
Message-ID: <1223937640.18261.21.camel@abehat>

Hello all,

I have a small SNMP question regarding some scripts I'm writing for automation of file services on a bunch of small routers and access switches (C2600/2800 and Cat3560 primarily). I'd like to automate the deletion of e.g. anything with a name containing "html", or maybe old images after an upgrade, and for that I figured using a combination of walking ciscoFlashFileName and using ciscoFlashMiscOpEntry commands would do the trick.

I can delete all the regular files with no problems, but I can't seem to figure out how to delete directories. If I specify the directory name with the trailing slash, as ciscoFlashFileName gives it to me, it returns "miscOpInvalidDestName", and if I try without the trailing slash I get "miscOpFileOpenError".

With the slash:

[prathlev at einstein ~]# TARGET="test-c3560.net.rm.dk"
[prathlev at einstein ~]# RND=$RANDOM
[prathlev at einstein ~]# snmpset $SNMP_OPTS $TARGET \
> CISCO-FLASH-MIB::ciscoFlashMiscOpCommand.$RND i delete \
> CISCO-FLASH-MIB::ciscoFlashMiscOpDestinationName.$RND s flash:/c3560-ipbase-mz.122-25.SEE3/html/ \
> CISCO-FLASH-MIB::ciscoFlashMiscOpEntryStatus.$RND i createAndGo
CISCO-FLASH-MIB::ciscoFlashMiscOpCommand.32433 = INTEGER: delete(3)
CISCO-FLASH-MIB::ciscoFlashMiscOpDestinationName.32433 = STRING: flash:/c3560-ipbase-mz.122-25.SEE3/html/
CISCO-FLASH-MIB::ciscoFlashMiscOpEntryStatus.32433 = INTEGER: createAndGo(4)
[prathlev at einstein ~]# snmpget $SNMP_OPTS $TARGET \
> CISCO-FLASH-MIB::ciscoFlashMiscOpStatus.$RND
CISCO-FLASH-MIB::ciscoFlashMiscOpStatus.32433 = INTEGER: miscOpInvalidDestName(4)
[prathlev at einstein ~]#

Without the slash:

[prathlev at einstein ~]# RND=$RANDOM
[prathlev at einstein ~]# snmpset $SNMP_OPTS $TARGET \
> CISCO-FLASH-MIB::ciscoFlashMiscOpCommand.$RND i delete \
> CISCO-FLASH-MIB::ciscoFlashMiscOpDestinationName.$RND s flash:/c3560-ipbase-mz.122-25.SEE3/html \
> CISCO-FLASH-MIB::ciscoFlashMiscOpEntryStatus.$RND i createAndGo
CISCO-FLASH-MIB::ciscoFlashMiscOpCommand.17488 = INTEGER: delete(3)
CISCO-FLASH-MIB::ciscoFlashMiscOpDestinationName.17488 = STRING: flash:/c3560-ipbase-mz.122-25.SEE3/html
CISCO-FLASH-MIB::ciscoFlashMiscOpEntryStatus.17488 = INTEGER: createAndGo(4)
[prathlev at einstein ~]# snmpget $SNMP_OPTS $TARGET \
> CISCO-FLASH-MIB::ciscoFlashMiscOpStatus.$RND
CISCO-FLASH-MIB::ciscoFlashMiscOpStatus.17488 = INTEGER: miscOpFileOpenError(9)
[prathlev at einstein ~]#

I can't seem to find anything in CISCO-FLASH-MIB that would point at directories being special or what to do with them. :-|

Is there any way to delete directories using CISCO-FLASH-MIB, or maybe another MIB? Or will expect scripts have to do?

TIA,
Peter

From caesar at starkreality.com Mon Oct 13 20:02:50 2008
From: caesar at starkreality.com (William S. Duncanson)
Date: Mon, 13 Oct 2008 19:02:50 -0500
Subject: [c-nsp] Rate-limit call-home?
Message-ID:

Does anyone know offhand if call-home can be rate-limited? We had a situation on a 6500 where call-home wound up sending out a couple hundred messages in the space of about 2 minutes before we could turn call-home off...

-- 
William S. Duncanson
caesar at starkreality.com

From zeusdadog at gmail.com Mon Oct 13 23:01:01 2008
From: zeusdadog at gmail.com (Jay Nakamura)
Date: Mon, 13 Oct 2008 23:01:01 -0400
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
Message-ID: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com>

Quick question,

Does anyone do anything special before rebooting/shutting down a core or border router so routes on other routers converge faster around the rebooted router? I was thinking it might be better if I heavily BGP prepend to upstreams first, so the bordering peer router will still route to me until the better route from the other upstream has propagated to that peer. What about OSPF inside our network? Putting the interfaces in passive mode first?

Thanks!

-Jay

From petelists at templin.org Mon Oct 13 23:15:38 2008
From: petelists at templin.org (Pete Templin)
Date: Mon, 13 Oct 2008 20:15:38 -0700
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
In-Reply-To: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com>
References: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com>
Message-ID: <48F40EDA.4030102@templin.org>

Jay Nakamura wrote:
> Quick question,
>
> Does anyone do anything special before rebooting/shutting down a core or
> border router so routes on other routers converge faster around the rebooted
> router?
> I was thinking it might be better if I heavily BGP prepend to
> upstreams first, so the bordering peer router will still route to me until the
> better route from the other upstream has propagated to that peer. What about
> OSPF inside our network? Putting the interfaces in passive mode first?

On our "edge" routers (nodes that handle upstream connectivity), we have pre-made route maps for each provider in multiple forms: normal, "high med", and maintenance. We switch out the route maps ahead of provider maintenance or internal operations, and restore them when we feel comfortable that the work is complete and stable. Do note that for most transit connections, prepends aren't sufficient to push inbound traffic off the link; you'll normally need to signal peer-level or peer-backup local preference with communities.

On our "core" routers (nodes that interconnect POPs as well as edge and distribution routers within the POPs), we do "max-metric router-lsa" within OSPF to push traffic off the affected node before maintenance/reboot. Once complete, we return to "max-metric router-lsa on-startup 900", so that the router won't take transitory traffic (unless necessary) for 15 minutes after a reboot, providing an opportunity to assess conditions. For reloads, we schedule the reload, then change the config to the simple form of "max-metric router-lsa" but don't re-save the config. This way, the router returns to service unattended.

pt

From gkg at gmx.de Mon Oct 13 23:49:21 2008
From: gkg at gmx.de (Garry)
Date: Tue, 14 Oct 2008 05:49:21 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <20081013210145.GC8535@greenie.muc.de>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net> <48F2F2A0.3020603@gmx.de> <20081013182231.GB8535@greenie.muc.de> <48F3A649.5050504@gmx.de> <20081013210145.GC8535@greenie.muc.de>
Message-ID: <48F416C1.6000804@gmx.de>

Gert Doering wrote:
>> Hm ... not sure what I did when I set up my last lab - when I did,
>> routes received through one OSPF process were redistributed through the
>> other process ...
>
> I would expect this to require something along the lines of:
>
> router ospf 1
>   ...
>
> router ospf 2
>   redist ospf 2

Don't think so, as I was trying to avoid exactly that ;)

Oh well ... lab setup is working, so I guess I will use our next maintenance window to move a smaller POP over to this kind of setup ... see if everything works as expected in Real Life ... ;)

Tnx @all ...

-garry

From gert at greenie.muc.de Tue Oct 14 03:07:45 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 14 Oct 2008 09:07:45 +0200
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
In-Reply-To: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com>
References: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com>
Message-ID: <20081014070745.GF8535@greenie.muc.de>

Hi,

On Mon, Oct 13, 2008 at 11:01:01PM -0400, Jay Nakamura wrote:
> Quick question,
>
> Does anyone do anything special before rebooting/shutting down a core or
> border router so routes on other routers converge faster around the rebooted
> router? I was thinking it might be better if I heavily BGP prepend to
> upstreams first, so the bordering peer router will still route to me until the
> better route from the other upstream has propagated to that peer. What about
> OSPF inside our network? Putting the interfaces in passive mode first?

What we do is:

- shut down all eBGP sessions (but leave the interfaces "up") - so while the control plane converges, packets can still travel via that router
  [this could be made a bit smoother by prepending / de-local-pref'ing the routes first, but shutting down the BGP session before bringing down the interface is already smoother than hard reloading]
- make internal routing 'passive' on all but one interface - so the iBGP sessions can still be up, but other routers won't consider this router for packets, as there are no IGP paths "across" it
- reload
- wait for iBGP to come back and converge
- bring back eBGP
- bring back IGP

(now this is something why I'm really really really tempted to switch to IS-IS, the "overload" bit, making the 'boot up smoothly' process automatic)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany  gert at greenie.muc.de
fax: +49-89-35655025  gert at net.informatik.tu-muenchen.de

From mtinka at globaltransit.net Tue Oct 14 03:31:08 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Tue, 14 Oct 2008 15:31:08 +0800
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
In-Reply-To: <20081014070745.GF8535@greenie.muc.de>
References: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com> <20081014070745.GF8535@greenie.muc.de>
Message-ID: <200810141531.13246.mtinka@globaltransit.net>

On Tuesday 14 October 2008 15:07:45 Gert Doering wrote:

> (now this is something why I'm really really really
> tempted to switch to IS-IS, the "overload" bit, making
> the 'boot up smoothly' process automatic)

A very compelling feature for the core during bootup. We like it.

Cheers,

Mark.
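The drain sequence the thread describes (Gert's steps: shut down eBGP but keep iBGP up, make the IGP passive on all but one interface, reload, undo; and Pete's "max-metric router-lsa" alternative for OSPF cores) as an added Python example that is not from the original posts. It derives the drain and restore command sets from a constructed running configuration; the AS number, addresses and interface names are made up, and the IGP is OSPF as in Pete's setup.

```python
"""Drain/restore command generator for the pre-reload procedure above.

Added example, not from the original posts. It applies the steps Gert lists
(shut down every eBGP session but leave iBGP up; make the IGP passive on all
but one interface; reload; then undo) and, as the alternative Pete describes
for OSPF cores, "max-metric router-lsa". The running configuration below is
constructed for the example: AS number, addresses and interface names are
made up, and the IGP is OSPF.
"""
import re

# Constructed running-config excerpt (hypothetical router, documentation addresses).
RUNNING_CONFIG = """\
interface Loopback0
 ip address 192.0.2.1 255.255.255.255
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
interface GigabitEthernet0/2
 ip address 198.51.100.5 255.255.255.252
interface GigabitEthernet0/3
 ip address 203.0.113.2 255.255.255.252
router ospf 1
 network 192.0.2.1 0.0.0.0 area 0
 network 198.51.100.0 0.0.0.255 area 0
router bgp 64496
 neighbor 192.0.2.2 remote-as 64496
 neighbor 192.0.2.3 remote-as 64496
 neighbor 203.0.113.1 remote-as 64511
"""


def parse_config(config: str) -> dict:
    """Extract local AS, BGP neighbours, OSPF process id and interface names."""
    info = {"local_as": None, "neighbors": {}, "ospf": None, "interfaces": []}
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            info["interfaces"].append(m.group(1))
        elif m := re.match(r"^router ospf (\d+)", line):
            info["ospf"] = int(m.group(1))
        elif m := re.match(r"^router bgp (\d+)", line):
            info["local_as"] = int(m.group(1))
        elif m := re.match(r"^ neighbor (\S+) remote-as (\d+)", line):
            info["neighbors"][m.group(1)] = int(m.group(2))
    return info


def drain_commands(info: dict, keep_active: str, max_metric: bool = False) -> list:
    """Commands that take the router out of the forwarding path before a reload.

    eBGP means the neighbour's remote-as differs from ours; iBGP sessions stay
    up so the router keeps a consistent view while traffic moves around it.
    keep_active (normally the loopback the iBGP sessions are sourced from) is
    the one interface the IGP still speaks on, so those sessions stay reachable.
    """
    if keep_active not in info["interfaces"]:
        raise ValueError(f"{keep_active} is not a configured interface")
    if info["local_as"] is None or info["ospf"] is None:
        raise ValueError("config has no 'router bgp' or no 'router ospf' section")
    cmds = [f"router bgp {info['local_as']}"]
    cmds += [f" neighbor {n} shutdown"
             for n, asn in sorted(info["neighbors"].items()) if asn != info["local_as"]]
    cmds.append(f"router ospf {info['ospf']}")
    if max_metric:
        # Pete's variant: stay in the topology, but advertise maximal link cost.
        cmds.append(" max-metric router-lsa")
    else:
        # Gert's variant: no IGP adjacency on any transit link, hence no IGP
        # path "across" this router; only keep_active stays non-passive.
        cmds += [f" passive-interface {i}" for i in info["interfaces"] if i != keep_active]
    return cmds


def restore_commands(info: dict, keep_active: str, max_metric: bool = False) -> list:
    """Reverse of drain_commands: negate each indented line, keep section headers."""
    return [(" no" + c) if c.startswith(" ") else c
            for c in drain_commands(info, keep_active, max_metric)]


if __name__ == "__main__":
    cfg = parse_config(RUNNING_CONFIG)
    print("\n".join(drain_commands(cfg, "Loopback0")))
    print("!")
    print("\n".join(restore_commands(cfg, "Loopback0")))
```

The restore set is meant to be applied only after iBGP has reconverged following the reload, in the order Gert gives (eBGP back first, then the IGP).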
From oboehmer at cisco.com Tue Oct 14 04:34:51 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Tue, 14 Oct 2008 10:34:51 +0200
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
In-Reply-To: <200810141531.13246.mtinka@globaltransit.net>
References: <9418aca70810132001h258837fj67f98651289a9fe7@mail.gmail.com> <20081014070745.GF8535@greenie.muc.de> <200810141531.13246.mtinka@globaltransit.net>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406325793@xmb-ams-333.emea.cisco.com>

Mark Tinka <> wrote on Tuesday, October 14, 2008 9:31 AM:

> On Tuesday 14 October 2008 15:07:45 Gert Doering wrote:
>
>> (now this is something why I'm really really really
>> tempted to switch to IS-IS, the "overload" bit, making
>> the 'bootup smoothly' process automatic)
>
> A very compelling feature for the core during bootup. We
> like it.

OSPF's max-metric can achieve something similar, can't it?

	oli

From gert at greenie.muc.de Tue Oct 14 04:43:38 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 14 Oct 2008 10:43:38 +0200
Subject: [c-nsp] Best practice for lowest convergence time when rebooting router
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED78406325793@xmb-ams-333.emea.cisco.com>
References: <200810141531.13246.mtinka@globaltransit.net> <70B7A1CCBFA5C649BD562B6D9F7ED78406325793@xmb-ams-333.emea.cisco.com>
Message-ID: <20081014084338.GI8535@greenie.muc.de>

Hi,

On Tue, Oct 14, 2008 at 10:34:51AM +0200, Oliver Boehmer (oboehmer) wrote:
>> On Tuesday 14 October 2008 15:07:45 Gert Doering wrote:
>>> (now this is something why I'm really really really
>>> tempted to switch to IS-IS, the "overload" bit, making
>>> the 'bootup smoothly' process automatic)
> OSPF's max-metric can achieve something similar, can't it?

We're still using EIGRP...
(and we're actually much more happy with the fine grained control and flexibility of EIGRP as opposed to those pesky link state protocols that want no filtering, no per-prefix link costs, and such...)

gert
--
USENET is *not* the non-clickable part of WWW!                                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gkg at gmx.de Tue Oct 14 05:27:33 2008
From: gkg at gmx.de (Garry)
Date: Tue, 14 Oct 2008 11:27:33 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <20081013182231.GB8535@greenie.muc.de>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48E23ED6.60304@beanfield.com> <200809302350.01918.mtinka@globaltransit.net> <48F2F2A0.3020603@gmx.de> <20081013182231.GB8535@greenie.muc.de>
Message-ID: <48F46605.1090805@gmx.de>

Oh, and some more (final?) thoughts/questions:

On core/backbone routers, I use "redistribute connected subnets" to ensure link (transfer) networks being made known throughout area 0, while the other processes/areas do not have any redistribute activated on P(E) routers. This will, of course, also insert LAN links into the OSPF announcements. I'm trying to find a reason for or against that being a problem or undesirable ... :)

But another thing is more of a problem I guess. Gert stated correctly that overlapping OSPF areas on a single interface need to be avoided (most likely as it won't work ;) )... so then how do I keep OSPF routes from non-BGP-speaking devices out of my area 0? As mentioned earlier in the thread, I have some devices (namely ISDN PRI routers) that do not speak BGP (and due to low volume, I do not intend to replace them with Cisco gear), as well as leased-line xDSL routers, usually hooked up into our POP LANs via OSPF.
For leased lines, I could still go static routes, but that would cause problems for sites that have a backup link via another DSL link. For the ISDN dialins, with the devices being hooked up to our POP LAN, and the (i)BGP speakers also communicating there with OSPF in order to distribute link IP networks, it would result in all dialins being moved into area 0 ... so what to do? Set up a separate VLAN just for those kinds of devices? Or just take them in (I mean, we're probably talking about a maximum of 20 or so dynamic routes peak, plus another 20-30 from the leased lines ...)?

Tnx,
-garry

From scubacuda at gmail.com Tue Oct 14 06:51:10 2008
From: scubacuda at gmail.com (Rogelio)
Date: Tue, 14 Oct 2008 03:51:10 -0700
Subject: [c-nsp] will L2TP break Kerberos?
Message-ID: <48F4799E.3050907@gmail.com>

Will Kerberos break if it goes through an L2TP tunnel?

I have these handheld wireless devices that are currently talking Kerberos back to a Symbol access point. I'm looking to replace these Symbol units with BelAir access points. These BelAir access points will L2TP tunnel back to a central Cisco router so that I can manage all of these handheld wireless devices with one DHCP and one RADIUS server.

In theory, I would think that L2TP tunneling works fine (the only difference being that your pipe gets smaller as you go across a WAN), but I was hoping to get some feedback from others here before I put this in production.

(I'm a little gun shy b/c I've seen things like NAT break IPsec)

From gary.ciscomail at gmail.com Tue Oct 14 07:56:45 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Tue, 14 Oct 2008 12:56:45 +0100
Subject: [c-nsp] Basic MPLS 7200
Message-ID:

I want to put together a basic 7206 for MPLS. Anyone got a build handy that they have used? I am just after Chassis, IOS, memory, not interfaces.
Cheers

From zorglub421 at gmail.com Tue Oct 14 10:31:47 2008
From: zorglub421 at gmail.com (Zorg 421)
Date: Tue, 14 Oct 2008 16:31:47 +0200
Subject: [c-nsp] ip flow egress on c76k
Message-ID: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>

Hello,

Is anyone able to make "ip flow egress" work on a Cisco 7604?

12.2.33 SRB4 and SRC2, not working, only some process-switched flows come out.

global config:

mls aging fast time 4 threshold 2
mls aging long 900
mls aging normal 32
mls flow ip interface-full
no mls flow ipv6
mls nde sender version 5

interface:

ip flow ingress
ip flow egress

(I cannot do ingress on another interface: it has HSRP and traffic coming in going out which would be duplicated)

Regards.

From dwinkworth at att.net Tue Oct 14 09:47:36 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Tue, 14 Oct 2008 08:47:36 -0500
Subject: [c-nsp] Fwd: NAT in VRF
In-Reply-To: <1223991606.8686.1.camel@R2D2>
References: <1223991606.8686.1.camel@R2D2>
Message-ID: <1223992056.8686.2.camel@R2D2>

NAT NVI. That would be the first doc, gtnatvi. There is no inside/outside that way.

On Tue, 2008-10-14 at 15:37 +0200, Jan van den Berg wrote:
> This touches a problem I am currently working on.
> I need to access services in one VPN from multiple other VPNs.
>
> I read in the ftnatvpn doc this:
> "Inside VPN to VPN with NAT is not supported."
>
> Since it is necessary that different VPNs can access the services from one
> VPN; using NAT will probably be required.
>
> So does anyone have any pointers on how to go about this?
>
> Cheers,
>
> Jan
>
> -----Original message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Derick Winkworth
> Sent: Friday, 10 October 2008 14:09
> To: cisco-nsp at puck.nether.net >> Cisco NSP
> Subject: Re: [c-nsp] Fwd: NAT in VRF
>
> [...]

From jan.vandenberg at isp.solcon.nl Tue Oct 14 09:37:14 2008
From: jan.vandenberg at isp.solcon.nl (Jan van den Berg)
Date: Tue, 14 Oct 2008 15:37:14 +0200
Subject: [c-nsp] Fwd: NAT in VRF
In-Reply-To: <48EF45FA.6090506@att.net>
Message-ID: <200810141454.m9EEsFOO096474@puck.nether.net>

This touches a problem I am currently working on.
I need to access services in one VPN from multiple other VPNs.

I read in the ftnatvpn doc this:
"Inside VPN to VPN with NAT is not supported."

Since it is necessary that different VPNs can access the services from one VPN; using NAT will probably be required.

So does anyone have any pointers on how to go about this?

Cheers,

Jan

-----Original message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Derick Winkworth
Sent: Friday, 10 October 2008 14:09
To: cisco-nsp at puck.nether.net >> Cisco NSP
Subject: Re: [c-nsp] Fwd: NAT in VRF

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gtnatvi.html
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t13/feature/guide/ftnatvpn.html

Here are two different ways to do what you are asking for, I hope!

Gary Roberton wrote:
> Thanks Luan
>
> Can anyone else confirm this also?
>
> Thanks
>
> On Thu, Oct 9, 2008 at 2:04 PM, Luan Nguyen wrote:
>
>> Yes you can. I used to do that with 2 VRF-Lites on 2 DMVPN tunnels.
>> Platform doesn't make any difference.
>>
>> Luan Nguyen
>> Chesapeake NetCraftsmen, LLC.
>> www.NetCraftsmen.net
>>
>> -----Original Message-----
>> From: cisco-nsp-bounces at puck.nether.net
>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Gary Roberton
>> Sent: Thursday, October 09, 2008 7:28 AM
>> To: cisco-nsp at puck.nether.net
>> Subject: [c-nsp] Fwd: NAT in VRF
>>
>> ---------- Forwarded message ----------
>> From: Gary Roberton
>> Date: Wed, Oct 8, 2008 at 10:13 AM
>> Subject: NAT in VRF
>> To: "cisco-nsp at puck.nether.net"
>>
>> Can someone please confirm for me that you can have the same IP address in
>> different VRFs natted to different destinations. In other words;
>>
>> 217.1.1.1 nat to 10.1.1.1 in VRF A
>> 217.1.1.1 nat to 192.168.1.1 in VRF B
>>
>> I can't see any reason why not.
>>
>> What about if using VRF-Lite on a 3845, does that make any difference?
>>
>> It's a funny question but I have been asked this and have no access to the
>> kit to prove it working and I have to have a solid answer.
>>
>> Thanks.
>>
>> Gary

From christian.macnevin at gmail.com Tue Oct 14 11:06:56 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Tue, 14 Oct 2008 08:06:56 -0700
Subject: [c-nsp] ip flow egress on c76k
In-Reply-To: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>
References: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>
Message-ID:

ip flow commands are only relative to the MSFC, unless I'm mistaken. So is there an mls command for this?

On Oct 14, 2008, at 7:31 AM, Zorg 421 wrote:

> Hello,
> Is anyone able to make "ip flow egress" work on a Cisco 7604?
> [...]
From zorglub421 at gmail.com Tue Oct 14 11:11:58 2008
From: zorglub421 at gmail.com (Zorg 421)
Date: Tue, 14 Oct 2008 17:11:58 +0200
Subject: [c-nsp] ip flow egress on c76k
In-Reply-To:
References: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>
Message-ID: <6b546c750810140811n453fde85r95388c3667482a83@mail.gmail.com>

Do you mean an mls command for egress netflow? It seems SRB and later changed the behaviour a bit; ip flow ingress and egress should also configure the MSFC:

http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/nde.html#wp1131066

(if my understanding is correct).

Regards.

On Tue, Oct 14, 2008 at 5:06 PM, Christian MacNevin <christian.macnevin at gmail.com> wrote:
> ip flow commands are only relative to the MSFC, unless I'm mistaken. So is
> there an mls command for this?
>
> On Oct 14, 2008, at 7:31 AM, Zorg 421 wrote:
>
> Hello,
> Is anyone able to make "ip flow egress" work on a Cisco 7604?
> [...]
From dudepron at gmail.com Tue Oct 14 11:44:57 2008
From: dudepron at gmail.com (Aaron)
Date: Tue, 14 Oct 2008 11:44:57 -0400
Subject: [c-nsp] Dark fiber Termination requirements
In-Reply-To: <780ba68ef3240c803f48f51cba3f6114.squirrel@a61.nl>
References: <929668884.121911223633307482.JavaMail.root@mbv2.indiatimes.com> <780ba68ef3240c803f48f51cba3f6114.squirrel@a61.nl>
Message-ID: <480dad640810140844p45da049fu8736571c780840e4@mail.gmail.com>

You also might require licensing to use transmission equipment. It has been a while since I dealt with this issue in AsiaPac. I remember some countries had requirements to light fiber.

On Fri, Oct 10, 2008 at 7:04 AM, Dirk-Jan van Helmond wrote:
> > We will be using single mode fiber as per the service provider. No idea
> > about the passive equipment as the service provider will only be
> > providing the fiber up to our office and we are supposed to get it
> > terminated on to our network.
> > We will be wanting ethernet output and will want to transfer up to 10Gb of
> > data through that fiber.
> > We will be using this dark fiber as a Leased line from head office to data
> > center.
>
> You'll probably get an end-to-end fiber.
> When the fiber is ready, you'll get a measurement report with the distance
> of the fiber and the attenuation. With this information you can buy your
> optics.
>
> For ethernet:
>
> 10GBase-LR - 10Km
> 10GBase-ER - 40Km
> 10GBase-ZR - 80Km
>
> If the distances are bigger, you want SONET or specialized WDM optics.
> We use MRV optics. They have optics that can transport Ethernet over 200Km.
>
> Regards,
> Dirk-Jan
>
> > ----- Original Message -----
> > From: Dirk-Jan van Helmond
> > To: v date
> > Cc: cisco-nsp at puck.nether.net
> > Sent: Fri, 10 Oct 2008 15:25:12 +0530 (IST)
> > Subject: Re: [c-nsp] Dark fiber Termination requirements
> >
> >> Dear all,
> >> We are in process of implementing dark fiber in Japan for our office in
> >> Tokyo and I would require this information if anyone can provide me.
> >> The scenario is as follows:
> >> Service provider's hub is 20kms away from our office. He will be laying
> >> dark fiber from his hub to our office.
> >>
> >> How can we terminate this fiber in our network?
> >
> > You need dark-routers ;)
> >
> >> what type of equipment will be required?
> >> Is it possible to terminate this fiber without CWDM equipment?
> >
> > Dark Fiber is just a cable. I suppose it's singlemode.
> > So you can use regular optics.
> >
> > There are some things that you need to take into account:
> > - What is the end-to-end distance in KM?
> > - Is there active or passive equipment in between? How much dB?
> > - What do you want to transport? FC? Ethernet? 1G? 10G? SONET?
> >
> > Regards,
> > Dirk-Jan

From dmitry at dmitry.net Tue Oct 14 11:18:34 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Tue, 14 Oct 2008 18:18:34 +0300
Subject: [c-nsp] ip flow egress on c76k
In-Reply-To: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>
References: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com>
Message-ID: <20081014151834.GH73762@f17.dmitry.net>

Hello!

On Tue, Oct 14, 2008 at 04:31:47PM +0200, Zorg 421 wrote:
> Is anyone able to make "ip flow egress" work on a Cisco 7604?

As some Cisco guy says, egress netflow for unicast is not supported by PFC hardware. The "ip flow egress" command is related to multicast flows replicated within the PFC and of course to unicast switched by the MSFC.

AFAIK, the next Earl will support unicast egress netflow.

--
Dmitry Kiselev

From achatz at forthnet.gr Tue Oct 14 12:04:32 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Tue, 14 Oct 2008 19:04:32 +0300
Subject: [c-nsp] shut interfaces become enabled for some secs while reloading
In-Reply-To: <48DB6311.8050100@forthnet.gr>
References: <48DB6311.8050100@forthnet.gr>
Message-ID: <48F4C310.8090505@forthnet.gr>

Just a note here.... official answer from Cisco is:

"This is common to all interfaces and the problem is due to the IOS init code implementation... ...during reload time, it will consider them as new interfaces so to put them in shutdown mode we have to include the 'no ip addr' instead of relying on the shut command".
Interesting... this means at least 2 things:

1) you shouldn't keep a router with shut interfaces and identical config on your network
2) a shut interface is actually shut during a reload only if it doesn't have an ip address

--
Tassos

Tassos Chatzithomaoglou wrote on 25/9/2008 1:08:
> Has anyone met the above problem?
>
> I'm trying a 7200/G2 with 12.2(31)SB13 and i noticed that while
> reloading it, the shut interfaces come up for 2 secs, which is more
> than enough time to send packets through them (having portfast enabled
> on the switch port).
>
> I guess the config is parsed sequentially, so if the "shutdown" command
> follows the "ip address x.x.x.x" command (which they do when doing "sh
> run"), ip connectivity is established first.
>
> The problem with the above is that if you have to prepare a second
> router having identical config with another one (keeping the interfaces
> of the second router in the shutdown state), you end up having duplicate
> ips for a while (in my case 2 secs) when reloading the second router.
> This small time is more than enough to make the hell out of arp/mac
> tables!!!
>
> I know there are many ways to avoid all this mess (remove/change ips,
> shut switch ports instead of router ports, etc), but i was mainly
> wondering if all this is expected/normal behavior.

From gary.ciscomail at gmail.com Tue Oct 14 12:20:59 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Tue, 14 Oct 2008 17:20:59 +0100
Subject: [c-nsp] 6500 and MPLS
Message-ID:

Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE duties (including NAT)? If so, what are the pros and cons you have experienced.

Thanks.

Gary

From petelists at templin.org Tue Oct 14 12:26:59 2008
From: petelists at templin.org (Pete Templin)
Date: Tue, 14 Oct 2008 09:26:59 -0700
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <48F4C853.50103@templin.org>

Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties?
> Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.

We have one 6509/Sup720-3BXL in full production, and a second one with one customer and soon to inherit the rest of our customers in that POP. So far, I'm VERY happy with it. A few minor rules (EoMPLS has to be on the port, not on a VLAN), but quite bulletproof. Easy to comprehend, even for our junior NOC folks. Admittedly, no NAT, but very good at everything we've asked it to do.

pt

From p.mayers at imperial.ac.uk Tue Oct 14 12:42:33 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Tue, 14 Oct 2008 17:42:33 +0100
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <48F4CBF9.9070405@imperial.ac.uk>

Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.

We use MPLS on 6500s (but not NAT - ugh). It works fine. No real surprises. There's no VPLS support.
Someone else has already mentioned the EoMPLS being port-based (or sub-int based, which if you have SXH and above you can combine with other non-EoMPLS SVIs on the port)

From euang+cisco-nsp at lists.eusahues.co.uk Tue Oct 14 11:56:54 2008
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Tue, 14 Oct 2008 16:56:54 +0100
Subject: [c-nsp] ip flow egress on c76k
In-Reply-To: <6b546c750810140811n453fde85r95388c3667482a83@mail.gmail.com>
References: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com> <6b546c750810140811n453fde85r95388c3667482a83@mail.gmail.com>
Message-ID: <20081014155654.GA16333@hyperion.eusahues.co.uk>

On Tue, Oct 14, 2008 at 05:11:58PM +0200, Zorg 421 wrote:
> Do you mean an mls command for egress netflow? It seems SRB and later
> changed the behaviour a bit; ip flow ingress and egress should also
> configure the MSFC
>
> http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SR/configuration/guide/nde.html#wp1131066

ip flow egress isn't mentioned in that document.

http://puck.nether.net/pipermail/cisco-nsp/2008-April/049938.html

--
Euan Galloway

From peter at rathlev.dk Tue Oct 14 13:41:34 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Tue, 14 Oct 2008 19:41:34 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <1224006094.29436.4.camel@abehat>

On Tue, 2008-10-14 at 17:20 +0100, Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.

We also have very good experience with 6500/Sup720-3B. We have a dozen or so acting as PE units. We've had no problems with them, using SXF for several years. We don't use NAT though. Just MPLS L3VPN and port based EoMPLS.

Steady as rocks, even/especially the old ones (HW rev 2.1). Much better experience with these than 7600s with SRB{,1} regarding "just working" with a simple setup.
:-)

Regards,
Peter

From CB at nianet.dk Tue Oct 14 13:57:41 2008
From: CB at nianet.dk (Christian Bering)
Date: Tue, 14 Oct 2008 19:57:41 +0200
Subject: [c-nsp] 6500 and MPLS
References: <1224006094.29436.4.camel@abehat>
Message-ID:

Hi,

> Much better experience with these than 7600s with SRB{,1} regarding
> "just working" with a simple setup. :-)

Agreed. But to be fair, SRB4 seems rock solid for us so far.

--
Regards
Christian Bering

From lists at memetic.org Tue Oct 14 13:37:43 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 14 Oct 2008 18:37:43 +0100
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <48F4D8E7.7010908@memetic.org>

Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.
>
> Thanks.

I have a lot of 7600s (pretty much a 6500) and 6524s. They're great for pseudowires and layer 3 VPNs.

Don't do NAT on them. They don't like it very much.

adam.

From lists at memetic.org Tue Oct 14 14:20:03 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 14 Oct 2008 19:20:03 +0100
Subject: [c-nsp] Basic MPLS 7200
In-Reply-To:
References:
Message-ID: <48F4E2D3.4020307@memetic.org>

Gary Roberton wrote:
> I want to put together a basic 7206 for MPLS. Anyone got a build handy that
> they have used? I am just after Chassis, IOS, memory, not interfaces.

I'd only recommend the 7206vxr + NPE-G1 or 7206vxr + NPE-G2

Choice is between 3 Cu/GBIC and 1Mpps and 4 Cu/SFP and 2Mpps

adam.

From icox at cisco.com Tue Oct 14 14:55:01 2008
From: icox at cisco.com (Ian Cox)
Date: Tue, 14 Oct 2008 11:55:01 -0700
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <48F4EB05.3080209@cisco.com>

NAT is not supported in VRFs on Supervisor 720, VRF-Lite or PE. If you need NAT for VRFs then please use either a firewall module, or an external NAT appliance Firewall/ASR1000/7200 to provide the NAT functionality.
Ian

Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.
>
> Thanks.
>
> Gary

From rubensk at gmail.com Tue Oct 14 15:09:27 2008
From: rubensk at gmail.com (Rubens Kuhl Jr.)
Date: Tue, 14 Oct 2008 17:09:27 -0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <6bb5f5b10810141209p2ef761f5n5ef11268a50191ea@mail.gmail.com>

Our gear is mostly 6524s. Layer 3 VPNs are rock solid (but we were lucky enough not to use SXH3 and its ghost route bug), very few Layer 2 VPNs due to MTU limitations we are only now removing. No NAT on 6524s.

When a customer requires NAT, we deploy CPE-based NAT; many customers already have NAT/firewalling on their Linux boxes or SOHO routers and are not willing to pay for managed security services, so the demand for NAT is very limited.

Rubens

On Tue, Oct 14, 2008 at 2:20 PM, Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)? If so, what are the pros and cons you have
> experienced.
>
> Thanks.
>
> Gary

From gert at greenie.muc.de Tue Oct 14 15:20:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 14 Oct 2008 21:20:19 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References:
Message-ID: <20081014192019.GP8535@greenie.muc.de>

Hi,

On Tue, Oct 14, 2008 at 05:20:59PM +0100, Gary Roberton wrote:
> Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> duties (including NAT)?
> If so, what are the pros and cons you have
> experienced.

PE yes, NAT no. Works. Sup720-3B or better - no MPLS with Sup1 or Sup2.

(The usual caveats apply, regarding 6500/7600 and Cisco BUs that should be making you a happy customer but are preferring to fight other BUs instead. To hell with them all.)

gert
--
USENET is *not* the non-clickable part of WWW!                                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Tue Oct 14 15:22:15 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Tue, 14 Oct 2008 21:22:15 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: <48F4C853.50103@templin.org>
References: <48F4C853.50103@templin.org>
Message-ID: <20081014192215.GQ8535@greenie.muc.de>

Hi,

On Tue, Oct 14, 2008 at 09:26:59AM -0700, Pete Templin wrote:
> A few minor rules (EoMPLS has to be on the port, not on a VLAN),

VLAN mode EoMPLS works fine, as long as that VLAN number is not used for other purposes in the box. The usual problem of "it's a switch". (VLAN IDs have global significance, and can not be defined as 'vlan n' when used as subif 'encaps dot1q n').

With SXH, you can even mix and match routed/bridged VLANs and EoMPLS subifs on the same port - search for "mux-uni" in the release notes.

gert
--
USENET is *not* the non-clickable part of WWW!                                //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From lists at memetic.org Tue Oct 14 16:23:21 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 14 Oct 2008 21:23:21 +0100
Subject: [c-nsp] Basic MPLS 7200
In-Reply-To: <48F4E2D3.4020307@memetic.org>
References: <48F4E2D3.4020307@memetic.org>
Message-ID: <48F4FFB9.4050808@memetic.org>

Adam Armstrong wrote:
> Gary Roberton wrote:
>> I want to put together a basic 7206 for MPLS. Anyone got a build
>> handy that
>> they have used? I am just after Chassis, IOS, memory, not interfaces.
>>
> I'd only recommend the 7206vxr + NPE-G1 or 7206vxr + NPE-G2
>
> Choice is between 3 Cu/Gbic and 1Mpps and 4 Cu/SFP and 2Mpps

Oh, and 7201 if you don't need extra interfaces. Or 7301.

7201 is a 1U NPE-G2 (4x Cu/SFP) and 7301 is a 1U NPE-G1 (3x Cu/GBIC).

adam.

From c at tix.at Tue Oct 14 16:37:13 2008
From: c at tix.at (Christoph Loibl)
Date: Tue, 14 Oct 2008 22:37:13 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: <20081014192215.GQ8535@greenie.muc.de>
References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de>
Message-ID:

Hi Gert,

On Oct 14, 2008, at 9:22 PM, Gert Doering wrote:
> On Tue, Oct 14, 2008 at 09:26:59AM -0700, Pete Templin wrote:
>> A few minor rules (EoMPLS has to be on the port, not on a VLAN),
>
> VLAN mode EoMPLS works fine, as long as that VLAN number is not used
> for other purposes in the box. The usual problem of "it's a switch".

When I configure something like this on a sup720-3bxl (with only LAN interfaces like WS-6704-10GE or WS-6724-xx facing the MPLS-Core + some variant of SXFxx software running):

vlan 23

int vlan 23
 xconnect 1.2.3.4 5 enc mpls

This pops up in my log:

Oct 14 20:25:18 UTC: %C6K_MPLS_COMMON-3-L3_CONFIG_NOT_RECOMMENDED: LAN interfaces have MPLS configured. Do not configure xconnect on interface vlans.

I actually did not try whether it still works or not. But at least it makes me worry...
Is this what you meant by Vlan mode EoMPLS or did you mean the subinterface thingy (which definitely works)? int gi2/10.23 enc dot1q 23 xconnect 1.2.3.4 5 enc mpls Stoffi -- CHRISTOPH LOIBL ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ mailto:c at tix.at |No trees were killed in the creation of this message. http://www.sil.at |However, many electrons were terrible inconvenienced. CL8-RIPE ++++++++++++++++++++++++++++++++++++ PGP-Key-ID: 0x4B2C0055 +++ From peter at rathlev.dk Tue Oct 14 17:02:21 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Tue, 14 Oct 2008 23:02:21 +0200 Subject: [c-nsp] 6500 and MPLS In-Reply-To: References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> Message-ID: <1224018141.31143.4.camel@abehat> On Tue, 2008-10-14 at 22:37 +0200, Christoph Loibl wrote: > When I configure something like this on a sup720-3bxl (with only LAN > interfaces like WS-6704-10GE or WS-6724-xx facing the MPLS-Core + some > variant of SXFxx software running): > > vlan 23 > > int vlan 23 > xconnect 1.2.3.4 5 enc mpls > > This pops up in my log: > > Oct 14 20:25:18 UTC: %C6K_MPLS_COMMON-3-L3_CONFIG_NOT_RECOMMENDED: LAN > interfaces have MPLS configured. Do not configure xconnect on > interface vlans. This would be SVI mode "EoMPLS", where one would expect local switching. Remember that "interface Vlan1005" isn't the same as "vlan 1005". It would be VERY nice if the PFC3 could do this, but unfortunately it can't. You need more expensive equipment for that. :-) > I actually did not try whether it still works or not. But at least it > makes me worry... Is this what you meant by Vlan mode EoMPLS or did > you mean the subinterface thingy (which definitely works)? > > int gi2/10.23 > enc dot1q 23 > xconnect 1.2.3.4 5 enc mpls This is VLAN mode EoMPLS. The PFC3 supports this and (physical) port mode. 
Regards, Peter From RTeller at deltadentalwa.com Tue Oct 14 17:16:22 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 14 Oct 2008 14:16:22 -0700 Subject: [c-nsp] Wireless Spectrum Analyzers Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01573@tiger.deltadentalwa.com> I am getting ready to deploy a wireless networking and was curious which spectrum analyzer people have had better luck with. I will be using 4402 WCS (With the location software add-on) and 1131AG lwapp. It looks like the Cisco spectrum analyzer integrates with the WCS but I'm not sure how user friendly it will be. I was also considering fluke's spectrum analyzer. Any recommendations for one over the other? ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. ######################################################### From asturluismi at gmail.com Tue Oct 14 18:38:03 2008 From: asturluismi at gmail.com (luismi) Date: Wed, 15 Oct 2008 00:38:03 +0200 Subject: [c-nsp] Strange bug doing telnet to a switch Message-ID: <1224023883.12653.2.camel@dsba-ipso> Every time I do telnet I obtain the same result. Is there anyone here with some similar experience? $ telnet sw1 Trying 10.10.10.156... Connected to sw1.hispasat.local. Escape character is '^]'. 
peed 100 duplex full no cdp e User Access Verification Username: From RTeller at deltadentalwa.com Tue Oct 14 18:47:49 2008 From: RTeller at deltadentalwa.com (Teller, Robert) Date: Tue, 14 Oct 2008 15:47:49 -0700 Subject: [c-nsp] Strange bug doing telnet to a switch In-Reply-To: <1224023883.12653.2.camel@dsba-ipso> References: <1224023883.12653.2.camel@dsba-ipso> Message-ID: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01580@tiger.deltadentalwa.com> What is in your banner for that switch? -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: Tuesday, October 14, 2008 3:38 PM To: cisco-nsp at puck.nether.net Subject: [c-nsp] Strange bug doing telnet to a switch Every time I do telnet I obtain the same result. Is there anyone here with some similar experience? $ telnet sw1 Trying 10.10.10.156... Connected to sw1.hispasat.local. Escape character is '^]'. peed 100 duplex full no cdp e User Access Verification Username: _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ######################################################### The information contained in this e-mail and subsequent attachments may be privileged, confidential and protected from disclosure. This transmission is intended for the sole use of the individual and entity to whom it is addressed. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this message in error, please e-mail the sender at the above e-mail address. 
######################################################### From ddunkin at netos.net Tue Oct 14 18:51:23 2008 From: ddunkin at netos.net (Darryl Dunkin) Date: Tue, 14 Oct 2008 15:51:23 -0700 Subject: [c-nsp] Strange bug doing telnet to a switch References: <1224023883.12653.2.camel@dsba-ipso> Message-ID: <56F5BC5F404CF84896C447397A1AAF2094312D@MAIL.nosi.netos.com> It is likely someone pasted a configuration improperly. You probably have a banner section in the config like this: banner motd ^C peed 100 duplex full no cdp e ^C Run a 'no banner motd' in config mode to clear the banner. -----Original Message----- From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi Sent: Tuesday, October 14, 2008 15:38 To: cisco-nsp at puck.nether.net Subject: [c-nsp] Strange bug doing telnet to a switch Every time I do telnet I obtain the same result. Is there anyone here with some similar experience? $ telnet sw1 Trying 10.10.10.156... Connected to sw1.hispasat.local. Escape character is '^]'. peed 100 duplex full no cdp e User Access Verification Username: _______________________________________________ cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ From asturluismi at gmail.com Tue Oct 14 19:02:27 2008 From: asturluismi at gmail.com (luismi) Date: Wed, 15 Oct 2008 01:02:27 +0200 Subject: [c-nsp] Strange bug doing telnet to a switch In-Reply-To: <56F5BC5F404CF84896C447397A1AAF2094312D@MAIL.nosi.netos.com> References: <1224023883.12653.2.camel@dsba-ipso> <56F5BC5F404CF84896C447397A1AAF2094312D@MAIL.nosi.netos.com> Message-ID: <1224025347.12653.5.camel@dsba-ipso> Yeah! it was the banner!! xDDDDDDDDDDD Too late for me now, go to bed now, I need to sleep. Thanks all for the fast replies. :-) El mar, 14-10-2008 a las 15:51 -0700, Darryl Dunkin escribi?: > It is likely someone pasted a configuration improperly. 
>
> You probably have a banner section in the config like this:
> banner motd ^C
> peed 100
> duplex full
> no cdp e
> ^C
>
> Run a 'no banner motd' in config mode to clear the banner.
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of luismi
> Sent: Tuesday, October 14, 2008 15:38
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Strange bug doing telnet to a switch
>
> Every time I do telnet I obtain the same result.
>
> Is there anyone here with some similar experience?
>
> $ telnet sw1
> Trying 10.10.10.156...
> Connected to sw1.hispasat.local.
> Escape character is '^]'.
> peed 100
> duplex full
> no cdp e
> User Access Verification
>
> Username:
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From danletkeman at gmail.com Tue Oct 14 19:53:47 2008
From: danletkeman at gmail.com (Dan Letkeman)
Date: Tue, 14 Oct 2008 18:53:47 -0500
Subject: [c-nsp] route-map ftp connection
Message-ID: 

Hello,

I have a route-map on my 2811 router that sets the next hop for ftp traffic:

route-map inet permit 100
 match ip address ftp
 set ip next-hop 192.168.11.101

The access list looks like this:

1 permit tcp any any eq ftp
2 permit tcp any any eq ftp-data
3 deny ip any any

This seems to work well for active ftp connections but passive ftp connections don't seem to make a connection. Is there something else I can do to make this work with passive ftp connections?

Thanks,
Dan.
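The difference between the access lists discussed in this thread (Dan's "eq ftp" / "eq ftp-data" list above, and the "gt 1024" and host-scoped alternatives in Darryl Dunkin's reply that follows) is easiest to see by evaluating them against concrete flows. The Python below is an added example, not code from the thread or from Cisco: it parses the three lists with first-match semantics and an implicit deny, the way a route-map consults an IOS extended ACL, and reports where each sample flow is steered. The client and server addresses (10.0.0.5, 198.51.100.10, 203.0.113.7), the PASV data port 51234 and the unrelated 8443 connection are constructed for the illustration; the next hop 192.168.11.101 is the one from Dan's route-map.

```python
"""Added example (not from the thread): which TCP flows does a PBR route-map
steer under each of the three ACL variants discussed here?"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

PORT_NAMES = {"ftp": 21, "ftp-data": 20}    # IOS keywords used in the thread
NEXT_HOP = "192.168.11.101"                   # 'set ip next-hop' from the route-map

# Constructed sample endpoints; assumptions, not taken from the thread.
CLIENT, FTP_SERVER, OTHER_HOST = "10.0.0.5", "198.51.100.10", "203.0.113.7"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str                          # "permit" or "deny"
    src: str                             # "any" or "host a.b.c.d"
    dst: str
    port_op: Optional[Tuple[str, int]]   # ("eq", 21), ("gt", 1024) or None


def parse_ace(line: str) -> Ace:
    """Parse one extended-ACL line such as '2 permit tcp any any eq ftp-data'."""
    toks = line.split()
    if toks and toks[0].isdigit():       # leading IOS sequence number
        toks = toks[1:]
    action, proto = toks[0], toks[1]
    if action not in ("permit", "deny") or proto not in ("tcp", "ip"):
        raise ValueError(f"unsupported ACE: {line}")
    i, addrs = 2, []
    for _ in range(2):                   # source address, then destination
        if toks[i] == "any":
            addrs.append("any")
            i += 1
        elif toks[i] == "host":
            addrs.append(f"host {toks[i + 1]}")
            i += 2
        else:
            raise ValueError(f"unsupported address spec in: {line}")
    port_op = None
    if i < len(toks):                    # optional destination-port operator
        op, port = toks[i], toks[i + 1]
        port_op = (op, PORT_NAMES.get(port) or int(port))
    return Ace(action, addrs[0], addrs[1], port_op)


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(spec.split()[1]) == ip_address(addr)


def _port_match(op: Optional[Tuple[str, int]], port: int) -> bool:
    if op is None:
        return True
    name, value = op
    return {"eq": port == value, "gt": port > value, "lt": port < value}[name]


def acl_permits(acl: List[Ace], flow: Flow) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for ace in acl:
        if (_addr_match(ace.src, flow.src) and _addr_match(ace.dst, flow.dst)
                and _port_match(ace.port_op, flow.dport)):
            return ace.action == "permit"
    return False


def next_hop(acl: List[Ace], flow: Flow) -> Optional[str]:
    """Policy next hop for a flow, or None when it is routed normally."""
    return NEXT_HOP if acl_permits(acl, flow) else None


DAN_ACL = [parse_ace(l) for l in (
    "1 permit tcp any any eq ftp",
    "2 permit tcp any any eq ftp-data",
    "3 deny ip any any")]
LOOSE_ACL = [parse_ace(l) for l in (
    "permit tcp any any eq ftp",
    "permit tcp any any gt 1024")]
SCOPED_ACL = [parse_ace(l) for l in (
    f"permit tcp any host {FTP_SERVER} eq ftp",
    f"permit tcp any host {FTP_SERVER} gt 1024")]

# Constructed flows: the FTP control channel, a PASV data channel the server
# announced on port 51234, and two unrelated connections to another host.
FLOWS = {
    "ftp-control": Flow(CLIENT, FTP_SERVER, 21),
    "pasv-data":   Flow(CLIENT, FTP_SERVER, 51234),
    "https":       Flow(CLIENT, OTHER_HOST, 443),
    "other-8443":  Flow(CLIENT, OTHER_HOST, 8443),
}


def steering_report(acl: List[Ace]) -> Dict[str, Optional[str]]:
    return {name: next_hop(acl, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("dan", DAN_ACL), ("gt 1024", LOOSE_ACL), ("host-scoped", SCOPED_ACL)):
        print(label, steering_report(acl))
```

With Dan's list the PASV data connection to port 51234 never hits the route-map, which is why it fails over normal routing. The "gt 1024" list fixes that but also steers the unrelated 8443 connection to 192.168.11.101, the mis-matching Darryl's reply warns about; restricting the entries to the FTP server's address steers the PASV channel and nothing else.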
From ddunkin at netos.net Tue Oct 14 20:24:26 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Tue, 14 Oct 2008 17:24:26 -0700
Subject: [c-nsp] route-map ftp connection
Message-ID: <56F5BC5F404CF84896C447397A1AAF20943143@MAIL.nosi.netos.com>

This is a good reference for matching active vs passive FTP connections:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#passiveftp

Basically:
permit tcp any any eq ftp
permit tcp any any gt 1024

However, this has the potential to grab traffic destined to other ports that is not FTP traffic (if you can stand some mis-matching, this is acceptable). It would be safer if you knew the destination FTP server to specify it instead:
permit tcp any host a.b.c.d eq ftp
permit tcp any host a.b.c.d gt 1024

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Dan Letkeman
Sent: Tuesday, October 14, 2008 16:54
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] route-map ftp connection

Hello,

I have a route-map on my 2811 router that sets the next hop for ftp traffic:

route-map inet permit 100
 match ip address ftp
 set ip next-hop 192.168.11.101

The access list looks like this:

1 permit tcp any any eq ftp
2 permit tcp any any eq ftp-data
3 deny ip any any

This seems to work well for active ftp connections but passive ftp connections don't seem to make a connection. Is there something else I can do to make this work with passive ftp connections?

Thanks,
Dan.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From mksmith at adhost.com Tue Oct 14 21:09:19 2008
From: mksmith at adhost.com (Michael K. Smith)
Date: Tue, 14 Oct 2008 18:09:19 -0700
Subject: [c-nsp] will L2TP break Kerberos?
In-Reply-To: <48F4799E.3050907@gmail.com>
Message-ID: 

Hello:

On 10/14/08 3:51 AM, "Rogelio" wrote:
> Will Kerberos break if it goes through an L2TP tunnel?
>
> I have these handheld wireless devices that currently talk Kerberos
> back to a Symbol access point. I'm looking to replace these Symbol
> units with BelAir access points.
>
> These BelAir access points will L2TP tunnel back to a central Cisco
> router so that I can manage all of these handheld wireless devices with
> one DHCP and one RADIUS server.
>
> In theory, I would think that L2TP tunneling works fine (the only
> difference being that your pipe gets smaller as you go across a WAN), but I
> was hoping to get some feedback from others here before I put this in
> production.
>
> (I'm a little gun shy b/c I've seen things like NAT break IPsec)

The main issue, AFAIK, is NAT translation, which is a no-no for Kerberos. As long as you are going native IP to IP, even if they are RFC 1918, Kerberos should work fine. However, if you need to NAT it anywhere on either side of the tunnel, it will fail.

Regards,

Mike

From mtinka at globaltransit.net Tue Oct 14 21:11:24 2008
From: mtinka at globaltransit.net (Mark Tinka)
Date: Wed, 15 Oct 2008 09:11:24 +0800
Subject: [c-nsp] Basic MPLS 7200
In-Reply-To: <48F4E2D3.4020307@memetic.org>
References: <48F4E2D3.4020307@memetic.org>
Message-ID: <200810150911.25019.mtinka@globaltransit.net>

On Wednesday 15 October 2008 02:20:03 Adam Armstrong wrote:
> ...and 4 Cu/SFP and
> 2Mpps

The NPE-G2, like the NPE-G1, has only 3x copper/SFP transit interfaces.

It's the 7201 with 4x.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: 

From rlucas at nz1.ibm.com Tue Oct 14 21:19:12 2008
From: rlucas at nz1.ibm.com (Raymond Lucas)
Date: Wed, 15 Oct 2008 14:19:12 +1300
Subject: [c-nsp] AUTO: Raymond Lucas is out of the office.
(returning 27/10/2008) Message-ID: I am out of the office until 27/10/2008. I am on training until Friday the 17th and will be responding to email. After that I will be on leave, returning on Monday the 27th. Note: This is an automated response to your message "cisco-nsp Digest, Vol 71, Issue 46" sent on 15/10/08 12:02:35. This is the only notification you will receive while this person is away. From dwinkworth at att.net Tue Oct 14 21:41:04 2008 From: dwinkworth at att.net (Derick Winkworth) Date: Tue, 14 Oct 2008 20:41:04 -0500 Subject: [c-nsp] Basic MPLS 7200 In-Reply-To: <200810150911.25019.mtinka@globaltransit.net> References: <48F4E2D3.4020307@memetic.org> <200810150911.25019.mtinka@globaltransit.net> Message-ID: <48F54A30.5090604@att.net> Don't these interfaces share a controller? So they are 3-to-1 oversubscribed on the NPE??? Mark Tinka wrote: > On Wednesday 15 October 2008 02:20:03 Adam Armstrong wrote: > > >> ...and 4 Cu/SFP and >> 2Mpps >> > > The NPE-G2, like the NPE-G1, has only 3x copper/SFP transit > interfaces. > > It's the 7201 with 4x. > > Cheers, > > Mark. > > ------------------------------------------------------------------------ > > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ > ------------------------------------------------------------------------ > > > No virus found in this incoming message. 
> Checked by AVG - http://www.avg.com
> Version: 8.0.173 / Virus Database: 270.8.0/1724 - Release Date: 10/14/2008 2:02 AM
>

From ben.steele at internode.on.net Tue Oct 14 23:12:14 2008
From: ben.steele at internode.on.net (Ben Steele)
Date: Wed, 15 Oct 2008 13:42:14 +1030
Subject: [c-nsp] Explanation on mls aging timer affects
Message-ID: <000601c92e73$d38e12b0$7aaa3810$@steele@internode.on.net>

Hi All,

Recently I changed some mls aging timers to a fairly aggressive (low) setting to fix a TCAM threshold issue we were hitting which was breaking netflow creation/export.

I understand the different timers and how they affect the length of time a flow will stay in TCAM but I'm curious as to the possible negative side effects caused by having low timers with netflow (or anything else for that matter)? Would it just result in more flows being generated?

This is what I'm currently running:

mls aging fast time 5 threshold 32
mls aging long 300
mls aging normal 60

TCAM utilization is sitting nice at around 10-20% with these values, default had it hitting upwards of 90%+

Cheers

Ben

From gert at greenie.muc.de Wed Oct 15 01:45:53 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Wed, 15 Oct 2008 07:45:53 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: 
References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de>
Message-ID: <20081015054552.GU8535@greenie.muc.de>

Hi,

On Tue, Oct 14, 2008 at 10:37:13PM +0200, Christoph Loibl wrote:
> On Oct 14, 2008, at 9:22 PM, Gert Doering wrote:
> >On Tue, Oct 14, 2008 at 09:26:59AM -0700, Pete Templin wrote:
> >>A few minor rules (EoMPLS has to be on the port, not on a VLAN),
> >
> >VLAN mode EoMPLS works fine, as long as that VLAN number is not used
> >for other purposes in the box. The usual problem of "it's a switch".
>
> When I configure something like this on a sup720-3bxl (with only LAN
> interfaces like WS-6704-10GE or WS-6724-xx facing the MPLS-Core + some
> variant of SXFxx software running):
>
> vlan 23
>
> int vlan 23
> xconnect 1.2.3.4 5 enc mpls

OK, I misunderstood Pete, regarding "port mode" and "vlan mode" EoMPLS.

What you can do is:

int g3/7
 xconnect 1.2.3.4 5 enc mpls

or

int g3/8
 encaps dot1q 23
 xconnect 1.2.3.4 6 enc mpls

but indeed, configuring EoMPLS on an "int vlan" won't work.

[..]
> I actually did not try whether it still works or not. But at least it
> makes me worry... Is this what you meant by Vlan mode EoMPLS or did
> you mean the subinterface thingy (which definitely works)?
>
> int gi2/10.23
> enc dot1q 23
> xconnect 1.2.3.4 5 enc mpls

This is what I had in mind.

sorry for the confusion,

gert

-- 
USENET is *not* the non-clickable part of WWW! //www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL: 

From ulises.alonso at gmail.com Wed Oct 15 02:41:28 2008
From: ulises.alonso at gmail.com (Ulises Alonso)
Date: Wed, 15 Oct 2008 07:41:28 +0100
Subject: [c-nsp] RSTP/MSTP convergence time
Message-ID: 

Hi

I found it hard to find online references of RSTP/MSTP convergence time (when not interacting with STP)

I'm interested in how to calculate or estimate it for a given topology

Can somebody give pointers to docs or books?
Thanks in advance Ulises From andy.saykao at staff.netspace.net.au Wed Oct 15 02:22:33 2008 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Wed, 15 Oct 2008 17:22:33 +1100 Subject: [c-nsp] Strange Radius Debug seen with SB Release Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365497A@vic-cr-ex1.staff.netspace.net.au> Hi All, I'm doing some testing with the SB release of 12.2(31)SB13 on a 7301 that we plan to put into production to terminate L2TP connections for our MPLS VPN customers. The SB release was chosen because it has the LSP Ping and Traceroute command which is required if we want to take full advantage of Cisco's MPLS Diagnostics Expert software. What I've found is that when I debug radius no Framed-Route and Framed-IP-Address are being sent in the start packet of the radius accounting packet. When I reload the 7301 with an IOS we use in production (12.3(14)T7) , the Framed-Route and Framed-IP-Address are included in the start packet. Is this the desired behaviour of the SB release??? Below are the debugs taken with the different IOS. Using 12.2(31)SB13: *Oct 15 11:54:00.720 AEST: RADIUS(0000000C): Received from id 21646/1 *Oct 15 11:54:00.740 AEST: RADIUS/ENCODE(0000000C):Orig. 
component type = PPoE *Oct 15 11:54:00.740 AEST: RADIUS/ENCODE(0000000C): Acct-session-id pre-pended with Nas Port = 0/0/1/21 *Oct 15 11:54:00.740 AEST: RADIUS(0000000C): Config NAS IP: 203.17.101.50 *Oct 15 11:54:00.740 AEST: RADIUS(0000000C): sending *Oct 15 11:54:00.740 AEST: RADIUS(0000000C): Send Accounting-Request to 203.10.110.74:1646 id 21646/2, len 200 *Oct 15 11:54:00.740 AEST: RADIUS: authenticator 5B 5A 8A E3 C2 3D C2 17 - A4 9D 6A 3D 45 80 4A C4 *Oct 15 11:54:00.740 AEST: RADIUS: Acct-Session-Id [44] 19 "0/0/1/21_00000002" *Oct 15 11:54:00.740 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1] *Oct 15 11:54:00.740 AEST: RADIUS: User-Name [1] 22 "mplstest at dbtest@adsl" *Oct 15 11:54:00.740 AEST: RADIUS: Vendor, Cisco [26] 32 *Oct 15 11:54:00.740 AEST: RADIUS: Cisco AVpair [1] 26 "connect-progress=Call Up" *Oct 15 11:54:00.744 AEST: RADIUS: Acct-Authentic [45] 6 RADIUS [1] *Oct 15 11:54:00.744 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1] *Oct 15 11:54:00.744 AEST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15] *Oct 15 11:54:00.744 AEST: RADIUS: NAS-Port [5] 6 16777237 *Oct 15 11:54:00.744 AEST: RADIUS: NAS-Port-Id [87] 10 "0/0/1/21" *Oct 15 11:54:00.744 AEST: RADIUS: Vendor, Cisco [26] 41 *Oct 15 11:54:00.744 AEST: RADIUS: Cisco AVpair [1] 35 "client-mac-address=fa00.0008.0802" *Oct 15 11:54:00.744 AEST: RADIUS: Connect-Info [77] 8 "NSTEST" *Oct 15 11:54:00.744 AEST: RADIUS: Service-Type [6] 6 Framed [2] *Oct 15 11:54:00.744 AEST: RADIUS: NAS-IP-Address [4] 6 203.17.101.50 *Oct 15 11:54:00.744 AEST: RADIUS: Acct-Delay-Time [41] 6 0 *Oct 15 11:54:00.744 AEST: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up *Oct 15 11:54:00.868 AEST: RADIUS: Received from id 21646/2 203.10.110.74:1646, Accounting-response, len 20 *Oct 15 11:54:00.868 AEST: RADIUS: authenticator CB 94 DA 84 96 FE 18 FC - 8C 1B 71 4D 9E E6 52 AB *Oct 15 11:54:01.744 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up Using 12.3(14)T7: Oct 15 
11:47:01.594 AEST: RADIUS/ENCODE(00000004):Orig. component type = PPoE Oct 15 11:47:01.594 AEST: RADIUS/ENCODE(00000004): Acct-session-id pre-pended with Nas Port = 0/0/1/21 Oct 15 11:47:01.594 AEST: RADIUS(00000004): Config NAS IP: 203.17.101.50 Oct 15 11:47:01.594 AEST: RADIUS(00000004): sending Oct 15 11:47:01.594 AEST: RADIUS(00000004): Send Accounting-Request to 203.10.110.74:1646 id 21646/5, len 253 Oct 15 11:47:01.594 AEST: RADIUS: authenticator F5 40 CD 3D 39 CC A8 A9 - E9 75 78 4E 0E 10 9B 03 Oct 15 11:47:01.594 AEST: RADIUS: Acct-Session-Id [44] 19 "0/0/1/21_00000005" Oct 15 11:47:01.594 AEST: RADIUS: Vendor, Cisco [26] 41 Oct 15 11:47:01.594 AEST: RADIUS: Cisco AVpair [1] 35 "client-mac-address=fa00.0008.0802" Oct 15 11:47:01.594 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1] Oct 15 11:47:01.594 AEST: RADIUS: Framed-Route [22] 52 "vrf NSTEST 192.168.1.0 255.255.255.0 203.17.103.50" Oct 15 11:47:01.594 AEST: RADIUS: Framed-IP-Address [8] 6 203.17.103.50 Oct 15 11:47:01.594 AEST: RADIUS: User-Name [1] 22 "mplstest at dbtest@adsl" Oct 15 11:47:01.594 AEST: RADIUS: Vendor, Cisco [26] 35 Oct 15 11:47:01.594 AEST: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up" Oct 15 11:47:01.594 AEST: RADIUS: Acct-Authentic [45] 6 RADIUS [1] Oct 15 11:47:01.594 AEST: RADIUS: Acct-Status-Type [40] 6 Start [1] Oct 15 11:47:01.594 AEST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15] Oct 15 11:47:01.594 AEST: RADIUS: NAS-Port [5] 6 16777237 Oct 15 11:47:01.594 AEST: RADIUS: NAS-Port-Id [87] 10 "0/0/1/21" Oct 15 11:47:01.594 AEST: RADIUS: Service-Type [6] 6 Framed [2] Oct 15 11:47:01.594 AEST: RADIUS: NAS-IP-Address [4] 6 203.17.101.50 Oct 15 11:47:01.594 AEST: RADIUS: Acct-Delay-Time [41] 6 0 Oct 15 11:47:01.810 AEST: RADIUS: Received from id 21646/5 203.10.110.74:1646, Accounting-response, len 20 Oct 15 11:47:01.810 AEST: RADIUS: authenticator 74 8F 4E 47 AF 96 4E 67 - E9 C4 33 D9 92 8B B0 8E Oct 15 11:47:02.582 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
Virtual-Access3, changed state to up I've tested this using Radius flat files which places the session into the appropriate VRF and sets up a static route. mplstest Password = "xxxxxx" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 203.17.103.50, Framed-Netmask = 255.255.255.255, cisco-avpair = "lcp:interface-config=ip vrf forwarding NSTEST\nip unnumbered lo100", cisco-avpair = "ip:route=vrf NSTEST 192.168.1.0 255.255.255.0 203.17.103.50" If I remove the cisco-avpair lines referring to the set up of the VRF details for the session from the flat file, the Framed-IP-Address shows up in the radius accounting packet. Given that the debug looks ok when using a different IOS, I'm starting to believe that has something to do with the SB release. When the session is terminated, the stop packet contains the Framed-Route and Framed-IP-Address. Oct 15 11:56:24.473 AEST: RADIUS/ENCODE(0000000D):Orig. component type = PPoE Oct 15 11:56:24.473 AEST: RADIUS/ENCODE(0000000D): Acct-session-id pre-pended with Nas Port = 0/0/1/21 Oct 15 11:56:24.473 AEST: RADIUS(0000000D): Config NAS IP: 203.17.101.50 Oct 15 11:56:24.473 AEST: RADIUS(0000000D): sending Oct 15 11:56:24.473 AEST: RADIUS(0000000D): Send Accounting-Request to 203.10.110.74:1646 id 21646/6, len 457 Oct 15 11:56:24.473 AEST: RADIUS: authenticator 89 89 6D 1B 45 77 20 8B - 9C 45 46 C5 02 F8 AE 2D Oct 15 11:56:24.473 AEST: RADIUS: Acct-Session-Id [44] 19 "0/0/1/21_00000004" Oct 15 11:56:24.473 AEST: RADIUS: Framed-Protocol [7] 6 PPP [1] Oct 15 11:56:24.473 AEST: RADIUS: Framed-Route [22] 52 "vrf NSTEST 192.168.1.0 255.255.255.0 203.17.103.50" Oct 15 11:56:24.473 AEST: RADIUS: Framed-IP-Address [8] 6 203.17.103.50 Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 59 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 53 "ppp-disconnect-cause=Received LCP TERMREQ from peer" Oct 15 11:56:24.473 AEST: RADIUS: User-Name [1] 22 "mplstest at dbtest@adsl" Oct 15 11:56:24.473 AEST: RADIUS: Acct-Authentic [45] 6 
RADIUS [1] Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 35 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 29 "connect-progress=LAN Ses Up" Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 31 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 25 "nas-tx-speed=1000000000" Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 31 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 25 "nas-rx-speed=1000000000" Oct 15 11:56:24.473 AEST: RADIUS: Acct-Session-Time [46] 6 46 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Input-Octets [42] 6 2773 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Output-Octets [43] 6 1340 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Input-Packets [47] 6 45 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Output-Packets [48] 6 29 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Terminate-Cause[49] 6 user-request [1] Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 39 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 33 "disc-cause-ext=PPP Receive Term" Oct 15 11:56:24.473 AEST: RADIUS: Acct-Status-Type [40] 6 Stop [2] Oct 15 11:56:24.473 AEST: RADIUS: NAS-Port-Type [61] 6 Ethernet [15] Oct 15 11:56:24.473 AEST: RADIUS: NAS-Port [5] 6 16777237 Oct 15 11:56:24.473 AEST: RADIUS: NAS-Port-Id [87] 10 "0/0/1/21" Oct 15 11:56:24.473 AEST: RADIUS: Vendor, Cisco [26] 41 Oct 15 11:56:24.473 AEST: RADIUS: Cisco AVpair [1] 35 "client-mac-address=fa00.0008.0802" Oct 15 11:56:24.473 AEST: RADIUS: Connect-Info [77] 8 "NSTEST" Oct 15 11:56:24.473 AEST: RADIUS: Service-Type [6] 6 Framed [2] Oct 15 11:56:24.473 AEST: RADIUS: NAS-IP-Address [4] 6 203.17.101.50 Oct 15 11:56:24.473 AEST: RADIUS: Acct-Delay-Time [41] 6 0 Oct 15 11:56:24.489 AEST: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down Oct 15 11:56:24.637 AEST: RADIUS: Received from id 21646/6 203.10.110.74:1646, Accounting-response, len 20 Oct 15 11:56:24.637 AEST: RADIUS: authenticator 14 20 2C BA 26 4E BE 4A - 6B A2 33 43 E8 AC D2 16 Oct 15 11:56:25.489 AEST: %LINEPROTO-5-UPDOWN: Line protocol on Interface 
Virtual-Access3, changed state to down I've spent all day looking for answers but can't find any. I'm just not sure when using the SB release why the start packet would not include these two attributes and if it really matters? Hope somebody can help. Many Thanks. Andy From Reinhold.Fischer at gmx.net Wed Oct 15 03:59:05 2008 From: Reinhold.Fischer at gmx.net (Reinhold Fischer) Date: Wed, 15 Oct 2008 09:59:05 +0200 Subject: [c-nsp] 6500 and MPLS In-Reply-To: <1224018141.31143.4.camel@abehat> References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> <1224018141.31143.4.camel@abehat> Message-ID: <20081015075905.GA5659@susi> On Tue, Oct 14, 2008 at 11:02:21PM +0200, Peter Rathlev wrote: ... > > This would be SVI mode "EoMPLS", where one would expect local switching. > Remember that "interface Vlan1005" isn't the same as "vlan 1005". It > would be VERY nice if the PFC3 could do this, but unfortunately it > can't. You need more expensive equipment for that. :-) > ... A dirty hack can be done to have VLAN-based EoMPLS without expensive cards. Just configure an additional VLAN on the box, assign a port to it and connect this single port in the new VLAN to a port the VLAN for which you want to have VLAN-based EoMPLS with a short cable. Then do PORT mode EoMPLS on this single port. Did not try it myself but according to my SE this is used by some customers. hth reinhold From peter at rathlev.dk Wed Oct 15 04:13:46 2008 From: peter at rathlev.dk (Peter Rathlev) Date: Wed, 15 Oct 2008 10:13:46 +0200 Subject: [c-nsp] 6500 and MPLS In-Reply-To: <20081015075905.GA5659@susi> References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> <1224018141.31143.4.camel@abehat> <20081015075905.GA5659@susi> Message-ID: <1224058426.3378.3.camel@abehat> On Wed, 2008-10-15 at 09:59 +0200, Reinhold Fischer wrote: > A dirty hack can be done to have VLAN-based EoMPLS without > expensive cards. 
Just configure an additional VLAN on the box, > assign a port to it and connect this single port in the new > VLAN to a port the VLAN for which you want to have VLAN-based > EoMPLS with a short cable. > > Then do PORT mode EoMPLS on this single port. Did not try it > myself but according to my SE this is used by some customers. We use this extensively to connect several locations L2 wise across an MPLS core. We use local SVIs, and a loop cable between a trunk port with all the relevant SVIs and a physical xconnect'ed port ending up in another location. It works very well (in SXF at least), but it does waste a lot of physical ports. Since PFC3 EoMPLS is still point-to-point you need 2x2 physical ports for fully redundant connections from A to B, not counting the actual connections. :-| Regards, Peter From c at tix.at Wed Oct 15 04:33:02 2008 From: c at tix.at (Christoph Loibl) Date: Wed, 15 Oct 2008 10:33:02 +0200 Subject: [c-nsp] 6500 and MPLS In-Reply-To: <20081015075905.GA5659@susi> References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> <1224018141.31143.4.camel@abehat> <20081015075905.GA5659@susi> Message-ID: <0D7CBC7A-AA21-456D-9992-1EB7F1CE4902@tix.at> On Oct 15, 2008, at 9:59 AM, Reinhold Fischer wrote: > On Tue, Oct 14, 2008 at 11:02:21PM +0200, Peter Rathlev wrote: > ... >> >> This would be SVI mode "EoMPLS", where one would expect local >> switching. >> Remember that "interface Vlan1005" isn't the same as "vlan 1005". It >> would be VERY nice if the PFC3 could do this, but unfortunately it >> can't. You need more expensive equipment for that. :-) >> > ... > > A dirty hack can be done to have VLAN-based EoMPLS without > expensive cards. Just configure an additional VLAN on the box, > assign a port to it and connect this single port in the new > VLAN to a port the VLAN for which you want to have VLAN-based > EoMPLS with a short cable. Funny that for some features the PFC3 can't do in one-pass Cisco implemented packet "recirculation". 
I wonder whether this can't be done for SVI based EoMPLS as well. Stoffi From techconfig at yahoo.com Wed Oct 15 05:48:10 2008 From: techconfig at yahoo.com (Mark Tech) Date: Wed, 15 Oct 2008 02:48:10 -0700 (PDT) Subject: [c-nsp] GSR not allowing policy map Message-ID: <122265.32759.qm@web44809.mail.sp1.yahoo.com> Hi I have a simple rate limit policy map that I would like to attach to a sub-interface on a port channel however I get the following error: VLAN loadsharing is not enabled, policymap cannot be attached My policy map is as follows: class-map match-any Default_rate_policing_class_map ? match any policy-map 2Mbps_rate_policing_policy ? class Default_rate_policing_class_map ?? police cir 2000000 bc 250000 be 250000 ???? conform-action transmit ???? exceed-action drop then: router(config)#interface Port-channel4.2 router(config-subif)# service-policy input 2Mbps_rate_policing_policy VLAN loadsharing is not enabled, policymap cannot be attached router(config-subif)# service-policy output 2Mbps_rate_policing_policy VLAN loadsharing is not enabled, policymap cannot be attached How can I enable VLAN loadsharing? Regards Mark From techconfig at yahoo.com Wed Oct 15 05:49:32 2008 From: techconfig at yahoo.com (Mark Tech) Date: Wed, 15 Oct 2008 02:49:32 -0700 (PDT) Subject: [c-nsp] IP-VPN CE-PE local pref problem Message-ID: <469966.49198.qm@web44806.mail.sp1.yahoo.com> Sorted, seems there was a rogue rt that was not being imported. All fixed now Thanks for all your help ----- Original Message ---- From: Oliver Boehmer (oboehmer) To: Mark Tech ; Luan Nguyen ; David Freedman ; cisco-nsp at puck.nether.net Sent: Friday, October 3, 2008 10:05:23 AM Subject: RE: [c-nsp] IP-VPN CE-PE local pref problem That's strange... can you show "show ip bgp vpnv4 vrf ipvpn_00000001 ", this shows the resulting vrf BGP table (i.e. 
after import) which might or might not be identical to the "rd" output (however it looks like you're using the same RD on both PEs, so this might not make a difference here). Can you disable soft-reconfiguration inbound from the PE-CE eBGP session and see if it helps?

    oli

Mark Tech <> wrote on Wednesday, October 01, 2008 11:15 AM:

> Hi, thanks for all the suggestions
> I have now changed the route-map and things are looking good.
> 5.14.93.0/24 is the route in question. In PE2, local pref can now be
> seen as 90.
>
> PE1#show ip bgp vpnv4 rd 894:1
> BGP table version is 258, local router ID is 5.14.95.243
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>    Network          Next Hop            Metric LocPrf Weight Path
> Route Distinguisher: 894:1 (default for vrf ipvpn_00000001)
> *> 5.14.89.1/32     0.0.0.0                  0         32768 ?
> *>i5.14.89.2/32     5.14.95.244              0    100      0 ?
> *> 5.14.93.0        5.14.93.222              0    100      0 65535 i
>
> PE2#show ip bgp vpnv4 rd 894:1
> BGP table version is 285, local router ID is 5.14.95.244
> Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
>               r RIB-failure, S Stale
> Origin codes: i - IGP, e - EGP, ? - incomplete
>    Network          Next Hop            Metric LocPrf Weight Path
> Route Distinguisher: 894:1 (default for vrf ipvpn_00000001)
> *>i5.14.89.1/32     5.14.95.243              0    100      0 ?
> *> 5.14.89.2/32     0.0.0.0                  0         32768 ?
> *>i5.14.93.0        5.14.95.243              0    100      0 65535 i
> *                   5.14.93.226              0     90
0 65535 i
> <-------------------------------------------------
>
> ===========================================================
>
> Going on from this, if I now check the routing installed in the vrf
> for 5.14.93.0/24, it seems to be installed in PE1 (with high local
> pref as expected).
>
> PE1#sh ip route vrf ipvpn_00000001
> Routing Table: ipvpn_00000001
>      5.14.89.0/32 is subnetted, 2 subnets
> B       5.14.89.1 is directly connected, 19:44:47, Loopback2
> B       5.14.89.2 [200/0] via 5.14.95.244, 19:43:47
>      5.14.93.0/24 is variably subnetted, 3 subnets, 3 masks
> B       5.14.93.0/24 [20/0] via 5.14.93.222, 00:02:42   <----------------------------------------
> C       5.14.93.220/30 is directly connected, GigabitEthernet3/48
> L       5.14.93.221/32 is directly connected, GigabitEthernet3/48
>
>
> However in PE2, there is no route to 5.14.93.0/24
>
> PE2#sh ip route vrf ipvpn_00000001
> Routing Table: ipvpn_00000001
>      5.14.89.0/32 is subnetted, 2 subnets
> B       5.14.89.1 [200/0] via 5.14.95.243, 00:42:11
> B       5.14.89.2 is directly connected, 19:47:26, Loopback2
>      5.14.93.0/24 is variably subnetted, 2 subnets, 2 masks
> C       5.14.93.224/30 is directly connected, GigabitEthernet3/48
> L       5.14.93.225/32 is directly connected, GigabitEthernet3/48
>
> If I change the local pref in PE2 from 90 to 110 for example, then
> PE2 becomes the primary route and the exact opposite happens, i.e.
> the 5.14.93.0/24 route is installed in PE2 and does not exist in PE1;
> is this normal behaviour?
>
> Regards
>
> Mark
>
> ----- Original Message ----
> From: Luan Nguyen
> To: Mark Tech ; David Freedman ; cisco-nsp at puck.nether.net
> Sent: Tuesday, September 30, 2008 8:03:38 PM
> Subject: RE: [c-nsp] IP-VPN CE-PE local pref problem
>
>
> Try changing the route-map to:
>
> route-map ipvpn_00000001 permit 10
>  set extcommunity soo 894:1
>  set local-preference 90
>
> instead of:
>
> route-map ipvpn_00000001 permit 10
>  set extcommunity soo 894:1
>
> route-map ipvpn_00000001 permit 20
>  set local-preference 90
>
> Luan
>
> ----------------------------------------------------------------------------
> Luan Nguyen
> Senior Network Engineer
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
> ----------------------------------------------------------------------------
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Tech
> Sent: Tuesday, September 30, 2008 2:55 PM
> To: David Freedman; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem
>
> Here you go
>
> PE1#sh ip bgp vpnv4 rd 894:1 5.14.93.0
> BGP routing table entry for 894:1:5.14.93.0/24, version 222
> Paths: (3 available, best #2, table ipvpn_00000001)
>   Advertised to update-groups:
>      1
>   65535
>     5.14.95.244 (metric 11) from 5.14.95.244 (5.14.95.244)
>       Origin IGP, metric 0, localpref 100, valid, internal
>       Extended Community: SoO:894:1 RT:894:2
>       mpls labels in/out 26/23
>   65535
>     5.14.93.222 from 5.14.93.222 (5.14.93.253)
>       Origin IGP, metric 0, localpref 100, valid, external, best
>       Extended Community: SoO:894:1 RT:894:2
>       mpls labels in/out 26/nolabel
>   65535, (received-only)
>     5.14.93.222 from 5.14.93.222 (5.14.93.253)
>
>       Origin IGP, metric 0, localpref 100, valid, external
>       mpls labels in/out 26/nolabel
>
>
> PE2#sh ip bgp vpnv4 rd 894:1 5.14.93.0
> BGP routing table entry for 894:1:5.14.93.0/24, version 237
> Paths: (3 available, best #1, table ipvpn_00000001)
>   Advertised to update-groups:
>      1
>   65535
>     5.14.93.226 from 5.14.93.226 (5.14.93.254)
>       Origin IGP, metric 0, localpref 100, valid, external, best
>       Extended Community: SoO:894:1 RT:894:2
>       mpls labels in/out 23/nolabel
>   65535, (received-only)
>     5.14.93.226 from 5.14.93.226 (5.14.93.254)
>       Origin IGP, metric 0, localpref 100, valid, external
>       mpls labels in/out 23/nolabel
>   65535
>     5.14.95.243 (metric 11) from 5.14.95.243 (5.14.95.243)
>       Origin IGP, metric 0, localpref 100, valid, internal
>       Extended Community: SoO:894:1 RT:894:2
>       mpls labels in/out 23/26
>
> inbound route-map from CE2 to PE2
> route-map ipvpn_00000001 permit 10
>  set extcommunity soo 894:1
>
> route-map ipvpn_00000001 permit 20
>  set local-preference 90
> !
>
>
>
> ----- Original Message ----
> From: David Freedman
> To: cisco-nsp at puck.nether.net
> Sent: Tuesday, September 30, 2008 5:51:55 PM
> Subject: Re: [c-nsp] IP-VPN CE-PE local pref problem
>
> can you post "show ip bgp vpnv4 rd x.x.x.x/y" from both PEs ? for
> the prefix in question?
>
> Dave
>
> Mark Tech wrote:
>> Hi
>> I have set up a dual homed IP-VPN network between 2 PE's and 2 CE's
>> using SoO - that's all working fine.
>> I have added an inbound route-map to the 'backup' PE and CE to reduce
>> the local preference in order to make the other PE and CE the
>> preferred gateways.
>>
>> CE1--------PE1 primary
>>                  |
>> CE2--------PE2 backup
>>
>> The CE local pref works fine, however on the PE side, local pref
>> doesn't seem to have any effect, i.e.
>> I have reduced the local pref to 90 on the backup link, however if
>> I check the routing in the backup PE, nothing seems to have changed.
>> Can I just check that local pref actually works across an MP-BGP
>> environment?
>>
>> If so I must be doing something wrong
>>
>> Regards
>>
>> Mark
>>
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>

From euang+cisco-nsp at lists.eusahues.co.uk Wed Oct 15 07:02:54 2008
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Wed, 15 Oct 2008 12:02:54 +0100
Subject: [c-nsp] Strange Radius Debug seen with SB Release
In-Reply-To: <56F211C5E3F24F47B103EA1B253822BE0365497A@vic-cr-ex1.staff.netspace.net.au>
References: <56F211C5E3F24F47B103EA1B253822BE0365497A@vic-cr-ex1.staff.netspace.net.au>
Message-ID: <20081015110254.GA23826@hyperion.eusahues.co.uk>

On Wed, Oct 15, 2008 at 05:22:33PM +1100, Andy Saykao wrote:
> What I've found is that when I debug radius no Framed-Route and
> Framed-IP-Address are being sent in the start packet of the radius
> accounting packet.
> When I reload the 7301 with an IOS we use in
> production (12.3(14)T7), the Framed-Route and Framed-IP-Address are
> included in the start packet. Is this the desired behaviour of the SB
> release???
> If I remove the cisco-avpair lines referring to the set up of the VRF
> details for the session from the flat file, the Framed-IP-Address shows
> up in the radius accounting packet. Given that the debug looks ok when
> using a different IOS, I'm starting to believe that has something to do
> with the SB release.

The fact that you are getting Framed-IP-Address/Route when you don't return the vrf config probably answers my next question, but anyway... delay-start configured (or does it default to it on either version?)?

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_rad_frame_rte.html

"The Framed-Route information is returned in Stop and Interim accounting records and in Start accounting records when accounting Delay-Start is configured."

> I've spent all day looking for answers but can't find any. I'm just not
> sure when using the SB release why the start packet would not include
> these two attributes and if it really matters? Hope somebody can help.

That you get it in the stop is reassuring ;-) At least an indication that it thinks it was using it.

--
Euan Galloway

From csirek at cooler.hu Wed Oct 15 06:25:22 2008
From: csirek at cooler.hu (Nemeth Laszlo)
Date: Wed, 15 Oct 2008 12:25:22 +0200
Subject: [c-nsp] SUP720-3BXL gigabit uplink port limit?
Message-ID: <48F5C512.7020501@cooler.hu>

Hi All,

The Sup720-3BXL card has 2 gigabit uplink ports. Is there a speed or any other limit on these ports? I use 2 CPU cards in my 6500 switch and 2+1 uplink ports are in use. Yesterday I reached 950Mbit/sec on these ports (summarized data; the traffic was 300Mbit, 300Mbit and 350Mbit). But this 950Mbit was the maximum and I think I reached a limit, because I had more traffic but I couldn't put more on these interfaces.
Thanks
Laszlo

From gary.ciscomail at gmail.com Wed Oct 15 07:32:44 2008
From: gary.ciscomail at gmail.com (Gary Roberton)
Date: Wed, 15 Oct 2008 12:32:44 +0100
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: <48F4EB05.3080209@cisco.com>
References: <48F4EB05.3080209@cisco.com>
Message-ID:

Ian

Am I right in that you said NAT is not supported in VRF-Lite on any platform?

Regards
Gary

On Tue, Oct 14, 2008 at 7:55 PM, Ian Cox wrote:
> NAT is not supported in VRFs on Supervisor 720, VRF-Lite or PE. If you
> need NAT for VRFs then please use either a firewall module, or an
> external NAT appliance Firewall/ASR1000/7200 to provide the NAT
> functionality.
>
>
> Ian
>
> Gary Roberton wrote:
> > Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE
> > duties (including NAT)? If so, what are the pros and cons you have
> > experienced.
> >
> > Thanks.
> >
> > Gary
>

From tedm at toybox.placo.com Wed Oct 15 07:31:19 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Wed, 15 Oct 2008 04:31:19 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
Message-ID:

Hi All,

I have an 8 port PA-8T serial card in a router. The card has an octopus cable that is plugged into a rack of card DSU's. Most of the DSU's have T1's into them. One T1 has developed a problem where it runs for a few hours and then the router serial interface it is on goes down. When it's down, from the carrier side the carrier can issue a loop command to the CSU on the port, and the CSU will loop up, and the carrier can run patterns on it all day long just fine. I have replaced both the 8 port card and the DSU card in the rack on that specific port with no change.
If I momentarily flip the loopback switch on the DSU to throw a loop towards the carrier, facing away from the router, when the switch returns the router port enables and the T1 runs for a few more hours just fine. I didn't believe this when I first saw it, but I've done it several times since. I actually don't think the looping has anything to do with anything though - if I pull the DSU card and replace it, the circuit comes back up also.

So I went and moved the T1 to another DSU and port on the router and inserted a physical loopback plug into the problem DSU network port. The router port of course sees this as a looped port now.

My question, is there a way I can configure the router port so that I can throw a massive amount of (bogus, naturally) traffic to it, and the traffic will go out the port, through the DSU, loopback through the hard loopback plug, then come back into the router and go into the bit bucket?

If I simply assign something like IP 127.0.0.5/30 to the port and throw a ton of traffic to 127.0.0.6, will the packets actually go out the port? Or will the router see that the port is looped and just discard the traffic?

Ted

From fraglet at gmail.com Wed Oct 15 08:57:43 2008
From: fraglet at gmail.com (John R)
Date: Wed, 15 Oct 2008 13:57:43 +0100
Subject: [c-nsp] POC Nexus 7000 anybody?
Message-ID: <5c374d9a0810150557y22f332f4h1bc38a3bf0383a95@mail.gmail.com>

I'm guessing this really shouldn't have found its way to ebay....
http://cgi.ebay.co.uk/Prototype-Cisco-DS-3-Data-Center-3-Nexus-7000_W0QQitemZ220288308033QQihZ012QQcategoryZ11175QQcmdZViewItemQQ_trksidZp1742.m153.l1262#ebayphotohosting

From scubacuda at gmail.com Wed Oct 15 09:22:58 2008
From: scubacuda at gmail.com (Rogelio)
Date: Wed, 15 Oct 2008 06:22:58 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
References:
Message-ID: <48F5EEB2.8000508@gmail.com>

Ted Mittelstaedt wrote:
> My question, is there a way I can configure the router port
> so that I can throw a massive amount of (bogus, naturally)
> traffic to it, and the traffic will go out the port, through the
> DSU, loopback through the hard loopback plug, then come back
> into the router and go into the bit bucket?

Try iperf on either Windows or Linux. Either that or rent a Smartbit for a few days. :)

From howie at thingy.com Wed Oct 15 09:34:06 2008
From: howie at thingy.com (Howard Jones)
Date: Wed, 15 Oct 2008 14:34:06 +0100
Subject: [c-nsp] 3750, QinQ & Jumbo Frames?
Message-ID: <48F5F14E.5060506@thingy.com>

We're just looking at running QinQ over a network of 3750G switches, and while I was investigating enabling jumbo frames, I came across this document:

http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c3

which contains:

"Note: If Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames that ingress on a Gigabit Ethernet interface and egress on a 10/100 interface are dropped."

It seems to me that I want to have jumbo frames enabled on the trunks to 'make room' for the extra dotq header, but if that means that user ports can't run at 10/100 that seems like a severe limitation. Also, the document is from 2005, and doesn't mention QinQ at all.

Is this still really the case with a modern 3750G? Is there anything that can be done?
There's a sort-of middle area where actually the frame that leaves the 10/100 port would have had the extra layer of dotQ stripped off... is that what I'm missing in the above?

Thanks in advance for any light anyone can shed.

Howie

From felixnkansah at gmail.com Wed Oct 15 09:36:19 2008
From: felixnkansah at gmail.com (Felix Nkansah)
Date: Wed, 15 Oct 2008 13:36:19 +0000
Subject: [c-nsp] Visibility Monitoring Software for Mobile Carriers?
Message-ID: <18dba4e50810150636j4a6abdeai3aa911bfec75fddf@mail.gmail.com>

Hi,

A client of mine (a GSM mobile carrier) with over 3 million subscribers is looking for a solution that allows them to have end-to-end visibility into their network. Portions of their requirements appear below:

Basically, we need a solution that is deployed in the NOC (Network Operations Centre), whereby the entire network operation can be projected so that the technicians monitoring can react proactively. These include but are not limited to:

1) Monitoring of the Network Cores (Ericsson & Huawei in this case)
2) Monitoring of the BTS's
3) Monitoring of the Fibre/MPLS network
4) Monitoring of leased circuits to customers.
5) Monitoring Data Traffic (GPRS/EDGE, 3G, LTE, WiMax)

If you are familiar with any commercial product that meets such requirements, I would be glad to know.

Thanks,
Felix

From b.turnbow at twt.it Wed Oct 15 09:49:40 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Wed, 15 Oct 2008 15:49:40 +0200
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
References:
Message-ID:

> If I simply assign something like IP 127.0.0.5/30 to the port and throw
> a ton of traffic to 127.0.0.6, will the packets actually go out the port?
> Or will the router see that the port is looped and just discard the traffic?

From the router, running extended pings to the 127.0.0.5 address (the interface physical address) will do it for you.
http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800a7599.shtml

Regards
Brian

From achatz at forthnet.gr Wed Oct 15 10:04:45 2008
From: achatz at forthnet.gr (Tassos Chatzithomaoglou)
Date: Wed, 15 Oct 2008 17:04:45 +0300
Subject: [c-nsp] 3750, QinQ & Jumbo Frames?
In-Reply-To: <48F5F14E.5060506@thingy.com>
References: <48F5F14E.5060506@thingy.com>
Message-ID: <48F5F87D.1060208@forthnet.gr>

Howard,

3750Gs usually do not have any 10/100BaseT ports. They have 10/100/1000BaseT and SFP ones. As long as the port is 10/100/1000, the actual speed that is running (10 or 100 or 1000) doesn't have any effect on the MTU. So you can have it running in 10/100 and use the full mtu.

3750G>sh int gi1/0/22 | i media|MTU
  MTU 1600 bytes, BW 100000 Kbit, DLY 100 usec,
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX

Also, as you can see below, you can go up to 1998 for FastEthernet ports on 3750Gs, which should be more than enough for most applications:

3750G(config)#system mtu ?
  <1500-1998>  MTU size in bytes
  jumbo        Set Jumbo MTU value for GigabitEthernet or TenGigabitEthernet interfaces
  routing      Set the Routing MTU for the system

3750G(config)#system mtu jumbo ?
  <1500-9000>  Jumbo MTU size in bytes

--
Tassos

Howard Jones wrote on 15/10/2008 4:34 PM:
> We're just looking at running QinQ over a network of 3750G switches, and
> while I was investigating enabling jumbo frames, I came across this
> document:
>
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c3
> which contains:
> "Note: If Gigabit Ethernet interfaces are configured to accept frames
> greater than the 10/100 interfaces, jumbo frames that ingress on a
> Gigabit Ethernet interface and egress on a 10/100 interface are dropped."
>
> It seems to me that I want to have jumbo frames enabled on the trunks to
> 'make room' for the extra dotq header, but if that means that user ports
> can't run at 10/100 that seems like a severe limitation.
> Also, the
> document is from 2005, and doesn't mention QinQ at all.
>
> Is this still really the case with a modern 3750G? Is there anything
> that can be done?
>
> There's a sort-of middle area where actually the frame that leaves the
> 10/100 port would have had the extra layer of dotQ stripped off... is
> that what I'm missing in the above?
>
> Thanks in advance for any light anyone can shed.
>
> Howie
>

From luan at netcraftsmen.net Wed Oct 15 10:22:17 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Oct 2008 10:22:17 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
References:
Message-ID: <002d01c92ed1$6d8fe840$48afb8c0$@net>

Is it a Verizon circuit?

We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.

I wrote the problem up at http://ccie-security.blogspot.com/

But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help. Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatched clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line.

They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.
Good information here about troubleshooting T1:
http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ted Mittelstaedt
Sent: Wednesday, October 15, 2008 7:31 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port

Hi All,

I have an 8 port PA-8T serial card in a router. The card has an octopus cable that is plugged into a rack of card DSU's. Most of the DSU's have T1's into them. One T1 has developed a problem where it runs for a few hours and then the router serial interface it is on goes down. When it's down, from the carrier side the carrier can issue a loop command to the CSU on the port, and the CSU will loop up, and the carrier can run patterns on it all day long just fine. I have replaced both the 8 port card and the DSU card in the rack on that specific port with no change.

If I momentarily flip the loopback switch on the DSU to throw a loop towards the carrier, facing away from the router, when the switch returns the router port enables and the T1 runs for a few more hours just fine. I didn't believe this when I first saw it, but I've done it several times since. I actually don't think the looping has anything to do with anything though - if I pull the DSU card and replace it, the circuit comes back up also.

So I went and moved the T1 to another DSU and port on the router and inserted a physical loopback plug into the problem DSU network port. The router port of course sees this as a looped port now.

My question, is there a way I can configure the router port so that I can throw a massive amount of (bogus, naturally) traffic to it, and the traffic will go out the port, through the DSU, loopback through the hard loopback plug, then come back into the router and go into the bit bucket?
If I simply assign something like IP 127.0.0.5/30 to the port and throw a ton of traffic to 127.0.0.6, will the packets actually go out the port? Or will the router see that the port is looped and just discard the traffic?

Ted

From r.engehausen at gmail.com Wed Oct 15 10:35:58 2008
From: r.engehausen at gmail.com (Roy)
Date: Wed, 15 Oct 2008 07:35:58 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <002d01c92ed1$6d8fe840$48afb8c0$@net>
References: <002d01c92ed1$6d8fe840$48afb8c0$@net>
Message-ID: <48F5FFCE.40904@gmail.com>

Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.

Roy

Luan Nguyen wrote:
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem. We have a
> point to point circuit, so one side has clocking set to internal to provide
> the clocking and the other side feeds from the line.
> I wrote the problem up at http://ccie-security.blogspot.com/
> But basically, it will be up for some hours then down, then I call them to
> test and it's good again. Sometimes it's good just by unplugging the cable and
> plugging it back. Like you, we changed everything and that didn't help.
> Finally, we talked to a knowledgeable Verizon tester and he mentioned the
> rate on the line is ~17 which is high. It should be around 0 or negative.
> He said that's because of mismatched clocking between our hardware and the
> central office crossover equipment. The normal tester won't look at this,
> they only do the loopback pattern testing, so you should ask them about the
> rate of your line.
> They swapped one smart jack, but that didn't help, so they will swap the
> other today. Hopefully that will do it.
> Good information here about troubleshooting T1
> http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61
>
>
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
>
> ...
>

From lowen at pari.edu Wed Oct 15 10:36:46 2008
From: lowen at pari.edu (Lamar Owen)
Date: Wed, 15 Oct 2008 10:36:46 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <002d01c92ed1$6d8fe840$48afb8c0$@net>
References:
Message-ID: <200810151036.47008.lowen@pari.edu>

On Wednesday 15 October 2008 10:22:17 Luan Nguyen wrote:
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem. We have a
> point to point circuit, so one side has clocking set to internal to provide
> the clocking and the other side feeds from the line.

Have you tried setting the clock to line on the side where you have the clock set to internal? Some point to point T1's still need both CPE's to have clock set to line.

I don't have a point to point T1, but I do have a point to point OC3, and in that case clock must be set to line on both ends, as the network provides the clock.

--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From luan at netcraftsmen.net Wed Oct 15 10:51:21 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Oct 2008 10:51:21 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <48F5FFCE.40904@gmail.com>
References: <002d01c92ed1$6d8fe840$48afb8c0$@net> <48F5FFCE.40904@gmail.com>
Message-ID: <003d01c92ed5$7cc4e500$764eaf00$@net>

It's on fiber. I asked if we could get network timing from them, but they said no, not on this type of circuit. Also, this circuit has been working for years with the same setting :)

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roy
Sent: Wednesday, October 15, 2008 10:36 AM
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.

Roy

Luan Nguyen wrote:
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem. We have a
> point to point circuit, so one side has clocking set to internal to provide
> the clocking and the other side feeds from the line.
> I wrote the problem up at http://ccie-security.blogspot.com/
> But basically, it will be up for some hours then down, then I call them to
> test and it's good again. Sometimes it's good just by unplugging the cable and
> plugging it back. Like you, we changed everything and that didn't help.
> Finally, we talked to a knowledgeable Verizon tester and he mentioned the
> rate on the line is ~17 which is high. It should be around 0 or negative.
> He said that's because of mismatched clocking between our hardware and the
> central office crossover equipment. The normal tester won't look at this,
> they only do the loopback pattern testing, so you should ask them about the
> rate of your line.
> They swapped one smart jack, but that didn't help, so they will swap the
> other today. Hopefully that will do it.
> Good information here about troubleshooting T1
> http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61
>
>
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
>
> ...
>

From luan at netcraftsmen.net Wed Oct 15 10:57:18 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Oct 2008 10:57:18 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <200810151036.47008.lowen@pari.edu>
References: <200810151036.47008.lowen@pari.edu>
Message-ID: <003e01c92ed6$518094b0$f481be10$@net>

They claimed they don't provide clocking on point to point circuits... not even for testing's sake! We did play around with both sides getting network timing, with switching the side providing clocking, with both going internal... etc, but nothing worked. It only works for some hours after they break in the circuit for testing.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lamar Owen
Sent: Wednesday, October 15, 2008 10:37 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port

On Wednesday 15 October 2008 10:22:17 Luan Nguyen wrote:
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem. We have a
> point to point circuit, so one side has clocking set to internal to provide
> the clocking and the other side feeds from the line.

Have you tried setting the clock to line on the side where you have the clock set to internal? Some point to point T1's still need both CPE's to have clock set to line.

I don't have a point to point T1, but I do have a point to point OC3, and in that case clock must be set to line on both ends, as the network provides the clock.
--
Lamar Owen
Chief Information Officer
Pisgah Astronomical Research Institute
1 PARI Drive
Rosman, NC 28772
http://www.pari.edu

From have.an.email at gmail.com Wed Oct 15 11:32:48 2008
From: have.an.email at gmail.com (Nathan)
Date: Wed, 15 Oct 2008 17:32:48 +0200
Subject: [c-nsp] question about service provider network design
Message-ID: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com>

Hi,

I'm re-designing a service provider MPLS network, and I'd appreciate some macro-level input.

I have two major sites connected by two gigabit WAN lines. I have or will have about a dozen Cisco switches (3508, 2960, 3548, 3550...), half a dozen C7206s for customer termination, four J4350s for eBGP, and miscellaneous junk, all routers connected with OSPF and MP-BGP.

Currently I have no layer2 loops, so only "accidental" STP, and no VTP. Basically the WANs each come in on one of two switches, and all routers have one link to each of the two switches (with, as needed, further links to access/distribution switches). Off the cuff only about half the WAN link outages have been accompanied by L1 ethernet link loss.

I've done without STP and VTP because I'm not completely comfortable with them, due to lack of experience and scary stories about spanning tree loops and such (at least one of the WAN links is over fiber so one-way communication is very possible). All switches are L2 only even though I know that some are capable of L3; I've never really understood or seen documentation on how an L3 ospf-running switch actually works in a production network.

To get cross-site L2 service I've envisaged running multiple vlans over the WAN lines, or setting up VPLS (not on 7206) or pseudo-wires (not multipoint), but I've never actually done either.
I know how to do the first, I'm not sure about the last two.

As I move to Gbit bandwidths and multicast and want to reduce failover times, use both WAN links, and provide cross-site L2 service for myself and for clients, and having been bitten by NPE300s not forwarding at 100M line speed, I thought I'd replace that with an L2 square running some sort of STP and VTP. I documented myself on VTP, on MST, and then I found the "Cisco Campus Network for High Availability Design Guide" which among many other things says "avoid L2" and "avoid square", "avoid STP", and "avoid VTP". The only square in there is that they're very squarely recommending not to do what I was thinking to do. I didn't find any service provider version BTW.

So what would be state of the art with room for expansion for my quite limited network? I do not have four inter-site Gbit links as recommended; the two I have are costly, and if I go adding more directly to my routers I soon won't have enough interfaces (a third site would be a projected expansion). Can L3 OSPF on WAN-connected switches help me detect link loss instantly even though the switches are connecting routers running MPLS and BGP? If I connect the WAN links directly to routers, I'll have four expensive routers mainly passing packets for the other routers; that doesn't seem cost-effective.

Am I missing or misunderstanding some crucial documentation or insight?

Thanks for any comments,

--
Nathan

From tedm at toybox.placo.com Wed Oct 15 11:50:57 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Wed, 15 Oct 2008 08:50:57 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <48F5FFCE.40904@gmail.com>
Message-ID:

Before everyone goes off, I've dealt with clocking issues before and am well aware of these. This particular circuit, when it first started acting up, was pinned one side internal, the other side receive clock from the network.
After replacing the DSU card didn't help, I pinned both sides to receive clock from the network. It made no difference. Incidentally all of the other spans going to the router (which are working) are pinned both sides receive clock.

Ted

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roy
> Sent: Wednesday, October 15, 2008 7:36 AM
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.
>
> Roy
>
> Luan Nguyen wrote:
> > Is it a Verizon circuit?
> > We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.
> > I wrote the problem up at http://ccie-security.blogspot.com/
> > But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help.
> > Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatch clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line.
> > They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.
> > Good information here about troubleshooting T1
> > http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61
> >
> > Luan Nguyen
> > Chesapeake NetCraftsmen, LLC.
> > www.NetCraftsmen.net
> >
> > ...

From tedm at toybox.placo.com Wed Oct 15 12:01:00 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Wed, 15 Oct 2008 09:01:00 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
Message-ID:

> -----Original Message-----
> From: Brian Turnbow [mailto:b.turnbow at twt.it]
> Sent: Wednesday, October 15, 2008 6:50 AM
> To: Ted Mittelstaedt; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> > If I simply assign something like IP 127.0.0.5/30 to the port and throw a ton of traffic to 127.0.0.6, will the packets actually go out the port? Or will the router see that the port is looped and just discard the traffic?
>
> From the router, running extended pings to the 127.0.0.5 address (the interface physical address) will do it for you.
>
> http://www.cisco.com/en/US/tech/tk713/tk628/technologies_tech_note09186a00800a7599.shtml
>
> Regards
>
> Brian

Thanks, I should have looked at the documentation!
Ted

From tedm at toybox.placo.com Wed Oct 15 12:00:59 2008
From: tedm at toybox.placo.com (Ted Mittelstaedt)
Date: Wed, 15 Oct 2008 09:00:59 -0700
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <002d01c92ed1$6d8fe840$48afb8c0$@net>
Message-ID:

> -----Original Message-----
> From: Luan Nguyen [mailto:luan at netcraftsmen.net]
> Sent: Wednesday, October 15, 2008 7:22 AM
> To: 'Ted Mittelstaedt'; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.
> I wrote the problem up at http://ccie-security.blogspot.com/
> But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help.
> Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatch clocking between our hardware and the central office crossover equipment.

Luan,

We have several spans going through Verizon. One thing I have found is that Verizon uses different makes and models of NIUs at the remote sites. The newest make and model of NIU they use (I have it documented somewhere but I cannot find it) is not compatible with certain makes and models of CSU/DSUs. I found that out with one of our customer spans that was the first span delivered through one of these newer NIUs. We fortunately never standardized on DSU/CSUs (I get them off Ebay nowadays for cents on the dollar) and I have always favored use of -external- DSU's coupled to a serial port on the router rather than the integrated Cisco WIC with DSU.
So with that span I had 5 different makes and models of DSU's to experiment with. The problem I believe is that certain DSU's are particular about the frequency clock they slave to. If the clock is too far off frequency from what the CSU/DSU thinks it is supposed to be, even if the CSU is set to slave clock from the span, it will slip anyway.

Unfortunately I wish it were that simple with my own problem. In my instance, the spans are actually going into an m13 mux from the DSU bank (most are, at any rate). So it is a consistent environment on all spans going into the router.

Ted

From ptimmins at clearrate.com Wed Oct 15 12:02:30 2008
From: ptimmins at clearrate.com (Paul G. Timmins)
Date: Wed, 15 Oct 2008 12:02:30 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <003d01c92ed5$7cc4e500$764eaf00$@net>
References: <002d01c92ed1$6d8fe840$48afb8c0$@net> <48F5FFCE.40904@gmail.com> <003d01c92ed5$7cc4e500$764eaf00$@net>
Message-ID:

Most modern sonet gear does not provide clocking to individual DS1s running it. The only reason clocking ever existed on point to point circuits was that the older gear couldn't avoid being an active participant in the circuit. It's possible the carrier you're using has upgraded the equipment, and where it was once providing the clocking (which it couldn't avoid previously), it's now on gear that can now act indistinguishably from a straight piece of wire (of course, it has to follow T1 line encoding and framing, but beyond that..).

I've seen this plenty over the last 5 years as carriers upgrade, and roll DS3s onto newer gear. One night, the clocking gets funky, and you have to enable clock, which was causing problems before, but now works fine. (Of course, we don't feel it as much, because we are syncing our gear off the BITS in our CO, so we'd be in sync with the ILEC whether we provide clocking or not, so we just provide clocking on our end of all loops, and slave the customer sites.)
It's also possible for two devices set to clock off line to work for a while, without anyone providing external clock. Since there's not really a "clock signal" per se, but just a directive that says whether your internal source is authoritative, or whether you should be sending your own frames in sync with the frames you're getting off the line, both devices can feed off of each other (a device without line clock will fall back to internal clock, and start sending frames. The other device will see the clock signal on the line, and sync with it. Then the original device sees the framing on the line, and syncs with that. The devices then sync off whatever each other are sending. Because this isn't precise (but can be precise "enough"), it's possible for the line to work for a while like that, until power blips, line hits, or random cosmic noise cause the whole thing to fall apart).

Anyway, the network has to actively participate in the circuit to "provide clock", and the field has been running away from this for years. Set one side to line clock, and one to internal, and forget it. It's a single line of config. :)

-Paul

PS: I'm using the term "providing clock" because that's what we're calling it in this thread. The way you should actually think about it though, is using your own clock reference, or using the reference coming from the line. In the PSTN world, everyone "provides clock" (uses their own clock reference) and you don't trust the line clock from anywhere. Because your clock references are in sync with each other (because you're syncing off a cesium reference, using GPS, or CDMA, or you have a BITS T1 from the local LEC, or some combination of those) everything works flawlessly (insofar as that's possible in real life). CPE aren't expected to have their own stratum 1 reference clock, so they just trust the line signal.
If you're connecting CPE to CPE, you're going to have to provide your own reference clock, and it doesn't have to be stratum 1 since you're not interfacing with anyone else (unless you're passing through some real old DACS or Mux gear that actively participates in the circuit, rather than just encapsulating it in a DS3 and sending it on its way through the network); it doesn't have to be in sync.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
> Sent: Wednesday, October 15, 2008 10:51 AM
> To: 'Roy'
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> It's on fiber. I asked if we could get network timing from them, but they said no, not on this type of circuit.
> Also, this circuit has been working for years with the same setting :)
>
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roy
> Sent: Wednesday, October 15, 2008 10:36 AM
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.
>
> Roy
>
> Luan Nguyen wrote:
> > Is it a Verizon circuit?
> > We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.
> > I wrote the problem up at http://ccie-security.blogspot.com/
> > But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help.
> > Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatch clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line.
> > They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.
> > Good information here about troubleshooting T1
> > http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61
> >
> > Luan Nguyen
> > Chesapeake NetCraftsmen, LLC.
> > www.NetCraftsmen.net
> >
> > ...

From have.an.email at gmail.com Wed Oct 15 12:26:19 2008
From: have.an.email at gmail.com (Nathan)
Date: Wed, 15 Oct 2008 18:26:19 +0200
Subject: [c-nsp] 3750, QinQ & Jumbo Frames?
In-Reply-To: <48F5F14E.5060506@thingy.com>
References: <48F5F14E.5060506@thingy.com>
Message-ID: <9f785d120810150926k6ddefe15m66414b193a0253da@mail.gmail.com>

On Wed, Oct 15, 2008 at 3:34 PM, Howard Jones wrote:
> "*Note:* If Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames that ingress on a Gigabit Ethernet interface and egress on a 10/100 interface are dropped."

Well, yes, they have to be. You have two kinds of packets called "jumbo": the FE kind of jumbo configured with "system mtu XXXX" which can have limits like 1546 or 1998 or 2018 and probably lots more, depending on how far the hardware designer stretched the FE specs, and GE jumbo which is mostly 9000 and is configured with "system mtu jumbo XXXX" but only works on gigabit interfaces.

I believe your switches have an FE maximum MTU of 1998, so if you are just making room for some QinQ headers on a 1500-byte packet then you have nothing to worry about :-)

--
HTH,
Nathan

From icox at cisco.com Wed Oct 15 12:40:57 2008
From: icox at cisco.com (Ian Cox)
Date: Wed, 15 Oct 2008 09:40:57 -0700
Subject: [c-nsp] 6500 and MPLS
In-Reply-To:
References: <48F4EB05.3080209@cisco.com>
Message-ID: <48F61D19.9070007@cisco.com>

Gary Roberton wrote:
> Ian
>
> Am I right in that you said NAT is not supported in VRF-Lite on any platform?
>

I was only speaking of the Sup720 on the 6500 and 7600 platforms, on which it is not supported.

Ian

> Regards
>
> Gary
>
> On Tue, Oct 14, 2008 at 7:55 PM, Ian Cox wrote:
>
> NAT is not supported in VRFs on Supervisor 720, VRF-Lite or PE. If you need NAT for VRFs then please use either a firewall module, or an external NAT appliance Firewall/ASR1000/7200 to provide the NAT functionality.
>
>
> Ian
>
> Gary Roberton wrote:
> > Is anyone currently using a 6500 for MPLS duties? Not VRF-Lite but PE duties (including NAT)? If so, what are the pros and cons you have experienced.
> >
> > Thanks.
> >
> > Gary

From luan at netcraftsmen.net Wed Oct 15 14:57:53 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Oct 2008 14:57:53 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
References: <002d01c92ed1$6d8fe840$48afb8c0$@net> <48F5FFCE.40904@gmail.com> <003d01c92ed5$7cc4e500$764eaf00$@net>
Message-ID: <00cc01c92ef7$edb63170$c9229450$@net>

Paul,

Thanks. We do have one side set to internal and the other to line and did forget about it for years. I believe one side of our circuit is encapsulated in a DS3, since one tester said they couldn't loop since they had to loop the whole DS3. The other side must be just a regular T1 and they are cross connected by the DACS at the central office. Verizon said they have to be in sync. Something must have happened for them to be out of sync after all these years.

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

-----Original Message-----
From: Paul G. Timmins [mailto:ptimmins at clearrate.com]
Sent: Wednesday, October 15, 2008 12:03 PM
To: Luan Nguyen; Roy
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

Most modern sonet gear does not provide clocking to individual DS1s running it. The only reason clocking ever existed on point to point circuits was that the older gear couldn't avoid being an active participant in the circuit. It's possible the carrier you're using has upgraded the equipment, and where it was once providing the clocking (which it couldn't avoid previously), it's now on gear that can now act indistinguishably from a straight piece of wire (of course, it has to follow T1 line encoding and framing, but beyond that..).
I've seen this plenty over the last 5 years as carriers upgrade, and roll DS3s onto newer gear. One night, the clocking gets funky, and you have to enable clock, which was causing problems before, but now works fine. (Of course, we don't feel it as much, because we are syncing our gear off the BITS in our CO, so we'd be in sync with the ILEC whether we provide clocking or not, so we just provide clocking on our end of all loops, and slave the customer sites.)

It's also possible for two devices set to clock off line to work for a while, without anyone providing external clock. Since there's not really a "clock signal" per se, but just a directive that says whether your internal source is authoritative, or whether you should be sending your own frames in sync with the frames you're getting off the line, both devices can feed off of each other (a device without line clock will fall back to internal clock, and start sending frames. The other device will see the clock signal on the line, and sync with it. Then the original device sees the framing on the line, and syncs with that. The devices then sync off whatever each other are sending. Because this isn't precise (but can be precise "enough"), it's possible for the line to work for a while like that, until power blips, line hits, or random cosmic noise cause the whole thing to fall apart).

Anyway, the network has to actively participate in the circuit to "provide clock", and the field has been running away from this for years. Set one side to line clock, and one to internal, and forget it. It's a single line of config. :)

-Paul

PS: I'm using the term "providing clock" because that's what we're calling it in this thread. The way you should actually think about it though, is using your own clock reference, or using the reference coming from the line. In the PSTN world, everyone "provides clock" (uses their own clock reference) and you don't trust the line clock from anywhere.
Because your clock references are in sync with each other (because you're syncing off a cesium reference, using GPS, or CDMA, or you have a BITS T1 from the local LEC, or some combination of those) everything works flawlessly (insofar as that's possible in real life). CPE aren't expected to have their own stratum 1 reference clock, so they just trust the line signal.

If you're connecting CPE to CPE, you're going to have to provide your own reference clock, and it doesn't have to be stratum 1 since you're not interfacing with anyone else (unless you're passing through some real old DACS or Mux gear that actively participates in the circuit, rather than just encapsulating it in a DS3 and sending it on its way through the network); it doesn't have to be in sync.

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Luan Nguyen
> Sent: Wednesday, October 15, 2008 10:51 AM
> To: 'Roy'
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> It's on fiber. I asked if we could get network timing from them, but they said no, not on this type of circuit.
> Also, this circuit has been working for years with the same setting :)
>
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
>
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Roy
> Sent: Wednesday, October 15, 2008 10:36 AM
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.
>
> Roy
>
> Luan Nguyen wrote:
> > Is it a Verizon circuit?
> > We have a T1 circuit with Verizon and have the same problem. We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.
> > I wrote the problem up at http://ccie-security.blogspot.com/
> > But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help.
> > Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatch clocking between our hardware and the central office crossover equipment. The normal tester won't look at this, they only do the loopback pattern testing, so you should ask them about the rate of your line.
> > They swapped one smart jack, but that didn't help, so they will swap the other today. Hopefully that will do it.
> > Good information here about troubleshooting T1
> > http://www.informit.com/library/content.aspx?b=Troubleshooting_Remote_Access&seqNum=61
> >
> > Luan Nguyen
> > Chesapeake NetCraftsmen, LLC.
> > www.NetCraftsmen.net
> >
> > ...

From howie at thingy.com Wed Oct 15 14:58:56 2008
From: howie at thingy.com (Howard Jones)
Date: Wed, 15 Oct 2008 19:58:56 +0100
Subject: [c-nsp] 3750, QinQ & Jumbo Frames?
In-Reply-To: <48F5F14E.5060506@thingy.com>
References: <48F5F14E.5060506@thingy.com>
Message-ID: <48F63D70.7000803@thingy.com>

Howard Jones wrote:
> We're just looking at running QinQ over a network of 3750G switches, and while I was investigating enabling jumbo frames, I came across this document:
>
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_configuration_example09186a008010edab.shtml#c3
> which contains:
> "*Note:* If Gigabit Ethernet interfaces are configured to accept frames greater than the 10/100 interfaces, jumbo frames that ingress on a Gigabit Ethernet interface and egress on a 10/100 interface are dropped."
>

Replying to my own post, for the sake of the archive. Thanks to everyone who replied to me directly.

The key thing I was missing is that "10/100 interface" in the above really *means* 10/100 interface, and not 1000baseT running at 100mbit/s. So on a 3750G there aren't any 10/100 interfaces. Problem gone away.

Thanks for the quick replies.

Howie

From luan at netcraftsmen.net Wed Oct 15 15:12:28 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Wed, 15 Oct 2008 15:12:28 -0400
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To:
References: <002d01c92ed1$6d8fe840$48afb8c0$@net>
Message-ID: <00cd01c92ef9$f7778770$e6669650$@net>

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com]
Sent: Wednesday, October 15, 2008 12:01 PM
To: Luan Nguyen; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port

> -----Original Message-----
> From: Luan Nguyen [mailto:luan at netcraftsmen.net]
> Sent: Wednesday, October 15, 2008 7:22 AM
> To: 'Ted Mittelstaedt'; cisco-nsp at puck.nether.net
> Subject: RE: [c-nsp] OK, what is a cheap and dirty hack to test a port
>
> Is it a Verizon circuit?
> We have a T1 circuit with Verizon and have the same problem.
> We have a point to point circuit, so one side has clocking set to internal to provide the clocking and the other side feeds from the line.
> I wrote the problem up at http://ccie-security.blogspot.com/
> But basically, it will be up for some hours then down, then I call them to test and it's good again. Sometimes it's good just by unplugging the cable and plugging it back. Like you, we changed everything and that didn't help.
> Finally, we talked to a knowledgeable Verizon tester and he mentioned the rate on the line is ~17 which is high. It should be around 0 or negative. He said that's because of mismatch clocking between our hardware and the central office crossover equipment.

Luan,

We have several spans going through Verizon. One thing I have found is that Verizon uses different makes and models of NIUs at the remote sites. The newest make and model of NIU they use (I have it documented somewhere but I cannot find it) is not compatible with certain makes and models of CSU/DSUs. I found that out with one of our customer spans that was the first span delivered through one of these newer NIUs. We fortunately never standardized on DSU/CSUs (I get them off Ebay nowadays for cents on the dollar) and I have always favored use of -external- DSU's coupled to a serial port on the router rather than the integrated Cisco WIC with DSU.

So with that span I had 5 different makes and models of DSU's to experiment with. The problem I believe is that certain DSU's are particular about the frequency clock they slave to. If the clock is too far off frequency from what the CSU/DSU thinks it is supposed to be, even if the CSU is set to slave clock from the span, it will slip anyway.

Unfortunately I wish it were that simple with my own problem. In my instance, the spans are actually going into an m13 mux from the DSU bank (most are, at any rate). So it is a consistent environment on all spans going into the router.
Ted

Ted,

I was also told by one of the techs that their NIU isn't compatible with the VWIC card we have in the router. But our circuit has been working for years. I tested 4 different types of Wan Interface Cards and none worked. Verizon somehow agreed to replace their NIUs at both ends. And that seems to work so far. 3 hours and counting...

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net

From cboyd at gizmopartners.com Wed Oct 15 14:43:31 2008
From: cboyd at gizmopartners.com (Chris Boyd)
Date: Wed, 15 Oct 2008 13:43:31 -0500
Subject: [c-nsp] OK, what is a cheap and dirty hack to test a port
In-Reply-To: <48F5FFCE.40904@gmail.com>
References: <002d01c92ed1$6d8fe840$48afb8c0$@net> <48F5FFCE.40904@gmail.com>
Message-ID: <69D2A993-17EA-4B03-8AD8-3755759C2734@gizmopartners.com>

On Oct 15, 2008, at 9:35 AM, Roy wrote:
> Just because it's a point to point circuit doesn't mean one side has to have internal clocking. This is only true if the circuit is copper all the way. There are lots of reasons that the telco would have its own equipment installed on the circuit and you would need network timing.

I'll second what Roy says. Both sides should be clocking from the network. The T-1 is going to get muxed and/or go through a telco digital cross connect so the telco will be providing their clock on the line.

--Chris

From zorglub421 at gmail.com Wed Oct 15 15:46:30 2008
From: zorglub421 at gmail.com (Zorg 421)
Date: Wed, 15 Oct 2008 21:46:30 +0200
Subject: [c-nsp] ip flow egress on c76k
In-Reply-To: <20081014151834.GH73762@f17.dmitry.net>
References: <6b546c750810140731v710c7664g42af4db0b051570c@mail.gmail.com> <20081014151834.GH73762@f17.dmitry.net>
Message-ID: <6b546c750810151246s2a118176vbc185fb9b30c3a38@mail.gmail.com>

Thank you, good to know! Oh actually there's a way to do it with all in ingress, so that's not a big concern.

Regards.

On Tue, Oct 14, 2008 at 5:18 PM, Dmitry Kiselev wrote:
> Hello!
>
> On Tue, Oct 14, 2008 at 04:31:47PM +0200, Zorg 421 wrote:
>
> > Is anyone able to make "ip flow egress" work on cisco 7604?
>
> As some Cisco guy says, egress netflow for unicast is not supported by PFC hardware. The "ip flow egress" command is related to multicast flows replicated within PFC and of course to unicast switched by MSFC.
>
> AFAIK, next Earl will support unicast egress netflow.
>
> --
> Dmitry Kiselev
>

From christian.macnevin at gmail.com Wed Oct 15 18:02:40 2008
From: christian.macnevin at gmail.com (Christian MacNevin)
Date: Wed, 15 Oct 2008 15:02:40 -0700
Subject: [c-nsp] host availability monitoring / OER
Message-ID: <8A00BD63-7007-4DF8-939C-CE97FD9E0138@gmail.com>

Hi

I have a requirement to provide source redundancy for an SSM multicast feed. In terms of routing, an anycast routing setup seems to make sense, with two sources sending a stream with the same source address and the routing table sorting it out.

So what I'm thinking is that each of the directly connected ciscos (3560s in this case) need to have static routes pointing to the physical addresses of directly attached hosts. Their common next hop with which they speak ospf would then make the best path decision. All fine.

The issue of course becomes when we expect to see failover, how does the route get withdrawn from the table? If I make the access ports into routed ports, then a link-down event will result in a withdrawn route, which is fine. But obviously this is less than optimal, as I'd like to have a vlan here for scalability.

So is there another option somebody can think of? What I'm thinking of is something like OER on either the directly-connected devices or the next hop doing ip sla echo responses to influence the metric of a route or something to that effect.

Any thoughts?
Thanks Christian From kajtzu at basen.net Wed Oct 15 18:34:53 2008 From: kajtzu at basen.net (Kaj Niemi) Date: Thu, 16 Oct 2008 01:34:53 +0300 Subject: [c-nsp] route-map ftp connection In-Reply-To: References: Message-ID: <163BE499-FA97-4974-9956-598CAFC0D8DC@basen.net> Hi, You could try using NBAR on your 2811, for example: route-map inet permit 100 match protocol ftp set ... See http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t8/dtnbarad.htm for more info :) On Oct 15, 2008, at 02:53, Dan Letkeman wrote: > Hello, > > I have a route-map on my 2811 router that sets the next hop for ftp > traffic: > > route-map inet permit 100 > match ip address ftp > set ip next-hop 192.168.11.101 > > The access list looks like this: > > 1 permit tcp any any eq ftp > 2 permit tcp any any eq ftp-data > 3 deny ip any any > > > This seem's to work well for active ftp connections but passive ftp > connections don't seem to make a connection. Is there something else > I can do to make this work with passive ftp connections? > > Thanks, > Dan. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ Kaj -- Kaj J. Niemi +358 45 63 12000 From s00664233 at gmail.com Thu Oct 16 01:59:35 2008 From: s00664233 at gmail.com (cc loo) Date: Thu, 16 Oct 2008 13:59:35 +0800 Subject: [c-nsp] Troubleshooting Cisco Terminal Server Message-ID: <49999c420810152259v61b2600ta256cbf06a12a721@mail.gmail.com> Hi , Im recently stuck in a configuration with a 2800s ISR with a HWIC-16a plugged in . An octal cable was plugged in, and afew ports were tested. I mainly follow the guide at http://www.cisco.com/en/US/tech/tk801/tk36/technologies_configuration_example09186a008014f8e7.shtml ip host box1 2002 172.21.1.1 int loopback0 ip address 172.21.1.1 255.255.255. 
line 0 15 transport input all When i proceed to telnet 172.21.1.1 at port 2002, a login screen of this router (2800) appears. (seems to indicate the port is working?). However after typing my username and password and hit enter , the session froze (seems like console port has no response?) I tried jacking the console cable into AUX but same problems. Anyone has experience with this HWIC-16a ? From matts at internode.com.au Thu Oct 16 02:06:11 2008 From: matts at internode.com.au (Matt Saint) Date: Thu, 16 Oct 2008 16:36:11 +1030 Subject: [c-nsp] Multilink Bundle Name Problems Message-ID: Hi, We have 2 LNS that are part of a SGBP group. Users can connect with multiple same type interfaces no problem. For example the customer may have 2 ADSL wics in an 1841. So looks to be functioning correctly. However we have another style of customer who has an ISDN bri and an ADSL wic in an 1841. The ISDN is backing up the ADSL with a dialer watch command. When the watched route disappears the ISDN comes up fine. So the first part of the job seems to be working okay. However when the ADSL interface comes back and tries to reconnect this fails. The usernames are different and different IP addresses are assigned. From the debug it would appear that the remote router is trying to join the interfaces into the one multilink bundle because the mppp bundle-name discriminator is the same. I have tried influencing the discriminator at both ends but it always uses the SGBP group name on the customers router. We don't want both interfaces in the same bundle for various reasons but we do require mppp on both links. 
*Oct 16 04:32:15.139: ppp13 PPP: Phase is FORWARDING, Attempting Forward
*Oct 16 04:32:15.139: ppp13 PPP: Send Message[Connect Local]
*Oct 16 04:32:15.139: Vi3 MLP: Added interface to multilink group Mu1
*Oct 16 04:32:15.139: Vi3 PPP: Phase is DOWN, Setup
*Oct 16 04:32:15.139: ppp13 PPP: Bind to [Virtual-Access3]
*Oct 16 04:32:15.139: Vi3 PPP: Send Message[Static Bind Response]
*Oct 16 04:32:15.143: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 16 04:32:15.143: Vi3 PPP: Phase is ESTABLISHING, Finish LCP
*Oct 16 04:32:15.143: Vi3 MLP: Request add link to bundle
*Oct 16 04:32:15.143: Vi3 PPP: Phase is VIRTUALIZED
*Oct 16 04:32:15.143: Vi3 MLP: Adding link to bundle
*Oct 16 04:32:15.143: Vi3 MLP: Bundle Di2(ibclnstestSGBP) in different multilink group
*Oct 16 04:32:15.143: Vi3 MLP: Link not added to bundle
*Oct 16 04:32:15.143: Vi3 PPP: Sending Acct Event[Down] id[E]
*Oct 16 04:32:15.143: Vi3 PPP: Phase is TERMINATING
*Oct 16 04:32:15.143: Vi3 LCP: O TERMREQ [Open] id 2 len 4
*Oct 16 04:32:15.167: Vi3 PPP: LCP not open, discarding IPCP packet
*Oct 16 04:32:15.167: Vi3 LCP: I TERMACK [TERMsent] id 2 len 4
*Oct 16 04:32:15.171: Vi3 LCP: State is Closed
*Oct 16 04:32:15.171: Vi3 PPP: Phase is DOWN
*Oct 16 04:32:15.171: Vi3 PPP: Send Message[Disconnect]
*Oct 16 04:32:15.175: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Oct 16 04:32:15.175: Vi3 MLP: Destroying member subblock, remove from group
*Oct 16 04:32:15.175: Vi3 MLP: Removed interface from multilink group Mu1

Anyone seen this before? Is there a way around it?

Regards
Matt

From jimmy at pacnet.net Thu Oct 16 02:51:38 2008
From: jimmy at pacnet.net (Jimmy Halim)
Date: Thu, 16 Oct 2008 14:51:38 +0800
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To:
References:
Message-ID: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com>

Hi guys,

Recently I am getting the following log messages every 2 mins on the 3750 switch.

Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1

This is non service impacting so far. However, I would like to know whether we can disable this logging or not. Anyone have any suggestions?

Many Thanks,
Jimmy

From ddunkin at netos.net Thu Oct 16 02:56:00 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Wed, 15 Oct 2008 23:56:00 -0700
Subject: [c-nsp] Multilink Bundle Name Problems
References:
Message-ID: <56F5BC5F404CF84896C447397A1AAF20943222@MAIL.nosi.netos.com>

Look at the global config option 'multilink bundle-name authenticated' to avoid using the endpoint names.

Some more details are here:
https://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a0080093c49.shtml#authen

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Saint
Sent: Wednesday, October 15, 2008 23:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Multilink Bundle Name Problems

Hi,

We have 2 LNS that are part of an SGBP group. Users can connect with multiple same-type interfaces no problem. For example the customer may have 2 ADSL WICs in an 1841. So it looks to be functioning correctly.

However we have another style of customer who has an ISDN BRI and an ADSL WIC in an 1841. The ISDN is backing up the ADSL with a dialer watch command. When the watched route disappears the ISDN comes up fine. So the first part of the job seems to be working okay. However when the ADSL interface comes back and tries to reconnect this fails. The usernames are different and different IP addresses are assigned.

From the debug it would appear that the remote router is trying to join the interfaces into the one multilink bundle because the MPPP bundle-name discriminator is the same. I have tried influencing the discriminator at both ends but it always uses the SGBP group name on the customer's router. We don't want both interfaces in the same bundle for various reasons but we do require MPPP on both links.

*Oct 16 04:32:15.139: ppp13 PPP: Phase is FORWARDING, Attempting Forward
*Oct 16 04:32:15.139: ppp13 PPP: Send Message[Connect Local]
*Oct 16 04:32:15.139: Vi3 MLP: Added interface to multilink group Mu1
*Oct 16 04:32:15.139: Vi3 PPP: Phase is DOWN, Setup
*Oct 16 04:32:15.139: ppp13 PPP: Bind to [Virtual-Access3]
*Oct 16 04:32:15.139: Vi3 PPP: Send Message[Static Bind Response]
*Oct 16 04:32:15.143: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
*Oct 16 04:32:15.143: Vi3 PPP: Phase is ESTABLISHING, Finish LCP
*Oct 16 04:32:15.143: Vi3 MLP: Request add link to bundle
*Oct 16 04:32:15.143: Vi3 PPP: Phase is VIRTUALIZED
*Oct 16 04:32:15.143: Vi3 MLP: Adding link to bundle
*Oct 16 04:32:15.143: Vi3 MLP: Bundle Di2(ibclnstestSGBP) in different multilink group
*Oct 16 04:32:15.143: Vi3 MLP: Link not added to bundle
*Oct 16 04:32:15.143: Vi3 PPP: Sending Acct Event[Down] id[E]
*Oct 16 04:32:15.143: Vi3 PPP: Phase is TERMINATING
*Oct 16 04:32:15.143: Vi3 LCP: O TERMREQ [Open] id 2 len 4
*Oct 16 04:32:15.167: Vi3 PPP: LCP not open, discarding IPCP packet
*Oct 16 04:32:15.167: Vi3 LCP: I TERMACK [TERMsent] id 2 len 4
*Oct 16 04:32:15.171: Vi3 LCP: State is Closed
*Oct 16 04:32:15.171: Vi3 PPP: Phase is DOWN
*Oct 16 04:32:15.171: Vi3 PPP: Send Message[Disconnect]
*Oct 16 04:32:15.175: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
*Oct 16 04:32:15.175: Vi3 MLP: Destroying member subblock, remove from group
*Oct 16 04:32:15.175: Vi3 MLP: Removed interface from multilink group Mu1

Anyone seen this before? Is there a way around it?

Regards
Matt
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From zhuifeng0426 at gmail.com Thu Oct 16 02:57:00 2008
From: zhuifeng0426 at gmail.com (zhuifeng0426)
Date: Thu, 16 Oct 2008 14:57:00 +0800
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
References: , <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com>
Message-ID: <200810161456563902572@gmail.com>

Hi

Maybe your network has loops because of hubs..

2008-10-16

Best regards,
YiFeng Zhou
Mail: zhuifeng0426 at gmail.com
MSN: zhuifeng0426 at hotmail.com
Mobile: +86 (0)15905171724

From: Jimmy Halim
Sent: 2008-10-16 14:54:14
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Hi guys,

Recently I am getting the following log messages every 2 mins on the 3750 switch.

Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1

This is non service impacting so far. However, I would like to know whether we can disable this logging or not. Anyone have any suggestions?

Many Thanks,
Jimmy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From matts at internode.com.au Thu Oct 16 03:11:16 2008
From: matts at internode.com.au (Matt Saint)
Date: Thu, 16 Oct 2008 17:41:16 +1030
Subject: [c-nsp] Multilink Bundle Name Problems
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20943222@MAIL.nosi.netos.com>
References: <56F5BC5F404CF84896C447397A1AAF20943222@MAIL.nosi.netos.com>
Message-ID: <66F8A6B4-88D1-4E98-AC90-AA38B42479F8@internode.com.au>

Hi,

On 16/10/2008, at 5:26 PM, Darryl Dunkin wrote:

> Look at the global config option 'multilink bundle-name authenticated'
> to avoid using the endpoint names.
>
> Some more details are here:
> https://www.cisco.com/en/US/tech/tk713/tk507/technologies_tech_note09186a0080093c49.shtml#authen

Yep, tried that at both ends. For some reason on the customer's router changing this does not influence the bundle-name.

Regards
Matt

>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matt Saint
> Sent: Wednesday, October 15, 2008 23:06
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Multilink Bundle Name Problems
>
> Hi,
>
> We have 2 LNS that are part of an SGBP group. Users can connect with
> multiple same-type interfaces no problem. For example the customer may
> have 2 ADSL WICs in an 1841. So it looks to be functioning correctly.
>
> However we have another style of customer who has an ISDN BRI and an
> ADSL WIC in an 1841. The ISDN is backing up the ADSL with a dialer
> watch command. When the watched route disappears the ISDN comes up
> fine. So the first part of the job seems to be working okay. However
> when the ADSL interface comes back and tries to reconnect this fails.
> The usernames are different and different IP addresses are assigned.
>
> From the debug it would appear that the remote router is trying to
> join the interfaces into the one multilink bundle because the MPPP
> bundle-name discriminator is the same. I have tried influencing the
> discriminator at both ends but it always uses the SGBP group name on
> the customer's router. We don't want both interfaces in the same bundle
> for various reasons but we do require MPPP on both links.
>
> *Oct 16 04:32:15.139: ppp13 PPP: Phase is FORWARDING, Attempting Forward
> *Oct 16 04:32:15.139: ppp13 PPP: Send Message[Connect Local]
> *Oct 16 04:32:15.139: Vi3 MLP: Added interface to multilink group Mu1
> *Oct 16 04:32:15.139: Vi3 PPP: Phase is DOWN, Setup
> *Oct 16 04:32:15.139: ppp13 PPP: Bind to [Virtual-Access3]
> *Oct 16 04:32:15.139: Vi3 PPP: Send Message[Static Bind Response]
> *Oct 16 04:32:15.143: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
> *Oct 16 04:32:15.143: Vi3 PPP: Phase is ESTABLISHING, Finish LCP
> *Oct 16 04:32:15.143: Vi3 MLP: Request add link to bundle
> *Oct 16 04:32:15.143: Vi3 PPP: Phase is VIRTUALIZED
> *Oct 16 04:32:15.143: Vi3 MLP: Adding link to bundle
> *Oct 16 04:32:15.143: Vi3 MLP: Bundle Di2(ibclnstestSGBP) in different multilink group
> *Oct 16 04:32:15.143: Vi3 MLP: Link not added to bundle
> *Oct 16 04:32:15.143: Vi3 PPP: Sending Acct Event[Down] id[E]
> *Oct 16 04:32:15.143: Vi3 PPP: Phase is TERMINATING
> *Oct 16 04:32:15.143: Vi3 LCP: O TERMREQ [Open] id 2 len 4
> *Oct 16 04:32:15.167: Vi3 PPP: LCP not open, discarding IPCP packet
> *Oct 16 04:32:15.167: Vi3 LCP: I TERMACK [TERMsent] id 2 len 4
> *Oct 16 04:32:15.171: Vi3 LCP: State is Closed
> *Oct 16 04:32:15.171: Vi3 PPP: Phase is DOWN
> *Oct 16 04:32:15.171: Vi3 PPP: Send Message[Disconnect]
> *Oct 16 04:32:15.175: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
> *Oct 16 04:32:15.175: Vi3 MLP: Destroying member subblock, remove from group
> *Oct 16 04:32:15.175: Vi3 MLP: Removed interface from multilink group Mu1
>
> Anyone seen this before? Is there a way around it?
>
> Regards
> Matt
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

--
Matt Saint
Internode Corporate Projects Team Leader
PO Box 284, Rundle Mall 5000
Level 3 132 Grenfell Street
Adelaide South Australia, AUSTRALIA
Ph: 13 0078 8233
Ph: +61 8 8228 2999
Fax: +61 8 8235 6999
Web: http://www.internode.on.net
Straight.Forward

From zorglub421 at gmail.com Thu Oct 16 04:38:55 2008
From: zorglub421 at gmail.com (Zorg 421)
Date: Thu, 16 Oct 2008 10:38:55 +0200
Subject: [c-nsp] netflow only on ingress and HSRP setup
Message-ID: <6b546c750810160138v54e697f5sfe0835d2e30f2013@mail.gmail.com>

(was: ip flow egress on c76k)

Hello c-nsp,

My setup is pretty simple: two routers running BGP and getting full routes, having some kind of backbone LAN to which are connected devices that don't run a dynamic routing protocol. Hence we run HSRP on the backbone LAN so the static default of the firewalls can always get out to the internet (in case of B1 or B2 failing). One border, B2, is a c76k. The other is an NPE-G2. The HSRP primary is on B2.

With netflow being available only on ingress, I'm forced to run netflow on the c76k, B2, on the backbone interface. A big chunk of this traffic is sent to B1 to go out through other upstreams or peerings. On B1 I run "ip flow ingress" and "ip flow egress" on interfaces to the outside world, upstreams and peers, but not on the backbone.

I get traffic duplication in my netflow app (nfsen) because traffic that goes to the default, HSRP on B2, is redirected to B1 and gets out to the net, and is counted on the backbone interface on B2 and on the outside interface on B1. By some kind of "Kirchhoff's law" I could disable "ip flow egress" on external interfaces on B1, but would lose some information like output interface and nexthop for the peerings of B1.
Is there a known workaround to not count this traffic twice? (I cannot see one on my own.)

Regards.

From gulerozgur at yahoo.co.uk Thu Oct 16 04:55:16 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Thu, 16 Oct 2008 08:55:16 +0000 (GMT)
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com>
Message-ID: <264224.35800.qm@web25504.mail.ukl.yahoo.com>

"no mac address-table notification mac-move" might help.

--- On Thu, 16/10/08, Jimmy Halim wrote:

From: Jimmy Halim
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
To: cisco-nsp at puck.nether.net
Date: Thursday, 16 October, 2008, 7:51 AM

Hi guys,

Recently I am getting the following log messages every 2 mins on the 3750 switch.

Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1

This is non service impacting so far. However, I would like to know whether we can disable this logging or not. Anyone have any suggestions?

Many Thanks,
Jimmy
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From wyatt.eliasson at gmail.com Thu Oct 16 06:27:14 2008
From: wyatt.eliasson at gmail.com (Wyatt Mattias Gyllenvarg)
Date: Thu, 16 Oct 2008 12:27:14 +0200
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To: <264224.35800.qm@web25504.mail.ukl.yahoo.com>
References: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com> <264224.35800.qm@web25504.mail.ukl.yahoo.com>
Message-ID: <994752fe0810160327u6c32b1e0rf23d21cf5c48d96e@mail.gmail.com>

Hi all

We have seen 3 instances of this in the last days where a host (probably infected with a virus) has been broadcasting the MAC of the local GW.

Effectively switching all outbound traffic to his port.

The fix has been to shut down the offending port.

So far this has only affected older setups.

//Mattias Gyllenvarg

2008/10/16 Ozgur Guler :
>
> "no mac address-table notification mac-move" might help.
>
>
>
> --- On Thu, 16/10/08, Jimmy Halim wrote:
> From: Jimmy Halim
> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 16 October, 2008, 7:51 AM
>
> Hi guys,
>
> Recently I am getting the following log messages every 2 mins on the 3750
> switch.
>
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 403 is flapping between port Fa1/0/3 and port Gi1/0/1
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>
> This is non service impacting so far. However, I would like to know whether
> we can disable this logging or not. Anyone have any suggestions?
>
> Many Thanks,
> Jimmy
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From cchurc05 at harris.com Thu Oct 16 06:56:23 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 16 Oct 2008 05:56:23 -0500
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To: <994752fe0810160327u6c32b1e0rf23d21cf5c48d96e@mail.gmail.com>
References: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com> <264224.35800.qm@web25504.mail.ukl.yahoo.com> <994752fe0810160327u6c32b1e0rf23d21cf5c48d96e@mail.gmail.com>
Message-ID:

Sounds like an attempt at a man-in-the-middle attack, where an infected host attempts to act as the gateway to see all the network traffic, analyze it, then forward it to the real gateway. Definitely not a good thing.

Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wyatt Mattias Gyllenvarg
Sent: Thursday, October 16, 2008 6:27 AM
To: Ozgur Guler; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF

Hi all

We have seen 3 instances of this in the last days where a host (probably infected with a virus) has been broadcasting the MAC of the local GW.

Effectively switching all outbound traffic to his port.

The fix has been to shut down the offending port.

So far this has only affected older setups.

//Mattias Gyllenvarg

2008/10/16 Ozgur Guler :
>
> "no mac address-table notification mac-move" might help.
>
>
>
> --- On Thu, 16/10/08, Jimmy Halim wrote:
> From: Jimmy Halim
> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
> To: cisco-nsp at puck.nether.net
> Date: Thursday, 16 October, 2008, 7:51 AM
>
> Hi guys,
>
> Recently I am getting the following log messages every 2 mins on the 3750
> switch.
>
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 403 is flapping between port Fa1/0/3 and port Gi1/0/1
> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>
> This is non service impacting so far. However, I would like to know whether
> we can disable this logging or not. Anyone have any suggestions?
>
> Many Thanks,
> Jimmy
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From allan.eising at gmail.com Thu Oct 16 07:27:39 2008
From: allan.eising at gmail.com (Allan Eising)
Date: Thu, 16 Oct 2008 13:27:39 +0200
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To:
References: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com> <264224.35800.qm@web25504.mail.ukl.yahoo.com> <994752fe0810160327u6c32b1e0rf23d21cf5c48d96e@mail.gmail.com>
Message-ID:

I've seen this trap a few times, and it can mean a lot of things depending on the service being provided over the VLAN.

In my experience, it can happen in large layer-2 service provider networks, where a VLAN will carry a customer point-to-point link, and two links are bundled outside of your layer-2 network. If you are providing layer-2 circuits through these VLANs, it would indicate that your VLANs 402 and 403 are bundled by the end user and load-sharing is performed between the two links. If spanning-tree takes these two VLANs through different paths, it could confuse the CAM table, and make it see that MAC address coming from two different ports, thus giving you an error like this.

This mostly happens in larger layer-2 service provider networks. Does this make sense to you?

Allan

On Thu, Oct 16, 2008 at 12:56 PM, Church, Charles wrote:
> Sounds like an attempt at a man-in-the-middle attack, where an infected
> host attempts to act as the gateway to see all the network traffic,
> analyze it, then forward it to the real gateway. Definitely not a good
> thing.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wyatt Mattias
> Gyllenvarg
> Sent: Thursday, October 16, 2008 6:27 AM
> To: Ozgur Guler; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>
>
> Hi all
>
> We have seen 3 instances of this in the last days where a host (probably
> infected with a virus) has been broadcasting the MAC of the local GW.
>
> Effectively switching all outbound traffic to his port.
>
> The fix has been to shut down the offending port.
>
> So far this has only affected older setups.
>
> //Mattias Gyllenvarg
>
>
>
> 2008/10/16 Ozgur Guler :
>>
>> "no mac address-table notification mac-move" might help.
>>
>>
>>
>> --- On Thu, 16/10/08, Jimmy Halim wrote:
>> From: Jimmy Halim
>> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>> To: cisco-nsp at puck.nether.net
>> Date: Thursday, 16 October, 2008, 7:51 AM
>>
>> Hi guys,
>>
>> Recently I am getting the following log messages every 2 mins on the
> 3750
>> switch.
>>
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in
> vlan
>> 403 is flapping between port Fa1/0/3 and port Gi1/0/1
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in
> vlan
>> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in
> vlan
>> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>>
>> This is non service impacting so far. However, I would like to know
> whether
>> we can disable this logging or not. Anyone have any suggestions?
>>
>> Many Thanks,
>> Jimmy
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
>>
>>
>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>

From spinthiras.mario at gmail.com Thu Oct 16 07:47:25 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Thu, 16 Oct 2008 14:47:25 +0300
Subject: [c-nsp] route-map ftp connection
In-Reply-To: <163BE499-FA97-4974-9956-598CAFC0D8DC@basen.net>
References: <163BE499-FA97-4974-9956-598CAFC0D8DC@basen.net>
Message-ID: <4f890e580810160447o43c0b1b6k59502edb6ffbe346@mail.gmail.com>

NBAR is more sensible, since you not only have to pass ftp via your access-list to match the route-map but ftp-data also.

Regards,
Mario

From borgtinderne at btinternet.com Thu Oct 16 06:55:29 2008
From: borgtinderne at btinternet.com (Borg Tinderne)
Date: Thu, 16 Oct 2008 10:55:29 +0000 (GMT)
Subject: [c-nsp] netflow only on ingress and HSRP setup
Message-ID: <291790.51763.qm@web87015.mail.ird.yahoo.com>

Raw netflow is a box-centric view of network traffic; the few netflow display products I have played with over the last decade or so continue with this box-centric view. Can't comment on nfsen.

As interesting as a box-centric view is, I generally find I want a network-centric view of network traffic, so post-processing of flow data with something; for me this has been RYO, so choose your own poison (perl / sql / tcl / awk ..).

----- Original Message ----
From: Zorg 421
To: cisco-nsp at puck.nether.net
Sent: Thursday, 16 October, 2008 9:38:55 AM
Subject: [c-nsp] netflow only on ingress and HSRP setup

(was: ip flow egress on c76k)

Hello c-nsp,

My setup is pretty simple: two routers running BGP and getting full routes, having some kind of backbone LAN to which are connected devices that don't run a dynamic routing protocol. Hence we run HSRP on the backbone LAN so the static default of the firewalls can always get out to the internet (in case of B1 or B2 failing). One border, B2, is a c76k. The other is an NPE-G2. The HSRP primary is on B2.

With netflow being available only on ingress, I'm forced to run netflow on the c76k, B2, on the backbone interface. A big chunk of this traffic is sent to B1 to go out through other upstreams or peerings. On B1 I run "ip flow ingress" and "ip flow egress" on interfaces to the outside world, upstreams and peers, but not on the backbone.

I get traffic duplication in my netflow app (nfsen) because traffic that goes to the default, HSRP on B2, is redirected to B1 and gets out to the net, and is counted on the backbone interface on B2 and on the outside interface on B1. By some kind of "Kirchhoff's law" I could disable "ip flow egress" on external interfaces on B1, but would lose some information like output interface and nexthop for the peerings of B1.

Is there a known workaround to not count this traffic twice? (I cannot see one on my own.)

Regards.
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From torresgi at mail.nih.gov Thu Oct 16 08:46:51 2008
From: torresgi at mail.nih.gov (Giovanni Torres)
Date: Thu, 16 Oct 2008 08:46:51 -0400
Subject: [c-nsp] snmp oid for sh int output
Message-ID: <48F737BB.5050100@mail.nih.gov>

Does anyone know the SNMP MIB and OID for each of the following when you issue the show interface command:

"reliability 255/255, txload 1/255, rxload 1/255"

Thanks.

Giovanni

From newton at atdot.dotat.org Thu Oct 16 08:56:52 2008
From: newton at atdot.dotat.org (Mark Newton)
Date: Thu, 16 Oct 2008 23:26:52 +1030
Subject: [c-nsp] snmp oid for sh int output
In-Reply-To: <48F737BB.5050100@mail.nih.gov>
References: <48F737BB.5050100@mail.nih.gov>
Message-ID:

On 16/10/2008, at 11:16 PM, Giovanni Torres wrote:

> Does anyone know the SNMP MIB and OID for each of the following when
> you issue the show interface command:
> "reliability 255/255, txload 1/255, rxload 1/255"

They're in OLD-CISCO-INTERFACES-MIB. Not supported on all interface types on all platforms, though.

- mark

--------------------------------------------------------------------
I tried an internal modem,                newton at atdot.dotat.org
but it hurt when I walked.                              Mark Newton
----- Voice: +61-4-1620-2223 ------------- Fax: +61-8-82231777 -----

From snar at snar.spb.ru Thu Oct 16 09:20:40 2008
From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Thu, 16 Oct 2008 17:20:40 +0400
Subject: [c-nsp] c2960g: flash gone mad ?
Message-ID: <20081016132040.GA81547@snar.spb.ru>

Hi!

While trying to upgrade IOS on one of our c2960g, I got a strange message:

SW088-022#verify flash:c2960-lanbase-mz.122-46.SE.bin
File system hash verification failed for file flash:c2960-lanbase-mz.122-46.SE.bin(No such file or directory).

however, MD5 verification of the same file succeeded:

SW088-022#verify /md5 flash:c2960-lanbase-mz.122-46.SE.bin
[....] ...................Done!
verify /md5 (flash:c2960-lanbase-mz.122-46.SE.bin) = 27ad87f2c90595f3e682633c7985099a

Well, I tried to format flash:, and re-upload the IOS image - results were the same. And then the switch refused to reload 'by command':

SW088-022#reload
%ERROR: Not able to process Signature in flash:.
%ERROR: Aborting reload.

so I had to visit the equipment room and reboot it by power cycle (it booted normally; looks like there is no signature check on boot).

What is it? Faulty flash? Doesn't look like it - the md5 check is just fine... And what to do with that switch? Is it safe to leave it in the network (an office one; without remote reboot ability it's not qualified for remote installations) or better to RMA it?
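The %SW_MATM-4-MACFLAP_NOTIF thread earlier on this page turns on one question the log line cannot answer by itself: is the flap a loop or a customer bundling two VLANs (Allan's case), or is a host sourcing frames with the gateway's MAC so that the switch forwards everyone's outbound traffic to it (the man-in-the-middle case Mattias and Chuck describe)? Telling those apart needs two facts the switch does not log: which MAC is the gateway of each VLAN, and which ports are uplinks towards it. The Python below is an added example, not code from anyone in the thread. It parses the three lines Jimmy posted plus one constructed extra line, and classifies each flap against a hypothetical inventory; GATEWAY_MACS, UPLINK_PORTS and the verdict names are assumptions, to be replaced with the operator's own data.

```python
"""Triage %SW_MATM-4-MACFLAP_NOTIF syslog lines (added example, not list code).

Assumed inputs (hypothetical, fill in from your own inventory):
  GATEWAY_MACS  -- the default gateway's MAC for each VLAN
  UPLINK_PORTS  -- the ports that legitimately lead towards those gateways
"""
import re
from collections import defaultdict

# The message body as a 3750 logs it; timestamp and hostname may precede it,
# so we search within the line rather than anchoring at its start.
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r" in vlan (?P<vlan>\d+) is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)

# Constructed sample log: the lines from the thread plus one flap between two
# access ports (000c.29aa.bbcc is made up), which looks like a loop, not MITM.
SAMPLE_LOG = """\
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 403 is flapping between port Fa1/0/3 and port Gi1/0/1
Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan 402 is flapping between port Fa1/0/2 and port Gi1/0/1
Oct 16 06:47:10 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 000c.29aa.bbcc in vlan 10 is flapping between port Fa1/0/7 and port Fa1/0/9
"""

# Hypothetical inventory (assumption for the example).
GATEWAY_MACS = {"402": "0017.cbb3.08fc", "403": "0017.cbb3.08fc"}
UPLINK_PORTS = {"Gi1/0/1", "Gi1/0/2"}

SEVERITY = {"access-flap": 0, "uplink-flap": 1, "gateway-impersonation": 2}


def parse_macflaps(log_text):
    """Return one dict (mac, vlan, p1, p2) per MACFLAP line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event, gateway_macs=GATEWAY_MACS, uplink_ports=UPLINK_PORTS):
    """Label one flap.

    gateway-impersonation: the VLAN's gateway MAC is learned on an access port
        as well as on an uplink, i.e. a host is sending frames with the
        gateway's source MAC (the pattern that hijacks outbound traffic).
    uplink-flap: some other MAC moves between an uplink and another port;
        typical of a loop or of two provider VLANs bundled at the customer.
    access-flap: both ports are access ports; a local loop or a moved host.
    """
    ports = {event["p1"], event["p2"]}
    on_uplink = ports & uplink_ports
    off_uplink = ports - uplink_ports
    is_gateway = gateway_macs.get(event["vlan"]) == event["mac"]
    if is_gateway and on_uplink and off_uplink:
        return "gateway-impersonation"
    if on_uplink:
        return "uplink-flap"
    return "access-flap"


def triage(log_text, gateway_macs=GATEWAY_MACS, uplink_ports=UPLINK_PORTS):
    """Group flaps by (vlan, mac); keep the worst verdict and the ports to inspect.

    When an uplink is involved, the suspect ports are the non-uplink ones: for
    a gateway impersonation that is where the offending host sits, which is the
    port one would shut down.
    """
    groups = defaultdict(lambda: {"count": 0, "verdict": "access-flap", "ports": set()})
    for ev in parse_macflaps(log_text):
        g = groups[(ev["vlan"], ev["mac"])]
        g["count"] += 1
        verdict = classify(ev, gateway_macs, uplink_ports)
        if SEVERITY[verdict] > SEVERITY[g["verdict"]]:
            g["verdict"] = verdict
        ports = {ev["p1"], ev["p2"]}
        g["ports"] |= (ports - uplink_ports) if ports & uplink_ports else ports
    return {
        key: {"count": g["count"], "verdict": g["verdict"], "suspect_ports": sorted(g["ports"])}
        for key, g in groups.items()
    }


if __name__ == "__main__":
    for (vlan, mac), info in sorted(triage(SAMPLE_LOG).items()):
        print(f"vlan {vlan} {mac}: {info['verdict']} x{info['count']}"
              f" -> inspect {', '.join(info['suspect_ports'])}")
```

Run as-is it reports the gateway MAC on Fa1/0/2 and Fa1/0/3 as impersonation and the made-up pair of access ports as an ordinary flap; to use it on real data replace SAMPLE_LOG with collector output and fill the two inventory tables. One caveat worth keeping in mind: if "no mac address-table notification mac-move", suggested in the thread as a way to quiet the log, does stop these messages on your platform, it also removes the only signal this kind of check consumes, so for flaps that are noise for a known reason it is better to filter or rate-limit them at the syslog collector than on the switch.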
From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 16 Oct 2008 16:08:31 +0200
Subject: [c-nsp] Troubleshooting Cisco Terminal Server
In-Reply-To: <49999c420810152259v61b2600ta256cbf06a12a721@mail.gmail.com>
Message-ID: <1224166111.15889.7.camel@abehat>

On Thu, 2008-10-16 at 13:59 +0800, cc loo wrote:
> I'm recently stuck in a configuration with a 2800s ISR with a HWIC-16a
> plugged in.
> An octal cable was plugged in, and a few ports were tested.
> When I proceed to telnet 172.21.1.1 at port 2002, a login screen of this
> router (2800) appears. (seems to indicate the port is working?)
> However after typing my username and password and hitting enter, the session
> froze (seems like the console port has no response?)

What's at the other end of your octopus cable? If it's not connected to anything you'd get exactly what you tell: A login screen, but nothing afterwards.

Otherwise a "show line" can give you information on the lines themselves. TTY speed of the line must match what is in the other end of course. Same with parity and so on.

Regards,
Peter

From: have.an.email at gmail.com (Nathan)
Date: Thu, 16 Oct 2008 16:23:24 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <48DA0FDC.2020202@imperial.ac.uk>
Message-ID: <9f785d120810160723s41b7af7bwd7e5dc4575ccb38f@mail.gmail.com>

On Wed, Sep 24, 2008 at 12:01 PM, Phil Mayers wrote:
> You can import from OSPF to BGP, but it has some risks and complexities that
> are best avoided if at all possible. Much worse is distributing BGP into
> OSPF - don't do that.
In case someone even thinks of ever doing that, please note:

rtr(config)# router ospf 10
rtr(config-rtr)# redistribute bgp 65000 subnets route-map JustATeensyFiftyRoutesOrSo

certainly does work as advertised (no idea if it consumes a lot of CPU to filter out all those routes) . . . but trying to remove that using

rtr(config-rtr)# no redistribute bgp 65000 subnets route-map JustATeensyFiftyRoutesOrSo

results in

redistribute bgp 65000 subnets

and that *hurts*

--
HTH
Nathan

From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 16 Oct 2008 09:33:33 -0500
Subject: [c-nsp] c2960g: flash gone mad ?
In-Reply-To: <20081016132040.GA81547@snar.spb.ru>

I believe the IOS is to blame. I saw a similar thing with 12.2(44)SE2 on 3550, I believe. The verify never worked, but MD5 verify did. I don't remember the reload and signature issue though. I'm willing to bet it'll work ok from here on out.

Chuck

From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 16 Oct 2008 11:15:29 -0400
Subject: [c-nsp] NAT - SIP Problem
Message-ID: <000601c92fa2$07081f30$15185d90$@org>

Hi folks...

Have a customer who has two ATA devices behind a Cisco Soho91 and having a problem - trying to figure out if this is an IOS issue, a platform issue or a Session Border Controller issue....

With the "original" ATA in place, things worked fine. With a second ATA hooked up, the first one still works - the second one doesn't. With only the second ATA in place it doesn't work. When I say it doesn't work, the SIP registration will not occur.

XYZ#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp xx.xx.111.3:5060   192.168.0.3:5060   xx.xx.98.6:5060    xx.xx.98.6:5060
udp xx.xx.111.3:1029   192.168.0.6:5060   xx.xx.98.6:5060    xx.xx.98.6:5060

I'm working on the hunch that the SBC is getting confused with this newer ATA on the return traffic as the session stays in the NAT translations table forever.

The "old" ATA is 192.168.0.3 and the new one is 192.168.0.6 - notice the .6 ATA can't use 5060 on the outside interface as it's already in use.
A similar problem came up at another site a while ago (against the same SBCs) and we converted it over to firewalled public IP space and it worked fine - kind of points me back to the way NAT is behaving on these routers but could be an issue between the NAT and the way the SBC sees the traffic....

Cisco Internetwork Operating System Software
IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Any input appreciated...

Paul

From: cchurc05 at harris.com (Church, Charles)
Date: Thu, 16 Oct 2008 10:30:33 -0500
Subject: [c-nsp] NAT - SIP Problem
In-Reply-To: <000601c92fa2$07081f30$15185d90$@org>

Paul,

Do you have "no ip nat service sip udp port 5060" in the config? We had all sorts of registration issues involving NAT until we were told to try that. The documentation for it isn't that good, but what it does is turn off the NAT translation of addresses in the SIP payload. That interferes with an ATA already doing things to get around NAT (as most ATAs do these days). Although that old an IOS may not even be doing the payload translation, or support the command. It's worth a try though.

Chuck

From: snar at snar.spb.ru (Alexandre Snarskii)
Date: Thu, 16 Oct 2008 19:32:23 +0400
Subject: [c-nsp] c2960g: flash gone mad ?
References: <20081016132040.GA81547@snar.spb.ru>
Message-ID: <20081016153223.GC81690@snar.spb.ru>

On Thu, Oct 16, 2008 at 09:33:33AM -0500, Church, Charles wrote:
> I believe the IOS is to blame. I saw a similar thing with 12.2(44)SE2
> on 3550, I believe. The verify never worked, but MD5 verify did. I
> don't remember the reload and signature issue though. I'm willing to
> bet it'll work ok from here on out.

Well, it really looks like some 'new and cool IOS feature', "reload /verify", which is broken in 12.2(46)SE.
Tested that in the lab: got another 2960 (non-g), running 12.2(35)SE5, uploaded and successfully verified 12.2(46)SE, reloaded, and got

Switch#verify flash:c2960-lanbase-mz.122-46.SE.bin
File system hash verification failed for file flash:c2960-lanbase-mz.122-46.SE.bin(No such file or directory).

However, it reloaded just fine, so it looks like there are two _different_ defaults: the 2960 defaults to reload /noverify and the 2960g to reload /verify.

> Chuck

From: peter at rathlev.dk (Peter Rathlev)
Date: Thu, 16 Oct 2008 17:50:27 +0200
Subject: [c-nsp] c2960g: flash gone mad ?
In-Reply-To: <20081016153223.GC81690@snar.spb.ru>
Message-ID: <1224172227.15889.36.camel@abehat>

On Thu, 2008-10-16 at 19:32 +0400, Alexandre Snarskii wrote:
> Switch#verify flash:c2960-lanbase-mz.122-46.SE.bin
> File system hash verification failed for file flash:c2960-lanbase-mz.122-46.SE.bin(No such file or directory).

I just stumbled upon a C3560G with 12.2(40)SE that has the same problem:

211-xf1-asw-10#verify flash:/c3560-ipbasek9-mz.122-40.SE/c3560-ipbasek9-mz.122-40.SE.bin
%Error verifying flash:/c3560-ipbasek9-mz.122-40.SE/c3560-ipbasek9-mz.122-40.SE.bin (No such file or directory)
211-xf1-asw-10#

The device also cannot do a verify operation via SNMP as CISCO-FLASH-MIB describes it. Both things work fine on devices with 12.2(35)SE5.

Regards,
Peter

From: paul at paulstewart.org (Paul Stewart)
Date: Thu, 16 Oct 2008 12:09:12 -0400
Subject: [c-nsp] NAT - SIP Problem
References: <000601c92fa2$07081f30$15185d90$@org>
Message-ID: <000d01c92fa9$88474380$98d5ca80$@org>

Thanks Chuck - didn't know about that command... was discussing internally here and the ATA that doesn't want to work at all has a newer firmware on it which might explain this better too... both ATAs are the same (Tilgin 322) hardware wise...
We'll give it a shot and I'll post back for others if it works ;)

Paul

From: frnkblk at iname.com (Frank Bulk)
Date: Thu, 16 Oct 2008 11:11:22 -0500
Subject: [c-nsp] Wireless Spectrum Analyzers
In-Reply-To: <06C1E76E03FE9C4B85BFA9C75365D9DA0FC01573@tiger.deltadentalwa.com>

Robert:

Cisco bought Cognio, and Fluke's product is an OEM from Cognio. So product selection will be based on how much integration you want and vendor relationships.

Regards,

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Teller, Robert
Sent: Tuesday, October 14, 2008 4:16 PM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] Wireless Spectrum Analyzers

I am getting ready to deploy a wireless network and was curious which spectrum analyzer people have had better luck with. I will be using 4402 WCS (with the location software add-on) and 1131AG lwapp. It looks like the Cisco spectrum analyzer integrates with the WCS but I'm not sure how user friendly it will be. I was also considering Fluke's spectrum analyzer.
Any recommendations for one over the other?

From: jcposeidon at cantv.net (Juan C. Crespo R.)
Date: Thu, 16 Oct 2008 11:31:52 -0430
Subject: [c-nsp] FXO doesn't detect end of call in Venezuela
Message-ID: <48F76570.3080106@cantv.net>

Dears

I have spent a lot of days trying to find how to make my FXO VoiceGateway (3660) detect the end of the call. I tried a lot of things; the last one was with supervisory disconnect anytone, but when people call from a mobile phone the call automatically hangs up, and this is not good :(

I already tried to set cptone VE.

If anyone could send me any idea it would be very good :)

Thanks

From: michaelfox100 at gmail.com (Michael Fox)
Date: Thu, 16 Oct 2008 12:19:27 -0500
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
References: <002801c92f5b$a3d1b9d0$6605820a@asianetcom.com> <264224.35800.qm@web25504.mail.ukl.yahoo.com> <994752fe0810160327u6c32b1e0rf23d21cf5c48d96e@mail.gmail.com>
Message-ID: <1224177567.14306.20.camel@notebook>

I have seen this with a Netapp SAN that has NIC teaming configured and no port-channel configured on the switch.
I don't know if that applies since it is flapping between Fa and Gi. Unless someone just plugged it in the wrong port.

Michael

-----Original Message-----
From: Allan Eising
To: Church, Charles
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
Date: Thu, 16 Oct 2008 13:27:39 +0200

I've seen this trap a few times, and it can mean a lot of things depending on the service being provided over the vlan.

In my experience, it can happen in large layer-2 service provider networks, where a vlan will carry a customer point-to-point link, and two links are bundled outside of your layer-2 network.

If you are providing layer-2 circuits through these vlans, it would indicate that your vlans 402 and 403 are bundled by the end user and load-sharing is performed between the two links. If spanning-tree takes these two vlans through different paths, it could confuse the CAM table, and make it see that mac address coming from two different ports, thus giving you an error like this. This mostly happens in larger layer-2 service provider networks.

Does this make sense to you?

Allan

On Thu, Oct 16, 2008 at 12:56 PM, Church, Charles wrote:
> Sounds like an attempt at a man in the middle attack, where an infected
> host attempts to act as the gateway to see all the network traffic,
> analyze it, then forward it to the real gateway. Definitely not a good
> thing.
>
> Chuck
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Wyatt Mattias
> Gyllenvarg
> Sent: Thursday, October 16, 2008 6:27 AM
> To: Ozgur Guler; cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>
> Hi all
>
> We have seen 3 instances of this in the last days where a host (probably
> infected with a virus) has been broadcasting the mac of the local GW.
>
> Effectively switching all outbound traffic to his port.
>
> Fix has been to shut down the offending port.
>
> So far this has only affected older setups.
>
> //Mattias Gyllenvarg
>
> 2008/10/16 Ozgur Guler :
>>
>> "no mac address-table notification mac-move" might help.
>>
>> --- On Thu, 16/10/08, Jimmy Halim wrote:
>> From: Jimmy Halim
>> Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
>> To: cisco-nsp at puck.nether.net
>> Date: Thursday, 16 October, 2008, 7:51 AM
>>
>> Hi guys,
>>
>> Recently I am getting the following log messages every 2 mins on the 3750
>> switch.
>>
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
>> 403 is flapping between port Fa1/0/3 and port Gi1/0/1
>> Oct 16 06:45:50 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
>> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>> Oct 16 06:46:43 UTC: %SW_MATM-4-MACFLAP_NOTIF: Host 0017.cbb3.08fc in vlan
>> 402 is flapping between port Fa1/0/2 and port Gi1/0/1
>>
>> This is non service impacting so far. However, I would like to know whether
>> we can disable this logging or not. Anyone has any suggestions?
>>
>> Many Thanks,
>> Jimmy

From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 16 Oct 2008 20:26:35 +0200
Subject: [c-nsp] c2960g: flash gone mad ?
In-Reply-To: <1224172227.15889.36.camel@abehat>
Message-ID: <20081016182635.GF8535@greenie.muc.de>

Hi,

On Thu, Oct 16, 2008 at 05:50:27PM +0200, Peter Rathlev wrote:
> On Thu, 2008-10-16 at 19:32 +0400, Alexandre Snarskii wrote:
> > Switch#verify flash:c2960-lanbase-mz.122-46.SE.bin
> > File system hash verification failed for file flash:c2960-lanbase-mz.122-46.SE.bin(No such file or directory).
>
> I just stumbled upon a C3560G with 12.2(40)SE that has the same problem:

Indeed...
sw10-XXXX#verify 2960-lanbase-mz.122-46.SE/c2960-lanbase-mz.122-46.SE.bin
%ERROR: Unable to process embedded hash in flash:2960-lanbase-mz.122-46.SE/c2960-lanbase-mz.122-46.SE.bin.
File system hash verification failed for file 2960-lanbase-mz.122-46.SE/c2960-lanbase-mz.122-46.SE.bin(No such file or directory).

gert

--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

From: networking.stuff at googlemail.com (Chintan Shah)
Date: Fri, 17 Oct 2008 00:52:28 +0530
Subject: [c-nsp] BGP Convergence
Message-ID: <1e7e04890810161222q4b37975fvd9f8c4014314c382@mail.gmail.com>

Hi Guys,

I have a setup like this:

IPV4: PE ---P(RR) ------P(RR)-----PE

P is the core router of each country and acts as RR for IPV4.

VPNV4:

PE---P----P---PE
     !    !
     !    !
     RR   RR

VPNV4 peering from each PE is with a separate RR for MP-BGP....

Now the question is, if I have BGP NHT enabled on all P/VRR/PE I will have BGP convergence of IGP + 5 sec NHT default if any remote PE fails....

But if I don't have NHT enabled across all and have it only partially, can Advertisement Interval be useful? Assume the RRs have BGP NHT enabled but some of the PEs do not.

Regards,
Chintan

From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Thu, 16 Oct 2008 15:44:11 -0400
Subject: [c-nsp] Help: Lost ACS Solution Engine recovery CD (base image 4.1.x)
Message-ID: <3329cbb40810161244k17d77caau937885ddd60db7e5@mail.gmail.com>

Hi all,

I have a broken ACS-SE (CSACSE-1113-K9) running base image release 4.1.1.4 with appliance management release 4.1.1.23.
It's not a production device so it's not urgent, but in the process of attempting to patch it to address the ACS DoS vulnerability, I busted it good and proper. Turns out I needed a 4.1.4 base image first -- it's not very clearly spelled out in the documentation and I thought (hoped) there would be better sanity checking before applying the 4.1.4.13.11 patch.

Anyway, it's quite broken (can't even add users), so I want to take this thing back to factory defaults but I cannot find the recovery CD (this is a customer's device so I personally have no hope of finding it) and for some reason, the 4.x recovery CD images can't be downloaded from CCO.

Is anyone out there willing to cut a .ISO of the 4.1.1 recovery CD and let me download it? Any other options? The customer doesn't have a SAS contract, so TAC won't have a bar of it. Unfortunately I incorrectly assumed that because it was a security vulnerability, fixed software would be provided for free. The advisory actually explicitly states that the upgrade is _not_ free.

I'm not sure why the 4.x recovery CD images aren't available for download -- the 3.2.3 recovery CD image is.

cheers,
Dale

From: dale.shaw+cisco-nsp at gmail.com (Dale Shaw)
Date: Thu, 16 Oct 2008 15:59:58 -0400
Subject: [c-nsp] %SW_MATM-4-MACFLAP_NOTIF
In-Reply-To: <1224177567.14306.20.camel@notebook>
Message-ID: <3329cbb40810161259v2feca080t5a05681987aa4f1b@mail.gmail.com>

Similarly, I've seen this on new Solaris hosts with "local-mac-address" set to false.

# eeprom | grep mac
local-mac-address?=false
#

Needs to be changed to 'true', otherwise all interfaces use the same MAC.

# eeprom local-mac-address?=true
#

cheers,
Dale

On Thu, Oct 16, 2008 at 1:19 PM, Michael Fox wrote:
> I have seen this with a Netapp SAN that has NIC teaming configured and
> no port-channel configured on the switch. I don't know if that applies
> since it is flapping between Fa and Gi. Unless someone just plugged it
> in the wrong port.
>
> Michael

From: mrz at velvet.org (matthew zeier)
Date: Thu, 16 Oct 2008 12:01:53 -0700
Subject: [c-nsp] Sup720, SXH or SXF?
Message-ID: <48F78FA1.40607@velvet.org>

Upgrading a couple 6503s from Sup32s to Sup720-3BXLs. TAC is recommending one of the following images:

-- s72033-adventerprisek9_wan-mz.122-33.SXH3a.bin
-- s72033-adventerprisek9_wan-mz.122-18.SXF15.bin

When asked what the difference was, the best I got back was:

> Their only main difference is on the naming convention for IOS. SXF15 is
> the latest on the SXF train where the patches and software fixed for
> documented bugs were integrated while SXH3a is the latest on the SXH
> train. The new name designed our development Engineers for new code train.

Any recommendations on which train I should be on? The Sup32s are running SXF5.

From: gert at greenie.muc.de (Gert Doering)
Date: Thu, 16 Oct 2008 22:38:56 +0200
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48F78FA1.40607@velvet.org>
Message-ID: <20081016203856.GG8535@greenie.muc.de>

Hi,

On Thu, Oct 16, 2008 at 12:01:53PM -0700, matthew zeier wrote:
> Upgrading a couple 6503s from Sup32s to Sup720-3BXLs. TAC is
> recommending one of the following images:
>
> -- s72033-adventerprisek9_wan-mz.122-33.SXH3a.bin
> -- s72033-adventerprisek9_wan-mz.122-18.SXF15.bin
>
> When asked what the difference was, the best I got back was:
>
> > Their only main difference is on the naming convention for IOS.
> > SXF15 is
> > the latest on the SXF train where the patches and software fixed for
> > documented bugs were integrated while SXH3a is the latest on the SXH
> > train. The new name designed our development Engineers for new code
> > train.

Oh, amazing, this level of detail :-o

If you search on www.cisco.com for "SXH3 release notes", you should find a (very very long) page that details all the new features in SXH as compared to SXF.

> Any recommendations on which train I should be on? The Sup32s are
> running SXF5.

I'd go for SXF13a or SXF14. Those have been very reliable for us. Regarding SXF15, there have been "interesting" reports on this list.

SXH3a has tons of new features, many of them are quite cool, but I'm not sure I fully trust it yet - SXH3 has bitten us with a nasty BGP bug (which is fixed in SXH3a). See the page mentioned above if there is anything you want/need to have - otherwise, I'd stay with SXF.

(SXF5, on the other hand, has memory leaks in BGP, if I remember correctly... :) ).

gert

From: adrian.minta at gmail.com (Adrian Minta)
Date: Thu, 16 Oct 2008 23:52:41 +0300
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <20081016203856.GG8535@greenie.muc.de>
Message-ID: <48F7A999.4050008@gmail.com>

Gert Doering wrote:
> Hi,
>
> On Thu, Oct 16, 2008 at 12:01:53PM -0700, matthew zeier wrote:
...
> If you search on www.cisco.com for "SXH3 release notes", you should find
> a (very very long) page that details all the new features in SXH as
> compared to SXF.
> > > Perhaps providing extensive changelogs will not make them look very good. From tvarriale at comcast.net Thu Oct 16 19:07:35 2008 From: tvarriale at comcast.net (Tony Varriale) Date: Thu, 16 Oct 2008 18:07:35 -0500 Subject: [c-nsp] Sup720, SXH or SXF? References: <48F78FA1.40607@velvet.org> Message-ID: <002801c92fe3$fa2d3c40$0100fea9@flamadam> I would probably try SXF14 or SXH1. It really depends on what you are doing. SXH3 hasn't really receive great praise from what I've heard so far. tv ----- Original Message ----- From: "matthew zeier" To: Sent: Thursday, October 16, 2008 2:01 PM Subject: [c-nsp] Sup720, SXH or SXF? > Upgrading a couple 6503s from Sup32s to Sup720-3BXLs. TAC is recommending > one of the following images: > > -- s72033-adventerprisek9_wan-mz.122-33.SXH3a.bin > -- s72033-adventerprisek9_wan-mz.122-18.SXF15.bin > > When asked what the difference was, the best I got back was: > > > Their only main difference is on the naming convention for IOS. SXF15 is > > the latest on the SXF train where the patches and sotware fixed for > > documented bugs were integrated while SHX3a is the latest on the SXH > > train. The new name designed our development Engineers for new code > train. > > Any recommendations on which train I should be on? The Sup32s are running > SXF5. > _______________________________________________ > cisco-nsp mailing list cisco-nsp at puck.nether.net > https://puck.nether.net/mailman/listinfo/cisco-nsp > archive at http://puck.nether.net/pipermail/cisco-nsp/ From andy.saykao at staff.netspace.net.au Thu Oct 16 21:05:51 2008 From: andy.saykao at staff.netspace.net.au (Andy Saykao) Date: Fri, 17 Oct 2008 12:05:51 +1100 Subject: [c-nsp] Strange Radius Debug seen with SB Release Message-ID: <56F211C5E3F24F47B103EA1B253822BE0365498A@vic-cr-ex1.staff.netspace.net.au> Good pickup Euan. Added "aaa accounting delay-start all" to fix the problem. test-lns-mel(config)#aaa accounting delay-start ? 
  all  Delay start records for all vrf and non-vrf users.
  vrf  VPN Routing/Forwarding parameters

If using "aaa accounting delay-start", it doesn't delay the accounting packet for VRF's on the SB release. Works fine for other IOS I tested w/o needing to add the word "all" to the end of the command.

Cheers.

Andy

From mb at adv.gcomm.com.au Thu Oct 16 20:38:11 2008
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Fri, 17 Oct 2008 10:38:11 +1000
Subject: [c-nsp] ACL's on policy-map - No hits?
Message-ID: <20081017103811.iucvvq9mkicgko4s@webmail.datafx.com.au>

Hi,

We have the following policy-map setup on 2960's and 3750's for customer facing ports:

class-map match-any LAN_MANAGEMENT
  match access-group name LAN_MANAGEMENT
class-map match-any SERVER_MANAGEMENT
  match access-group name SERVER_MANAGEMENT

policy-map ACCESS_PORT
  class LAN_MANAGEMENT
    set ip dscp af31
  class SERVER_MANAGEMENT
    set ip dscp af31
  class class-default
    set ip dscp default
    police 10000000 16000 exceed-action policed-dscp-transmit

ip access-list extended LAN_MANAGEMENT
  remark telnet traffic
  permit tcp any any eq telnet
  permit tcp any eq telnet any
  remark ssh traffic
  permit tcp any any eq 22
  permit tcp any eq 22 any
  remark snmp traffic
  permit udp any any eq snmp
  permit udp any eq snmp any
  permit udp any any eq snmptrap
  permit udp any eq snmptrap any

ip access-list extended SERVER_MANAGEMENT
  remark RDP traffic
  permit tcp any any eq 3389
  permit tcp any eq 3389 any

interface FastEthernet0/1
  switchport access vlan 191
  switchport mode access
  switchport port-security maximum 10
  switchport port-security
  switchport port-security aging time 10
  storm-control broadcast level 20.00
  storm-control action trap
  spanning-tree portfast
  spanning-tree guard root
  service-policy input ACCESS_PORT

We see the policer is working (Formatting will prob. be terrible - Apologies!):

#show mls qos interface fastEthernet 0/1 statistics
FastEthernet0/1 (All statistics are in packets)

  dscp: incoming
-------------------------------
  0 -  4 : 477175 0 0 0 0
  5 -  9 : 0 0 0 0 0
 10 - 14 : 0 0 0 0 0
 15 - 19 : 0 0 0 0 0
 20 - 24 : 0 0 0 0 0
 25 - 29 : 0 0 0 0 0
 30 - 34 : 0 0 0 0 0
 35 - 39 : 0 0 0 0 0
 40 - 44 : 0 0 0 0 0
 45 - 49 : 0 0 0 0 0
 50 - 54 : 0 0 0 0 0
 55 - 59 : 0 0 0 0 0
 60 - 64 : 0 0 0 0

  dscp: outgoing
-------------------------------
  0 -  4 : 932319 0 0 0 0
  5 -  9 : 0 0 0 0 0
 10 - 14 : 0 0 0 0 0
 15 - 19 : 0 0 0 0 0
 20 - 24 : 0 0 0 0 0
 25 - 29 : 0 0 0 0 0
 30 - 34 : 0 0 0 0 0
 35 - 39 : 0 0 0 0 0
 40 - 44 : 0 0 0 0 0
 45 - 49 : 0 0 0 0 0
 50 - 54 : 0 0 0 0 0
 55 - 59 : 0 0 0 0 0
 60 - 64 : 0 0 0 0

  cos: incoming
-------------------------------
  0 -  4 : 477191 0 0 0 0
  5 -  7 : 0 0 0

  cos: outgoing
-------------------------------
  0 -  4 : 932333 0 0 0 0
  5 -  7 : 0 0 0

Policer: Inprofile: 29413 OutofProfile: 19101

But, when performing RDP/SSH etc to/from server connected to port, ACL's show no hits?

#sh access-lists
Extended IP access list LAN_MANAGEMENT
    10 permit tcp any any eq telnet
    20 permit tcp any eq telnet any
    30 permit tcp any any eq 22
    40 permit tcp any eq 22 any
    50 permit udp any any eq snmp
    60 permit udp any eq snmp any
    70 permit udp any any eq snmptrap
    80 permit udp any eq snmptrap any
Extended IP access list SERVER_MANAGEMENT
    10 permit tcp any any eq 3389
    20 permit tcp any eq 3389 any

Is this to be expected?

-------------------------------------------------------------------------
This e-mail was sent via Data FX Online WebMail http://www.datafx.com.au/

From zhuifeng0426 at gmail.com Thu Oct 16 23:30:40 2008
From: zhuifeng0426 at gmail.com (zhuifeng0426)
Date: Fri, 17 Oct 2008 11:30:40 +0800
Subject: [c-nsp] About CISCO ACS UCP
References: <200810171126065936069@gmail.com>, <200810171129422181310@gmail.com>
Message-ID: <200810171130383122130@gmail.com>

Hi all:

Maybe the previous e-mail was too big for the list.
I'm facing a problem with UCP (user change password). I've already installed ACS 4.0 for Windows on my Windows 2000 server. Also, I did all the things for UCP (prepare IIS, add ACS server, etc.). When I install UCP on the same PC, a problem appears:

1. If I install UCP from the ACS CD, I can't finish it because UCP can't communicate with ACS.
2. But with the same config, if I install UCP v3.3.1 or 3.3.4, I can finish the UCP install. But when I open IE with UCP's IP address and try to login with my username and password, it always says "invalid user".

Any ideas? Thanks in advance!

2008-10-17

Best regards,
YiFeng Zhou
Mail: zhuifeng0426 at gmail.com
MSN: zhuifeng0426 at hotmail.com
Mobile: +86 (0)15905171724

From oboehmer at cisco.com Fri Oct 17 02:17:33 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Fri, 17 Oct 2008 08:17:33 +0200
Subject: [c-nsp] BGP Convergance
In-Reply-To: <1e7e04890810161222q4b37975fvd9f8c4014314c382@mail.gmail.com>
References: <1e7e04890810161222q4b37975fvd9f8c4014314c382@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406378ED8@xmb-ams-333.emea.cisco.com>

Chintan Shah <> wrote on Thursday, October 16, 2008 9:22 PM:

> Hi Guys,
>
> I have a setup like this:
>
> IPV4 :
>
> PE ---P(RR) ------P(RR)-----PE
>
> P is the core router of each country and acts as RR for IPV4.
> [...]
> VPNV4 peering from each PE is with a separate RR for MP-BGP....
>
> Now the question is, if I have BGP NHT enabled on all P/VRR/PE I will
> have BGP convergence of IGP + 5 sec NHT default if any remote PE
> fails....

sort of, depending on vpnv4 table size on PEs, you need to add some time for table scans and stuff.. and this also assumes the alternate path (to the "other" PE) is already imported in your VRF.

> But if I don't have NHT enabled across all and only have it partially, can
> Advertisement Interval be useful? Assume the RRs have BGP NHT
> enabled but some of the PEs do not.
Yes, NHT on the RR would also help to speed up convergence for the cases where not all PEs have NHT capability..

Have you tuned your IGP for faster convergence?

	oli

From gert at greenie.muc.de Fri Oct 17 03:32:09 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 17 Oct 2008 09:32:09 +0200
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48F7A88C.9020508@Janoszka.pl>
References: <48F78FA1.40607@velvet.org> <20081016203856.GG8535@greenie.muc.de> <48F7A88C.9020508@Janoszka.pl>
Message-ID: <20081017073209.GH8535@greenie.muc.de>

Hi,

On Thu, Oct 16, 2008 at 10:48:12PM +0200, Grzegorz Janoszka wrote:
> Gert Doering wrote:
> >SXH3a has tons of new features, many of them are quite cool, but I'm not
> >sure I fully trust it yet - SXH3 has bitten us with a nasty BGP bug (which
> >is fixed in SXH3a). See the page mentioned above if there is anything
> >you want/need to have - otherwise, I'd stay with SXF.
>
> Could you point me to any web page describing this bug? Or maybe please
> describe to me how and when it occurs.

See the archives of this mailing list, subject "ghost bug".

http://www.gossamer-threads.com/lists/cisco/nsp/93863?do=post_view_threaded

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Oct 17 03:34:19 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 17 Oct 2008 09:34:19 +0200
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48F7A999.4050008@gmail.com>
References: <48F78FA1.40607@velvet.org> <20081016203856.GG8535@greenie.muc.de> <48F7A999.4050008@gmail.com>
Message-ID: <20081017073419.GI8535@greenie.muc.de>

Hi,

On Thu, Oct 16, 2008 at 11:52:41PM +0300, Adrian Minta wrote:
> Gert Doering wrote:
> >On Thu, Oct 16, 2008 at 12:01:53PM -0700, matthew zeier wrote:
> ...
> >If you search on www.cisco.com for "SXH3 release notes", you should find
> >a (very very long) page that details all the new features in SXH as
> >compared to SXF.
>
> Perhaps providing extensive changelogs will not make them look very good.

Actually the change logs are quite detailed. What I dislike about that page is that it lumps together all sorts of stuff that is vaguely SXH release related - "new features", "resolved caveats", and "in-depth description of supported hardware". Especially the latter one is usually not what you want to see (and what you want your browser to wait for) if you're looking for resolved caveats...

I think web designers should be forced to view their own products over a 64k ISDN line, with a browser that runs on a 500MHz machine. That would make them feel the pain...

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From gert at greenie.muc.de Fri Oct 17 03:35:14 2008
From: gert at greenie.muc.de (Gert Doering)
Date: Fri, 17 Oct 2008 09:35:14 +0200
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <002801c92fe3$fa2d3c40$0100fea9@flamadam>
References: <48F78FA1.40607@velvet.org> <002801c92fe3$fa2d3c40$0100fea9@flamadam>
Message-ID: <20081017073514.GJ8535@greenie.muc.de>

Hi,

On Thu, Oct 16, 2008 at 06:07:35PM -0500, Tony Varriale wrote:
> SXH3 hasn't really received great praise from what I've heard so far.

Just to make that clear: except for the BGP ghosts and the scp crash bug, we have *not* seen any nasties in SXH3/SXH3a yet (SXH3 non-modular). We might have been lucky, though :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany gert at greenie.muc.de
fax: +49-89-35655025 gert at net.informatik.tu-muenchen.de

From dmitry at dmitry.net Fri Oct 17 04:39:27 2008
From: dmitry at dmitry.net (Dmitry Kiselev)
Date: Fri, 17 Oct 2008 11:39:27 +0300
Subject: [c-nsp] TwinGig on Cat4900M
Message-ID: <20081017083927.GI73762@f17.dmitry.net>

Hello!

Could anybody on the list confirm that TwinGig converters work fine in the 8 onboard 10G ports of the 4900M? I heard strange rumors that only the 8-port half-cards support TwinGigs, with no support for the onboard ports and the 4-port half-card due to lack of special ASICs.

Thanks!

-- 
Dmitry Kiselev

From pete at bytemark.co.uk Fri Oct 17 04:09:01 2008
From: pete at bytemark.co.uk (Peter Taphouse)
Date: Fri, 17 Oct 2008 09:09:01 +0100
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48F78FA1.40607@velvet.org>
References: <48F78FA1.40607@velvet.org>
Message-ID: <48F8481D.6090901@bytemark.co.uk>

matthew zeier wrote:
> Upgrading a couple 6503s from Sup32s to Sup720-3BXLs. TAC is
> recommending one of the following images:
>
> -- s72033-adventerprisek9_wan-mz.122-33.SXH3a.bin
> -- s72033-adventerprisek9_wan-mz.122-18.SXF15.bin
>
> When asked what the difference was, the best I got back was:
>
>> Their only main difference is on the naming convention for IOS. SXF15 is
>> the latest on the SXF train where the patches and software fixed for
>> documented bugs were integrated while SXH3a is the latest on the SXH
>> train. The new name designed our development Engineers for new code
> train.
>
> Any recommendations on which train I should be on? The Sup32s are
> running SXF5.

I'd stick with the SXF that you know and love, if it works on the sup32 chances are it'll go fine on the older sup720.
We ran SXF9 for >1 year without a reload, but on purchasing a couple more 6500/7600s decided to move to SXH for some features that we thought were nice, but weren't absolutely necessary. This yielded the following IOS path over a couple of months:

* SXH2a looked good, but every week or two a router would spontaneously reload. Was due to a load of netflow bugs which were fixed in...
* SXH3 fixed the netflow bug, but introduced a bgp ghosting bug (as mentioned previously on this thread), so to the safe haven of...
* SXF15 which has a bug in BFD that caused a router to reload when it detects a link flap, turning a sub-second blip into a 10 minute brown out whilst the router reloaded.

We're now still running SXF15, and we've not had any problems since we disabled bfd everywhere. Unless you *need* the SXH features, stick with an IOS you know works for what you do.

Cheers,
-- 
Peter Taphouse
Bytemark Hosting
http://www.bytemark-hosting.co.uk
tel. +44 (0) 845 004 3 004

From nishal at is.co.za Fri Oct 17 07:30:53 2008
From: nishal at is.co.za (Nishal Goburdhan)
Date: Fri, 17 Oct 2008 13:30:53 +0200
Subject: [c-nsp] TwinGig on Cat4900M
In-Reply-To: <20081017083927.GI73762@f17.dmitry.net>
References: <20081017083927.GI73762@f17.dmitry.net>
Message-ID:

On 17 Oct 2008, at 10:39 AM, Dmitry Kiselev wrote:

> Hello!
>
> Could anybody on the list confirm that TwinGig converters
> work fine in the 8 onboard 10G ports of the 4900M? I heard strange rumors
> that only the 8-port half-cards support TwinGigs,

http://tinyurl.com/2hj3zk only mentions support for the 8-port.

> with no support
> for the onboard ports and the 4-port half-card due to lack of special
> ASICs.

to get the TwinGig working, you need to:

hw-module module x port-group y select gigabitethernet

as at 122-46.SG, 1 (ie. onboard) is not a selectable option for x.

--n.
From cfriacas at fccn.pt Fri Oct 17 08:00:09 2008
From: cfriacas at fccn.pt (Carlos Friacas)
Date: Fri, 17 Oct 2008 13:00:09 +0100 (WEST)
Subject: [c-nsp] TwinGig on Cat4900M
In-Reply-To: <20081017083927.GI73762@f17.dmitry.net>
References: <20081017083927.GI73762@f17.dmitry.net>
Message-ID:

On Fri, 17 Oct 2008, Dmitry Kiselev wrote:

> Hello!
>
> Could anybody on the list confirm that TwinGig converters
> work fine in the 8 onboard 10G ports of the 4900M? I heard strange rumors
> that only the 8-port half-cards support TwinGigs, with no support
> for the onboard ports and the 4-port half-card due to lack of special
> ASICs.

Yes, already read about that in the documentation. :-)

That's why we bought two 8-port cards. The backplane bandwidth per slot is still just 40Gbps, but the ability to support twingig adapters was essential to interconnect the 4900M box to 1GE only boxes.

> Thanks!
>
> --
> Dmitry Kiselev

Best Regards,
-------------------------------------------------------------------------
Carlos Friaças                          See: Wide Area Network Working Group (WAN)
FCCN - Fundacao para a Computacao Cientifica Nacional        www.gigapix.pt
Av. do Brasil, n.101                                         www.6deploy.org
1700-066 Lisboa, Portugal, Europe                            www.ipv6.eu
Tel: +351 218440100 Fax: +351 218472167                      www.fccn.pt
-------------------------------------------------------------------------
The end is near........ see http://ipv4.potaroo.net
"Internet is just routes (282391/1511), naming (billions) and... people!"
Esta mensagem foi enviada de: / This message was sent from: 2001:690:2080:8004:250:daff:fe3b:2830

From luan at netcraftsmen.net Fri Oct 17 08:31:32 2008
From: luan at netcraftsmen.net (Luan Nguyen)
Date: Fri, 17 Oct 2008 08:31:32 -0400
Subject: [c-nsp] ACL's on policy-map - No hits?
In-Reply-To: <20081017103811.iucvvq9mkicgko4s@webmail.datafx.com.au>
References: <20081017103811.iucvvq9mkicgko4s@webmail.datafx.com.au>
Message-ID: <010d01c93054$49a1dae0$dce590a0$@net>

Yeah, that's a QOS limitation on those switches: "The display for the show policy-map interface user EXEC command shows zeros for the counters associated with class-map match criteria. There is no workaround. (CSCec08205)"

http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_37_se/release/notes/OL12616.html

Luan Nguyen
Chesapeake NetCraftsmen, LLC.
www.NetCraftsmen.net
From avayner at cisco.com Fri Oct 17 08:50:37 2008
From: avayner at cisco.com (Arie Vayner (avayner))
Date: Fri, 17 Oct 2008 14:50:37 +0200
Subject: [c-nsp] TwinGig on Cat4900M
In-Reply-To: <20081017083927.GI73762@f17.dmitry.net>
References: <20081017083927.GI73762@f17.dmitry.net>
Message-ID: <67F7C1FAF83A074AA3520D8F155782A502041FAB@xmb-ams-331.emea.cisco.com>

Yes, the TwinGig modules work only on the extension modules, and would not work on the onboard ports.

Arie

From harbor235 at gmail.com Fri Oct 17 09:50:01 2008
From: harbor235 at gmail.com (Mike Johnson)
Date: Fri, 17 Oct 2008 09:50:01 -0400
Subject: [c-nsp] RSP720-10G
Message-ID: <836bf1f90810170650k69b5bdeeyaae9a776c11cc7d8@mail.gmail.com>

Does anyone know the details of the problems they are having with the RSP720-10G? Specifically, RPR+ and IPSEC? I hope a new software release will fix the problems.
Any details or experiences would be greatly appreciated.

harbor235 ;}

From cchurc05 at harris.com Fri Oct 17 09:53:52 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 17 Oct 2008 08:53:52 -0500
Subject: [c-nsp] Typical BGP operational policies
Message-ID:

Hey all,

I support a small network, with own ASN. They use address space given by provider A, and are dual homed to providers A and B. We take full routes from each, and announce that address space (a /23) to both. In looking at a variety of looking glass sites out there, I see most only see that network via provider A's AS. One I found did see it via provider B only. Is filtering being done by provider B outbound to its peers the only explanation for this (or the most likely one)? One particular looking glass didn't have a path to us via provider B, yet does see our serial interface address (last hop that's still part of provider B AS) as reachable via provider B. For what it's worth, address space is 75.77.38.0/23, ASN is 26296. Provider A is 11456, B is 6389. Just wondering if there is a real issue here, or if this partial reachability depending on where you are is normal...

Thanks in advance,

Chuck

From simestd at netexpress.com Fri Oct 17 10:55:57 2008
From: simestd at netexpress.com (Tom Simes)
Date: Fri, 17 Oct 2008 06:55:57 -0800
Subject: [c-nsp] Typical BGP operational policies
In-Reply-To:
References:
Message-ID: <20081017065557.4558f53f.simestd@netexpress.com>

On Fri, 17 Oct 2008 08:53:52 -0500
"Church, Charles" wrote:

> Hey all,
>
> I support a small network, with own ASN. They use address space
> given by provider A, and are dual homed to providers A and B. We take
> full routes from each, and announce that address space (a /23) to
> both. In looking at a variety of looking glass sites out there, I see
> most only see that network via provider A's AS. One I found did see
> it via provider B only.
> Is filtering being done by provider B
> outbound to its peers the only explanation for this (or the most
> likely one)? One particular looking glass didn't have a path to us
> via provider B, yet does see our serial interface address (last hop
> that's still part of provider B AS) as reachable via provider B. For
> what it's worth, address space is 75.77.38.0/23, ASN is 26296.
> Provider A is 11456, B is 6389. Just wondering if there is a real
> issue here, or if this partial reachability depending on where you are
> is normal...

Hi Chuck,

From my little corner of the net (AS7782) this is what your address space looks like.

! show me what's making it upstream via AS11456 (provider A)
gsr1.sea#sh ip bgp 75.77.38.0 | include 11456 26296
  4323 11456 26296, (received-only)
  3356 11456 26296, (received & used)
  2914 3356 11456 26296, (received & used)

! show me what's making it upstream via AS6389 (provider B)
gsr1.sea#sh ip bgp 75.77.38.0 | include 6389 26296
  174 6389 26296, (received & used)
gsr1.sea#

Ok, so both providers are advertising the space to at least one of their upstreams - so let's compare your advertisement with how providers A & B's own space is advertised:

! provider A
gsr1.sea#sh ip bgp 70.43.63.21 | include 11456
  4323 11456, (received-only)
  174 4323 11456, (received & used)
  3356 1239 4323 11456, (received & used)
  2914 4323 11456, (received & used)
gsr1.sea#

Ok, so it looks like provider A only has AS4323 as a transit peer (immediate upstream).

! provider B
gsr1.sea#sh ip bgp 205.152.6.20 | include 6389
  4323 7018 6389, (received-only)
  174 6389, (received & used)
  3356 7018 6389, (received & used)
  2914 7018 6389, (received & used)
gsr1.sea#

Provider B has both AS7018 and AS174 as transit peers, but I'm not seeing your advertisement via the 7018 6389 path from provider B.

From this quick look, I would guess that your advertisement via provider A is more widespread simply because your /23 block is a small part of their larger aggregate address space.
While it's possible provider B is only showing your /23 block to AS174, it's much more likely that AS7018 is filtering out your advertisement based on prefix length because the /23 block is so small.

Tom

======================================================================
"Z-80 system stack overflow. Shut 'er down Scotty, the system's sucking mud"
- Error message on TRS 80 Model-16B
Tom Simes simestd at netexpress.com
======================================================================

From justin at justinshore.com Fri Oct 17 11:01:21 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 17 Oct 2008 10:01:21 -0500
Subject: [c-nsp] Basic MPLS 7200
In-Reply-To: <48F4E2D3.4020307@memetic.org>
References: <48F4E2D3.4020307@memetic.org>
Message-ID: <48F8A8C1.1030507@justinshore.com>

Adam Armstrong wrote:
> Gary Roberton wrote:
>> I want to put together a basic 7206 for MPLS. Anyone got a build
>> handy that
>> they have used? I am just after Chassis, IOS, memory, not interfaces.
>>
>>
> I'd only recommend the 7206vxr + NPE-G1 or 7206vxr + NPE-G2
>
> Choice is between 3 Cu/Gbic and 1Mpps and 4 Cu/SFP and 2Mpps

I would recommend against the NPE-G1. The price difference between the G1 and G2 at list is $4k. At discount that's chump change for twice the throughput.

Justin

From p.mayers at imperial.ac.uk Fri Oct 17 11:43:29 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Fri, 17 Oct 2008 16:43:29 +0100
Subject: [c-nsp] SCP bug in SXH3 i.e. CSCsr86489
Message-ID: <48F8B2A1.6090900@imperial.ac.uk>

All,

Just FYI, the above bug (a "catastrophic" sup-crasher in SXH3) is not fixed in SXH3a.

Pathetic.

From cisco at peakpeak.com Fri Oct 17 11:09:38 2008
From: cisco at peakpeak.com (Networkers)
Date: Fri, 17 Oct 2008 09:09:38 -0600
Subject: [c-nsp] 7206VXR and CBWFQ
Message-ID:

Whenever I try to apply the following I get an error message about how CBWFQ can't be applied to subinterfaces. What is the correct way to do this?
Thanks,
Chris

class-map match-any VOIP
  match ip dscp ef
  match precedence 5
class-map match-all CRITICAL
  match access-group 100

policy-map MyCBWFQ
  class CRITICAL
    priority 48
  class VOIP
    bandwidth 320
    set precedence 6

vc-class atm MyClass
  ubr 1536
  encapsulation aal5mux ppp Virtual-Template5

interface Virtual-Template5
  ip unnumbered Loopback0
  service-policy output MyCBWFQ
  peer default ip address pool default
  ppp authentication pap callin

interface ATM2/0.1921 point-to-point
  pvc 1/1921
    class-vc MyClass

From cchurc05 at harris.com Fri Oct 17 12:19:03 2008
From: cchurc05 at harris.com (Church, Charles)
Date: Fri, 17 Oct 2008 11:19:03 -0500
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To:
References:
Message-ID:

I believe the priority queuing can only be applied to a main interface, not a subint. Create a second policy, and do the priority queuing on that one, and apply that to the main int. The VOIP class/policy can remain on the subint. I'm not totally sure about ATM, but that's how I've seen it work on Ethernet.

Chuck

From b.turnbow at twt.it Fri Oct 17 12:19:57 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Fri, 17 Oct 2008 18:19:57 +0200
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To:
References:
Message-ID:

Your pvc needs to be abr/vbr/cbr
You can't do it on ubr

Regards

Brian

From justin at justinshore.com Fri Oct 17 12:29:41 2008
From: justin at justinshore.com (Justin Shore)
Date: Fri, 17 Oct 2008 11:29:41 -0500
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: <1224018141.31143.4.camel@abehat>
References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> <1224018141.31143.4.camel@abehat>
Message-ID: <48F8BD75.8000505@justinshore.com>

Peter Rathlev wrote:
> This would be SVI mode "EoMPLS", where one would expect local switching.
> Remember that "interface Vlan1005" isn't the same as "vlan 1005". It
> would be VERY nice if the PFC3 could do this, but unfortunately it
> can't. You need more expensive equipment for that. :-)

I wish we could do this. 6700 series cards...

> This is VLAN mode EoMPLS. The PFC3 supports this and (physical) port
> mode.

I still haven't been able to get this to work. I tried this between 2 7600s running SRB1 and between the same 7600s to 2 6524s, one running SXH and the other running ZU code. The thing just won't come up. I wish we could do SVI-based EoMPLS on at least the 6524 end.
Justin

From vcappuccio at gmail.com Fri Oct 17 12:52:23 2008
From: vcappuccio at gmail.com (Victor Cappuccio)
Date: Fri, 17 Oct 2008 18:52:23 +0200
Subject: [c-nsp] 7206VXR and CBWFQ
In-Reply-To:
References:
Message-ID:

Hi,

Subinterfaces and software interfaces do not have their own separate transmit (Tx) ring; therefore, no congestion can occur. These interface types include dialers, tunnels, and Frame Relay subinterfaces, and will only congest when their main hardware interface Tx ring congests. The Tx ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing mechanism. In the example below, we configure LLQ using the priority command and CBWFQ using the bandwidth command. Refer to Congestion Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping. Apply the child policy as a command under the parent policy since the admission control for the child class is done based on the shaping rate for the parent class.

policy-map parent
 class class-default
  shape average 2000000
  service-policy child

3. Apply the parent policy to the subinterface.

interface Serial0/0.1
 service-policy parent

Cisco Page: http://tinyurl.com/ytt8ge

Note: Class-based shaping works at the interface and subinterface level. Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the main interface and IP addresses on the subinterfaces.
thanks,
Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com

On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:
> Your PVC needs to be ABR/VBR/CBR.
> You can't do it on UBR.
>
> Regards
>
> Brian

From peterkcc2001 at gmail.com Fri Oct 17 13:28:35 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Fri, 17 Oct 2008 13:28:35 -0400
Subject: [c-nsp] can I know what is this command issue and want to learn about cisco best practice
In-Reply-To:
References:
Message-ID:

> Hi all
>
> I am new to Cisco
>
> 1/ Can I know what this command issue is?
>
> cisco6513(config)#username peter privilege 15 password 7 peterpassword
> Invalid encrypted password: peterpassword
>
> 2/ I want to learn about best practice when doing the Cisco config?
> eg:
> I heard it is better to issue a command (eg: "shutdown xx sec") when doing
> remote configuration of critical routes;
> it can avoid losing the connection. The router can reload the startup config
> even if the connection is lost.
>
> Thank you for your help
>

From jay at west.net Fri Oct 17 13:48:51 2008
From: jay at west.net (Jay Hennigan)
Date: Fri, 17 Oct 2008 10:48:51 -0700
Subject: [c-nsp] can I know what is this command issue and want to learn about cisco best practice
In-Reply-To:
References:
Message-ID: <48F8D003.1090408@west.net>

kcc wrote:
>> Hi all
>>
>> I am new to Cisco
>>
>> 1/ Can I know what this command issue is?
>>
>> cisco6513(config)#username peter privilege 15 password 7 peterpassword
>> Invalid encrypted password: peterpassword

Because you have the number "7" after the keyword "password", IOS is expecting an obfuscated (encrypted is too strong a word here) password to follow. You have supplied a plaintext password. Try:

username peter privilege 15 password peterpassword

Or for more security if your IOS supports it:

username peter privilege 15 secret peterpassword

>> 2/ I want to learn about best practice when doing the Cisco config?
>> eg:
>> I heard it is better to issue a command (eg: "shutdown xx sec") when doing
>> remote configuration of critical routes;
>> it can avoid losing the connection. The router can reload the startup config
>> even if the connection is lost.

Yes, if you're configuring remotely, you can type:

reload in 30

which tells the router to reload in 30 minutes. Then make your configuration changes. If you lock yourself out, the changes won't be written to memory and when the timer expires you can get back in with the old configuration.
If you are successful in modifying the configuration without locking yourself out, after saving your changes type:

reload cancel

to stop the countdown and cancel the reload process.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From kratzers at pa.net Fri Oct 17 14:30:36 2008
From: kratzers at pa.net (Stephen Kratzer)
Date: Fri, 17 Oct 2008 14:30:36 -0400
Subject: [c-nsp] can I know what is this command issue and want to learn about cisco best practice
In-Reply-To:
References:
Message-ID: <200810171430.36824.kratzers@pa.net>

On Friday 17 October 2008 13:28:35 kcc wrote:
> > Hi all
> >
> > I am new to Cisco
> >
> > 1/ Can I know what this command issue is?
> >
> > cisco6513(config)#username peter privilege 15 password 7 peterpassword
> > Invalid encrypted password: peterpassword

This command is invalid because the string 'peterpassword' is plaintext. Change the 7 to 0.

> > 2/ I want to learn about best practice when doing the Cisco config?
> > eg:
> > I heard it is better to issue a command (eg: "shutdown xx sec") when doing
> > remote configuration of critical routes;
> > it can avoid losing the connection. The router can reload the startup
> > config even if the connection is lost.

If you are making changes that could potentially cause loss of remote connectivity, and you do not have physical access to the box, it is best practice to issue 'reload in x' where x is the minutes until reload. You want to ensure that x is long enough to make and verify your changes but short enough not to cause extended downtime if you make a mistake. Five to ten minutes is usually good for us. And remember to issue 'reload cancel' if your changes are made successfully.
> > Thank you for your help

From peterkcc2001 at gmail.com Fri Oct 17 15:15:57 2008
From: peterkcc2001 at gmail.com (kcc)
Date: Fri, 17 Oct 2008 15:15:57 -0400
Subject: [c-nsp] can I know what is this command issue and want to learn about cisco best practice
In-Reply-To: <200810171430.36824.kratzers@pa.net>
References: <200810171430.36824.kratzers@pa.net>
Message-ID:

Thank you so much. Good learning for me.
Is there any other best practice tip?
I heard of some AAA model, but I don't know it exactly.

Thank you

On Fri, Oct 17, 2008 at 2:30 PM, Stephen Kratzer wrote:
> If you are making changes that could potentially cause loss of remote
> connectivity, and you do not have physical access to the box, it is best
> practice to issue 'reload in x' where x is the minutes until reload.
> [...] And remember to issue 'reload cancel' if your
> changes are made successfully.
From billf at mu.org Fri Oct 17 14:40:55 2008
From: billf at mu.org (bill fumerola)
Date: Fri, 17 Oct 2008 11:40:55 -0700
Subject: [c-nsp] netflow only on ingress and HSRP setup
In-Reply-To: <291790.51763.qm@web87015.mail.ird.yahoo.com>
References: <291790.51763.qm@web87015.mail.ird.yahoo.com>
Message-ID: <20081017184054.GP37824@elvis.mu.org>

On Thu, Oct 16, 2008 at 10:55:29AM +0000, Borg Tinderne wrote:
> Raw netflow is a box centric view of network traffic, the few netflow
> display products I have played with over the last decade or so continue
> with this box-centric view, can't comment on nfsen. As interesting
> as a box-centric view is, I generally find I want a network-centric
> view of network traffic, so post processing of flow data with something,
> for me this has been RYO, so choose your own poison (perl / sql /
> tcl / awk ...).

w/ flow-tools you can write flow-nfilter such that you aggregate networks into abstractions and tag them. then you generate your rrd (or whatever) by-tag instead of by-host. not hard.

- bill

From euang+cisco-nsp at lists.eusahues.co.uk Fri Oct 17 15:31:23 2008
From: euang+cisco-nsp at lists.eusahues.co.uk (Euan Galloway)
Date: Fri, 17 Oct 2008 20:31:23 +0100
Subject: [c-nsp] Basic MPLS 7200
In-Reply-To: <48F8A8C1.1030507@justinshore.com>
References: <48F4E2D3.4020307@memetic.org> <48F8A8C1.1030507@justinshore.com>
Message-ID: <20081017193123.GA7473@hyperion.eusahues.co.uk>

On Fri, Oct 17, 2008 at 10:01:21AM -0500, Justin Shore wrote:
> I would recommend against the NPE-G1. The price difference between the G1
> and G2 at list is $4k. At discount that's chump change for twice the
> throughput.

Upgrade (from Cisco) the NPE-G1 to the same RAM (1G) as the NPE-G2 has by default and the G2 is actually CHEAPER as well as "twice the throughput". Much more limited IOS selection though.
--
Euan Galloway

From rich.davies at gmail.com Fri Oct 17 15:39:13 2008
From: rich.davies at gmail.com (Rich Davies)
Date: Fri, 17 Oct 2008 15:39:13 -0400
Subject: [c-nsp] can I know what is this command issue and want to learn about cisco best practice
In-Reply-To:
References: <200810171430.36824.kratzers@pa.net>
Message-ID: <3e4b8fe10810171239pe9b10c2y16d6985bbcec68c7@mail.gmail.com>

kcc,

Best practice would be to set up an authentication server (TACACS/RADIUS) and point your gear to that for your AAA, then set up a failsafe userid for when the device can not talk to the authentication server, so you still have a backup account. Having an auth server is great because you can manage users in 1 place (much easier for long-term administration). In addition to managing the user accounts you can get accounting logs which will provide you tracking for what commands/config changes that user makes.

Also you should consider using level 5 encryption on your userids versus level 7. Level 5 password encryption uses an MD5 hash (stronger) whereas level 7 passwords can be easily broken. Example:

username test secret mypassword

Using the "secret" option versus "password" will cause it to use the stronger encryption (MD5).

Another thing regarding best practices - your privilege level in your example is 15:

> cisco6513(config)#username peter privilege 15 password 7 peterpassword

Do you want that userid to have level 15 access immediately? You could skip specifying a privilege level and have an "enable secret" set up, which would require the user to enter a second password (enable) before being granted FULL level 15 access. Having multiple levels of passwords is stronger security versus 1 password then full access (depends on your security needs really).

Also regarding best practices you should set up a syslog server and start logging your devices to it.
Makes it much easier to track/troubleshoot an issue (and be able to pull that data long term, i.e., a year or so after the event happened...)

-Rich

On Fri, Oct 17, 2008 at 3:15 PM, kcc wrote:
> Thank you so much. Good learning for me.
> Is there any other best practice tip?
> I heard of some AAA model, but I don't know it exactly.
>
> Thank you
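The three replies above agree on the same points: a "password 7" value is reversible obfuscation, "secret" stores a hash, and AAA plus a syslog destination are the baseline. The following is an added example, not code from the thread or from Cisco: a small Python audit that decodes type 7 strings with the fixed key IOS uses, shows why "peterpassword" is rejected after "password 7" (it is not even shaped like a type 7 value), and flags the weak lines in a running-config excerpt. The config excerpt, the user names and the type 5 hash value in it are constructed for the example; 0822455D0A16 is the widely published type 7 encoding of "cisco".

```python
import re

# Fixed XOR key that IOS uses for "password 7" values. The first two characters
# of a type 7 string are a decimal offset into this key; every following pair
# of hex digits is one plaintext byte XORed with the key byte at that offset.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def is_type7(value):
    """True when value has the shape IOS accepts after 'password 7': a two-digit
    seed followed by an even number of hex digits. 'peterpassword' fails this
    test, which is what the 'Invalid encrypted password' error is about."""
    if len(value) < 4 or len(value) % 2 or not value[:2].isdigit():
        return False
    return all(c in "0123456789abcdefABCDEF" for c in value[2:])


def type7_decode(value):
    """Recover the plaintext behind a type 7 string (obfuscation, not encryption)."""
    if not is_type7(value):
        raise ValueError("not a type 7 string: %r" % value)
    seed = int(value[:2])
    data = bytes.fromhex(value[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return plain.decode("ascii", errors="replace")


def type7_encode(plain, seed=8):
    """Produce the value IOS would store; anyone with the key above can reverse it."""
    body = "".join("%02X" % (c ^ XLAT[(seed + i) % len(XLAT)])
                   for i, c in enumerate(plain.encode("ascii")))
    return "%02d%s" % (seed, body)


USERNAME_RE = re.compile(r"^username (\S+) (?:privilege \d+ )?password(?: (\d))? (\S+)$")
ENABLE_RE = re.compile(r"^enable password(?: (\d))? (\S+)$")
SYSLOG_RE = re.compile(r"^logging (?:host )?\d")


def describe(ptype, blob):
    if ptype == "7" and is_type7(blob):
        return "type 7, decodes to %r" % type7_decode(blob)
    return "plaintext"


def audit_config(config):
    """Return findings for a running-config text: reversible or plaintext
    credentials, no AAA, no off-box logging."""
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for line in lines:
        m = USERNAME_RE.match(line)
        if m:
            user, ptype, blob = m.groups()
            findings.append("username %s: %s; use 'username %s secret ...'"
                            % (user, describe(ptype, blob), user))
            continue
        m = ENABLE_RE.match(line)
        if m:
            findings.append("enable password: %s; use 'enable secret'"
                            % describe(*m.groups()))
    if "aaa new-model" not in lines:
        findings.append("no 'aaa new-model': logins are local only, no TACACS+/RADIUS accounting")
    if not any(SYSLOG_RE.match(line) for line in lines):
        findings.append("no 'logging host ...': events are not sent to a syslog server")
    return findings


# Constructed running-config excerpt for this example (not from a real device).
# 0822455D0A16 is the well-known type 7 encoding of "cisco"; the type 5 hash
# value is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname cisco6513
username peter privilege 15 password 7 0822455D0A16
username guest password guestpass
username ops privilege 15 secret 5 $1$EXAMPLE$placeholder.not.a.real.hash
enable password 7 0822455D0A16
line vty 0 4
 login local
"""

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved "show running-config" and every "password 7" line comes back with its plaintext, which is the quickest way to convince someone that only "secret" (and "enable secret") belong in a config that gets copied into tickets and backups.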
From mb at adv.gcomm.com.au Fri Oct 17 15:42:24 2008
From: mb at adv.gcomm.com.au (mb at adv.gcomm.com.au)
Date: Sat, 18 Oct 2008 05:42:24 +1000
Subject: [c-nsp] ACL's on policy-map - No hits?
In-Reply-To: <010d01c93054$49a1dae0$dce590a0$@net>
References: <20081017103811.iucvvq9mkicgko4s@webmail.datafx.com.au> <010d01c93054$49a1dae0$dce590a0$@net>
Message-ID: <20081018054224.rt8a6ut22b48ogc4@webmail.datafx.com.au>

Quoting Luan Nguyen :

> Yeah, that's a QOS limitation on those switches: "The display for the show
> policy-map interface user EXEC command shows zeros for the counters
> associated with class-map match criteria. There is no workaround.
> (CSCec08205)"
> http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_37_se/release/notes/OL12616.html

Thanks - Shame there's no workaround..

-------------------------------------------------------------------------
This e-mail was sent via Data FX Online WebMail http://www.datafx.com.au/

From jfitz at Princeton.EDU Fri Oct 17 16:00:15 2008
From: jfitz at Princeton.EDU (Jeff Fitzwater)
Date: Fri, 17 Oct 2008 16:00:15 -0400
Subject: [c-nsp] FWSM loading shuns
Message-ID: <038DE895-6E83-4D1D-9FA0-00526AC5BEF2@princeton.edu>

We use the FWSM "shun" command in a script to automatically load shuns as needed, but it takes forever to load because of the time it takes the FWSM to do its job. Our FWSM runs version 4.0.2 in transparent mode and has three bridge groups, each of which has an inside and outside interface. The shun command runs through all 6 interfaces when it loads and takes about 10s per shun, so a list of around 120 would take about 20 min. Not to mention there is no way to save them in the FWSM and they are lost after reset.

Q.
Has anybody found a way around this or even use SHUN? I thought that using the SHUN would be simpler than modifying an ACL, but it might be faster.

Jeff Fitzwater
OIT Network Systems
Princeton University

From mh+cisco-nsp at zugschlus.de Fri Oct 17 15:48:10 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Fri, 17 Oct 2008 21:48:10 +0200
Subject: [c-nsp] Debugging IPSEC VPN from Clients
Message-ID: <20081017194810.GH31720@torres.zugschlus.de>

Hi,

I have a bunch of users using the Cisco VPN Client to connect to an 1841 router (running IOS 12.4(9)T4).

Is there any show command to show the actual user names that are connected right now? I didn't find any appropriate show crypto foo command.

Additionally, can I configure the 1841 to log session establishment and termination to syslog, preferably including the IP address of the peer?

Any hints will be appreciated.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
                   |  Winona Ryder                 | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From mh+cisco-nsp at zugschlus.de Fri Oct 17 15:46:23 2008
From: mh+cisco-nsp at zugschlus.de (Marc Haber)
Date: Fri, 17 Oct 2008 21:46:23 +0200
Subject: [c-nsp] VPN Client to 1841, default route into tunnel with exceptions
In-Reply-To: <20080829110141.GB27253@torres.zugschlus.de>
References: <20080826140124.GA26261@torres.zugschlus.de> <000101c907d8$fe2f68a0$fa8e39e0$@id.au> <20080827111208.GA2482@torres.zugschlus.de> <020201c908a8$130cbe60$39263b20$@id.au> <20080828102945.GB12177@torres.zugschlus.de> <01c601c90971$d61b5640$825202c0$@id.au> <20080829110141.GB27253@torres.zugschlus.de>
Message-ID: <20081017194623.GG31720@torres.zugschlus.de>

Hi,

On Fri, Aug 29, 2008 at 01:01:41PM +0200, Marc Haber wrote:
> On Fri, Aug 29, 2008 at 08:54:48AM +0800, Brett Looney wrote:
> > > ip access-list extended DefaultrouteWithoutListedNetsTunnel
> > >  deny ip 192.168.8.0 0.0.0.255 10.2.60.0 0.0.0.255
> > >  permit ip any 10.2.60.0 0.0.0.255
> > >
> > > But packets to 192.168.8.1 still go out through the tunnel.
> >
> > Well, yeah. Because it matches the access list. From the sounds of it, you
> > need to list each local network specifically in the access list so it won't
> > match. That will be tricky.
>
> The following perl script will generate the appropriate access list:
> #!/usr/bin/perl -w

I need to re-hash the issue, I am afraid. As a reminder: I want to use the Cisco VPN Client to connect to an 1841 router (running IOS 12.4(9)T4), while routing everything into the tunnel with the exception of a few nets.
My configuration:

crypto isakmp client configuration group InternClient
 key
 dns 10.1.2.11 10.1.2.15
 wins 10.1.2.11 10.1.2.15
 pool ippool
 acl DefaultRouteWithoutListedNetsTunnelWorkaround

ip access-list extended DefaultRouteWithoutListedNetsTunnelWorkaround
 remark - this should be deny ip 10.20.30.0 0.0.0.31 any
 remark - this should be deny ip 10.1.10.0 0.0.0.255 any
 remark - this should be deny ip 192.168.8.0 0.0.0.255 any
 permit ip 0.0.0.0 7.255.255.255 any
 permit ip 8.0.0.0 1.255.255.255 any
 permit ip 10.0.0.0 0.0.255.255 any
 permit ip 10.1.0.0 0.0.7.255 any
 permit ip 10.1.8.0 0.0.1.255 any
 permit ip 10.1.11.0 0.0.0.255 any
 permit ip 10.1.12.0 0.0.3.255 any

Unfortunately, the ACL cannot contain any "deny" statements (evaluation seems to stop after the first deny), so I wrote a script to generate an access list that permits everything but the few nets. However, it looks like only the first 50 entries of the ACL are actually transmitted to the client and show up in its routing table, so everything "permitted" in the "late" steps of the ACL ends up outside of the tunnel.

Is there any possibility to increase that 50 limit?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."
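The workaround in the message above is a permit-only split-tunnel ACL that covers every address except the local networks, and the failure mode is that entries past the 50th are never pushed, so those destinations silently bypass the tunnel. The block below is an added example, not Marc's perl script (which is not on the page): it computes the complement of the excluded networks with Python's ipaddress module, emits "permit ip <net> <wildcard> any" lines in the same form as the ACL above, counts them against the push limit, and checks which destinations would still be tunnelled if only the first 50 entries reach the client. The three excluded networks are the ones in the remarks above; the 50-entry limit is taken from the message and treated as an assumption about that client/IOS pair.

```python
import ipaddress


def complement_prefixes(excluded):
    """Maximal IPv4 prefixes covering every address except those in `excluded`.
    The exclusions may be given in any order; they must not overlap each other."""
    blocks = [ipaddress.ip_network("0.0.0.0/0")]
    for ex in map(ipaddress.ip_network, excluded):
        remaining = []
        for block in blocks:
            if ex.subnet_of(block):
                remaining.extend(block.address_exclude(ex))   # split around the hole
            elif not block.subnet_of(ex):
                remaining.append(block)                       # untouched by this hole
        blocks = remaining
    return sorted(ipaddress.collapse_addresses(blocks))


def to_acl(nets):
    """Render as IOS 'permit' lines with wildcard masks, as in the ACL above."""
    return ["permit ip %s %s any" % (n.network_address, n.hostmask) for n in nets]


def check_push_limit(acl, limit=50):
    """Return (fits, dropped): dropped holds the entries past the limit, which
    the client never receives."""
    return len(acl) <= limit, acl[limit:]


def tunnelled(nets, addr):
    """Would traffic to addr enter the tunnel, given the prefixes the client got?"""
    addr = ipaddress.ip_address(addr)
    return any(addr in n for n in nets)


# The three networks the ACL above tries to keep out of the tunnel.
LOCAL_NETS = ["10.20.30.0/27", "10.1.10.0/24", "192.168.8.0/24"]

if __name__ == "__main__":
    nets = complement_prefixes(LOCAL_NETS)
    acl = to_acl(nets)
    fits, dropped = check_push_limit(acl)
    print("%d entries, fits in 50: %s, dropped: %d" % (len(acl), fits, len(dropped)))
    for line in acl:
        print(" " + line)
    # With only the first 50 entries pushed, anything covered by a dropped entry
    # leaks outside the tunnel; 198.51.100.1 (TEST-NET-2) sits in 196.0.0.0/6,
    # one of the dropped blocks.
    print("198.51.100.1 tunnelled: full list %s, first 50 only %s"
          % (tunnelled(nets, "198.51.100.1"), tunnelled(nets[:50], "198.51.100.1")))
```

For these three holes the complement has 60 maximal blocks (one block per trie level below each hole, minus the levels the holes share), so ten entries are lost at a 50-entry push limit; everything above 192.170.0.0 then leaves the client unencrypted. The first entries match the ACL above exactly, which is a cheap way to confirm a generator before trusting it with a split-tunnel policy.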
                   |  Winona Ryder                 | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 3221 2323190

From jloiacon at csc.com Fri Oct 17 17:19:30 2008
From: jloiacon at csc.com (Joe Loiacono)
Date: Fri, 17 Oct 2008 17:19:30 -0400
Subject: [c-nsp] netflow only on ingress and HSRP setup
In-Reply-To: <20081017184054.GP37824@elvis.mu.org>
Message-ID:

cisco-nsp-bounces at puck.nether.net wrote on 10/17/2008 02:40:55 PM:

> w/ flow-tools you can write flow-nfilter such that you aggregate
> networks into abstractions and tag them. then you generate your rrd
> (or whatever) by-tag instead of by-host. not hard.
                ^^^^^^^^^^^^^

Yep. You could substitute the directory name, which you used to store the tagged a aggregate, for a device-name in FlowViewer, and you will have access to the whole set of those web tools.

Joe

From kajtzu at basen.net Fri Oct 17 17:09:54 2008
From: kajtzu at basen.net (Kaj Niemi)
Date: Sat, 18 Oct 2008 00:09:54 +0300
Subject: [c-nsp] Debugging IPSEC VPN from Clients
In-Reply-To: <20081017194810.GH31720@torres.zugschlus.de>
References: <20081017194810.GH31720@torres.zugschlus.de>
Message-ID: <391FDA1B-C7EE-44B4-9287-E8386415EC20@basen.net>

Hi,

On Oct 17, 2008, at 22:48, Marc Haber wrote:
> I have a bunch of users using the Cisco VPN Client to connect to an
> 1841 router (running IOS 12.4(9)T4).
>
> Is there any show command to show the actual user names that are
> connected right now?
> I didn't find any appropriate show crypto foo
> command.

Yes but you need a more recent IOS. "show crypto session brief" came in 12.4(11)T.

> Additionally, can I configure the 1841 to log session establishment
> and termination to syslog, preferably including the IP address of the
> peer?

Yes, in this case you want "crypto logging ezvpn", as of 12.4(4)T. You could also look at "crypto logging session".

HTH :)

Kaj

--
Kaj J. Niemi
+358 45 63 12000

From Crist.Clark at globalstar.com Fri Oct 17 18:00:12 2008
From: Crist.Clark at globalstar.com (Crist Clark)
Date: Fri, 17 Oct 2008 15:00:12 -0700
Subject: [c-nsp] Learning a Multicast Ethernet for Unicast IP via ARP
Message-ID: <48F8A879.33E4.0097.0@globalstar.com>

I'm having a problem with a Check Point firewall cluster and a Cisco router. The cluster is operating in "multicast load sharing mode." In this mode, the unicast IP address of the cluster is associated with all cluster machines by handing out a multicast Ethernet address when the cluster gets an ARP request for the address.

In a lab setup, I have a Cisco 851 connected to my two firewall machines in the cluster. However, the Cisco router seems to ignore the ARP responses containing the multicast Ethernet address. If I sniff the connection between the two,

13:33:41.633395 arp who-has 192.168.111.42 tell 192.168.111.41
13:33:41.633403 arp reply 192.168.111.42 is-at 1:0:5e:28:6f:2a
13:33:44.462616 arp who-has 192.168.111.42 tell 192.168.111.41
13:33:44.462622 arp reply 192.168.111.42 is-at 1:0:5e:28:6f:2a

192.168.111.41 is the router. 192.168.111.42 is the firewall.

I've run,

#debug arp

On the router, and nothing interesting. I see it sending the ARP requests, but it never mentions anything about seeing the responses.

If I add a static ARP entry,

#arp 192.168.111.42 0100.5e28.6f2a ARPA

Everything works fine.

Is there a way to tell the router to accept the ARP responses or is the static entry the best option?
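What the router does with those replies can be shown in a few lines. The following is an added example, not code from the thread or from Cisco: it decodes ARP packets of the kind in the capture above, applies the RFC 1812 section 3.3.2 rule (a router must not believe an ARP reply claiming that another host's link-layer address is a broadcast or multicast address; 01:00:5e:28:6f:2a has the I/G bit set, so it is exactly that case), and shows that a static entry is the way around the rule. The packet bytes are constructed from the addresses in the capture; the router's own MAC and the cluster member's real NIC MAC are made up.

```python
import struct
from ipaddress import IPv4Address

# Ethernet/IPv4 ARP body: hw type, proto type, hw len, proto len, opcode,
# sender MAC, sender IP, target MAC, target IP (28 bytes).
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(mac):
    return ":".join("%02x" % b for b in mac)


def is_group_mac(mac):
    """I/G bit (bit 0 of the first octet) set: multicast, ff:ff:ff:ff:ff:ff included."""
    return bool(mac[0] & 0x01)


def parse_arp(pkt):
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"op": op, "sha": sha, "spa": IPv4Address(spa), "tha": tha, "tpa": IPv4Address(tpa)}


def build_arp_reply(sha, spa, tha, tpa):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       sha, IPv4Address(spa).packed, tha, IPv4Address(tpa).packed)


def believe_reply(arp):
    """RFC 1812 section 3.3.2: a router must not believe an ARP reply that claims
    another host's link-layer address is broadcast or multicast. Accepting one
    would make the router send that host's unicast IP traffic to a group address
    that every station on the segment can listen to."""
    return arp["op"] == ARP_REPLY and not is_group_mac(arp["sha"])


def summary(arp):
    """tcpdump-style one-liner, same form as the capture above."""
    if arp["op"] == ARP_REPLY:
        return "arp reply %s is-at %s" % (arp["spa"], mac_str(arp["sha"]))
    return "arp who-has %s tell %s" % (arp["tpa"], arp["spa"])


def learn(cache, pkt, static=None):
    """Feed one ARP packet to a cache the way an RFC 1812 router does.
    Returns (summary, accepted). A static entry is never overwritten."""
    arp = parse_arp(pkt)
    if static and arp["spa"] in static:
        return summary(arp), False
    if believe_reply(arp):
        cache[arp["spa"]] = arp["sha"]
        return summary(arp), True
    return summary(arp), False


def resolve(cache, static, addr):
    """Static entries win, then the dynamic cache; None means unresolved."""
    addr = IPv4Address(addr)
    return static.get(addr) or cache.get(addr)


# Constructed packets using the addresses from the capture. The router MAC and
# the cluster member's NIC MAC are made up (locally administered addresses).
ROUTER_MAC = bytes.fromhex("02005e000001")
MEMBER_MAC = bytes.fromhex("020000000042")
CLUSTER_MAC = bytes.fromhex("01005e286f2a")  # the multicast MAC in the capture
CLUSTER_REPLY = build_arp_reply(CLUSTER_MAC, "192.168.111.42", ROUTER_MAC, "192.168.111.41")
UNICAST_REPLY = build_arp_reply(MEMBER_MAC, "192.168.111.42", ROUTER_MAC, "192.168.111.41")
# Equivalent of "arp 192.168.111.42 0100.5e28.6f2a ARPA" on the router.
STATIC_ARP = {IPv4Address("192.168.111.42"): CLUSTER_MAC}

if __name__ == "__main__":
    cache = {}
    for pkt in (CLUSTER_REPLY, UNICAST_REPLY):
        text, ok = learn(cache, pkt)
        print("%-55s %s" % (text, "learned" if ok else "ignored (RFC 1812 3.3.2)"))
    print("with static entry:", mac_str(resolve({}, STATIC_ARP, "192.168.111.42")))
```

The same check is worth having in anything that consumes ARP on your own hosts: a reply that binds a unicast IP to a group MAC is either a cluster product doing this on purpose, as here, or someone trying to get a switched segment to flood one host's traffic to everybody.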
From dsinn at dsinn.com Fri Oct 17 18:49:05 2008
From: dsinn at dsinn.com (David Sinn)
Date: Fri, 17 Oct 2008 15:49:05 -0700
Subject: [c-nsp] Learning a Multicast Ethernet for Unicast IP via ARP
In-Reply-To: <48F8A879.33E4.0097.0@globalstar.com>
References: <48F8A879.33E4.0097.0@globalstar.com>
Message-ID:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ignoring ARP responses that return multicast (or broadcast) MAC addresses is required by RFC 1812 Section 3.3.2. Static ARPs are the only option (or working on getting the RFC changed).

David

On Oct 17, 2008, at 3:00 PM, Crist Clark wrote:
> I'm having a problem with a Check Point firewall cluster and
> a Cisco router. The cluster is operating in "multicast load
> sharing mode." In this mode, the unicast IP address of the
> cluster is associated with all cluster machines by handing
> out a multicast Ethernet address when the cluster gets an
> ARP request for the address.
> [...]
> Is there a way to tell the router to accept the ARP responses or
> is the static entry the best option?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkj5FmEACgkQLa9jIE3ZamPUOQCgjdZVW50mMcp7hDOIaXjNXU+Q
MVwAnj4Dp3de2lDUrNdUtGFDETHDiJwg
=vb8u
-----END PGP SIGNATURE-----

From dcp at dcptech.com Fri Oct 17 17:37:26 2008
From: dcp at dcptech.com (David Prall)
Date: Fri, 17 Oct 2008 17:37:26 -0400
Subject: [c-nsp] Debugging IPSEC VPN from Clients
In-Reply-To: <20081017194810.GH31720@torres.zugschlus.de>
References: <20081017194810.GH31720@torres.zugschlus.de>
Message-ID: <000e01c930a0$8fe945a0$afbbd0e0$@com>

Show aaa user is where I would start, couldn't play with it to see if it is right or not.

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Marc Haber
> Sent: Friday, October 17, 2008 3:48 PM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Debugging IPSEC VPN from Clients
>
> Is there any show command to show the actual user names that are
> connected right now? I didn't find any appropriate show crypto foo
> command.
>
> Additionally, can I configure the 1841 to log session establishment
> and termination to syslog, preferably including the IP address of the
> peer?
From chunt at reachone.com Fri Oct 17 19:27:51 2008
From: chunt at reachone.com (Christopher Hunt)
Date: Fri, 17 Oct 2008 16:27:51 -0700
Subject: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
In-Reply-To: <001501c9275a$3f35f350$bda1d9f0$@net>
References: <48E90EEA.5090305@reachone.com> <001501c9275a$3f35f350$bda1d9f0$@net>
Message-ID: <48F91F77.8080301@reachone.com>

Luan,

Thanks for your excellent and detailed reply. I was able to get the tunnels up and passing encrypted traffic (after adding the "tunnel mode ipsec ipv4" command to the tunnel). LDP and OSPF came right up too.

The interesting bit is that I have no end-to-end vrf connectivity. In other words:

CORE-DIA-1#sh ip ro vrf CustA
Routing Table: CustA
.....
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 2 subnets
B       10.1.1.1 [200/0] via 192.168.255.252, 00:23:06
C       10.0.0.1 is directly connected, Loopback100

CORE-DIA-1#ping vrf CustA 10.1.1.1 source 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)

CORE-DIA-1#sho ip ro 192.168.255.252
Routing entry for 192.168.255.252/32
  Known via "ospf 100", distance 110, metric 11112, type intra area
  Last update from 10.0.0.2 on Tunnel0, 00:02:34 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 192.168.255.252, 00:02:34 ago, via Tunnel0
      Route metric is 11112, traffic share count is 1

It worked until I added the "tunnel protection ipsec profile foo" bit. I can still ping loopbacks etc. in the Default-IP-Routing-Table.
I had it working in an alternate config, with a crypto map applied to the physical interface that is the tunnel-source.

Any idea why this might be?

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

Luan Nguyen wrote:
> You could encrypt the GRE tunnel. Everything traversing the tunnel will get
> encrypted.
> On CORE-DIA-1
>
> crypto isakmp policy 10
>  encr aes 256
>  authentication pre-share
>  group 5
> crypto isakmp key cisco address 172.16.0.98
> crypto isakmp keepalive 10 4 periodic
> !
> !
> crypto ipsec transform-set TEST esp-aes 256 esp-sha-hmac
>  mode transport
> !
> crypto ipsec profile foo
>  set transform-set TEST
>  set pfs group5
> !
> !
> interface Tunnel0
>  ip address 10.0.0.2 255.255.255.252
>  ip mtu 1420
>  ip tcp adjust-mss 1436
>  mpls ip
>  mpls mtu 1508
>  keepalive 1 3
>  tunnel source FastEthernet0/0
>  tunnel destination 172.16.0.98
>  tunnel protection ipsec profile foo
>
> Just the reverse on the other side.
>
> You, and the original poster, could do IPSEC encryption between CEs of the
> MPLS VPN by using GET-VPN (if you don't want to do that encrypted L2TPv3
> suggestion :))
> http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
> The CE-to-CE routing remains the same, with added security.
>
> ----------------------------------------------------------------------------
> Luan Nguyen
> Chesapeake NetCraftsmen, LLC.
> www.NetCraftsmen.net
> ----------------------------------------------------------------------------
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Christopher Hunt
> Sent: Sunday, October 05, 2008 3:01 PM
> To: cisco-nsp
> Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
>
> For simplicity's sake let's say that I have 2 7206VXRs running
> advip-12.4(9)T2. They're in separate cities, each has a direct Internet feed
> plus a L2 feed between them. Each one is a PE, and running L3VPNs for
> customers. I use OSPF as an IGP. Everything's working great, but I want to
> build VPN failover in case the L2 feed between them goes down.
>
> Since the backup is a L3 service, MPLSoGRE seems the best option for me.
> At the same time, I want to encrypt ***at least the customer vrf
> traffic*** when it uses the L3 MPLSoGRE path. I'm no wiz with IPSec
> unfortunately and am struggling to understand the process.
>
> I've got the GRE Tunnels up and failing over but can't seem to understand
> how to encrypt the customer data. See attached configs.
> Anyone have any pointers? See
> http://markmail.org/message/lob467v2oxc6my5x for original thread
>
> onward through the fog,
> Christopher Hunt
>
> -------- Original Message --------
> Subject: [c-nsp] MPLS and IPSEC co-working
> From: Oliver Boehmer (oboehmer) (oboe... at cisco.com)
> Date: 08/16/2007 09:31:25 AM
> List: net.nether.puck.cisco-nsp
>
> > Andris Zarins <> wrote on Thursday, August 16, 2007 1:44 PM:
> >
> > Hi,
> >
> > Network setup is pretty trivial - three routers running MPLS (LDP
> > full-mesh) to support 20+ MPLS VPNs. Tricky part is that the customer is
> > asking to secure that infrastructure by running IPSEC (3DES). As far as I
> > know, I can not run LDP over Tunnel interfaces, and crypto-maps will not
> > help either.
> > Concept of running IPSEC between CPEs doesn't make sense, as
> > there are no CPEs :(
> >
> > Question is - is VRF-Lite plus back-to-back connectivity, like option
> > A for inter AS MPLS, the only viable option I have, or I'm missing
> > something and there are other, more scalable ways to do it?
>
> well, you can run MPLSoGRE at least on SW-based platforms (like the 7200),
> haven't checked for 6500/7600 or GSR.. You could also use BGP-L3VPN over
> L2TPv3 and then encrypt the L2TPv3 traffic using crypto-maps..
>
> Not a complete solution, I know..
>
> oli
>
>

From nvoth at estreet.com Fri Oct 17 20:49:56 2008
From: nvoth at estreet.com (Nick Voth)
Date: Fri, 17 Oct 2008 18:49:56 -0600
Subject: [c-nsp] QoS help on Cisco 1841 from Covad
Message-ID:

Hello folks,

I'm having some trouble getting my QoS policies for VoIP to work on a Covad supplied T1 router. It looks like it's a Frame Relay interface. I have applied the rules as I normally do on our Point-to-Point circuits, but I don't see the rules catching any traffic. Can someone loan me another set of eyes to see what I'm doing wrong here?

I didn't do the config for the Frame Interface. That's from Covad so I can't really mess with that much. I'm only allowed to implement the QoS policies.

Thanks very much:


Config snippet ------>


class-map match-all VoIP-Data
 match protocol rtp
 match access-group 101
class-map match-all VoIP-Control
 match protocol sip
 match access-group 101
!
!
policy-map QoS-OUT
 class VoIP-Control
  bandwidth 60
 class VoIP-Data
  priority percent 90
 class class-default
  fair-queue 2048
!
!
interface Serial0/0/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 service-module t1 fdl both
 frame-relay lmi-type ansi
 max-reserved-bandwidth 95
 service-policy output QoS-OUT
!
interface Serial0/0/0.1 point-to-point
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-Template1
 ip address negotiated
 ppp chap hostname 5411955 at bz8
 ppp chap password 7 14xxxxxxxxxxx
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
!
!
access-list 101 permit ip any host xxx.xxx.xxx.xxx



Output of "show policy-map"------->

Router#show policy-map interface Serial0/0/0

 Serial0/0/0

  Service-policy output: QoS-OUT

    Class-map: VoIP-Control (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol sip
      Queueing
        Output Queue: Conversation 2057
        Bandwidth 60 (kbps)Max Threshold 64 (packets)
        (pkts matched/bytes matched) 0/0
        (depth/total drops/no-buffer drops) 0/0/0

    Class-map: VoIP-Data (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: protocol rtp
      Queueing
        Strict Priority
        Output Queue: Conversation 2056
        Bandwidth 90 (%)
        Bandwidth 1382 (kbps) Burst 34550 (Bytes)
        (pkts matched/bytes matched) 0/0
        (total drops/bytes drops) 0/0

    Class-map: class-default (match-any)
      838 packets, 182315 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
        Flow Based Fair Queueing
        Maximum Number of Hashed Queues 2048
        (total queued/total drops/no-buffer drops) 0/0/0

Thanks very much!

-Nick Voth

From ddunkin at netos.net Fri Oct 17 21:49:27 2008
From: ddunkin at netos.net (Darryl Dunkin)
Date: Fri, 17 Oct 2008 18:49:27 -0700
Subject: [c-nsp] QoS help on Cisco 1841 from Covad
References:
Message-ID: <56F5BC5F404CF84896C447397A1AAF20943342@MAIL.nosi.netos.com>

What host is xxx.xxx.xxx.xxx? Is that your VOIP gateway?

You are matching both protocol and the destination IP address (match-all). If this is not the destination of your packets, they won't match and go to the class-default.
_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

From nvoth at estreet.com Fri Oct 17 22:49:13 2008
From: nvoth at estreet.com (Nick Voth)
Date: Fri, 17 Oct 2008 20:49:13 -0600
Subject: [c-nsp] QoS help on Cisco 1841 from Covad
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20943342@MAIL.nosi.netos.com>
Message-ID:

Yes, the "host" in the access-list is the VoIP proxy that all traffic goes to and from. Yes I am doing a "match-all".

The really odd thing here is that I have an almost identical setup with another Covad circuit and the QoS is working fine. The only difference is that other location is doing NAT in the Cisco gateway where this location is statically addressed and doing NAT in a firewall behind the Cisco gateway.
Very odd stuff since I've basically compared both configs at both locations and they are basically identical except for the NAT stuff at the other, (working), location.

Thanks,

-Nick

> From: Darryl Dunkin
> Date: Fri, 17 Oct 2008 18:49:27 -0700
> To: Nick Voth ,
> Conversation: [c-nsp] QoS help on Cisco 1841 from Covad
> Subject: RE: [c-nsp] QoS help on Cisco 1841 from Covad
>
> What host is xxx.xxx.xxx.xxx? Is that your VOIP gateway?
>
> You are matching both protocol and the destination IP address
> (match-all). If this is not the destination of your packets, they won't
> match and go to the class-default.
From nvoth at estreet.com Fri Oct 17 23:24:07 2008
From: nvoth at estreet.com (Nick Voth)
Date: Fri, 17 Oct 2008 21:24:07 -0600
Subject: [c-nsp] QoS help on Cisco 1841 from Covad
In-Reply-To: <56F5BC5F404CF84896C447397A1AAF20943342@MAIL.nosi.netos.com>
Message-ID:

I think I found the cause. No packets were being marked by:

class-map match-all VoIP-Data
 match protocol rtp
 match access-group 101
class-map match-all VoIP-Control
 match protocol sip
 match access-group 101

I removed the "match protocol rtp" and "match protocol sip" and then packets started to be marked. No clue why it's not recognizing sip or rtp as the packet protocols, but it's 100% reproducible. If I add those matches back in, packets stop being recognized...

Thanks,

-Nick

> From: Darryl Dunkin
> Date: Fri, 17 Oct 2008 18:49:27 -0700
> To: Nick Voth ,
> Conversation: [c-nsp] QoS help on Cisco 1841 from Covad
> Subject: RE: [c-nsp] QoS help on Cisco 1841 from Covad
>
> What host is xxx.xxx.xxx.xxx? Is that your VOIP gateway?
>
> You are matching both protocol and the destination IP address
> (match-all). If this is not the destination of your packets, they won't
> match and go to the class-default.
From sforcejr at yahoo.com Fri Oct 17 23:54:24 2008
From: sforcejr at yahoo.com (JR Colmenares)
Date: Fri, 17 Oct 2008 20:54:24 -0700 (PDT)
Subject: [c-nsp] Restrict access in a VPN tunnel
Message-ID: <878511.7085.qm@web110414.mail.gq1.yahoo.com>

Cisco 506e 6.3.4

I am configuring a tunnel and I have this access list that allows traffic from the remote site to our whole subnet

access-list nonat permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0

sysopt connection permit-ipsec

Our users are going to access a database server on the remote site

1- How can I restrict the access to particular hosts in our network?

2- Is it possible to configure the tunnel so the IP traffic goes just in one direction? It seems to me that if our users need to access their servers, they should not need to access any hosts on our side? Or if it is done this way, our users would not be able to pull any data from those servers because the traffic just goes in one direction.

Please provide some insight here. I am a little paranoid with this company wanting to establish this kind of open access
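An added example, not part of JR Colmenares' post or of any reply on this page: a small Python evaluator for PIX 6.x style access-list entries, used to compare what the posted crypto ACL permits with a host- and port-narrowed version of it. It follows PIX crypto-ACL semantics (source side = local network, destination side = remote peer's network), so it treats 10.0.0.0/8 as the network behind the 506e and 192.168.16.0/24 as the remote site. The client hosts 10.1.5.10 and 10.1.5.11, the database server 192.168.16.50 and TCP port 1433 are constructed for the example and appear nowhere in the thread. Two caveats the code cannot express: a crypto ACL selects traffic for the SA in both directions (the peer must mirror it, and return traffic rides the same SA pair), so it cannot make the tunnel one-way; and on PIX 6.3 `sysopt connection permit-ipsec` exempts decrypted traffic from the outside interface access-group, so controlling what the remote side may initiate means removing that sysopt and filtering decrypted traffic with the interface ACL, with the `nonat` list narrowed to match.

```python
"""Evaluate PIX 6.x style access-list entries against candidate flows.

Added example for the cisco-nsp "Restrict access in a VPN tunnel" question;
not code from the thread. Client hosts, server and port are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest port."""
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "icmp", ...
    src: Net
    dst: Net
    dport: Optional[int]   # None = any destination port


def _take_addr(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Consume one PIX address spec starting at tokens[i].

    Forms: 'any' | 'host A.B.C.D' | 'A.B.C.D M.M.M.M'. PIX lists use a real
    subnet mask (not the IOS wildcard), which ipaddress accepts directly.
    """
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    return Net((tokens[i], tokens[i + 1]), strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
        dport = int(t[i + 1]) if i + 1 < len(t) and t[i] == "eq" else None
        aces.append(Ace(t[1], t[2], t[3], src, dst, dport))
    return aces


def permitted(aces: List[Ace], proto: str, src: str, dst: str,
              dport: Optional[int] = None) -> bool:
    """First matching entry decides; no match is an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for a in aces:
        if a.proto != "ip" and a.proto != proto:
            continue
        if s not in a.src or d not in a.dst:
            continue
        if a.dport is not None and a.dport != dport:
            continue
        return a.action == "permit"
    return False


def permitted_host_pairs(aces: List[Ace]) -> int:
    """Upper bound on (source, destination) address pairs the list permits."""
    return sum(a.src.num_addresses * a.dst.num_addresses
               for a in aces if a.action == "permit")


# The crypto ACL exactly as posted: any host in 10/8 to any host in 192.168.16/24.
BROAD_ACL = """
access-list remote_site permit ip 10.0.0.0 255.0.0.0 192.168.16.0 255.255.255.0
"""

# Constructed narrowing: two named clients, one database server, one TCP port.
# These addresses and the port are example values, not from the thread.
NARROW_ACL = """
access-list remote_site permit tcp host 10.1.5.10 host 192.168.16.50 eq 1433
access-list remote_site permit tcp host 10.1.5.11 host 192.168.16.50 eq 1433
"""

BROAD = parse_acl(BROAD_ACL)
NARROW = parse_acl(NARROW_ACL)


def compare() -> dict:
    """Evaluate one wanted flow and one stray flow against both lists."""
    wanted = ("tcp", "10.1.5.10", "192.168.16.50", 1433)
    stray = ("udp", "10.200.1.1", "192.168.16.7", 53)
    return {
        "broad_permits_wanted": permitted(BROAD, *wanted),
        "broad_permits_stray": permitted(BROAD, *stray),
        "narrow_permits_wanted": permitted(NARROW, *wanted),
        "narrow_permits_stray": permitted(NARROW, *stray),
        "broad_pairs": permitted_host_pairs(BROAD),
        "narrow_pairs": permitted_host_pairs(NARROW),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The narrowed entries have to appear mirrored in the peer's crypto ACL or phase 2 will not negotiate, and the `nonat` list should be tightened to the same hosts so that only the intended flows are exempted from translation.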
From peter at rathlev.dk Sat Oct 18 02:38:42 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 18 Oct 2008 08:38:42 +0200
Subject: [c-nsp] Learning a Multicast Ethernet for Unicast IP via ARP
In-Reply-To:
References: <48F8A879.33E4.0097.0@globalstar.com>
Message-ID: <1224311922.15578.3.camel@abehat>

On Fri, 2008-10-17 at 15:49 -0700, David Sinn wrote:
> On Oct 17, 2008, at 3:00 PM, Crist Clark wrote:
> > Is there a way to tell the router to accept the ARP responses or
> > is the static entry the best option?
>
> Ignoring ARP responses that return multicast (or broadcast) MAC
> addresses is required by RFC 1812 Section 3.3.2. Static ARPs are
> the only option (or working on getting the RFC changed).

Exactly. Microsoft NLB also has this problem. You would need a command similar to:

arp 192.0.2.10 03bf.0a55.151e ARPA

to make it work.

Regards,
Peter

From oboehmer at cisco.com Sat Oct 18 07:47:16 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Sat, 18 Oct 2008 13:47:16 +0200
Subject: [c-nsp] Converting OSPF backbone to iBGP
In-Reply-To: <9f785d120810160723s41b7af7bwd7e5dc4575ccb38f@mail.gmail.com>
References: <48D9F1AD.8010607@gmx.de> <200809241619.34647.mtinka@globaltransit.net> <48DA0B66.6000609@gmx.de> <48DA0FDC.2020202@imperial.ac.uk> <9f785d120810160723s41b7af7bwd7e5dc4575ccb38f@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406379481@xmb-ams-333.emea.cisco.com>

Nathan <> wrote on Thursday, October 16, 2008 4:23 PM:
> On Wed, Sep 24, 2008 at 12:01 PM, Phil Mayers wrote:
>> You can import from OSPF to BGP, but it has some risks and
>> complexities that are best avoided if at all possible. Much worse is
>> distributing BGP into OSPF - don't do that.
>
> In case someone even thinks of ever doing that, please note:
>
> rtr(config)# router ospf 10
> rtr(config-rtr)# redistribute bgp 65000 subnets route-map
> JustATeensyFiftyRoutesOrSo
>
> certainly does work as advertised (no idea if it consumes a lot of
> CPU to filter out all those routes) . . . but trying to remove that
> using
>
> rtr(config-rtr)# no redistribute bgp 65000 subnets route-map
> JustATeensyFiftyRoutesOrSo
>
> results in
>
> redistribute bgp 65000 subnets
>
> and that *hurts*

agree, however this is the only way to remove redistribution options without removing the actual redistribution.

I would advise to always use "redistribute maximum-prefix" when redistributing BGP into an IGP, just an additional safeguard against this kind of problem.

oli

From daniele at orlandi.com Sat Oct 18 09:19:01 2008
From: daniele at orlandi.com (Daniele Orlandi)
Date: Sat, 18 Oct 2008 15:19:01 +0200
Subject: [c-nsp] OSPF over PPPoATM
Message-ID: <200810181519.02668.daniele@orlandi.com>

Hello,

Someone please help me spot what weird thing is happening :)

I have a 2800 with an ADSL WIC connected to a 7200 with a STM-1 ATM. The 2800 is sending hellos on its virtual access interface, the 7200 is receiving those hellos and sending its own, but the 2800 isn't receiving the hellos.

2800
----
Oct 18 15:14:10.813: OSPF: Send hello to 224.0.0.5 area 0 on Virtual-Access1.1 from 62.212.6.191

7200
----
Oct 18 15:13:50.822: OSPF: Rcv hello from 62.212.3.243 area 0 from Virtual-Access2.139 62.212.6.191
Oct 18 15:13:50.822: OSPF: Send immediate hello to nbr 62.212.3.243, src address 62.212.6.191, on Virtual-Access2.139
Oct 18 15:14:30.874: OSPF: Send hello to 224.0.0.5 area 0 on Virtual-Access2.139 from 0.0.0.0

#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
62.212.3.243      0   INIT/  -        00:00:37    62.212.6.191    Virtual-Access2.139
...
The 2800 is also connected to the 7200 via a frame-relay to ATM PVC on which OSPF is running fine (but not IPv6, but that's another story).

What is happening to those hello packets? Who is eating them?

Thank you,
Bye,

--
Daniele Orlandi

From saku+cisco-nsp at ytti.fi Sat Oct 18 09:48:26 2008
From: saku+cisco-nsp at ytti.fi (Saku Ytti)
Date: Sat, 18 Oct 2008 16:48:26 +0300
Subject: [c-nsp] RSP720-10G
In-Reply-To: <836bf1f90810170650k69b5bdeeyaae9a776c11cc7d8@mail.gmail.com>
References: <836bf1f90810170650k69b5bdeeyaae9a776c11cc7d8@mail.gmail.com>
Message-ID: <20081018134826.GA30176@mx.ytti.net>

On (2008-10-17 09:50 -0400), Mike Johnson wrote:
> Does anyone know the details of the problems they are having with the
> RSP720-10G?
>
> Specifically, RPR+ and IPSEC? I hope a new software release will fix the
> problems. Any details
> or experiences would be greatly appreciated.

IIRC it's limited orderability, because only RPR is supported, not RPR+ or SSO and because redundant RSP's ports do not work. And yes, those will be fixed. I think in SRD.

--
  ++ytti

From peter at rathlev.dk Sat Oct 18 12:34:18 2008
From: peter at rathlev.dk (Peter Rathlev)
Date: Sat, 18 Oct 2008 18:34:18 +0200
Subject: [c-nsp] 6500 and MPLS
In-Reply-To: <48F8BD75.8000505@justinshore.com>
References: <48F4C853.50103@templin.org> <20081014192215.GQ8535@greenie.muc.de> <1224018141.31143.4.camel@abehat> <48F8BD75.8000505@justinshore.com>
Message-ID: <1224347658.19069.2.camel@abehat>

On Fri, 2008-10-17 at 11:29 -0500, Justin Shore wrote:
> Peter Rathlev wrote:
> > This is VLAN mode EoMPLS. The PFC3 supports this and (physical) port
> > mode.
>
> I still haven't been able to get this to work. I tried this between 2
> 7600s running SRB1 and between the same 7600s to 2 6524s, one running
> SXH and the other running ZU code. The thing just won't come up. I
> wish we could do SVI-based EoMPLS on at least the 6524 end.

Would that be port mode EoMPLS not working on the 7600s?
We have it running fine on 6500s SXF. And VLAN/subinterface based on 7600 SRB1 seems to work fine too. We haven't tried the other combinations, but I can't see why it wouldn't work.

Or did you mean locally switched SVI mode EoMPLS?

Regards,
Peter

From masood at nexlinx.net.pk Sat Oct 18 12:47:25 2008
From: masood at nexlinx.net.pk (Masood Ahmad Shah)
Date: Sat, 18 Oct 2008 21:47:25 +0500
Subject: [c-nsp] Conditional BGP
In-Reply-To: <20080924010604.GA33338@root.ucsc.edu>
References: <001801c91d9f$df280fc0$9d782f40$@org> <48D98ED6.60403@templin.org> <20080924010604.GA33338@root.ucsc.edu>
Message-ID: <00ba01c93141$37dcc3e0$a7964ba0$@net.pk>

A nice book on BGP

Practical BGP
By Russ White

Regards,
Masood
BLOG: http://www.weblogs.com.pk/jahil

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Boolootian
Sent: Wednesday, September 24, 2008 6:06 AM
To: brandon at sterling.net
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Conditional BGP

> 2) View the NANOG presentation archives. Several come to mind; I'll try to
> compile a list of suggestions, or just browse away.

Search the presentation archive for Smith and BGP. Philip Smith's BGP tutorials are outstanding.

From mdado at Airspan.com Sat Oct 18 15:05:33 2008
From: mdado at Airspan.com (Mohammed Dado)
Date: Sat, 18 Oct 2008 20:05:33 +0100
Subject: [c-nsp] EIGRP routing failure
Message-ID:

Dears,

We're configuring EIGRP on both sides, customer and ISP. The customer router is dumping the following logs. Here's an example of some logs ..
128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency


Can anybody assist ?
Best Regards,

Mohammed Dado
Technical Support Engineer - EMEA

Airspan Communications Ltd

From chunt at reachone.com Sat Oct 18 15:37:54 2008
From: chunt at reachone.com (Christopher Hunt)
Date: Sat, 18 Oct 2008 12:37:54 -0700
Subject: [c-nsp] [Fwd: Re: MPLS and IPSEC co-working (reviving an old thread)]
Message-ID: <48FA3B12.1000305@reachone.com>

Luan,

To recap: applying an IPSEC crypto-map to the WAN physical interface works, but applying IPSEC to Tunnel Protection breaks end-to-end vrf connections. I have a feeling it is a combination of these two statements from Cisco:

from http://www.cisco.com/en/US/tech/tk827/tk369/technologies_tech_note09186a008048cffc.shtml:

"There are two key differences between when you use a crypto-map and when you use tunnel protection:

* The IPSec crypto-map is tied to the physical interface and is checked as packets are forwarded out the physical interface. Note: The GRE tunnel has already GRE encapsulated the packet by this point.

* Tunnel protection ties the encryption functionality to the GRE tunnel and is checked after the packet is GRE encapsulated but before the packet is handed to the physical interface."

and from http://www.cisco-ri.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/ngwanearch.html#wp1000241:

"currently there are no mechanisms that allow for encryption of labelled packets."

So I'll stick with crypto-maps for now. I'm definitely looking into the very interesting link you provided re: GET-VPN.

Thanks again...

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

-------- Original Message --------
Subject: Re: [c-nsp] MPLS and IPSEC co-working (reviving an old thread)
Date: Fri, 17 Oct 2008 16:27:51 -0700
From: Christopher Hunt
To: Luan Nguyen
CC: 'cisco-nsp'
References: <48E90EEA.5090305 at reachone.com> <001501c9275a$3f35f350$bda1d9f0$@net>

Luan,

Thanks for your excellent and detailed reply.
I was able to get the tunnels up and passing encrypted traffic (after adding the "tunnel mode ipsec ipv4" command to the tunnel). LDP and OSPF came right up too.

The interesting bit is that I have no end-to-end vrf connectivity. In other words:

CORE-DIA-1#sh ip ro vrf CustA

Routing Table: CustA
.....
Gateway of last resort is not set

     10.0.0.0/32 is subnetted, 2 subnets
B       10.1.1.1 [200/0] via 192.168.255.252, 00:23:06
C       10.0.0.1 is directly connected, Loopback100

CORE-DIA-1#ping vrf CustA 10.1.1.1 source 10.0.0.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.0.0.1
.....
Success rate is 0 percent (0/5)

CORE-DIA-1#sho ip ro 192.168.255.252
Routing entry for 192.168.252/32
  Known via "ospf 100", distance 110, metric 11112, type intra area
  Last update from 10.0.0.2 on Tunnel0, 00:02:34 ago
  Routing Descriptor Blocks:
  * 10.0.0.2, from 192.168.255.252, 00:02:34 ago, via Tunnel0
      Route metric is 11112, traffic share count is 1

It worked until I added the "tunnel protection ipsec profile foo" bit. I can still ping loopbacks etc. in the Default-IP-Routing-Table.

I had it working in an alternate config, with a crypto map applied to the physical interface that is the tunnel-source. Any idea why this might be?

Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com
--
Christopher Hunt
ReachONE Internet, Inc.
(360)456-5640
http://www.reachone.com

From gwendel at gmail.com Sat Oct 18 15:52:19 2008
From: gwendel at gmail.com (Greg Wendel)
Date: Sat, 18 Oct 2008 15:52:19 -0400
Subject: [c-nsp] EIGRP routing failure
In-Reply-To:
References:
Message-ID: <8dfae3430810181252w3fc43e8x5f5cf90a8159a8dc@mail.gmail.com>

If you are running older IOS code the K value mismatch could be the router misinterpreting the goodbye message sent by EIGRP.

Hope this helps.
On Sat, Oct 18, 2008 at 3:05 PM, Mohammed Dado wrote:
> Dears,
>
> We're configuring EIGRP on both sides, customer and ISP. The customer
> router is dumping the following logs. Here's an example of some logs ..
>
> 128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
> 128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
> 128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>
> Can anybody assist ?
>
> Best Regards,
>
> Mohammed Dado
> Technical Support Engineer - EMEA
>
> Airspan Communications Ltd
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

--
Gregory Wendel
Springfield VA, 22153

From mmckillo at cisco.com Sat Oct 18 15:52:49 2008
From: mmckillo at cisco.com (Mark Mckillop (mmckillo))
Date: Sat, 18 Oct 2008 21:52:49 +0200
Subject: [c-nsp] EIGRP routing failure
Message-ID: <660CDBE9F5177645BF5FAE6EFE2D9BA406106914@xmb-ams-332.emea.cisco.com>

I'd begin with checking the K-Values match on both sides...

Router#show ip protocols
Routing Protocol is "eigrp 100 100"
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Default networks flagged in outgoing updates
  Default networks accepted from incoming updates
  EIGRP metric weight K1=1, K2=0, K3=1, K4=0, K5=0    <========= K-Values
  EIGRP maximum hopcount 100
  EIGRP maximum metric variance 1
  Redistributing: eigrp 100 100
  EIGRP NSF-aware route hold timer is 240s
  Automatic network summarization is in effect
  Maximum path: 4
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: internal 90 external 170

Mark.

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mohammed Dado
Sent: 18 October 2008 20:06
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] EIGRP routing failure

Dears,

We're configuring EIGRP on both sides, customer and ISP. The customer
router is dumping the following logs. Here's an example of some logs ..
128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency

Can anybody assist ?
Best Regards,

Mohammed Dado
Technical Support Engineer - EMEA

Airspan Communications Ltd

From keithsecond at gmail.com Sat Oct 18 19:14:19 2008
From: keithsecond at gmail.com (Keith Stewart)
Date: Sat, 18 Oct 2008 18:14:19 -0500
Subject: [c-nsp] DSCP & QoS, etc
Message-ID: <9554e0680810181614s61e2ae53m85fcc8084d72785c@mail.gmail.com>

Where can I find more information regarding DSCP, manual assignments, and
their default assignments? The typical Cisco pages leave me wanting more
specific information. Perhaps my search terms are failing. Any
help/direction would be appreciated.

From hank at efes.iucc.ac.il Sun Oct 19 04:35:36 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 19 Oct 2008 10:35:36 +0200
Subject: [c-nsp] Conditional BGP
In-Reply-To: <00ba01c93141$37dcc3e0$a7964ba0$@net.pk>
References: <20080924010604.GA33338@root.ucsc.edu> <001801c91d9f$df280fc0$9d782f40$@org> <48D98ED6.60403@templin.org> <20080924010604.GA33338@root.ucsc.edu>
Message-ID: <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>

At 09:47 PM 18-10-08 +0500, Masood Ahmad Shah wrote:

I am curious if anyone else uses conditional BGP as a poor man's DRP?

Suppose you have site A with 192.168.1.0/24. The site is connected to 2
upstream ISPs and they have a number of servers at site A. They now create
a DRP site (site B), which is also connected to 2 upstream ISPs and they
create a mirror copy of those servers from site A over at site B and assign
them the *exact* same IP addresses as at site A. They have the router at
site B do conditional BGP, checking to see if it sees 192.168.1.0/24 from
the Internet. As soon as it disappears (site A is gone), site B starts
announcing 192.168.1.0/24 to the Internet and all the DRP servers at site B
are suddenly active. Ignoring the syncing of the servers from site B to
site A, what is the downside of such a "poor man's" DRP solution?
Regards,
Hank

> A nice book on BGP
>
> Practical BGP
> By Russ White
>
> Regards,
> Masood
> BLOG: http://www.weblogs.com.pk/jahil
>
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Boolootian
> Sent: Wednesday, September 24, 2008 6:06 AM
> To: brandon at sterling.net
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Conditional BGP
>
>> 2) View the NANOG presentation archives. Several come to mind; I'll try to
>> compile a list of suggestions, or just browse away.
>
> Search the presentation archive for Smith and BGP. Philip Smith's
> BGP tutorials are outstanding.

From oliver.gorwits at oucs.ox.ac.uk Sun Oct 19 06:34:31 2008
From: oliver.gorwits at oucs.ox.ac.uk (Oliver Gorwits)
Date: Sun, 19 Oct 2008 11:34:31 +0100
Subject: [c-nsp] FWSM loading shuns
In-Reply-To: <038DE895-6E83-4D1D-9FA0-00526AC5BEF2@princeton.edu>
References: <038DE895-6E83-4D1D-9FA0-00526AC5BEF2@princeton.edu>
Message-ID: <48FB0D37.7060209@oucs.ox.ac.uk>

Hi Jeff,

Jeff Fitzwater wrote:
> Q. Has anybody found a way around this or even use SHUN?
>
> I thought that using the SHUN would be simpler than modifying an ACL,
> but it might be faster.

We're probably not a representative user of the FWSM (for various
uninteresting reasons), but we don't bother with shun, and instead use
an ACL.

To make life a little easier I wrote a few Perl modules, which are
available on CPAN, and can be used to semi-automate the process:

Net::Appliance::Session (like Net::Telnet but does SSH+more)
Net::Cisco::AccessList::Extended
Net::Cisco::ObjectGroup

There is a little hoop jumping required if you deal with FWSM failover,
but things can be made to work seamlessly.

Drop me a line if you need a hand,

regards,
oliver.
--
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services

From tbaranski at mail.com Sun Oct 19 07:08:53 2008
From: tbaranski at mail.com (Terry Baranski)
Date: Sun, 19 Oct 2008 07:08:53 -0400
Subject: [c-nsp] Conditional BGP
In-Reply-To: <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>
Message-ID: <000501c931db$12e27680$0200000a@pleth0ra>

On Sun, Oct 19, 2008 at 04:36:41AM, Hank Nussbacher wrote:
> I am curious if anyone else uses conditional BGP as a poor man's DRP?
>
> Suppose you have site A with 192.168.1.0/24. The site is
> connected to 2 upstream ISPs and they have a number of
> servers at site A. They now create a DRP site (site B),
> which is also connected to 2 upstream ISPs and they
> create a mirror copy of those servers from site A over at
> site B and assign them the *exact* same IP addresses as at
> site A. They have the router at site B do conditional BGP,
> checking to see if it sees 192.168.1.0/24 from the Internet.
> As soon as it disappears (site A is gone), site B starts
> announcing 192.168.1.0/24 to the Internet and all the DRP
> servers at site B are suddenly active. Ignoring the syncing
> of the servers from site B to site A, what is the downside
> of such a "poor man's" DRP solution?

I've done something similar, but went with what I perceived to be the
somewhat less complex route of advertising the routes from both places at
all times, but with AS Prepending and such so that Site A was always
preferred when reachable.

It worked well, and no DNS games required for failover.
-Terry

From zivl at gilat.net Sun Oct 19 07:09:21 2008
From: zivl at gilat.net (Ziv Leyes)
Date: Sun, 19 Oct 2008 13:09:21 +0200
Subject: [c-nsp] NAT - SIP Problem
In-Reply-To: <000d01c92fa9$88474380$98d5ca80$@org>
References: <000601c92fa2$07081f30$15185d90$@org> <000d01c92fa9$88474380$98d5ca80$@org>

The function "ip nat piggyback-support" can help you solve issues with SIP
behind NAT, but I don't think you'll be able to use it with your soho91.
Read more about this here:
http://www.cisco.com/en/US/docs/ios/12_4t/12_4t2/htsmpws.html

Ziv

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Thursday, October 16, 2008 6:09 PM
To: 'Church, Charles'; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] NAT - SIP Problem

Thanks Chuck - didn't know about that command... was discussing internally
here and the ATA that doesn't want to work at all has a newer firmware on it
which might explain this better too... both ATA's are the same (Tilgin 322)
hardware wise...

We'll give it a shot and I'll post back for others if it works ;)

Paul

-----Original Message-----
From: Church, Charles [mailto:cchurc05 at harris.com]
Sent: Thursday, October 16, 2008 11:31 AM
To: Paul Stewart; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] NAT - SIP Problem

Paul,

Do you have "no ip nat service sip udp port 5060" in the config? We had all
sorts of registration issues involving NAT until we were told to try that.
The documentation for it isn't that good, but what it does is turn off the
NAT translation of addresses in the SIP payload. That interferes with an ATA
already doing things to get around NAT (as most ATAs do these days).
Although that old an IOS may not even be doing the payload translation, or
support the command. It's worth a try though.
Chuck

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Thursday, October 16, 2008 11:15 AM
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] NAT - SIP Problem

Hi folks...

Have a customer who has two ATA devices behind a Cisco Soho91 and having a
problem - trying to figure out if this is an IOS issue, a platform issue or
a Session Border Controller issue....

With the "original" ATA in place, things worked fine. With a second ATA
hooked up, the first one still works - the second one doesn't. With only
the second ATA in place it doesn't work. When I say it doesn't work, the
SIP registration will not occur.

XYZ#sh ip nat translations
Pro Inside global      Inside local       Outside local     Outside global
udp xx.xx.111.3:5060   192.168.0.3:5060   xx.xx.98.6:5060   xx.xx.98.6:5060
udp xx.xx.111.3:1029   192.168.0.6:5060   xx.xx.98.6:5060   xx.xx.98.6:5060

I'm working on the hunch that the SBC is getting confused with this newer
ATA on the return traffic as the session stays in the NAT translations
table forever. The "old" ATA is 192.168.0.3 and the new one is 192.168.0.6
- notice the .6 ATA can't use 5060 on the outside interface as it's already
in use.

A similar problem came up at another site a while ago (against the same
SBC's) and we converted it over to firewalled public IP space and it worked
fine - kind of points me back to the way NAT is behaving on these routers
but could be an issue between the NAT and the way the SBC sees the
traffic....

Cisco Internetwork Operating System Software
IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.2(8)YN, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Any input appreciated...
Paul

************************************************************************************
This footnote confirms that this email message has been scanned by
PineApp Mail-SeCure for the presence of malicious code, vandals & computer viruses.
************************************************************************************

From dwinkworth at att.net Sun Oct 19 09:29:13 2008
From: dwinkworth at att.net (Derick Winkworth)
Date: Sun, 19 Oct 2008 08:29:13 -0500
Subject: [c-nsp] EIGRP routing failure
Message-ID: <48FB3629.90804@att.net>

Do you see giants incrementing on either interface?

Mohammed Dado wrote:
> Dears,
>
> We're configuring EIGRP on both sides, customer and ISP. The customer
> router is dumping the following logs. Here's an example of some logs ..
>
> 128326: Oct 6 02:48:05.387 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128327: Oct 6 02:48:05.435 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
> 128328: Oct 6 02:48:19.519 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128329: Oct 6 02:57:37.414 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128330: Oct 6 02:57:41.210 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128331: Oct 6 02:58:46.495 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128332: Oct 6 02:58:50.655 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128333: Oct 6 02:58:52.699 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: K-value mismatch
> 128334: Oct 6 02:58:57.623 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
> 128335: Oct 6 02:59:36.491 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is down: holding time expired
> 128336: Oct 6 02:59:44.327 CDT: %DUAL-5-NBRCHANGE: IP-EIGRP(1) 100: Neighbor 10.253.225.38 (GigabitEthernet1/31.101) is up: new adjacency
>
> Can anybody assist ?
>
> Best Regards,
>
> Mohammed Dado
> Technical Support Engineer - EMEA
>
> Airspan Communications Ltd
>
> ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.173 / Virus Database: 270.8.1/1732 - Release Date: 10/18/2008 6:01 PM

From A.L.M.Buxey at lboro.ac.uk Sun Oct 19 11:27:36 2008
From: A.L.M.Buxey at lboro.ac.uk (A.L.M.Buxey at lboro.ac.uk)
Date: Sun, 19 Oct 2008 16:27:36 +0100
Subject: [c-nsp] SCP bug in SXH3 i.e. CSCsr86489
In-Reply-To: <48F8B2A1.6090900@imperial.ac.uk>
References: <48F8B2A1.6090900@imperial.ac.uk>
Message-ID: <20081019152736.GA18202@lboro.ac.uk>

Hi,

> Just FYI, the above bug (a "catastrophic" sup-crasher in SXH3) is not
> fixed in SXH3a.

yup. SXH4 in mid November was the last whispers I heard....

alan

From jay at west.net Sun Oct 19 11:46:48 2008
From: jay at west.net (Jay Hennigan)
Date: Sun, 19 Oct 2008 08:46:48 -0700
Subject: [c-nsp] Conditional BGP
In-Reply-To: <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>
References: <20080924010604.GA33338@root.ucsc.edu> <001801c91d9f$df280fc0$9d782f40$@org> <48D98ED6.60403@templin.org> <20080924010604.GA33338@root.ucsc.edu> <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>
Message-ID: <48FB5668.4080701@west.net>

Hank Nussbacher wrote:
> At 09:47 PM 18-10-08 +0500, Masood Ahmad Shah wrote:
>
> I am curious if anyone else uses conditional BGP as a poor man's DRP?
>
> Suppose you have site A with 192.168.1.0/24. The site is connected to 2
> upstream ISPs and they have a number of servers at site A.
> They now create a DRP site (site B), which is also connected to 2 upstream
> ISPs and they create a mirror copy of those servers from site A over at
> site B and assign them the *exact* same IP addresses as at site A. They
> have the router at site B do conditional BGP, checking to see if it sees
> 192.168.1.0/24 from the Internet. As soon as it disappears (site A is
> gone), site B starts announcing 192.168.1.0/24 to the Internet and all
> the DRP servers at site B are suddenly active. Ignoring the syncing of
> the servers from site B to site A, what is the downside of such a "poor
> man's" DRP solution?

It has possibilities, but consider:

How do you get it to fail back to site A when site A is restored?

How do you protect against a temporary or transient failure?

What mechanism is in place to prevent both sites from being live at the
same time?

I think there should be some form of out-of-band communication between
the two sites to keep things in sync.

--
Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
Impulse Internet Service - http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV

From hank at efes.iucc.ac.il Sun Oct 19 13:53:16 2008
From: hank at efes.iucc.ac.il (Hank Nussbacher)
Date: Sun, 19 Oct 2008 19:53:16 +0200 (IST)
Subject: [c-nsp] Conditional BGP
In-Reply-To: <48FB5668.4080701@west.net>
References: <20080924010604.GA33338@root.ucsc.edu> <001801c91d9f$df280fc0$9d782f40$@org> <48D98ED6.60403@templin.org> <20080924010604.GA33338@root.ucsc.edu> <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il> <48FB5668.4080701@west.net>

On Sun, 19 Oct 2008, Jay Hennigan wrote:

> Hank Nussbacher wrote:
>> At 09:47 PM 18-10-08 +0500, Masood Ahmad Shah wrote:
>>
>> I am curious if anyone else uses conditional BGP as a poor man's DRP?
>>
>> Suppose you have site A with 192.168.1.0/24. The site is connected to 2
>> upstream ISPs and they have a number of servers at site A.
>> They now create a DRP site (site B), which is also connected to 2
>> upstream ISPs and they create a mirror copy of those servers from site A
>> over at site B and assign them the *exact* same IP addresses as at site
>> A. They have the router at site B do conditional BGP, checking to see if
>> it sees 192.168.1.0/24 from the Internet. As soon as it disappears (site
>> A is gone), site B starts announcing 192.168.1.0/24 to the Internet and
>> all the DRP servers at site B are suddenly active. Ignoring the syncing
>> of the servers from site B to site A, what is the downside of such a
>> "poor man's" DRP solution?
>
> It has possibilities, but consider:
>
> How do you get it to fail back to site A when site A is restored?

Conditional BGP should handle that. My tests have shown about 90 seconds
for the trigger to work, which is within the parameters they need for
"poor man's DRP".

> How do you protect against a temporary or transient failure?

I have found that conditional BGP doesn't kick in after just 10-20 second
failures.

> What mechanism is in place to prevent both sites from being live at the
> same time?

None. That I'll have to think about and see if they can live with it for
1-2 minutes of both being live.

-Hank

> I think there should be some form of out-of-band communication between
> the two sites to keep things in sync.
>
> --
> Jay Hennigan - CCIE #7880 - Network Engineering - jay at impulse.net
> Impulse Internet Service - http://www.impulse.net/
> Your local telephone and internet company - 805 884-6323 - WB6RDV

From nick.geyer at eds.com Sun Oct 19 18:29:59 2008
From: nick.geyer at eds.com (Geyer, Nick)
Date: Mon, 20 Oct 2008 09:29:59 +1100
Subject: [c-nsp] Transparent ASA on dot1q trunk
Message-ID: <83027F7A5EB4D6449A1393A94E4D41DA0401855A@aubwm232.apac.corp.eds.com>

Hi All,

A few months back I remember there was a discussion regarding the
configuration of an ASA in transparent mode sitting in the middle of a
dot1q trunk. I believe a few example configurations were passed around,
but I can't find any of these using public archives.

I'm just wondering if anyone has such configuration examples they could
pass on to me? Any assistance would be greatly appreciated.

Cheers,
Nick

From matt at iseek.com.au Sun Oct 19 22:45:44 2008
From: matt at iseek.com.au (Matt Carter)
Date: Mon, 20 Oct 2008 12:45:44 +1000
Subject: [c-nsp] Conditional BGP
In-Reply-To: <000501c931db$12e27680$0200000a@pleth0ra>
References: <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il> <000501c931db$12e27680$0200000a@pleth0ra>
Message-ID: <7FEDD455961B164D8C4EEA60E22914205B7F329C52@EXCHANGE1.intranet.iseek.com.au>

> I've done something similar, but went with what I perceived to be the
> somewhat less complex route of advertising the routes from both places
> at all times, but with AS Prepending and such so that Site A was always
> preferred when reachable.
>
> It worked well, and no DNS games required for failover.
The main problem I've seen with this is that a lot of providers are going
to local-pref their downstreams such that they are not using provider/peer
links for traffic going to directly connected customers. Given local pref
beats AS path length, you are likely going to get traffic bleeding over to
your DR site from ISP A/B local networks..

To achieve the same goal perhaps (albeit not in the best interests of the
global BGP table) advertise additional prefixes, e.g. primary site
advertises 2 x /24, backup site advertises 1 x /23. Primary site
disappears, falls through to secondary site.

From Rijas.Ali at dubaiholding.com Mon Oct 20 01:52:39 2008
From: Rijas.Ali at dubaiholding.com (Rijas Ali)
Date: Mon, 20 Oct 2008 09:52:39 +0400
Subject: [c-nsp] Cisco Console Port - Question ?
Message-ID: <4B4C6EF88DE69842AA91CE78E826F8A8023A56F77F@DHLDVEX02.dubai-holding.ezone>

Hi All,

I see that our normal Console port can be configured for the following
commands ..

Access-class X in
Transport preferred TELNET

In which scenario do we need these IP commands in a Console Port ???
Can the Console port listen to IP traffic ??

Rijas

From have.an.email at gmail.com Mon Oct 20 04:29:01 2008
From: have.an.email at gmail.com (Nathan)
Date: Mon, 20 Oct 2008 10:29:01 +0200
Subject: [c-nsp] EoMPLS terminating on PE?
Message-ID: <9f785d120810200129v65fd804bl22872763e90f75c3@mail.gmail.com>

Hi,

I'm having a problem understanding how to configure EoMPLS in a specific
case. I've read lots of docs and found lots of examples, but none that
apply to my problem, so I'm not even sure that what I want to do is
possible.

I have two 7206 G1 PE routers with client-facing ATM interfaces, running
CE-PE OSPF over the aal5snap VCs. I want one of those PEs to speak OSPF
directly to a CE connected to a VC coming in on the *other* PE. In effect,
I want to extend the VC coming in on one PE so that it (L3) terminates on
another PE.

I don't see how to configure this, is it possible ?
Thanks,

--
Nathan

From b.turnbow at twt.it Mon Oct 20 05:20:07 2008
From: b.turnbow at twt.it (Brian Turnbow)
Date: Mon, 20 Oct 2008 11:20:07 +0200
Subject: [c-nsp] 7206VXR and CBWFQ

Please don't tell that to this router

policy-map llq
 class sipRTP
  priority 512
 class class-default
  fair-queue
  random-detect

vc-class atm CVPHDSL-VoIP
  vbr-nrt 1524 1524
  encapsulation aal5snap

interface ATM3/0.20842 point-to-point
 description cust 1
 ip address 192.168.0.41 255.255.255.252
 pvc CVPH_CUSTVOIP 208/42
  class-vc CVPHDSL-VoIP
  service-policy out llq

7200-accessjn3#sh policy-map int ATM3/0.20842
 ATM3/0.20842: VC 208/42 -

  Service-policy output: llq

    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 5466056/418685691

    Class-map: sipRTP (match-all)
      5466056 packets, 418685691 bytes
      5 minute offered rate 61000 bps, drop rate 0 bps
      Match: access-group 5
      Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0

    Class-map: class-default (match-any)
      492783 packets, 493906760 bytes
      5 minute offered rate 509000 bps, drop rate 0 bps
      Match: any
        492783 packets, 493906760 bytes
        5 minute rate 509000 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
      (pkts output/bytes output) 492733/493866217
      Fair-queue: per-flow queue limit 16
        Exp-weight-constant: 9 (1/512)
        Mean queue depth: 0 packets
        class  Transmitted        Random drop  Tail/Flow drop  Minimum  Maximum  Mark
               pkts/bytes         pkts/bytes   pkts/bytes      thresh   thresh   prob
        0      486842/493318682   0/0          50/40543        20       40       1/10
        1      54/22464           0/0          0/0             22       40       1/10
        2      6/746              0/0          0/0             24       40       1/10
        3      0/0                0/0          0/0             26       40       1/10
        4      5/330              0/0          0/0             28       40       1/10
        5      20/1200            0/0          0/0             30       40       1/10
        6      5753/515372        0/0          0/0             32       40       1/10
        7      53/7423            0/0          0/0             34       40       1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

________________________________
From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
Sent: Friday 17 October 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Hi,

Subinterfaces and software interfaces do not have their own separate
transmit (Tx) ring; therefore, no congestion can occur. These interface
types include dialers, tunnels, and Frame Relay subinterfaces, and will
only congest when their main hardware interface Tx ring congests. The Tx
ring state is an indication of congestion for software interfaces.

router(config)# interface Serial0/0.1
router(config-subif)# service-policy output test
CBWFQ : Not supported on subinterfaces

1. Create a child or lower-level policy that configures a queueing
mechanism. In the example below, we configure LLQ using the priority
command and CBWFQ using the bandwidth command. Refer to Congestion
Management Overview for more information.

policy-map child
 class voice
  priority 512

2. Create a parent or top-level policy that applies class-based shaping.
Apply the child policy as a command under the parent policy since the
admission control for the child class is done based on the shaping rate
for the parent class.

policy-map parent
 class class-default
  shape average 2000000
  service-policy child

3. Apply the parent policy to the subinterface.

interface Serial0/0.1
 service-policy parent

Cisco Page: http://tinyurl.com/ytt8ge

Note: Class-based shaping works at the interface and subinterface level.
Cisco IOS 12.2(2.5) introduces the ability to configure shaping on the
main interface and IP addresses on the subinterfaces.

thanks,

Victor Cappuccio
CCIE R/S# 20657
CCSI# 30452
www.anetworkerblog.com

On Fri, Oct 17, 2008 at 6:19 PM, Brian Turnbow wrote:

Your pvc needs to be abr/vbr/cbr
You can't do it on ubr

Regards
Brian

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Networkers
Sent: Friday 17 October 2008 17.10
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] 7206VXR and CBWFQ

Whenever I try to apply the following I get an error message about how
CBWFQ can't be applied to subinterfaces. What is the correct way to do
this?

Thanks,
Chris

class-map match-any VOIP
 match ip dscp ef
 match precedence 5
class-map match-all CRITICAL
 match access-group 100

policy-map MyCBWFQ
 class CRITICAL
  priority 48
 class VOIP
  bandwidth 320
  set precedence 6

vc-class atm MyClass
  ubr 1536
  encapsulation aal5mux ppp Virtual-Template5

interface Virtual-Template5
 ip unnumbered Loopback0
 service-policy output MyCBWFQ
 peer default ip address pool default
 ppp authentication pap callin

interface ATM2/0.1921 point-to-point
 pvc 1/1921
  class-vc MyClass

From kremeznoys at gmail.com Mon Oct 20 06:02:13 2008
From: kremeznoys at gmail.com (Сергей Кремезной)
Date: Mon, 20 Oct 2008 13:02:13 +0300
Subject: [c-nsp] *** Problem with collecting flows

Hi all!

I have some problems using flow-capture and Cisco routers 7206-VXR/NPE-G2.
Once per 2 or 3 days the process flow-capture dies. It disappears from the
top table on the server working as a collector (FreeBSD, Intel Xeon 3220,
4GB, 4x1000GB, 1x250GB, ARECA 1110). The collector is not heavily loaded.
For example, results of "tcpdump" in the management VLAN during the problem are:

    11:16:39.616421 arp who-has 10.0.11.3 tell 10.0.11.11
    11:16:39.616426 arp who-has 10.0.11.3 tell 10.0.11.11
    11:16:39.616509 arp reply 10.0.11.3 is-at 00:1a:2f:5b:48:18 (oui Unknown)
    11:16:39.616515 arp reply 10.0.11.3 is-at 00:1a:2f:5b:48:18 (oui Unknown)
    11:16:39.616559 IP 10.0.11.11 > 10.0.11.3: ICMP 10.0.11.11 udp port 9997 unreachable, length 36
    11:16:39.616565 IP 10.0.11.11 > 10.0.11.3: ICMP 10.0.11.11 udp port 9997 unreachable, length 36
    11:16:39.629802 IP 10.0.11.3.50494 > 10.0.11.11.9997: UDP, length 1464
    11:16:39.629924 IP 10.0.11.3.50494 > 10.0.11.11.9997: UDP, length 1464

But 10-15 seconds before it:

    11:16:25.804800 IP 10.0.11.1.57907 > 10.0.11.11.9997: UDP, length 1464
    11:16:25.804921 IP 10.0.11.1.57907 > 10.0.11.11.9997: UDP, length 1464
    11:16:25.805964 IP 10.0.11.3.50494 > 10.0.11.11.9997: UDP, length 1464
    11:16:25.806088 IP 10.0.11.3.50494 > 10.0.11.11.9997: UDP, length 1464
    11:16:25.809257 IP 10.0.11.124.snmp > 10.0.11.14.54601: C=****** GetResponse(36) interfaces.ifTable.ifEntry.ifInOctets.10013=2568101177
    11:16:25.809262 IP 10.0.11.124.snmp > 10.0.11.14.54601: C=****** GetResponse(36) interfaces.ifTable.ifEntry.ifInOctets.10013=2568101177

Here, the collector has ip=10.0.11.11 and the other addresses are routers (72XX) and switches (2960).

Can anybody explain this situation and, maybe, help with it?

Thanks for all

------------
Regards
Sergey Kremeznoy

From dean at eatworms.org.uk Mon Oct 20 06:21:01 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Mon, 20 Oct 2008 11:21:01 +0100
Subject: [c-nsp] 7206VXR and CBWFQ
References:
Message-ID: <000b01c9329d$8ed926e0$0b03010a@DEANPC>

I see you have your PVC as vbr-nrt.

Orig poster has UBR

When we've tested QoS on ADSL we found the PVC had to be configured as VBR-NRT to make QOS work. This may be the issue here.

I'm sure I found a reference on CCO to this behaviour but can't find it again quickly.
Regards
Dean

----- Original Message -----
From: "Brian Turnbow"
To: "Victor Cappuccio"
Cc: "Networkers" ;
Sent: Monday, October 20, 2008 10:20 AM
Subject: Re: [c-nsp] 7206VXR and CBWFQ

Please don't tell that to this router

    policy-map llq
     class sipRTP
      priority 512
     class class-default
      fair-queue
      random-detect

    vc-class atm CVPHDSL-VoIP
     vbr-nrt 1524 1524
     encapsulation aal5snap

    interface ATM3/0.20842 point-to-point
     description cust 1
     ip address 192.168.0.41 255.255.255.252
     pvc CVPH_CUSTVOIP 208/42
      class-vc CVPHDSL-VoIP
      service-policy out llq

    7200-accessjn3#sh policy-map int ATM3/0.20842
     ATM3/0.20842: VC 208/42 -

      Service-policy output: llq

        queue stats for all priority classes:

          queue limit 64 packets
          (queue depth/total drops/no-buffer drops) 0/0/0
          (pkts output/bytes output) 5466056/418685691

        Class-map: sipRTP (match-all)
          5466056 packets, 418685691 bytes
          5 minute offered rate 61000 bps, drop rate 0 bps
          Match: access-group 5
          Priority: 512 kbps, burst bytes 12800, b/w exceed drops: 0

        Class-map: class-default (match-any)
          492783 packets, 493906760 bytes
          5 minute offered rate 509000 bps, drop rate 0 bps
          Match: any
            492783 packets, 493906760 bytes
            5 minute rate 509000 bps
          Queueing
          queue limit 64 packets
          (queue depth/total drops/no-buffer drops/flowdrops) 0/50/0/50
          (pkts output/bytes output) 492733/493866217
          Fair-queue: per-flow queue limit 16
          Exp-weight-constant: 9 (1/512)
          Mean queue depth: 0 packets

          class  Transmitted        Random drop  Tail/Flow drop  Minimum  Maximum  Mark
                 pkts/bytes         pkts/bytes   pkts/bytes      thresh   thresh   prob
          0      486842/493318682   0/0          50/40543        20       40       1/10
          1      54/22464           0/0          0/0             22       40       1/10
          2      6/746              0/0          0/0             24       40       1/10
          3      0/0                0/0          0/0             26       40       1/10
          4      5/330              0/0          0/0             28       40       1/10
          5      20/1200            0/0          0/0             30       40       1/10
          6      5753/515372        0/0          0/0             32       40       1/10
          7      53/7423            0/0          0/0             34       40       1/10

http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

Brian

________________________________

From: Victor Cappuccio [mailto:vcappuccio at gmail.com]
Sent: venerdì
17 ottobre 2008 18.52
To: Brian Turnbow
Cc: Networkers; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] 7206VXR and CBWFQ
From dean at eatworms.org.uk Mon Oct 20 06:24:25 2008
From: dean at eatworms.org.uk (Dean Smith)
Date: Mon, 20 Oct 2008 11:24:25 +0100
Subject: [c-nsp] 7206VXR and CBWFQ
Message-ID: <001801c9329e$07cb8610$0b03010a@DEANPC>

Here it is....

Because CBWFQ provides a minimum bandwidth guarantee, you can only apply CBWFQ to VCs with classes of service other than UBR and UBR+.
http://www.cisco.com/en/US/tech/tk39/tk824/technologies_configuration_example09186a0080094cf6.shtml

----- Original Message -----
From: "Dean Smith"
To:
Sent: Monday, October 20, 2008 11:21 AM
Subject: Re: [c-nsp] 7206VXR and CBWFQ
From oboehmer at cisco.com Mon Oct 20 06:54:25 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 20 Oct 2008 12:54:25 +0200
Subject: [c-nsp] EoMPLS terminating on PE?
In-Reply-To: <9f785d120810200129v65fd804bl22872763e90f75c3@mail.gmail.com>
References: <9f785d120810200129v65fd804bl22872763e90f75c3@mail.gmail.com>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED7840637987B@xmb-ams-333.emea.cisco.com>

Nathan <> wrote on Monday, October 20, 2008 10:29 AM:

> Hi,
>
> I'm having a problem understanding how to configure EoMPLS in a
> specific case, I've read lots of docs and found lots of examples, but
> none that apply to my problem, so I'm not even sure that what I want
> to do is possible.
>
> I have two 7206 G1 PE routers with client-facing ATM interfaces,
> running CE-PE OSPF over the aal5snap VCs. I want one of those PEs to
> speak OSPF directly to a CE connected to a VC coming in on the *other*
> PE. In effect, I want to extend the VC coming in on one PE so that it
> (L3) terminates on another PE.
>
> I don't see how to configure this, is it possible ?

you need the "routed pseudowire" feature, but this is currently only supported on the 7600 (http://www.cisco.com/en/US/docs/ios/12_2sr/release/notes/122SRrn.html#wp3970796).

If this is a one-off requirement (i.e. not supposed to scale), you could use a physical loop cable :-|

oli

From piotr.sawicki.pl at gmail.com Mon Oct 20 07:02:42 2008
From: piotr.sawicki.pl at gmail.com (piotr/sawicki)
Date: Mon, 20 Oct 2008 13:02:42 +0200
Subject: [c-nsp] NMS for l2vpn service instance
Message-ID: <48FC6552.9060404@gmail.com>

Hi experts !!!

I'd like to ask you for help / advice on cisco 7600 l2 vpn management. Can you recommend any system for monitoring and gathering statistics on l2 vpns? Do you know of software capable of discovering service instances on a physical interface? Service instances don't have ip addresses on them, nor are they subinterfaces, but they may contain a connect/xconnect to another mpls router - and there the role of this c7600 ends. L2 vfi?

I see Cisco Metro Ethernet Solution Center is the first choice, but it does a lot more (provisioning); are there any opensource nms capable of doing this out of the box?

// great thanks
Peter Sawicki
network admin / service provider poland

From zoe-nsp at complicity.co.uk Mon Oct 20 06:56:55 2008
From: zoe-nsp at complicity.co.uk (Zoe O'Connell)
Date: Mon, 20 Oct 2008 11:56:55 +0100
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48F8481D.6090901@bytemark.co.uk>
References: <48F78FA1.40607@velvet.org> <48F8481D.6090901@bytemark.co.uk>
Message-ID: <48FC63F7.9020306@complicity.co.uk>

On 17/10/2008 09:09, Peter Taphouse wrote:
> * SXF15 which has a bug in BFD that caused a router to reload when it
> detects a link flap, turning a sub-second blip into a 10 minute brown
> out whilst the router reloaded.
>
> We're now still running SXF15, and we've not had any problems since we
> disabled bfd everywhere.

Unfortunately, despite repeated prodding, Cisco have flatly refused to fix BFD in SXF - we ended up jumping to SRC1 on our 7600s, which was a shame as we were otherwise happy with SXF.

From have.an.email at gmail.com Mon Oct 20 08:16:24 2008
From: have.an.email at gmail.com (Nathan)
Date: Mon, 20 Oct 2008 14:16:24 +0200
Subject: [c-nsp] EoMPLS terminating on PE?
In-Reply-To: <70B7A1CCBFA5C649BD562B6D9F7ED7840637987B@xmb-ams-333.emea.cisco.com>
References: <9f785d120810200129v65fd804bl22872763e90f75c3@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840637987B@xmb-ams-333.emea.cisco.com>
Message-ID: <9f785d120810200516n5d019b9i3eace94c3c06737e@mail.gmail.com>

On Mon, Oct 20, 2008 at 12:54 PM, Oliver Boehmer (oboehmer) wrote:
>
> you need the "routed pseudowire" feature, but this is currently only
> supported on the 7600
>
> If this is a one-off requirement (i.e. not supposed to scale), you could
> use a physical loop cable :-|

Most definitely one-off, but what kind of loop cable would that be? An ATM one?

I'm thinking that I could terminate the aal5snap pvc into a VLAN on some convenient third PE router, and then run a straight 802.1q into the PE router I want the termination on, but mightn't there be some kind of encapsulation problem? All the examples I've seen do xconnects between VLANs or between PVCs, not between a VLAN on one hand and a PVC on the other hand.
Thanks,
Nathan

(Anxiously waiting to see if anyone has insights on my service provider network design question from a few days ago, no one's taken me up so far ;-))

From markom at markom.info Mon Oct 20 08:54:53 2008
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 20 Oct 2008 12:54:53 +0000
Subject: [c-nsp] EoMPLS terminating on PE?
In-Reply-To: <9f785d120810200516n5d019b9i3eace94c3c06737e@mail.gmail.com>
References: <9f785d120810200129v65fd804bl22872763e90f75c3@mail.gmail.com> <70B7A1CCBFA5C649BD562B6D9F7ED7840637987B@xmb-ams-333.emea.cisco.com> <9f785d120810200516n5d019b9i3eace94c3c06737e@mail.gmail.com>
Message-ID: <1fb747910810200554h13820756yd9209cdb379eca16@mail.gmail.com>

I don't think that routed pseudowire would work for you, but I could be mistaken. However, an external loop may work. If I understand your problem well, this is what you want (horrible ascii art follows):

    [CE]---{ATM PVC}--->[PE]---[P]---[PE]
                         |               >{L3}
                         |               |
                         +---xconnect----+

If I understood that correctly, and you are willing to play with external loopbacks (since you own 7600, you definitely are, btw.) read on.

> Most definitely one-off, but what kind of loop cable would that be ? An ATM one?

Yes, you can loop, for example, ATM3/0/0 to ATM3/0/1 on the rightmost PE. Have the xconnect from 3/0/0 to the leftmost PE and the L3 interface on 3/0/1. If you have available and unused ATM interfaces, this is the easiest thing to do. It's a little bit expensive, IMHO.

> I'm thinking that I could terminate the aal5snap pvc into a VLAN on
> some convenient third PE router, and then run a straight 802.1q into
> the PE router I want the termination on, but mightn't there be some
> kind of encapsulation problem? All the examples I've seen do xconnects
> between VLANs or between PVCs, not between a VLAN on one hand and a
> PVC on the other hand.

This could be on the right track, though. I'm not entirely sure about support on 7600, but you could have an xconnect between ATM and 802.1Q interfaces using IP interworking.
Another approach, without a 3rd party router, would be to loop two GigabitEthernet interfaces on the rightmost PE using an external cable and do exactly the same thing as described with the ATM loopback above. You would xconnect from one and have L3 on the other one. Note that if you are using LAN cards for this exercise, you will need to configure VLAN mapping, as VLANs are global. It's still a little bit cheaper than using ATM interfaces, albeit messier.

> (Anxiously waiting to see if anyone has insights on my service provider network design
> question from a few days ago, no one's taken me up so far ;-))

( it was a little bit unclear :-) )

HTH.

--
Marko
CCIE #18427

My network blog: http://cisco.markom.info/

From MLouis at nwnit.com Mon Oct 20 08:57:52 2008
From: MLouis at nwnit.com (Mike Louis)
Date: Mon, 20 Oct 2008 08:57:52 -0400
Subject: [c-nsp] Cisco Quality of Service Manager
Message-ID:

Does anyone on this list have any experience with the Cisco Quality of Service Manager? Are there any other products out there in the same wheelhouse that you would recommend? I have a customer that is looking to manage 55 remote site QOS policies for a large voice rollout. They need something that will automate the process. We can do this with scripts and open source but I would rather not do this from a support standpoint. Any thoughts on the best way to approach this? They are planning on making changes pretty often to the policies as they roll out more and more VOIP and other cisco gear.

Thanks in advance

Mike
From markom at markom.info Mon Oct 20 09:43:03 2008
From: markom at markom.info (Marko Milivojevic)
Date: Mon, 20 Oct 2008 13:43:03 +0000
Subject: [c-nsp] OSPF over PPPoATM
In-Reply-To: <200810181519.02668.daniele@orlandi.com>
References: <200810181519.02668.daniele@orlandi.com>
Message-ID: <1fb747910810200643h13f18451i412e1a55d5943928@mail.gmail.com>

> The 2800 is also connected to the 7200 via a frame-relay to ATM PVC on which
> OSPF is running fine (but not IPv6, but that's another story).
>
> What is happening to those hello packets? Who is eating them?

Before I accuse the intermediate DSLAM of filtering them, could you post the relevant interface and OSPF process configurations from both routers, please?

--
Marko
CCIE #18427

My network blog: http://cisco.markom.info/

From wim.holemans at ua.ac.be Mon Oct 20 09:50:20 2008
From: wim.holemans at ua.ac.be (Holemans Wim)
Date: Mon, 20 Oct 2008 15:50:20 +0200
Subject: [c-nsp] rtr responder on 6500
Message-ID: <2F7B70885960AA42BE820036B3A8CDA041E68D@xmail06.ad.ua.ac.be>

We are setting up a testbed for IP SLA monitoring and I wanted to include our core 6500 switches in the test. For 2 of them this went without problem; on two others it doesn't work: I get the following error (after turning on debug):

    RTR unable to set SO_STRICT_ADDR_BIND option

I searched the Cisco website and also did a google search but this didn't give any results. Anyone an idea of what is going wrong here?

Both not-working routers have a SUP32, the working ones a SUP2 supervisor.
    Router1  s3223_rp-IPBASEK9-VM    Version 12.2(18)SXF6  WS-SUP32-GE-3B   : rtr responder not working
    Router2  s222_rp-IPSERVICESK9-M  Version 12.2(18)SXF6  WS-X6K-SUP2-2GE  : rtr responder working
    Router3  s3223_rp-IPBASEK9-VM    Version 12.2(18)SXF6  WS-SUP32-GE-3B   : rtr responder not working
    Router4  s222_rp-IPSERVICESK9-M  Version 12.2(18)SXF6  WS-X6K-SUP2-2GE  : rtr responder working

Is it possible I need the ipservices version to do this? Anyone a clue on what the error means? The rtr responder command is accepted in all versions.

Wim Holemans
Netwerkdienst Universiteit Antwerpen

From p.mayers at imperial.ac.uk Mon Oct 20 09:56:58 2008
From: p.mayers at imperial.ac.uk (Phil Mayers)
Date: Mon, 20 Oct 2008 14:56:58 +0100
Subject: [c-nsp] rtr responder on 6500
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041E68D@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA041E68D@xmail06.ad.ua.ac.be>
Message-ID: <48FC8E2A.4020809@imperial.ac.uk>

Holemans Wim wrote:
> Is it possible I need the ipservices version to do this ? Anyone a clue
> on what the error means ?
> The rtr responder command is accepted in all
> versions.

I think you need ipservices.

Also, IIRC RTR has crash-bugs under SXF, and you are advised to not use it at all :o(

From oboehmer at cisco.com Mon Oct 20 10:01:55 2008
From: oboehmer at cisco.com (Oliver Boehmer (oboehmer))
Date: Mon, 20 Oct 2008 16:01:55 +0200
Subject: [c-nsp] rtr responder on 6500
In-Reply-To: <2F7B70885960AA42BE820036B3A8CDA041E68D@xmail06.ad.ua.ac.be>
References: <2F7B70885960AA42BE820036B3A8CDA041E68D@xmail06.ad.ua.ac.be>
Message-ID: <70B7A1CCBFA5C649BD562B6D9F7ED78406379A74@xmb-ams-333.emea.cisco.com>

Holemans Wim <> wrote on Monday, October 20, 2008 3:50 PM:
> For 2 of them this went without problem, on two others this doesn't
> work : I get the following error (after putting on debug) :
>
> RTR unable to set SO_STRICT_ADDR_BIND option
>
> Router1 s3223_rp-IPBASEK9-VM Version 12.2(18)SXF6 WS-SUP32-GE-3B : rtr responder not working
> Router2 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6 WS-X6K-SUP2-2GE : rtr responder working
> Router3 s3223_rp-IPBASEK9-VM Version 12.2(18)SXF6 WS-SUP32-GE-3B : rtr responder not working
> Router4 s222_rp-IPSERVICESK9-M Version 12.2(18)SXF6 WS-X6K-SUP2-2GE : rtr responder working
>
> Is it possible I need the ipservices version to do this ? Anyone a
> clue on what the error means ? The rtr responder command is accepted
> in all versions.

Wim,

this seems to be related to ION/Modular IOS (which you're running on R1 and R3) not supporting the SO_STRICT_ADDR_BIND which RTR responder uses.. looks like 12.2(33)SXH and later can be used..
oli

From Simon.Fawcett at uk.fujitsu.com Mon Oct 20 09:57:45 2008
From: Simon.Fawcett at uk.fujitsu.com (Fawcett Simon)
Date: Mon, 20 Oct 2008 14:57:45 +0100
Subject: [c-nsp] Conditional BGP
In-Reply-To: <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>
References: <20080924010604.GA33338@root.ucsc.edu> <001801c91d9f$df280fc0$9d782f40$@org> <48D98ED6.60403@templin.org> <20080924010604.GA33338@root.ucsc.edu> <5.1.0.14.2.20081019103012.00ae82f0@efes.iucc.ac.il>
Message-ID:

Hi Hank

It's a good question. Your approach is good, as mentioned by others in the thread, if you advertise both externally at the same time. Private peering agreements may still prefer the prepended route as it costs them less money. Hence do not advertise your prefix on the backup path as long as the backup ebgp peer is advertising the route back to you. This was done with local pref.

simon

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Hank Nussbacher
Sent: 19 October 2008 09:36
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Conditional BGP

At 09:47 PM 18-10-08 +0500, Masood Ahmad Shah wrote:

I am curious if anyone else uses conditional BGP as a poor man's DRP? Suppose you have site A with 192.168.1.0/24. The site is connected to 2 upstream ISPs and they have a number of servers at site A. They now create a DRP site (site B), which is also connected to 2 upstream ISPs, and they create a mirror copy of those servers from site A over at site B and assign them the *exact* same IP addresses as at site A. They have the router at site B do conditional BGP, checking to see if it sees 192.168.1.0/24 from the Internet. As soon as it disappears (site A is gone), site B starts announcing 192.168.1.0/24 to the Internet and all the DRP servers at site B are suddenly active. Ignoring the syncing of the servers from site B to site A, what is the downside of such a "poor man's" DRP solution?
Regards,
Hank

>A nice book on BGP
>
>Practical BGP
>By Russ White
>
>Regards,
>Masood
>BLOG: http://www.weblogs.com.pk/jahil
>
>
>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mark Boolootian
>Sent: Wednesday, September 24, 2008 6:06 AM
>To: brandon at sterling.net
>Cc: cisco-nsp at puck.nether.net
>Subject: Re: [c-nsp] Conditional BGP
>
>> 2) View the NANOG presentation archives. Several come to mind; I'll try to
>> compile a list of suggestions, or just browse away.
>
>Search the presentation archive for Smith and BGP. Philip Smith's
>BGP tutorials are outstanding.

From christian at broknrobot.com Mon Oct 20 10:38:23 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 20 Oct 2008 10:38:23 -0400
Subject: [c-nsp] FWSM Static NAT gets stuck..
Message-ID:

Hello All -

Seeing an issue on FWSM running 3.2(4) code..

Where a static nat gets stuck, and the host becomes unreachable via both ingress/egress

If i issue a clear xlate local x.x.x.x, this clears things up and connectivity is restored

there are currently 2 hosts on the same network, yet this problem only occurs with one of them

    static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
    static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255

.24 is the one that becomes stuck, .25 is fine and never has a problem..

any ideas/possible bugs?

thanks

christian

From gulerozgur at yahoo.co.uk Mon Oct 20 10:58:21 2008
From: gulerozgur at yahoo.co.uk (Ozgur Guler)
Date: Mon, 20 Oct 2008 14:58:21 +0000 (GMT)
Subject: [c-nsp] FWSM Static NAT gets stuck..
In-Reply-To:
Message-ID: <463736.43764.qm@web25508.mail.ukl.yahoo.com>

Do you see the correct arp for the translation when it stops working?
You might need to define a static arp with alias to fix it.

--- On Mon, 20/10/08, Christian Koch wrote:
From: Christian Koch
Subject: [c-nsp] FWSM Static NAT gets stuck..
To: "Cisco-nsp"
Date: Monday, 20 October, 2008, 3:38 PM

From christian at broknrobot.com Mon Oct 20 11:15:39 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 20 Oct 2008 11:15:39 -0400
Subject: [c-nsp] FWSM Static NAT gets stuck..
In-Reply-To: <463736.43764.qm@web25508.mail.ukl.yahoo.com>
References: <463736.43764.qm@web25508.mail.ukl.yahoo.com>
Message-ID:

i checked this when it happened the first time but i forgot what the output was... thanks for the suggestion, i'll have to check it again next time it pops up

christian

On Mon, Oct 20, 2008 at 10:58 AM, Ozgur Guler wrote:
> Do you see the correct arp for the translation when it stops working?
> You might need to define a static arp with alias to fix it.
> To: "Cisco-nsp"
> Date: Monday, 20 October, 2008, 3:38 PM
>
> Hello All -
>
> Seeing an issue on FWSM running 3.2(4) code..
>
> Where a static NAT gets stuck, and the host becomes unreachable via
> both ingress/egress.
>
> If I issue a "clear xlate local x.x.x.x", this clears things up and
> connectivity is restored.
>
> There are currently 2 hosts on the same network, yet this problem only
> occurs with one of them:
>
> static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
> static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
>
> .24 is the one that becomes stuck, .25 is fine and never has a problem..
>
> Any ideas/possible bugs?
>
> thanks
>
> christian


From paul at paulstewart.org Mon Oct 20 11:46:04 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 20 Oct 2008 11:46:04 -0400
Subject: [c-nsp] %UTIL-3-IDTREE_TRACE: SSM SEG freelist DB
Message-ID: <000001c932ca$f77f7dc0$e67e7940$@org>

Hi there...

I just scanned Cisco's site and came up empty... got this weird message in
our logs this morning on a 7206VXR-NPE2G:

Oct 20 11:37:17: %UTIL-3-IDTREE_TRACE: SSM SEG freelist DB:Duplicate ID free for 11532219 (count = 2)
-Traceback= 662444 6633DC 663B0C 2E1D644 2E1D7AC 17BCAA0 17A1FB0 17A56A4 17A5B08

It's running:

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRC2, RELEASE SOFTWARE (fc2)

Anyone have a clue what this means? Is it an IOS bug or some other type of
error I should be concerned about?
Best regards,

Paul Stewart


From vijay.ramcharan at verizonbusiness.com Mon Oct 20 12:01:48 2008
From: vijay.ramcharan at verizonbusiness.com (Ramcharan, Vijay A)
Date: Mon, 20 Oct 2008 16:01:48 +0000
Subject: [c-nsp] %UTIL-3-IDTREE_TRACE: SSM SEG freelist DB
In-Reply-To: <000001c932ca$f77f7dc0$e67e7940$@org>
References: <000001c932ca$f77f7dc0$e67e7940$@org>
Message-ID:

Googling "UTIL-3-IDTREE_TRACE" returns 6 hits.

Apparently applicable for 10K and 12K boxes:
http://74.125.45.104/search?q=cache:e_oNyDi2EUcJ:cco.cisco.com/en/US/docs/ios/12_0/12_0sy/release/notes/120SYrn.html+UTIL-3-IDTREE_TRACE&hl=en&ct=clnk&cd=1&gl=us

CSCek77589

Symptoms: The following message is observed in syslog/console.
%UTIL-3-IDTREE_TRACE: SSM SEG freelist DB:Duplicate ID free

Conditions: This symptom was observed during scalability testing of a
large number (over 2000) of PPP sessions being brought up and torn down
continuously.

Workaround: There is no workaround.

Listed under two other links:
http://www.cisco.com/en/US/docs/ios/12_2sr/system/messages/sm2sr08.html
http://www.cisco.com/en/US/docs/ios/12_2sx/system/messages/sm2sx09.html

Error Message: %UTIL-3-IDTREE_TRACE : [chars]

Explanation: A software error occurred, resulting in a data structure
inconsistency.

Recommended Action: Copy the message exactly as it appears on the console
or in the system log. Research and attempt to resolve the issue using the
tools and utilities provided at http://www.cisco.com/tac. With some
messages, these tools and utilities will supply clarifying information.
Also perform a search of the Bug Toolkit
http://www.cisco.com/pcgi-bin/Support/Bugtool/home.pl. If you still
require assistance, open a case with the Technical Assistance Center via
the Internet http://tools.cisco.com/ServiceRequestTool/create, or contact
your Cisco technical support representative and provide the
representative with the gathered information.
The other Google-provided links may or may not be relevant, as the error
message is listed slightly differently than "UTIL-3-IDTREE_TRACE: SSM SEG
freelist DB".

Vijay Ramcharan

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: October 20, 2008 11:46
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] %UTIL-3-IDTREE_TRACE: SSM SEG freelist DB

Hi there...

I just scanned Cisco's site and came up empty... got this weird message in
our logs this morning on a 7206VXR-NPE2G:

Oct 20 11:37:17: %UTIL-3-IDTREE_TRACE: SSM SEG freelist DB:Duplicate ID free for 11532219 (count = 2)
-Traceback= 662444 6633DC 663B0C 2E1D644 2E1D7AC 17BCAA0 17A1FB0 17A56A4 17A5B08

It's running:

Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.2(33)SRC2, RELEASE SOFTWARE (fc2)

Anyone have a clue what this means? Is it an IOS bug or some other type of
error I should be concerned about?

Best regards,

Paul Stewart


From jeff at ocjtech.us Mon Oct 20 12:06:24 2008
From: jeff at ocjtech.us (Jeffrey Ollie)
Date: Mon, 20 Oct 2008 11:06:24 -0500
Subject: [c-nsp] WCS on CentOS?
Message-ID: <935ead450810200906s5dc50bb4s997ee6f2c2730d8a@mail.gmail.com>

Currently, my Wireless Control System is running on an upgraded WLSE box
that runs RHEL 4 (which came with the WLSE->WCS conversion) and version
5.0.56 of the WCS software. I'd like to move to the latest version but it
requires RHEL 5. I don't have any RHEL licenses otherwise as I use CentOS
for my server OS. WCS detects that I'm running CentOS and not RHEL and
won't install. Is there any way that I can work around that? Failing
that, is there a way that I can upgrade the old RHEL 4 install?
--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the terrible
things that happen to us come because we actually deserve them? So, now I
take great comfort in the general hostility and unfairness of the
universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"


From rinse.kloek at isp.solcon.nl Mon Oct 20 13:08:38 2008
From: rinse.kloek at isp.solcon.nl (Rinse Kloek (Solcon))
Date: Mon, 20 Oct 2008 19:08:38 +0200
Subject: [c-nsp] ASR1002
Message-ID: <48FCBB16.3070805@isp.solcon.nl>

We are looking for a replacement for our 7200 BRAS routers. The ASR1002
looks promising:

- Dual IOS (Software Redundancy / Much easier upgrading)
- Standard 4 GE ports
- 6-8 Mpps
- Front to back airflow instead of side airflow
- Many hardware features like QOS / SBC / NBAR

Anybody some experience in a production environment with the ASR1002
regarding stability / IOS bugs?

Rinse


From dloughlin at otc.fsu.edu Mon Oct 20 13:45:55 2008
From: dloughlin at otc.fsu.edu (Loughlin, Daniel J.)
Date: Mon, 20 Oct 2008 13:45:55 -0400
Subject: [c-nsp] WCS on CentOS?
In-Reply-To: <935ead450810200906s5dc50bb4s997ee6f2c2730d8a@mail.gmail.com>
References: <935ead450810200906s5dc50bb4s997ee6f2c2730d8a@mail.gmail.com>
Message-ID: <0B5DA805D198954F8E6160D2AB3B43A54E0E41@fsu-exch-11.fsu.edu>

I'm not sure if this will help, but try altering your /etc/redhat-release
(yes, CentOS has such a thing) file to say Red Hat version 5 instead of
CentOS version 5 before you install the WCS and see if you can trick it
into installing. Change it back to CentOS when you are done installing it.

I'm not sure about the exact text that goes in a Red Hat 5.x
/etc/redhat-release. You can look on a Red Hat 5.x box for an example...
Good luck,

-Danny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeffrey Ollie
Sent: Monday, October 20, 2008 12:06 PM
To: Cisco Network Service Providers
Subject: [c-nsp] WCS on CentOS?

Currently, my Wireless Control System is running on an upgraded WLSE box
that runs RHEL 4 (which came with the WLSE->WCS conversion) and version
5.0.56 of the WCS software. I'd like to move to the latest version but it
requires RHEL 5. I don't have any RHEL licenses otherwise as I use CentOS
for my server OS. WCS detects that I'm running CentOS and not RHEL and
won't install. Is there any way that I can work around that? Failing
that, is there a way that I can upgrade the old RHEL 4 install?

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the terrible
things that happen to us come because we actually deserve them? So, now I
take great comfort in the general hostility and unfairness of the
universe."

-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"


From rshughes at gmail.com Mon Oct 20 14:41:45 2008
From: rshughes at gmail.com (Ryan Hughes)
Date: Mon, 20 Oct 2008 14:41:45 -0400
Subject: [c-nsp] ASR1002
In-Reply-To: <48FCBB16.3070805@isp.solcon.nl>
References: <48FCBB16.3070805@isp.solcon.nl>
Message-ID:

I've got one customer running an ASR 1006 and it seems to be working just
fine on their 100 Mb metro-e link; running 12.2(33) XNA, using basic EIGRP
and QoS features.. I've heard unconfirmed claims of some software
instability but maybe there are more people out there who have run into
them.
On Mon, Oct 20, 2008 at 1:08 PM, Rinse Kloek (Solcon) <
rinse.kloek at isp.solcon.nl> wrote:

> We are looking for a replacement for our 7200 BRAS routers. The ASR1002
> looks promising:
>
> - Dual IOS (Software Redundancy / Much easier upgrading)
> - Standard 4 GE ports
> - 6-8 Mpps
> - Front to back airflow instead of side airflow
> - Many hardware features like QOS / SBC / NBAR
>
> Anybody some experience in a production environment with the ASR1002
> regarding stability / IOS bugs?
>
> Rinse


From Gregori.Parker at theplatform.com Mon Oct 20 14:25:50 2008
From: Gregori.Parker at theplatform.com (Gregori Parker)
Date: Mon, 20 Oct 2008 11:25:50 -0700
Subject: [c-nsp] WCS on CentOS?
In-Reply-To: <0B5DA805D198954F8E6160D2AB3B43A54E0E41@fsu-exch-11.fsu.edu>
References: <935ead450810200906s5dc50bb4s997ee6f2c2730d8a@mail.gmail.com> <0B5DA805D198954F8E6160D2AB3B43A54E0E41@fsu-exch-11.fsu.edu>
Message-ID: <1A9866F953006D45AEE0166066114E0913D06505@TPMAIL02.corp.theplatform.com>

You have to do the same thing to trick HP agents to install on CentOS:

Edit /etc/redhat-release to contain:

Red Hat Enterprise Linux Client release 5 (Tikanga)

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Loughlin, Daniel J.
Sent: Monday, October 20, 2008 10:46 AM
To: Jeffrey Ollie; Cisco Network Service Providers
Subject: Re: [c-nsp] WCS on CentOS?

I'm not sure if this will help, but try altering your /etc/redhat-release
(yes, CentOS has such a thing) file to say Red Hat version 5 instead of
CentOS version 5 before you install the WCS and see if you can trick it
into installing. Change it back to CentOS when you are done installing it.
I'm not sure about the exact text that goes in a Red Hat 5.x
/etc/redhat-release. You can look on a Red Hat 5.x box for an example...

Good luck,

-Danny

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jeffrey Ollie
Sent: Monday, October 20, 2008 12:06 PM
To: Cisco Network Service Providers
Subject: [c-nsp] WCS on CentOS?

Currently, my Wireless Control System is running on an upgraded WLSE box
that runs RHEL 4 (which came with the WLSE->WCS conversion) and version
5.0.56 of the WCS software. I'd like to move to the latest version but it
requires RHEL 5. I don't have any RHEL licenses otherwise as I use CentOS
for my server OS. WCS detects that I'm running CentOS and not RHEL and
won't install. Is there any way that I can work around that? Failing
that, is there a way that I can upgrade the old RHEL 4 install?

--
Jeff Ollie

"You know, I used to think it was awful that life was so unfair. Then I
thought, wouldn't it be much worse if life were fair, and all the terrible
things that happen to us come because we actually deserve them? So, now I
take great comfort in the general hostility and unfairness of the
universe."
-- Marcus to Franklin in Babylon 5: "A Late Delivery from Avalon"


From spinthiras.mario at gmail.com Mon Oct 20 15:09:50 2008
From: spinthiras.mario at gmail.com (Mario Spinthiras)
Date: Mon, 20 Oct 2008 22:09:50 +0300
Subject: [c-nsp] NMS for l2vpn service instance
In-Reply-To: <48FC6552.9060404@gmail.com>
References: <48FC6552.9060404@gmail.com>
Message-ID: <4f890e580810201209o5138be16o52ba16682901c46@mail.gmail.com>

Have you tried Zenoss?


From rmg at conviva.com Mon Oct 20 16:53:31 2008
From: rmg at conviva.com (Robert Gutierrez)
Date: Mon, 20 Oct 2008 13:53:31 -0700 (PDT)
Subject: [c-nsp] BGP load-sharing *and* redundancy across 2 routers
In-Reply-To: <4f890e580810201209o5138be16o52ba16682901c46@mail.gmail.com>
References: <48FC6552.9060404@gmail.com> <4f890e580810201209o5138be16o52ba16682901c46@mail.gmail.com>
Message-ID: <3C669F4F3C464CCCB1F12455EFD75D6F@ranma>

Hi all. I have a typical BGP loopback setup to my ISP. 4 links across 2
routers. 2 links on each router. Easy -- no problemo.

Now, how can I get loopback address redundancy? I'm currently using
Router "A" as my loopback address, with an iBGP to Router "B", and
multihop and maximum-paths set up. So Router "A" knows about all 4 links
outbound.

Now, if I lose Router "A" (crash, power-off, etc), I want Router "B" to
pick up the peering of its 2 links, and bring the BGP session back up.
The only way that I can figure out is (1) Make the loopback address an
HSRP across both routers (is that even possible or been done?), or (2)
Just bring up sessions on both routers using the same Loopback address.
I guess the "right" way is to use 2 different loopback addresses, one for
each router, and bring up peers for both, and use MEDs or their community
map to make them pref one way or another across each loopback peer (with
myself using local-pref). Do you know of any Tier-1's that let you do
this?

Thanks in advance!

Rob Gutierrez / Conviva Inc.


From tbaranski at mail.com Mon Oct 20 18:00:28 2008
From: tbaranski at mail.com (Terry Baranski)
Date: Mon, 20 Oct 2008 18:00:28 -0400
Subject: [c-nsp] Conditional BGP
In-Reply-To: <7FEDD455961B164D8C4EEA60E22914205B7F329C52@EXCHANGE1.intranet.iseek.com.au>
Message-ID: <000201c932ff$45321850$0200000a@pleth0ra>

On Sun, Oct 19, 2008 at 10:46:31PM, Matt Carter wrote:

> the main problem i've seen with this is that a lot of
> providers are going to local pref their downstreams such that
> they are not using provider/peer links for traffic going to
> directly connected customers. given local pref beats as path
> length, you are likely going to get traffic bleeding over to
> your DR site from ISP A/B local networks..

Indeed -- you have to work with each provider to make sure you know what
they're doing. In addition to prepending we also advertised a local-pref
community to each peer so that they set the desired local-pref upon
receiving a given route from us.

-Terry


From christian at broknrobot.com Mon Oct 20 19:09:06 2008
From: christian at broknrobot.com (Christian Koch)
Date: Mon, 20 Oct 2008 19:09:06 -0400
Subject: [c-nsp] FWSM Static NAT gets stuck..
In-Reply-To: <463736.43764.qm@web25508.mail.ukl.yahoo.com>
References: <463736.43764.qm@web25508.mail.ukl.yahoo.com>
Message-ID:

OK, just had it happen again and I checked, and the correct ARP entry was
there...

On Mon, Oct 20, 2008 at 10:58 AM, Ozgur Guler wrote:
> Do you see the correct ARP for the translation when it stops working?
> You might need to define a static ARP with alias to fix it.
>
>
> --- On Mon, 20/10/08, Christian Koch wrote:
>
> From: Christian Koch
> Subject: [c-nsp] FWSM Static NAT gets stuck..
> To: "Cisco-nsp"
> Date: Monday, 20 October, 2008, 3:38 PM
>
> Hello All -
>
> Seeing an issue on FWSM running 3.2(4) code..
>
> Where a static NAT gets stuck, and the host becomes unreachable via
> both ingress/egress.
>
> If I issue a "clear xlate local x.x.x.x", this clears things up and
> connectivity is restored.
>
> There are currently 2 hosts on the same network, yet this problem only
> occurs with one of them:
>
> static (DMZ,OUTSIDE) 1.1.1.24 2.2.2.24 netmask 255.255.255.255
> static (DMZ,OUTSIDE) 1.1.1.25 2.2.2.25 netmask 255.255.255.255
>
> .24 is the one that becomes stuck, .25 is fine and never has a problem..
>
> Any ideas/possible bugs?
>
> thanks
>
> christian


From paul at paulstewart.org Mon Oct 20 19:34:36 2008
From: paul at paulstewart.org (Paul Stewart)
Date: Mon, 20 Oct 2008 19:34:36 -0400
Subject: [c-nsp] QOS for VOIP 1811
Message-ID: <000001c9330c$70d87d70$52897850$@org>

Can anyone tell me what's wrong with this configuration or a better way to
do it? It doesn't appear to be working.

1811 - Cisco IOS Software, C181X Software (C181X-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)

3500Kb/s bi-directional connection via PPPoE - trying to give VOIP
priority, matching against destination IP address of a Session Border
Controller..

class-map match-all Call-Signalling
 match access-group 155
class-map match-all Voice
 match access-group 155
!
!
policy-map VOIP
 class Voice
  priority 100
 class Call-Signalling
  bandwidth 10
 class class-default
  fair-queue
  random-detect

interface FastEthernet0
 bandwidth 3500
 no ip address
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 service-policy output VOIP

interface Dialer0
 bandwidth 3500
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username xxxxxxxxxxxxxx
 service-policy output VOIP

As you can see, I'm trying to match in two places to cover all bases..
Also cannot find a way to do an inbound service policy, which is most
likely my problem. If I hit peak traffic my voice quality gets bad.. Can
someone suggest a better way? ;)

I've tried applying the QOS policy on Vlan1 (hoping I would get traffic in
and out of the router that way) and get this:

demarc-psa(config-if)#service-policy output VOIP
Configuration failed!
It's marking the packets correctly but not keeping the voice quality intact:

demarc-psa#sh policy-map interface FastEthernet 0
 FastEthernet0

  Service-policy output: VOIP

    queue stats for all priority classes:
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 724224/228059272

    Class-map: Voice (match-all)
      732132 packets, 230445897 bytes
      5 minute offered rate 80000 bps, drop rate 0 bps
      Match: access-group 155
      Priority: 100 kbps, burst bytes 2500, b/w exceed drops: 0

    Class-map: Call-Signalling (match-all)
      56 packets, 42988 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group 155
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 56/42988
      bandwidth 10 kbps

    Class-map: class-default (match-any)
      3392831 packets, 378440929 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops/flowdrops) 0/0/0/0
      (pkts output/bytes output) 3392833/378442341
      Fair-queue: per-flow queue limit 16
        Exp-weight-constant: 9 (1/512)
        Mean queue depth: 0 packets

        class  Transmitted         Random drop  Tail/Flow drop  Minimum  Maximum  Mark
               pkts/bytes          pkts/bytes   pkts/bytes      thresh   thresh   prob
        0      3389220/378170759   0/0          0/0             20       40       1/10
        1      0/0                 0/0          0/0             22       40       1/10
        2      0/0                 0/0          0/0             24       40       1/10
        3      0/0                 0/0          0/0             26       40       1/10
        4      0/0                 0/0          0/0             28       40       1/10
        5      0/0                 0/0          0/0             30       40       1/10
        6      3613/271582         0/0          0/0             32       40       1/10
        7      0/0                 0/0          0/0             34       40       1/10

Thanks in advance,

Paul


From andy.saykao at staff.netspace.net.au Mon Oct 20 21:34:44 2008
From: andy.saykao at staff.netspace.net.au (Andy Saykao)
Date: Tue, 21 Oct 2008 12:34:44 +1100
Subject: [c-nsp] Strange cache flow seen on SB release for PPPoE/A connections
Message-ID: <56F211C5E3F24F47B103EA1B253822BE036549A2@vic-cr-ex1.staff.netspace.net.au>

Hi All,

Another interesting thing about the SB release we're using has to do with
flows.
After upgrading to the SB release (12.2(31)SB13) on a few production 7301
routers we noticed the usage was down for our PPPoE/A customers connecting
to that router. Based on historical data, one PPPoE/A business customer
would download 1-2G/day but after the upgrade to the SB release, they are
now only doing 200-300M/day.

Further investigation showed that the SB release was sending some flows to
Null as the destination interface and this is probably why flows were not
being collected properly.

Here's an example of what I mean with me downloading something using the
SB release.

router#sh ip cache flow | inc 210.15.230.84
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0.11      216.239.113.224 Vi3.2         210.15.230.84   06 0050 0753     1
Gi0/0.11      216.239.122.60  Null          210.15.230.84   06 0050 0792  6199
Vi3.2         210.15.230.84   Gi0/0.11*     216.239.122.60  06 0792 0050  3206
Vi3.2         210.15.230.84   Gi0/0.11      216.239.122.60  06 0792 0050  3206
Vi3.2         210.15.230.84   Gi0/0.11      216.239.113.224 06 0753 0050     2
Vi3.2         210.15.230.84   Gi0/0.11*     216.239.113.224 06 0753 0050     2

You can see that a download from 216.239.122.60 is being sent to the Null
interface instead of to the Virtual-Access interface. And looking at our
collector, no flows were collected for this download session. Also not
sure why there appear to be duplicate flows, one without a STAR and one
with a STAR for some flows.

We thought it might have something to do with the Virtual-Template as we
were used to having "ip route-cache flow" enabled on it. But the SB release
removes this command. Our PPP config looks like this:

bba-group pppoe global
 virtual-template 2
!
interface GigabitEthernet0/1.21
 description DSLAM VLAN
 encapsulation dot1Q 21
 ip flow ingress
 pppoe enable group global
!
interface Virtual-Template2
 bandwidth 1500
 ip unnumbered Loopback0
 ip flow ingress
 ip tcp adjust-mss 1412
 peer default ip address pool PPP-ADSL
 ppp mtu adaptive
 ppp authentication chap pap PPPCustomers
 ppp authorization PPPCustomers
 ppp accounting PPPCustomers
 ppp chap hostname PPP-VIC

What we then discovered was that with the SB release we needed to add "ip
flow egress" to the Virtual-Template to be able to capture flows properly.
I had read somewhere that this appears to be a workaround for not being
able to have "ip route-cache flow" on the Virtual-Template.

Flows appear to be collecting properly now with both "ip flow ingress" and
"ip flow egress" applied to the Virtual-Template. We're seeing two flows
now, one going to Null and another going to the correct Virtual-Access
interface for my download from 216.239.113.112. Without the "ip flow
egress" in the Virtual-Template, the flow would go just to the Null
interface.

router#sh ip cache flow | inc 210.15.230.84
Gi0/0.11      74.80.127.24    Vi3.2         210.15.230.84   06 0050 0AC6     1
Gi0/0.11      74.80.127.24    Vi3.2*        210.15.230.84   06 0050 0AC6     1
Gi0/0.11      216.239.113.112 Vi3.2*        210.15.230.84   06 0050 0B13  6199
Gi0/0.11      216.239.113.112 Null          210.15.230.84   06 0050 0B13  6199
Vi3.2         210.15.230.84   Gi0/0.11      74.80.127.24    06 0AC6 0050     1
Vi3.2         210.15.230.84   Gi0/0.11      216.239.113.112 06 0B13 0050  3166

I'm still puzzled as to what the STAR means in the flow and why there
appear to be two "duplicate" flows. Any ideas??? This is also a PE router
so not sure if MPLS has anything to do with it.

Also, as discussed above we've had to apply both "ip flow ingress" and "ip
flow egress" to the Virtual-Template for flows to be collected properly.
How should I be collecting flows on the Virtual-Template??

Thanks in advance.

Andy

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
Please notify the sender immediately by email if you have received this
email by mistake and delete this email from your system. Please note that
any views or opinions presented in this email are solely those of the
author and do not necessarily represent those of the organisation.
Finally, the recipient should check this email and any attachments for the
presence of viruses. The organisation accepts no liability for any damage
caused by any virus transmitted by this email.


From ygauteron at gmail.com Tue Oct 21 01:06:25 2008
From: ygauteron at gmail.com (Yann Gauteron)
Date: Tue, 21 Oct 2008 07:06:25 +0200
Subject: [c-nsp] QOS for VOIP 1811
In-Reply-To: <000001c9330c$70d87d70$52897850$@org>
References: <000001c9330c$70d87d70$52897850$@org>
Message-ID: <8097baf0810202206y689a0be7v7aa6ae6b47fa58c9@mail.gmail.com>

Hi Paul,

If I understand well, you're doing VoIP over a PPPoE link. I never tried
such a configuration (does not mean it should not work, just I never had
the chance to have to implement it), but as you're mentioning that voice
quality is not good, I would consider:

1) First thing very surprising to me is your class map definitions: both
use the very same matches (match access-group 155 for Voice and
Signalling). This sounds incompatible to me, as you cannot define that
signalling is matching one ACL, and that the VoIP RTP streams are matching
the exact same ACL - that is the same source/destination addresses and
ports. Try to split RTP and signalling into two different ACLs.
You're using an SBC which can perform the B2BUA behavior for both SIP
signalling and RTP flows I guess, then the following should be better (if
your LAN net is 172.16.100.0/24 and your SBC is at 192.168.200.200):

ip access-list extended aclVoipSignalling
 permit udp 172.16.100.0 0.0.0.255 eq 5060 host 192.168.200.200 eq 5060
ip access-list extended aclVoipRTP
 permit udp 172.16.100.0 0.0.0.255 host 192.168.200.200

class-map match-all Call-Signalling
 match access-group name aclVoipSignalling
class-map match-all Voice
 match access-group name aclVoipRTP
 match not access-group name aclVoipSignalling

(Note that IOS ACL names are case-sensitive: the "match not" line must
reference the ACL by exactly the name it was created with, aclVoipSignalling,
or the exclusion will not take effect.)

This way you ensure that class map Voice excludes SIP signalling. You can
also add a deny udp on ports 5060 in the ACL directly. This is a more
philosophical question now.

However this should not explain (to me) why your "show policy-map" displays
some traffic flowing in your "Call-Signalling" class ("(pkts output/bytes
output) 56/42988").

2) If 1 does not solve your problem. If your codec is G.711, try increasing
the bandwidth reserved in your LLQ (priority command) to (let's say)
120kbps. PPPoE adds additional headers and headers are considered in
reserved/guaranteed bandwidths. If the problem is solved, then you can
start to compute the exact value to allocate by knowing the codec,
packetization rate, IP+UDP+RTP headers, PPPoE headers. It's too early here
now for me to start computing this value (06:45am).

3) If 2 does not solve your problem. If your codec is G.711, ensure that
only one call is flowing over your PPPoE link. A second call would degrade
the overall quality of both calls, as the priority would police the traffic
exceeding 100kbps.

Good luck in your troubleshooting and let us know.

Cheers,
Y.
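The computation Yann defers in points 2 and 3, carried through as an added example (not part of the thread): per-call bandwidth for G.711 at each encapsulation layer on this PPPoE link, and how many whole calls fit under the LLQ "priority" rate before the policer starts dropping. The header sizes (IP+UDP+RTP 40, PPPoE+PPP 8, Ethernet+FCS 18, no 802.1Q tag) and the 20 ms packetization are assumptions.

```python
"""Per-call bandwidth for VoIP over PPPoE and how many calls fit in an LLQ.

Added example, not from the thread. Assumed header sizes (no 802.1Q tag):
IP 20 + UDP 8 + RTP 12 = 40 bytes, PPPoE 6 + PPP 2 = 8 bytes,
Ethernet 14 + FCS 4 = 18 bytes.
"""
from dataclasses import dataclass

IP_UDP_RTP = 40   # L3/L4 headers carried on every RTP packet
PPPOE_PPP = 8     # PPPoE session header (6) + PPP protocol field (2)
ETHERNET = 18     # Ethernet header (14) + FCS (4)


@dataclass(frozen=True)
class Codec:
    name: str
    bit_rate: int          # audio bit rate in bps
    packetization_ms: int  # milliseconds of audio per RTP packet


G711_20MS = Codec("G.711", 64000, 20)   # the codec Yann mentions
G729_20MS = Codec("G.729", 8000, 20)    # for comparison


def packets_per_second(codec):
    return 1000 // codec.packetization_ms


def payload_bytes(codec):
    # audio bytes per packet = bit rate * packet interval (s) / 8
    return codec.bit_rate * codec.packetization_ms // 8000


def call_bps(codec, overhead_bytes):
    """One direction of one call, with overhead_bytes of headers per packet."""
    frame = payload_bytes(codec) + overhead_bytes
    return frame * 8 * packets_per_second(codec)


def calls_that_fit(codec, priority_kbps, overhead_bytes):
    """Whole calls that fit under 'priority <kbps>' before the LLQ policer
    drops (Yann's point 3: a second G.711 call exceeds 100 kbps)."""
    return priority_kbps * 1000 // call_bps(codec, overhead_bytes)


def report(codec, priority_kbps):
    """Per-call cost at each encapsulation layer plus the calls that fit,
    counting the full Ethernet+PPPoE frame as the worst case."""
    layers = {
        "ip_udp_rtp": IP_UDP_RTP,
        "plus_pppoe": IP_UDP_RTP + PPPOE_PPP,
        "plus_ethernet": IP_UDP_RTP + PPPOE_PPP + ETHERNET,
    }
    bps = {name: call_bps(codec, oh) for name, oh in layers.items()}
    return {
        "codec": codec.name,
        "pps": packets_per_second(codec),
        "bps": bps,
        "calls_in_llq": calls_that_fit(codec, priority_kbps,
                                       layers["plus_ethernet"]),
    }


if __name__ == "__main__":
    # Paul's policy reserves 100 kbps; G.711 lands at 80/83.2/90.4 kbps.
    for codec in (G711_20MS, G729_20MS):
        print(report(codec, 100))
```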
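Going back to Andy's "sh ip cache flow" output a few messages up, an added example (not from his post) of the check a collector operator would want: parse the cache lines, report the 5-tuples whose only entry points at Null (the download the collector never saw), and list the starred/unstarred duplicates he asks about. The two sample inputs are reconstructed from his before/after captures.

```python
"""Spot NetFlow cache entries the collector will never see.

Added example, not from Andy's post. Parses 'show ip cache flow' lines and
reports (a) 5-tuples whose every cache entry has DstIf Null and (b) the
starred/unstarred duplicates. Samples are constructed from the post.
"""
import re
from collections import defaultdict

# Before "ip flow egress" was added to the Virtual-Template (constructed).
BEFORE = """\
SrcIf     SrcIPaddress     DstIf      DstIPaddress     Pr SrcP DstP  Pkts
Gi0/0.11  216.239.113.224  Vi3.2      210.15.230.84    06 0050 0753     1
Gi0/0.11  216.239.122.60   Null       210.15.230.84    06 0050 0792  6199
Vi3.2     210.15.230.84    Gi0/0.11*  216.239.122.60   06 0792 0050  3206
Vi3.2     210.15.230.84    Gi0/0.11   216.239.122.60   06 0792 0050  3206
Vi3.2     210.15.230.84    Gi0/0.11   216.239.113.224  06 0753 0050     2
Vi3.2     210.15.230.84    Gi0/0.11*  216.239.113.224  06 0753 0050     2
"""

# After "ip flow egress" was added (constructed).
AFTER = """\
Gi0/0.11  74.80.127.24     Vi3.2      210.15.230.84    06 0050 0AC6     1
Gi0/0.11  74.80.127.24     Vi3.2*     210.15.230.84    06 0050 0AC6     1
Gi0/0.11  216.239.113.112  Vi3.2*     210.15.230.84    06 0050 0B13  6199
Gi0/0.11  216.239.113.112  Null       210.15.230.84    06 0050 0B13  6199
Vi3.2     210.15.230.84    Gi0/0.11   74.80.127.24     06 0AC6 0050     1
Vi3.2     210.15.230.84    Gi0/0.11   216.239.113.112  06 0B13 0050  3166
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(
    rf"^(?P<srcif>\S+)\s+(?P<src>{IPV4})\s+(?P<dstif>\S+)\s+(?P<dst>{IPV4})\s+"
    r"(?P<pr>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """One dict per flow line; the header and unrelated lines are skipped.
    Protocol and ports are hex in this output, so they are converted."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "srcif": d["srcif"],
            "src": d["src"],
            "dstif": d["dstif"].rstrip("*"),
            "starred": d["dstif"].endswith("*"),
            "dst": d["dst"],
            "proto": int(d["pr"], 16),
            "sport": int(d["sport"], 16),
            "dport": int(d["dport"], 16),
            "pkts": int(d["pkts"]),
        })
    return flows


def _key(f):
    return (f["src"], f["dst"], f["proto"], f["sport"], f["dport"])


def lost_flows(flows):
    """5-tuples whose every cache entry points at Null: traffic forwarded to
    the subscriber that the collector never receives. Maps each tuple to its
    packet count so the accounting gap can be sized."""
    ifaces = defaultdict(set)
    pkts = defaultdict(int)
    for f in flows:
        ifaces[_key(f)].add(f["dstif"])
        pkts[_key(f)] = max(pkts[_key(f)], f["pkts"])
    return {k: pkts[k] for k, s in ifaces.items() if s == {"Null"}}


def starred_pairs(flows):
    """5-tuples that appear both with and without the trailing '*' on DstIf."""
    seen = defaultdict(set)
    for f in flows:
        seen[_key(f)].add(f["starred"])
    return sorted(k for k, s in seen.items() if s == {True, False})


if __name__ == "__main__":
    print("lost before fix:", lost_flows(parse_flows(BEFORE)))   # the 6199-pkt download
    print("lost after fix: ", lost_flows(parse_flows(AFTER)))    # {}
```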
From have.an.email at gmail.com Tue Oct 21 04:17:38 2008
From: have.an.email at gmail.com (Nathan)
Date: Tue, 21 Oct 2008 10:17:38 +0200
Subject: [c-nsp] question about service provider network design
In-Reply-To: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com>
Message-ID: <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com>

Hi again,

Since Marko says my question wasn't clear I'll try to make it better :-)

- Is running OSPF on a switch at all useful when the switch is connecting
routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster
detection of link loss?

- In a campus scenario, Cisco recommends not using STP, instead preferring
point-to-point links. I don't have enough point-to-point links, so what is
better, creating an L2 square running MST, with the square's top and
bottom being WAN links, or creating two L2 networks, each consisting of
two switches (one at each of the two locations) connected by one WAN link,
with all routers having an interface connected to both switches at its
location?

--
Nathan


From lists at memetic.org Tue Oct 21 04:36:54 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 21 Oct 2008 09:36:54 +0100
Subject: [c-nsp] ASR1002
In-Reply-To: <48FCBB16.3070805@isp.solcon.nl>
References: <48FCBB16.3070805@isp.solcon.nl>
Message-ID: <48FD94A6.1040006@memetic.org>

Rinse Kloek (Solcon) wrote:
> We are looking for a replacement for our 7200 BRAS routers. The
> ASR1002 looks promising:
>
> - Dual IOS (Software Redundancy / Much easier upgrading)

Do you trust that stuff to work properly so early? I wouldn't!

> - Standard 4 GE ports
> - 6-8 Mpps

Assuming zero feature use. The QuantumFlow slows down quite a bit when
you start adding more features.
> - Front to back airflow instead of side airflow
> - Many hardware features like QOS / SBC / NBAR

Be sure to test the throughput of the device with all the features you
want to use enabled. Don't expect full performance with all the features!

I've ordered a load of ASR1ks for peering routers, not received them yet
though!

adam.


From lists at memetic.org Tue Oct 21 04:44:12 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 21 Oct 2008 09:44:12 +0100
Subject: [c-nsp] question about service provider network design
In-Reply-To: <48FD963E.2060507@memetic.org>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com> <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com> <48FD963E.2060507@memetic.org>
Message-ID: <48FD965C.6090101@memetic.org>

Adam Armstrong wrote:
> Nathan wrote:
>> Hi again,
>>
>> Since Marko says my question wasn't clear I'll try to make it better :-)
>>
>> - Is running OSPF on a switch at all useful when the switch is
>> connecting routers that are running MPLS, MP-BGP, and OSPF? Can it
>> provide faster detection of link loss?
>>
> The routers can see each other directly at L2? Then no. It might make
> it easier to keep the switch's management loopback connected though.
>
> Consider switching to IS-IS, assuming your kit can do it.
>
>> - In a campus scenario, Cisco recommends not using STP, instead
>> preferring point-to-point links. I don't have enough point-to-point
>> links, so what is better, creating an L2 square running MST, with the
>> square's top and bottom being WAN links, or creating two L2 networks,
>> each consisting of two switches (one at each of the two locations)
>> connected by one WAN link, with all routers having an interface
>> connected to both switches at its location?
>
> Do you have a diagram?
>
> When you say WAN, what do you mean? A long distance ethernet circuit?
> Or a Serial/Pos/etc?
>
> adam.
>


From lists at memetic.org Tue Oct 21 04:46:53 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 21 Oct 2008 09:46:53 +0100
Subject: [c-nsp] BGP load-sharing *and* redundancy across 2 routers
In-Reply-To: <3C669F4F3C464CCCB1F12455EFD75D6F@ranma>
References: <48FC6552.9060404@gmail.com> <4f890e580810201209o5138be16o52ba16682901c46@mail.gmail.com> <3C669F4F3C464CCCB1F12455EFD75D6F@ranma>
Message-ID: <48FD96FD.9080709@memetic.org>

Robert Gutierrez wrote:
> Hi all. I have a typical BGP loopback setup to my ISP. 4 links across 2
> routers. 2 links on each router. Easy -- no problemo.
>
> Now, how can I get loopback address redundancy? I'm currently using
> Router "A" as my loopback address, with an iBGP to Router "B", and
> multihop and maximum-paths set up. So Router "A" knows about all 4 links
> outbound.
>
> Now, if I lose Router "A" (crash, power-off, etc), I want Router "B" to
> pick up the peering of its 2 links, and bring the BGP session back up.
> The only way that I can figure out is (1) Make the loopback address an
> HSRP across both routers (is that even possible or been done?), or (2)
> Just bring up sessions on both routers using the same Loopback address.
>

You don't really want to do this. It'd only cause your links to flap a
second time when the router came back up.

What are the links? Ethernet? Serial?

If you're taking ethernet from the provider, why not just use switches so
that both routers can talk across all of the links? It would mean 8
sessions though.

> I guess the "right" way is to use 2 different loopback addresses, one for
> each router, and bring up peers for both, and use MEDs or their community
> map to make them pref one way or another across each loopback peer (with
> myself using local-pref). Do you know of any Tier-1's that let you do
> this?

adam.
From lists at memetic.org Tue Oct 21 04:49:05 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 21 Oct 2008 09:49:05 +0100
Subject: [c-nsp] NMS for l2vpn service instance
In-Reply-To: <48FC6552.9060404@gmail.com>
References: <48FC6552.9060404@gmail.com>
Message-ID: <48FD9781.30706@memetic.org>

piotr/sawicki wrote:
> Hi experts !!!
>
> I'd like to ask you for help / advice on cisco 7600 l2 vpn's management
>
> Can you recommend any system for as much as monitoring and gathering statistics on l2 vpns?
> Do you know of software capable of discovering service instances on a physical interface?
> Service instances don't have IP addresses on them, nor are they subinterfaces, but they may contain a connect/xconnect to another mpls router - and the role of this c7600 ends.
> L2 vfi?
>
> I see Cisco Metro Ethernet Solution Center is the first choice, but it does a lot more - provisioning. Are there any opensource nms capable of doing this, out of the box?

Hi Peter,

I'm planning to add this to Observer in the near future. We're using the Cisco commercial solution here, but I still think it's a useful feature.

I'll see how quickly I can get it in!

adam.

From have.an.email at gmail.com Tue Oct 21 05:43:39 2008
From: have.an.email at gmail.com (Nathan)
Date: Tue, 21 Oct 2008 11:43:39 +0200
Subject: [c-nsp] question about service provider network design
In-Reply-To: <48FD965C.6090101@memetic.org>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com> <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com> <48FD963E.2060507@memetic.org> <48FD965C.6090101@memetic.org>
Message-ID: <9f785d120810210243v229a2514oc51503fd5154bfef@mail.gmail.com>

On Tue, Oct 21, 2008, Adam Armstrong wrote:
> Nathan wrote:
>> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
>
> The routers can see each other directly at L2? Then no.
> It might make it easier to keep the switch's management loopback connected though.

Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?

Good point about the management loopback.

> Consider switching to IS-IS, assuming your kit can do it.

The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.

> Do you have a diagram?

I'm not sure that ASCII art will cut it, but I'll try . . .

First option:

/----------SW----------WAN---------SW-----------\
| | | | | | |
PE PE PE | | PE PE PE
| | | | | | |
\----------SW----------WAN---------SW-----------/

This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.

Second option:

/----------SW----------WAN---------SW-----------\
| | | | | |
PE PE PE PE PE PE
| | | | | |
\----------SW----------WAN---------SW-----------/

> When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?

They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).
--
Nathan

From lists at memetic.org Tue Oct 21 08:59:00 2008
From: lists at memetic.org (Adam Armstrong)
Date: Tue, 21 Oct 2008 13:59:00 +0100
Subject: [c-nsp] question about service provider network design
In-Reply-To: <9f785d120810210243v229a2514oc51503fd5154bfef@mail.gmail.com>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com> <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com> <48FD963E.2060507@memetic.org> <48FD965C.6090101@memetic.org> <9f785d120810210243v229a2514oc51503fd5154bfef@mail.gmail.com>
Message-ID: <48FDD214.3040900@memetic.org>

Nathan wrote:
> On Tue, Oct 21, 2008, Adam Armstrong wrote:
> > Nathan wrote:
> >> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
> >
> > The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.
>
> Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?

Umm. I've no idea what you're talking about now... The switch doesn't speak LDP. It can merely participate in your IGP for its loopback address.

Just give the switches an IP in the subnet that exists on their layer 2 domain and point their default route at one of the PEs (or do hsrp between a couple of them).

> > Consider switching to IS-IS, assuming your kit can do it.
>
> The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.
Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!

> > Do you have a diagram?
>
> I'm not sure that ASCII art will cut it, but I'll try . . .
>
> First option:
>
> /----------SW----------WAN---------SW-----------\
> | | | | | | |
> PE PE PE | | PE PE PE
> | | | | | | |
> \----------SW----------WAN---------SW-----------/
>
> This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.
>
> Second option:
>
> /----------SW----------WAN---------SW-----------\
> | | | | | |
> PE PE PE PE PE PE
> | | | | | |
> \----------SW----------WAN---------SW-----------/
>
Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other. During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.

http://alpha.memetic.org/basic.jpg is how i would draw it.

>
> > When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?
>
> They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).
Well, tune your IGP so that it notices as quickly as possible and pulls down the link.

You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)

adam.

From Grzegorz at Janoszka.pl Tue Oct 21 09:28:50 2008
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Tue, 21 Oct 2008 15:28:50 +0200
Subject: [c-nsp] How to match local IP address?
Message-ID: <48FDD912.1060205@Janoszka.pl>

Is there a way to automatically match local (static, connected) IP subnets and deny ospf/bgp routes? Something like:

route-map name permit 10
 match connected

I use soft SHX or SXF.

We tried something like:
1. match route-type external
2. permit any

but it did not work. Thanks in advance for your help.

--
Grzegorz Janoszka

From have.an.email at gmail.com Tue Oct 21 09:49:45 2008
From: have.an.email at gmail.com (Nathan)
Date: Tue, 21 Oct 2008 15:49:45 +0200
Subject: [c-nsp] question about service provider network design
In-Reply-To: <48FDD214.3040900@memetic.org>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com> <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com> <48FD963E.2060507@memetic.org> <48FD965C.6090101@memetic.org> <9f785d120810210243v229a2514oc51503fd5154bfef@mail.gmail.com> <48FDD214.3040900@memetic.org>
Message-ID: <9f785d120810210649x75a03257r220f4062b8cced30@mail.gmail.com>

On Tue, Oct 21, 2008 at 2:59 PM, Adam Armstrong wrote:
>
> Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!

OK noted, that could be important.

> Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other.
> During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.

The "relatively standard" was what I was looking for :-)

> Well, tune your IGP so that it notices as quickly as possible and pulls down the link.
>
> You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)

It's not stressed enough in docs about setting up iBGP and MP-BGP, unfortunately, but yes I did learn that later on :-/

Thanks,
--
Nathan

From dcp at dcptech.com Tue Oct 21 10:00:37 2008
From: dcp at dcptech.com (David Prall)
Date: Tue, 21 Oct 2008 10:00:37 -0400
Subject: [c-nsp] How to match local IP address?
In-Reply-To: <48FDD912.1060205@Janoszka.pl>
References: <48FDD912.1060205@Janoszka.pl>
Message-ID: <000f01c93385$667bdbf0$337393d0$@com>

What exactly are you trying to do?

Redistribute connected and redistribute static only match those, no need for a route-map. Or are you attempting to advertise these to a particular BGP peer?

David

--
http://dcp.dcptech.com

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Grzegorz Janoszka
> Sent: Tuesday, October 21, 2008 9:29 AM
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] How to match local IP address?
>
>
> Is there a way to automatically match local (static, connected) IP subnets and deny ospf/bgp routes? Something like:
>
> route-map name permit 10
>  match connected
>
> I use soft SHX or SXF.
>
> We tried something like:
> 1. match route-type external
> 2. permit any
>
> but it did not work. Thanks in advance for your help.
>
> --
> Grzegorz Janoszka
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

From ib_cims at yahoo.com Tue Oct 21 10:25:05 2008
From: ib_cims at yahoo.com (Ibrahim Alsharif)
Date: Tue, 21 Oct 2008 07:25:05 -0700 (PDT)
Subject: [c-nsp] Network Management System
Message-ID: <955352.5529.qm@web63805.mail.re1.yahoo.com>

hello Guys,

could you please help me to choose which Cisco Network Management software, cuz I have a network that includes LAN, WAN, ASA Firewalls & Voice Equipment, so I need Management Software for this equipment

thank you,

From Grzegorz at Janoszka.pl Tue Oct 21 10:25:35 2008
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Tue, 21 Oct 2008 16:25:35 +0200
Subject: [c-nsp] How to match local IP address?
In-Reply-To: <000f01c93385$667bdbf0$337393d0$@com>
References: <48FDD912.1060205@Janoszka.pl> <000f01c93385$667bdbf0$337393d0$@com>
Message-ID: <48FDE65F.8040002@Janoszka.pl>

David Prall wrote:
> What exactly are you trying to do?
>
> Redistribute connected and redistribute static only match those, no need for a route-map. Or are you attempting to advertise these to a particular BGP peer?

Announce connected networks with the no-export community - it may be a lot of smaller prefixes. The big aggregate prefixes will be announced statically in other places.

--
Grzegorz Janoszka

From rodunn at cisco.com Tue Oct 21 10:37:13 2008
From: rodunn at cisco.com (Rodney Dunn)
Date: Tue, 21 Oct 2008 10:37:13 -0400
Subject: [c-nsp] Sup720, SXH or SXF?
In-Reply-To: <48FC63F7.9020306@complicity.co.uk>
References: <48F78FA1.40607@velvet.org> <48F8481D.6090901@bytemark.co.uk> <48FC63F7.9020306@complicity.co.uk>
Message-ID: <20081021143713.GJ13328@rtp-cse-489.cisco.com>

Sometimes the infrastructure changes to do it override the decision to back port. That's one of the biggest dangers with long lived throttles.

I was part of those discussions on the topic. It wasn't a decision made lightly but they made the "best" (note I didn't say "right") choice.

Rodney

On Mon, Oct 20, 2008 at 11:56:55AM +0100, Zoe O'Connell wrote:
> On 17/10/2008 09:09, Peter Taphouse wrote:
> > * SXF15 which has a bug in BFD that caused a router to reload when it detects a link flap, turning a sub-second blip into a 10 minute brown out whilst the router reloaded.
> >
> > We're now still running SXF15, and we've not had any problems since we disabled bfd everywhere.
>
> Unfortunately, despite repeated prodding, Cisco have flatly refused to fix BFD in SXF - we ended up jumping to SRC1 on our 7600s, which was a shame as we were otherwise happy with SXF.

From markom at markom.info Tue Oct 21 10:52:37 2008
From: markom at markom.info (Marko Milivojevic)
Date: Tue, 21 Oct 2008 14:52:37 +0000
Subject: [c-nsp] How to match local IP address?
In-Reply-To: <48FDE65F.8040002@Janoszka.pl>
References: <48FDD912.1060205@Janoszka.pl> <000f01c93385$667bdbf0$337393d0$@com> <48FDE65F.8040002@Janoszka.pl>
Message-ID: <1fb747910810210752u346cedbdvfebc8d1f2ff455f8@mail.gmail.com>

> Announce connected networks with the no-export community - it may be a lot of smaller prefixes.
> The big aggregate prefixes will be announced statically in other places.

How about something like this?

route-map Connected-Routes
 set community no-export
!
router bgp XXX
 address-family ipv4
  redistribute connected route-map Connected-Routes
!

If you wish to assign the community only for specific interfaces, you can do something like:

route-map Connected-Routes permit 10
 match interface XXX
 match interface YYY
 set community no-export
!
route-map Connected-Routes permit 999

--
Marko
CCIE #18427 (SP)

My network blog: http://cisco.markom.info/

From hashng at gmail.com Tue Oct 21 11:08:04 2008
From: hashng at gmail.com (Hashiru Aminu)
Date: Tue, 21 Oct 2008 18:08:04 +0300
Subject: [c-nsp] MST issues
In-Reply-To: <48FC63F7.9020306@complicity.co.uk>
References: <48F78FA1.40607@velvet.org> <48F8481D.6090901@bytemark.co.uk> <48FC63F7.9020306@complicity.co.uk>
Message-ID: <000b01c9338e$d477e690$7d67b3b0$@com>

Hi guys

Please can someone explain to me the following output when seen on an MST device

Te9/1 Mstr FWD 2000 128.2049 P2p Bound(PVST)

I am referring to the Mstr and the Bound(PVST) there

Regards
Hash

From Grzegorz at Janoszka.pl Tue Oct 21 11:14:54 2008
From: Grzegorz at Janoszka.pl (Grzegorz Janoszka)
Date: Tue, 21 Oct 2008 17:14:54 +0200
Subject: [c-nsp] How to match local IP address?
In-Reply-To: <1fb747910810210752u346cedbdvfebc8d1f2ff455f8@mail.gmail.com>
References: <48FDD912.1060205@Janoszka.pl> <000f01c93385$667bdbf0$337393d0$@com> <48FDE65F.8040002@Janoszka.pl> <1fb747910810210752u346cedbdvfebc8d1f2ff455f8@mail.gmail.com>
Message-ID: <48FDF1EE.1040407@Janoszka.pl>

Marko Milivojevic wrote:
> How about something like this?
>
> route-map Connected-Routes
>  set community no-export
> !
> router bgp XXX
>  address-family ipv4
>   redistribute connected route-map Connected-Routes
> !
>
> If you wish to assign the community only for specific interfaces, you can do something like:
>
> route-map Connected-Routes permit 10
>  match interface XXX
>  match interface YYY
>  set community no-export
> !
> route-map Connected-Routes permit 999

It is a kind of idea, however it is a rather complicated setup.
The biggest disadvantage is that the interface list has to be updated. Let's say I insert a new blade into a free slot, then I have to update the route-map. Another disadvantage may be the length of the route-map - if I have 4x48 ports, then it has almost 200 match entries - I do not know if Cisco allows for so many match entries.

However it is a way to do it. I think I would slightly modify it and use it, thanks. If you have another idea I will appreciate it.

--
Grzegorz Janoszka

From dan at beanfield.com Tue Oct 21 10:16:19 2008
From: dan at beanfield.com (Dan Armstrong)
Date: Tue, 21 Oct 2008 10:16:19 -0400
Subject: [c-nsp] question about service provider network design
In-Reply-To: <48FDD214.3040900@memetic.org>
References: <9f785d120810150832k54425422i1fb29a9d1208060a@mail.gmail.com> <9f785d120810210117g7d70deb1o9781b5f97c5edcc9@mail.gmail.com> <48FD963E.2060507@memetic.org> <48FD965C.6090101@memetic.org> <9f785d120810210243v229a2514oc51503fd5154bfef@mail.gmail.com> <48FDD214.3040900@memetic.org>
Message-ID: <48FDE433.4050503@beanfield.com>

We have a fairly similar design for our Metro Ethernet network. Our primary method of protection is STP(MST).

I've been thinking about this, and I can't come up with a reason why we even really need an IGP down to the edge PE devices? Since it's all layer2 - the core switch/routers see all of the PE<>core links as Connected routes anyway - what's the point of bothering to push your IGP down there? It's just more needless routes. That leaves you with a very small IGP in your core.

Adam Armstrong wrote:
> Nathan wrote:
>> On Tue, Oct 21, 2008, Adam Armstrong wrote:
>> > Nathan wrote:
>> >> - Is running OSPF on a switch at all useful when the switch is connecting routers that are running MPLS, MP-BGP, and OSPF? Can it provide faster detection of link loss?
>> >
>> > The routers can see each other directly at L2? Then no. It might make it easier to keep the switch's management loopback connected though.
>>
>> Well I don't see how the LDP would keep running if the switch cut off L2. The switch would need to speak LDP . . . which would make it an MPLS P router, which would be cool but I'm quite sure neither 2960s or even 3550s can do that :-) P router with eight gigabit ethernet ports running at line speed for the price of a 2960 anyone? Seriously, what kind of beast does that? A 7600 or 6500 I suppose, anything smaller?
> Umm. I've no idea what you're talking about now... The switch doesn't speak LDP. It can merely participate in your IGP for its loopback address.
>
> Just give the switches an IP in the subnet that exists on their layer 2 domain and point their default route at one of the PEs (or do hsrp between a couple of them).
>> > Consider switching to IS-IS, assuming your kit can do it.
>>
>> The switches can't, but I do think the routers can. What would the benefits be? If I change to IS-IS, now's the time.
> Well, the switches aren't important here, so if you plan to do ipv6 in the future and aren't a huge ospf fan, have a look at isis now and switch if you like it. It's definitely a lot easier to manage and troubleshoot. Not to mention not having to run two versions of ospf when you want to do ipv6!
>> > Do you have a diagram?
>>
>> I'm not sure that ASCII art will cut it, but I'll try . . .
>>
>> First option:
>>
>> /----------SW----------WAN---------SW-----------\
>> | | | | | | |
>> PE PE PE | | PE PE PE
>> | | | | | | |
>> \----------SW----------WAN---------SW-----------/
>>
>> This way I don't have to have each PE connected to both switches in order to communicate directly, it's only when a switch goes down that PEs only connected to that single switch will have a problem. I'll have to place different VLANs on top and bottom and use MST so that both links are used. If I lose the ethernet link on a WAN link, MST notices immediately and reroutes traffic.
>>
>> Second option:
>>
>> /----------SW----------WAN---------SW-----------\
>> | | | | | |
>> PE PE PE PE PE PE
>> | | | | | |
>> \----------SW----------WAN---------SW-----------/
>>
> Second option is the sensible one. Think of it as building 2 core layer 2 domains across which all of the PEs can talk to each other. During normal operation, they balance across the two domains, when a switch or link dies, the traffic goes across the other. It's a relatively standard design.
>
> http://alpha.memetic.org/basic.jpg is how i would draw it.
>>
>>
>> > When you say WAN, what do you mean? A long distance ethernet circuit? Or a Serial/Pos/etc?
>>
>> They are seen as gigabit ethernet (copper or fiber), but they run over the national backbone of bigger fish than I. They are probably AToM pseudowires. Unfortunately that means that when one goes down (not often, maybe once or at most twice a year) I don't always lose the ethernet link (and I suppose I might get one-way communication only).
> Well, tune your IGP so that it notices as quickly as possible and pulls down the link.
>
> You want as few routes as possible in IGP (so just links and loopbacks), but i guess you already knew that! :)
>
> adam.

From ayourtch at cisco.com Tue Oct 21 11:20:45 2008
From: ayourtch at cisco.com (Andrew Yourtchenko)
Date: Tue, 21 Oct 2008 17:20:45 +0200 (CEST)
Subject: [c-nsp] FWSM Static NAT gets stuck..
In-Reply-To:
References: <463736.43764.qm@web25508.mail.ukl.yahoo.com>
Message-ID:

If "clear local" fixes it - then most probably there's another xlate that stands in the way, should not be related to arp. Watch out for the identity statics that are supersets of this host static, i.e.
something like this is not good:

static (inside,outside) 1.1.1.1 2.2.2.2 netmask 255.255.255.255
static (inside,outside) 2.2.2.0 2.2.2.0 netmask 255.255.255.0

if your